OSCP Quals33


SEC-DOJO Lab Report

for
Offensive Security Certification
Pre-Selection Test
v.1.0

[email protected]

©
All rights reserved to AB Conseils, 2012

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from AB Conseils.

1 | Page
Table of Contents

1.0 SEC-DOJO Lab Penetration Test Report 4

1.1 Introduction 4

1.2 Objective 4

1.3 Requirements 4

2.0 High-Level Summary 5

2.1 Recommendations 6

3.0 Methodologies 6

3.1 Information Gathering 6

3.2 Penetration 7

3.2.1 LAB1 (Westeros) 7

Dumped: 10.20.206.88 7

Service Enumeration 7

Exposed: 10.20.206.129 11

Service Enumeration 11

Privilege Escalation 13

Tears: 10.20.206.98 14

Service Enumeration 14

Privilege Escalation 15

Shared: 10.20.206.195 17

Service Enumeration 17

EggShell: 10.20.206.60 20

Service Enumeration 20

3.2.2 LAB2 (Braavos) 23

Crippled: 10.20.206.146 23
Service Enumeration 23

The password for the user nagios is nagios… which was easy to guess ! 25

Privilege Escalation 25

Lazy: 10.20.206.238 27

Service Enumeration 27

Privilege Escalation 29

Green: 10.20.206.158 31

Service Enumeration 31

Privilege Escalation 34

Disclosed: 10.20.206.196 35

Service Enumeration 35

Privilege Escalation 37

Gate: 10.20.206.214 39

Service Enumeration 39

3.2.3 LAB3 (WinAcl) 41

Niba-DC : 10.20.206.48 41

Service Enumeration 41

Niba: 10.20.206.22 44

Service Enumeration 44

3.3 Maintaining Access 46

3.4 House Cleaning 46

4.0 Additional Items 47

Appendix 1 - Proof and Local Contents: 47

1.0 SEC-DOJO Lab Penetration Test Report

1.1 Introduction

The SEC-DOJO Lab penetration test report contains all efforts that were conducted in order to be selected
to pass the Offensive Security Certification. This report will be graded from a standpoint of correctness
and fullness to all aspects of the exam. The purpose of this report is to ensure that the student has a full
understanding of penetration testing methodologies as well as the technical knowledge to pass the
qualifications for the Offensive Security Certified Professional.

1.2 Objective

The objective of this assessment is to perform an internal penetration test against the Sec-DOJO Lab
network. The student is tasked with following a methodical approach in obtaining access to the objective
goals. This test should simulate an actual penetration test and how you would start from beginning to end,
including the overall report. An example page has already been created for you at the latter portions of
this document that should give you ample information on what is expected to pass this course. Use the
sample report as a guideline to get you through the reporting.

1.3 Requirements

The student will be required to fill out this penetration testing report fully and to include the following
sections:

● Overall High-Level Summary and Recommendations (non-technical)
● Methodology walkthrough and detailed outline of steps taken
● Each finding, including screenshots, walkthrough, sample code, and proof.txt if applicable
● Any additional items that were not included

2.0 High-Level Summary

I was tasked with performing an internal penetration test towards the SEC-DOJO Lab Exam. An internal
penetration test is a dedicated attack against internally connected systems. The focus of this test is to
perform attacks, similar to those of a hacker and attempt to infiltrate SEC-DOJO Lab’s internal exam
systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while
reporting the findings back to AB Conseils.

When performing the internal penetration test, there were several alarming vulnerabilities that were
identified on SEC-DOJO’s network. When performing the attacks, I was able to gain access to multiple
machines, primarily due to outdated patches and poor security configurations. During the testing, I had
administrative level access to multiple systems. All systems were successfully exploited and access
granted. These systems as well as a brief description on how access was obtained are listed below:

LAB1 (Westeros) :

● 10.20.206.88 (Dumped) - Extract Administrator Hash Through World Accessible LSASS Dump
● 10.20.206.215 (Exposed) - RCE in Rejetto HTTP File Server 2.3.x
● 10.20.206.98 (Tears) - RCE in SMB Service (MS17-EternalBlue)
● 10.20.206.195 (Shared) - Extract Administrator Hash Through a SAM Dump inside World Readable Backup Share
● 10.20.206.60 (EggShell) - Domain Administrator Through Subverting Netlogon (ZeroLogon Exploit)

