mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
	Merge pull request #1130 from HackTricks-wiki/update_Framework_13__Press_here_to_pwn_20250715_124547
Framework 13. Press here to pwn
This commit is contained in: commit b9d1b0a7fd
				@ -14,46 +14,107 @@ In cases where the BIOS password is unknown, entering it incorrectly **three tim
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command:
 | 
					For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
`python chipsec_main.py -module exploits.secure.boot.pk`
 | 
					```bash
 | 
				
			||||||
 | 
					python chipsec_main.py -module exploits.secure.boot.pk
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### RAM Analysis and Cold Boot Attacks
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## RAM Analysis and Cold Boot Attacks
 | 
				
			||||||
 | 
					
 | 
				
			||||||
RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis.
 | 
					RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### Direct Memory Access (DMA) Attacks
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Direct Memory Access (DMA) Attacks
 | 
				
			||||||
 | 
					
 | 
				
			||||||
**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
 | 
					**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### Live CD/USB for System Access
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Live CD/USB for System Access
 | 
				
			||||||
 | 
					
 | 
				
			||||||
Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes.
 | 
					Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
**Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/).
 | 
					**Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/).
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### Handling Windows Security Features
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#### Boot and Recovery Shortcuts
 | 
					## Handling Windows Security Features
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					### Boot and Recovery Shortcuts
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- **Supr**: Access BIOS settings.
 | 
					- **Supr**: Access BIOS settings.
 | 
				
			||||||
- **F8**: Enter Recovery mode.
 | 
					- **F8**: Enter Recovery mode.
 | 
				
			||||||
- Pressing **Shift** after the Windows banner can bypass autologon.
 | 
					- Pressing **Shift** after the Windows banner can bypass autologon.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#### BAD USB Devices
 | 
					### BAD USB Devices
 | 
				
			||||||
 | 
					
 | 
				
			||||||
Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer.
 | 
					Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#### Volume Shadow Copy
 | 
					### Volume Shadow Copy
 | 
				
			||||||
 | 
					
 | 
				
			||||||
Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
 | 
					Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### Bypassing BitLocker Encryption
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Bypassing BitLocker Encryption
 | 
				
			||||||
 | 
					
 | 
				
			||||||
BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose.
 | 
					BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
### Social Engineering for Recovery Key Addition
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Social Engineering for Recovery Key Addition
 | 
				
			||||||
 | 
					
 | 
				
			||||||
A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
 | 
					A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Exploiting Chassis Intrusion / Maintenance Switches to Factory-Reset the BIOS
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Many modern laptops and small-form-factor desktops include a **chassis-intrusion switch** that is monitored by the Embedded Controller (EC) and the BIOS/UEFI firmware.  While the primary purpose of the switch is to raise an alert when a device is opened, vendors sometimes implement an **undocumented recovery shortcut** that is triggered when the switch is toggled in a specific pattern.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					### How the Attack Works
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					1. The switch is wired to a **GPIO interrupt** on the EC.
 | 
				
			||||||
 | 
					2. Firmware running on the EC keeps track of the **timing and number of presses**.
 | 
				
			||||||
 | 
					3. When a hard-coded pattern is recognised, the EC invokes a *mainboard-reset* routine that **erases the contents of the system NVRAM/CMOS**.
 | 
				
			||||||
 | 
					4. On next boot, the BIOS loads default values – **supervisor password, Secure Boot keys, and all custom configuration are cleared**.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					> Once Secure Boot is disabled and the firmware password is gone, the attacker can simply boot any external OS image and obtain unrestricted access to the internal drives.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					### Real-World Example – Framework 13 Laptop
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					The recovery shortcut for the Framework 13 (11th/12th/13th-gen) is:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```text
 | 
				
			||||||
 | 
					Press intrusion switch  →  hold 2 s
 | 
				
			||||||
 | 
					Release                 →  wait 2 s
 | 
				
			||||||
 | 
					(repeat the press/release cycle 10× while the machine is powered)
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM at the next reboot.  The whole procedure takes ~40 s and requires **nothing but a screwdriver**.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					### Generic Exploitation Procedure
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					1. Power-on or suspend-resume the target so the EC is running.
 | 
				
			||||||
 | 
					2. Remove the bottom cover to expose the intrusion/maintenance switch.
 | 
				
			||||||
 | 
					3. Reproduce the vendor-specific toggle pattern (consult documentation, forums, or reverse-engineer the EC firmware).
 | 
				
			||||||
 | 
					4. Re-assemble and reboot – firmware protections should be disabled.
 | 
				
			||||||
 | 
					5. Boot a live USB (e.g. Kali Linux) and perform usual post-exploitation (credential dumping, data exfiltration, implanting malicious EFI binaries, etc.).
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					### Detection & Mitigation
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					* Log chassis-intrusion events in the OS management console and correlate with unexpected BIOS resets.
 | 
				
			||||||
 | 
					* Employ **tamper-evident seals** on screws/covers to detect opening.
 | 
				
			||||||
 | 
					* Keep devices in **physically controlled areas**; assume that physical access equals full compromise.
 | 
				
			||||||
 | 
					* Where available, disable the vendor “maintenance switch reset” feature or require an additional cryptographic authorisation for NVRAM resets.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## References
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- [Pentest Partners – “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/)
 | 
				
			||||||
 | 
					- [FrameWiki – Mainboard Reset Guide](https://framewiki.net/guides/mainboard-reset)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
{{#include ../banners/hacktricks-training.md}}
 | 
					{{#include ../banners/hacktricks-training.md}}
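Review bot: the new section describes the toggle sequence as an "undocumented recovery shortcut" (line "vendors sometimes implement an **undocumented recovery shortcut**"), yet the worked example is the vendor's own published procedure (the References cite the FrameWiki Mainboard Reset Guide) and step 3 of the generic procedure tells the reader to "consult documentation"; suggest "a documented or undocumented recovery shortcut" so the text stops contradicting its own sources. The block quote "Once Secure Boot is disabled and the firmware password is gone, the attacker can simply boot any external OS image and obtain unrestricted access to the internal drives" overstates the outcome: full-disk encryption is an independent control (the file's own "Bypassing BitLocker Encryption" section sits directly above), so an NVRAM reset yields plaintext only from unencrypted volumes; qualify with "unencrypted" or cross-reference the BitLocker section. In Detection & Mitigation, the bullet "Log chassis-intrusion events in the OS management console and correlate with unexpected BIOS resets" should state that the records must be forwarded off the device, because step 3 of "How the Attack Works" says the same reset "erases the contents of the system NVRAM/CMOS", so an intrusion record kept only in firmware would not survive the very event it is meant to detect.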