Back in 2017 the game got really popular. At the time I was in high school and there was this technology-related class where we had a PC for each student; they were Windows 7 PCs networked together into a local network. The class was not of my interest, so I spent the opportunity exploring what could be done.
All PCs had a secondary, less privileged account that the students used. This account was shared and used the same password on every PC, which, given the way Windows works, allows you to connect remotely to the users' local folders through the Network tab and gives you I/O access to the common folders like
We started fooling around with other users, dropping files on the desktops of others. This was a really innocent prank that didn't offer many uses until we introduced .bat files. These files can be opened like an executable and they run a series of command line (cmd.exe batch) commands. They have a lot of power, but we used them to open tens of windows, change configurations and other insidious pranks.
By this point we could run any executable on a user's PC using the secondary account. We could drop the file in a special Windows folder and the OS would do the rest to execute the program. But this only worked for secondary users; we needed more privileges.
Thankfully there are a few ways of escalating privileges on Windows, be it using a vulnerability that is not patched or using the following ways, which are the ones we used:
This is by far the easiest; we can use public software to do it, but the admin password needs to be loaded in memory, like when the admin has a session open.
This is the more 'TV-hacker' way, but it turns out that decrypting a password is almost never the easy way. We first found the registry file where the passwords are stored, copied it to a USB stick and brought it home. Once home we found the password hash and tried to break it. Luckily the password was a combination of common words, so we could use a dictionary attack and get the password.
Now that we had admin privileges on all computers we needed to make some custom piece of code to do the fun stuff. We had to be able to remotely control the computers and make them do some fun stuff.
Over the course of 6 months (that's a long time) I developed a series of networked programs that made this class particularly enjoyable.
This is a .exe executable that was going to be running on the infected host, in our case the users' PCs. It needed to connect to some other server to allow us to control the PC remotely and give it commands.
You can find the full code here:
Once the executable got to the machine and got executed, it would copy itself to a safe location, add a key to the registry to auto-start on reboots and change its name to go undercover. From then on it would try to connect to the server.
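The two persistence tricks used in this story, dropping a file into the Startup folder and adding an auto-start entry to the registry, are exactly what a defender checks first on a suspect machine. The following PowerShell script is an added example written for this post, not the author's code: it enumerates the Run/RunOnce registry keys and both Startup folders, and flags any entry whose target lives in a user-writable location (the kind of "safe location" a renamed implant copies itself to). The list of user-writable roots and the suspicious-path heuristic are my assumptions, not something the post specifies.

```powershell
# Added example, not the author's code: audit Windows autostart locations.
# Run on the machine being checked; standard user rights are enough to read these keys.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: an autostart target under one of these roots is worth a second look,
# because a low-privilege account can write there without admin rights.
$userWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE, 'C:\Users\Public')

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $userWritableRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Extract the executable from a Run value such as  "C:\dir\app.exe" /arg  or  C:\dir\app.exe /arg
function Get-ExecutablePath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }
    return ($cmd -split '\s+')[0]
}

$findings = @()

# 1. Registry Run keys (the mechanism the implant in this post used to survive reboots)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $exe = Get-ExecutablePath ([string]$p.Value)
        $findings += [pscustomobject]@{
            Source       = $key
            Name         = $p.Name
            Target       = $exe
            Exists       = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            UserWritable = Test-UserWritablePath $exe
        }
    }
}

# 2. Startup folders (the "special Windows folder" where the .bat and .exe files were dropped)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $findings += [pscustomobject]@{
            Source       = $dir
            Name         = $_.Name
            Target       = $_.FullName
            Exists       = $true
            UserWritable = $true   # any file here runs at logon, so treat it as review-worthy
        }
    }
}

# Review-worthy entries first: user-writable targets and dangling entries whose file is gone
$findings | Sort-Object @{Expression = 'UserWritable'; Descending = $true}, Exists | Format-Table -AutoSize
```

On a clean machine the output is mostly vendor entries under Program Files; a renamed executable sitting in %APPDATA% or %TEMP%, or a .bat in a Startup folder, is what stands out. The script is read-only and changes nothing, so it can be run as the first step of triage before deciding what to remove.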
This is a node.js application running on a publicly accessible server. It listened for connections from infected computers and allowed you to send them commands.
The connections to the server were made over the Tor network. This gave me some deniability in case of getting kicked out of the class.
You can find the code here:
Now that we had a way to control the PCs we needed a convenient way to do it from a phone; this is where the Android app comes in.
Code here:
This was a very basic app with a list of buttons detailing different actions that you could perform. They included:
These commands were sent to the server and then relayed to the infected computers.
Once the whole system was in place we set out to infect the teacher's computer. One morning we dropped the file into the special folder on the teacher's computer using the Network tab. The way this works, a restart is needed for the program to execute, which meant we had to wait until the next morning to see if it worked.
Next morning comes, I log into the server logs and see: PC:Professor - connected
:)
All was online and working; the teacher's PC had reached the server and was live, waiting for orders. We waited until the hour of this class came. Once in class we anxiously waited for the teacher to set up the projector to show some file. At that moment I took out the new app, just like in the game Watch Dogs, pressed a button and, there it was, a prank error message on the screen being displayed for the whole class to see.
Only a few friends in the class knew what was actually happening, and it was incredibly hilarious.
Technology and programming are really powerful and interesting; some of the projects in this blog I wouldn't have thought were even possible to do in such an easy and fast manner as a solo developer. I have learned a lot doing this kind of borderline illegal project because they keep me interested long after I start (like for 6 months in this project). That said, I hope the reader uses this for the same thing I did, learns something from my code and uses it in a purely educational or recreational way. Thanks!