
Week 15 Final

Team Blood Ravens


Gunner Howell
Jose Mejia
Angie Leifson

Contents
Abstract
Section 1: Box One Spider
Reconnaissance
Figure 1: Port scan of Spider
Attack Method
Figure 2: Exploit used
Figure 3: Payload used
Figure 4: Loading payload into exploit
Results
Figure 5: Directory found in system
Figure 6: Completed test of box
Section 2: Box Two Fox
Reconnaissance
Figure 7: Scan of 192.168.37.90
Figure 8: FTP server 192.168.37.30
Figure 9: Easy chat server
Attack Method
Figure 10: Used metasploit to access chat server
Results
Figure 11: Found secret
Figure 12: Got Fox
Section 3: Box Three Owl
Reconnaissance
Figure 13: Found open port
Attack Method
Figure 13: Exploits used
Figure 14: got into FTP server
Results
Figure 15: Got Owl
Section 4: Box four Mongoose
Reconnaissance
Figure 16: Nmap scans
Attack Method
Figure 17: Attack was success
Figure 18: Brute forced password
Results
Figure 19: Got into Mongoose
Figure 20: Attack was success
Section 5: Box five Frog
Reconnaissance
Figure 20: Nmap scan
Figure 21: Access screen for Frog
Attack Method
Figure 22: Hydra attack
Figure 23: Hydra attack
Figure 26: IPconfig command
Results
Figure 24: Hydra successful
Figure 25: Got Frog
Figure 25: E-mail found
Section 6: Box six Lion
Reconnaissance
Figure 26: Found it in Frog
Attack Method
Figure 27: Exploit used
Figure 28: Auxiliary TCP
Figure 29: Port access
Results
Figure 30: Files found
Figure 31: GOT LION
Overall Results

Abstract
This paper outlines the methods used to gain access to the seven boxes that have been
set up in the virtual environment. We were required to try to gain access to each of the systems
and determine key information about each system. This information includes the operating
system, system name, port access, and any other interesting pieces of data that can be found on
the systems. In addition to this, we documented the methods and tools used to access the data.
Each section of this report outlines the methods and tools used to access that specific
system as well as the data that was found on the system. It has a detailed report of the attack
methods used to open the systems, including the specific data for that network.
Over the course of this paper we will outline all the steps that were taken to complete the
challenge that was given to us.

Section 1: Box One Spider


Reconnaissance
For reconnaissance on the target we used the Nmap program in Kali Linux to find the first box.
Our Kali Linux box has an IP address of 192.168.1.1. The first box was named Spider, and
it was running Windows XP. We found that the box has an IP address of 192.168.1.90 and a
MAC address of 00:50:56:BB:AD:92. We proceeded to launch a port scan of the box for possible
access points. Refer to Figure 1 for the results of the port scan. After the scan was complete we found
that three ports were open on the 192.168.1.90 box. After the open ports were found we
began the attack phase of the test.
Figure 1: Port scan of Spider

Attack Method
After we determined that port 80 was the best way to get into the box, we used Metasploit in
Kali Linux to find an exploit for HTTP ports. The ms08_067_netapi TCP exploit was used to
gain access to the system. Refer to Figure 2 for the exploit used. Next we determined the
windows/meterpreter/reverse_http payload would work best with the exploit being used. Refer
to Figures 3 and 4 for the payload. With the payload set in the exploit we were ready to
launch the attack against the system. After we were in we launched a Meterpreter shell in the
box to gain control of it. With the attack complete we began searching the system for the data we
needed to move on.

Figure 2: Exploit used

Figure 3: Payload used

Figure 4: Loading payload into exploit

Results
We were able to successfully gain access to the box using the reverse TCP exploit on the HTTP
port 80. Once we had control we used the ipconfig command line prompt and found some
interesting data. There was a second sub directory on the system with an IP address of
192.168.37.90. This is the address of the next box on our list to hack into. After that we were
able to start running the scans for the next box. Refer to Figure 6 for box one completion.

Figure 5: Directory found in system

Figure 6: Completed test of box

Section 2: Box Two Fox


Reconnaissance
After getting the IP address from the first box, Spider, we did a port scan on the address to try
to find any open ports to use as access points. We did an Nmap scan on the 192.168.37.0/24
network range. Refer to Figure 7 for the scan. We found three other boxes set up on the network
with one to three ports open on each box. Target 192.168.37.30 was an FTP that led us to a
chat server. When we tried to access the chat rooms we could only access the first chat room. The
other three were closed because we did not have administration privileges. Refer to Figure 9
for the chat server. We were not able to determine what operating system was running on the server
because it matched up with too many other operating systems. In Figure 9 we show what the chat
room looked like.
Figure 7: Scan of 192.168.37.90

Figure 8: FTP server 192.168.37.30

Figure 9: Easy chat server

Attack Method
For this box we used a reverse TCP exploit using Kali Linux to access the easy chat server. After
we were in we launched a Meterpreter shell to take control of the system. Refer to Figure 10 for
the Metasploit results. After we had control we used the ifconfig command prompt to search the
server directory. Once we were able to use the directory we could see all of the files that were
saved on the system.

Figure 10: Used metasploit to access chat server

Results
The attack phase of the test was successful. We were able to view the directory and search the
files on the server to find secretfile.txt. Refer to Figure 11 for the directory list. Once we found
our target we were able to move on to the next system, Fox. Refer to Figure 12 for
completion results.
Figure 11: Found secret

Figure 12: Got Fox


Section 3: Box Three Owl


Reconnaissance
Using the same port scan we had from the prior system, we already had the IP address for Owl,
which is 192.168.37.30. Our scans only found two open ports on the system: port 21 running FTP
services and port 8080 running http-proxy services. We were able to find exploits to run against
the target and hopefully gain access.
Figure 13: Found open port

Attack Method
We used the easyftp_cwd_fixret exploit to access the server. Refer to Figure 13 for the exploit
readout. The payload we selected was a reverse http payload. This gave us access to the system
and root access. Once we gained access to system 32 we were able to view the directory and start
searching for our files.


Figure 13: Exploits used

Figure 14: got into FTP server

Results
Our attack against Owl was successful and we were able to search the directory for the files we
need to move on. In the directory we found the secretfile2.txt file. From there we completed
the lab and were able to move on to the next system.


Figure 15: Got Owl

Section 4: Box four Mongoose


Reconnaissance
For this system we ran an Nmap scan to try to find open ports on the system but could not locate
any easy access points. Refer to Figure 16 for the scan results. We found a way in but it was going
to be difficult. We found that port 24 was open and running MSQL so we decided to use that port
to access the system. When we looked closer we found that we would need to use a brute force
attack to access the system.


Figure 16: Nmap scans

Attack Method
We used an mssql exploit and brute force to gain access to the system. Refer to Figure 18 for
the brute force list. For the brute force password we used Hydra in Kali Linux to launch the attack
against the system. We accidentally performed a DDoS attack against the server a few times but
after a few hours we were able to access the system. The attack was successful in breaking
into the system. Refer to Figure 17 for the success results.


Figure 17: Attack was success

Figure 18: Brute forced password

Results
The brute force attack by Hydra was successful in breaking into the system. Refer to Figure 20
for the success results. After we were in, we began to launch a Metasploit shell to take control of the
system. Once we had control of the system we were able to give ourselves administration access.
After that we started looking through the files and found secretfile3.txt. Refer to Figure 19
for completion. Once we had the file we moved on to the next system.


Figure 19: Got into Mongoose

Figure 20: Attack was success

Section 5: Box five Frog


Reconnaissance
We did an Nmap scan of the IP address 192.168.37.250 to find a way into Frog. Refer to Figure
20 for the scan. We did not find any open ports but we did find a login site for the server. Refer
to Figure 21 for the login. We found the only way into the server was to brute force the system with
a Hydra attack. Refer to the Attack Method section for details of the attack. Now that we know how we're going
to get in, we are ready to start the attack.


Figure 20: Nmap scan

Figure 21: Access screen for Frog

Attack Method
For Frog we tried a Hydra attack to brute force the password. We created a word list called
rockyou.txt with possible password results. Refer to Figures 22 and 23 for attack details.
Once we had access to the system we found a password and email that allowed us to upgrade our
privileges to administration level. After a few hours we managed to finally break the password
and gain root access to the system. Once we were in we opened a Metasploit shell and took
control of the system. We used ipconfig /all to view all the users on the system. Refer to Figure
26 for the command prompt. Now that the attack is ready to go we can launch it and see what
happens.


Figure 22: Hydra attack


Figure 23: Hydra attack


Figure 26: IPconfig command

Results
Our brute force attack on the system was successful. We learned the password was one of the
email addresses we found, backwards. Refer to Figure 24 for the results of the Hydra attack. In
gaining control of the system we also learned that there is another server on the 192.168.37.0/24
network that was hidden from our early scans. We also found that the other servers are now
useless and cannot help us break into the hidden server; only Frog can. Refer to Figure 26 for
the hidden server finding. Now we can plan out the last phase of the attack.
Figure 24: Hydra successful


Figure 25: Got Frog

Figure 25: E-mail found
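
The finding above, a password that was simply an account's e-mail address written backwards, is the kind of choice a password policy can reject when the password is set. The following is an added example, not part of the original report: a check that refuses passwords built from the account's own identifiers, including reversed and character-substituted forms. The account name, address and substitution table are assumptions made for illustration.

```python
import re
import unicodedata

# Common character substitutions, undone before comparison (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _norm(text):
    """Case-fold and strip accents so cosmetic changes do not hide a match."""
    text = unicodedata.normalize("NFKD", text)
    return "".join(c for c in text if not unicodedata.combining(c)).casefold()


def identifier_tokens(username, email):
    """Strings anyone can derive from what the account exposes."""
    email = _norm(email)
    local, _, domain = email.partition("@")
    tokens = {_norm(username), email, local, domain, domain.split(".")[0]}
    tokens |= set(re.split(r"[._+\-]", local))
    return {t for t in tokens if len(t) >= 4}  # very short tokens match too much


def derived_from_identifier(password, username, email):
    """Return the identifier the password is built from, or None if there is none."""
    pw = _norm(password)
    unleet = pw.translate(LEET)
    candidates = {pw, pw[::-1], unleet, unleet[::-1]}
    # Longest token first, so the most specific match is the one reported.
    for token in sorted(identifier_tokens(username, email), key=lambda t: (-len(t), t)):
        if any(token in c for c in candidates):
            return token
    return None


if __name__ == "__main__":
    # Constructed account and candidate passwords.
    for pw in ["moc.elpmaxe@eod.j", "JD0e!2024", "correct horse battery staple"]:
        print(repr(pw), "->", derived_from_identifier(pw, "jdoe", "j.doe@example.com"))
```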

Section 6: Box six Lion


Reconnaissance
Since the last box is hidden and only accepts traffic from trusted systems, we need to find another
way into the system. The only reconnaissance data that we can find for the system is found in
Frog. After the section was completed we were given the hint to pivot from Frog to the next
system. Refer to Figure 26 for the hint. We know how we have to access the system; we just need
to find out how we're going to access it.


Figure 26: Found it in Frog

Attack Method
Our attack on Lion was successful! In order to attack Lion we had to pivot through Frog to find
Lion first. After we found it we were able to use Metasploit in Kali Linux to gain access to the
system. We used a psexec exploit with an auxiliary TCP payload to get into the system on port 445.
Refer to Figure 27 for the exploits. Refer to Figure 28 for port access information. From here we
were able to gain administrative access and view the files on the system.
Figure 27: Exploit used


Figure 28: Auxiliary TCP

Figure 29: Port access

Results

We were able to locate and hack into the hidden system Lion. We were able to view all the
files on the system and locate the lastsecretfile.txt using the ipconfig /all command line prompt.
Refer to Figure 30 for the files found. We successfully took control of the final box, completing the
last lab. Refer to Figure 31 for completion.

Figure 30: Files found

Figure 31: GOT LION

Overall Results
We have successfully completed every aspect of the lab that was assigned. All boxes, including the
hidden system Lion, have been hacked into. Each box required a different method of attack in
order to gain access. This final was the most difficult and fun test we have ever done.
