Heaps of methods to gain full admin access to school computers!

August 16, 2007

Article 1

    u know why is it a "user" account because it lacks come service layer than that in "administrator" account

  Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and it’s kernel. On many machines this can be exploited even with the guest account. At the time I’m publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.

  Local privilege escalation is useful on any system that a hacker may compromise; the system account allows for several other things that aren’t normally possible (like resetting the administrator password).

  The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc); the account shows up as SYSTEM in the Task Manager

  Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system, and cannot be closed, even by an Administrator account; attempting to close them will result in a error message. The following quote from Wikipedia explains this in a easy to understand way: 

  You can trick the system into running a program, script, or batch file with system level privileges.

  One sample

  One trick is to use a vulnerability in Windows long filename support.
  Try placing an executable named Program.*, in the root directory of the "Windows" drive. Then reboot. The system may run the Program.*, with system level privileges. So long as one of the applications in the "Program Files" directory is a startup app. The call to "Program Files", will be intercepted by Program.*. 

  Microsoft eventually caught on to that trick. Now days, more and more, of the startup applications are being coded to use limited privileges.

  In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT. 

  Under normal circumstances, a user cannot run code as System, only the operating system itself has this ability, but by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within. 
  Getting SYSTEM 
  I will now walk you through the process of obtaining SYSTEM privileges. 
  To start, lets open up a command prompt (Start > Run > cmd > [ENTER]). 
  At the prompt, enter the following command, then press [ENTER]: 
  If it responds with an “access denied” error, then we are out of luck, and you’ll have to try another method of privilege escalation; if it responds with “There are no entries in the list” (or sometimes with multiple entries already in the list) then we are good. Access to the at command varies, on some installations of Windows, even the Guest account can access it, on others it’s limited to Administrator accounts. If you can use the at command, enter the following commands, then press [ENTER]: 

  at 15:25 /interactive “cmd.exe”
  Lets break down the preceding code. The “at” told the machine to run the at command, everything after that are the operators for the command, the important thing here, is to change the time (24 hour format) to one minute after the time currently set on your computers clock, for example: If your computer’s clock says it’s 4:30pm, convert this to 24 hour format (16:30) then use 16:31 as the time in the command. If you issue the at command again with no operators, then you should see something similar to this: 

  When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this: 

  You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In task manager, go to the processes tab, and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there. 
  At the system command prompt, enter in the following: 


  A desktop will come back up, but what this? It isn’t your desktop. Go to the start menu and look at the user name, it should say “SYSTEM”. Also open up task manager again, and you’ll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop, is to log out and then log back in. The following 2 screenshots show my results (click to zoom): 

  System user name on start menu

  explorer.exe running under SYSTEM

  What to do now 
  Now that we have SYSTEM access, everything that we run from our explorer process will have it too, browsers, games, etc. You also have the ability to reset the administrators password, and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; You are now God of the Windows machine. I’ll leave the rest up to your imagination.


  When you install Windows XP an Administrator Account is created (you are asked to supply an administrator password), but the "Welcome Screen" does not give you the option to log on as Administrator unless you boot up in Safe Mode.
  First you must ensure that the Administrator Account is enabled:
  1 open Control Panel
  2 open Administrative Tools
  3 open Local Security Policy
  4 expand Local Policies
  5 click on Security Options
  6 ensure that Accounts: Administrator account status is enabled Then follow the instructions from the "Win2000 Logon Screen Tweak" ie.
  1 open Control Panel
  2 open User Accounts
  3 click Change the way users log on or log off
  4 untick Use the Welcome Screen
  5 click Apply Options
  You will now be able to log on to Windows XP as Administrator in Normal Mode.


  Start the Registry Editor Go to:
  HKEY_LOCAL_MACHINE  SOFTWARE  Microsoft  Windows NT  CurrentVersion  Winlogon  SpecialAccounts  UserList 
  Right-click an empty space in the right pane and select New > DWORD Value Name the new value Administrator. Double-click this new value, and enter 1 as it's Value data. Close the registry editor and restart.

