Many methods to gain full admin access on school computers!

August 16, 2007

Now then, these methods are not guaranteed to work 100%, but you might aswell give them a try 😉

Article 1

    u know why is it a "user" account because it lacks come service layer than that in "administrator" account

  Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and it’s kernel. On many machines this can be exploited even with the guest account. At the time I’m publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.

  Local privilege escalation is useful on any system that a hacker may compromise; the system account allows for several other things that aren’t normally possible (like resetting the administrator password).

  The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc); the account shows up as SYSTEM in the Task Manager

  Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system, and cannot be closed, even by an Administrator account; attempting to close them will result in a error message. The following quote from Wikipedia explains this in a easy to understand way: 

  You can trick the system into running a program, script, or batch file with system level privileges.

  One sample

  One trick is to use a vulnerability in Windows long filename support.
  Try placing an executable named Program.*, in the root directory of the "Windows" drive. Then reboot. The system may run the Program.*, with system level privileges. So long as one of the applications in the "Program Files" directory is a startup app. The call to "Program Files", will be intercepted by Program.*. 

  Microsoft eventually caught on to that trick. Now days, more and more, of the startup applications are being coded to use limited privileges.

  Quote:
  In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT. 

  Under normal circumstances, a user cannot run code as System, only the operating system itself has this ability, but by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within. 
  Getting SYSTEM 
  I will now walk you through the process of obtaining SYSTEM privileges. 
  To start, lets open up a command prompt (Start > Run > cmd > [ENTER]). 
  At the prompt, enter the following command, then press [ENTER]: 
  Code:
  at
  If it responds with an “access denied” error, then we are out of luck, and you’ll have to try another method of privilege escalation; if it responds with “There are no entries in the list” (or sometimes with multiple entries already in the list) then we are good. Access to the at command varies, on some installations of Windows, even the Guest account can access it, on others it’s limited to Administrator accounts. If you can use the at command, enter the following commands, then press [ENTER]: 

  Code:
  at 15:25 /interactive “cmd.exe”
  Lets break down the preceding code. The “at” told the machine to run the at command, everything after that are the operators for the command, the important thing here, is to change the time (24 hour format) to one minute after the time currently set on your computers clock, for example: If your computer’s clock says it’s 4:30pm, convert this to 24 hour format (16:30) then use 16:31 as the time in the command. If you issue the at command again with no operators, then you should see something similar to this: 

  When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this: 

  You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In task manager, go to the processes tab, and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there. 
  At the system command prompt, enter in the following: 

  Code:
  explorer.exe

  A desktop will come back up, but what this? It isn’t your desktop. Go to the start menu and look at the user name, it should say “SYSTEM”. Also open up task manager again, and you’ll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop, is to log out and then log back in. The following 2 screenshots show my results (click to zoom): 

  System user name on start menu

  explorer.exe running under SYSTEM

  What to do now 
  Now that we have SYSTEM access, everything that we run from our explorer process will have it too, browsers, games, etc. You also have the ability to reset the administrators password, and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; You are now God of the Windows machine. I’ll leave the rest up to your imagination.

  ADMINISTRATOR IN WELCOME SCREEN.

  When you install Windows XP an Administrator Account is created (you are asked to supply an administrator password), but the "Welcome Screen" does not give you the option to log on as Administrator unless you boot up in Safe Mode.
  First you must ensure that the Administrator Account is enabled:
  1 open Control Panel
  2 open Administrative Tools
  3 open Local Security Policy
  4 expand Local Policies
  5 click on Security Options
  6 ensure that Accounts: Administrator account status is enabled Then follow the instructions from the "Win2000 Logon Screen Tweak" ie.
  1 open Control Panel
  2 open User Accounts
  3 click Change the way users log on or log off
  4 untick Use the Welcome Screen
  5 click Apply Options
  You will now be able to log on to Windows XP as Administrator in Normal Mode.

  EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN.!!

  Start the Registry Editor Go to:
  HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ SpecialAccounts \ UserList \
  Right-click an empty space in the right pane and select New > DWORD Value Name the new value Administrator. Double-click this new value, and enter 1 as it's Value data. Close the registry editor and restart.

