Use the bmpsteg tool to see if there are any hidden files:
bmpsteg -r -i example.bmp
BLUE IS BEAUTIFUL ... and ...
GOLD IS GORGEOUS
The rdesktop command allows remote login to a Windows host, much as ssh allows remote access to a Unix host.
aes — a command-line tool for symmetric encryption
md5 — a command-line tool for computing MD5 hashes
bmpsteg — a command-line tool for steganographically hiding and revealing information
Start msfconsole in a terminal window.
exploit. The tool below will generate the commands for you based on the services and operating systems.
The use command selects an exploit (e.g. a buffer overflow exploit of the Apache 2.1.0 web server) to use against a target. A small list of exploits is provided below as a drop-down menu; at least one of them will give you administrator access to at least one of the hosts on your opponent's network. It is up to you and your team to try them all until you find the one that works.
The set command is used to set the target IP address and the payload to use against the target (note: RHOST stands for Remote Host). Do this by entering the following command in the Metasploit console:
Note that Metasploit may take several minutes to either successfully complete the exploit, or give up if it fails. Sometimes an exploit works right away, sometimes after a few minutes, sometimes not at all.
The exploit command executes the exploit and, in our case, will establish a remote shell on the target system. Metasploit is now ready to exploit your vulnerable target. Begin the exploit with the following:
The prompt will read meterpreter>. The meterpreter shell is actually just a program that interprets your commands so that the target system understands them. This is particularly useful when penetrating many systems with different operating systems and different shell commands.
gedit (a Notepad-like text editor for Unix) for editing. Go to Applications --> Accessories --> Gedit.
Type ls into the shell: do you see your filename? If not, ask for help.
Type shell in meterpreter, which will give you a command shell on the host WWW, and then go to ACTIONS for guidance as to what you can do with that shell.
Run john, with the appropriate options and arguments (given below), in your shell (not in the meterpreter shell!). The program john takes an input file containing the password hashes obtained from an actual host. At this point in the lab, you will use JtR to crack the Windows password hash file you obtained above, copied, and saved onto your student host.
john --wordlist=/root/passwords/rockyou.txt hashFileName
Loaded 1 password hash (hashFileName will be whatever filename you chose when you saved the password hashes)
If the output shows only the first half of a password, such as SUPERFL (Administrator:1), and no second part, then you can have JtR leverage the weaknesses specific to the LAN Manager hashing algorithm to finish the job. Enter this command into your shell (again, replace hashFileName with the filename you chose when you saved the password hashes):
john --incremental=lanman hashFileName
Use the --show option to display the passwords in a more user-friendly format (passwords are highlighted in green to show where they appear in the output):
john --show hashFileName
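As an added audit example (not part of the lab handout), the Python script below reads a pwdump-style hash file of the kind saved above and reports which accounts still have a LAN Manager hash stored, and are therefore exposed to the half-by-half weakness that the --incremental=lanman step relies on. The sample lines and non-empty hash values are constructed placeholders; the only real constants are the well-known LM and NT hashes of the empty password.

```python
# Added example (not the lab's own code): audit a pwdump-style hash file of the
# kind the lab saves from the target and report which accounts still have a
# LAN Manager hash stored. LM uppercases the password, splits it into two
# 7-character halves and hashes each half independently, so a half equal to
# the well-known "empty" LM half means that block of the password is blank.
EMPTY_LM_HALF = "aad3b435b51404ee"                   # LM hash of an empty 7-char block
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

def parse_pwdump_line(line):
    """Parse one 'user:rid:lmhash:nthash:::' line into a dict, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
        return None
    return {"user": parts[0], "rid": parts[1],
            "lm": parts[2].lower(), "nt": parts[3].lower()}

def assess_account(entry):
    """Classify how exposed an account's stored hashes are to the LM weakness."""
    first, second = entry["lm"][:16], entry["lm"][16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        # No LM hash stored (LM disabled or password > 14 chars), unless the
        # NT hash is the empty-password hash too, in which case the password is blank.
        blank = entry["nt"] == EMPTY_NT_HASH
        return {"user": entry["user"], "lm_stored": False, "max_len": None,
                "status": "EMPTY PASSWORD" if blank else "no LM hash stored"}
    if second == EMPTY_LM_HALF:
        # Only the first block is populated: the password is at most 7 characters.
        return {"user": entry["user"], "lm_stored": True, "max_len": 7,
                "status": "LM hash stored, password <= 7 chars (one half to crack)"}
    return {"user": entry["user"], "lm_stored": True, "max_len": 14,
            "status": "LM hash stored, password 8-14 chars (two independent halves)"}

def audit_pwdump(text):
    """Assess every parsable line of a pwdump file; unparsable lines are skipped."""
    entries = (parse_pwdump_line(line) for line in text.splitlines())
    return [assess_account(e) for e in entries if e is not None]

# Constructed sample in pwdump format; the non-empty hash values are placeholders.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
shortpw:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
nolm:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
not a hash line
"""

if __name__ == "__main__":
    for r in audit_pwdump(SAMPLE):
        print(f"{r['user']:<14} {r['status']}")
```

Accounts reported with an LM hash stored are the ones to reset and the reason to disable LM hash storage on the host, since an NT-only hash is not split into independently crackable halves.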
findstr /I /P /S "secret confidential" C:\Inetpub\*
Use type "<filename>" (replace <filename> with the actual file name, but keep the quotes) to display the contents of the file(s) on screen. Otherwise, write down the pathname so you can find it later. Once you discover account passwords for this host, you will be able to log in to this host remotely using rdesktop and view the file(s) within the Windows environment.
The key files (index.htm and aboutus.htm) in C:\Program Files\Apache Software Foundation\Apache2\htdocs\ can be modified using
net user <username> <password> /add
net localgroup Administrators <username> /add