Sethc: Access to every PC and become local Admin

This article talk about to connetting to a pc when you don’t have password and:
– you have physical access to the pc
– you can boot from a CD/usb/other HD

This is an old method that I rediscovered after many years and, with big surprise, is still present on modern MS operating systems (win 7 and 8).
At the base of this “feature” I’m going to describe there is a windows executable: c:\windows\system32\sethc.exe (but it’s not the only way: you can also use shutdown.exe).

If you have a Windows system you can activate this program by pressing 5 times the left SHIFT, this operation runs the executable (sethc.exe).

There are two problems if you analyze this situation: first it can be runned also in the login screen before authentication, second the privilege used to run the executable is SYSTEM (in the login screen no user is already logged in)
This is quite terrible.
Before, in XP sp2 and early xp sp3, this file was used to escalate privilege whitout phisycal access to the pc: the file was accessible by everyone and was not locked by the system, so a user could remove the legittimate sethc.exe, copy the cmd.exe from the same folder and rename it in sethc.exe.

What was the window that poped-up when the user hits CTRL for 5 times after this alteration? A CMD shell! What was the privilege of this shell? System!
Luckily Microsoft patched this problem in late XP sp3 and now the file is locked and can’t be manipulated when the Operating System is started, but the setch.exe is still there.

Some weeks ago I had some problems to access a windows laptop (win 7 SP1). Although I had the authorization to access to it I didn’t have the password to enter and no options to recover it. so I tried this:
I put a linux bootable CD and boot the pc using it. Then I simply mounted the windows file system and used some command like this:

[root@localhost /]#  mkdir -p /media/c
[root@localhost /]#  mount -t ntfs /dev/hd02 /media/c
[root@localhost /]#  cd /media/c/Windows/System32
[root@localhost /]#  cp sethc.exe _sethc.exe
[root@localhost /]#  cp cmd.exe sethc.exe

Than I rebooted the system from HD and, when in the login screen, I simply pressed 5 times the left SHIFT.Ta-da! I got a SYSTEM shell.
I used a basic command line to create a new user and put it in Administrators group and, less than 5 minutes later, I had the full graphic control of the box.

This caused me a hundred of ideas, so, put aside this latop, I went on with my tests.
I tried it over a Win8 box, on a domain PC and against a server with strong domain policy and every time it worked fine.

So this is my assume (but you can refute):
If you have physical access and if you can boot from an external device (using bios or physically adding a new HD to the pc case) you can log into a Windows pc using SYSTEM privilege.

That’s why in every Company, that believe in IT security, the external device booting, the PXE, and the access to the PC case must be regulated.

ASAP I will write some example to become Domain admin strarting from this point, to highlight how dangerous is every litle door that a sys admin leaves open.

Leave a Reply

Your email address will not be published.