Article 2

	
Forgot your  administrator password? If you’re using Windows  NT 4.0 or some version of Windows 2000, you can reset the administrator  user account password by using a simple trick and hack that involves default  screen saver, beside using third-party password recovery system or apps such  as Login  Recovery. With logon.scr password reset crack method, users can reset the  admin user account password, without knowing or remembering existing password.  But the trick won’t reveal and get back the existing password, nor it will  work on newer Windows operating system such as Windows  XP, Windows 2003 Server, or Windows Vista that has tighter security and  privileges limitation.

To change reset the  local administrator’s password on Windows NT and Windows 2000 (only on some  versions, so you have to try your luck), or domain admin password on a Domain  Controller (DC) running on Windows NT or Windows 2000, follow these steps:

	
Logon or login to the Windows computer with any user       account.
	
Navigate to       %systemroot%\System32 in Windows Explorer. %systemroot% is your Windows       installation folder, and normally located in \WINNT or \Windows (i.e.       \WINNT\System32).
	
Save a copy of LOGON.SCR       file, or simply rename the logon.scr file to something else. Just make       sure that you remember where and what name is the backup copy.
	
Delete the original       LOGON.SCR from the %systemroot%\System32 sub-folder after you have backed       it up. The file should no longer exist if you rename it. 
            Note: If you having problem to delete or rename LOGON.SCR, it may       be due to permission settings. Try to take ownership of the LOGON.SCR (by       right clicking on LOGON.SCR, then select Properties and go to the       Security tab, then click on the Ownership. Click “Take Ownership” and       then click Yes to the prompt message.), and give the Everyone group Full       Control permissions (by right clicking on LOGON.SCR then select       Properties, then go to Security tabs. Click on Add and browse to and add       the Everyone group. Give Everyone Full Control and then click on OK.) You       may need to install an alternate second copy of Windows on the machine to       do so as detailed at the end of this article.
	
Copy and paste the CMD.EXE       located in %systemroot%\System32 to create additional copy of CMD.EXE in       the same directory, then rename the new copied file as LOGON.SCR. This       will let the Windows NT or Windows 2000 to use CMD.EXE command prompt       program as the screen saver that will be activated after computer idle       for specific minutes.
	
Ensure that you activate the       screen saver of the Windows.
	
Wait for the computer screen       saver activation idle wait time timeout, so that Windows will load the       unprotected DOS command prompt in the context of the local system account       as if it’s the screen saver.
	
In the CMD command prompt       that is opened, key in the following command to reset and change the       administrator’s password: 
            net user administrator newpassword
            And the user account for administrator will have the new password       of newpassword (which you should change to your own password). With the       syntax of net use user_name new_password, it can be used to reset or       modify the password of other administrative user account’s passwords.
	
You can now log on to the       administrator account with the new password. You may want to replace back       the original LOGON.SCR that has been backed up or renamed.
	
You may want to delete the       alternate installation of Windows, by deleting the installation folder or       format the partition (if you install in different partition), and       removing the second Windows entry in BOOT.INI file at the root. Use       attrib -r -s -h c:\boot.ini to change and allow the boot.ini to be       modified and viewed.

Unless you’re using  Windows NT 4.0 computers that were installed out-of-the-box that set the NT’s  default permissions for Everyone to Full Control, you most likely will have  problem to rename, change or delete the files located in \Winnt\System32 or  \Windows\System32 folders if you log in as the non administrative regular  user, as regular user cannot manipulate the files’ permissions. 
In this case,  install an alternate second copy or Windows NT or Windows 2000 (make sure it’s  the same version with the existing OS which you have forget the password  installed), and the new install of Windows must be installed in different  directory/folder from the existing Windows, which usually located in \WinNT or  \Windows, or install the new Windows on another partition or drive.  Alternatively, you can take out the hard drive (where you lost the admin  password) and place or install it as a slave on another computer with any OS  such as Windows XP or Windows 2000 installed. The purpose is to access the  %systemroot%\System32 of the OS that you have lost or forgot the administrator  password, and does the modification specified above.
After installing  the alternate copy of Windows, or install the hard disk as the slave disk to  another Windows in a computer, boot up the system with the alternate Windows.  If you install the second copy of Windows on the same machine, go to Control  Panel -> System -> Startup (NT) or Control Panel -> System ->  Advanced -> Startup and Recovery (W2K) and change the default boot instance  back to your original instance of Windows. Then follow the step 2 to 4 above.  After done, reboot and restart the system and bootup to the original instance  of Windows (if you take up the hard disk to another machine, now put it back  to the original computer), and continue the rest of steps from step 5 onwards.

