After showing this to friend today i thought i should also write it down for quick reference. There’s nothing new here, this trick has been around forever - but it’s the best, quickest example i have of how unencrypted windows disks are dangerous from a data theft perspective, but also because they allow for simple local machine compromise.

If your Windows machine doesn’t have full disk encryption, it’s probably going to be possible to get root level (nt authority\system) access to the machine in five minutes or less.

Requirements:

• Just a Windows 10 bootable image. (USB, ISO or DVD is fine, depending on the machine you are breaking). Also, this works on servers.

Process:

Reboot the machine with the bootable Windows media in the drive (or mounted as an ISO)

Start the installation process

Press “shift” + F10 on the first screen the locate the drive letter of the OS you are targeting (it wont always be c: - you might have to try a few options)

Then we backup sethc.exe and replace it with cmd.exe

copy c:\windows\system32\sethc.exe c:\windows\
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

We exit out of setup and let the machine reboot to the normal login prompt.

Now, just press the ‘shift’ key five or so times.

You’ll get a command shell, and the command shell will be in the context of the nt authority/system user; in other words root, god mode, or whatever you like to call it. It’ll all over from there.

For a quick example i use the shell to add a new account that is a local admin, but you can get as creative as you like.

net user /add hackerman P@ssw0rd123
net localgroup administrators hackerman /add

Dont forget to use the .\ syntax to log in with your local admin account if the machine is domain joined, otherwise it will go looking for the hackerman account on the domain.

And, we’re done. In under five minutes :)