Follow us on Twitter!
It is never to LATE to become what you never WERE.
Wednesday, April 23, 2014
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Members Online
Total Online: 25
Guests Online: 23
Members Online: 2

Registered Members: 82885
Newest Member: ConiBE
Latest Articles

Root in Under Five

Arrow Image For Schools and Such

Hey everyone.
This article is about hacking schools. Since any longer than five minutes, you risk getting caught, this is *hopefully* going to teach you how to get root in five minutes or less. So, lets get started.

* Dedicated to H4xguy *

To those of you that think by getting root, you own the school, sorry to disapoint you. But, by getting root, you only own the comp your on. There is however, a way to get domain root, which I\'ll discuss later.

Your first step is to try and get access to DOS. You can start by clicking

\"start>all programs>accessories>cmd\" or \"start>run> type in \'cmd\'\"

If neither of those work, create a new text document. Name it \"anything.bat\"
right click on it and click edit. Type \"cmd\" save and close it. Open it. If you see a black box and are able to type, you now have dos.

If that didn\'t work, instead of typing \"cmd\", type

@echo off
echo hello

Open it, if you see \"hello\", create a new text document and name it \"anything.reg\", right click and edit.


This changes the registry value that blocks dos. So, type \"cmd\" in the .bat and see if it works. If that also didn\'t work, theres still other ways.

If it didn\'t work because for whatever reason, you can\'t create a .bat, open up microsoft word, which I\'m sure all schools have.
Now, type in your commands and click \"file>save as>\" for the type, put \"text document, and save as \"anything.bat\".
If that wasn\'t the reason, I hope you have access to the C drive.
If you do, go here \"C:\\Windows\\system32\\\" and create a new folder.
Now, find \"cmd.exe\" and \"scrnsave.scr\" and copy them to the new folder.
Goto the folder and rename \"scrnsave.scr\" to \"scrnsaveold.scr\", and \"cmd.exe\" to \"scrnsave.scr\" And replace it with the real one in system32. Now the next time your screen saver appears, it will be full access dos. So, if you can, on the desktop, right click and select properties. Change the time to one minute. On windows xp, you may have to make sure the screensaver is \"scrnsave\".

If that didn\'t work, you can try the control panel, I\'m not sure if you will be able to unblock dos from there or not, but you can try. If access to the control panel is disabled. Create a new folder and name it one of these. (only the {....} part)

Printers: {2227A280-3AEA-1069-A2DE-08002B30309D}
Control panel: {305CA226-D286-468e-B848-2B2E8E697B74}
Dial-up networking: {992CFFA0-F557-101A-88EC-00DD010CCC48}
Scheduled tasks: {D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Folder options: {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
Dial-Up Networking: {992CFFA0-F557-101A-88EC-00DD010CCC48}
Scheduled tasks: {D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Taskbar and startmenu: {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Microsoft FTP folder {63da6ec0-2e98-11cf-8d82-444553540000}
Temporary Internet files {7BD29E00-76C1-11CF-9DD0-00A0C9034933}
ActiveX Cache folder {88C6C381-2E85-11D0-94DE-444553540000
Subscriptions folder {F5175861-2688-11d0-9C5E-00AA00A45957}
History {FF393560-C2A7-11CF-BFF4-444553540000}

Another way to get dos, is to create a prog. Uber0n has created such a program. You can find it at You\'ll need a c++ compiler.

If so far, nothing has worked. You need to crack the sam file. Pretty sure Cain & Abel has this option.

If you did get dos, it\'s time to create yourself an admin acct. Type this.

@echo off
net user winsys password /add
net localgroup administrators winsys /add
reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v winsys/t REG_DWORD /d 0

First Line just hides the file address and stuff.
Second Line Creates the user \"winsys\" with the password of \"password\".
Third Line adds \"winsys\" to the administrators group.
Fourth Line makes the acct \"winsys\" a hidden acct.
If you see \"The command completed successfully.\" or something similiar, congragulations. You now have root. If it didn\'t work, it means you have limited access dos, use the screensaver thing.

If you want domain root, you can either find the domain admin\'s username and type

@echo off
net user [username] [newpassword]

That will change his/her pass.
Or, if you can get on his/her comp, type this in dos.

net group \"Domain Admins\" [username] /add

This will add an acct to the domain admins.

Also, if you don\'t have access to the C drive, or any other drive, theres a few ways to view it\'s contents. You just need to be able to install programs.
Google has a program called \"Google Desktop\" which indexes the computer and makes it searchable. Or, you can download a web browser such as Opera.
In the url bar type this \"file://\" you should now see a list of drives. Enjoy.

Well, thats all for this article. Hope it\'s understandable and enjoyable. If anyone else has anything to add, please let me know and I will add it. If anyone has any suggestion, please let me know.