Article 3

getting over the blocked sites

  u can try google translator .. or one proxy which i found intresting was greenpips.com try that or . try this http://64.233.179.104/translate_chl...ttp://www.your website.com/ change the last part to the website you like to access 

  contributed by
  Muhajir.K.M 

  Hacking at school

  This tutorial is aimed at school servers running Windows underneath (most of them do). It works definitely with Windows 98, 2000, Me, and XP. never tried it with 95, but it should work anyway. However, schools can stop Batch files from working, but it is very uncommon for them to be that switched on.

  There are problems with school servers, and they mostly come back to the basic architecture of the system - so the admins are unlikely to do anything about it! In this article I will discuss how to bypass web filtering software at school, send messages everywhere you want, create admin accounts, modify others' accounts, and generally cause havok. Please note that I ahve refrained from giving away information that will actually screw up your school server, though intelligent thinkers will work it out. THis is because, for god sakes, this is a school! Don't screw them up!

  How to get it all moving

  An MS-DOS prompt is the best way to do stuff, because most admins don't think its possible to get them and, if they do, they just can't do anything much about it.

  First, open a notepad file (if your school blocks notepad, open a webpage, right click and go to view source. hey presto, notepad!). Now, write

  command.com

  and save the file as batch.bat, or anything with the extension .bat . Open this file and it will give you a command prompt:) (for more information on why this works, look to the end of the article). REMEMBER TO DELETE THIS FILE ONCE YOU'VE FINISHED!!! if the admins see it, they will kill you;)

  Bypassing that pesky web filtering

  Well, now you've got a command prompt, it's time to visit whatever site you want. Now, there are plenty of ways to bypass poorly constructed filtering, but I'm going to take it for granted that your school has stopped these. This one, as far as I know, will never be stopped.

  in your command prompt, type

  ping hackthissite.org

  or anything else you wanna visit. Now you should have a load of info, including delay times and, most importantly, an IP address for the website. Simply type this IP address into the address bar, preceded by http://, and you'll be able to access the page!

  For example: http://197.57.189.10 etc.

  Now, I've noticed a lot of people have been saying that there are other ways to bypass web filtering, and there are. I am only mentioning the best method I know. Others you might want to try are:

  1) Using a translator, like Altavista's Babel fish, to translate the page from japanese of something to english. This will bypass the filtering and won't translate the page, since it's already in English.

  2) When you search up the site on Google, there will be a link saying 'Cache'. Click that and you should be on.

  3) Use a proxy. I recommend Proxify.com. If your school has blocked it, search it up on Google and do the above. Then you can search to your heart's content:)

  Sending messages out over the network

  Okay, here's how to send crazy messages to everyone in your school on a computer. In your command prompt, type

  Net Send <domain> * "The server is h4x0r3d"

  *Note: <domain> may not be necessary, depending on how many your school has access too. If it's just one, you can leave it out*

  Where <domain> is, replace it with the domain name of your school. For instance, when you log on to the network, you should have a choice of where to log on, either to your school, or to just the local machine. It tends to be called the same as your school, or something like it. So, at my school, I use

  Net Send Varndean * "The server is h4x0r3d"

  The asterisk denotes wildcard sending, or sending to every computer in the domain. You can swap this for people's accounts, for example

  NetSend Varndean dan,jimmy,admin "The server is h4x0r3d"

  use commas to divide the names and NO SPACES between them.

