
Issue getting the original BCD

Open Sofahamster opened this issue 10 months ago • 2 comments

Something that seems so "easy" in both the 38C3 talk by th0mas and the writeup at the blog is getting the original BCD just by "shift-rebooting Windows, going 'Troubleshoot > Advanced options > Command Prompt'".

Except that this doesn't work (anymore?).

Tried on a current Windows 11 Pro (Version 24H2, Build 26100.2894) on my Thinkpad T14 Gen1. Secure boot enabled, TPM only mode.

When I'm still on the login screen, I can press and hold shift while clicking "Restart" in the lower right menu as often as I want, Windows will not boot into the "advanced" or "recovery" restart screen.

With no way of getting to this screen, it's kind of hard to get the BCD and to craft the custom BCD required for this exploit.

Anyone care to elaborate on this step?

Does this "shift rebooting" only work when already logged in? Then this whole exploit is kind of useless, isn't it?

Sofahamster, Feb 11 '25 00:02

Depends. If the boot priority goes to PXE or USB first, you do not need that step for the exploit. Otherwise it's still usable for privesc from normal user to admin and for dumping credentials. Try it when logged in, please.

code1997, Feb 11 '25 11:02

Try using right shift.

snowpeacock, Feb 11 '25 11:02