Privilege escalation: Windows admin thanks to Linux

In this tutorial, I will show you how to secure administrator rights on Windows PCs using a live boot CD. We will simulate two scenarios:

1. activate an admin account
2. upgrading a simple user to the administrator group

We will do this by manipulating the SAM Security_Accounts_Manager using a live Linux system.

On a Windows system, the users users and sysadmin are created. User has no administrator rights, is password-protected and activated. sysadmin on the other hand, is a member of the local administrators, also password-protected but deactivated.

In principle, you can use any live distribution. I have decided in favour of Lubuntu:

https://lubuntu.me/downloads/

After the download you have to port the image file to a bootable USB stick or DVD. To ensure that the boot process runs smoothly, you should adjust the following settings in the bios:

• Deactivate SafeBoot
• Change the boot sequence to the appropriate medium

Now start Lubuntu and configure the following:

• Change keyboard layout to German
• Open terminal
• Update package sources

Now we can install chntpw using:

sudo apt install chntpw

We are looking for the Windows partition.

sudo sfdisk -l

In our example, we find them on /dev/sda3. We will mount this in the next step.

We need a mount point for the partition and create it in our $HOME directory.

mkdir ~/win

We then mount the partition.

sudo mount /dev/sda3 ~/win

Now we navigate to the SAM directory.

cd ~/win/Windows/System32/config

Now it's time to start the tool we just installed.

sudo chntpw -i SAM

chntpw appears as shown above. We select item 1 and see an overview of the users.

We now want to create the user sysadmin user and reset the password.

• Select sysadmin user (03ea)

In the next dialogue we see an overview of the user and can now edit it.

• Option 1 - Clear (blank) user password
• Option 2 - Unlock and enable user account

We have managed the first user. We acknowledge with q and select the next user user user.

• Select user User (03eb)

And now we set the following options:

• Option 1 - Clear (blank) user password
• Option 3 - Promote User

We return to the main dialogue and end the program with q. We confirm the subsequent enquiry as to whether we want to write to the SAM.

Lubuntu can now be closed and the computer shut down.

To start the computer now, the following things must be set in the BIOS:

• Reset boot sequence
• Activate SafeBoot

After a restart, logging in without a password is possible for the users user and sysadmin users. Both accounts are members of administrators and therefore have full authorisations.

sysadmin and user can log in without a password

A look at the PowerShell shows us that our changes were successful.

sysadmin is no longer deactivated

User is member of the administrators group

The following measures can be taken to prevent this type of manipulation:

• Make physical access to the machine more difficult
• UEFI password
• Drive encryption e.g. BitLocker
• Educate and raise awareness of the dangers