Article 2

  • Forgot your administrator password? If you’re using Windows NT 4.0 or some version of Windows 2000, you can reset the administrator user account password by using a simple trick and hack that involves default screen saver, beside using third-party password recovery system or apps such as Login Recovery. With logon.scr password reset crack method, users can reset the admin user account password, without knowing or remembering existing password. But the trick won’t reveal and get back the existing password, nor it will work on newer Windows operating system such as Windows XP, Windows 2003 Server, or Windows Vista that has tighter security and privileges limitation. To change reset the local administrator’s password on Windows NT and Windows 2000 (only on some versions, so you have to try your luck), or domain admin password on a Domain Controller (DC) running on Windows NT or Windows 2000, follow these steps:
    • Logon or login to the Windows computer with any user account.
    • Navigate to %systemroot%System32 in Windows Explorer. %systemroot% is your Windows installation folder, and normally located in WINNT or Windows (i.e. WINNTSystem32).
    • Save a copy of LOGON.SCR file, or simply rename the logon.scr file to something else. Just make sure that you remember where and what name is the backup copy.
    • Delete the original LOGON.SCR from the %systemroot%System32 sub-folder after you have backed it up. The file should no longer exist if you rename it. Note: If you having problem to delete or rename LOGON.SCR, it may be due to permission settings. Try to take ownership of the LOGON.SCR (by right clicking on LOGON.SCR, then select Properties and go to the Security tab, then click on the Ownership. Click “Take Ownership” and then click Yes to the prompt message.), and give the Everyone group Full Control permissions (by right clicking on LOGON.SCR then select Properties, then go to Security tabs. Click on Add and browse to and add the Everyone group. Give Everyone Full Control and then click on OK.) You may need to install an alternate second copy of Windows on the machine to do so as detailed at the end of this article.
    • Copy and paste the CMD.EXE located in %systemroot%System32 to create additional copy of CMD.EXE in the same directory, then rename the new copied file as LOGON.SCR. This will let the Windows NT or Windows 2000 to use CMD.EXE command prompt program as the screen saver that will be activated after computer idle for specific minutes.
    • Ensure that you activate the screen saver of the Windows.
    • Wait for the computer screen saver activation idle wait time timeout, so that Windows will load the unprotected DOS command prompt in the context of the local system account as if it’s the screen saver.
    • In the CMD command prompt that is opened, key in the following command to reset and change the administrator’s password: net user administrator newpassword And the user account for administrator will have the new password of newpassword (which you should change to your own password). With the syntax of net use user_name new_password, it can be used to reset or modify the password of other administrative user account’s passwords.
    • You can now log on to the administrator account with the new password. You may want to replace back the original LOGON.SCR that has been backed up or renamed.
    • You may want to delete the alternate installation of Windows, by deleting the installation folder or format the partition (if you install in different partition), and removing the second Windows entry in BOOT.INI file at the root. Use attrib -r -s -h c:boot.ini to change and allow the boot.ini to be modified and viewed.
    Unless you’re using Windows NT 4.0 computers that were installed out-of-the-box that set the NT’s default permissions for Everyone to Full Control, you most likely will have problem to rename, change or delete the files located in WinntSystem32 or WindowsSystem32 folders if you log in as the non administrative regular user, as regular user cannot manipulate the files’ permissions. In this case, install an alternate second copy or Windows NT or Windows 2000 (make sure it’s the same version with the existing OS which you have forget the password installed), and the new install of Windows must be installed in different directory/folder from the existing Windows, which usually located in WinNT or Windows, or install the new Windows on another partition or drive. Alternatively, you can take out the hard drive (where you lost the admin password) and place or install it as a slave on another computer with any OS such as Windows XP or Windows 2000 installed. The purpose is to access the %systemroot%System32 of the OS that you have lost or forgot the administrator password, and does the modification specified above. After installing the alternate copy of Windows, or install the hard disk as the slave disk to another Windows in a computer, boot up the system with the alternate Windows. If you install the second copy of Windows on the same machine, go to Control Panel -> System -> Startup (NT) or Control Panel -> System -> Advanced -> Startup and Recovery (W2K) and change the default boot instance back to your original instance of Windows. Then follow the step 2 to 4 above. After done, reboot and restart the system and bootup to the original instance of Windows (if you take up the hard disk to another machine, now put it back to the original computer), and continue the rest of steps from step 5 onwards.

Article 3

getting over the blocked sites

  u can try google translator .. or one proxy which i found intresting was greenpips.com try that or . try this website.com/ change the last part to the website you like to access 

  contributed by

  Hacking at school

  This tutorial is aimed at school servers running Windows underneath (most of them do). It works definitely with Windows 98, 2000, Me, and XP. never tried it with 95, but it should work anyway. However, schools can stop Batch files from working, but it is very uncommon for them to be that switched on.

