It is less common than it used to be to find Windows 7 Operating systems in place, have they are still found across domains. Sometimes forbespoke applciatiosn or services that can’t be ported onto upto date Operating Systems for ‘reasons’.
I had this scenario on an engagement where I was in an office presented with a Windows7 Desktop, it was a BlackBox unautenticated test and the idea was to see if it was possible to get soem sort of access onto the domain using the workstation as an entry point. Just a not upfront that the only reason what im about to explain worked is because the hard drvie was not encrypted and that Bitlocker or other Hard Drive Encrypting software was not present at the time of the engagement. If it were then this would not have been possible using the method below.
AS i didnt have access to a Disc Drive, and the USB ports were all locked down in the BIOS that was password protected, I found that by turning on the workstation and then ubruptly switching it off as a dirty shutdown for about 5 times when I saw the Windows 7 logo, that as expected I presented with the Startup Repair menu.
From here I could perform tasks that would, in theory help to repair the hard drive that may of come corrupt in response to my intentional rebooting of the Operating System. I found that by starting the repair then cancelling it, or waiting for it to complete i was presented with a message that read “Startup Repair cannot repair this computer automatically” with the option to send a error report to Microsft. I f we then look at the details of this and scroll to the end, there is a link to read the privacy statement. By clicking on this, we are presented with the privacy statement opened with Notepad. Because we have Notepad open, we can use the ‘File’ menu to facilitate us in displaying access to the hard drive, system folders as we would have using Windows Explorer.
From here the would be multiple ways to achieve my goal, however the route I took was to use the ‘sethc.exe’ binary which is used for the sticky keys software on Windows 7. The reason we use this binary is that it is one of the only applications we can run from the login screen of Windows 7 before logging into the Oprtating System. We can invoke it by tapping the ‘Shift key’ 5 times.
So using this logic, we rename sethc to something else, doesnt matter what it is, followed by renanming cmd.exe to sethc.exe, when we invoke it during a normal boot by hitting Shift 5 or so times, the Operating System will look for a file called sethc.exe and run it. This will run our renamed Command Prompt file and present us with the Command Prompt on the screen.
As no one has loggedinto the machine at this time, the cmd.exe process is ran with SYSTEM level privileges. This level of privilege allows us to create a local administrative account, set a password and then add this account to the local administrators Group of which we can then use to log into the Operating System.
A created a video of this a while ago when i personally discovered i could do this, although this isnt anything that hasn’t be done or documented before and ahs been know for a long time - seems i was the only one who didn;t know about it!
Check out the video below, maybe it will be useful to you during an engagement if you are in the position I was.