Trouble getting into windows 7 computer


(idenatin) #1

I’m out of ideas :frowning: . I have physical access to a windows 7 computer and I’m trying to get admin on it. CMD is disabled by network administrator for basic accounts, but using the live boot method of renaming the startup shortcuts (such as magnify or osk) to cmd, I have some level of access using cmd prior to signing in. Although I can use net user commands and it says they were successful, signing into hidden admin account, making an account admin, or changing an admins password doesn’t work. I’ve tried clearing the passwords using chntpw in kali, but no luck. I did find that the hidden admin account is in fact enabled through chntpw, but can’t sign into it. I was recently told to try using mimikatz, but I can’t run it (blocked by administrator). The only thing I can think of now is using Ophcrack and someone create a custom work list (never used Ophcrack) and try to brute force the login. Anywho, I’m curious on others thoughts. Thanks in advance. :helicopter:


#2

There are UAC bypasses available to acquire administrative access. What you require is a technique called DLL Hijacking and it is detailed here by our @Joe_Schmoe on Null Byte - Bypass UAC Using DLL Hijacking.


(idenatin) #3

Cool. I’ll check that you. Thank you.


(Monkey Wrench) #4

Also check out tools for offline password reset / blanking. Sorry for not providing links for the lookup, but haven’t used 'em in a while, so I won’t recommend anything particular.

The method relies on the fact that the password hashes are stored in the SAM store of Windows registry. If you have phys access, you can modify the reg with any registry offline editor (admin tools, freely available) and blank out the entry or set your own hash.
If the default local admin acc is used, it always has the same SID, so it’s easy to recognize.
If you blank out a local entry for a Domain Admins login (cached/offline login has to be enabled, is by default), the computer will revert to a local (user) login only.

NOTE: although this is the same method used by chntpw, the tool itself didn’t always work for me, that’s why I’m posting about the general method.

Good luck!