If we have physical access to the machine (or RDP, in our case), we can backdoor the login screen to access a terminal without having valid credentials for the machine.
We will look at two methods that rely on accessibility features to this end.
Sticky Keys
Windows can be configured to use Sticky Keys for key combinations like CTRL + ALT + DEL. Sticky Keys allows you to press the keys of a combination one after another instead of all at the same time. With Sticky Keys active, you could press and release CTRL, press and release ALT, and finally press and release DEL to achieve the same effect as pressing the CTRL + ALT + DEL combination.
To establish persistence using Sticky Keys, we will abuse a shortcut enabled by default in any Windows installation that allows us to activate Sticky Keys by pressing SHIFT 5 times. After inputting the shortcut, we should usually be presented with a screen that looks as follows:
After pressing SHIFT 5 times, Windows will execute the binary at C:\Windows\System32\sethc.exe. If we are able to replace this binary with a payload of our choice, we can then trigger it with the shortcut. Interestingly, we can even do this from the login screen before inputting any credentials.
A straightforward way to backdoor the login screen consists of replacing sethc.exe with a copy of cmd.exe. That way, we can spawn a console using the Sticky Keys shortcut, even from the login screen.
To overwrite sethc.exe, we first need to take ownership of the file and grant our current user permission to modify it. Only then will we be able to replace it with a copy of cmd.exe. We can do so with the following commands:
C:\> takeown /f c:\Windows\System32\sethc.exe
SUCCESS: The file (or folder): "c:\Windows\System32\sethc.exe" now owned by user "PURECHAOS\Administrator".
C:\> icacls C:\Windows\System32\sethc.exe /grant Administrator:F
processed file: C:\Windows\System32\sethc.exe
Successfully processed 1 files; Failed processing 0 files
C:\> copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
Overwrite C:\Windows\System32\sethc.exe? (Yes/No/All): yes
1 file(s) copied.
After doing so, lock your session from the start menu:
You should now be able to press SHIFT five times to access a terminal with SYSTEM privileges directly from the login screen:
Utilman
Utilman is a built-in Windows application used to provide Ease of Access options during the lock screen:
When we click the Ease of Access button on the login screen, it executes C:\Windows\System32\Utilman.exe with SYSTEM privileges. If we replace it with a copy of cmd.exe, we can bypass the login screen again.
To replace utilman.exe, we follow a similar process to what we did with sethc.exe:
C:\> takeown /f c:\Windows\System32\utilman.exe
SUCCESS: The file (or folder): "c:\Windows\System32\utilman.exe" now owned by user "PURECHAOS\Administrator".
C:\> icacls C:\Windows\System32\utilman.exe /grant Administrator:F
processed file: C:\Windows\System32\utilman.exe
Successfully processed 1 files; Failed processing 0 files
C:\> copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
Overwrite C:\Windows\System32\utilman.exe? (Yes/No/All): yes
1 file(s) copied.
To trigger our terminal, we will lock our screen from the start button:
And finally, proceed to click on the "Ease of Access" button. Since we replaced utilman.exe with a cmd.exe copy, we will get a command prompt with SYSTEM privileges:
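Both methods leave the same traces: an accessibility binary whose contents are now cmd.exe, and a file owner changed from TrustedInstaller to the account that ran takeown. The following PowerShell check is an added example for detecting that (it is not part of the original walkthrough); it assumes the standard owner of System32 binaries is NT SERVICE\TrustedInstaller and uses the hash comparison and OriginalFilename check as heuristics.

```powershell
# Added integrity check for the accessibility binaries abused above.
# Flags a binary that matches cmd.exe by hash, has had its owner changed
# (takeown replaces TrustedInstaller with the calling user), or whose
# version resource no longer names the expected file.
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
$expectedOwner = 'NT SERVICE\TrustedInstaller'   # assumed default owner

foreach ($name in 'sethc.exe', 'utilman.exe') {
    $path  = Join-Path $system32 $name
    $hash  = (Get-FileHash $path -Algorithm SHA256).Hash
    $owner = (Get-Acl $path).Owner
    $orig  = (Get-Item $path).VersionInfo.OriginalFilename

    $findings = @()
    if ($hash -eq $cmdHash) {
        $findings += 'SHA256 matches cmd.exe'
    }
    if ($owner -ne $expectedOwner) {
        $findings += "owner is '$owner' (expected $expectedOwner)"
    }
    # Heuristic: -ne is case-insensitive, so sethc.exe vs SETHC.EXE is fine;
    # a copied cmd.exe reports Cmd.Exe here instead of the expected name.
    if ($orig -and $orig -ne $name) {
        $findings += "OriginalFilename is '$orig' (expected $name)"
    }

    if ($findings.Count -gt 0) {
        Write-Warning ('{0}: {1}' -f $path, ($findings -join '; '))
    } else {
        Write-Output "$path OK"
    }
}
```

Run it from an elevated prompt on a suspect host, or schedule it; a warning on either file is a strong indicator that the login screen has been backdoored as described above.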