Initial Reconnaissance
Reconnaissance was started by running Nmap to discover the IP addresses of potential targets
on the network. The scan produced addresses at:
10.113.113.10
10.113.113.15
10.113.113.20
10.113.113.50
10.113.113.51
With the addresses of the hosts on the network known, each address was scanned to identify
the Operating System (OS) it was running, so that a strategy could be formulated for the
attack approach.
Exploitation Downs, Picone, Cravens
Having acquired the addresses of the targets on the network and determined the OS that
each target was running, the next step was to begin searching for vulnerabilities on
individual targets.
An Nmap port scan was then performed against 10.113.113.10. This scan yielded
promising results: port 1337 was open. The approach adopted was to use netcat to connect
to the machine through the open port.
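As an added example (not part of the original report or the team's own tooling), the Python below parses Nmap's grepable output (`nmap -sV -O -oG -`) into a per-host summary of status, OS guess and open ports, and then filters for hosts exposing a given port, which is the step that singled out 10.113.113.10 and port 1337 above. The scan text embedded in the block is constructed to match the five addresses listed in the reconnaissance section; every service name, version string and OS guess, and every port other than 1337/tcp on 10.113.113.10, is invented for illustration.

```python
"""Parse Nmap grepable (-oG) output into a per-host summary of open ports and OS guess.

Added example, not from the original report. SAMPLE_GREPABLE is constructed:
the addresses match the report, but every service, version and OS guess (and
every port other than 1337/tcp on 10.113.113.10) is invented for illustration.
"""
import re

# Constructed stand-in for `nmap -sV -O -oG - 10.113.113.0/24` output (tab-separated fields).
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -O -oG - 10.113.113.0/24\n"
    "Host: 10.113.113.10 ()\tStatus: Up\n"
    "Host: 10.113.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, "
    "1337/open/tcp//waste?///\tIgnored State: closed (998)\tOS: Linux 3.2 - 4.9\n"
    "Host: 10.113.113.15 ()\tStatus: Up\n"
    "Host: 10.113.113.15 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18/, "
    "443/closed/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.113.113.20 ()\tStatus: Up\n"
    "Host: 10.113.113.50 ()\tStatus: Up\n"
    "Host: 10.113.113.50 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tOS: Microsoft Windows 7\n"
    "Host: 10.113.113.51 ()\tStatus: Up\n"
    "# Nmap done -- 256 IP addresses (5 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^(\S+)\s*\((.*)\)$")   # "10.113.113.10 (optional-rdns-name)"


def parse_grepable(text):
    """Return {ip: {"rdns", "status", "os", "open_ports"}} built from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." banner and summary lines
        # Each tab-separated chunk is "Name: value"; Ports/OS may sit on a later line than Status.
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key.strip()] = value.strip()
        m = HOST_RE.match(fields["Host"])
        ip, rdns = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"rdns": rdns, "status": None, "os": None, "open_ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "OS" in fields:
            entry["os"] = fields["OS"]
        # Port entries are "port/state/proto/owner/service/rpcinfo/version/" separated by ", "
        for spec in fields.get("Ports", "").split(", "):
            if not spec:
                continue
            port, state, proto, _owner, service, _rpc, version = spec.split("/")[:7]
            if state == "open":
                entry["open_ports"].append((int(port), proto, service, version))
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Sorted IPs that expose port/proto as open: the filter that flagged 1337/tcp on .10."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and pr == proto for p, pr, _s, _v in h["open_ports"]))


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for ip in sorted(scan):
        h = scan[ip]
        ports = ", ".join(f"{p}/{pr} {s} {v}".strip() for p, pr, s, v in h["open_ports"]) or "-"
        print(f"{ip:15} {h['status']:4} os={h['os'] or '?'} open={ports}")
    print("hosts with 1337/tcp open:", hosts_with_open_port(scan, 1337))
```

Feed it real output with `nmap -sV -O -oG scan.gnmap 10.113.113.0/24` and `parse_grepable(open("scan.gnmap").read())`; the per-host dictionary is then the natural place to record which hosts were targeted and why, rather than reading the raw screenshots.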
After starting a session we found a text file named secret1.txt. This file contained the
indication that we had accomplished the first level of the exploitation challenge, along
with the name of Box 2.
Further inspection of the page yielded a username and password, which we used to enter
the system.
After accessing the system with the username admin and the password
Th1sIS@SecureP@ssw0rd, we searched the file system for a file with "secret" in its name.
We found a file titled secret2 containing the clue "exploitdb for the win".
The decision was made to use this exploit on Box 3, but first we needed to add the
exploit to our Metasploit module library. After a small series of steps, the exploit was
available in our library.
We then put the exploit into action to gain access and searched for a file with "secret" in
the name. We found the secret3 text file. This file contained the indication that we had
achieved another level in the exercise. The text also indicated that Box 3 would have
to be used to infiltrate the next machine in the network.
This technique proved successful: we were able to reach the login screen for Box 4 but
still did not have a password at that point. We eventually found what looked like a hash
but initially could not confirm it.
After trying a few decoders, we concluded that the string was Base64 rather than a hash.
A Base64 string is recognisable by its alphabet (A-Z, a-z, 0-9, + and /) and its trailing
"=" padding, and unlike a hash it is a reversible encoding, not a one-way function, so it
decodes without any cracking. Putting the string into a Base64 decoder gave us the next clue.
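As an added example (not part of the original report), the Python below does the check described above programmatically: it tells a hex digest of MD5, SHA-1 or SHA-256 length apart from a Base64 token, tolerates Base64 whose "=" padding was stripped or that uses the URL-safe alphabet, and only accepts a decode that yields printable text, since hex digests are also valid Base64 and would otherwise "decode" to binary noise. The clue string and the digest in the block are constructed stand-ins; the report does not reproduce the real string found on Box 4.

```python
"""Tell a Base64-encoded clue apart from a hex digest, and decode it.

Added example, not from the original report. SAMPLE_CLUE and SAMPLE_DIGEST are
constructed stand-ins (Base64 of "this is a constructed clue", and MD5("hello")).
"""
import base64
import binascii
import re
import string

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
DIGEST_HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex characters per digest

SAMPLE_CLUE = "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIGNsdWU="   # constructed
SAMPLE_DIGEST = "5d41402abc4b2a76b9719d911017c592"     # constructed: md5("hello")


def try_base64(token):
    """Decode standard or URL-safe Base64, tolerating stripped '=' padding.

    Returns the decoded text, or None when the token is not Base64 or does not
    decode to printable text (a decode that yields binary junk is a false hit).
    """
    candidate = token.replace("-", "+").replace("_", "/")   # URL-safe -> standard alphabet
    candidate += "=" * (-len(candidate) % 4)                # restore padding the author may have dropped
    if not B64_RE.fullmatch(candidate):
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch in string.printable for ch in text) else None


def identify(token):
    """Classify a suspicious string found on a target.

    Returns ("hex-digest", "<algorithm>-sized"), ("base64", decoded_text) or ("unknown", None).
    Hex of digest length is reported first: hex is also a valid Base64 alphabet, so the
    Base64 branch alone would misfile a real hash as an encoded (unprintable) blob.
    """
    token = token.strip()
    if HEX_RE.fullmatch(token) and len(token) in DIGEST_HEX_LENGTHS:
        return "hex-digest", f"{DIGEST_HEX_LENGTHS[len(token)]}-sized"
    decoded = try_base64(token)
    if decoded is not None:
        return "base64", decoded
    return "unknown", None


if __name__ == "__main__":
    for sample in (SAMPLE_CLUE, SAMPLE_DIGEST, "not base64!!"):
        print(sample, "->", identify(sample))
```

The "hex-digest" result is only a length-based guess; a 32-character hex string could equally be a 128-bit key or a GUID with the dashes removed, so it tells you what to try (hash lookup or cracking) rather than what the value is.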
The secret4 text file gave us the clue for Box five.
The quip about lazy administrators led us to believe that the sticky keys approach might
work. Using this remote session, we tried a technique that abuses the Sticky Keys
accessibility feature of Windows and allows the administrator password to be reset (the
standard form of this technique swaps sethc.exe, the program Windows launches when Shift
is pressed five times at the logon screen, for cmd.exe, so the resulting prompt runs as
SYSTEM before anyone has logged in). On the login screen we pressed Shift five times to
bring up a command prompt.