pro hacker teaches you how to bypass this!

00:00

whenever you log into a computer the

00:01

first thing you may do is to go ahead

00:03

and enter into command prompt so you

00:05

enter CMD you see command prompt app you

00:07

hit enter on and boom that's a problem

00:10

and just like me we are not a fan of

00:12

this problem and we have to fix it

00:16

[Music]

00:22

and this generally happens when you are

00:24

trying to log into a school laptop your

00:26

work laptop and you're restricted from

00:28

executing some super interesting stuff

00:30

because they restrict you from going to

00:32

command prom or Powershell I'm teaching

00:34

you how to bypass that you definitely

00:36

want to watch the end because I don't

00:38

know if YouTube is going to take down

00:40

this video and now before we get started

00:41

kids remember hacking is illegal if you

00:44

get caught hacking

00:47

now what we can do here is go ahead and

00:50

close off the command prompt that's not

00:51

working and what we can do now is go

00:53

ahead and enter into say notepad click

00:55

OK on that so what happens now is we

00:57

need to do a little bit of coding

00:59

trick the computer into executing what

01:02

we want them to run so the first thing I

01:04

do is enter Echo off so that whatever we

01:06

are executing do not get displayed so it

01:09

gives us a cleaner output so this is a

01:11

label that is the beginning of a loop

01:13

next up we set the variable com for

01:16

whatever is entered after CMD followed

01:18

by that Curly thing and a super

01:20

interesting part right here is where we

01:22

execute comment variable and finally we

01:26

jump back into the label and this allows

01:29

us to create an infinite Loop and once

01:31

you're ready go ahead and save this file

01:33

to your favorite location in this case I

01:35

will save it over to desktop and I'll

01:37

call this

01:39

hackerlaw.bat it's safe on that done so

01:42

what I can do now again go ahead and

01:43

execute on this so when I double click

01:45

you can see right here there is a prompt

01:47

so let me zoom in a little more so it's

01:49

easier for you to see click on your

01:51

phone click under say 28 click OK on

01:53

that and let's see what we can do right

01:55

here so what I'll do right now is to go

01:57

ahead and enter something like print

01:59

working directory all right so that does

02:01

not work because we're on windows so I

02:03

enter the IR

02:04

and you can see right here we are

02:05

directory of users

02:08

and we can list all of this information

02:10

in fact I can even enter say for example

02:14

all right let's see whether this work

02:16

who am I

02:20

and what if I enter something like net

02:23

user Loi Liang young what do we get

02:25

right here all right this user is part

02:28

of the administrator's group as you can

02:29

see right here and I can enter net user

02:32

and see the list of all of the users

02:34

that are within the computer and of

02:37

course we have one of our favorite

02:38

person here a script Kitty Loy

02:42

so when we try to do a direct access

02:44

into command prom over here what happens

02:47

is that we get a deny now the question

02:50

is is there something else we can use

02:52

that can help us call command and one of

02:55

the really interesting option is to use

02:57

the FTP Service to help us do the

03:00

command wait a minute you don't believe

03:02

Mr hack along

03:04

I told your best friend forever so now

03:06

when you go back to the Windows computer

03:07

all you got to do right here is go to

03:09

bottom left and through FTP hit run

03:11

command over here so let me once again

03:13

zoom in a little more so it's easier for

03:15

you to see so what I can do now is click

03:17

on properties and let's go ahead and

03:19

give a 28 font and what I can do right

03:21

here now is to enter some interesting

03:23

stuff which is an exclamation mark

03:25

followed by say dir alright so it shows

03:29

us all of this information right here I

03:31

can also go ahead and enter say net user

03:33

see what we get right here we have

03:35

loyally we have script kitty line

03:37

default user zero and all of that so

03:39

we're lavaging on a service which can

03:42

help us run those commands that we

03:45

wanted to execute on for us super cool

03:48

so this happens because of the local

03:50

Group Policy editor because the bottom

03:52

left side go ahead and enter local Group

03:55

Policy click enter edit group policy and

03:57

this is the place where you can

03:58

configure the Restriction of cmd.exe as

04:01

well as a Powershell so you go under you

04:04

user configuration amp Street templates

04:06

and over here what you can do is go

04:08

ahead and click on to click on the

