Skip to the fifth paragraph for the actual question; before that is some background.

I am a high school student with an interest in computers and penetration testing. Given the restrictions placed on student-level access on the computers at my school, I often attempt privilege escalation in order to gain more complete access to resources that I need (at times school-related, but restricted nonetheless). Although I do that type of stuff pretty often, I never really expect any major success.

A while ago I was taken aback to discover a local admin account without a password, but that did not provide access to anything I couldn't already access, with the exception of the C:\ drive and tools such as the Task Manager and Command Prompt. In other words: it was far from a big discovery for me.

More recently, I stumbled upon a Fuzzy Security post-exploitation/privilege escalation tutorial (here) which mentioned looking for sensitive data in config files left behind by automated desktop setup. I know from quite a bit of searching that the 513 computers on the school's network have been set up in this way. I was still surprised to find the network admin password in plaintext in C:\sysprep\unattend.xml.

Since finding it, I have further investigated what can be done. The things I have found range from accessing all student and teacher files (which, in some cases include exams and exam keys) to remotely connecting to the school server and the district server to add users as students, teachers, admins, and staff, and modify said users' netlogon files to cause them to run malicious programs when they log on. Much of this I have investigated but not tested for fear of being caught.

My question is whether or not I should tell the school tech staff before someone who would abuse it finds it, and if so, how to go about doing so in a way that wouldn't result in my punishment. My worry is that if I report it, evidence of my explorations of network admin capabilities will appear malicious to them. I want to do the right thing, but I would rather not get in trouble if that's what would happen as a result.

Anders
Anonymous

2 Answers

Although your intentions are good, schools and colleges are notorious for being heavy-handed with this kind of thing. They may well want to kick you out for (a) violating school policy and (b) making them look like idiots.

My advice would be to detail the problems you found in an anonymous letter, explain very clearly that you're not trying to be malicious or attack the network, and you just want them to know about the issue so that they can fix it. Explain that you're writing anonymously because your education is valuable to you, and you're worried about the number of cases where schools take things the wrong way, and you'd prefer not to become part of that statistic. Drop the letter in a mailbox, addressed to the head of school, at the school address.

Usual opsec applies here: don't tell anyone what you're doing, don't brag about it to your friends, don't include any details that might identify you (e.g. your year or any subject you study), and don't write the letter by hand (print it out!).

Polynomial
  • Thanks for the tip. Would I deliver the letter to a school/district administrator, or would I be better off getting it delivered to someone responsible for the district's technology? – Anonymous May 27 '14 at 01:04
  • Give it to the tech guy, they'll hopefully know more than the admins. – Jon May 27 '14 at 04:30
  • @Anonymous I'd say deliver it to the administrative head for the school (e.g. headteacher / principal). They'll forward it on to tech once they've decided how to handle it. Sending it direct to tech feels like you're going "around" the system a bit. – Polynomial May 27 '14 at 10:45
Contra Position

I wish to take the position of Devil's Advocate here.

Your schooling/future is WAY more important to you than the security of the school's network.

You should take the point of view that NOTHING good can come of you mentioning this issue.

Consider the following scenarios:

  1. The School actually investigates this issue.

    • You become the prime suspect (because no-one else knows the computers like you do).
    • They bring in a forensic investigator and find somewhere you have not covered your tracks (what about CCTV correlation?).
    • Even your teacher allies cannot help you as it becomes too political.
    • They convict you and blame you for the cost of the investigation.
  2. The School ignores you.

    • Nothing happens until you complain louder (see scenario 1).
Andrew Russell