Lab 12.1: Physical Access (Windows) - squatchulator/Tech-Journal GitHub Wiki
- For this lab, I didn't have access to VMware Workstation so I installed VirtualBox on my MacBook. Luckily, I ended up getting this working, but the Windows ISO we were asked to use was corrupted, so I just installed the official ISO from Microsoft's website. It can be downloaded [HERE]. You'll also need an ISO of Kali Live from [HERE].
- Open VirtualBox, and create a VM. Name it whatever you want, and select the Windows 10 ISO you downloaded. Go ahead and leave the skip unattended installation option unchecked as well.
- It will ask you to create an account. Create one; it won't really matter since we won't use it, but it can't be skipped, so make one anyway.
- Give the VM a good bit of juice, since it's Windows. I did 4 GB of RAM and 4 CPUs.
- Leave the virtual disk size at 50 GB, or make it smaller. 50 GB is usually fine for a Windows install.
- Finish up the install. It'll automatically start, so wait for it to boot and then shut it down cleanly from within Windows. If Windows is not shut down properly, Kali may refuse to mount the NTFS partition later.
- Go into Settings for the virtual machine -> Storage -> Controller: SATA, add an optical drive to it, and at the top left select "Add" and pick the Kali ISO you downloaded. Select it again from the list and hit "Choose". Once this is done, click on the CD entry for the Kali ISO, tick the "Live CD/DVD" box, and hit OK. Delete the Windows install disk under the SATA section as well, or else it's going to try installing again.
- Start it back up again. While the VirtualBox logo shows, hit F12 and then hit C for CD/DVD boot. It should boot you into Kali!
- On physical hardware, you will first need to create a bootable USB. Download the Kali Live ISO, install BalenaEtcher from [HERE], and write the ISO to your USB drive using Etcher.
- Once written, plug the USB drive into a port and boot into the BIOS (the key will vary based on motherboard manufacturer). In the BIOS, do a one-time boot from the USB drive or change the boot order to get Kali up and running.
- Now that we're in Kali, open a terminal window and elevate to root. Navigate to `/home/kali/Desktop` and create a new directory there called something like `temp` so it's easy to recognize and delete later.
- Run `fdisk -l` to see the name of your Windows partition. The partition we want to target is listed under the "Device" column. Take note of the device name (it should be something like /dev/sda1).
- Now run `mount /dev/<device identifier> <name of folder you made>`. Assuming all worked, you can move on to the next step.
- cd into the folder you made, then cd into Windows/System32. We need to rename a key system executable, and this can be done with the following commands:
```
cp Utilman.exe Utilman-old.exe
cp cmd.exe Utilman.exe
```
- Now shut down the Kali VM and boot back into Windows like normal. It may log you in automatically; if it does, log out and get to the login/user select screen.
- At the bottom of the screen, you will see 3 options, and one of them is the Ease of Access menu, which runs an executable when selected. That executable is the Utilman.exe we just renamed and replaced with cmd.exe, so in theory when we click it, an administrator command prompt should open.
- Assuming this does happen, we now need to create an admin user to exploit the machine. This can be done with the following commands:
```
net user <username> <password> /add
net localgroup Administrators <username> /add
```
- If no errors occur, then you should now have a custom admin user on this system! Reboot the Windows machine and you should see your new account on the login screen.
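The swap above leaves two simple artifacts on disk: Utilman.exe becomes byte-identical to cmd.exe, and a Utilman-old.exe backup is left behind. The following script is an added example (not part of the original wiki) that checks for both from a live environment such as the Kali boot used in this lab, against a Windows volume mounted the same way as above. It assumes the mount point /home/kali/Desktop/temp from the steps above; pass a different path as the first argument if you used another folder.

```shell
#!/bin/sh
# check_utilman.sh (hypothetical name): offline integrity check for the
# Utilman.exe swap described in this lab. Run it from a live environment
# against a mounted Windows volume, e.g.:
#   sh check_utilman.sh /home/kali/Desktop/temp

# Print the SHA-256 of a file; fail if the file does not exist.
sha256_of() {
    [ -f "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS fallback
    fi
}

# check_system32 DIR
# DIR is the System32 directory of the mounted Windows volume.
# Exit status: 0 = Utilman.exe looks untouched,
#              2 = a leftover Utilman-old.exe backup exists,
#              1 = Utilman.exe is a copy of cmd.exe (takes precedence over 2).
check_system32() {
    dir="$1"
    utilman="$dir/Utilman.exe"
    cmd="$dir/cmd.exe"
    backup="$dir/Utilman-old.exe"
    status=0

    if [ -f "$backup" ]; then
        echo "WARN: leftover backup $backup found (sign of a manual swap)"
        status=2
    fi

    if [ -f "$utilman" ] && [ -f "$cmd" ]; then
        if [ "$(sha256_of "$utilman")" = "$(sha256_of "$cmd")" ]; then
            echo "ALERT: Utilman.exe is byte-identical to cmd.exe"
            status=1
        fi
    else
        echo "WARN: Utilman.exe or cmd.exe missing under $dir"
    fi

    return $status
}

# Only run the check when executed directly, not when sourced.
if [ "${0##*/}" = "check_utilman.sh" ]; then
    check_system32 "${1:-/home/kali/Desktop/temp}/Windows/System32"
fi
```

A hash comparison is enough here because the lab copies cmd.exe verbatim; a more robust check on a running system would verify the Authenticode signature of Utilman.exe instead. The offline modification itself only works because the volume is readable from another OS, so full-disk encryption such as BitLocker is the mitigation that stops this class of physical-access attack at the root.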