Quick Summary: We are going to learn how to hack Windows 8 and get administrator rights to anyone without knowing the login information. This was my solution during a hackaton that happened here in Australia some time ago and I decided to share with you guys.
If you’re really in a hurry, here’s how it works…
Before the solution, a quick chit-chat…
The debugger process takes very high execution precedency in Windows. As a matter of fact, the debugger actually is running at the moment in your windows background and you never realised that.
If you’ve been around long enough to remember the old MS-DOS days, back then there was an application called SideKick. SideKick was executed at the computer boot and then stayed there hibernating. Then when the used pressed Ctrl+Alt, it magically appeared in the screen. It was awesome! Best thing ever! You could call this application from anywhere. It was done because during the initial execution, SideKick placed itself between the keyboard pressing command and the actual call in the CPU. It was a “man in the middle” kind of application, for the good.
That’s the same principle here, and to prove the point that the debugger is always running on Windows we will do this cool experiment in 3 Steps:
1) Open RegEdit and find the Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
2) Create a new string key called DisplaySwitch.exe. In this key set Name: Debugger, Data:cmd.exe
3) Lock your windows and press WindowsKey+P
Amazing hey! You’re calling the Command Prompt from your windows login screen. How about that for a power show-off with your infrastructure friends
The Explanation
The Debugger process is always running and intercepting all the calls made on windows, even during the login screen, and checking against the list defined in that registry key we talked about at the beginning. Now we only had to find an application, a service or anything that can be executed and send the instruction to the debugger to execute something else for us. That’s where the DisplaySwitch.exe comes into play.
DisplaySwitch.exe is executed when we press WindowsKey+P to allow us to select multiple monitors. The registry entry says “If the DisplaySwitch.exe gets called, call the Debugger instead and pass the parameter cmd.exe”. We are intercepting the keyboard call and making it execute the command prompt. Neat hey!
by Edge Pereira