Bitlocker Auto encryption bypass / postponed forever.

By -
Dear reader
As you know we update this blog once we get in some kind of trouble in our daily life, So today our organization started Bitlocker implementation on all systems which will encrypt all drives, I have allowed encryption on only C (windows) drive, but soon after that, the bitlocker started giving me popups like encrypt your D,E drive.

I have clicked on postponed multiple times but it keeps on appearing after few minutes.


Sooooo, if you have faced such issue below is the an awesome trick to bypass it, also you won't find this trick any where else on internet as its completely self learned.

So I knew that this Bitlocker is some how communicating to its centralized server for policy updates or may be for some other communication or keys recovery or reports etc, and I knew that server information will be stored in Registry. But the problem was to search for those registry keys and find the server information and edit the host file and assigning the localhost to server host. OK enough talking lets start....


1st you must have admin rights on your system doesn't matter if local or provided by Active directory.

Next Open the registry, (windows button + R, type regedit and hit enter)

Go to any of below Registry keys you will find the information about Bitlocker centralized server.


  1. HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\22000040    (Value of Element)
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement (Value of StatusReportingServiceEndpoint)
  3. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE (Value of RecoveryKeyUrl)
  4. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\MDOPBitLockerManagement (Value of StatusReportingServiceEndpoint)

The Key which contains the server information are written inside Small brackets. e.g the server information is something like this;
http://mbam.organization.com/selfservice

Note down this URL mbam.organization.com

 Next open the NOTEPAD as administrator, its important because you won't be able to edit the host file.
In Notepad click on file and click on OPEN, go to c:\Windows\System32\drivers\etc now click on dropdown which it says TEXT Documents (*.txt) and select ALL FILES once you do it, you will show HOST file. double click on host file.



Now the host file is open, at the bottom of the file write this line

127.0.0.1     mbam.organization.com


Remember to replace mbam.organization.com with you own orgnazation URL which you noted from registry key
Once all done press Cntrl+S for saving the host file. And done the popup will not appear again.






Comments

Post a Comment

Popular posts from this blog

GRANDING UTime Master - IDOR (CVE-2023-45393)

By -
Image
  Hi All, I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ).  CVE ID: CVE-2023-45393 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees. Login to UTime Master using any account. Capture the request in burpsuite with the valid cookies. modify the URL to "/base/adminlog/table/?page=1&limit=200" Forward the request and it will fetch all the admin logs. IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.
Read more

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

By -
Image
  Hi All, I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ). CVE ID: CVE-2023-45391 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Login to UTime Master using admin account Click on Personnel > Employee Management >Employee Select Any employee or create a new employee In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)> XSS payload embedded in EMP NAME field. Save the employee details, Once the page refreshed it will execute your payload. our payload executed successfully. I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc. XSS has been fixed in la
Read more

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef
Read more