administration, system recovery,

Using Amazon Windows Images

agowa338 · Jul 16, 2018 · 2 mins read

If you have tried to use some Windows images on AWS, you may have noticed that they have no password specified; in fact, their agent fails to set one. I tried multiple ways to reset the password after support told me that, in order to help me, I first had to buy a higher support level... The simplest and easiest is usually the utilman.exe trick, but as AWS does not allow you to interact with the console session, that is out of scope. So I tried different autostart locations, but most are only invoked after a user has logged on. Therefore, mounting the volume on another instance and editing the registry to add a custom service was one possibility, and it worked.

  1. Spawn one of the buggy instances, e.g. one using "2016 Base Datacenter".
  2. Start the buggy instance once to check whether Amazon has fixed the bug and you receive the admin password.
  3. If the bug is still there, stop this instance again (do not terminate it!).
  4. Go to Volumes, detach the volume, and attach it to the working Server 2016 instance as 'xvdf'.
  5. Remote into the 2016 image as usual.
  6. Open Disk Management.
  7. Switch the 2nd drive online (and keep the window open for later).
  8. Open Regedit.
  9. Load the SYSTEM hive from the offline Windows as 'offline.SYSTEM'.
  10. Copy the following text into a text file a.reg on the desktop.
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\offline.SYSTEM\ControlSet001\Services\test]
    "Type"=dword:00000010
    "Start"=dword:00000002
    "ErrorControl"=dword:00000000
    "ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
      73,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,\
      00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,43,00,20,00,6e,00,65,00,\
      74,00,20,00,75,00,73,00,65,00,72,00,20,00,41,00,64,00,6d,00,69,00,6e,00,69,\
      00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,20,00,50,00,40,00,73,00,73,00,\
      77,00,30,00,72,00,64,00,00,00
    "DisplayName"="test"
    "ObjectName"="LocalSystem"
    "Description"="Test"
    "FailureActions"=hex:10,0e,00,00,00,00,00,00,00,00,00,00,15,00,00,00,14,00,00,\
      00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,\
      01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,\
      00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,\
      00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,\
      00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,\
      88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,\
      13,00,00,01,00,00,00,88,13,00,00,00,00,00,00,88,13,00,00
  11. Apply these registry keys by double-clicking a.reg.
  12. Unload the hive.
  13. Switch the drive offline again.
  14. Make sure RDP to the buggy instance is only allowed from your IP (not 0.0.0.0) before continuing.
  15. Detach the drive from the 2016 image.
  16. Attach the drive to the buggy image as '/dev/sda1' (yes, it is Windows, but you need to specify this here, or the instance is unable to start).
  17. Start the buggy instance.
  18. Connect to it with "Administrator" and "P@ssw0rd".
  19. Open Regedit and delete 'HKLM\SYSTEM\ControlSet001\Services\test'.
  20. Set a secure password.
  21. Install OpenSSH: https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
  22. Add your public key to "C:/Users/Administrators/.ssh/authorized_keys".
  23. Remove the ports TCP 3389 and UDP 3389 from your security group. It is not recommended to have RDP publicly available on the internet (if you still want to connect over the public internet, set up a Remote Desktop Gateway, as it is intended to be publicly accessible and, in combination with ADFS, even allows one-time passwords for pre-authentication).
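Before importing a .reg file into an offline hive it is worth checking what it actually encodes, because the two values that matter here (ImagePath and FailureActions) are stored as raw hex and are unreadable in the file itself. The script below is an added example, not code from the original post: it parses the step-10 export, decodes the hex(2) ImagePath as UTF-16LE (the REG_EXPAND_SZ encoding regedit uses) and unpacks the FailureActions blob as the SERVICE_FAILURE_ACTIONS header followed by SC_ACTION entries, the layout documented for the Windows service control manager. The lookup tables and function names are my own.

```python
import re
import struct

# The .reg text from step 10 of the post (copied, not constructed).
REG_TEXT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\offline.SYSTEM\ControlSet001\Services\test]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
  73,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,\
  00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,43,00,20,00,6e,00,65,00,\
  74,00,20,00,75,00,73,00,65,00,72,00,20,00,41,00,64,00,6d,00,69,00,6e,00,69,\
  00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,20,00,50,00,40,00,73,00,73,00,\
  77,00,30,00,72,00,64,00,00,00
"DisplayName"="test"
"ObjectName"="LocalSystem"
"Description"="Test"
"FailureActions"=hex:10,0e,00,00,00,00,00,00,00,00,00,00,15,00,00,00,14,00,00,\
  00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,\
  01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,\
  00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,\
  00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,\
  00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,\
  88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,\
  13,00,00,01,00,00,00,88,13,00,00,00,00,00,00,88,13,00,00
'''

# Names for the numeric fields, taken from the Win32 service API constants.
SERVICE_TYPES = {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART", 2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}


def parse_reg(text):
    """Return {name: (kind, value)} for the values in a one-key .reg export.
    Continuation lines (trailing backslash) are joined first, as regedit does."""
    joined = re.sub(r',\\\r?\n\s*', ',', text)
    values = {}
    for line in joined.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, body = m.groups()
        if body.startswith('dword:'):
            values[name] = ('dword', int(body[6:], 16))
        elif body.startswith('hex(2):'):        # REG_EXPAND_SZ, UTF-16LE bytes
            values[name] = ('expand_sz', bytes.fromhex(body[7:].replace(',', '')))
        elif body.startswith('hex:'):           # REG_BINARY
            values[name] = ('binary', bytes.fromhex(body[4:].replace(',', '')))
        elif body.startswith('"') and body.endswith('"'):
            values[name] = ('sz', body[1:-1])
    return values


def decode_failure_actions(raw):
    """Unpack SERVICE_FAILURE_ACTIONS: dwResetPeriod, lpRebootMsg, lpCommand,
    cActions, lpsaActions (20 bytes), then cActions SC_ACTION {Type, Delay ms}."""
    reset_period, _msg, _cmd, count, offset = struct.unpack_from('<IIIII', raw, 0)
    actions = [struct.unpack_from('<II', raw, offset + 8 * i) for i in range(count)]
    return reset_period, actions


def describe_service(text=REG_TEXT):
    """Summarise what importing the .reg file would register."""
    v = parse_reg(text)
    reset_period, actions = decode_failure_actions(v['FailureActions'][1])
    return {
        'image_path': v['ImagePath'][1].decode('utf-16-le').rstrip('\x00'),
        'type': SERVICE_TYPES.get(v['Type'][1], v['Type'][1]),
        'start': START_TYPES.get(v['Start'][1], v['Start'][1]),
        'runs_as': v['ObjectName'][1],
        'reset_period_s': reset_period,
        'actions': [(ACTION_TYPES.get(t, t), delay) for t, delay in actions],
    }


if __name__ == '__main__':
    for key, val in describe_service().items():
        print(f'{key}: {val}')
```

Running it shows the service is an auto-start, LocalSystem service whose image path is `"C:\Windows\System32\cmd.exe" /C net user Administrator P@ssw0rd`, with 20 restart actions at 5000 ms and a final no-op; that is exactly why step 19 deletes the key again once you are in, since otherwise the password reset re-runs on every boot.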
