n3s0 || journal

    Playing With The Windows 10 Sticky Keys Bypass

    Posted on 5 mins

    Infosec

    Table of Contents

    Summary

    Old but gold way for getting into workstations in any sense. Haven’t needed to use it. But, decided to try it. Now its time to document.

    Sticky Keys is an accessibility feature in Windows so modifier keys like Ctrl and Del remain as if they’ve been pressed even after they’ve been released. I’ve never used it. But, it’s intended to relieve stress from your fingers so you don’t have to keep holding down those keys.

    Sticky Keys is generally activated by pressing the Shift key five times. The name of it’s executable is sethc.exe. and it’s located in the C:\Windows\System32\ directory. This can be done anywhere you can visibly see in Windows. This includes your Desktop, Login Screen, other Desktops, etc.

    For system recovery reasons this “feature” is useful because if I need to I can do this to access almost any Windows 10 workstation that isn’t protected by a BIOS password or some sort of full drive encryption like Bitlocker. However, someone who is more skilled will not be detered by these things. It will just take more time.

    In this post I am using an installer for Windows 10 20H2. You will boot to a USB flash drive and access a command prompt. This will copy the binary that runs Sticky Keys to another directory and put the command prompt in the same directory as the sticky keys binary. Once you attempt to initiate Sticky Keys after booting to Windows again. An admin shell will pop up instead of Sticky Keys. Create a new user as a local administrator and you’re done.

    I will also provide a method for cleaning up after yourself when you’re done doing this.

    Performing The “Exploit”

    Performing the exploit can consist of going into Advanced Recovery Options and opening a command prompt. In the beautiful year of 2021, you have to login to a local administrator account that’s on the computer. But, if you need to do this when you don’t know the password. It’s kind of hard to do so.

    I will document how I did it. I will leave some instructions out just to keep this brief. Hopefully I explain this well enough without having to provide too many pictures.

    1. Create a bootable USB of Windows 10.
      • I will probably need to create an instructional on this at some point.
      • For now, go to the following link, download the file, and have a USB flash drive that is at least 8 GB so you can go through the process of creating the bootable USB disk.
    2. Boot to the Windows 10 flash drive on your computer. This should boot to the installation for Windows 10.
    3. In the initial page for Windows Setup, make sure the language and keyboard locals are set correctly and click Next.
    4. Click Repair your Computer.
    5. Click Troubleshoot.
    6. Click Command Prompt. This will open up a command prompt that is on the USB disk.
    7. Verify that you can see the C: drive/partition using the fsutil command.
    X:\Sources>fsutil fsinfo drives

Drives: C:\ D:\ X:\
    1. Looks like the C: drive/partition is available for abuse. We will copy the sethc.exe file to the root of the C: drive and then copy cmd.exe to C:\Windows\System32\ while renaming it to sethc.exe. Once that is done, I’ll exit the command prompt.
    X:\Sources>copy C:\Windows\System32\sethc.exe C:\sethc.exe
X:\Sources>copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
X:\Sources>exit
    1. Click Continue.
    2. Spam your Shift key about five times and a black Command Prompt will appear. You should have Administrator access to the workstation. Should also be able to enter any command that you see fit. In my case, I needed to access a workstation, so I just typed the following commands to create a local administrator account for myself. Then I exited the command prompt.
    C:\WINDOWS\System32>net user timbo password /add
C:\WINDOWS\System32>net localgroup administrators timbo /add
C:\WINDOWS\System32>exit
    1. Once the command prompt has been closed, go ahead and login to the workstation using the newly created account. You should be a local administrator on the computer and all that fun stuff.

    Cleaning Up

    This section will explain how to cleanup once the process is completed should anyone wish to.

    1. Reboot the computer.
    2. Boot to the Windows 10 flash drive.
    3. In the initial page for Windows Setup, click Next.
    4. Click Repair your Computer.
    5. Click Troubleshoot.
    6. Click Command Prompt. (This will open a command prompt.)
    7. Copy the sethc.exe file back to its original location using the following command. Type yes to the prompt.
    X:\Sources>copy C:\sethc.exe C:\Windows\System32\sethc.exe
Overwrite C:\Windows\System32\sethc.exe (Yes/No/All): yes
        1 file(s) moved.
    1. Delete the sethc.exe file in the C:\ drive.
    X:\Sources>del C:\sethc.exe
    1. Exit out of Command Prompt using the exit command.
    2. Click Continue.
    3. You can now login using the new account or test to see if Sticky Keys is functioning the same by pressing the Shift key five times.

    Mitigations

    There isn’t a whole lot you can do to mitigate this that. Not simple ways anyway. You could disable Sticky Keys all together. But, I don’t see much of a benefit to that. If a user actually uses it, they wont be able to. Two basic ways to prevent or make this more difficult can be shown below.

    1. Configure a BIOS password on your workstation.
    2. Utilize Bitlocker or another full disk encryption mechanism.

    Yes, you will need another password to login to your computer. If you don’t decide to do it, it can still happen. These are simple ways it can be prevented. Microsoft doesn’t plan on fixing this really. Mostly because Sticky Keys is a feature in Windows. There are other ways. I will need to do more research on them before I provide them for discussion.

    Conclusion

    In this article, I showed one method of performing the Sticky Keys Exploit. This is something that I’ve understood the concept of, just never needed to perform practically for myself until now. I also explained one way of cleaning up after yourself after the accounts you want to create, are created.

    I will provide more ways to mitigate from this. But, unless your laptop is stolen and people aren’t breaking into your laptop to do this, you should be fine. Hope someone learned something from this experience. I certainly learned a few things. Have an awesome day, everyone!