I'm a 7th grader. The school district I'm in likes to try to make it look like they are the most secure school in the world. I discovered a major flaw in their security system. This was a shell that wasn't running bash or any other command line language I knew. This was clearly an admin-only thing but I decided to investigate.

Using a simple run command from the help command I was able to view everybody's password. At the time it was just the same as their username. I knew what could be done if the district's computer system was compromised. The school district only thought to keep the shell locked from grades 8-12. This leaves an opening: if some person were to get a password from a younger grade, then they could do some damage.

In 2017, I found a different shell. This time it was the CMD in Windows 8. This time it was on shell. I went and typed in netsh. From there I could control all of the network components.

I've been thinking about writing a letter to an admin but I don't know what to say or use as any reason he should care. Should the admin, everyone else, and me be worried about this?

schroeder
AdrienDaBoss
  • Potential duplicates: https://security.stackexchange.com/questions/100097/as-a-student-how-do-i-safely-and-responsibly-disclose-a-serious-security-issue https://security.stackexchange.com/questions/120158/how-should-i-tell-school-that-they-are-vulnerable-when-i-wasnt-given-permission/120175#120175 – schroeder Aug 25 '18 at 22:12
  • The problem is that depending on a lot of factors, disclosing it might get you into trouble for accessing systems without permission. As you are in the States, this is a real concern. Please look through the duplicate questions for ideas on how to disclose the problem without exposing yourself too badly. And good luck! – schroeder Aug 25 '18 at 22:15
  • And do keep poking around (responsibly) and finding problems. A wonderful career is open to you. – schroeder Aug 25 '18 at 22:17

1 Answer

If this shell allows you to send a reverse shell or anything else of that nature, you should report this immediately to the sysadmin so he can take care of the issue. Everyone's data is at risk.

Should the admin, everyone else, and me be worried about this?

Think about it. Would you let a rogue exploit roam around the network being unpatched? If this exploit allows you to see ALL THE PASSWORDS then you can log in to the accounts and cause mischief on all the students.

zucc0nit