OSCP Quals33
for
Offensive Security Certification
Pre-Selection Test
v.1.0
©
All rights reserved to AB Conseils, 2012
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from AB Conseils.
1 | Page
Table of Contents
1.1 Introduction 4
1.2 Objective 4
1.3 Requirements 4
2.1 Recommendations 6
3.0 Methodologies 6
3.2 Penetration 7
Dumped: 10.20.206.88 7
Service Enumeration 7
Exposed: 10.20.206.129 11
Service Enumeration 11
Privilege Escalation 13
Tears: 10.20.206.98 14
Service Enumeration 14
Privilege Escalation 15
Shared: 10.20.206.195 17
Service Enumeration 17
EggShell: 10.20.206.60 20
Service Enumeration 20
Crippled: 10.20.206.146 23
Service Enumeration 23
Privilege Escalation 25
Lazy: 10.20.206.238 27
Service Enumeration 27
Privilege Escalation 29
Green: 10.20.206.158 31
Service Enumeration 31
Privilege Escalation 34
Disclosed: 10.20.206.196 35
Service Enumeration 35
Privilege Escalation 37
Gate: 10.20.206.214 39
Service Enumeration 39
Niba-DC : 10.20.206.48 41
Service Enumeration 41
Niba: 10.20.206.22 44
Service Enumeration 44
1.0 SEC-DOJO Lab Penetration Test Report
1.1 Introduction
The SEC-DOJO Lab penetration test report documents all work performed in order to qualify for the
Offensive Security certification. This report will be graded on correctness and completeness across
all aspects of the exam. The purpose of this report is to ensure that the student has a full
understanding of penetration testing methodologies as well as the technical knowledge required to pass
the qualifications for the Offensive Security Certified Professional.
1.2 Objective
The objective of this assessment is to perform an internal penetration test against the Sec-DOJO Lab
network. The student is tasked with following a methodical approach in obtaining access to the objective
goals. This test should simulate an actual penetration test from beginning to end, including the overall
report. An example page has already been created in the later portions of this document that should give
ample information on what is expected to pass this course. Use the sample report as a guideline for the
reporting.
1.3 Requirements
The student will be required to fill out this penetration testing report fully and to include the following
sections:
2.0 High-Level Summary
I was tasked with performing an internal penetration test towards the SEC-DOJO Lab Exam. An internal
penetration test is a dedicated attack against internally connected systems. The focus of this test is to
perform attacks similar to those of a real attacker and attempt to infiltrate SEC-DOJO Lab’s internal exam
systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while
reporting the findings back to AB Conseils.
When performing the internal penetration test, several alarming vulnerabilities were identified on
SEC-DOJO’s network. I was able to gain access to multiple machines, primarily due to missing patches and
poor security configurations, and obtained administrative-level access on 11 of the 12 systems; on the
remaining host (Gate) only user enumeration was achieved. These systems, together with a brief description
of how access was obtained, are listed below:
LAB1 (Westeros) :
● 10.20.206.88 (Dumped) - Extract Administrator Hash Through World Accessible LSASS Dump
● 10.20.206.215 (Exposed) - RCE in Rejetto HTTP File Server 2.3.x
● 10.20.206.98 (Tears) - RCE in SMB Service (MS17-010, EternalBlue)
● 10.20.206.195 (Shared) - Extract Administrator Hash Through a SAM Dump inside World
Readable Backup Share
● 10.20.206.60 (EggShell) - Domain Administrator Through Subverting Netlogon (ZeroLogon
Exploit)
LAB2 (Braavos) :
● 10.20.206.146 (Crippled) - Crack Nagios Password Through a World Readable NFS Directory
● 10.20.206.238 (Lazy) - Wordpress Admin Shell Upload Exploit (Weak Credentials)
● 10.20.206.158 (Green) - World Accessible PhpMyAdmin with Weak Credentials
● 10.20.206.196 (Disclosed) - Cracked Admin Password Through Anonymously Readable LDAP Directory
● 10.20.206.214 (Gate) - SMTP VRFY Option allows User Enumeration
LAB3 (WinAcl) :
● 10.20.206.48 (Niba-DC) - Domain Administrator Through Subverting Netlogon (ZeroLogon
Exploit)
● 10.20.206.22 (Niba) - Pivot Through Domain Controller (Pass-The-Hash Attack)
2.1 Recommendations
I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot
exploit these systems in the future. One thing to remember is that these systems require frequent patching
and, once patched, should remain on a regular patch program to protect against additional vulnerabilities
that are discovered at a later date.
3.0 Methodologies
I utilized a widely adopted approach to performing penetration testing that is effective in testing how well
the SEC-DOJO Lab environment is secured. Below is a breakout of how I was able to identify and exploit
the variety of systems and includes all individual vulnerabilities found.
The information gathering portion of a penetration test focuses on identifying the scope of the penetration
test. During this penetration test, I was tasked with exploiting the exam network. The specific IP
addresses were:
Exam Network :
LAB1:
- 10.20.206.88
- 10.20.206.215
- 10.20.206.98
- 10.20.206.195
- 10.20.206.60
LAB2:
- 10.20.206.146
- 10.20.206.238
- 10.20.206.158
- 10.20.206.196
- 10.20.206.214
LAB3:
- 10.20.206.22
- 10.20.206.48
3.2 Penetration
The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
During this penetration test, I was able to successfully gain access to 11 out of the 12 systems.
Dumped: 10.20.206.88
Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what
services are alive on a system or systems. This is valuable for an attacker as it provides detailed
information on potential attack vectors into a system. Understanding what applications are running on the
system gives an attacker needed information before performing the actual penetration test. In some cases,
some ports may not be listed.
Server IP Address Ports Open
10.20.206.88 TCP: 80, 135, 139, 445, 3389, 5985, 47001, 49664, 49665, 49666, 49667, 49669, 49670, 49673
UDP:
Nmap Scan Results:
The machine seems to be a Windows Server 2008 running some default services.
Visiting the website reveals a static directory listing (probably a Python http.server) that exposes
several local files :
- iexplorer.dmp : a memory dump of Internet Explorer; it may leak sensitive information such as the web
cache, visited URLs and possibly credentials.
- ServerManager.dmp : a memory dump of Server Manager, with information about the services running on the
Windows server.
- lsass.dmp : a memory dump of the LSASS process, which holds the credential material (NTLM hashes,
Kerberos keys and, when WDigest is enabled, cleartext passwords) of every account that has logged on.
Vulnerability Explanation: The Local Security Authority Subsystem Service (lsass.exe) is the Windows
process that enforces the security policy and performs authentication. When a user logs on to a machine,
their credentials are cached in this process’s memory, as NTLM hashes and/or plaintext passwords, so a
dump of the process is as good as the credentials themselves.
We brought the file to our local machine and used pypykatz, the Python implementation of the Mimikatz
tool, whose main purpose is to extract credentials from Windows memory. Its lsa minidump module reads and
extracts the credentials saved in the “lsass.dmp” file :
Now that we have the NT hash we can use it directly. In NTLM authentication the client never sends the
password: it proves knowledge of the NT hash by computing a response to the server’s challenge, and the
server checks that response against the same hash it has stored. Supplying the dumped hash in place of the
password therefore produces a response the server cannot distinguish from a legitimate one. This is what a
Pass-the-Hash attack is in a nutshell.
Vulnerability Fix:
- Protect the website with strong authentication (login page, access restricted to internal users,
etc.): OWASP Authentication Best Practices
- Run LSASS as a protected process (RunAsPPL) and enable Credential Guard, so that a dump of the process
no longer contains usable credentials; disable WDigest so that no cleartext passwords are cached
- If the dumps are needed for debugging purposes, share them over an authenticated channel
(access-controlled SMB shares, scp, rsync over SSH, etc.) and delete them afterwards
Proof of Concept: We can use wmiexec.py to perform the Pass-The-Hash attack :
Proof.txt Screenshot:
Proof.txt Contents:
● Dumped_Redouane-Taoussi-dcq73j3erj5orvlz5dyg4hd7df94unkp
Exposed: 10.20.206.129
Service Enumeration
Server IP Address Ports Open
10.20.206.129 TCP: 80, 135, 139, 445, 3389, 49153, 49154, 49155, 49161
UDP:
Nmap Scan Results:
Visiting the website reveals that it’s an HTTP File Server (HFS) :
Looking down the page, we can find the version of the server which is HFS 2.3:
Searching for known vulnerabilities :
Vulnerability Explanation:
According to the CVE details for this vulnerability (CVE-2014-6287), the findMacroMarker function in
parserLib.pas in Rejetto HTTP File Server (also known as HFS or HttpFileServer) 2.3x before 2.3c allows
remote attackers to execute arbitrary programs via a %00 sequence in a search action.
Vulnerability Fix: Update Rejetto HFS to a fixed release (2.3c or later; 2.3m was the latest version at
the time of testing)
Privilege Escalation
Vulnerability Exploited: Named Pipe Impersonation (In Memory/Admin)
Vulnerability Explanation: Named pipes are a Windows IPC mechanism that lets two unrelated processes
exchange data, locally or across hosts over SMB. The process that owns a pipe can call
ImpersonateNamedPipeClient and obtain the access token of whatever client connects to it. The technique
(Meterpreter’s getsystem) creates a pipe, provokes a SYSTEM-level service into connecting to it, and steals
the SYSTEM token during that connection.
Vulnerability Fix: Patch the HFS vulnerability that gave the initial foothold and run the web server under
a low-privilege account. Detect the technique with a SIEM rule that correlates the creation of a named pipe
by a non-system process with a connection to it shortly afterwards (Sysmon event IDs 17 and 18).
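The correlation described in the fix, as an added example that is not from the original report (the same rule applies to the identical privilege escalation reported on Tears): the records below are constructed in the shape of Sysmon event ID 17 (pipe created) and 18 (pipe connected); the image paths, pipe names and process IDs are invented, and the allow-list of legitimate pipe creators is an assumption to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed events in the shape of Sysmon ID 17 (Pipe Created) / 18 (Pipe Connected).
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2020-12-01 10:00:01.000", "PipeName": "\\lsass",
     "Image": "C:\\Windows\\System32\\lsass.exe", "ProcessId": 620},
    {"EventID": 18, "UtcTime": "2020-12-01 10:00:01.200", "PipeName": "\\lsass",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 900},
    # Web-server process creates a random pipe; a cmd.exe started as a service connects 0.3 s later.
    {"EventID": 17, "UtcTime": "2020-12-01 10:05:10.000", "PipeName": "\\wmsvc-rj3k",
     "Image": "C:\\hfs\\hfs.exe", "ProcessId": 4412},
    {"EventID": 18, "UtcTime": "2020-12-01 10:05:10.300", "PipeName": "\\wmsvc-rj3k",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 4480},
    # Connection to a pipe whose creation we never saw (pre-existing spooler pipe): ignored.
    {"EventID": 18, "UtcTime": "2020-12-01 10:07:00.000", "PipeName": "\\spoolss",
     "Image": "C:\\Windows\\System32\\spoolsv.exe", "ProcessId": 1500},
]

# Assumed allow-list of images that legitimately create pipes which SYSTEM services connect to.
KNOWN_PIPE_CREATORS = {
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\spoolsv.exe",
    "c:\\windows\\system32\\svchost.exe",
}
WINDOW = timedelta(seconds=5)


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect_pipe_impersonation(events, window=WINDOW, allow=KNOWN_PIPE_CREATORS):
    """Alert when a pipe created by a non-allow-listed process is connected to by a
    different process within `window`: the create-then-coerce pattern of getsystem."""
    created = {}   # pipe name (lower-cased) -> creating event
    alerts = []
    for ev in sorted(events, key=_ts):
        name = ev["PipeName"].lower()
        if ev["EventID"] == 17:
            created[name] = ev
            continue
        if ev["EventID"] != 18 or name not in created:
            continue
        creator = created[name]
        delta = _ts(ev) - _ts(creator)
        suspicious = (creator["Image"].lower() not in allow
                      and creator["ProcessId"] != ev["ProcessId"]
                      and delta <= window)
        if suspicious:
            alerts.append({"pipe": ev["PipeName"], "creator": creator["Image"],
                           "client": ev["Image"], "delta_s": delta.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_pipe_impersonation(SAMPLE_EVENTS):
        print(alert)
```

In production the allow-list should be built from a baseline of the environment’s own pipe creators, and the rule should additionally check that the connecting process runs as SYSTEM (the User field of the process-create event), which the constructed records do not carry.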
Severity: Critical
Proof.txt Screenshot:
Proof.txt Contents:
● Exposed_Redouane-Taoussi-n929imz70gv86spp0fctkherelyl944p
Tears: 10.20.206.98
Service Enumeration
Server IP Address Ports Open
10.20.206.98 TCP: 135, 139, 445, 3389, 49152, 49153, 49154, 49155, 49160
UDP:
Nmap Scan Results:
The first thing we notice from the nmap scan is that the SMB port reveals that the machine is Windows 7
build 7601 (SP1). It is highly probable that this version is vulnerable to the leaked NSA exploit known as
EternalBlue (MS17-010).
Vulnerability Explanation:
The vulnerability (CVE-2017-0144) exists because the SMB version 1 (SMBv1) server in various versions of
Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute
arbitrary code on the target computer. More details can be found in Microsoft’s MS17-010 security bulletin.
Vulnerability Fix: Disable SMBv1 and apply the MS17-010 patch recommended by Microsoft
Proof of Concept:
Privilege Escalation
Vulnerability Exploited: Named Pipe Impersonation (In Memory/Admin)
Vulnerability Explanation: Named pipes are a Windows IPC mechanism that lets two unrelated processes
exchange data, locally or across hosts over SMB. The process that owns a pipe can call
ImpersonateNamedPipeClient and obtain the access token of whatever client connects to it; the technique
creates a pipe, provokes a SYSTEM-level service into connecting to it, and steals the SYSTEM token during
that connection.
Vulnerability Fix: Patch MS17-010 so that the initial foothold is removed. Detect the technique with a SIEM
rule that correlates the creation of a named pipe by a non-system process with a connection to it shortly
afterwards (Sysmon event IDs 17 and 18).
Severity: Critical
Proof Screenshot:
Proof.txt Contents:
There was no proof.txt because of problems with the machine while it loaded its default configuration :
We can confirm that by searching recursively from the C: drive for files named proof.txt :
Shared: 10.20.206.195
Service Enumeration
Server IP Address Ports Open
UDP:
Nmap Scan Results:
From the smb service, we can tell that the machine is a Windows Server 2016.
Extract Administrator Hash Through a SAM Dump inside a World Readable SMB Backup Share
Running nmap’s default SMB scripts showed that there is a Backup share on the SMB service :
This share contains three exported registry hives: SAM, SECURITY and SYSTEM.
Vulnerability Explanation:
The SAM hive stores the local accounts’ password hashes (NT hashes), encrypted with a key derived from
the boot key that lives in the SYSTEM hive; the SECURITY hive holds LSA secrets such as service account
passwords and cached domain logon credentials.
(https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives ) With all three files, the hashes
can be decrypted offline without ever touching the live host.
Vulnerability Fix: Remove the registry backups from the share, restrict the share and NTFS permissions to
the backup operators who need them, and encrypt backups at rest.
Proof of Concept :
Using the Impacket script secretsdump.py with the three hives, we can dump the Administrator hash :
Proof Screenshot:
Proof.txt Contents:
● Shared_Redouane-Taoussi-58dnd37u6hrxas3nphlg0azr6dh8lp7m
EggShell: 10.20.206.60
Service Enumeration
Server IP Address Ports Open
UDP:
Nmap Scan Results:
The SMB service reveals that this machine is a Windows Server 2016.
The DNS service also suggests that this host is the Domain Controller.
Given the Windows Server 2016 version and the list of Windows releases affected by the recently disclosed
ZeroLogon vulnerability, I tested whether this DC was affected. And it was vulnerable !
Vulnerability Explanation:
ZeroLogon (CVE-2020-1472) is a flaw in the Netlogon Remote Protocol (MS-NRPC). The client credential is
computed with AES-CFB8 under the session key using an all-zero IV, so for roughly one session key in 256
an all-zero client challenge encrypts to an all-zero credential. An unauthenticated attacker who repeats
the NetrServerAuthenticate3 handshake with a zero challenge and a zero credential is therefore accepted
within a few hundred attempts, after which NetrServerPasswordSet2 can be called to set the domain
controller’s machine account password to an empty string.
Proof of Concept :
Using the metasploit module, we can run the ZeroLogon exploit against the Domain Controller SRV-DC1
of lab.secdojo.local :
This exploit sets the password of the Domain Controller’s machine account to an empty string. Note that
this breaks the DC’s own Netlogon channel and replication, so the original machine account password must
be restored from the dumped secrets once the hashes are collected.
After that we can use a DCSync attack to dump all the hashes :
Now that we have all the hashes, we can use Pass-The-Hash to get Administrator over the whole
lab.secdojo.local domain :
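The cryptographic core of ZeroLogon, as an added worked example that is not from the original report (it applies equally to the Niba-DC exploitation in LAB3): Netlogon’s ComputeNetlogonCredential encrypts the 8-byte challenge with AES-CFB8 under the session key and an all-zero IV. The simulation replaces AES with a SHA-256 based stand-in block cipher (an assumption made so the example runs without a crypto library; the CFB8 structure and the zero IV are what matter) and shows that a client sending an all-zero challenge and an all-zero credential is accepted for about one session key in 256, which is why the exploit simply retries the handshake.

```python
import hashlib

BLOCK = 16
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one 16-byte block (assumption: any PRF shows the
    CFB8 defect; the real protocol uses AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit feedback unit: each byte is XORed with the first byte of
    E_k(shift register), then the ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES variant): CFB8 over the 8-byte challenge, zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def server_accepts_zero_credential(session_key: bytes) -> bool:
    """NetrServerAuthenticate3 check when the attacker sends challenge = 0^8 and credential = 0^8.
    With a zero IV and zero plaintext the register stays all-zero whenever E_k(0^16)[0] == 0,
    so every ciphertext byte is 0 and the forged credential matches."""
    client_challenge = bytes(8)
    claimed_credential = bytes(8)
    return compute_netlogon_credential(session_key, client_challenge) == claimed_credential


def keystream_first_byte_is_zero(session_key: bytes) -> bool:
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def session_key_for(attempt: int) -> bytes:
    """Deterministic stand-in for the session key derived from a fresh server challenge."""
    return hashlib.sha256(b"session" + attempt.to_bytes(4, "big")).digest()[:16]


def simulate_attack(max_attempts: int = 5000):
    """Retry the handshake; every attempt gets a new session key. Returns the first accepted attempt."""
    for attempt in range(1, max_attempts + 1):
        if server_accepts_zero_credential(session_key_for(attempt)):
            return attempt
    return None


def success_count(max_attempts: int = 5000) -> int:
    """How many of the first `max_attempts` session keys accept the forgery (expected ~1/256)."""
    return sum(server_accepts_zero_credential(session_key_for(i)) for i in range(1, max_attempts + 1))


if __name__ == "__main__":
    print("first accepted attempt:", simulate_attack())
    print("accepted out of 5000:", success_count())
```

The fix in the patched Netlogon is not a different cipher mode but a server-side rejection of credentials whose first five bytes are zero, plus enforced signing and sealing of the channel; the 1/256 property of CFB8 with a fixed IV remains, which is why the protocol-level check is what Microsoft’s enforcement mode turns on.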
Proof Screenshot:
Proof.txt Contents:
● Eggshell_Redouane-Taoussi-7n20hzww0btcodyjgoaqgks2cabi8h5v
3.2.2 LAB2 (Braavos)
Crippled: 10.20.206.146
Service Enumeration
Server IP Address Ports Open
UDP:
Nmap Scan Results:
Crack User Password Through a World Readable NFS Directory that Contains a Shadow File
The SSH service shows that we are dealing with a Linux (Ubuntu) machine.
First, we check whether the host exports any NFS directories :
Vulnerability Explanation:
The /etc directory holds the passwd and shadow files; shadow stores the password hashes of all users and
is normally readable only by root.
In our case the shadow file itself was not world readable, but the export contained a backup copy of
shadow with the SHA-512 crypt hash of the nagios user.
Vulnerability Fix: Restrict NFS exports to the hosts that need them (host list in /etc/exports) and never
place copies of /etc/shadow or other root-only files under an exported directory; keep backups readable by
root only (mode 0600).
Proof of Concept:
The password for the user nagios is nagios… which was easy to guess !
We can then use the password to connect using ssh.
Privilege Escalation
Once connected as nagios, we check whether we have the privilege to execute any command as the root user :
Vulnerability Explanation:
The user nagios can execute /scripts/*/*/setup.sh with root privileges without supplying a password
(NOPASSWD). Because the sudoers entry contains wildcards, any path that matches the pattern is allowed,
including one the attacker creates.
This can be abused by placing malicious commands in a setup.sh file at a matching path.
Vulnerability Fix: Remove the wildcards from the sudoers rule and point it at a single, fixed script in a
root-owned, non-writable directory (or drop the rule entirely).
Exploit Code:
We create two directories a and b so that the path /scripts/a/b exists, then create a setup.sh inside it
that executes a reverse shell back to our machine :
Proof Screenshot:
Proof.txt Contents:
● Crippled_Redouane-Taoussi-ipzpe7t6by5ryslcb7u5xoa6gem7bv0k
Lazy: 10.20.206.238
Service Enumeration
Server IP Address Ports Open
10.20.206.238 TCP: 22, 80
UDP:
Nmap Scan Results:
Since we have only 2 ports and ssh doesn’t seem to be vulnerable, we will focus on the http port.
We start by visiting the website :
Vulnerability Explanation:
Going to the login page at wp-login.php and trying some default credentials such as admin:admin
gives us access to the website as an admin :
The nmap scan shows that the WordPress version is 5.5.1. This is not a bug in that version: any WordPress
administrator can upload a plugin or theme containing PHP through the admin panel, so admin credentials are
equivalent to code execution (Metasploit’s wp_admin_shell_upload module automates this).
Vulnerability Fix:
- Use a strong password policy (minimum 12 characters mixing uppercase, lowercase, numbers and special
characters) and enable two-factor authentication for administrators
- Prevent plugin and theme uploads from the admin panel (DISALLOW_FILE_MODS in wp-config.php)
Proof of Concept:
Privilege Escalation
The whole home directory of the uadmin user is world readable, including the .ssh folder.
Vulnerability Exploited: Weak permissions on the private SSH key of the uadmin user
Vulnerability Explanation: From the web shell we can read the private key of the uadmin user and use it to
connect as uadmin.
Vulnerability Fix: Set the home directory to 0750, ~/.ssh to 0700 and private keys to 0600; protect private
keys with a passphrase.
Exploit Code:
uadmin is effectively a root user: sudo allows him to execute any command as root :
Proof Screenshot:
Proof.txt Contents:
● Lazy_Redouane-Taoussi-ws2veeuvw1dzr8b99z8d0jabpcanq48d
Green: 10.20.206.158
Service Enumeration
Server IP Address Ports Open
10.20.206.158 TCP: 22, 80
UDP:
Nmap Scan Results:
Default credentials admin:admin work on the login page :
All the functionalities (Users, Apartments, Search) were vulnerable to SQL injection or XSS.
Rather than going through that long route, maybe we can find a shorter path ?
Vulnerability Explanation:
Doing a directory enumeration shows that there is a phpmyadmin available on the website :
The PhpMyAdmin was world accessible and protected with weak credentials admin:admin :
A table in the database holds sensitive data, including user credentials in cleartext.
Vulnerability Fix: Do not expose phpMyAdmin publicly (restrict it to an administration network or VPN and
put it behind an authenticating reverse proxy), replace the default credentials with strong unique ones,
and store application passwords as salted hashes rather than cleartext.
Proof of Concept:
Local.txt Screenshot:
Local.txt Contents:
● Green_Redouane-Taoussi-dvcxyu0blt9mlreic14ubgdr0n1jsose
Privilege Escalation
Vulnerability Exploited: Privilege Escalation Through Exploiting Sudo Right
Vulnerability Explanation:
The user ubuntu can execute any command with root privileges via sudo. In other words, ubuntu is just
another root user !
Vulnerability Fix: Restrict the sudoers entry to the specific commands the account needs, and require a
password.
Exploit Code:
Proof Screenshot:
Proof.txt Contents:
● Green_Redouane-Taoussi-67lx7yyodaggqw5gmgkqxabmrmex9fx3
Disclosed: 10.20.206.196
Service Enumeration
Server IP Address Ports Open
10.20.206.196 TCP: 22, 389
UDP:
Nmap Scan Results:
The LDAP service allows anonymous binds: any client can query it, without credentials, for anything stored
in the directory.
Vulnerability Explanation:
The ldapsearch tool allows you to execute queries against the LDAP server. Before using it, we need to
find the base DN (the dc= components of the naming context), which we can grab with:
An attacker can then use that base DN to query for other sensitive information.
Vulnerability Fix: Disable anonymous binds, and add an ACL so that userPassword is never readable and is
only used for authentication (for OpenLDAP: access to attrs=userPassword by self write by anonymous auth
by * none); store passwords with a salted scheme such as {SSHA} or {CRYPT} with SHA-512 rather than {MD5}
or cleartext.
Proof of Concept:
We can input this into our query to enumerate more detailed information. The complete command is this:
After we run the ldapsearch command, we get a pretty verbose output including information about
organizational units (OU), usernames, and the userPassword attribute.
Nmap’s ldap-search script extracts the userPassword values from the response and base64-decodes them;
some passwords are stored in cleartext and others as {SSHA} or {MD5} hashes :
The cleartext password didn’t work. We tried first to crack the SSHA hash but with no success. Let’s try
and crack the MD5 hash :
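Checking the recovered userPassword values offline, as an added example that is not from the original report: the functions below handle the RFC 2307 storage schemes seen in such dumps, cleartext, {MD5}, {SHA} and {SSHA} (salted SHA-1 with the salt appended to the digest before base64 encoding), and run a small wordlist against constructed directory entries. The DNs, the stored values and the wordlist are made up for the example; {CRYPT} values are reported as unsupported rather than guessed at.

```python
import base64
import hashlib
import hmac


def ldap_hash(scheme: str, password: str, salt: bytes = b"") -> str:
    """Produce a userPassword value the way an LDAP server stores it."""
    pw = password.encode()
    if scheme == "SSHA":
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    raise ValueError(f"unsupported scheme {scheme}")


def ldap_verify(stored: str, candidate: str) -> bool:
    """True if `candidate` is the password behind a userPassword value."""
    if not stored.startswith("{"):                       # no scheme prefix: stored in cleartext
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    pw = candidate.encode()
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]                # 20-byte SHA-1 digest, then the salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError(f"unsupported scheme {scheme}")


def crack_entries(entries: dict, wordlist: list) -> dict:
    """entries maps DN -> userPassword; returns DN -> recovered password, 'UNSUPPORTED' or None."""
    results = {}
    for dn, stored in entries.items():
        results[dn] = None
        for word in wordlist:
            try:
                if ldap_verify(stored, word):
                    results[dn] = word
                    break
            except ValueError:
                results[dn] = "UNSUPPORTED"
                break
    return results


# Constructed entries standing in for what the ldap-search script decoded.
SAMPLE_ENTRIES = {
    "uid=svc-backup,ou=people,dc=disclosed,dc=local": "Summer2020",                # cleartext
    "uid=admin,ou=people,dc=disclosed,dc=local": "{MD5}X03MO1qnZdYdgyfeuILPmQ==",  # md5("password")
    "uid=ubuntu,ou=people,dc=disclosed,dc=local": ldap_hash("SSHA", "letmein", salt=b"\x01\x02\x03\x04"),
    "uid=legacy,ou=people,dc=disclosed,dc=local": "{CRYPT}$6$saltsalt$notarealhash",
}
SAMPLE_WORDLIST = ["123456", "password", "letmein", "admin", "Summer2020"]

if __name__ == "__main__":
    for dn, pw in crack_entries(SAMPLE_ENTRIES, SAMPLE_WORDLIST).items():
        print(dn, "->", pw)
```

{SSHA} needs the salt extracted from each stored value, which is why a generic MD5 cracker mode works on the {MD5} value while the SSHA value needs a salted-SHA-1 mode (or this verifier); unsalted {MD5} and {SHA} are also directly comparable against precomputed tables.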
Privilege Escalation
Vulnerability Exploited: Privilege Escalation Through Exploiting Sudo Right
Vulnerability Explanation:
The user ubuntu can execute the apt command with root privileges. apt can be abused to run other commands
as root, for example through the APT::Update::Pre-Invoke hook option or by escaping to a shell from the
pager that apt-get changelog opens.
Vulnerability Fix: Remove the sudo rule; if package management must be delegated, use an unprivileged
update mechanism or a wrapper script that accepts no arbitrary options.
Severity: Critical : https://cwe.mitre.org/data/definitions/250.html
Exploit Code:
Proof Screenshot:
Proof.txt Contents:
● Disclosed_Redouane-Taoussi-d1myehhsjkrjk9xceq1kg0hqsxvr9of3
Gate: 10.20.206.214
Service Enumeration
Server IP Address Ports Open
10.20.206.214 TCP: 22, 25
UDP:
Nmap Scan Results:
Any client able to talk to the SMTP server can enumerate valid local users.
Vulnerability Explanation: The server accepts the VRFY command and answers differently for existing and
unknown mailboxes (a 2xx confirmation versus a 5xx rejection), so an unauthenticated attacker can confirm
usernames one by one and feed them into password attacks against SSH.
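The VRFY exchange with both sides, as an added example that is not from the original report: a minimal in-process SMTP responder stands in for the target MTA (its mailbox list, banner and reply texts are constructed), and the client side uses Python’s smtplib to verify a list of candidate names. Switching the responder to the hardened behaviour (a 252 “cannot verify” answer for every name) shows what the fix looks like from the attacker’s side.

```python
import smtplib
import socketserver
import threading

# Constructed mailbox list standing in for the target's real accounts (assumption).
VALID_USERS = {"root", "adm", "postmaster"}


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to show how VRFY answers leak account names."""

    def handle(self):
        self.wfile.write(b"220 gate.example ESMTP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = b"250 gate.example\r\n"
            elif verb == "VRFY":
                if not self.server.vrfy_enabled:
                    reply = b"252 2.5.2 Cannot VRFY user\r\n"             # hardened MTA: no oracle
                elif arg in VALID_USERS:
                    reply = f"250 2.1.5 {arg} <{arg}@gate.example>\r\n".encode()
                else:
                    reply = f"550 5.1.1 {arg}: Recipient address rejected: User unknown\r\n".encode()
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                reply = b"502 5.5.2 Command not implemented\r\n"
            self.wfile.write(reply)


def start_fake_mta(vrfy_enabled: bool):
    """Run the responder on a random loopback port in a background thread."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    server.vrfy_enabled = vrfy_enabled
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def enumerate_users(host: str, port: int, candidates):
    """Attacker side: VRFY each candidate. 250 confirms, 550 denies, 252 means the server
    refuses to confirm anything, so enumeration is blocked. Returns (found, enumerable)."""
    found = []
    with smtplib.SMTP(host, port, local_hostname="attacker", timeout=5) as smtp:
        smtp.helo()
        for name in candidates:
            code, _ = smtp.verify(name)
            if code == 252:
                return [], False
            if code == 250:
                found.append(name)
    return found, True


if __name__ == "__main__":
    mta = start_fake_mta(vrfy_enabled=True)
    print(enumerate_users("127.0.0.1", mta.server_address[1], ["adm", "bob", "root", "www"]))
    mta.shutdown()
    mta.server_close()
```

Against a real MTA the same loop is what tools like smtp-user-enum run; the only difference the hardened configuration makes is that every answer becomes 252, so the attacker learns nothing from the reply code.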
Vulnerability Fix: Disable VRFY (and EXPN) on the MTA, for example with disable_vrfy_command = yes in
Postfix, or configure it to answer 252 for every request; rate-limit and log SMTP commands from
unauthenticated clients.
Proof of Concept:
This could have been combined with an SSH Brute force for the user adm
Proof Screenshot:
Proof.txt Contents:
3.2.3 LAB3 (WinAcl)
NOTE:
I could have used the same exploit to pwn the whole LAB1 in a shorter time but I did the LAB1 as it
was intended.
For the LAB3, I know this wasn’t the intended solution, but since I didn't have time and I could see
another shorter path to pwn the LAB, I took it.
I will come back for this LAB in January to do it the intended way and test the platform.
Niba-DC : 10.20.206.48
Service Enumeration
Server IP Address Ports Open
10.20.206.48 TCP: 53, 135, 139, 445, 3268, 3389
UDP:
Nmap Scan Results:
The SMB service reveals that this machine is a Windows Server 2016.
The DNS service also reveals that it is a Domain Controller.
Given the Windows Server 2016 version and the list of Windows releases affected by the recently disclosed
ZeroLogon vulnerability, I tested whether this DC was affected. And it was vulnerable !
Vulnerability Explanation:
ZeroLogon (CVE-2020-1472) is a flaw in the Netlogon Remote Protocol (MS-NRPC). The client credential is
computed with AES-CFB8 under the session key using an all-zero IV, so for roughly one session key in 256
an all-zero client challenge encrypts to an all-zero credential. An unauthenticated attacker who repeats
the NetrServerAuthenticate3 handshake with a zero challenge and a zero credential is therefore accepted
within a few hundred attempts, after which NetrServerPasswordSet2 can be called to set the domain
controller’s machine account password to an empty string.
Vulnerability Fix: Apply the patch suggested by Microsoft and enable the enforcement mode that requires
secure RPC for all Netlogon channels.
Proof of Concept :
We first scan the smb for more information about the NetBIOS Name and the domain name :
Using the metasploit module, we can run the ZeroLogon exploit against the Domain Controller
EC2AMAZ-OTF6H7V of niba.local :
This exploit sets the password of the Domain Controller’s machine account to an empty string; the original
machine account password must be restored from the dumped secrets afterwards, or the DC’s own Netlogon
channel and replication break.
After that we can use a DCSync attack to dump all the hashes :
Now that we have all the hashes, we can use Pass-The-Hash to get Administrator over the whole niba.local
domain :
Proof Screenshot:
Proof.txt Contents:
● niba_dc_Redouane-Taoussi-pkrmpkvf9x99b0ytv4cqnnue2ci32ipp
Niba: 10.20.206.22
Service Enumeration
Server IP Address Ports Open
10.20.206.22 TCP: 135, 139, 445, 3389
UDP:
Nmap Scan Results:
The Administrator hash dumped from the DC can be used to connect to the NIBA client machine without
knowing the password.
Vulnerability Explanation:
In NTLM authentication the client proves knowledge of the NT hash, not of the password: it computes a
response to the server’s challenge from the hash, and the server verifies it against the same stored hash.
Supplying a dumped hash in place of the password therefore yields a response the server cannot tell apart
from a legitimate one. This is what a Pass-the-Hash attack is in a nutshell.
Vulnerability Detection:
Detecting PtH reliably requires several complementary measures:
● Monitor for known PtH tooling (Impacket’s wmiexec/psexec/smbexec, Mimikatz) and for the logon events
they produce (event 4624 with NTLM as the authentication package from unexpected sources; logon type 9
for a local Mimikatz pass-the-hash)
● Monitor unusual activity on hosts, such as attempts to open or dump the LSASS process (Sysmon)
● Monitor changes to configuration that attackers alter to enable PtH (LocalAccountTokenFilterPolicy,
WDigest UseLogonCredential, etc.)
● Monitor multiple successful and failed connections from a single IP address to many hosts
Vulnerability Fix: Use LAPS so that local administrator passwords are unique per host, deny network logon
for local accounts, put privileged users in the Protected Users group, keep LocalAccountTokenFilterPolicy
at its default, and restrict NTLM in favour of Kerberos where possible.
Severity: High : https://attack.mitre.org/techniques/T1550/002/
Proof of Concept:
Proof Screenshot:
Proof.txt Contents:
● niba_client_Redouane-Taoussi-ivo8bstgjydlb3pn18z86f6y5ooqdk5r
3.3 Maintaining Access
Maintaining access to a system is important to us as attackers: ensuring that we can get back into a
system after it has been exploited is invaluable. The maintaining access phase of the penetration test
focuses on ensuring that once the initial attack has occurred, we can regain administrative access over the
system. Many exploits may only be exploitable once, and we may never be able to get back into a system
after we have already performed the exploit.
The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
Often fragments of tools or user accounts are left on an organization's computer which can cause security
issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left
over is important.
After collecting the trophies from the exam network, the student removed all user accounts and passwords
as well as the Meterpreter services installed on the systems. AB Conseils should not have to remove any
user accounts or services from the systems.
4.0 Additional Items
10.20.206.214 (Gate)