hack Windows before even finishing setup
Key Takeaways
The video demonstrates how to hack Windows before finishing setup using various techniques such as shift F10 hotkey, accessibility tools like magnifier, and registry tweaks, highlighting potential cybersecurity vulnerabilities in the Windows installation process.
Full Transcript
Security researchers found a new way to break out of the Windows installation process or OBE, the outof-box experience that allows them to get into a local administrator's command line. Let me show you. So, to be able to play with this, I'm going to be using a Windows 11 virtual machine that I have set up here in VMware Workstation. Now, this is a completely fresh VM. I wanted to be able to show you this process just so we could get into that OBE or out ofbox experience that you might be used to to set the keyboard configuration to add new users to deal with privacy settings yada yada yada. So from here we're booting into Windows for the very first time. Say we're booting up to the installation media, the disk to be able to actually install Windows. And let me cruise through this process just so we can see where we would usually land. I don't have a product key in this case. And once we get through here, it'll ask us, oh, what version of Windows do we want to install? I'll use Windows Pro. Whatever. Click on next. But then it'll tell us, hey, currently right now, as it stands with my virtual machine, we're not able to run Windows 11 because Windows 11 was one of the first ones that required a TPM or trusted platform module. You might have seen that screen where it was checking our PC if it were able to run Windows. But we know, or you might know, I think I've showcased this in a video, or at least I really hope so. we can bypass the TPM check or even the RAM check, storage check, CPU check, and all of the checks that Windows does to determine whether or not it's able to be installed. Let me just speedrun through this and then we'll get to the actual OB breakout. We could, if we really wanted to, modify the settings of the virtual machine and then just add hardware for a TPM or trusted platform module. Now, I can't do that right now because the machine is on, but even when we do this, then the drive gets encrypted and you can as easily clone the VM from a snapshot or any other use case. So, I really like to try and bypass those checks. But here's the thing, I always forget how to do this. I feel like I've done it once and it was sort of a set and forget because then I have a base image or VM that I can use and clone and use for any purposes that isn't drive encrypted. So, anyway, I needed to go track down the steps again to install Windows 11 into VM without TPM. Now, there is a manual way to do this by opening regedit and using the command prompt to create a couple registry tweaks, but this is all done via a terminal that you open at this guey or graphical user interface screen using the special hotkey combination shift F10. That'll open up the command prompt and you'll be an administrator. So, that technique, which is not what we're talking about today, has historically been used for quite a bit to be able to add other local admin accounts, back door system when you have access. But what I want to do is use these commands that essentially do all the same thing as the manual action, but I can at least copy paste that into the VM. So, back at the Windows installation prompt, before we've even done this, let me go ahead and shift F10, get that admin prompt open, and then I'll rightclick and actually go to the edit window to paste in all of these commands. And to be clear, with shift F10, you do get that admin prompt, but that can be disabled. So, this is all about another way that you could actually break out of this OBE out-of-box experience during the installation process. And I want to show you that now that we can finally get Windows installed. Let me click through again. We'll get to the install process after we agree to the terms. Yep. Yep. Yep. Looks fine to me. Let's go ahead and install to the VM disc and go ahead and do it. Okay. Now that Windows is installing, after that, we can take a look at the OBBE breakout. It's easier than you think. But before we do, while we're waiting for Windows to install, please let me take just a quick moment to tell you about the sponsor of today's video, Anyesk. The best choice for remote desktop access. Anyesk is fast, even on low bandwidth connections. With 99.98% uptime, it's reliable, backwards compatible with older operating systems, even with file transfer functionality, and a clean user interface. It feels like you're sitting at the remote device. And the best part is Anyesk is completely free for personal use. There are customtailored business plans to help your whole team stay connected with tons of use cases like video editing, remote 3D printing, and general collaboration across your organization. Connect your own devices for access anywhere and even help support family members with troubleshooting and those everpresent tech support asks. Use Anyesk to save time and effort with the easily customizable, secure, and smart choice for remote access. Whether it's in the cloud, on premise, or even on mobile, Anyesk is trusted by over 185,000 businesses worldwide. Get started with Anyesk and connect your world with my link below in the video description. jh.live/nyesk. Huge thanks to Anyesk for sponsoring this video. Okay, now Windows has been installed to the disc and it's booting up for the very first time to the OBBE or out ofbox experience. Remember, this is when it'll ask you about your region, your location, the privacy settings you want, adding a second keyboard layout, all that. But the question is, how could we get an administrative command prompt? So, we could do whatever we wanted to do even from this screen. Well, we know that we could use that shift F10 hotkey to be able to open up that admin command prompt, but that could be disabled. That might be turned off on some systems. So, what are the alternatives? Well, think of when you're usually operating and working on your Windows desktop. Well, you could open up the start menu or I don't know, you hit control altdelete maybe. Let me try that real quick. We could try here. I'll send control altdelete to that virtual machine, but nothing really happens. I can I can keep clicking that and it's just not doing it right. So this is where it's simple because in all reality we could use some tricks using some of the even accessibility tools that are available here for us. So if I click that menu down at the bottom you might be able to see the magnifier contrast themes narrator voice access on screen keyboard etc. But magnifier is actually a special one because that will open up another window for us. If I click that on you can see it's opened up and now I'm zoomed in to the 200%. Let me bring that out to 100%. But while I have this window open, it's another window. So I actually get to do a little bit more regular Windows desktop things like alt tab on my keyboard and switching or navigating between different windows. We could see what's open, even the Microsoft account kind of vague amorphous blob there. And we could even use