Module 06 - Practical
Last updated
These are the steps I took to complete the flag-hunting session in the current module of the CEH v12 Practical course.
Run the Responder tool on the Ubuntu machine and find the NTLM hash for the user Jason on Windows 11. Simulate the user Jason (user: Jason and password: qwerty) on the Windows 11 machine. Enter the option that specifies the interface while running the Responder tool.
A: -I
Run L0phtCrack on the Windows 11 machine. You have the admin credentials (username: Administrator, password: Pa$$w0rd) of a target machine, which is at 10.10.1.22. Find the password of another user, Martin, on the machine at 10.10.1.22.
Launch L0phtCrack and follow these steps: Windows > A remote Machine > {Host: 10.10.1.22} {Username: Administrator} {Password: Pa$$w0rd} > Thorough Password Audit > Generate Report {CSV} > Run this job Immediately
A: apple
Search for the vulnerability "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)" on exploit-db.com. What is the CVE ID for this vulnerability?
Browser: exploit-db.com
Browser: Search for > CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)
A: 2018-6892
For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Run the Armitage tool from the attacker’s machine to exploit vulnerabilities on the target system. Interact with the target system and use the sysinfo command to find the build number of the target’s operating system.
You have to start a database to make Armitage work.
Execute Application > Pentesting > Exploitation Tools > Metasploit Framework > Armitage
Enter the Metasploit server information to use it too, then add the following information to send the exploit.
Open the target machine and execute the exploit
Armitage: Open the shell and execute sysinfo
A: 22000
Use the Ninja Jonin to gain access to the Windows Server 2022. Enter the name of the Windows Server machine that is captured in the Jonin console.
In the free trial version of Ninja&Jonin, you have to change the HOST in constants.json.
Open Jonin.win.exe on the attacker machine.
Open Ninja.win.exe on the target.
Now, in the attacker terminal, type List.
This tool is excessively manual, so there is usually no point in using it.
A: Server22
Use the Ninja Jonin to gain access to the Windows Server 2022. Enter the command that should be used to open shell on the target machine, using Jonin console.
According to the image from the documentation, the command you need to execute after "connect 1" is cmd.
A: cmd
For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Execute and exploit a vulnerable application, D:\CEH-Tools\CEHv11 Module 06 System Hacking\Buffer Overflow Tools\vulnserver\vulnserver.exe, to gain admin access to the target machine. Flag submission is not required for this task, enter "No flag" as the answer.
For this task, you must follow the steps from Lab 1, Task 7; there are 150 steps in this task.
A: No flag
For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Use the msfvenom tool on the attacker’s machine to exploit the target machine and gain SYSTEM-level access. Obtain the password hashes of the users on the target machine 10.10.1.11. Flag submission is not required for this task, enter "No flag" as the answer.
Using your Parrot machine as root,
Create a shared folder and copy the exploit there.
Now open msfconsole and set the variables.
Open the Windows machine, log in, and with your browser go to "http://10.10.1.13/share" and download the file "Exploit.exe"; don't forget to execute it. [Remember to run service apache2 start to share the file from Parrot to Windows]
Now return to your Parrot machine; it detects a session, which you now want to activate.
Here we are going to use a tool provided by EC-Council: on your Parrot machine, copy BeRoot to your desktop (location: CEHv12 Module 06 System Hacking\Privilege Escalation Tools; first you have to browse to smb://10.10.1.11 using the Windows credentials).
Now we will go further with another tool.
A: No flag
For this task, use the Parrot Security machine (10.10.1.13) as the attacker’s system and the Windows 11 machine (10.10.1.11) as the target system. Use the msfvenom tool on the attacker’s machine to create a backdoor and exploit the target machine to gain an MSF interactive shell. Find the number of interfaces on the target machine.
Same steps as before, and the same exploit (this time called Backdoor.exe), but in the first msfconsole you use "set payload windows/meterpreter/reverse_tcp", and you run the command ipconfig at the end.
A: 2
Use a proof-of-concept code to execute the attack on the Parrot Security machine and escalate the privileges from a standard user to a root user. Flag submission is not required for this task, enter "No flag" as the answer.
Here we are going to use a specific exploit: pkexec, CVE-2021-4034.
And done, you exploited yourself. Jokes aside, it is a useful exploit if you manage to run it as a standard user inside a Linux machine.
A: No Flag
Exploit misconfigured NFS to gain access and to escalate privileges on the Ubuntu machine. Enter the command that was used to check if any share is available for mount in the Ubuntu machine.
This is a question from Lab 2, Task 4. After discovering port 2049 (nfs_acl) with Nmap and installing a tool with sudo apt-get install nfs-common, you prepare a folder to mount the share for later use.
A: showmount -e 10.10.1.9
Exploit misconfigured NFS to gain access and to escalate privileges on the Ubuntu machine. What is the command that is used to view current processes along with their PIDs?
This is a question from Lab 2, Task 4. It is extremely important to know about this; it will help you a lot when solving machines.
A: ps -ef
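The weakness the NFS task relies on is the server's export configuration. As an added example (not from the lab or the course), this audits an /etc/exports file for the options that make that escalation possible; the exports text is constructed for the demo.

```python
"""Audit an NFS /etc/exports file for risky export entries (example code added
here, not part of the CEH lab material). The exports text below is constructed
for the demo and does not describe a real server."""
import re

# Constructed sample: one share exported world-writable with no_root_squash.
SAMPLE_EXPORTS = """\
# /etc/exports: constructed example, not a real server's config
/home           *(rw,sync,no_root_squash)
/srv/public     10.10.1.0/24(ro,sync,root_squash)
/srv/backup     10.10.1.13(rw,no_subtree_check) 10.10.1.11(ro)
"""

# Matches "client(opt1,opt2)"; clients listed without options use exportfs
# defaults (ro, root_squash) and are not parsed by this simple regex.
ENTRY_RE = re.compile(r"(\S+)\(([^)]*)\)")


def parse_exports(text):
    """Return (path, client, options) tuples; paths with spaces are not handled."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, rest = parts
        for client, opts in ENTRY_RE.findall(rest):
            options = [o.strip() for o in opts.split(",") if o.strip()]
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return (path, client, reason) findings for entries worth fixing."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root keeps uid 0"))
        if client == "*" and "rw" in opts:
            findings.append((path, client, "writable share exported to any host"))
        if path == "/" or path.startswith("/home"):
            findings.append((path, client, "exports home directories or root fs"))
    return findings
```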
Exploit the Sticky Keys feature to gain access and to escalate privileges on the Windows 11 machine. Enter the domain of Windows 11 obtained from the sysinfo command in the meterpreter session.
Same information as the previous Meterpreter exploits. Since we are going to use Meterpreter a lot here, I will create a block for "Classic Meterpreter".
------ START OF CLASSIC METERPRETER -----
Create a shared folder and copy the exploit there.
Now open msfconsole and set the variables.
Open the Windows machine, log in, and with your browser go to "http://10.10.1.13/share" and download the file "Exploit.exe"; don't forget to execute it. [Remember to run service apache2 start to share the file from Parrot to Windows]
------ END OF CLASSIC METERPRETER -----
A: WORKGROUP
Use Metasploit inbuilt Mimikatz module which is also known as kiwi to dump Hashes from Windows 11 machine. Enter the command that is used to open mimikatz in meterpreter session.
Follow the steps from Classic Meterpreter - Flag 13, then:
Check which variables need to be filled in with show options, e.g. set TARGET 0.
A: load kiwi
Use the Power Spy tool on the Windows Server 2022 machine to monitor the target machine at 10.10.1.19. Use the user account Jason, with the password qwerty, to establish a Remote Desktop Connection with the target system. What is the default key combination to put Power Spy in the Stealth mode?
From Lab 3, Task 1, at step 33.
I don't like this tool, so if someone wants to add steps here, it is open: send me an email and I will add the information here (remember to add your webpage or LinkedIn so I can give proper credit).
A: Ctrl+Alt+X
Use the Spytech SpyAgent tool on the Windows Server 2022 machine to monitor the target machine at 10.10.1.19. Use the user account Jason, with the password qwerty, to establish a Remote Desktop Connection with the target system. Which option will enable you to configure SpyTech Spy Agent to run in the total stealth mode, with all possible logging options preconfigured?
From Lab 3, Task 2, at step 23.
I don’t like this tool.
A: Complete + Stealth Configuration
In the Windows Server 2019 machine, use NTFS Streams to hide calc.exe inside the readme.txt file. Flag submission is not required for this task, enter "No flag" as the answer.
Using your Windows machine, log in and go to the folder C:\magic; copy the file C:\Windows\System32\calc.exe there and create a file called readme.txt with any content.
A: No flag
On the Windows 11 machine, hide data into a text file using the whitespace steganography tool Snow. Flag submission is not required for this task, enter "No flag" as the answer.
Using your Windows machine, log in, go to the folder "E:\CEH-Tools\CEHv12 Module 06 System Hacking\Steganography Tools\Whitespace Steganography Tools" and paste the folder "Snow" onto the Desktop. Then create a readme.txt with anything inside.
And done: readme.txt is now encoded as readme2.txt, which shows the original content of readme.txt while hiding the sensitive information. To see the hidden content, type: snow -C -p "magic" readme2.txt
A: No flag
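Snow hides its payload as runs of spaces and tabs appended to the end of lines, so the defensive counterpart is to look for that pattern. As an added example (not from the lab or the Snow tool), this flags text whose lines carry mixed trailing tab/space runs; both sample texts are constructed, not real Snow output.

```python
"""Detect whitespace steganography of the kind Snow produces: data hidden in
runs of spaces and tabs at line ends. Example code added here, not part of the
CEH lab material or the Snow tool; the samples are constructed, not Snow output."""
import re

TRAILING_WS = re.compile(r"[ \t]+$")


def trailing_ws_report(text):
    """Summarise trailing whitespace: lines carrying it, how many of those
    mix tabs and spaces, and the longest run seen."""
    lines = text.splitlines()
    trailing = mixed = longest = 0
    for line in lines:
        m = TRAILING_WS.search(line)
        if not m:
            continue
        run = m.group(0)
        trailing += 1
        longest = max(longest, len(run))
        if "\t" in run and " " in run:
            mixed += 1
    return {"lines": len(lines), "trailing": trailing,
            "mixed": mixed, "longest": longest}


def looks_like_whitespace_stego(text, min_ratio=0.5):
    """True when at least min_ratio of the lines end in trailing whitespace
    and at least one run mixes tabs and spaces; editors rarely leave that."""
    r = trailing_ws_report(text)
    if r["lines"] == 0 or r["trailing"] == 0:
        return False
    return r["trailing"] / r["lines"] >= min_ratio and r["mixed"] > 0


# Constructed samples: an ordinary readme and one carrying hidden trailing runs.
CLEAN_TEXT = "Project notes\nBuild with make\nRun the tests\n"
STEGO_TEXT = ("Project notes \t\t \t\n"
              "Build with make\t \t\t\n"
              "Run the tests \t \t \t\n")
```

A single trailing space left by an editor does not trip the check because it requires both a high share of affected lines and mixed tab/space runs.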
On the Windows Server 2019 machine, hide text inside an image using the OpenStego tool. Flag submission is not required for this task, enter "No flag" as the answer.
Using the Windows machine, execute OpenStego.
At Message File, add a file with any message.
At Cover File, upload any image.
At Output, add a path and the result name.
A: No Flag
Exploit a misconfigured startup folder to gain privileged access and persistence on the Windows 11 machine. What is the command used in this task to elevate privileges?
This task is about using Metasploit together with GhostPack Seatbelt, from Module 06, Lab 2, Task 1.
A: getsystem -t 1
Exploit Active Directory objects and add Martin, a standard user in Windows Server 2022, to the Domain Admins group through AdminSDHolder. Enter the name of the user that is added to the Domain Admins group in this task.
Using your Parrot machine, create a malicious file with msfvenom.
------ START OF CLASSIC METERPRETER -----
Create a shared folder and copy the exploit there.
Now open msfconsole and set the variables.
Open the Windows machine, log in, and with your browser go to "http://10.10.1.13/share" and download the file "Exploit.exe"; don't forget to execute it. [Remember to run service apache2 start to share the file from Parrot to Windows]
------ END OF CLASSIC METERPRETER -----
With PowerShell active, we can do whatever we want; in this case, add Martin with the permission.
In this case, he is only granted GenericAll.
A: Martin
Exploit WMI event subscription to gain persistent access to the Windows 11 machine. Enter the server username that is acquired after exploiting the WMI event subscription.
Using your Parrot machine, create 2 malicious files using Metasploit.
------ START OF CLASSIC METERPRETER -----
Create a shared folder and copy the exploit there.
Now open msfconsole and set the variables.
Open the Windows machine, log in, and with your browser go to "http://10.10.1.13/share" and download the file "Exploit.exe"; don't forget to execute it. [Remember to run service apache2 start to share the file from Parrot to Windows]
------ END OF CLASSIC METERPRETER -----
Now open a new Parrot terminal.
The last command gives you the answer.
A: NT AUTHORITY\SYSTEM
From the Parrot Security machine, navigate to CEHv12 Module 06 System Hacking\Covering Tracks Tools\Covert_TCP on the machine at 10.10.1.11 and copy the file covert_tcp.c. Compile the code in covert_tcp.c to create a covert TCP channel between the Parrot Security machine (10.10.1.13) and the Ubuntu machine at 10.10.1.9. For the Windows 11 machine, the username is Admin, and the password is Pa$$w0rd. Flag submission is not required for this task, enter "No flag" as the answer.
This program sends a message through a covert TCP channel; you can read it using Wireshark. I don't find this useful.
A: No flag
On the Windows 11 machine, use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. Which command is used to clear the audit policies?
Auditpol.exe is the command-line utility tool to change the Audit Security settings at the category and sub-category levels. You can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.
In the second module, Lab 4, Task 1, they use auditpol /clear /y to clear the audit policies.
A: auditpol /clear /y
In the Windows 11 machine, use various Windows utilities such as Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher to clear system logs. Which wevtutil command will clear all system logs (enter the complete command as the answer)?
The system log file contains events that are logged by the OS components. These events are often predetermined by the OS itself. System log files may contain information about device changes, device drivers, system changes, events, operations, and other changes.
There are various Windows utilities that can be used to clear system logs such as Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher. Here, we will use these utilities to clear the Windows machine logs.
This is a theoretical question from Module 06, Lab 4, Task 2 about the command used on the Windows machine to clear the system log.
A: wevtutil cl system
In the Parrot Security machine, clear the Linux machine event logs using the Bash shell. Which command will disable the Bash shell from saving the history?
The same as the previous question, but on Linux. Here it is a lot easier to complete the task: you can set the history size to zero, which removes every saved command and prevents further ones from being saved.
You can use history -c to check.
A: export HISTSIZE=0
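Every command in the covering-tracks questions above (auditpol /clear, wevtutil cl, Cipher, HISTSIZE=0, history -c) leaves a trace of its own, either in the process command line or in the event the log subsystem writes when a log is cleared. As an added example (not from the lab or the course), this is detection logic for those traces, run over constructed event records that imitate Windows process-creation/audit events and a Linux shell audit line; the event IDs 1102 (Security log cleared), 104 (System log cleared) and 4719 (audit policy changed) are real Windows IDs, the records are not real logs.

```python
"""Detect the track-covering commands from this section (example code added
here, not part of the CEH lab material). The records below are constructed to
resemble Windows process-creation/audit events and a Linux shell audit line."""
import re

# (command-line regex, label); Windows commands are matched case-insensitively.
COMMAND_RULES = [
    (re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I), "audit policy cleared"),
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "event log cleared"),
    (re.compile(r"\bcipher(\.exe)?\s+/w\b", re.I), "free space wiped"),
    (re.compile(r"Clear_Event_Viewer_Logs\.bat", re.I), "log-clearing script run"),
    (re.compile(r"\bHISTSIZE=0\b|\bhistory\s+-c\b"), "shell history disabled/cleared"),
]

# Windows event IDs that record the effect even when the command itself is not logged.
EVENT_RULES = {
    1102: "Security log cleared (Event 1102)",
    104: "System log cleared (Event 104)",
    4719: "audit policy changed (Event 4719)",
}


def classify_event(event):
    """Return the reasons this record looks like log tampering (empty if none)."""
    reasons = []
    if event.get("event_id") in EVENT_RULES:
        reasons.append(EVENT_RULES[event["event_id"]])
    cmd = event.get("command_line", "")
    reasons.extend(label for rx, label in COMMAND_RULES if rx.search(cmd))
    return reasons


def scan(events):
    """Return (index, reasons) for every record that triggered at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify_event(ev))]


# Constructed sample records (not real logs): 4688 = process creation.
SAMPLE_EVENTS = [
    {"event_id": 4688, "command_line": "auditpol /clear /y"},
    {"event_id": 4719, "command_line": ""},
    {"event_id": 4688, "command_line": "wevtutil qe System /c:5"},   # benign query
    {"event_id": 4688, "command_line": "wevtutil cl system"},
    {"event_id": 104, "command_line": ""},
    {"event_id": None, "command_line": "export HISTSIZE=0"},   # Linux shell audit
    {"event_id": None, "command_line": "history -c"},
]
```

Because the effect events (1102, 104, 4719) are written by the log subsystem itself, they still fire when process-creation auditing was already disabled.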
Use various commands to hide file in Windows and Linux machines. Enter the name of the user that is added in Windows 11 machine in this task.
Here they use many generic commands; it is not worth learning about them.
In Windows, you hide a folder by changing its attributes.
A: Test
Use various commands to hide file in Windows and Linux machines. Enter the name of the text file that is hidden in Parrot Security machine in this task.
Just add a dot at the beginning of the file name.
A: Secret.txt
In the Windows 11 machine, use the CCleaner tool located at E:\CEH-Tools\CEHv12 Module 06 System Hacking\Covering Tracks Tools\CCleaner to remove unused files and traces of Internet browsing details. Flag submission is not required for this task, enter "No flag" as the answer.
OK, this is just executing CCleaner; there is no mystery here.
A: No flag