image
Home Credits Team CVE

Carleton College
Winter 2023 CS Comps

image
Home Team CVE Credit

Exploiting Security Vulnerabilities

How to Change Your Grades,  the Hard Way

No software is completely secure, not even against six undergrad CS majors with eight weeks on their hands. We replicated existing attacks for historically significant software vulnerabilities and flaws in software used daily at Carleton. We set up vulnerable systems, performed penetration testing with existing POCs (Proof-Of-Concept), and then wrote our own exploits and added them to Metasploit.
Vulneribilities

Tools We Used

Here are some tools we used to perform penetration-testing and automate our exploits
image

Kali Linux

Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering. Learn more
image

Metasploit

The Metasploit Framework is a Ruby-based, penetration testing platform that enables you to write, test, and execute exploit code. It is a collection of commonly used tools, providing complete environment for penetration testing and exploit development. Learn more
image

Metasploitable2

Metasploitable 2 is an intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities, compatible with VMWare, VirtualBox, and other common virtualization platforms. Learn more
CVEs We Exploited CVE is short for Common Vulnerabilities and Exposures. It is a list of publicly disclosed computer security flaws. After studying the CVE database, we selected a small collection of CVEs for which to write exploits and set up automated attacks in Metasploit. Here are the list of CVEs we explored.
image
Apache Log4J CVE-2021-44228 Zero-day vulnerability in the Apache Log4j that allows easy-to-exploit remote code execution in Java applications Learn More
image

Moodle

Taking Over Moodle Demonstration of 4 vulnerbilities:
CVE-2020–25627, CVE-2020–14321, CVE-2020–25629, CVE-2019-11631 Learn More
image

EternalBlue

CVE-2017-0144 Zero-day Windows 7 exploit allowig arbitrary code execution by sending crafted messages to SMBv1 server Learn More
image
WordPress CVE-2022-1329 WordPress plugin vulnerability that allows attackers to upload malicious files to obtain remote code execution Learn More
image
Confluence CVE 2022-26134 An OGNL injection vulnerability that allows remote code execution on a Confluence Server or Data Center instance Learn More
image
Shellshcok CVE-2014-6271 Bash vulnerability that allows remote command execution through environment variables unintentionally Learn More
image
Andriod NMap CVE-2014-2630 NMap vulnerbility that allows hackers to escalate their privileges to those NMap has, often resulting in root access
Learn More
Carleton College CVE Comps, 2023