Backstory

One day I was on site with client and was tasked with assessing an application for them. This was troubling for two reasons: 1.) This was my first on site assessment and 2.) due to the nature of the content I was tasked to work with, my little visit there required full supervision, which meant that my primary point of contact (POC) watched over my shoulder as I worked on this application for about 4 or so hours.

On top of that I wasn’t working from my work laptop which was full of hack tools and con-booting this machine wasn’t necessarily in scope. Needless to say it was a tad bit nerve wrecking also considering the fact that this thing was LOCKED down in terms of being able to access any of the underlying Windows functionality; Or so I thought!

The Hacking Part - TLDRers Start here ⤵

So after spending a bunch of time poking around on this thing I noticed that ctrl+alt+delete worked, which brought up the screen below:

Image of Windows 7 lock options
Image of Windows 7 lock options

From playing around in the past in the past and partially out of desperation I decided to open up the infamous On Screen Keyboard in hopes that this thing would give me additional Windows options:

Image of On-Screen Keyboard options
Image of On-Screen Keyboard options

Once the on-screen keyboard options were available, I was able to select the Control whether the On-Screen Keyboard starts... option which brought up the following screenshot where I was then able to access the Use Speech Recognition option:

Selecting Speech Recognition
Selecting Speech Recognition

If you can get to this point it’s pretty much game over. Here I just selected the control panel option and could access a whole bunch of other things. I mean right clicking and opening a command prompt could have probably worked sooner but this is what I did at the time.

Image of Control Panel option
Accessible Control Panel option

Something to note about this vector is that it does require prior authentication and the PC needs to be unlocked when you hit ctrl+alt+delete. You cant simply walk up to a locked pc and access the accessibility options as the Control whether the On-Screen Keyboard starts... option will be missing if you do. Also, in this example the user that was authenticated at the time had local system administrative privileges so this instance was pretty bad but you may run in to other obstacles that makes this vector more or less viable for you to pull off. Just keep this in the back of your mind the next time you feel like checking out some of the complementary systems you have access to out there in the wild and remember: Do nothing without permission!

```bash __________ < We Fr0gz > ---------- \ \ oO)-. .-(Oo /__ _\ /_ __\ \ \( | ()~() | )/ / \__|\ | (-___-) | /|__/ ' '--' ==`-'== '--' ' 
</center>