Hacking into Admin on a School Computer

Thomas Lai | February 8, 2016

This article is for educational purposes only, and the listed steps were performed with permission from the teacher. I am not responsible if you get in trouble. Follow at your own risk.

I recently gained experience from hacking into the administrator account on a school computer and obtaining unlimited access.

What you will need:
  • USB thumb drive (at least 2GB)
  • A disk image of Ubuntu Desktop
  • PenDriveLinux’s Universal USB Installer
  • A school computer running Windows 7

The first step of this process is to create a bootable live USB of Ubuntu. A live USB means the operating system can be booted directly through the USB drive without an installation. To do this, you’ll want to open the UUI and select the Linux disk image, then click "create." Once you have that ready, bring it to school.

On the school computer that you want to hack, you’ll need to adjust the BIOS in order to boot from your USB drive. Depending on the machine, you’ll be able to access the BIOS settings usually by pressing a function key repeatedly on the boot screen. To find out how to access the BIOS on a particular machine, boot it up and the instructions should be somewhere on the screen with the manufacturer logo. Once you have access to the settings, you’ll need to adjust the boot order and move the USB device to the top of the list. If the BIOS is locked with a password, you can try to use the default passwords from the manufacturer listed here. If that doesn’t work, you’re out of luck.

Once you have the settings ready, boot from the thumb drive into Ubuntu (do not install; just run it live) and go to the file explorer. Navigate to the machine's internal hard drive partition that holds Windows (usually the C: drive). Go into Windows > System32. Look for a file named “sethc.exe” (this is the program that holds the Windows Sticky Keys feature, which nobody uses) and rename it to something like “sethc2.exe”. Then, look for “cmd.exe” (the Command Prompt program) and rename it to “sethc.exe”. This way, since we’re usually able to access Sticky Keys from the login menu on Windows, we’ll now be able to access the Command Prompt with full administrator privileges.

Restart the machine and boot into the default Windows OS. After the login screen shows up, do not log in. Hit your left shift key five times for the Command Prompt to open, then type "net user". Look for a listing that resembles an administrator account (usually something like “Admin” or “Local-Administrator”). This is the default Windows local administrator account, and it’s disabled by default. If you do not see this listing, skip to the next step. Type “net user [account name] /active:yes” and hit enter. This will enable access to the account. Then, type “net user [account name] [password]” to change the password to that account (password can be anything you want). You’ll now be able to log in with that account.

If, instead of using the local administrator account, you want to create a custom one, type “net user /add [username] [password]” to create a new account. This will be a standard user account, so to give it administrator privileges, type “net localgroup administrators [account name] /add”.

If you are not prompted to enter a username and password on the login screen, hit ctrl+alt+delete twice and a login menu should show up. There, you can enter your new credentials, log in, and have fun.
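
The file swap described above leaves traces in System32 that an administrator can check for. The following is an added example, not part of the original article: it audits a System32 directory (on a live machine or a mounted disk image) for a missing cmd.exe, an accessibility program whose content matches cmd.exe, and a leftover renamed sethc file. The function names, the extra accessibility binaries beyond sethc.exe, and the sample files are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility programs Windows can start from the logon screen (sethc.exe is
# the article's case; the others are included as a generalisation).
ACCESSIBILITY = ["sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe"]
SHELL = "cmd.exe"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_system32(system32: Path) -> list[str]:
    """Return findings for a System32 directory (live system or mounted image)."""
    # Index names in lower case: an NTFS volume mounted on Linux is case-sensitive.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    if SHELL not in files:
        # Renaming cmd.exe, as the article does, leaves no cmd.exe behind.
        findings.append(f"{SHELL} is missing")
    else:
        shell_hash = sha256(files[SHELL])
        for name in ACCESSIBILITY:
            if name in files and sha256(files[name]) == shell_hash:
                findings.append(f"{name} is a copy of {SHELL}")
    # The displaced original (the article's "sethc2.exe") stays next to it.
    for name in sorted(files):
        if name.startswith("sethc") and name.endswith(".exe") and name != "sethc.exe":
            findings.append(f"{name} looks like a renamed sethc.exe")
    return findings


def make_sample(root: Path, layout: dict[str, bytes]) -> Path:
    """Build a constructed stand-in for System32 (fake file contents)."""
    for name, data in layout.items():
        (root / name).write_bytes(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: state after the rename described in the article.
        sample = make_sample(Path(tmp), {"sethc.exe": b"CMD", "sethc2.exe": b"STICKY"})
        for finding in audit_system32(sample):
            print(finding)
```

The hash comparison only catches an exact copy of cmd.exe that is still present; a sethc.exe that differs from the vendor's signed binary in any other way needs a signature or known-good hash check.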