Hacking a Locked Windows 10 Computer With Kali Linux - Pentestmag

by Graham Zemel, blog.grahamzemel.com


TL;DR: A neat trick I learned to hack locked Windows computers and access files. No, it’s not clickbait, but a bit of prior CLI knowledge is recommended.

For a while now, Windows has held off and disappointed hackers with somewhat secure lock screens for their computers. However, this exploit can bypass these login screens and gain access to internal files. I’ll be doing a full walkthrough of exactly how I did it, and hopefully you can get some use out of it.

Disclaimer: Do not do anything mentioned or explained in this article to another person or entity without their permission, and I am not responsible for any actions taken using information from this post.

With that taken care of, let’s get started!

This is a neat bypass method, but you’ll need a few things before you get started:

    • A Kali Linux bootable USB (I’ll be making a short ‘how-to’ article after this is posted for those who aren’t familiar with Linux)
    • Legal access to the computer you’re testing on
    • (Optional) A bit of command line knowledge helps, but it’s not necessary.

Physically, you just need a Kali Linux USB. Then, we can head over to the ‘victim’ computer and begin.

1. Boot up the computer on Kali Linux (do NOT complete the boot)

Hopefully you read ahead a bit and didn’t actually load into the Kali Linux OS, because we do need to edit a few things once we get to this screen:

Once you’re on this screen with ‘Kali GNU/Linux’ highlighted, press ‘e’. This will bring you to the edit screen for the boot option, and you’ll need to edit a couple of things for our purposes.

2. Edit boot code

Once you’ve hit ‘e’ and made it to this screen, you’ll see something a bit like this, probably at a different resolution. My text looks compacted because I’m on a virtual machine, but it makes little difference for our purposes. Somewhere on your screen, you’ll see ‘ro’ followed by either ‘single’ or ‘quiet splash’.

You’ll need to change ‘ro’ to ‘rw’, as we have above. Then, after either ‘single’ or ‘quiet splash’, add ‘init=/bin/bash’. Press Control-X to reboot, and if everything works successfully and you’re presented with a shell, move to step 3. Otherwise, repeat the process and change ‘/bin/bash’ to either ‘/bin/zsh’ or ‘/bin/csh’.

3. Root shell! Retrieve and modify some info with our root permissions.

Great. Now we’ve got some things we can do on this machine. We’ll run ‘mount’ to check our work, and if we’re still in the shell everything is good to go.

Run this command to view the usernames registered on the machine:

cat /etc/passwd

This will presumably dump a considerable amount of information, so you might need to sift through it to find the exact username you’re looking for. It should look a bit like this:

root:x:0:0:root:/root:/usr/bin/zsh
...
graham1234:x:1000:1000:graham1234,,,:/home/graham1234
...

A basic command after that…

passwd graham1234

and it will let you enter a new password, with no checks or authentication required. It works like this for administrative and, pretty much, worst-case recovery purposes, but we can use it to our advantage as pen-testers.

4. Lastly, reboot the system

Use this command to reboot, and you should see the default Kali Linux login page:

exec /sbin/init

You should be brought to this page:

Sign in with the credentials you modified before, using the equivalent of ‘graham1234’ and the password you just set. You should be able to access that user’s filesystem, and now that you’ve changed their password you can use things like ransomware or steal their files (legally, of course). Pretty neat!
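From a defender’s side, the walkthrough above only works because nothing stops you editing the GRUB entry and the root filesystem is readable and writable from that emergency shell. The following added POSIX shell script, which is not part of the original post, audits those two controls on a Linux install; the function names, the PLACEHOLDER values in the sample configs, and the assumption that any crypttab mapping means the root device is encrypted are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Linux install for
# the two controls that defeat the GRUB 'e' + init=/bin/bash walkthrough,
# namely a GRUB superuser password (editing entries then needs auth) and an
# encrypted root device (the emergency shell cannot read /etc/shadow).
# Paths default to the live system; pass other files to audit offline.

grub_menu_locked() {   # $1: grub.cfg
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

root_is_encrypted() {  # $1: crypttab; any active mapping counts (assumption)
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -q .
}

# Prints findings; returns 0 when both controls are present, 1 if exposed.
audit_bypass_exposure() {
    grub_cfg=${1:-/boot/grub/grub.cfg}; crypttab=${2:-/etc/crypttab}
    exposed=0
    if grub_menu_locked "$grub_cfg"; then
        echo "OK   : GRUB edits require a password ($grub_cfg)"
    else
        echo "RISK : GRUB entries are editable at boot with no password ($grub_cfg)"
        exposed=1
    fi
    if root_is_encrypted "$crypttab"; then
        echo "OK   : an encrypted volume is opened at boot ($crypttab)"
    else
        echo "RISK : no encrypted volume in $crypttab; /etc/shadow is writable offline"
        exposed=1
    fi
    return $exposed
}

# Constructed sample configs (PLACEHOLDER UUID/hash, not real values) so the
# audit can be exercised without touching a real machine; prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf "menuentry 'Kali GNU/Linux' {\n  linux /boot/vmlinuz root=UUID=PLACEHOLDER ro quiet splash\n}\n" > "$d/grub.weak"
    { printf 'set superusers="admin"\npassword_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER\n'; cat "$d/grub.weak"; } > "$d/grub.hard"
    printf '# no encrypted volumes configured\n' > "$d/crypttab.weak"
    printf 'cryptroot UUID=PLACEHOLDER none luks,discard\n' > "$d/crypttab.hard"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then   # sh audit.sh --demo
    s=$(make_samples)
    audit_bypass_exposure "$s/grub.weak" "$s/crypttab.weak" || echo "=> exposed"
    audit_bypass_exposure "$s/grub.hard" "$s/crypttab.hard" && echo "=> hardened"
fi
```

Run it with no arguments on a real box to audit /boot/grub/grub.cfg and /etc/crypttab, or with --demo to see both verdicts on the constructed samples.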

I hope this post was informative or helpful to you in some way. If you enjoyed learning about this method, hold down the clap button for a few seconds to support me. If you’d like to see similar articles, check out The Gray Area or grahamzemel.com.

To really contribute to my work and help me out as a writer, sign up for a Medium membership using my referral link.

Thanks!


Originally published at: https://medium.com/the-gray-area/hacking-a-locked-windows-10-computer-with-kali-linux-82298bc28974

Featured Photo by Renato Ramos Puma on Unsplash

November 14, 2022

5 Comments
punshLineLama
21 days ago

I don’t see how a locked Windows 10 PC gets hacked?
You can bypass a kali login screen, yes, but windows??
So it seems like click-bait after all.

Justin
20 days ago
Reply to punshLineLama

He wants to access the filesystem of the Windows 10 user, if you read the article he does so using a modded boot loader

punshLineLama
13 days ago
Reply to Justin

Ok, help me understand this pls. From what I understand: We have a kali live USB? What for? Do we boot into it? Anyhow, we somehow end up in the bootloader. The boot options for kali (which is already installed?) are modified, correct? Then we get a root shell on kali? Then, we change the password of the user graham1234 of kali? (Afaik, /etc/passwd does not exist on windows, maybe wsl? And the home partition of this user is /home/graham, which is clearly on the kali machine.) Then, reboot and log into kali with the modified creds? We never…

Graham
7 days ago
Reply to punshLineLama

Hey there! Just to answer a few questions –
Yes, we have a Kali Linux USB, and we are booting into it but not all the way. We stop the boot to modify our bootloader, and we use the modded Kali distro to access the actual machine itself.

After, we can access credentials stored on the hard drive (through our root permissions), and then if we reboot we can get a GUI with an unprotected filesystem.

The Windows 10 machine is the machine we’re working on, and we don’t need to mount it as we’re just retrieving files and/or credentials.

punshLineLama
7 days ago
Reply to Graham

Hi Graham, thanks for the clarification. But there are a few things that are still not clear to me. You boot into the live USB, but then kali is on a different partition than the Windows OS? Maybe I need to try it myself to see how it works exactly. I know the infamous sticky keys method to bypass the windows login screen, but afaik it does not work on modern windows workstations anymore. This method seems to be similar but different. Anyhow, it’s an interesting method to bypass the kali login screen. Maybe you could add some more…

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013