Hacking Devices with Physical Access
⚠️ WARNING!
This article is only intended for educational purposes. Attempting anything mentioned in this article without permission could result in legal or other consequences. You attempt anything mentioned in this article at your own risk. The CerebralDatabank (Gopal Othayoth) does not guarantee the validity of the information provided in this article and assumes no liability for any damages caused by this article and actions mentioned herein. Remember that by accessing and using this website, you are agreeing to the CerebralDatabank ToS.
Steps for various operating systems are included in this article. Also take note that these only provide local administrator access, not domain administrator access.
Windows (all versions, including Windows 7)
Note: This method requires the following:
- Personal computer
- An empty (you will lose everything on this drive, so back up all files on it beforehand) USB flash drive with a minimum of 2 GB
- Go to your personal computer.
- Download Rufus (a bootable USB drive creator).
- Download the latest version of Ubuntu (Any live environment will work, but Ubuntu is highly recommended since it is signed by the Microsoft Secure Boot key, so it will boot on UEFI Secure-Boot-enabled Microsoft systems). Make sure the file you downloaded is an ISO file (e.g. ubuntu.iso).
- Use Rufus to write the Ubuntu ISO to your USB flash drive. WARNING: You will lose everything on this drive, so please back up any files located on it.
- Go to the target computer.
- Turn the computer off. (If the OS is Windows 8 or higher, hold Shift while clicking Shut Down or clicking Restart to disable the "Fast Startup" feature.)
- Turn it on, and repeatedly press the UEFI/BIOS key.
- Choose the option that directly boots from USB, if available. If there are only options to change the boot priority order, move the USB device option to the top of the list (or most priority/try booting first, so the computer boots from a USB first if detected instead of the internal storage) and reboot.
- Wait for Ubuntu Live to boot.
- Select "Try Ubuntu", "Try Ubuntu without installing", or any option that says "Live CD".
- Open the Ubuntu file manager, select "Other locations" (or any similar options) and mount the computer's internal storage.
- Navigate to C:\Windows\System32\.
- Find Utilman.exe and rename it to Utilman.exe.hacked (or another random file extension).
- Make a copy of cmd.exe and rename it to Utilman.exe
- Close all windows and restart the computer.
- At the login screen, click on the Ease of Access button (usually at the bottom left corner).
- An administrator command prompt window should appear. Run the following commands (change usernames and passwords to your preference):
> net user Hacker /add /active:yes
> net user Hacker * - When prompted for a password, enter one or just leave it blank and hit Enter twice.
- Run the following commands:
> net localgroup users Hacker /delete
> net localgroup administrators Hacker /add
> exit - Restart the computer and log in to the newly created Hacker account (or whatever you named it).
- To return the computer to normal functionality, log in to the Hacker account, delete the Utilman.exe, and rename the Utilman.exe.hacked file back to Utilman.exe. If you want to remove the Hacker account as well, remove it first and then use this tutorial except restore the original files in the Ubuntu file manager.
Note: The UEFI/BIOS key may be different on different machines. Keep rebooting and try different keys (all function (F1, F2, etc.) keys, Del, Esc, etc.). You should arrive at a menu where you can boot from a specific device or change the boot priority order.
Windows 7 (no extra hardware required)
- Turn off the computer or laptop.
- Turn it back on. As soon as you see the Starting Windows screen, hold down the power button until the computer turns off. The computer must be force-shutdown during the Starting Windows screen, so start holding down the power button as necessary (depending how long a force shutdown takes for the device, usually it's 5 seconds) to make sure the computer turns off at the "Starting Windows" screen. (The goal of this step is to force-shutdown the computer during its boot process.)
- Turn the computer back on.
- Select "Launch Startup Repair".
- Wait for the system scan. After about 3-5 minutes, it will ask you if you want to use System Restore. Press "Cancel".
- The scan will continue for about 15-20 minutes. Wait for it to complete.
- A window will pop up asking to send error information to Microsoft. Click "View problem details". Scroll all the way down and click the offline privacy policy link (it will usually be X:\Windows\System32\en-US\errofflps.txt or at least start with X:\).
- Notepad will open. In Notepad, click File > Open...