  There are problems with school servers, and they mostly come back to the basic architecture of the system - so the admins are unlikely to do anything about it! In this article I will discuss how to bypass web filtering software at school, send messages everywhere you want, create admin accounts, modify others' accounts, and generally cause havok. Please note that I ahve refrained from giving away information that will actually screw up your school server, though intelligent thinkers will work it out. THis is because, for god sakes, this is a school! Don't screw them up!

  How to get it all moving

  An MS-DOS prompt is the best way to do stuff, because most admins don't think its possible to get them and, if they do, they just can't do anything much about it.

  First, open a notepad file (if your school blocks notepad, open a webpage, right click and go to view source. hey presto, notepad!). Now, write


  and save the file as batch.bat, or anything with the extension .bat . Open this file and it will give you a command prompt:) (for more information on why this works, look to the end of the article). REMEMBER TO DELETE THIS FILE ONCE YOU'VE FINISHED!!! if the admins see it, they will kill you;)

  Bypassing that pesky web filtering

  Well, now you've got a command prompt, it's time to visit whatever site you want. Now, there are plenty of ways to bypass poorly constructed filtering, but I'm going to take it for granted that your school has stopped these. This one, as far as I know, will never be stopped.

  in your command prompt, type

  ping hackthissite.org

  or anything else you wanna visit. Now you should have a load of info, including delay times and, most importantly, an IP address for the website. Simply type this IP address into the address bar, preceded by http://, and you'll be able to access the page!

  For example: etc.

  Now, I've noticed a lot of people have been saying that there are other ways to bypass web filtering, and there are. I am only mentioning the best method I know. Others you might want to try are:

  1) Using a translator, like Altavista's Babel fish, to translate the page from japanese of something to english. This will bypass the filtering and won't translate the page, since it's already in English.

  2) When you search up the site on Google, there will be a link saying 'Cache'. Click that and you should be on.

  3) Use a proxy. I recommend Proxify.com. If your school has blocked it, search it up on Google and do the above. Then you can search to your heart's content:)

  Sending messages out over the network

  Okay, here's how to send crazy messages to everyone in your school on a computer. In your command prompt, type

  Net Send <domain> * "The server is h4x0r3d"

  *Note: <domain> may not be necessary, depending on how many your school has access too. If it's just one, you can leave it out*

  Where <domain> is, replace it with the domain name of your school. For instance, when you log on to the network, you should have a choice of where to log on, either to your school, or to just the local machine. It tends to be called the same as your school, or something like it. So, at my school, I use

  Net Send Varndean * "The server is h4x0r3d"

  The asterisk denotes wildcard sending, or sending to every computer in the domain. You can swap this for people's accounts, for example

  NetSend Varndean dan,jimmy,admin "The server is h4x0r3d"

  use commas to divide the names and NO SPACES between them.

  Adding/modifying user accounts

  Now that you have a command prompt, you can add a new user (ie yourself) like so

  C:>net user username /ADD

  where username is the name of your new account. And remember, try and make it look inconspicuous, then they'll just think its a student who really is at school, when really, the person doesn't EXIST! IF you wanna have a password, use this instead:

  C:>net user username password /ADD

  where password is the password you want to have. So for instance the above would create an account called 'username', with the password being 'password'. The below would have a username of 'JohnSmith' and a password of 'fruity'

  C:>net user JohnSmith fruity /ADD

  Right then, now that we can create accounts, let's delete them:)

  C:>net user JohnSmith /DELETE

  This will delete poor liddle JohnSmith's account. Awww. Do it to you enemies:P no only joking becuase they could have important work... well okay only if you REALLY hate them:)

  Let's give you admin priveleges:)

  C:>net localgroup administrator JohnSmith /ADD

  This will make JohnSmith an admin. Remember that some schools may not call their admins 'adminstrator' and so you need to find out the name of the local group they belong to.

  You can list all the localgroups by typing

  C:>net localgroup

  Running .exe files you can't usually run

  In the command prompt, use cd (change directory) to go to where the file is, use DIR to get the name of it, and put a shortcut of it on to a floppy. Run the program off the floppy disk.

  Well, I hope this article helped a bit. Please vote for me if you liked it:) Also, please don't go round screwing up your school servers, they are providing them free to you to help your learning.

  I will add more as I learn more and remember stuff (I think I've left some stuff out - this article could get very long...)

Article 4


2 Responses to “Heaps of methods to gain full admin access to school computers!”

  1. Bomber Says:

    It doesnt help putting them in those boxes, makes it harder to read.

  2. Snark Says:

    Yeah, I agree with Bomber. Nice site though, thought Article 3 was very good… Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: