Exploiting E2 MFG

by Vince
in Blog

The terms vulnerability assessment and penetration test are often used synonymously, but they are not the same thing. This post is a good example of a finding that would not be identified during a vulnerability assessment, and it showcases the difference between that and a penetration test.

During a recent penetration test, I discovered a Microsoft SQL Server.

Sticky Keys Persistence

by Vince
in Blog

There's a feature in Windows, Accessibility Options, that is provided for the visually impaired. Basically, at the login prompt, pressing the Shift key five times launches sethc.exe. If we want to abuse this pre-login function, we could copy cmd.exe in its place, which would launch a command prompt as SYSTEM before anyone logs in. From there, we could create an account or perform any other privileged command-prompt operation.

Stealth Persistence aka RID Hijacking

by Vince
in Blog

Somehow you make your way onto a system, and perhaps you want to maintain that access. There are a number of reasons and methods for maintaining persistence, and one such method is RID Hijacking. The short of it is this -- each account is assigned a relative identifier (RID). The Administrator account is assigned 500, and user accounts begin at 1000. If we modify a user account and assign it the same RID as the Administrator account, then for all intents and purposes we are an administrator.