only_samuraion December 06 2006 - 15:21:28
not a bad article. looks really similar to one of mine, but its got a few fresh ideas. not bad mate
hacker_jacobon December 06 2006 - 16:38:20
Nice, i like it... lots of ways to try to access command prompt. il be tryin those 2morrow Smile
mastergameron December 06 2006 - 16:40:49
lol jacob, me too, espescially the CLSID folder names, I forgot about them unti now Smile
BluMooseon December 06 2006 - 17:17:29
Very nice, a lot of great info and ideas, and presented nicely Smile Amazing Grin
SwiftNomadon December 06 2006 - 18:54:37
this is nice. Thanks for taking the time and writing this.. It will help alot of people.
zeldageekon December 07 2006 - 01:08:26
Very nice article! I don't have the guts to try it out, though. =P
h4xguyon December 07 2006 - 02:03:47
W00t it's dedicated to me!!!
ssscubasssteveon December 09 2006 - 03:51:09
also another way to get to dos is go into system32 and click the "command" file it is really called but it gets you to dos in case it is blocked :ninja:
ssscubasssteveon December 09 2006 - 03:51:54
sorry forgot to give rating on last comment
ssscubasssteveon December 09 2006 - 03:53:02
forget what i just said im stupid:xx:
adlezon December 09 2006 - 17:58:38
lol. Thanks for the comments, glad everyone liked it.
ziggythebearon December 10 2006 - 04:54:33
@scubesteve sometimes access to the C drive is denied on some comps...but very nice article I will be trying to add an admin account tomy school comp on monday but i doubt it will work seeing as access to regedit is denied. and what do you mean by "use the screensaver thing"
adlezon December 15 2006 - 01:56:47
@ztb - whenever the screensaver comes on, the file "scrnsave.scr", in "C:\windows\system32\" is ran, so if you rename cmd.exe to "scrnsave.scr", cmd will be ran instead of the real screensaver.
Echoon December 19 2006 - 20:13:14
You told us hot to gain root on Windows XP..what if your trying to gain root on a Apple iBook..I mean seriously; not all of us have Windows here..good article though. Frown
sakarinon March 22 2007 - 18:06:24
lol i couldn't stop laughing while reading your article. try this if doesnt work try this if it doesnt work try this if it doesnt work try this... lol that were lots of ways and at least one will work i rate it awseome just for the effort =)
Ayr4on May 28 2007 - 00:24:21
You could also try to open notepad and type "command" and save it as test.bat and run itSmile
SnigelSniperon June 26 2007 - 18:18:07
I changed my cmd to scrnsave.scr and replaced the original scrnsave but windows automatically replaces it back with the original scrnsave Frown
sToRm_seveNon July 31 2007 - 08:08:18
fti - gaining root is only applicable to *nix systems
adlezon August 24 2007 - 21:04:56
@SnigelSniper - yea I think that only works on windows 2000 or less, can't remember...
ice_sdon March 28 2008 - 16:49:26
It says access is denied when I try to create a new folder in sys32, is there any way to get access?
j4k3on April 01 2009 - 12:28:01
And here's me thinking Windows didn't have a root account >:?
gothicbobon May 03 2009 - 03:44:27
Most of these ways will only succeed in bringing up a console, not giving you administrator privileges. And the screensaver trick hasn't worked for years.
jelmeron May 31 2009 - 03:50:43
im disliking the idea behind this entire article... "To those of you that think by getting root, you own the school, sorry to disappoint you. But, by getting root, you only own the comp your on. There is however, a way to get domain root, which I'll discuss later." why would you want such a status in your school network? The only purpose i can come up with is to annoy the system maintainers. Youd better set up something like virtual box and try this in.
mestaron June 07 2009 - 11:54:50
good article, but totally useless now and it was useless back in 2006 when it was created, i mean come on schools hire experts to secure computers, and they don't make such dumb mistakes and holes so that you can get access, because if they did, they wouldn't be experts and they should be fired most of schools these days give you the possibility to open cmd but it's a restricted cmd so you can't do stuff like adding users or doing a regedit
starofaleon June 10 2009 - 17:09:44
@mestar: From what I've heard, school administrators aren't all experts. The ones at my school are pretty good though, so I can't do anything much there.
ranmaon June 25 2009 - 15:52:19
At first I was like sigh, this will be pretty pointless, but it turns out it's a pretty good and well-rounded one. Cheers!
deadsunon September 22 2009 - 03:18:48
Just another thing to add, I'm not 100% sure y this worked but if u creat a batch file and put an infinte loop in it opening another program it will crash comp, but when the comp came back up anyone who loged in to it had full acess to control panel and everthing, it like didn't bring back up the scurity software, I know this is a very old post but just somthing to try and play with, by the way nice article even if it is a little outdated u can still use the same concepts just change it around a little bit (ps. Forgive the poor spelling\grammer)
Napoleonon May 27 2011 - 20:21:26
On a limited Windows XP User Account (no other forms of security present) I get the error: System Error 5 Access Denied. Sad It only works if I already have administrator privileges.
ellipsison April 11 2012 - 11:20:39
@mestar In '07, I was able to get command prompt and Windows Messaging Service just happened to be open. I net sent messages like "The matrix has you..." to every computer throughout my high school, the junior highs, and even a few computers at the administration service center. I was suspended for two weeks and my computer privileges were revoked for the remainder of the year. Teachers received an email with my school photograph with a message telling them not to allow me on a computer. So it was most certainly possible...and even though Windows Messaging Service is disabled now, you can still get a command-line. Not that having a command-line with a limited account is very useful. ; @jelmer The only reason anyone would need a command-line is to brag or show off. If they want Administrator, they could mount the hard-drive and a flashdrive, copy the SAM, and crack it when they get home. Then they might do something malicious.
dami3non August 17 2012 - 20:47:57
@ellipsis - Fail. At least the admins did there job right to avoid any further frustration. Now did you learn a valuable lesson from this? Dont get caught use another machine or cover your tracks man Sad. Im sure now you have come along way from something slightly seen as a bit foolish.
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.