- Have you ever noticed that if you press your system’s SHIFT key >= 5 times continuously a pop up windows occurs with the name “Sticky Keys”? If it doesn’t pop up on your comp, then may be your shortcut is turned off. For enabling it, gotoControl
Panel -> Accessibility Options. In the accessibility options under the
keyboard tab, in sticky keys , click on settings and enable the
shortcut for sticky keys. And u can do this even with a guest account. - Finally if the following 2 requirements are setup on your system, then you are all set to enter into your admin’s account.
- On Pressing SHIFT >= 5 times, a pop up should appear.
- The windows System32 directory should be writable.
Concept:
When u press, the SHIFT key >= 5 times, a file with the name “sethc.exe” is
executed. You can verify this in TASK manager (don’t close the pop up
window). This file is located in C:\WINDOWS\system32 folder, or
where ever your windows is installed.
executed. You can verify this in TASK manager (don’t close the pop up
window). This file is located in C:\WINDOWS\system32 folder, or
where ever your windows is installed.
The Vulnerability
- When SHIFT key is pressed >=5 times, windows executes a file named
“sethc.exe” located in system32 folder. It doesn’t even check if its the
same file. Also it runs with the privilege of the CURRENT USER
which is executing the file i.e if u have logged on as a guest then in
the TASK manager under processes, it shows your user name as guest. - The file executes even if u log off, and have the windows login screen is
showed up, BUT THIS TIME SINCE NO USER HAS LOGGED IN IT RUNS WITH
SYSTEM PRIVILEGE.
Exploitation:
If u understand this much, then the exploitation is very simple for you. What we will do is that,
we pick cmd.exe , copy it at a folder other than system32, (because windows
won’t allow u to copy) rename it to sethc.exe, go to system32 folder,
and paste it. Windows will ask, “that another file exists, do u want to
replace?” and after pressing OK, you have replaced the sethc.exe with ur own
cmd.exe. Now if u press SHIFT key >=5 times, a command prompt will
pop-up.
Finally
- Now log-off or restart. When you reach the windows
login screen, press the shift key >=5 times. A command prompt will
pop up with SYSTEM privilege. - Enter the normal commands as follows:
- net user username /add
- net user localgroup administrators username /add
- And a new user called username with admin privilege will be added.
And thats it, you have admin privilege of the system and you can do what ever you want to with it.
Hiding your fake admin profile
Now you surely don’t want the real admin to track you. Here is what you will have to do to hide yourself from login screens as well as from control panel
Now you surely don’t want the real admin to track you. Here is what you will have to do to hide yourself from login screens as well as from control panel
- Goto registry editor and open this place.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
- Here create a new DWORD value, write its name as the “user name” that u created for your admin account.
Thats it now you are invisible but still admin of the system. Live as admin forever and keep screwing the real admin forever.
Last but not the least (IMPORTANT)
Windows has two type of login screens:
Windows has two type of login screens:
- Where the accounts are listed with some pictures.
- Where u have to write username and password.
After making the hidden account u will have to login through the 2nd step only. If ur login screen is of Type 1, press ALT-CTRL-DEL twice to get the 2nd type screen.
mr.genious, how do i write to system32 without admin priviledges ?
ReplyDeleteHe won't. For tis not his post, several people have copied this and pasted lol I don't think there's a way to give yourself write access unless you already have access to an admin account, in which case you wouldn't be needing any of the above information
ReplyDelete