We will go with the simplest of them all, i.e. using the Windows Startup Repair method.
In this method we do not need to create a Linux bootable USB to get access to the system drive, nor a Kon-Boot CD, nor any privilege escalation, assuming that we don't have access to the system in any other way.
WARNING: I am NOT responsible for any expulsions or such if you do this at school/work!
Let's begin now.
This tutorial is for Educational Purposes Only
Step 0: Get physical access
Sounds pretty obvious... duh!
Step 1: Restart the system
Press and hold the power button while booting until the system turns off (it won't cause any damage), then restart; Windows will launch Automatic Repair.
Or, on the login screen, click the Power icon and press [Shift] + Restart. That boots you into recovery mode.
Step 2: Go to Advanced options
If you did it correctly, you should get the recovery screen. Select "Advanced Options".
Step 3: Select Troubleshoot
Step 4: Select System Image Recovery / Command Prompt
Step 5: Click Cancel
We do not want to Retry and find the system image. So, click Cancel.
Step 6: Click "Next >"
Step 7: Click Install a driver
The option says "Locate and install driver...". Let's locate.
Step 8: Click "OK"
Yeah, we will SELECT THE DRIVER.
Step 9: Browse to C:\Windows\System32
By default X:\System32 is selected (X: is the recovery environment's own drive, not the installed Windows). To make changes, browse to System32 on Local Disk (C:), i.e. the Windows drive. Your system drive letter may vary.
Step 10: Clone cmd
Press Ctrl+C and Ctrl+V to make a copy of cmd. Use the keyboard only.
Step 11: Rename sethc
Left-click on sethc and press <F2> to rename sethc to sethc1.
Right-clicking anywhere led me to crash the browsing window. Maybe Windows is trying to defend itself, but we are going to get admin access anyway.
Step 12: Rename cmd – Copy.exe
Rename cmd – Copy to sethc.
Press <F5> to see the changes made. The interface is kind of lame.
Step 13: Continue to Windows 10 boot
Time to boot Windows 10...
Step 14: Open command prompt [Sticky Keys Method]
Press <Shift> 5 times to launch the command prompt (sethc.exe).
Note the title bar.
Step 15: Reset admin password
Here we can reset the password in 2 ways:
- Using the GUI
- Using the command line
Step 16: Log in with new credentials
Optional
Once you have an administrator-level cmd shell, there are a number of interesting things you can do, not only with cmd but with PowerShell too. But I'll keep this tutorial within its expected scope. The rest I'll leave up to you.
Let me know in the comments section what else you discovered after this step.
It may sometimes happen that the administrator account is set to hidden, as in school/college labs, to prevent a standard user from logging in or performing a brute-force attack remotely (if the admin username is known).
So, to bypass this, a potential attacker can enable/disable the admin account right from the login screen.
1. Enable/Disable administrator account
If STATUS=yes, the account is enabled, i.e. visible to all users.
If STATUS=no, the account is hidden.
2. Create a hidden administrator account
Step 2.1: Create new user
Step 2.2: Set the account hidden
Step 2.3: Check admin account list
Step 2.4: Check hiddenuser's visibility
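From the defender's side, the check you want after reading the above is whether any member of the local Administrators group has been hidden from the logon screen. The following is an added example written for this page (not the post's own commands); it assumes an elevated PowerShell on Windows 10 and reads the Winlogon SpecialAccounts\UserList key, which is where such hiding is configured.

```powershell
# Added audit example (not from the original post): list local administrators and flag
# any that are hidden from the logon screen. Run from an elevated PowerShell on Windows 10.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Account names listed under UserList with a value of 0 are suppressed on the logon screen.
$hidden = @()
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own PS* properties; keep only real value names set to 0.
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) { $hidden += $p.Name }
    }
}

# Walk the local Administrators group; member names come back as COMPUTER\user.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' }

foreach ($m in $admins) {
    $name = ($m.Name -split '\\')[-1]
    # Domain members have no local user object; ignore the lookup error for them.
    $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account       = $name
        Enabled       = if ($acct) { $acct.Enabled } else { 'n/a (not local)' }
        HiddenAtLogon = $hidden -contains $name
        LastLogon     = if ($acct) { $acct.LastLogon } else { $null }
    }
}
```

Any row with HiddenAtLogon set to True and an account name you don't recognise is exactly the hiddenuser backdoor described above and deserves a look before anything else.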
Prevention from Sticky-Keys attack
Unless it's a public machine (i.e. on a home/work machine), you can prevent this by using disk encryption or even a BIOS boot password. Just don't forget them. Of the two, disk encryption is the one that actually stops System32 from being edited offline.
Also, remove USB/CD/DVD from the boot device priority, so that an attacker can't boot a Linux live distro or a Windows recovery disk. Keep in mind that the method above needs no external media at all, since it uses the recovery environment already on the disk, so this step alone is not enough.
If you aren't willing or authorised to do any of these, you can also disable Sticky Keys on the login screen:
- Open an elevated Command Prompt, i.e. run as Administrator
- Type or paste the following command, and press Enter
As it turns out, disabling Sticky Keys from your logged-in account doesn't stop Sticky Keys from popping up on the login screen (not the lock screen, keep in mind), because the setting you changed in Settings applies to the current user only.
We need to apply it system-wide, so that it won't be invoked even when no account is logged in, i.e. on the login screen.
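To check a machine for the swap described in Steps 10 to 12 and to apply the system-wide setting this section talks about, here is an added example written for this page (not the post's own command). It assumes an elevated PowerShell on Windows 10; the login-screen setting lives under HKEY_USERS\.DEFAULT, which is the profile in effect before anyone signs in.

```powershell
# Added example (not from the original post): detect a replaced sethc.exe and turn off the
# Sticky Keys hotkey for the logon screen. Run from an elevated PowerShell on Windows 10.
$sys32 = "$env:SystemRoot\System32"
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'

# 1. A swapped binary: identical hash to cmd.exe, or a version resource that says it is
#    really cmd.exe. (sfc /verifyfile=... is the heavier built-in alternative.)
$sameAsCmd   = (Get-FileHash $sethc).Hash -eq (Get-FileHash $cmd).Hash
$origName    = (Get-Item $sethc).VersionInfo.OriginalFilename
$nameMatches = $origName -like 'sethc*'

# 2. The other common hijack: an Image File Execution Options "Debugger" entry makes
#    Windows launch a different program whenever sethc.exe is started.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
$debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger

# 3. Logon-screen hotkey state. Flags is a string holding the SKF_* bit mask;
#    bit 0x4 is SKF_HOTKEYACTIVE (the five-times-Shift trigger). Default is 510.
$skKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys'
$flags = [int](Get-ItemProperty -Path $skKey -Name Flags -ErrorAction SilentlyContinue).Flags
$hotkeyOn = ($flags -band 4) -ne 0

[pscustomobject]@{
    SethcHashMatchesCmd = $sameAsCmd
    SethcOriginalName   = $origName
    SethcNameOk         = $nameMatches
    IfeoDebugger        = $debugger
    LogonHotkeyActive   = $hotkeyOn
} | Format-List

if ($hotkeyOn) {
    # Clear only the hotkey bit so the rest of the flags stay as they were (510 -> 506).
    Set-ItemProperty -Path $skKey -Name Flags -Value ([string]($flags -band -bnot 4))
    Write-Host "Logon-screen Sticky Keys hotkey disabled."
}
```

A True for SethcHashMatchesCmd, a False for SethcNameOk, or any non-empty IfeoDebugger means the login screen is already backdoored and the file (or the registry entry) needs to be restored, not just the hotkey turned off.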
Conclusion
The attacker has successfully compromised the system, gaining administrator-level privileges and setting up a backdoor account (hiddenuser) that the owner is unaware of.
The reason this works is that Windows doesn't check the integrity of the Sticky Keys executable: whatever file sits at System32\sethc.exe is simply run from the login screen.
Further attacks can be performed since the system is owned.
The Sticky Keys method also applies to Windows XP/7/8, but due to changes in the Automatic Repair method the way to perform the attack differs. We'll see that soon.
Stay Tuned.
Was this helpful ? Let me know about your experience. I would love to hear right from you in the comments
P.S: I respond to every comment
Next we will learn how to get root access on a Linux machine.
Keep Learning.