YellowKey working irl?
Posted by jobunocru@reddit | sysadmin | 27 comments
Anybody manage to get YellowKey working for them?
We're testing our machines against all the latest vulnerabilities, and I just cannot get this one to work. It boots into the command prompt, but when I check the C: drive it says that "This drive is locked by BitLocker Drive Encryption."
CopyFail on Linux was so easy, and even Dirty Frag worked. We managed to run BitUnlocker (then applied mitigations!), but YellowKey does nothing. Any ideas, gng? Maybe we're just safe?
SensitiveFrosting13@reddit
Yep. Already used it on a red team.
coming-around@reddit
disclaimer, coming from a place of ignorance
why? there's not a patch for it, so what would "hitting" it do? is it just to raise the issue in a report as an unresolvable vuln to track?
InverseX@reddit
Because it gets you further access that achieves the goals of the red team. Assuming it’s an *actual* red team that differs from a pentest where you’re just trying to enumerate vulnerabilities.
For example, that bitlocker bypass may allow the dumping of local hashes, those local hashes could reveal a shared local admin password across the environment, and that gives domain admin access when used against the DC. It’s an attack chain not possible without actually exploiting the vulnerability.
Ssakaa@reddit
That's a really good explanation of the point behind defense in depth, too.
strongest_nerd@reddit
Windows 11? It does not work on Win 10.
jobunocru@reddit (OP)
Yup - tried Win 11 25H2 and 24H2
Zaiakusin@reddit
Read it has to be done on the machine it came from.
Connection-Terrible@reddit
What does that mean?
Zaiakusin@reddit
The exploit seems to only work when the encrypted drive is in the computer it came from. Something about the decryption code being stored on the TPM chip
iratesysadmin@reddit
It works fine. Try another flashdrive, some people report that certain drives wouldn't work for them.
jobunocru@reddit (OP)
Tried a Cruzer and a PNY so far. Looking for others. Do you know if it's a brand problem, or a size problem?
ender-_@reddit
Worked for me with an ancient 2GB Toshiba USB drive, FAT32-formatted.
deathhand@reddit
Yeah it baffles me that people are talking about HD size and not the table format.
iratesysadmin@reddit
I have an older 8GB USB 2 flashdrive that this works with, my 64GB USB3 FD it did not work with.
The usb2 one is unbranded, got it as some swag with some marketing on it years ago. The 64GB is a Kingston.
This isn't the first time the 64GB doesn't work for some reason, my car's radio updates (I know, I know, but 2013 was not a great year) don't work on it either.
jobunocru@reddit (OP)
Thanks! I just rebuilt a laptop and enabled BitLocker with a local recovery key (not stored Entra/AD). The exploit worked with all three drives that I found. Trying to figure out why it didn't work on my Entra-joined laptop, but the standalone was vulnerable.
Loveangel1337@reddit
Wait, does it work if the machine is joined in Entra? The key needs to be 100% local, one of the remediations is making the key networked, I read something or other about that earlier today. You might have a GPO that mitigates it outright
jobunocru@reddit (OP)
No, it never worked on the Entra-joined machine. Haven't tried a domain-joined machine yet, but it worked on a standalone.
Loveangel1337@reddit
What I mean is this: https://www.reddit.com/r/sysadmin/comments/1tcoyp3/comment/olpzkbk/ TPM+network instead of pure TPM is a mitigation, I'm just not sure if Entra can provide the network part or not (cause I'm not a windows person), but it looks like it might??
I might also be saying nonsense, in which case, sorry!
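The comment above distinguishes a "pure TPM" protector from a TPM-plus-something configuration. The following PowerShell is an added example for checking which case each volume on a machine is in; it is not code from the thread or from any of the posters. It assumes the built-in BitLocker module (`Get-BitLockerVolume`) is available and the prompt is elevated, and it only reports what protector types are present, without claiming which combination mitigates the issue discussed here.

```powershell
# Added example: inventory BitLocker key protectors per volume and flag volumes
# whose only boot-time protector is a plain TPM protector ("pure TPM").
# Assumes the BitLocker PowerShell module and an elevated prompt.

function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names attached to this volume.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A recovery password is a fallback, not what unlocks the drive at boot,
        # so leave it out when deciding what gates the normal unlock path.
        $bootProtectors = @($types | Where-Object { $_ -ne 'RecoveryPassword' })
        $tpmOnly = ($bootProtectors.Count -eq 1 -and $bootProtectors[0] -eq 'Tpm')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnlyUnlock    = $tpmOnly
        }
    }
}

# Usage: run on each machine under test and compare the TpmOnlyUnlock column
# between the hosts where the behaviour differed (e.g. standalone vs. Entra-joined).
Get-BitLockerProtectorReport | Format-Table -AutoSize
```

Comparing the `KeyProtectors` column across the standalone and the Entra-joined laptop from the thread is a quick way to see whether the two machines actually have the same protector configuration before concluding that joining state alone made the difference.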
ender-_@reddit
My laptop is hybrid domain and Entra joined, and YellowKey worked.
Traditional-Set-8483@reddit
Try an older USB 2 drive formatted as FAT32. Some modern drives just refuse to work with it.
SirG33k@reddit
How are you copying the exploit to a USB? Since the folder is owned by SYSTEM and not writable, I have been taking ownership of the System Volume Information folder, copying files, then putting it back to BUILTIN\Administrators.
Still haven't gotten it to work. I get a little flash of a cmd window when it goes to recovery, but that's it. (And yes, I tried alt-tabbing to it just in case.) I'm curious if anyone has gotten it to work and how so.. just doing this for a PoC so I can show my security team that BitLocker should go the way of the dodo...
thekohlhauff@reddit
Use psexec to get system cli or just use linux
SirG33k@reddit
Good call with psexec!
Still not working for me across a dozen USB drives, but at least I got the files there without taking ownership. Thank you.
Fuskeduske@reddit
Worked for a colleague of mine, haven’t tried it myself
tankerkiller125real@reddit
Worked for me, but could not get it working from a fresh boot or from the login screen. I could only get it to trigger after already being logged in to start (and then doing the Shift + Restart option)
Gpidancet@reddit
yes. Scary
thekohlhauff@reddit
Worked for me immediately