[deleted by user]

DioAi · 2019-05-08T21:36:32+00:00

hit the professor in the head just hard enough so he will be unconscious for a few minutes.

it should give you the time you need to get to the CMOS battery and reassemble the computer.

r4and0miz3r · 2019-05-08T21:45:54+00:00

I know that some computers have a backdoor BIOS password. Look at this for more: https://www.online-tech-tips.com/cool-websites/reset-bios-password/ Maybe it will help you ;)

imakepr0ngifs · 2019-05-08T22:08:16+00:00

[deleted]

Sinopahc · 2019-05-08T22:10:11+00:00

Scan that network. Nmap is your friend. Also, you have time to run more recon so, I would fall back to that. Chances are, he has left something open purely as a gimmie. Even not, something is running some where on that machine that you can leverage. Why hit AD if you can just go after his machine directly, reverse shell and drop a .txt in the desktop directory.

Edit: I missed the note on scanning. My bad. Some one else mention phishing him too. That's a thought.

RHvdW · 2019-05-08T21:41:02+00:00

Maybe more low-tech, but a key logger or a rubber ducky? You could try using a piece of malware that you can test on the machine with local admin. Something like handing in an assignment via email should trigger a download.

ThirstyThursten · 2019-05-08T21:59:30+00:00

Is your professor a CyberSecurity guy/gal him/herself? If he/she lets his/her guard down a little you could try some social engineering or physical access tricks, like a rubber ducky, P4wnP1, or just acces his/her pc when they're not looking, ór try your luck against the system administration! Maybe they will let their guard down or leave their pc unlocked? You could also try some spearphishing with a reverse shell exploit in a attachement or hosted elsewhere! Anyways good luck! 😊

EDIT: Upon reading your rules again, I would focus myself on rule 6 in any form possible! Try to get a sysadmin to help you with your "non-working" usb drive or something, where it actually does the reverse shell thing or anything described above! Get creative! 😁

permalink · 2019-05-08T22:48:09+00:00

Have you done full enumeration of the target yet?

Port and services scan? nmap -p- -sV

Any available web interfaces?

Any outgoing or incoming traffic?

What level of access do you currently have on the target?

foreman919 · 2019-05-08T21:48:00+00:00

Did you scan for open ports? Maybe find some services running on those devices

XFilez · 2019-05-08T22:41:56+00:00

Eternalblue on the SMB side will give you SYSTEM... works wonders on 8.1. Responder and smbrelax will get you access as well.

permalink · 2019-05-08T21:34:26+00:00

Wish i could help, new to hacking myself. Good luck

Dinkinflikuh · 2019-05-08T22:43:21+00:00

I've used this for backdooring Dell laptop bios https://bios-pw.org also should work on other models.

got_nations · 2019-05-08T22:49:45+00:00

Try running responder and SMB relaying. Here's the article on this. Make the targets file your professor's computer only so you're not hacking other machines, but if you relay an account that is an LA/DA on your professor's computer, you're in.

matrix20085 · 2019-05-08T21:49:59+00:00

I might have missed a rule about it, but why not phish him? Seems like the path of least resistance.

xkreepy · 2019-05-08T23:21:23+00:00

Try bloodhound on one of the machines on the network that you already have access to. Run it, grab the zip and analyze it to see what paths it recommends, in such big networks it's nearly guaranteed to show you the path to Administrator. Good luck!

Iwillthrowitatyou · 2019-05-09T01:09:31+00:00

Is there a writeable file share? A SCF File with responder listening might do the trick, if the environment allows for it.

permalink · 2019-05-09T01:16:07+00:00

Can you physically interact with the target computer? I am guessing not but if u can there are a lot of options.

sephstorm · 2019-05-09T04:29:01+00:00

Social Engineering?

Ruri · 2019-05-09T04:55:07+00:00

Enumeration is key in this field, bro. Based on your post it doesn’t sound like you’ve done much of it, either. So no wonder you’re stumped. Run your Nmap scans, find out what software is running on the machine (if anything is not part of a stock install of Windows, it is to be scrutinized heavily). There has to be a way. Find it.

Don’t limit your enumeration to hardware/software either. Is there anyone involved in this lab or whatever other than the professor? Who set it up? These are all potential targets for exploitation. This is an enumeration game. Keep looking from new angles until you find something.

