Watchdog in class

Back in 2017 the game

got really popular In it the main character had a phone that he used to control the world around him, and I thought it was very impressive and wanted to replicate it, this is that story. Let’s get started :)

Background

At the time I was in high school and there was this technology related class where we had a pc for each alumni, they were windows 7 pc’s networked together into a local network. The class was not of my interest so I spent the opportunity exploring what could be done.

  • Humble beginnings

All pcs had a secondary less privileged account that the alumni used. This was shared and using the same password for all pc, this given the way windows works allowes you to connect to the local folder for the users remotely using the Net tab and gives you I/O access to the common folders like

  • User home
  • Desktop
  • Documents
  • etc...
  • Messing around

We started fooling around with other users dropping files in the desktop of others, this was a really innocent prank that didn't offer much uses until we introduced .bat files. This files can be opened like an executable and they run a series of bash (command line) commands. They have a lot of power but we used them to open tens of windows, change configurations and others insidious pranks

Getting admin

By this point we could run any executable on the users pc using the secondary account. We could drop the file in a special windows folder and the OS would do the rest to execute the program. But this was only for secondary users, we needed more privileges.

Thankfully there are a few ways of escalating privileges on windows, may it be using a vulnerability that is not patched or using the following ways that we used:

  • Extract admin password from memory

This is far the easiest, we can use public software to do it but the admin password needs to be loaded in memory, like when admin has a session open

  • Decrypt the password

This is the more ‘TV-hacker’ way, but it turns out that decrypting a password is almost never the easy way. We first find the registry file where the passwords are stored, copied that to a usb and brought it home Once home we found the password hash and tried to break it. Luckily the password was a combination of common words and we could use a dictionary attack and get the password.

Getting serious

Now that we have admin privileges in all computers we need to make some custom piece of code to do the fun stuff. We had to be able to remotely control de computers and make them do some fun stuff.

Over the course of 6 months (That’s a long time) I developed a series of networked programs that made this class particularly ejoiable

  • The client file, AKA the virus

This is a .exe executable that was going to be running on the infected host. In our case the pc’s of users. It needed to connect to some other server to allow us to control the pc remotely and give it commands.

You can find the full code here:

Once the executable got to the machine and got executed, it would copy itself to a safe location, add a key to the registry to auto start on reboots and it would change it’s name to go under cover. From then on it would try to connect with the server.

  • The server

This is a node.js application running on a publicly accessible server, it listened for connections from infected computers and allowed you to send them commands.

The connections to the servers were done over the tor network. This gave me some deniability in case of getting kicked out of the class.

You can find the code here:

PICTURE HERE CLI

  • The app

Now that we had a way to control the pc’s we needed a way to control them remotely, this is where the android app comes in.

Code here:

This was a very basic app with a list of buttons detailing different actions that you could perform, they included:

  • Showing an error message on the screen
  • Opening a program on the computer
  • Logging off
  • Shutting down
  • Opening a website

This commands were sent to the server and then get relayed to the infected computers.

Putting it in action

Once the whole system was in place we set to infect the teacher’s computer. One morning we drop the file into the special folder in the teacher’s computer using the networking tab. The way this works need a restart for it to execute the program, that means we had to wait for the next morning to see if it worked.

Next morning comes, I log into the server logs and see: PC:Professor - connected  :)

All was online and working, the pc computer had reached the server and was live, waiting for orders. We waited until the hour for this class came. Once in the class we anxiously waited for the teacher to setup a screen projector to showcase some file. At that moment I got the new app, just like in the game watchdog, pressed a button and, there it was, a prank error message on the screen been displayed for the whole class to see.

Only a few friends of the class knew what was actually happening and it was incredibly hilarious.

Closing remarks

Technology and programming is really powerful and interesting, some of the projects in this blog I wouldn't have thought were even possible to do in such an easy for fast manner as a solo developer. I have learn a lot doing this kind of borderline illegal projects because they keep me interested long after I start (like for 6 months in this project) said that I hope the reader used this for the same thing I did and learns something from my code and uses it in a purely educational or recreational way. Thanks!