73

For anyone that goes to a TVDSB school in Canada, you can gain access to an admin account by following these steps:

1. Enter your username

2. Put your hand on the Ethernet cable (do not pull yet)

3. Enter your password

4. Press enter

5. Wait 1.5-3 seconds

6. Unplug the Ethernet cable

7. Wait

8. Plug in the Ethernet cable when you are at the desktop screen and all app icons have loaded.

9. Enjoy full admin access!!

Comments
  • 21
    I'm not even from Canada, but not all heroes wear capes. 💯👌
  • 3
    @jhh2450 I don't even remember how I discovered this.
  • 8
    I am going to post instructions on how to custom compile cmd so that it isn't blocked by school security.
  • 2
    At my old school, we had accounts that were at least partially local admin, (I think, it's been a couple years) so we could install software, but all changes made disappeared after reboot. I found that, by changing some registry keys, I could get past some things that were disabled by GP, (Task Manager, GPEdit, regedit (changed keys using a VBScript)). I made the mistake of storing the scripts in my school board network drive, and had my school user account suspended for a few days, and my school Google account suspended for a few weeks, while they "looked for harmful software". According to what the vice-principal who called me to her office told me, they thought I had the ability to control the teacher's computer remotely (I wish).
  • 6
    @0xTJ I took the easy route. "Hey teacher! I'm doing research for your project, but I need to use a blocked site. Can I get your login information?" I actually had like 5 teachers' login information, so I was set lol (This was to use the internet.)
  • 0
    @jhh2450 (1/2) At my school board, the only sites that were blocked were "nefarious" ones and adult ones. Most of the issues I had were when a domain that had a site where you could put your own content was blocked for something someone had put up at some point, but I wanted access to something else. In these cases, I could just click on a button on the page to fill out a form asking the company that runs the blocking service for the site to be unblocked, and it usually would be within 10 minutes. Because of this, there was never any reason to get teacher's creds, and even at that, regular teacher's additional computer privileges didn't go any further than unblocking a site, so since I never had issues with that, their login info wouldn't have been useful. One of the only times I saw a teacher unblock a site is when he didn't feel like teaching, he unblocked a sketchy streaming site so we could watch some movie. (Not course-related)
  • 0
    @jhh2450 (2/2) The only real time I had an issue with site blocking is when they blocked the steam domain name after I downloaded a couple hundred GB worth of games.
  • 2
    @0xTJ My county is poor asf (I used textbooks older than me most of my high school career) so we got stuck with shitty blocking companies.
  • 8
    In grade four the school's sysadmin noticed that I was really good with computers. So he gave me my own admin account and told me to use it to help others..
  • 1
    @ewpratten I used powershell or .bat files at my school because cmd was blocked. Doesn't that work?
  • 0
    We had partial access to cmd. So we made a timed event to logout. This way we could avoid the usual login screen and access the guest account.

    Then we had full rights on the pc
  • 2
    @Jifuna the schools block those now. The way I do it is I found a way to take the ms-dos executable from windows 9 (I can't remember what number comes after the 9). Then you use some sketchy program to turn the .com file into a .exe, after that you have to log in as admin and run it, then edit a REG key to allow users to use powershell and bat scripts.
  • 4
    My university computers had a login screen that you could close with Alt+F4. You could use the computer as a normal user (not as a restricted, student account) without the need of logging in, though it wasn't an admin account, which is kinda sad
  • 0
    @ewpratten How about VBScript?
  • 1
  • 0
    @0xTJ Reason to use a proxy or vpn to download it - maybe the next time ^-^
  • 1
    Use Kon-Boot, it works really well.
  • 2
    If any here still have windows 7 on their school computers you could boot it up with a live-usb or cd with linux and replace the sticky keys file (sethc.exe) with cmd.exe. Then you can access cmd before you login by pressing shift five times.
    The pc is logged into an account with admin rights before you log in, so you can go ahead and make a local admin account from the command prompt.
    Sadly we're upgrading to windows 10 now so it won't be as easy but I can probably just ask them for local admin by now.
  • 1
    @jhh2450 ah good old social engineering
  • 3
    @eybro the computers block cmd.exe or any file with the same code
  • 2
    @eybro this trick still works in windows 10
  • 2
    Just keep in mind that this might be very illegal. A guy at my high school pulled something like this and the police got involved and hacking charges were made! I am very careful since that moment :).
  • 0
    What's their backend authentication system, what flaw are you exploiting by unplugging Ethernet and how in the world does that translate to granting the account admin access...have you determined any of that, can you share your findings? Might be better to report it than exploit it. I vaguely remember something like this ages ago, but not definitively. Would love to know more details, so many questions, nice find! 😉
  • 5
    @FractalSystems

    So it is a flaw in the authentication handshake.
    The way it works is this:
    1. Computer sends login info to server

    2. Server tells computer if it is a legit user

    If it is:

    3. Computer downloads all of the user's files and settings

    4. Server tells computer what privilege the user has

    Basically you are unplugging Ethernet before the server tells the computer that it is a student account and so the computer assumes that the user is actually a local user. Because of how the system works it assumes that all local users are the admin. This makes sense because only the admin knows the local login details.

    To summarize that messy paragraph, you are tricking the computer into giving a local account with admin access.

    This could be fixed by setting user privilege right after it verifies the user exists. That way there is an extremely small window of time for someone to interrupt the message.
  • 1
    @ewpratten ah, assumed it just blocked cmd after you were logged in
  • 2
    @ewpratten Sounds a little to me that the initial response should be the privilege level with a special value if the user is not legit, thus you can't log in without getting the right privilege (if you assume the connection to the server is not tampered)
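The handshake as the two comments above describe it (the proposed fix and this reply), modeled as an added example that is not from the thread or from the school board's actual system. All names, the sample account and the `Server` stand-in are hypothetical; it contrasts a client that defaults to admin when the privilege message never arrives with one that takes identity and privilege from a single reply and denies the session on any interruption.

```python
from enum import Enum


class Privilege(Enum):
    NONE = 0  # no session
    STUDENT = 1
    ADMIN = 2


class Server:
    """Constructed stand-in for the login server with one sample account."""

    def __init__(self, replies_before_drop=None):
        self.left = replies_before_drop  # None: the link never drops

    def _reply(self, value):
        if self.left == 0:
            raise ConnectionError("link dropped before the reply arrived")
        if self.left is not None:
            self.left -= 1
        return value

    def verify(self, user, pw):
        return self._reply((user, pw) == ("student1", "sample-pw"))

    def privilege(self, user):
        return self._reply(Privilege.STUDENT)

    def verify_with_privilege(self, user, pw):
        ok = (user, pw) == ("student1", "sample-pw")
        return self._reply(Privilege.STUDENT if ok else Privilege.NONE)


def login_fail_open(server, user, pw):
    """As described: privilege is a later message; if missing, assume local admin."""
    if not server.verify(user, pw):
        return Privilege.NONE
    try:
        return server.privilege(user)
    except ConnectionError:
        return Privilege.ADMIN  # unsafe default: missing answer becomes most privilege


def login_fail_closed(server, user, pw):
    """Suggested fix: identity and privilege in one reply; interruption means no session."""
    try:
        return server.verify_with_privilege(user, pw)
    except ConnectionError:
        return Privilege.NONE
```

The design point is the default: a missing privilege answer has to resolve to the least privilege (or no session), never to the most.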
  • 3
    @Flygger the school's server setup still sucks. There are so many ways to trick it into thinking you are someone else.
  • 6
    @Flygger I also discovered that you can install your own programs by installing them to the same folder that Google chrome is installed to.

    Because the whole c: drive is locked except Google chrome install files.
  • 3
    @ewpratten Hahaha how wonderful!
    When I was doing my masters thesis in software engineering they supplied me with a computer that was pretty much fresh the standard user image, so I couldn't change *anything* or even install an IDE or anything...
  • 3
    @Flygger I had gotten a laptop from my school and it was completely locked down. So I got creative. That's how I learn stuff like this.
  • 1
    @ewpratten Canadian but living in Paris here, and I was in the Thames Valley school district before... God this would have been gold in my school to do... Oh well I'll send it to friends who still live in the area so that they can have their fun 😆😄🤣😂 (meanwhile I tried and half-succeeded to do the same thing in my school in Paris, which has even worse security than in TVDSB hehe)
  • 3
    @chilledfrogs TVDSB sucks so much!
  • 1
    @eybro Apparently this method works just as well on Windows 10 too, it should be worth a try :)
  • 1
    @ewpratten Ikr! *high five? 😅😂*
  • 3
    @chilledfrogs what school did u go to. And what city?
  • 1
    @ewpratten But you can't change domain-wide settings with a local admin account right? At least I'm still looking for a way into the AD server with local admin account privileges (I used the method that @eybro used, works like a charm hehe)...
    In any case I guess I still have a better user experience on the school computers with a local admin account in any case so yeah 😁
  • 3
    @chilledfrogs correct. Although I ended up with my own real admin account somehow. So I can with that.
  • 3
    @chilledfrogs I have never tried making myself an actual local account. I will give it a try soon.
  • 1
    @ewpratten I would love to have that... I mean I know my (new) system administrator in my high school pretty well, she's quite nice but too busy to be honest for doing actual system admin work, which the school is in dire need of (being a physics/chemistry teacher as well), and I don't think she could give me more privileges, even though she trusts me, without getting into HUGE trouble :/
  • 1
    @ewpratten As long as the local disk isn't encrypted, the aforementioned method works amazingly (if sticky keys are disabled, Utilman.exe is the accessibility menu and osk.exe is the on-screen keyboard) :D. Then once you get the command prompt on the login screen, just issue the standard "net user <etc>", "net localgroup <etc>" and set a password for the new account. Voilà
  • 1
    @ewpratten Oh Ryerson Public School, London, Ontario (only in grade 5 mind you, and no I was not born there)
  • 3
    @chilledfrogs dang! That's like two blocks from where I live!
  • 3
    @chilledfrogs the stickykeys doesn't work because the cmd.exe program is disabled
  • 3
    @chilledfrogs when did u go there?
  • 1
    @ewpratten Umm on the login screen it should work independently of cmd.exe, I think
    And I said only in grade 5
  • 1
    @ewpratten But seriously what school are you going to then? Also Ryerson?
  • 3
    @chilledfrogs I went to Pearson last year and beal this year.
  • 3
    @chilledfrogs were you in jakson's class?
  • 1
    @ewpratten Oh seems I forgot to mention that I live in Paris since grade 6 😅🤣
  • 1
    @ewpratten So obviously not, but I do know those schools... Interesting for someone who likes programming but why not considering you like music too 😁
  • 3
    @chilledfrogs ya.. Pearson was for music. I'm joining beal robotics team.
  • 1
    @ewpratten I must be missing something... I know Beal for art and only art
  • 2
    @chilledfrogs there is beal. It is a regular high school. Then you can take a class called bealart, it is for art and lets you skip other classes.
  • 2
    @chilledfrogs I am taking a class called innovates it teaches kids regular school content using computers and new teaching methods
  • 1
    @ewpratten Wow I had no clue, having left London back in grade 6 (I finished grade 10 this year)... Sounds really cool :D
  • 2
    @chilledfrogs ya. I'm quite excited to get started in a few weeks!
  • 2
  • 2
    @ewpratten 16 (and a half, currently)
  • 2
    @chilledfrogs oh so ur two years older than me.
  • 2
  • 2
    @Jifuna lol my old school did that too haha silly admins....gotta love em

    -block cmd because it allows "hacking", but since I don't know what powershell is I'm sure it's safe to leave unblocked-
  • 0
    Thanks mate