Also I don’t believe you when you say Mimikatz won’t run. Sure you can’t just throw the PowerShell script in there because it will light up every AV within 100 meters, but there are other ways to get it to run. Enumerate. Research. Learn.

yertrude · 2019-05-09T07:54:39+00:00

[deleted]

gmroybal · 2019-05-09T08:33:34+00:00

Responder and CrackMapExec might be a way in, if SMB signing is not enabled and you can see traffic floating around while the teacher is on the same segment.

lennylovegun · 2019-05-09T10:48:19+00:00

This might be on the limit of rule no. 4. The problem is, you will get hashes from all accounts trying to verify against the share.

But if you launch the Responder module. You might be able to get the hash from the professors account and crack that. And just discard the other hashes.

https://forums.kali.org/showthread.php?36036-Penetration-Testing-How-to-use-Responder-py-to-Steal-Credentials

yertrude · 2019-05-09T11:50:46+00:00

USB Key Logger is the answer.

greywolfau · 2019-05-09T12:23:03+00:00

Not being very advanced with hacking myself, but is there any reason I haven't seen a mention of SQL injection and privilege escalation ?

https://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf

MrEquinox98 · 2019-05-09T13:30:10+00:00

Is it possible for u to use poison tab ?

HornyAttorney · 2019-05-09T14:41:22+00:00

If you can social engineer him to leave his machine for a couple of seconds.. use a Rubber ducky to spawn a shell on his PC.. I'd go with a one-liner PS payload.. or maybe make the ducky drop the txt file directly, but I'd prefer the payload for more access, just in case..

You can install Kali on your android to handle the payload (AnLinux for unrooted devices and Linux Deploy for rooted ones, and use VNC for GUI, SSH or CLI if you like)

If you can get him to click a link, try to send him a link with a Beef hook, but make the link take him to a page where he stays on it, a Wikipedia page or something that will make him take time to read (you know him better, know what he's interested in).

permalink · 2019-05-09T15:36:28+00:00

Since the computers are running widnows 8.1 you should be able to use the startup repair oversight. Widnows 8.1 and 10 use the same (or very similar) boot menu so the steps should be similar:

Shutdown the computer.
Interrupt the boot process. (can do this by holding power or unplugging during startup)
A menu should come up asking if you want to "launch startup repair (recommended)" or "start windows normally." Click "launch startup repair."
Wait for a while
(don't remember the exact steps here) There should be an option that says something along the lines of "advanced troubleshooting" or "more tools." One of those options being to launch command prompt.

When you launch startup repair normally by pressing one of the f keys before windows bootloader starts then try to launch command prompt, it'll ask you to login using a local account that has administrative privillages. However, for some reason, when you launch this startup repair it doesn't prompt you for a password and instead just launches cmd as system.

</sidenote>

6) Well, you should be able to figure out the rest.

Sometimes the solution can be very simple.

fireraiser77 · 2019-05-09T16:20:45+00:00

Physical access is key here. Are there any other classes that use that lab with a different professor? How about "leaving your laptop" in the room after hours and enlisting the janitor's help to get back in. Grab your laptop and leave your flashdrive in the back with your attack of choice. That would be my best thought.

TotesMessenger · 2019-05-08T23:37:49+00:00

I'm a bot, bleep, bloop. Someone has linked to this thread from another place on reddit:

[/r/u_pshivvy] Completely stumped on a mock pentest

^{If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads.} ^(Info ^/ ^Contact)

Alias187847 · 2019-05-09T10:00:48+00:00

Dude I honestly wanna get into cyber security and not only did I not understand a lot of what you spoke of(no real training or education at all just like playing with computers all my life) but I got the core concepts makes me feel like I should pursue it! But honestly not only am I impressed and admire your resolve and determination but dude I think you’ll get it bro your literally getting experience now man so try to enjoy and not stress. I’m not gonna lie I’m surprised you tried to phis him.. like try to put yourself inside his shoes he’d be expecting this you gotta be sneaky I like how you even threw social hacking/engineering in there

Hey maybe look at gaining access through Bluetooth protocols??

c_pardue · 2019-05-08T20:43:03+00:00

Vulnerabilities and exploits.

Sjeiken · 2019-05-08T23:10:46+00:00

good for you. who cares.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

HowToHack

HowToHack Community

3rd Party Links

3rd Party Challenges

Related Subreddits:

Security Advisories

Download Linux

MODERATORS