It was 9 P.M., I was staring at my laptop screen, like most of the time, and I was bored. So I logged out of my Windows 10 account and then wanted to log back in. Silly, right? I remember the password, I could just type it in. But that's not fun! So I decided to pull some old-school Windows hacks to get me in.
Of course, normally you would do all this if you forgot your admin password and want to reset it, or maybe your Windows crashed and you want to recover some files, but hey, boredom is a REAL thing too!
We are on the login screen. We have three icons in the bottom right corner. On the extreme right we have the power button, where we can shut down or restart the computer. Let's restart the computer while holding the SHIFT key to access the Advanced Options in Windows. We have a lot of options here. We have a command prompt too! Let's go there. As soon as I click on it, Windows wants us to choose an account and enter that account's password. Duhh!
I tried the other options too (just one more, to be honest, I am lazy!), but Windows needs a password for everything. Pretending like it's secure. Duhh! OK, maybe this is too normal for Windows, you know, holding SHIFT and restarting. Let's scare it with some really odd situation.
If something goes wrong while Windows boots, like a power loss or any other weird stuff, it goes into a self-repair mode. We can simulate that, I guess! Let's shut down the laptop. Now start it, and while Windows boots (you know, that never-ending stupid loop!), hold the power button for 5 seconds and kill the power. Again, start the laptop, and while it boots, kill the power. OK, Windows is convinced there is something wrong. The next time I boot up, it goes into Repair mode and now I again have the troubleshooting options. Go to Troubleshoot -> Advanced Options -> Command Prompt, but again it wants a password. What!!
Now, if you want, you can play around with Startup Settings, boot into Safe Mode and try some stuff there, or maybe do System Image Recovery (if you see that option) and mess with the Windows registry hives, but that's boring! Let me just get my USB and just enter, Mr Robot style!
I took my 16GB SanDisk Cruzer Blade. Fortunately, I also found a Windows 10 ISO which I had downloaded for a VM at some point, but if you don't have that, you can always download the Microsoft Media Creation Tool and build one from there (it's just a few clicks!). Now, to burn the ISO to the USB, I used Rufus, which is amazing, I mean literally, it makes the process so easy. Just plug in your USB, it will automatically detect it, select the ISO you want to burn, and it does all the work for you.
Now we have our bootable USB ready. Normally you can't just plug in the USB and boot Windows from it; it will still boot from the Windows Boot Manager. To boot from USB, you have to change the boot priority. Enter the BIOS setup (for HP, just hold down the ESC key while starting the machine) and in the boot options put USB at the top. Now, if you created the ISO with the Media Creation Tool, it is official and there shouldn't be any problem booting it, but mine was not an official Microsoft Windows 10 image. I tried booting with it and the Windows Boot Manager took precedence. To make it work, I had to DISABLE Secure Boot in the BIOS.
Secure Boot is a UEFI firmware feature which checks the signature of the software you are booting so that untrusted code can't load (Duhhh!). So, turn that off and you are good to go.
Now plug in the USB, boot the machine and you will have the standard Windows installation box appearing on the screen.
Press SHIFT + F10 and you are in a command prompt (a limited command prompt). Now you have to find your system drive.
You will see all the partitions now; the biggest one is usually the one we want (or just try them one by one). Mine was C:. Go to the real stuff, System32.
    C:
    cd Windows
    cd System32
Now we are in the System32 directory, where all the magic of Windows lives. We want to exploit anything that we can access from the login screen. On the login screen we have three buttons, and in the middle we have EASE OF ACCESS, which is Utilman.exe. Let's copy cmd.exe over it. Then we can access CMD from the login screen.
    copy Utilman.exe Utilman1.exe & rem keep a backup for reverting later
    copy cmd.exe Utilman.exe
Now exit the Windows installation and remove your USB, so Windows boots normally from the hard drive. On the login screen, click on the Ease of Access button and we have cmd running as SYSTEM, with full admin rights. Now do whatever the F*** you want to do. You can reset the admin password and get in, but I love being sneaky. I went with making another account and putting it in the Administrators group.
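From the other side of the desk: this is what an admin would run on the booted machine to find the swap described above. It is an added example, not part of the original post; the list of accessibility binaries beyond Utilman.exe and the one-week-old backup heuristic are my assumptions, and the real fix for the underlying problem (anyone who can boot their own media can rewrite System32) is full-disk encryption, which the post does not cover.

```powershell
# Added defender-side check, not from the original post. It looks for the swap the
# post performs: an accessibility binary in System32 that is really cmd.exe.
$system32 = Join-Path $env:SystemRoot 'System32'
# utilman.exe is the one the post replaces; the others are also launchable from the
# logon screen, so the same check is applied to them (assumption: this list).
$accessibilityBinaries = 'utilman.exe','sethc.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'
$cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

$findings = foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    [pscustomobject]@{
        File         = $name
        # A copied cmd.exe is still a validly signed Microsoft file (its hash is in the
        # Windows catalog), so the signature check alone does NOT catch the swap...
        SignatureOk  = ($sig.Status -eq 'Valid')
        Signer       = $sig.SignerCertificate.Subject
        # ...comparing the hash with cmd.exe does.
        SameAsCmdExe = ($hash -eq $cmdHash)
        # Renamed backups next to the original (the post leaves Utilman1.exe) are a tell-tale too.
        StrayCopies  = (@(Get-ChildItem -Path $system32 -Filter ($name -replace '\.exe$', '*.exe') |
                          Where-Object Name -ne $name | Select-Object -ExpandProperty Name) -join ',')
    }
}
$findings | Format-Table -AutoSize

$suspicious = $findings | Where-Object { -not $_.SignatureOk -or $_.SameAsCmdExe -or $_.StrayCopies }
if ($suspicious) {
    Write-Warning "Accessibility binary tampering suspected: $($suspicious.File -join ', ')"
}

# The post had to turn Secure Boot off to boot its unofficial ISO; make sure it is back on.
# Confirm-SecureBootUEFI throws on legacy-BIOS machines, hence the try/catch.
try {
    if (Confirm-SecureBootUEFI) { 'Secure Boot: enabled' } else { Write-Warning 'Secure Boot: DISABLED' }
} catch { Write-Warning "Secure Boot state could not be read: $_" }
```

Run it from an elevated PowerShell prompt; if it flags a binary, `sfc /scannow` restores the genuine copy from the component store.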
    net user Elliot Elliot /add
    net localgroup administrators Elliot /add
Now reboot the computer and we can see the login option for our new user. WE ARE IN. Don't forget to cover your tracks (the obvious ones at least) on your way out. Windows may be insecure but it LOGS a lot of stuff. Delete the user you created. Put Utilman back to normal and just sneak out (in case it was someone else's computer xD).
Hope you learned something new, and thanks for reading.
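The post is right that Windows logs a lot of this: the two net commands and the clean-up above each leave a Security-log event behind. Here is an added example (not from the original post) that pulls them out and flags the pattern; the seven-day window is my assumption, and the event IDs 4720, 4726, 4732 and 1102 are the standard Windows account-management and log-cleared events.

```powershell
# Added defender-side example, not from the original post. It reads the Security-log
# events that "net user ... /add", "net localgroup administrators ... /add" and the
# later clean-up leave behind. Needs an elevated prompt, and account-management
# auditing must be on for 4720/4726/4732 to be recorded at all.
$lookback = (Get-Date).AddDays(-7)      # assumption: a one-week window is enough
$eventIds = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4732 = 'Member added to a security-enabled local group'
    1102 = 'Audit log cleared'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$eventIds.Keys
    StartTime = $lookback
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        What    = $eventIds[$e.Id]
        # For 4732 the member is in MemberSid (MemberName is often '-'); otherwise TargetUserName is the account.
        Target  = if ($e.Id -eq 4732) { $data['MemberSid'] } else { $data['TargetUserName'] }
        Group   = if ($e.Id -eq 4732) { $data['TargetUserName'] } else { '' }
        Subject = $data['SubjectUserName']
        # A cmd launched from the logon screen runs as SYSTEM, so the subject shows up as the
        # machine account (HOSTNAME$) instead of a logged-on user. That is the tell.
        FromSystem = ($data['SubjectUserName'] -like '*$')
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

# Accounts created and then deleted inside the window match the post's
# "delete the user you created" clean-up step.
$created = $report | Where-Object Id -eq 4720 | Select-Object -ExpandProperty Target
$deleted = $report | Where-Object Id -eq 4726 | Select-Object -ExpandProperty Target
$shortLived = @($created | Where-Object { $deleted -contains $_ })
if ($shortLived.Count) { Write-Warning "Created-then-deleted accounts: $($shortLived -join ', ')" }
if ($report | Where-Object Id -eq 1102) { Write-Warning 'Security log was cleared inside the window' }
```

Forwarding the Security log off the box is what makes the last line useful; a 1102 that only lives on the machine it was cleared from is not much of a record.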