- In the Open File dialog, navigate to C:\Windows\System32\.
- Find Utilman.exe and rename it to Utilman.exe.hacked (or another random file extension).
- Make a copy of cmd.exe and rename it to Utilman.exe
- Close all windows and restart the computer.
- At the login screen, click on the Ease of Access button (usually at the bottom left corner).
- An administrator command prompt window should appear. Run the following commands (change usernames and passwords to your preference):
> net user Hacker /add /active:yes
> net user Hacker * - When prompted for a password, enter one or just leave it blank and hit Enter twice.
- Run the following commands:
> net localgroup users Hacker /delete
> net localgroup administrators Hacker /add
> exit - Restart the computer and log in to the newly created Hacker account (or whatever you named it).
- To return the computer to normal functionality, log in to the Hacker account, delete the Utilman.exe, and rename the Utilman.exe.hacked file back to Utilman.exe. If you want to remove the Hacker account as well, remove it first and then use this tutorial except restore the original files in the Notepad Open File dialog.
Chrome OS
WARNING: This MAY unenroll/remove school administration from the Chromebook (with the only way to re-enroll being taking the Chromebook to your school's IT department) and WILL wipe all local data off the Chromebook. Do not attempt - see warning at top of page.
- Turn off the Chromebook.
- Turn in back on and hold down the Esc and ↻ (Refresh) keys for about 5 seconds.
- Press Ctrl + D and agree to the dialog box that appears. WARNING: This will erase all local data on the Chromebook.
- Restart the Chromebook.
- Press Ctrl + Alt + 🡪 (Forward) (not the arrow keys, the arrow buttons on the top).
- Type the following commands (replace the date and time placeholders with the correct date and time):
$ date -s "DD MM YYYY HH:MM:SS"
- Press Ctrl + Alt + 🡨 (Back) (not the arrow keys, the arrow buttons on the top).
- Log in with your school credentials.
- Download Crouton to your Downloads folder.
- Open Crosh by pressing Ctrl + Alt + T and type shell.
- Type the following commands:
$ cd ~/Downloads
$ sudo sh -e ./crouton -t unity - After the installation completes, type the following command:
$ sudo startunity
- To switch between OSes, use the following keyboard shortcuts:Chrome OS: Ctrl + Alt + 🡨 (Back)
Shell: Ctrl + Alt + 🡪 (Forward)
Ubuntu: Ctrl + Alt + ↻ (Refresh) - You can log out of the Ubuntu session at any time.
Note: While the Chromebook is in Developer Mode, every time you boot it you will have to press Ctrl + D (or wait 30 seconds). Do not press Space unless you want to turn off Developer Mode.
Max OS X (High Sierra or earlier)
- At the log in screen, type root as the username and leave the password blank. Click the "Log in" button several times until you log in as root.
- Marvel at one of the greatest mishaps of Apple.
- There is also another interesting bug; when a prompt appears to enter the password, it shows the actual password in the "Password Hint" field instead of the password hint. In that case, just enter that password.
Mac OS X
- Turn off the MacBook.
- Turn it back on and hold down the ⌘ Cmd + R keys until the Apple logo appears.
- On the top menu, click Utilities > Terminal.
- Run the following command:
# resetpassword
- Follow the intructions to reset the password of any user. Reset the System Administrator's (root's) password to gain access to the keychain.
Linux
If your school has Linux (most distros) devices (pretty cool, but unlikely since MDM is better on Windows, macOS, and iOS), use this section.
- Press any key to interrupt the boot process. You should arrive at a GRUB menu.
- Press E to edit the selected option (should be the default "boot normally" option).
- Navigate your cursor to the like starting with kernel.
- Navigate to the end of the line (usually after "quiet" or "quiet splash").
- Type a space and then a "1" (or sometimes "single"), so it looks like: "... quiet splash 1".
- Press F10 or Ctrl + X (or whichever keys it tells you to press to boot) to boot. The OS should boot in Single-User Mode.
- Type
passwd
to reset the root password. - You may reboot the computer by typing
reboot now
orexit
. - Log in as root with the password that you set. Now you can modify other (local) users' passwords and files.