the Windows key and R on our keyboard to open up the run dialogue box. So I pressed that. You might not have seen it. You might have seen oh the screen flicker for a quick second. We lost focus to the magnifier because it's been created. It's opened the window, but it's in the background. It's behind the screens. Then we can't really see it. But if I alt tab, we do have a run dialogue box. I can click into it, and it's still not shown. It's still not present or visible, but it is focused. So, I could type in here cmd.exe. And if I wanted to hit enter to open up that command prompt or I could hit control shift enter on our keyboard and that will run it with administrator privileges like UAC user account control. We get our little popup. Do you want to allow this app to make changes to your device? Windows command processor cmd.exe. Yes, but it doesn't show up. It's still in the background though. If I alt tab look around, there is our administrator prompt. And I can try and type in here who am I? Even if I can't see it, I'll hit enter. And it's really tough to see, okay, the results there. But you can run commands. So you can net add local admin, create another backdoor user, do anything else you might particularly want to. Now, I've tried to experiment with this. I've wanted to use like alt space to open the context menu, and then alt space m to try and move it. You can see my cursor jumped, and I tried to drag that around, but it's still just stuck behind the scenes. Maybe alt space x to maximize it or alt space n to minimize it and then try and bringing it back. It doesn't seem to work. I've even tried to close that Microsoft account. So nothing else really changes. Just now that window's gone apparently, but you can still type in execute run commands. How could we get this to the foreground? I don't know if you always need to, but remember we were discussing shift F10. That might not always be available, but if it is, let me show you. We could close out of uh the magnifier and then try to close out alt space c for our command prompt there. Now clicking into obe the regular out of boss experience if I did that shift f10 obviously administrator command prompt opens and I can run who am I here you'll see we are the user default zero which is currently in the net user administrator groups. We could actually go take a look at that. net local group administrators default user zero will give you the admin access right then and there but now that we've opened this window if I were to try to use the windows key and R the run dialogue box is completely visible and any subsequent things that we open like another cmd.exe exe will be displayed in the foreground because I guess the shift f10 terminal lets us bring that there and Windows is installed. You can see our prompt in the command prompt is a C colon drive no longer the X colon drive like you saw before we had installed cuz it was on the disc. So we could do anything on the Windows system. Neat. Cool. I hope that's just neato. And again maybe some of you are thinking like okay so what this only happens when the machine is being provisioned or just set up but I want to talk about that. I also want to discuss and chat a little bit more about the Shift F10 old school option. Please let me give credit where credit is due. This was seen, found, discovered, shared, and publicized just a bit ago, uh the 12th of August by an individual, another security researcher or folks doing this stuff with the handle BKA. The about section here, he discusses how he writes about it and security and in-depth technical stuff. He's on Blue Sky X or LinkedIn. So, big shout out, credit, kudos, props, all the things that reserve for Bastion, senior security consultant at SSSE Secure in Germany and handle BKA. I'll be sure to put his link, his blog, all the references in the video description. Now, he discusses the Windows OBE or out ofbox experience breakout, discussing how we can get into that default user zero admin command prompt. And then he sets the stage, you know, telling everyone that the Windows out-of-box experience is everything that we're used to. You could end up using that with CIS prep. So if you're preparing golden images, maybe you steamrun roll over that, maybe using the initial configuration for the settings or it could just be brought up with any sort of machine management like intoune. When shift F10 kind of was hitting the streets as folks were able to use this to do whatever they might want to even when the Intune company portal had machines get reset, then they could do anything from there. But if the shift F10 hotkey were not desired, you could end up removing it or disabling it by placing an empty file with this specific name in this specific folder. There's another blog or link to be able to discuss that. I think this is uh Rudy who is putting this out and discussing a lot of things that would be handy and helpful to do and have here. And then he uncovered that with that specific file. So again, link in the video description if this is interesting or helpful for you. But now with shift F10 out of play and hey, we need some other potential alternative. Is there a way to do a breakout? He's thinking, you know what, this is simple. This is easy. Just use the run dialogue box and you aren't relying on shiftn. You can still run commands while you use that magnify.exe and the rest of the regular Windows tricks. He's got a sweet gif here or a little animated gif, however you weirdos like to pronounce it. Now, he uses the onscreen keyboard, which I think is handy. You can use that, but I did want to demonstrate pressing the keys naturally on your keyboard. Once you have the magnifier open, it'll just work. Obviously, this could be used and abused to create backdoor accounts or manipulate the system, do whatever you would like. And Microsoft doesn't consider that really a security issue because OOB is going to naturally run an admin session and leaving the new device unattended during the setup is like leaving the machine unlocked. Totally true. He gets into a little bit more Intune specific stuff that I hope might be helpful for some of you. Granted, I don't think I am too smart on that. I do want that to be available though. So again, links in the video description. And I think it's another neat little thing just to be able to pop open that admin command prompt.
Original Description
https://jh.live/anydesk || Join the fight against scammers alongside AnyDesk, with fast remote desktop software and access from anywhere! https://jh.live/anydesk
https://blog.kanbach.org/post/windows-oobe-breakout-revived/
https://call4cloud.nl/the-oobe-massacre-the-beginning-of-shift-f10/
https://bsky.app/profile/bka-sec.bsky.social
https://www.linkedin.com/in/bastian-kanbach/
https://x.com/_bka_
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Active Directory Enumeration & Password Spraying: A Hands-On Guide
Medium · Cybersecurity
The Quantum Internet Explained: How the Next Generation of Communication Could Be Unhackable
Medium · Cybersecurity
Zero Trust Starts Before Login: Lessons From Cloud Security
Medium · DevOps
Zero Trust Starts Before Login: Lessons From Cloud Security
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI