How to brake into an operating system

go back / p4p1


Created on Tue. 28 Sep 2021


ad logo

Welcome back! Started working on a few blog-posts to come and had fun with the last dev-logs for XSS bomb that I found dope. I am also working on a blog post about game hacking I got a copy of assault cube I wanted to mess around with replaying packets to screw with the server a bit.

So for this blog post I wanted to write a quick essay on getting data from a unencrypted computer so that you can retrieve your files or just change the password. Basically booting into the machine without a password to booting into the machine with a password. I will be showcasing for linux and windows. I would like to do it with mac one day but I don't have one :/ to bad.

Linux

Let's start with the most basic one. Basically on linux there is a tool called chroot that basically allows you to load inside of an OS as root (Yes, that easy) and do whatever you want. I had a hard drive with a old install of Ubuntu gnome laying around my apartment before I moved out and I wanted to view what was inside. But the OS was protected by a password that I totally forgot since 5Years ago so I had to use a tool that I used to install arch-linux to boot into the OS from a sort of recovery mode and change the password

Let's say you are stuck on this screen. So the best thing for you to do is to get a copy of kali linux live usb (found here). Just quickly boot from that and open up a terminal. Keep in mind we don't want the installer iso because that would just be pointless.

From the terminal there are a few things we want to gather from the hard drive before starting. We mainly are looking for it's /dev/ file to then use chroot onto it. To do so run the following command:

          
            # fdisk -l
          
        

All of the commands have to be run as root so if it doesn't work just remember Root or you are doing something awfully wrong. This is the desired output from the previous command:

In my scenario the hard drive is located on /dev/sda1 in your case it will be different most of the time to determine which partition is correct you will need to look at the format type and if it's bootable and it's size. We are looking for the one with the OS saved (it usually is the biggest).

Above is the man of chroot so that you can look into it more but I basically will just mount the drive and use the easiest command ever which is:

          
            # mount /dev/sda1 /mnt/
            # /usr/sbin/chroot /mnt/
          
        

So to back track a bit we mount the drive to /mnt so that when we chroot we have the hard drive mounted. This part is critical in getting into the hard drive. If everything goes to plan you should be as root on the hard drive like so:

From there we can do whatever we want like login as any user change passwords etc..

          
            # passwd pleasebreakme
          
        

Now hopefully you understand the power of the chroot command now to windows!

Windows

For windows the approach is similar but different so you will need a windows iso (get here).

Imagine being stuck here so you can just boot into the iso that you previously downloaded and flashed on a usb. Booting on the iso should present you with the option to "Repair" you computer:

After selecting repair you should get a troubleshoot option which will give you more interesting things:

We are mostly interested in getting a Windows command prompt so that we can run commands from there. This shell tho is quite boring because it does not give you as much control so we need to fix that. To do so we will basically replace text to speech with cmd.exe. Remember the previous screenshot with the login page. Little known fact you are already signed in at that moment. You are actually signed in as NT AUTHORITY/SYSTEM which is basically root for windows. This will allow us to really have fun because if we get a cmd to pop up on that page we are basically golden. To do so just run those commands:

          
            X:> copy D:\Windows\System32\cmd.exe D:\Windows\System32\Utilman.exe
          
        

Of course if your drive is not D:\ change it to the appropriate one. From there just reboot into windows in safe mode. To do so inside of the recovery tool select Startup Settings mode it should prompt you with this page:

After restarting you can press f4 on the following page to boot in safe mode:

This safe mode boot will give you around 30 second window to type in you command to change the password so be quick you can use a rubber ducky for maximum effectiveness the command is:

          
            C:> new user Administrator /active passw0rd
          
        

From there you can reboot and login as Administrator with the password passw0rd.

Windows Dump Hash

Another cool trick with windows is that you can dump the SAM database if you boot on kali linux. That is what I used to use in high school to get some street cred. Like before boot on kali linux with the live version on the windows machine and open up the tool Ophcrack.

Inside of ophcrack load up an encrypted SAM through selecting the following folder:

          
            C:\WINDOWS\system32\config
          
        

You should then be presented with the ntml hashes that can then be decrypted locally or through a 3rd party service online.


Thank you for reading this post I'll be back soon with more ;) Consider reading the other posts and giving a shot at my tool xss_bomb

Questions / Feedback
For any questions or feedback you can contact me on LinkedIn or twitter / X. I also use twitter as a platform to update on new posts!
Donate
sponsor me image

If you like the content of my website you can help me out by donating through my github sponsors page.