Ethical Hacking

 

Old Dominion University

CYSE 301 Cybersecurity Techniques and Operations

Assignment 4: Ethical Hacking (v3)

Edwin C Wells IV

Task A.        
Exploit SMB on Windows XP with Metasploit

In this task, you need to complete the following steps to exploit SMB vulnerability on Windows XP.

  1. Run a port scan against the Windows XP using nmap command to identify open ports and services.
  2. Identify the SMB port number (default: 445) and confirm that it is open.
    1. Used command nmap 192.168.10.0/24 -p- -sV to find open ports and services in the 192.168.10.0/24 subnet
  • Launch Metasploit Framework and search for the exploit module: ms08_067_netapi
  • Use ms08_067_netapi as the exploit module and set meterpreter reverse_tcp as the payload.
  • Use 4498 as the listening port number. Configure the rest of the parameters. Display your configurations and exploit the target.
    • Set the rhosts, lhost, and lport with set commands
  • Successfully exploited and established a session
  • [Post-exploitation] Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.
    • Used screenshot to take a screenshot
  • Image taken
  • [Post-exploitation] In meterpreter shell, display the target system’s local date and time.
    • Used localtime command
      • Time was 2023-10-19 16:08:33 EST
  • [Post-exploitation] In meterpreter shell, get the SID of the user.
    • Used getsid command
      • SID : S-1-5-18
  • [Post-exploitation] In meterpreter shell, get the current process identifier.
    • Used getpid command
      • Pid: 1168
  • [Post-exploitation] In meterpreter shell, get system information about the target.
    • Used sysinfo command

Task B.         
Exploit EternalBlue on Windows Server 2008 with Metasploit

In this task, you need to use similar steps to exploit the EternalBlue vulnerability on Windows Server 2008. Make sure to search and replace the exploit module against Windows Server 2008 accordingly.

  • Ran nmap scan for open ports and services using command namp 192.168.10.0/24 -p- -sV
  • Started Metasploit and searched from eternalblue
  • Used exploit option 2
  1. Configure your Metasploit accordingly and set DDMMYY as the listening port number. Display the configuration and exploit the target.
    1. set payload and other configurations
      1. attempted to use date but unfortunately it was out of range and used 4498 for lport instead
  • exploited machine successfully
  • [Post-exploitation] Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.
    • used command screenshot -p /root/windows08.jpg
      • screenshot is on next page with the rest of the post-exploitation tasks
    • image
  • [Post-exploitation] In meterpreter shell, display the target system’s local date and time.
    • Used command localtime
  • [Post-exploitation] In meterpreter shell, get the SID of the user.
    • Used command getsid
  • [Post-exploitation] In meterpreter shell, get the current process identifier.
    • Used command getpid
  • [Post-exploitation] In meterpreter shell, get system information about the target.
    • Used command getsysinfo

Task C.       
Exploit Windows 7 with a deliverable payload.

In this task, you need to create an executable payload with the required configurations below. Once your payload is ready, you should upload it to the web server running on Kali Linux and download the payload from Windows 7, then execute it on the target to make a reverse shell. Of course, don’t forget to configure your Metasploit on Kali Linux before the payload is triggered on the target VM.

The requirements for your payload are:

  • Payload Name: Use your MIDAS ID
    • Used msfvenom to create deliverable payload
  • Listening port: 4498
    • set lport and lhost in meterpreter
    • started exploit (waiting for connection)
  • Started apache 2
  • Copied ewell007.exe payload to apache2
  • Ran ewell007.exe on windows 7
  • Session was successfully opened on internal kali meterpreter


[Post-exploitation] Once you have established the reverse shell connection to the target Windows 7, complete the following tasks in your meterpreter shell:

  1. Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.
    1. Used command screenshot -p /root/windows07.jpeg
  • image
  • Create a text file on the attacker Kali named “IMadeIT-YourMIDAS.txt” (replace YourMIDAS with your university MIDAS ID) and put the current timestamp in the file. Upload this file to the target’s desktop. Then log in to Windows 7 VM and check if the file exists. You need to show me the command that uploads the file.
    • Created file on internal kali
  • Used command upload [filename] to window 7 desktop
  • Verified


[Privilege escalation, extra credit] Background your current session, then gain administrator-level privileges on the remote system. After you escalate the privilege, complete the following tasks:

  • Create a malicious account with your name and add this account to the administrator group. You need to complete this step on the Attacker Side.
    • Used a UAC bypass to increase the privileges of our connection to create user EdwinW with password iamhere
    • Then elevated the shadow account to the administrator group for future access
  • Remote access to the malicious account created in the previous step and browse the files belonging to the user, “Windows 7”, in RDP.

Task D.         Extra Credit

  • Find another exploit that targets on either Windows XP or Windows Server 2008.
  • Used nmap 192.168.10.0/24 -p- -sV to scan open ports and services
  • Ran nessuss to scan for vulnerabilities of 192.168.10.11
  • Started, searched and gained information on ms12-020
  • Configured settings and exploited 192.168.10.11
  • Windows 2008 side blue screen of death