Reminds me of a hack I discovered in school.

I discovered that I could use VBA from Word to shell out to cmd bypassing all of the security. This opened a world of possibilities...

This being the era of AOL punters I created a neat VBA utility in a Word doc to that used netsend to spam other computers in the school. Shared the file widely.

Then I used the technique to explore the network... eventually was able to use net use to connect to a remote drive in the school administrator's office where I found a text file of every student birthday, home address, and SSN... which I then could use to sign into anyone's account (password was derivative of name and SSN).

Culminated with pwning a school rival by putting all his files in a password protected zip on the desktop and dropping a batch file in his startup folder that printed a text file with the password to the printer when he logged in.

Reminds me of high school. We also had locked down computers, but one day I noticed that one of the programs on the system had a directory structure of hundreds, if not thousands, of executable plugins that needed run-access for the program to execute properly.

My hypothesis was that the IT guys were lazy and just unblocked anything in that directory. Even if a networked computer didn't have this program on it, you could just recreate the directory structure and drop any portable executable there and run it. Pretty soon we were all playing brood war in every free period.

Ah, reminds me of the good ol' Windows 98 login bypass: https://epiclogon.ytmnd.com/

School PC "hacking" and bypassing locking was a great past-time.

One of the schools I went to had a computer lab in the Library, ran on Windows NT 4. I found so many work-arounds to their security controls that they ended up making me an admin and told me to fix them all. That was my intro into group policies and domain management.

Another student made a credential-phishing program - it was a full-screen VB6 app that looked like the normal NT4 login. They'd log in, launch the credential-phishing app, and then walk away. It wrote the stolen creds to their 'home' drive and then logged out after showing some fake "There was a problem with your password, try again" message.

Many years later, but still on NT4/Windows 2000, at technical school we found that the campus-wide internet was run through a single Windows-based proxy, with rules on the router to prevent traffic to the internet except from that proxy.

They also did various content-filtering things, allowing only certain white-listed sites.

At that time Windows's networking was iffy - and if it detected that another computer was using the same IP, it'd disconnect itself from the network.

Our class had a computer lab with removable 3.5" drives and we were learning about setting up networks. Well, install a Linux distro, install squid with rules to allow all traffic. Then once it was working, change your machine's IP to that of the proxy. Now the entire campus's internet traffic was going via your lab machine, and you had free access to the internet. We just kept a 'proxy' disk around and put it in anytime we needed something that wasn't whitelisted. I don't know if the network admins either didn't care, or didn't know because it wasn't fixed for a few years.

Ha, reminds me of high school. No command line access on the school PCs.

At the time, I was learning PHP, having stepped up from plain HTML/CSS. I had also discovered that I could run a web server (XAMPP).

So, one PHP script later, and sure enough… command line access through the browser!

In WinXP You could also use the File->Open in notebook to download URLs.

It's also possible to have binary files that only consist of readable bytes that can be saved in notepad.

In my school you had to rename the binaries to calc.exe and then they'd work.

I had something similar. They installed Windows 95, but the DOS files Windows 3.1 files were still there too. I was able to open Solitaire, QBASIC, and other programs, including the Windows 3.1 registry editor, which can display and edit parts of the Windows 95 registry but not all of them. (The Windows 95 registry editor did not load, due to the policies)

Using VBA in Microsoft Word, I also had figured out, too.

Once the teacher wanted took the students to the computer lab to make greeting cards, but the program to do so was no longer in the menu; fortunately I knew where it was and was able to describe (using VBA in Microsoft Word) so that everyone in the class could load the program.

Later, they removed many restrictions but all files were reset when rebooting, so any program could be accessed without damaging it.

Something less prohibited was defining a password for print jobs to avoid getting them mixed up with everyone else's.

In high school (using windows 7) cmd.exe was blocked, but only by launching it directly.

Creating a .bat file and double clicking on it got it loading just fine.

I didn't find any cool tricks to do with it besides just running it.