04:10

system and right here you can see the

04:11

following prevent access to command

04:13

prompt double clicked on this and you

04:15

can easily enter enable alright so this

04:17

will allow us to disable the Run of CMD

04:21

and you can see right here too don't run

04:23

specific Windows application and in this

04:26

case it could also be a restriction of

04:28

Powershell so once I click on the don't

04:29

run specify Windows application you can

04:31

see right here we have the list of this

04:34

along application I click show and you

04:36

can see the information over here which

04:38

is

04:38

powershell.exe so when you go to the

04:41

bottom left side again I enter

04:43

Powershell

04:45

dot ex you hit OK on that and it stays

04:47

the phone the operation has been

04:49

canceled due to restrictions in effect

04:51

on this computer please contact your

04:53

system administrator so the question of

04:55

course is how can we bypass that again

04:58

one simple simple trick is to think

05:00

about what else can call power shells

05:02

and of course in this case Powershell

05:03

underscore inc.exe

05:05

allow us to do Powershell alright so in

05:08

this case what is ISE well it is

05:11

basically an integrated scripting

05:13

environment so literally we can do

05:14

whatever we want here by entering all

05:17

those commands see for example I can

05:18

enter the same command here by

05:20

enumerating or listing down all the

05:21

users between the local computer I can

05:23

enter net user looking at all the lists

05:25

of the users within the computer say for

05:27

example your best friend script Katie

05:28

Lloyd right here if I copy the same file

05:31

somewhere else would that still work

05:33

because it could be pointing to a path

05:36

so that's the first option you want to

05:37

try now the first option here is to go

05:39

ahead and copy where Powershell is

05:41

located and now we want to Target it

05:43

into the desktop directory hit enter on

05:46

that okay

05:47

and now we've done the copy now the

05:49

question is would this work so once I'm

05:52

here I double clicked on it it says the

05:54

following this operation has been

05:55

canceled due to restrictions in fact in

05:57

this computer please contact your system

05:59

administrator no worries we just have to

06:01

try harder and what I do now is I'm

06:04

going to rename

06:05

powershell.exe into say Powershell

06:09

hackeralloy.exe is the same file it's

06:11

just a rename of the file I double

06:13

clicked on it

06:14

boom we are in look at that this is

06:17

crazy how can this even work

06:20

are we naming the fall the other

06:22

interesting part is they could be using

06:24

the hash value of the file as you can

06:26

see right here we on Windows settings

06:28

and then followed by security settings

06:30

and then under software restriction

06:32

policy and additional rules and right

06:34

here we have powershell.exe which takes

06:36

in as a hash of value so when I double

06:39

click onto here

06:41

you can see the following which is Hash

06:42

rule alright so when I go ahead and

06:45

browse we can Target any form of

06:46

executables and this allows the use and

06:50

check of those hash value based on the

06:52

executable and we can easily change this

06:54

up a little which will then allow us to

06:57

still execute on the file so what I'll

07:00

do now is go ahead and disable don't run

07:03

specified Windows application click

07:04

apply on that click OK because we're

07:06

testing out the hotter hash rule here so

07:09

what I can do right now is go ahead and

07:11

launch a good friend and what I can do

07:13

here is to change up a little bit of the

07:16

value in powershell.exe and see whether

07:19

we're able to execute on it so what I've

07:21

entered here is to copy from system2

07:23

Windows Powershell version 1.0

07:25

Powershell exe into user desktop I go

07:29

ahead and hit enter and that done so we

07:32

can see the file on the left so we have

07:34

the powershell.exe right here so the

07:37

proof and pass it out let's go ahead and

07:39

move this over into the center a little

07:41

and I double clicked on it and it says

07:42

defaulting your system illustrator has

07:45

blocked this program for more

07:46

information contact consistent registry

07:47

or whatever

07:48

so what we want to do now is to change

07:50

up the value of this a little and see if

07:52

we're able to launch Powershell and what

07:54

we'll do here is to append it to

07:56

powershell.exe hit enter done double

07:59

click on the powershell.exe boom we're

08:02

in we managed to change up the value of

08:05

the executable and this gives us access

08:07

to Powershell and remember kids that's

08:11

how you do hacking