6

How do you go on getting "the admin password"? (School, CS teacher)

Your ideas are ofc just thought experiments and won't be used in reality... 😉

Comments
  • 3
    >>Have a teacher that likes you
    >>Ask for it to do research for a project in their class
    >>Get it on a sticky note
    >>Use whenever

    I had 4 different passwords from 4 teachers lol
  • 1
    📍😅
  • 5
    You see. The passwords are stored in what's called the memory guard block (MGB)

    It's located inside the computer, looks kind of like a coin. You have to remove it from the computer. Then the password for the computer will be gone and you will be able to log in as admin without any password at all.

    Just don't forget to put the MGB back into the system again otherwise the guard dog kennel will start barking when your teacher starts the computer again and he will know EXACTLY what is going on.
  • 2
    @Stuxnet I already got him close to giving it to me for my blender project since he was occupied and I needed an (admin) share folder. But he said that he can't give it to me after rethinking and made the folder for me.
    I think/hope he likes me. We were even nerding around, talking about some stuff like tor and shit with a physics teacher. (Me, 2 teacher nerds = smalltalk lol)
  • 1
    @BigBoo Shit, really?! I gotta research this stuff.

    I tried (in the library network) to change the password (laptop, offline) of the admin via this old backdoor. But that's not good practice for a larger open system.
  • 1
    Let's say the farthest I got in breaking into a school network (let's face it honestly for me it would only be to fix stuff and as yet another argument for them to move their asses and let me demonstrate a Linux network to them, considering my school's IT department, who knows me well and which is composed of a pathetic 3 teachers obviously can't keep a Windows network in shape all by themselves) was getting local computer admin access, but that's not very far 😅😅 hence my curiosity
  • 2
    @BambuSource What backdoor did you try?
  • 2
    For me it was as simple as:
    net user admin *
    *press enter twice*
    Done
  • 2
    @EaZyCode would* ofc I have never done this
  • 1
    @BigBoo probably the same as @chilledfrogs - it's about crashing the pc in bootup thus launching the windows repair tool. After a few minutes of "windows repair" the system provides you with a few options. One of them leads to the "restore". If you show the problem detail, you get a little text and a link to a txt of the windows agreement or something like that. It opens in notepad. Notepad can open, and the "open file" explorer is enough rights to rename the windows exe files. Copy&rename cmd to the Ease of Access exe (rename that beforehand) and reboot.

    Now in the lock screen, launch Ease of Access / now you have a full-rights console and can add/change the admin's password.

    https://imgur.com/gallery/H8obU
  • 2
    @BambuSource Ah. The moon men (aka Bluehats, https://en.m.wikipedia.org/wiki/...)
    Fixed that a while ago. So that's a no go since the Return to Sender exposure.
  • 1
    @BigBoo might be true. Microsoft knew about this since, I dunno, win98? If they fixed it by now, cool. Yet - our school still runs old (partly unlicensed lol) windows, where this still works. But it only gives local admin rights.
  • 1
    @BambuSource Actually, you can still do that but by booting up a live Linux distro USB or CD and doing the same rename schtick from there; any with a file browser and NTFS/FAT32 filesystem tools (so pretty much any distro out there) should work... Much quicker and more reliable than the boot-up recovery method, which seems to work with Windows 7 but nothing after that ;)
  • 2
    We were doing a practice about users and permissions so the teacher created a user called 'user' with password '1234'. He added it to the 'wheel' group and didn't remove it at the end of the class. So we could ssh into the teacher's pc and gain root permissions. Don't think that anyone ever used it though. Except me, I turned off the computer in some lessons of THAT teacher everyone hates :)
  • 1
    @NefixEstrada Wait, UNIX-like OS at your school? 🤤 Or university?
  • 2
    We only use free software in the IT part of our school :D @chilledfrogs (and all the servers are Linux too)
  • 2
    @NefixEstrada God my fucking dream... I mean actually the IT department in my school seems interested to try out Linux (if the school board lets us 😑🙄 French bureaucracy), they just have no time like at all considering they're all teachers as well... But a friend of mine and I have a plan to get them to get some time 😅
  • 6
    You know, asking that question like that and the people answering it could be regarded as a crime. Next time ask it as "I want to crack the password of a VM running Windows [version] in my lab. What's the best way to do this?" And there's plenty of tutorials out there for this so you might as well ask a search engine.

    Also use whatever answers you've got here for lab pentesting purposes only. Cracking the password of your teacher could very well get you into big trouble.
  • 2
    Put a keylogger on the computer. Tell the teacher you can't log in. Persuade him to log in with his credentials. After his keystrokes are logged, use his login.
  • 1
    @codechimp I only used a python keylogger that is active when you're on your desktop, logged in.

    Any keylogger that would also work in the login screen? Or would I need a "hardware" keylogger?
  • 2
    @Condor thanks for your comment. I hope it's not illegal "looking for weapons" without using them. This is all theory and should be provoking, and satisfy my curiosity about how other devs would do it. Sorry if that bothers you.

    I won't actually try this on my school/teacher. I'm just curious.
    But still thanks for your advice
  • 2
    Well, I'm studying IT in my school, so the teachers have plenty of time for it :D

    Also, I was taken on as an intern this year at the school for sysadmining, so I created and managed lots of servers, networks, machines...

    @chilledfrogs
  • 4
    @BambuSource Well when you "look for weapons" why would you look for them? To use them, right? In pentesting there's the exception where you may want to use the tools in the lab to find out more about the system and what its weaknesses are.. similar to how you could use a firearm in a shooting range I guess.

    So, I'll assume that you'd like to use this information in a test lab and that the whole teacher stuff just rolled off the tongue - or the keyboard here - as a sort of sample scenario.

    When I think about the school that I went to at the time, we had a 10 minute smoking break during the tutoring session. When everyone went outside, the teacher would lock the classroom door to protect our laptops, external hard drives and if applicable, the hardware we were assembling. If however one or more students would stay in the classroom, this student would be responsible for keeping the other students' possessions secure from theft, vandalism etc and the classroom door would stay open. This means that there's a potential time frame during which I'm alone in the classroom and have physical access to my teacher's PC.

    During that timeframe I could power off the PC, sideload my own Linux system and copy in the SAM file that holds the passwords in Windows. When that's done, I could reboot the PC and into the login screen it goes, ready for them to authenticate. This would be possible only because my teacher (not sure about this tbh but it serves the purpose for our hypothetical scenario) responsibly closes all her applications and locks the PC before walking away.

    Later on when I get back home, I could then attempt to crack that SAM file and from it get the admin password of my teacher's PC.

    Note that this is a sample scenario wherein I made a lot of assumptions about various parameters. They probably aren't fully applicable to yours, and that's intentional. Be creative. Lastly I'd like to waive all responsibility for your actions. If you fuck up, I will only laugh at you.
  • 2
    @Condor nice one. "Crack" in the sense of rainbow tables? ;D They're still hashed, aren't they?

    Anyways: I fooled about this with a friend who has a million crazy ideas, just to think of them, he never actually puts them into practice. And I talked to a few friends about it. So actually DOING it would be really, really silly. For me it's more like asking "How'd you hack the NSA?" - and people discuss. I wouldn't/couldn't hack them anyways but it's an interesting topic.

    Like you said, I'd be better off talking more inaccurately as if I was making my own penetration. That however, imo, is more "conspicuous" than joking about it.
  • 4
    @BambuSource hmm, good point 🤔 I know that they're stored in SAM files and that there's some tools in the likes of Kali to crack them, but never looked into it further than that. Probably cracking the SAM file will take some time though.
  • 2
    @Condor I gather that those hashes in there are a tiny bit easier to crack than one might think actually, I'm not sure what tool to use though 😅
  • 4
    @chilledfrogs resetting and pushing back the modified SAM file is easy, recovery is hard.. just like it is with any hash really. But changing the password would be a big red flag for said teacher I think 🤔
  • 2
    @Condor Of course. But like I heard that the hash algorithm seems to be a bit weaker than some other ones out there
  • 3
    @chilledfrogs could be, but no clue ¯\_(ツ)_/¯ pretty sure that it's weaker than the shadow file in Unix systems though, because you know.. Windows 😛
  • 2
    @Condor I was thinking the exact same thing 😅🤣
  • 2
    @Condor could you give me a brief explanation of it? The name sounds cool (I could look it up but shh)
  • 4
    @BambuSource The shadow file? It's stored in /etc/shadow and holds the hashed user passwords. Apparently my Ubuntu 18.04 WSL environment uses SHA512, which is pretty decent. You can read more about it at https://cyberciti.biz/faq/... :)
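The two points above that a sysadmin can actually act on are the leftover 'wheel' member with a trivial password (the earlier @NefixEstrada comment) and the question of which hash scheme /etc/shadow is using (this comment). The following is an added example, not code from any commenter: a small audit script that parses /etc/shadow-style and /etc/group-style records, flags accounts with empty, DES or md5crypt password fields (a field starting with `$6$` is sha512crypt, `$y$` is yescrypt), and lists who currently sits in the privileged groups. The sample records are constructed and every hash in them is a placeholder string, not a real digest.

```python
"""Audit /etc/shadow-style records for weak or missing password hashes and list
members of privileged groups. Added example; sample data below is constructed."""
from typing import Dict, List, Sequence

# crypt(3) scheme prefixes found in the second field of /etc/shadow.
# Value: (scheme name, should a defender flag it as weak today?)
HASH_SCHEMES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
    "$gy$": ("gost-yescrypt", False),
}


def classify_hash(field: str) -> Dict[str, object]:
    """Describe the password field of one shadow record."""
    if field == "":
        return {"scheme": "none", "locked": False, "weak": True,
                "note": "empty password field: password-less login may be possible"}
    if field.startswith(("!", "*")):
        return {"scheme": "locked", "locked": True, "weak": False,
                "note": "account locked or password login disabled"}
    for prefix, (name, weak) in HASH_SCHEMES.items():
        if field.startswith(prefix):
            note = "legacy scheme, re-hash on next login" if weak else "modern crypt scheme"
            return {"scheme": name, "locked": False, "weak": weak, "note": note}
    # No "$id$" prefix: traditional 13-character DES crypt, or something unrecognised.
    return {"scheme": "descrypt-or-unknown", "locked": False, "weak": True,
            "note": "no scheme prefix: traditional DES crypt or unrecognised format"}


def audit_shadow(text: str) -> List[Dict[str, object]]:
    """Return one finding per account whose password field is weak, empty or malformed."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append({"line": lineno, "user": line, "scheme": "malformed",
                             "note": "fewer than two fields"})
            continue
        info = classify_hash(fields[1])
        if info["weak"]:
            findings.append({"line": lineno, "user": fields[0],
                             "scheme": info["scheme"], "note": info["note"]})
    return findings


def privileged_members(group_text: str,
                       groups: Sequence[str] = ("wheel", "sudo", "admin")) -> Dict[str, List[str]]:
    """Map each privileged group present in /etc/group-style text to its listed members."""
    result: Dict[str, List[str]] = {}
    for raw in group_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # name:password:gid:member_list is the minimum shape
        if fields[0] in groups:
            result[fields[0]] = [m for m in fields[3].split(",") if m]
    return result


# Constructed sample records; every hash is a placeholder, not a real digest.
SAMPLE_SHADOW = """\
root:$6$saltPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
alice:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
bob:$1$oldsalt$MD5PLACEHOLDER:18000:0:99999:7:::
legacy:DESPLACEHOLD1:17000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,user
sudo:x:27:alice
users:x:100:alice,bob,user
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"line {f['line']}: {f['user']}: {f['scheme']} - {f['note']}")
    for group, members in privileged_members(SAMPLE_GROUP).items():
        print(f"{group}: {', '.join(members) or '(no supplementary members)'}")
```

Run against the constructed data it reports bob (md5crypt), legacy (DES-style field) and guest (empty field), and shows that 'user' is still in wheel, which is exactly the leftover the earlier comment describes. On a real host the script needs root to read /etc/shadow; it does not attempt to crack anything, it only classifies the scheme prefix so that accounts on md5crypt or DES can be forced to re-hash at next login.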
  • 2
    Create a program that pops up a fake UAC prompt with a password sniffer.

    Ask for help when the prompt comes up.
  • 1
    @ewpratten not bad. I wonder if anyone has ever done that :D
    We actually had ideas about remaking the login screen - but an admin-access window seems more intelligent
  • 2
    @BambuSource I did it. It's a good way to get a password