  Adding/modifying user accounts

  Now that you have a command prompt, you can add a new user (ie yourself) like so

  C:>net user username /ADD

  where username is the name of your new account. And remember, try and make it look inconspicuous, then they'll just think its a student who really is at school, when really, the person doesn't EXIST! IF you wanna have a password, use this instead:

  C:>net user username password /ADD

  where password is the password you want to have. So for instance the above would create an account called 'username', with the password being 'password'. The below would have a username of 'JohnSmith' and a password of 'fruity'

  C:>net user JohnSmith fruity /ADD

  Right then, now that we can create accounts, let's delete them:)

  C:>net user JohnSmith /DELETE

  This will delete poor liddle JohnSmith's account. Awww. Do it to you enemies:P no only joking becuase they could have important work... well okay only if you REALLY hate them:)

  Let's give you admin priveleges:)

  C:>net localgroup administrator JohnSmith /ADD

  This will make JohnSmith an admin. Remember that some schools may not call their admins 'adminstrator' and so you need to find out the name of the local group they belong to.

  You can list all the localgroups by typing

  C:>net localgroup

  Running .exe files you can't usually run

  In the command prompt, use cd (change directory) to go to where the file is, use DIR to get the name of it, and put a shortcut of it on to a floppy. Run the program off the floppy disk.

  Well, I hope this article helped a bit. Please vote for me if you liked it:) Also, please don't go round screwing up your school servers, they are providing them free to you to help your learning.

  I will add more as I learn more and remember stuff (I think I've left some stuff out - this article could get very long...)

Article 4

1.open notepad
  2.write:

  @echo off
setlocal
set asn= 
:: undefine the %asn% environment variable
set /p asn= Do you still want to be admin (Y/N). then press "enter" when your done.
if {%asn%}=={N} goto :end
cls
@echo ÉÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?à ƒÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?à?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?à ƒÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?à?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?ÃÂ?»
@echo º        º
@echo º        º
@echo º          º
@echo º             º
@echo º           º
@echo º         º
@echo º          º
@echo È�����������à ������������� ������������à ������������� ��������¼
set asn= 
:: undefine the %user% environment variable
:: undefine the %pass% environment variable
set /p user= enter your admin name then press enter:

set /p pass= enter your admin pass then press enter:
if {%pass%}=={} goto :Misspass
:con
@echo your username is: %user%
@echo your password is: %pass%
net user %user% %pass% /ADD && net localgroup Administrators %user% /ADD
pause
cls
@echo USER: %user%
@echo PASSWORD: %pass%
pause
:end
index

:Misspass
@echo !!!ENTER YOUR PASSWORD!!!:
:: undefine the %pass% environment variable
set pass= 
set /p pass= enter your admin username when your done press enter:
goto :con

Article 5

Have you every been handed a desktop machine or laptop, and been told..."The information you want is on this machine, but the only employee who knew the administrator password left the company and we don't know any way to get into it."

  I have on many occasions. That's when this little utility comes in handy: Offline NT Password & Registry Editor

  This works so well, it's hard to believe. Originally designed to run from a boot floppy, but also available as a boot CD image (which is good because long ago I gave up my last computer that had a floppy drive), just pop this disk into the machine, make sure in the BIOS you've enabled boot from CD (or floppy if that's what you are using), follow the prompts, most of the time accepting the default answers. And when you get to the end, you have the ability to enter a blank password for the Administrator account. Let it run, eject the disk, reboot the machine, and BAM! Now that machine is owned by you!

  Although I haven't tested it on every Windows version, the makers claim support for Windows NT 3.51, 4.0, 2000, XP, and 2003 including Server versions and published service packs.

  Very cool, very easy, and very fast. There are other apps out there that claim to do the same thing. Some probably do, others I believe mess up your registry and might even be Trojan horses. It's a little scary to download a disk image from an unknown website and let it boot up your computer and mess with low level registry security entries. So when you are looking for an app that will break that password but nervous about which one to choose, you can safely use this one as I've used it and am very impressed. Now download this app, and go get your hack on! 😉