Exploitation Of Windows 7 Start Up Repair and Sticky Keys

<!--Not liable for damage to your system or any misuse of this info-->
<!--Please read the comments in the "Source Of Info". This may not work and can mess up your system-->


Exploitation of Windows Startup Repair and Sticky Keys:

Boot Windows and, when you see "Starting Windows", turn off the system.

[screenshot]


Turn the system on again and boot into Windows; this should pop up:

[screenshot]


Click "Launch Startup Repair (recommended)".
Let it do its stuff. When you get this screen, push "Cancel" (YOU MUST DO THIS; DO NOT CLICK "Restore"):

[screenshot]


After pushing Cancel, this screen should pop up:

[screenshot]


Click on "Show problem details", then scroll down to the bottom and click the link at the very bottom. Notepad should open up. In Notepad click File/Open, then double click your Local Disk (the picture below shows D: because of VirtualBox, but yours should be C: if you are not using VirtualBox).

[screenshot]


Once in your "Local Disk", click "Windows" then "System32". DO EVERYTHING I DO FROM THIS POINT! IF NOT YOU MAY BREAK YOUR COMPUTER! Scroll down and find "cmd", then make a copy of it in the same folder (Ctrl-C, Ctrl-V). You should get a file named "cmd - Copy" or something like that:

[screenshot]


Then find "sethc" in the same folder. This file runs Sticky Keys (that thing when you press Shift too many times). Rename it to "sethc 1":

[screenshot]


Then rename your copy of cmd ("cmd - Copy") to "sethc":

[screenshot]


Now exit Notepad and turn off your computer, either by clicking "Finish" or by restarting it manually. It should now boot up to the login screen:

[screenshot]


Press Shift 5 times to open up cmd (as seen above).
Next, we need to find out who your local administrator is. To do this, type "net localgroup Administrators" into cmd. This will show all the admins on your PC; look for an administrator account that does not have your school/work domain in front of it followed by "./". As you can see, one of the admins is named "qwaszx". It is common for schools to use random strings to ward off evil spirits (kids).

[screenshot]


Now we need to change the admin password. To do so, type "net user <ACCOUNT NAME HERE> *" into cmd, then type in your new password twice. Now you can log on to the admin account! But some schools/workplaces like to disable this account; if so, do the following:

[screenshot]


If the admin account is disabled, type "net user <ACCOUNT NAME HERE> /active:yes". This will allow you to access the admin account.

[screenshot]


(SOURCE OF INFO)
 
Last edited by Luglige,
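The file swap in the post above is something a defender can check for mechanically: the accessibility helpers under System32 (sethc.exe for Sticky Keys, and its siblings that the logon screen can launch the same way) should never be byte-identical to cmd.exe, and a renamed original like "sethc 1" should not be sitting next to them. The script below is an added example, not part of the original post or of Windows; it hashes those files, compares them to cmd.exe and, optionally, to a baseline of known-good hashes you recorded yourself, and reports leftovers. It generalizes the post's single sethc case to the other accessibility executables. The directory it builds in a temp folder is constructed sample data so the script runs anywhere; on a real host point it at C:\Windows\System32.

```python
"""Audit Windows accessibility helpers for a cmd.exe swap (added example; not from the post)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Executables the Windows logon screen can launch before anyone signs in.
# sethc.exe (Sticky Keys) is the one swapped in the post; the rest are the same kind of target.
ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_accessibility_binaries(system32: Path,
                                 baseline: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings for a System32 directory (an empty list means nothing suspicious).

    system32: the directory to inspect; a mounted offline image works as well as a live host.
    baseline: optional {filename: sha256} recorded from a known-good install of the same build.
    """
    findings: List[str] = []
    cmd_hash = sha256_file(system32 / "cmd.exe")

    for exe in ACCESSIBILITY_BINARIES:
        target = system32 / exe
        if not target.is_file():
            findings.append(f"{exe}: missing")
            continue
        digest = sha256_file(target)
        if digest == cmd_hash:
            # Exactly what the post produces: the helper is a copy of cmd.exe.
            findings.append(f"{exe}: byte-identical to cmd.exe (replaced)")
        elif baseline and exe in baseline and baseline[exe] != digest:
            findings.append(f"{exe}: hash differs from baseline")

    # The post renames the original to "sethc 1" and leaves it behind; look for such leftovers
    # (same base name followed by a space, dash or a different extension).
    for exe in ACCESSIBILITY_BINARIES:
        base = exe[:-4]
        for stray in sorted(system32.glob(f"{base}*")):
            low = stray.name.lower()
            rest = low[len(base):]
            if low != exe and (rest == "" or not rest[0].isalnum()):
                findings.append(f"{stray.name}: unexpected file next to an accessibility helper")
    return findings


def build_demo_tree(root: Path) -> Path:
    """Constructed sample System32 reproducing the post's end state (fake bytes, not real PEs)."""
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    fake_cmd = b"MZ-constructed-cmd-bytes"
    (system32 / "cmd.exe").write_bytes(fake_cmd)
    (system32 / "sethc.exe").write_bytes(fake_cmd)                    # the swapped-in copy
    (system32 / "sethc 1.exe").write_bytes(b"MZ-constructed-sethc")   # the renamed original
    for exe in ACCESSIBILITY_BINARIES[1:]:
        (system32 / exe).write_bytes(b"MZ-constructed-" + exe.encode())
    return system32


def demo_findings(baseline: Optional[Dict[str, str]] = None) -> List[str]:
    """Run the audit against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_accessibility_binaries(build_demo_tree(Path(tmp)), baseline)


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
    # Live host (run elevated): audit_accessibility_binaries(Path(r"C:\Windows\System32"))
```

Hash equality only catches the exact copy the post describes; a stronger production check compares each helper against the copy Windows keeps under WinSxS, or reads the OriginalFilename field of the file's version resource, which still says "CMD.EXE" after the rename. The swap itself needs write access to the system volume from outside the running OS, so full-disk encryption (BitLocker, which comes up later in this thread) together with a locked boot order removes the precondition, and a reboot-to-restore product such as Deep Freeze undoes the change on the very reboot the procedure depends on.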

Joom

> To the contrary, if you wanted to get really evil you could install a keylogger and get people's passwords. Then after doing that you could create a Sigaint email and then email all the students (while using Tor and a VPN in a coffee shop) with an injected .doc file (using a RAT client) and make it look legit, type:
> "School project idea"
> and then the file.
> Make them run it and boom, got 20 infected PCs for your botnet!
If the schools were smart, they'd have Deep Freeze installed on all PCs. Mine eventually started doing that. Also, you can't inject DOC files. There are CVEs that generate MS Office 2007 macros that remotely download payloads, but these really only work in countries where governments supply OS updates. Also, using php-sendmail to spoof a domain without DKIM keys (most schools don't use these) is a smarter idea than Sigaint. As far as a keylogger goes, I wouldn't rely on that as they can be incredibly insecure. Using a stealer like Pony is much more efficient and secure.
 

Luglige

> If the schools were smart, they'd have Deep Freeze installed on all PCs. Mine eventually started doing that. Also, you can't inject DOC files. There are CVEs that generate MS Office 2007 macros that remotely download payloads, but these really only work in countries where governments supply OS updates. Also, using php-sendmail to spoof a domain without DKIM keys (most schools don't use these) is a smarter idea than Sigaint. As far as a keylogger goes, I wouldn't rely on that as they can be incredibly insecure. Using a stealer like Pony is much more efficient and secure.
Oops Meant PDFs xD and Sigaint is anonymous and will work fine.
 

Joom

> Oops Meant PDFs xD and Sigaint is anonymous and will work fine.
Anonymity means nothing compared to legitimacy. There are free shell providers you can install PHP on that are just as anonymous. If you need more, VPSs go as cheap as $5 a month. Also, you'll catch more fish with extension spoofing using the Unicode reverse character. PDF injection requires a very specific CVE and version of Reader.
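The "Unicode reverse character" Joom mentions is the right-to-left override (U+202E): a name such as invoice_<U+202E>fdp.exe is stored with a .exe extension but displayed as invoice_exe.pdf. The Python below is an added example, not code from anyone in this thread; it is the check a mail gateway or file-share scan would run, flagging filenames that carry bidi control characters and whose displayed extension disagrees with the real one. SAMPLE_NAMES is constructed test data, and the rendering function is an approximation of how a bidi-aware display shows such a name.

```python
"""Flag filenames whose bidi control characters disguise the real extension (added example)."""
from typing import Dict, List

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends an embedding/override
# All explicit bidi controls; their presence in a filename is unusual outside RTL-language names.
BIDI_CONTROLS = frozenset(
    ["\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
     "\u2066", "\u2067", "\u2068", "\u2069"]
)


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware display shows: reverse the run after each RLO."""
    out: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name: str) -> Dict[str, object]:
    """Compare the stored extension with the one a user would see."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    real_ext, shown_ext = _extension(name), _extension(shown)
    return {
        "name": name,
        "controls": controls,
        "real_extension": real_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        # Controls alone are not proof (Arabic/Hebrew names use them); a mismatched extension is.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


def scan_names(names: List[str]) -> List[Dict[str, object]]:
    """Return the inspection records of the names that should be blocked or quarantined."""
    return [rec for rec in map(inspect_filename, names) if rec["suspicious"]]


# Constructed sample attachment names.
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "invoice_" + RLO + "fdp.exe",                 # displays as invoice_exe.pdf, runs as .exe
    "photo" + RLO + "gnp.scr",                    # displays as photorcs.png, runs as a screensaver
    "\u05d3\u05d5\u05d7" + "\u200f" + ".docx",    # Hebrew name with a harmless RLM mark
]

if __name__ == "__main__":
    for rec in scan_names(SAMPLE_NAMES):
        print(f"{rec['displayed_as']!r} is really .{rec['real_extension']} {rec['controls']}")
```

The Hebrew sample shows why the rule keys on the extension mismatch rather than on the mere presence of a control character: right-to-left filenames legitimately contain marks, so blocking every bidi control would generate false positives, while a stored extension that differs from the displayed one has no honest use.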
 

Joom

> That made me vomit.
You'll learn. Just because you're anonymous doesn't mean you seem legitimate. In the black hat world, legitimacy means everything. I'm not suggesting you shouldn't be anonymous, but the idea is to socially engineer your victims at all costs.
 

Luglige

> You'll learn. Just because you're anonymous doesn't mean you seem legitimate. In the black hat world, legitimacy means everything. I'm not suggesting you shouldn't be anonymous, but the idea is to socially engineer your victims at all costs.
That's true. But are 12 year olds really gonna notice another email extension? If it wasn't this scenario, yeah, I would want to use something more legit, but this is 12-18 year olds we're talking about :P Also, stop acting like you're greater than everyone else. It's not very cool :P
 

Joom

I do have a point. You've only touched topsoil compared to a lot I've seen. I'm not being arrogant, it's just the truth. If you're serious about entering the world of information security, you're gonna meet a lot meaner people than me.
 

osaka35

Tech horror stories? Oh lawed, I have a few. Mainly silly people who don't understand basic things, like you have to plug in a PC to the wall for it to have power. Or what a "mouse" is, or what a "window" is. Those are fun people to walk through troubleshooting over the phone. They're never easy problems either.
 

Luglige

> Tech horror stories? Oh lawed, I have a few. Mainly silly people who don't understand basic things, like you have to plug in a PC to the wall for it to have power. Or what a "mouse" is, or what a "window" is. Those are fun people to walk through troubleshooting over the phone. They're never easy problems either.
Speaker: No I have an apple.
Operator: Ok what are you doing with it?
Speaker: Eating it.
Operator: ...
Operator: What is your computer? Windows, Mac?
Speaker: Oh Windows XP
Operator: And your problem is?
Speaker: It's not turning on?
Operator: What are you pressing?
Speaker: That long button in the center on the bottom
Operator: That's not what you're supposed to press. Press the circle with a line through it; it should be on the side or on the top-left or top-right.
Speaker: Oh Ok, thanks!
-Hangs Up-
 

osaka35

> I do have a point. You've only touched topsoil compared to a lot I've seen. I'm not being arrogant, it's just the truth. If you're serious about entering the world of information security, you're gonna meet a lot meaner people than me.
Any advice or guides you would suggest us casuals read to get up to speed and have as much knowledge as you? :D From beginner to elite, if you've a desire to help spread the knowledge love. And I mean that completely seriously, I honestly wish to learn more than I do.
 
Last edited by osaka35,

Kayot

Long post. If you're just skimming save some time and skip this one.

I'm a new IT hire. I used to wonder why everyone wanted five years of experience and a bachelor's. Now I know. They want to know that the person they're hiring is both competent and ready to do the job.

The place where I work is extreme entry level. Like, I'm not getting anywhere near what I should be. I'm OK with that since all I have is an associate's from a degree mill. I could write a book on how I feel about degree mills. My main goal is to get experience and a letter of recommendation.

When I entered this shop in March of last year, they were using two Windows NT 4.0 machines, one for the file server and one for the Domain Controller. They had a rack server sitting on a desk running Server 2008 R2 running SQL Server 2008. All the computers were using XP x86. Every system was a different model. They had Access 97 running backups, logs, and part of the database. The primary front end that all the people in the office used was an Access 97 database.

All the variables were global and oftentimes derived from other variables. The majority of subroutines were stored in a module despite only being used in one place. This front end also served a host of command line programs that did a variety of different tasks. One was to use FTP to upload files that clients might request. The site was written in a combination of pre-written JavaScript, PHP, and HTML. The PHP was written as long sheets of code in a daisy chain where one would pass to the next. There weren't any functions or subs at all. Changing database credentials would require 20+ edits.

There was a machine sitting in a wide open room that had the backups on it. This machine also ran a copy of the front end that did said various tasks. Backups from the SQL Server were being handled by an Access 97 program that sent the SQL command to the server to do the backup.

Also, all the servers were sitting out in the open with the ADDC sitting next to a publicly available printer.

One of my personal favorite issues is that every now and then the Access 97 front end will just stop compiling. I have to empty a module, remake it and put all the code back into it just to get it to compile.

It gets worse. I wrote an eighteen page report on the setup, the issues, and how I felt about it. I submitted this to the owner and generally expected my brief career to end in flames. The kludge was just too much for me.

So the owners call me into their office. I figure I'll say something witty or condescending and then go back to the warehouse I crawled out of. They say, "Can you rebuild our setup?"

Now, dogs chase cars. If they ever caught one... well, they wouldn't know how to handle it, assuming they didn't die in the process. I was that dog. I told them I could rebuild the whole thing in two years at 40 hours a week, I'd need a key, and it would cost them $20,000 in both hardware and software. This was in January of this year.

Flash forward...

I'm almost done. I won't tell them that until I know it to be true.

The whole setup is now on a single server. I virtualized Exchange and I've brought the website home. The company that was handling it (email, website) had a nasty tendency to stop working and when I would call them up, the issue was always on my side. As in the whole United States and any proxy servers I tried.

I decided to use Exchange mainly because the Owners wanted everything to be Microsoft and I couldn't use Linux; even in a virtual terminal, since I'm writing manuals and they are actually reading them. I couldn't drop something like Postfix or Dovecot without them Googling it. Side note, I was putting some crude jokes in there since I assumed only IT would read them. Not the best idea I've ever had.

Exchange Server likes to om nom nom the memory and is dependent on the ADDC, so I have it starting after the main server is up. I did a taboo and put the SQL Server on the ADDC, mainly to cut hardware costs. I considered vSphere, but the cost was too great and the features were overkill for my needs. I decided that Hyper-V was a good trade-off.

I have the server doing its own backups. I have it using deduplication instead of compression. The drives are scrubbed once a month. Every day the backup drives fill another 20~80MB instead of the 28GB daily backups they used to have. The drives will die before they fill up. The main drive is in a RAID 1.

The Access 97 front end was using a lot of reports. They were terribly written and I often spent hours hunting down all the parts to do simple fixes. I remade those in SSRS and put them on the SQL Server. The SQL went from several steps, temporary tables, VBA functions, and stored procedures to single code executions that half the time fit nicely as a single stored procedure or function directly in the SQL Server. I considered Crystal Reports, but I didn't use it and I'll explain why in a bit.

The whole system is encrypted using BitLocker set to 256-bit AES-CBC. Once Server 2016 is released I plan to bump that to AES-XTS. I'll also bump SQL Server 2014 to 2016 and compress the audit tables. I'm already using Exchange 2016.

The original website was a PHP nightmare even after I did some maintenance to relocate all the credentials and common code to a single functions file. The HTML was created using a WYSIWYG editor. So I scrapped it. I figured, they have an MS box all the way, so I'm going with an IIS ASP.NET setup. What goes great with ASP.NET? SSRS! No more crazy report generation, print to PDF, and send to site. Now the client can generate their own reports and save them in whatever formats the report tool exports to.

The new desktops are all running Windows 10. I'm using an ADDC authenticated network unlock for the systems' BitLocker. I've implemented Roaming Profiles and Personal Folders and locked out the rest of the system. They've gone from Office 97 to Office 2016. I upgraded the network from 10/100 to gigabit. I built all the computers myself. I insisted on i5 4k Intels instead of that Celeron/AMD crap. All systems are identical. Their BIOS/EFIs are of course locked out.

I tried to put a focus on security.

As this is my first job, I'm sure I've made lots of mistakes. I constantly think about how I would go about attacking the system. Twice now I found security holes. In both cases it required intimate knowledge of the system.

The replacement front end isn't quite ready. One thing that keeps slowing me down is feature creep. The owners look at my dev builds and then get stars in their eyes. I've written way too many custom controls. The word innovation is now cringeworthy. The worst part is I'm still supporting the older front end. I had to explain that I can't innovate while holding on to the original architecture.

Current issues are, we're not using the R in RDBMS. Foreign keys are a foreign thought. We have a ton of orphan entries. We are storing our audit tables in the main database. We have tables that only I can access and aren't being used. The naming convention is terrible and has no real standard. The main table needs to be split up. Sections of other tables need to be on the main table. Sections of other tables need to be on other, other tables. The file system is a chaotic mess with no logical structure and so far my attempts to organize it have been met with extreme resistance from the staff. This same staff didn't notice that I removed 9/10ths of the files and assured me that they need every file on the server and that they use them all, all of the time. We aren't using FILESTREAM on files that the database references and that aren't interacted with anywhere else. This last one will be fixed once I kill Access 97.

My main hurdles have been the owners and staff. While the owners have been very lenient of the whole project, I feel like they think I'm taking my time. The staff tries to be helpful, but they are fixed in their ways. I could automate some of their jobs, but I don't want anyone to get terminated. The job that is in the most danger is mine. Once this is done, I'm so replaceable. I'm making thousands of comments and notes, writing manuals, and documenting everything. Something I wish my last five predecessors would have done. The problem is that this makes replacing me really easy. This is both a good thing and a bad thing.

I'm only one guy and I'm basically rebuilding an entire IT infrastructure with no real experience. The degree mill was awful and didn't teach the basics. It was more expensive than a traditional college too.

My pay is $16 an hour before taxes. I made $19.50 in the warehouse. This work is fun and I enjoy doing it, so I'm willing to take the pay hit. When I took this job I had no idea what I was getting myself into. I've done things with SQL and .NET that I didn't know were possible just a year ago. I like to look back at where I started rather than where I'm going. The journey looks like it will be so long and I've only been on it for a short time. It's when I look back that I see how far I've come. Then it doesn't seem so hard.
 

Joom

> Any advice or guides you would suggest us casuals read to get up to speed and have as much knowledge as you? :D From beginner to elite, if you've a desire to help spread the knowledge love. And I mean that completely seriously, I honestly wish to learn more than I do.
I don't know where to begin honestly. There's so many topics within the field that I really don't know a good starting place for most people.

These are some good blogs to keep up with.
http://krebsonsecurity.com
http://www.malwaretech.com/
http://www.xylibox.com/ (not as updated anymore but the guy behind it is a very talented reverse engineer)
http://malware.dontneedcoffee.com/
http://thehackernews.com/

You can also search on YouTube for speeches at the Defcon and Virus Bulletin conferences. If you want a basic understanding of malware encryption, Google for "The Crypter Blueprint". It doesn't go entirely too in depth and only covers VB6 crypters, but it's worth a read.
 

Youkai

You know IT security is something you can study, right? As Joom said, there are a lot of things you would need to learn and it could possibly take you several years, and after that a lot of your knowledge is outdated again XD

Maybe start with the basics like some network protocols ... if you know exactly how they work you can use this to your advantage ... some basic stuff like DNS attacks still usually work, so you could build your own gbatemp and make some DNS server link gbatemp.net to your IP instead of the real one xD

But you need to learn how all those things work ...
 

Joom

> Maybe start with the basics like some network protocols ... if you know exactly how they work you can use this to your advantage ... some basic stuff like DNS attacks still usually work, so you could build your own gbatemp and make some DNS server link gbatemp.net to your IP instead of the real one xD
DNS hijacking isn't that simple. The three ways it can be done are by having access to the domain's registrar account, by having access to the hosting server for the site, or by malicious hosts file manipulation on the target victim's local machine. A fourth way is ARP poisoning with Ettercap, though a lot of routers and personal firewalls prevent this now.
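Of the routes Joom lists, the hosts-file one is the easiest to audit on an endpoint: every non-comment line is an address followed by one or more names, so any line that pins a domain you care about, or maps a public-looking name to a routable address, stands out. The Python below is an added example, not code from anyone in this thread. SAMPLE_HOSTS is constructed data in the format of C:\Windows\System32\drivers\etc\hosts, and the watched-domain list and internal suffixes passed in demo_findings are assumed policy values you would replace with your own.

```python
"""Audit a Windows hosts file for entries that hijack name resolution (added example)."""
import ipaddress
from typing import Dict, List, Sequence

# Constructed sample in the format of C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# constructed sample hosts file
#   127.0.0.1   localhost
#   ::1         localhost
127.0.0.1   mydevbox.local
192.0.2.10  gbatemp.net www.gbatemp.net   # pins a public site to an address it does not own
10.0.0.5    intranet.corp.example
0.0.0.0     ads.example
"""


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per non-comment line: line number, parsed address, lowercase names.

    Lines whose first field is not an IP address are kept with an 'error' key so the
    auditor can report them instead of silently skipping them.
    """
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            records.append({"line": lineno, "error": f"unparseable address {fields[0]!r}"})
            continue
        records.append({"line": lineno, "address": addr,
                        "names": [n.lower() for n in fields[1:]]})
    return records


def audit_hosts(text: str, watched_domains: Sequence[str],
                internal_suffixes: Sequence[str] = (".local", ".localhost")) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong.

    watched_domains: domains that must never be pinned in hosts (your own, your IdP, banks...).
    internal_suffixes: name endings that legitimately map to LAN addresses.
    """
    watched = [d.lower().lstrip(".") for d in watched_domains]
    findings: List[str] = []
    for rec in parse_hosts(text):
        if "error" in rec:
            findings.append(f"line {rec['line']}: {rec['error']}")
            continue
        addr = rec["address"]
        # 127.0.0.1 / ::1 and 0.0.0.0 only sink traffic (dev boxes, ad blocking); a routable
        # address, public or LAN, actually redirects the name somewhere else.
        sinks_only = addr.is_loopback or addr.is_unspecified
        for name in rec["names"]:
            if any(name == d or name.endswith("." + d) for d in watched):
                findings.append(f"line {rec['line']}: {name} pinned to {addr} (watched domain)")
            elif not sinks_only and "." in name and not name.endswith(tuple(internal_suffixes)):
                findings.append(f"line {rec['line']}: {name} -> {addr} "
                                "(public-looking name mapped to a live address)")
    return findings


def demo_findings() -> List[str]:
    """Run the audit over the constructed sample with assumed policy values."""
    return audit_hosts(SAMPLE_HOSTS, ["gbatemp.net"], (".local", ".corp.example"))


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
    # Live host: audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read(), [...])
```

Two rules are deliberately separate: a watched domain is reported no matter where it points, because there is no legitimate reason for it to be in hosts at all, while the looser "public-looking name to a live address" rule is the one you tune with internal suffixes so that intranet names do not drown the real findings.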
 

TheLegendofMario

So at my high school the computers are running Windows 7 and they're so slow, and me and a friend are mainly Linux users. The tech guys hadn't locked the BIOS on most of the computers, so we were booting Linux during our Intro to Computers class (the only computer-related class there). Every week we would be booting different distros, until one day they cracked down on my friend for running Kali; they disabled his computer account, which forced him to bring his ThinkPad to school. It was so nice while it lasted.
 
