# Physical and hardware

## BIOS Bypass

Try these to bypass a BIOS password:

```
- Remove the motherboard battery and wait 1-60 minutes (depends on model)
- Find the motherboard model, find the CMOS reset pins, short-circuit them
- Live USB boot available? CmosPWD (chance to recover the password, which is always a plus)
```

## RAM Dump

Long story short: depending on the motherboard, software, blablabla, **data might still be recoverable** from RAM for a brief amount of time, usually anywhere between **1 to 2 minutes**. The colder it is, the longer the data will stay in memory. Usually, you'd grab one of those pressurized air cans (the kind used to clean your electronics) and just blow it ALL on the RAM; it will get cold, but not as cold as my ex. HA. You can then try to boot a live USB OS and dump the whole RAM. **Pick the lightest OS to save RAM, of course.**

## Windows Login Bypass

You can use Kon-Boot (only on local environments), but it's not free. It **really** is situational, because if you have more time you can think of something better that will probably cost nothing or less. <https://kon-boot.com/>

```
Boot live USB
Mount Windows partition
backup osk.exe osk.bak
copy cmd.exe onto osk.exe
Exit
Boot into windows
Open on-screen keyboard
Enjoy your SYSTEM
```

So yeah, just reset the password, create an account, download pornhub, do your thing chicken wing.

## Sticky Keys

Replace any of these binaries with cmd.exe or any other binary, and it will be executed as SYSTEM.

* **SETHC:** *sethc.exe* is invoked when SHIFT is pressed 5 times
* **UTILMAN:** *Utilman.exe* is invoked by pressing WINDOWS+U
* **OSK:** *osk.exe* is invoked by pressing WINDOWS+U, then launching the on-screen keyboard
* **DISP:** *DisplaySwitch.exe* is invoked by pressing WINDOWS+P
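
From the defender's side, the swap described above is detectable on disk. The following is an added example, not code from this page or any project it names: it audits a `System32` directory (live, or on a mounted offline image) and flags any of the four binaries whose bytes match another `.exe` in the directory or whose embedded `OriginalFilename` does not fit its on-disk name. The function names, the string-scan heuristic and the prefix-match rule are assumptions of this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

# Binaries this page lists as launchable from the logon screen.
TARGETS = ("sethc.exe", "Utilman.exe", "osk.exe", "DisplaySwitch.exe")
KEY = "OriginalFilename".encode("utf-16-le")

def original_filename(data):
    """Heuristic: read OriginalFilename from a PE version resource."""
    pos = data.find(KEY)
    if pos < 0:
        return None
    rest = data[pos + len(KEY):].lstrip(b"\x00")  # skip terminator and padding
    return rest[:520].decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def audit_accessibility(system32):
    """Return {target: [reasons]} for targets that look replaced."""
    exes = {p.name.lower(): p.read_bytes() for p in Path(system32).iterdir()
            if p.is_file() and p.suffix.lower() == ".exe"}
    digests = {n: hashlib.sha256(b).hexdigest() for n, b in exes.items()}
    findings = {}
    for target in TARGETS:
        name = target.lower()
        if name not in exes:
            findings[target] = ["missing"]
            continue
        reasons = []
        twins = sorted(n for n, d in digests.items() if d == digests[name] and n != name)
        if twins:
            reasons.append("same content as " + ", ".join(twins))
        # Assumption: embedded name starts with the on-disk stem; verify on a clean image.
        orig = original_filename(exes[name])
        if orig is None or not orig.lower().startswith(name[:-4]):
            reasons.append(f"OriginalFilename is {orig!r}")
        if reasons:
            findings[target] = reasons
    return findings

def sample_pe(orig):
    """Constructed stand-in for a PE file: only the version string pair."""
    return b"MZ" + KEY + b"\x00\x00" + orig.encode("utf-16-le") + b"\x00\x00"

def demo():
    """Constructed System32 in which osk.exe was overwritten with cmd.exe."""
    with tempfile.TemporaryDirectory() as d:
        for n in TARGETS + ("cmd.exe",):
            Path(d, n).write_bytes(sample_pe("Cmd.Exe" if n == "cmd.exe" else n))
        Path(d, "osk.exe").write_bytes(Path(d, "cmd.exe").read_bytes())
        return audit_accessibility(d)
```

Point `audit_accessibility()` at a real `System32` path to use it; an empty result means none of the four binaries tripped either check.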

## [Full Screen Escape](/hacking-methodologies/layer-0-phyisical-and-hardware/full-screen-escape.md)

If you are stuck on a GUI (school, library, police station, etc.)


