0% found this document useful (0 votes)
385 views

BitLocker Bypass

This document describes a technique to bypass the Windows 10 lock screen and elevate privileges on a system whose disk is encrypted with BitLocker. It involves inserting a USB drive containing an executable that creates a symbolic link enabling arbitrary code execution with SYSTEM privileges. When the USB drive is reinserted, a malicious DLL is planted that gets loaded the next time Narrator is launched, allowing an administrator account to be added.

Uploaded by

Praveen SP

Lock Screen/BitLocker Bypass/Privilege Elevation in BitLocker

Scenario:
❏ Windows 10 PC with the hard drive encrypted by BitLocker
❏ Ability to add administrator accounts

Short Summary:
❏ At the sign-in screen select "I have forgotten my password".
❏ Bypass the lock screen and enable AutoPlay for removable devices.
❏ Insert a USB stick containing my malicious .exe file and a junction folder.
❏ Run the .exe file, remove the thumb drive and go back to the main screen.
❏ Next, launch Narrator, which will execute the DLL payload planted earlier.
❏ Add a user account called hacker with password hacker and administrator group membership.
❏ To refresh the list of accounts available to log into, click "I forgot my password" and then return to the main screen.

Lock screen bypass:

❏ First select "I have forgotten my password/PIN".
❏ An additional session is now launched, running under an account that is created and deleted as needed; the User Profile Service calls it a default account.
❏ It will have the first available name of defaultuser1, defaultuser100000, defaultuser100001, etc.
❏ To escape the lock we use Narrator: if we manage to launch something we cannot see it, but with Narrator and the arrow keys we are still able to navigate it.
❏ The question that remains is how to launch something at all.

❏ We can press the Shift key five times quickly; the Sticky Keys pop-up box has a link that opens the Settings app, but we cannot see the launched Settings app.
❏ Giving the launched Settings app focus is a little tricky: we have to click the link and then, with the correct timing, click the place on the screen where the launched app would be if it were visible.
❏ Easy way out:
❖ Keep clicking on the link, about twice a second.
❖ The Sticky Keys window will disappear.
❖ Keep clicking; a focus box is now drawn in the middle of the screen, which is the Settings app. Stop clicking when it has focus.
❖ Now navigate the Settings app using "[Caps Lock] + ← arrow", pressing it until "Home" is reached.
❖ When Home has focus, hold down [Caps Lock] and press Enter.
❖ Using "[Caps Lock] + → arrow", navigate to Devices and press "[Caps Lock] + Enter" when it has focus.

 
 
❖ Navigate to AutoPlay and choose "Open folder to view files (File Explorer)".
❖ Insert the prepared USB drive and wait a few seconds; Narrator will announce that the drive has been opened and the window will receive focus.
❖ Select the file Exploit.exe and execute it with "[Caps Lock] + Enter".
❖ We thus have arbitrary code execution without using any passwords, but we are limited to running as the default profile.
 
Elevation of privilege:
❏ The root cause of this attack vector:
❏ When a USB stick is mounted, BitLocker creates a directory named ClientRecoveryPasswordRotation inside System Volume Information and sets its permissions to:
❏ NT AUTHORITY\Authenticated Users:(F)
❏ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
❏ To redirect the create operation, a symbolic link in the NT object namespace is needed, as that lets us control the file name and its existence.
❏ The operation is not aborted; the directory is still created.
❏ Therefore, on a USB drive we make \System Volume Information a mount point targeting \RPC Control.
❏ Then we create a symbolic link \RPC Control\ClientRecoveryPasswordRotation targeting C:\Windows\system32\Narrator.exe.local.
❏ If the USB stick is reinserted, the folder C:\Windows\system32\Narrator.exe.local will be created with permissions that allow us to create the subdirectory:
❏ amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.657_none_e6c5b579130e3898
❏ Inside that we drop a payload DLL named comctl32.dll.
❏ The next time Narrator is triggered, it will load the DLL.
❏ We chose Narrator as the attack vector because it can be triggered from the login screen as SYSTEM and is not loaded automatically.
❏ So if anything goes wrong we can still reboot and repeat the process.
 
Entire Exploit Chain:
❏ For the ClientRecoveryPasswordRotation exploit to work, it requires a symbolic link in \RPC Control.
❏ The executable on the USB drive creates the link using two calls to DefineDosDevice, which makes the link permanent so it can survive a logout/login if needed.
❏ Then a loop is started in which the malicious exe file will:
❏ Try to create the aforementioned subdirectory.
❏ Plant the payload comctl32.dll inside it.
❏ It is easy to see when the loop is running, as Narrator will move its focus box and say "Access denied" about once per second.
❏ Now we can use the link created in \RPC Control: just unplug the USB stick and reinsert it.
❏ The writable directory will now be created in system32.
❏ On the next loop iteration the payload is planted and Exploit.exe exits.
❏ To test whether the exploit has been successful, we close Narrator and try to start it again.
❏ If Narrator does not work, the DLL has been planted and Narrator executes it, but it fails to add an account because it is launched as defaultuser1.
❏ Once the payload is planted we click "Back to login screen" and start Narrator.
❏ Three beeps should play and a message box saying the DLL has been loaded as SYSTEM should appear.
❏ If the account has been created but is not in the list, we press "I forgot my password" and click back to refresh the list.
❏ A new account named hacker should appear, with password hacker.
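The two sections above describe the artefacts this chain leaves on a host: a writable Narrator.exe.local DLL-redirection directory under System32 with a planted comctl32.dll, and a System Volume Information folder on a removable volume that is a mount point to \RPC Control instead of a real directory. The following PowerShell script is an added defensive check, not part of the original write-up or of any tool it mentions; it looks for both artefacts so an administrator or responder can spot the technique after the fact. It assumes a Windows host with the Storage module (Get-Volume) and an elevated session, which is needed to read ACLs and System Volume Information.

```powershell
# Added defensive check, not from the original write-up.
# Run from an elevated PowerShell session on the Windows host being inspected.

# 1. DLL redirection directories next to system binaries.
#    Windows honours <app>.exe.local for DLL redirection; one under System32
#    that non-administrators can write to (the write-up relies on
#    Narrator.exe.local) is a DLL hijack primitive and should not exist.
$system32 = Join-Path $env:SystemRoot 'System32'
$localDirs = Get-ChildItem -Path $system32 -Directory -Filter '*.exe.local' -Force -ErrorAction SilentlyContinue
foreach ($dir in $localDirs) {
    Write-Warning "DLL redirection directory found: $($dir.FullName)"
    # Report who may write here; Authenticated Users or Everyone with
    # FullControl/Modify/Write is the condition the write-up exploits.
    (Get-Acl -Path $dir.FullName).Access |
        Where-Object { $_.FileSystemRights -match 'FullControl|Modify|Write' } |
        ForEach-Object { "  writable by: $($_.IdentityReference) ($($_.FileSystemRights))" }
    # Any DLL beneath the directory is a payload candidate; record it for triage.
    Get-ChildItem -Path $dir.FullName -Recurse -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "  DLL present: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))" }
}

# 2. Removable volumes whose System Volume Information is a reparse point.
#    On a normal volume this is a plain hidden system directory; a junction or
#    mount point there redirects BitLocker's ClientRecoveryPasswordRotation
#    directory creation to wherever the link points.
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
foreach ($vol in $removable) {
    $svi = "$($vol.DriveLetter):\System Volume Information"
    $item = Get-Item -Path $svi -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        # Target and LinkType are populated by the FileSystem provider for reparse points.
        Write-Warning "Reparse point at $svi ($($item.LinkType) -> $($item.Target))"
    }
}
```

A *.exe.local directory under System32 that Authenticated Users can modify, or a reparse point where a real System Volume Information directory should be, is a strong indicator of this technique; remove the redirection directory, quarantine any DLL found under it, and check for unexpected local administrator accounts created around the same time.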
 
 
 
 
 
 
USB Device Creation:

C:\Users\frostbite>format D: /fs:ntfs /q
Insert new disk for drive D:
and press ENTER when ready...
The type of the file system is NTFS.
QuickFormatting 30.0 GB
Volume label (32 characters, ENTER for none)?
Creating file system structures.
Format complete.
30.0 GB total disk space.
30.0 GB are available.
 
Now we need to elevate to admin to delete "System Volume Information":
 
C:\Users\frostbite>d:
D:\>takeown /F "System Volume Information"
SUCCESS: The file (or folder): "D:\System Volume Information" now owned by user "DESKTOP-LTJ\frostbite".
D:\>icacls "System Volume Information" /grant Everyone:(F)
processed file: System Volume Information
Successfully processed 1 files; Failed processing 0 files
D:\>rmdir /s /q "System Volume Information"
 
We will use James Forshaw's tool, publicly available on GitHub, in order to create the exploit.exe :)
 
 
D:\>createmountpoint "System Volume Information" "\RPC Control"
D:\>copy c:\Users\frostbite\source\repos\exploitKit\x64\Release\exploit.exe .
        1 file(s) copied.
 
 
 
