How to pwn an unattended laptop, according to Humans

Raymond Chen

One of my colleagues who pays attention to this sort of thing pointed out that Season 3 Episode 5 of the television documentary Humans demonstrates how you can take over an unattended laptop:

Administrator: C:\windows\system32\cmd.exe
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\windows\system32>powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
C:\windows\system32>powershell.exe -File C:\Windows\config54725.ps1
No rules match the specified criteria.
Updated 3 rule(s).
Exploit installed

Apparently hackers have graduated from Notepad and are now using PowerShell.

My colleague was pleasantly surprised that this screen shot is reasonably accurate! The first line allows all scripts to run, and the second line runs a script that, from the output, appears to be updating firewall rules.

The “Exploit installed” is just showing off.
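From the defender's side, the two-command pattern in the screen shot is easy to spot in process-creation command lines. The following is an added example, not code from the post: the session ids, the function name and every sample line other than the two commands shown above are constructed, and the Windows directory is assumed to be C:\Windows as in the screen shot.

```python
import ntpath
import re

# Constructed sample: (session id, command line) pairs as they might appear in
# process-creation logs. The first two command lines are the ones in the screen shot.
SAMPLE_EVENTS = [
    (1, r"powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false"),
    (1, r"powershell.exe -File C:\Windows\config54725.ps1"),
    (2, r"powershell.exe -File C:\Users\alice\build.ps1"),
    (3, r"powershell Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"),
]

# Execution policy being loosened to a value that lets any script run.
POLICY_RE = re.compile(
    r"set-executionpolicy\s+(?:-executionpolicy\s+)?['\"]?(unrestricted|bypass)\b",
    re.IGNORECASE,
)
# PowerShell launched with -File; captures the script path.
SCRIPT_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?-file\s+['\"]?([^'\"]+?\.ps1)",
    re.IGNORECASE,
)


def find_suspicious_sessions(events, windows_dir=r"C:\Windows"):
    """Return (session, script) pairs where a session first loosened the
    execution policy and then ran a script located under windows_dir."""
    root = ntpath.normcase(ntpath.normpath(windows_dir)) + "\\"
    loosened = set()
    findings = []
    for session, cmdline in events:
        if POLICY_RE.search(cmdline):
            loosened.add(session)
            continue
        match = SCRIPT_RE.search(cmdline)
        if match and session in loosened:
            # Normalize so that case differences and "..\" tricks do not
            # change the outcome of the directory check.
            script = ntpath.normcase(ntpath.normpath(match.group(1)))
            if script.startswith(root):
                findings.append((session, match.group(1)))
    return findings


if __name__ == "__main__":
    for session, script in find_suspicious_sessions(SAMPLE_EVENTS):
        print(f"session {session}: policy loosened, then ran {script}")
```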

Previously: There’s this documentary which showed how to trace email via inspection of headers.



  • Dan Bugglin 0

    The script being run has been dropped into C:\Windows, so possibly this falls under the “airtight hatchway” category of “exploits”.

    • Raymond Chen (Microsoft employee) 0

      Not only that, you have to be an administrator to change firewall settings. It’s hard to see on screen, but the title of the command prompt says “Administrator”. I’ll update the screen shot.

    • Alex Martin 0

      To be fair, attacking an unattended laptop is frequently an “already on the other side of the hatchway” situation. On almost all common operating systems, personal machines are usually set up with the normal user’s account as an admin, and at least for Windows 10 in a typical setup you don’t need the password to say “yes” to UAC if you’re logged on as an administrator. It’s really a matter of gaining persistence more than actually escalating privileges.

  • Mystery Man 0

    It’s refreshing to see the film industry has gotten so close to real-life accuracy. Usually, they are wildly inaccurate. You see screenshots that are amalgamations of different versions of Windows, macOS, and Linux. (Cue in Ocean’s 8.) They usually show a brute-force attack that guesses a password’s characters independently, as if it is a combination lock on a cheap 50’s purse.

    One thing that I don’t understand, however, is why they insist on blurring out (or otherwise censoring) logos. It’s not like showing them is a violation of trademark laws. (In the case of Microsoft, the company offers a straightforward use permit with attribution requirements.) I’m guessing there is a state, Hollywood, or MPA policy at work here because Koreans don’t censor logos.

    • Peter Cooper Jr. 0

      I suspect removing logos is primarily about not wanting to “advertise” or have product placement without getting paid for it. That is, if one company is paying them to have their brand show up on the screen somewhere, that company might get annoyed if some other company was getting their brand on the screen without needing to pay for it. It may be that even if one specific show isn’t doing regular product placement, that their production company or distributor or whatever (I don’t know the real terminology) does in some cases, and finds it easier to just have a blanket policy of “no logos showing without a contract allowing such”. Might make things easier on their legal team, too, rather than them needing to research and confirm whether a specific usage of a brand is both fair use and not likely to get nastygrams from the owner.

      • Mystery Man 0

        That actually makes sense. Thanks a lot.

  • Neil Rashbrook 0

    But why are they starting PowerShell from cmd.exe? Hasn’t PowerShell been the default on the Start right-click menu for some time now?

    • Mystery Man 0

      Not to mention that PowerShell is free and open-source, under a permissive license.
