
Final Lab-Exploitation


John Downs, Dominic Picone, Mark Cravens| NTS330 | 12/7/2017


Exploitation Downs, Picone, Cravens

Initial Reconnaissance
Reconnaissance was started by running Nmap to discover the IP addresses of live hosts on
the network. The results produced addresses at:

10.113.113.10
10.113.113.15
10.113.113.20
10.113.113.50
10.113.113.51

The command used was nmap -sn 10.113.113.2-99 (a ping sweep: host discovery only, with no port scan).

Knowing the addresses of the hosts on the network, we then scanned each address to
identify the operating system (OS) each node was running, so that a strategy could be
formulated for the attack approach.


Having acquired the addresses of the targets on the network and determined the OS each
target was running, the next step was to search for vulnerabilities on the individual
targets.

Target one Vulnerabilities and attack approach


It was now time to target individual machines. We began with the lowest numerical IP
address in the list acquired from the Nmap scan of the network.

An Nmap port scan was then performed on 10.113.113.10. This scan yielded a promising
result: port 1337 was open. The approach adopted was to connect to that port with netcat
and see what service answered.

The command used was nc 10.113.113.10 1337


After starting a session we found a text file named secret1.txt. This file contained the
indication that we had accomplished the first level of the exploitation challenge, together
with the name of Box 2.

Target two Vulnerabilities and attack approach


After examining the OS scan for 10.113.113.15 we noticed that port 3339 was open,
indicating that a netcat backdoor was already running. Our next step was to enter the IP
address 10.113.113.15 in the web browser to see what came up.

The result on the surface seemed like a dead end.


Closer inspection of the page yielded a username and password, which we used to log in
to the system.


After accessing the system with the username admin and the password
Th1sIS@SecureP@ssw0rd, we searched the file system for a file with "secret" in its name.
We found a file titled secret2 containing the clue "exploitdb for the win".


Target three Vulnerabilities and attack approach


Knowing from the clue that we needed to exploit Box three, we entered the IP address
10.113.113.20 into the web browser to see whether that approach yielded any results. We
were met with a generic login screen, but at the top left was the version number of a
specific Metasploit exploit target. A Google search showed that 9.9.16 refers to an
exploit known as Disk Pulse Enterprise 9.9.16 GET Buffer Overflow.


The decision was made to use this exploit on Box three, but the module was not present in
our installed Metasploit tree and first had to be added to our library. After a small series
of steps, the exploit was added and available in Metasploit.


We then put the exploit into action to gain access and searched for a file with "secret"
in its name. We found the secret3 text file. This file contained the indication that we had
achieved another level in the exercise. The text also indicated that Box three would have
to be used to infiltrate the next machine in the network.


Target four Vulnerabilities and attack approach


Since we knew that Box three had to be used to get into Box four, we decided to try port
forwarding through Box three, so that a port on the compromised host relayed our traffic
to the service on Box four.
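The pivot itself is not reproduced in the report, so the following is an added illustration and not the team's code: a minimal TCP port forwarder in Python that listens on the pivot host and relays every connection to a target address, the same idea as forwarding a port on Box three through to Box four. The addresses are loopback and the echo service standing in for Box four is constructed purely for the demonstration.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src closes, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def start_forwarder(listen_host, listen_port, target):
    """Listen on (listen_host, listen_port) and relay each connection to target.

    Returns the listening socket; close it to stop accepting. Port 0 lets the
    OS pick a free port (read it back with getsockname()).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listening socket closed: stop
                break
            try:
                upstream = socket.create_connection(target, timeout=5)
            except OSError:
                client.close()       # target unreachable: drop this client
                continue
            upstream.settimeout(None)
            # One thread per direction so traffic flows both ways concurrently.
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_service(host="127.0.0.1"):
    """Constructed stand-in for the service on Box four: echoes input prefixed with b'ECHO:'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(b"ECHO:" + data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo():
    """Send one message through the forwarder and return what came back."""
    echo = start_echo_service()
    fwd = start_forwarder("127.0.0.1", 0, echo.getsockname())
    try:
        with socket.create_connection(fwd.getsockname(), timeout=5) as c:
            c.sendall(b"hello box four")
            return c.recv(4096)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(demo())  # b'ECHO:hello box four'
```

On a real pivot the forwarder would be started on the compromised host with listen_host set to an interface the attacker can reach and target set to the address of the next box; the attacking machine then talks to the pivot's listening port as if it were the target. Each connection gets two relay threads so that both directions of the stream flow independently, and a connection is dropped cleanly when the target refuses it.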


This technique proved successful: we were able to reach the login screen for Box four, but
still did not have a password at this point. We eventually found what looked like a hash,
though initially we could not confirm that it was one.


After trying a few decoders, we concluded that the string was not a hash at all but Base64.
Running the string through a Base64 decoder gave us the next clue.
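The step above (is the string a hash digest, or merely encoded text?) is easy to automate before reaching for a password cracker. The helper below is an added example and not part of the report; it checks hex digest lengths first because a 32-character MD5 digest is also a syntactically valid Base64 string, then attempts a strict Base64 decode. The sample tokens are constructed for the demonstration: the empty-string MD5 digest, and "Box five" Base64-encoded.

```python
import base64
import binascii
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Hex digest lengths of the hash algorithms most often seen in lab credential dumps.
DIGEST_LENGTHS = {32: "MD5 or NTLM", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def classify(token):
    """Return a dict describing what the token most likely is.

    kind: 'hash', 'base64' or 'unknown'; 'decoded' holds the Base64 plaintext
    (str for printable text, bytes otherwise) and is None for the other kinds.
    """
    token = token.strip()
    # Hex first: every hex digest is also in the Base64 alphabet, and a 32/64/128
    # character digest even has a length divisible by 4, so the order matters.
    if HEX_RE.fullmatch(token) and len(token) in DIGEST_LENGTHS:
        return {"kind": "hash", "guess": DIGEST_LENGTHS[len(token)], "decoded": None}
    if B64_RE.fullmatch(token) and len(token) % 4 == 0:
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            return {"kind": "unknown", "guess": None, "decoded": None}
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return {"kind": "base64", "guess": "binary payload", "decoded": raw}
        if all(ch in string.printable for ch in text):
            return {"kind": "base64", "guess": "encoded text", "decoded": text}
        return {"kind": "base64", "guess": "binary payload", "decoded": raw}
    return {"kind": "unknown", "guess": None, "decoded": None}


# Constructed samples: the MD5 digest of the empty string, 'Box five' in Base64,
# and a string that is neither.
SAMPLES = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "b64": "Qm94IGZpdmU=",
    "junk": "not-base64!",
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, classify(tok))
```

A digest-length hex string is reported as a hash without being decoded; anything else that decodes as strict Base64 is returned with its plaintext so that a clue such as the one found on Box four is read directly instead of being fed to a cracker.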


The secret4 text file gave us the clue for Box five.


Target Five Vulnerabilities and attack approach


The last clue indicated that we were dealing with a newer OS on Box five, so we decided to
take a chance and try exploiting a flaw in Windows 7. We knew from earlier reconnaissance
that ports 80 and 3389 were open on Box five, so a remote desktop session was established
with 10.113.113.51. We also tried the IP address in the web browser to look for clues, and
there was a small hint.


The quip regarding lazy administrators led us to believe that the Sticky Keys approach
might work. Over the remote desktop session we tried a technique that abuses the Sticky
Keys accessibility feature of Windows and allows the administrator password to be reset.
On the login screen we pressed Shift five times to bring up a command prompt. This only
works when the Sticky Keys helper (sethc.exe) has been swapped for a command shell on the
host, which is what the hint implied; because the prompt launched from the login screen
runs with SYSTEM privileges, it can change any local account's password without the
original one.
