1. Hack Administrative Access Windows 7
The PC was designed for the user to only have standard user account privilege (near guest account) where the user only have the right to read and execute certain data and application. Unlike administrator account doesn’t have the privilege to modify the PC’s setting for example uninstalling admin’s program, editing the registry, modify the services, set the startup, etc.
Here a method is explained for a standard user or non-user at all to gain administrative access. The method uses physical means through a bootable media such as CD or USB thumb drive to gain access to administrative command line (cmd.exe here) in order to create an administrator user using the vulnerability of sticky key (sethc.exe here). The simulation here uses Virtual Machine (VM) of Windows 7 since I don’t want to mess with my real Operating System (OS) (using VM is a great alternative for home experiment).
The concept is to use the vulnerability in Sethc.exe, more details can be referred to below video.
- Try hitting “Shift” button more than 5x, a sticky key should pop.
- Go to C:\Windows\System32.
- Replace “Sethc.exe” with “cmd.exe” by copying “cmd.exe” and renaming to “Sethc.exe”.
- Try hitting “Shift” button more than 5x again, a command prompt should pop.
2. sethc.exe vulnerability
The goal is how to unleash command prompt at startup. Sometimes the safe mode to start command prompt is disabled so another method is needed. The method here is to use the vulnerability in sticky key, replace “sethc.exe” with “cmd.exe”. To do this anything that could have the permission to read and write data on system’s directory will do. On the field I need to execute this quickly to avoid suspicion, so I boot “FreeDOS” from USB with “NTFSParagon” in it to write “cmd.exe” on the host’s directory. I even brought my own cmd.exe because the limit of “NTFSParagon”.
An easier way is to live boot an Operating System (OS) such as Windows, Linux, and MAC. The issue is the OS commonly used by people…