LAB2 (Braavos) :

● 10.20.206.146 (Crippled) - Crack Nagios Password Through a World Readable NFS Directory
● 10.20.206.238 (Lazy) - Wordpress Admin Shell Upload Exploit (Weak Credentials)
● 10.20.206.158 (Green) - World Accessible PhpMyAdmin with Weak Credentials
● 10.20.206.196 (Disclosed) - Cracked Admin Password Through World Readable LDAP
● 10.20.206.214 (Gate) - SMTP VRFY Option allows User Enumeration

LAB3 (WinAcl) :

● 10.20.206.48 (Niba-DC) - Domain Administrator Through Subverting Netlogon (ZeroLogon Exploit)
● 10.20.206.22 (Niba) - Pivot Through Domain Controller (Pass-The-Hash Attack)

2.1 Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot
exploit these systems in the future. One thing to remember is that these systems require frequent patching
and, once patched, should remain on a regular patch program to protect against additional vulnerabilities
that are discovered at a later date.

3.0 Methodologies

I utilized a widely adopted approach to performing penetration testing that is effective in testing how well
the SEC-DOJO Lab environment is secured. Below is a breakout of how I was able to identify and exploit
the variety of systems and includes all individual vulnerabilities found.

3.1 Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration
test. During this penetration test, I was tasked with exploiting the exam network. The specific IP
addresses were:

Exam Network :

LAB1:
- 10.20.206.88
- 10.20.206.215
- 10.20.206.98
- 10.20.206.195
- 10.20.206.60
LAB2:
- 10.20.206.146
- 10.20.206.238
- 10.20.206.158
- 10.20.206.196
- 10.20.206.214
LAB3:
- 10.20.206.22
- 10.20.206.48

3.2 Penetration

The penetration testing portion of the assessment focuses heavily on gaining access to a variety of systems.
During this penetration test, I was able to successfully gain access to 11 out of the 12 systems.

3.2.1 LAB1 (Westeros)

Dumped: 10.20.206.88

Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what
services are alive on a system or systems. This is valuable for an attacker as it provides detailed
information on potential attack vectors into a system. Understanding what applications are running on the
system gives an attacker needed information before performing the actual penetration test. In some cases,
some ports may not be listed.

Server IP Address : 10.20.206.88
Ports Open : TCP: 80, 135, 139, 445, 3389, 5985, 47001, 49664, 49665, 49666, 49667, 49669, 49670, 49673
             UDP: (none listed)

Nmap Scan Results:

The machine seems to be a Windows Server 2008 running some default services.

Extract Administrator Hash Through a World Accessible LSASS Dump

The first service that was discovered is the http service.

Visiting the website reveals that it's a static website (probably a Python HTTP server) that hosts some local
directories :

The dump directory contains 3 critical dumps :

- iexplorer.dmp : contains the memory dump of Internet Explorer; it may leak sensitive information
like web cache, visited URLs and probably some credentials.
- ServerManager.dmp : contains information about the services running on the Windows server.
- lsass.dmp : contains all users' passwords, either in cleartext or in hash format.

Vulnerability Explanation: ​The Local Security Authority Subsystem Service (LSASS.exe) process is a
Windows service responsible for system security policy. When a user logs on to a machine, their
credentials are stored in this process, whether in the form of NTLM hashes and/or plain text passwords.

We brought the file to our local machine and used the Python version of the Mimikatz tool (pypykatz),
whose main purpose is to extract passwords from Windows memory. We used the module called lsa
minidump, which reads and extracts the credentials saved in the "lsass.dmp" file :

And we extract the Administrator hash:

Now that we have the hash, we can combine it with the Windows feature that lets a user authenticate with
the hash stored in memory instead of re-entering the password. So, during the authentication, we provide
the hash instead of the password; Windows compares the hashes and welcomes the attacker with open arms.
This is what a Pass-the-Hash attack is in a nutshell.

Vulnerability Fix:

- Protect the website with some sort of strong authentication (login page, access code available
only to internal users, etc.): OWASP Authentication Best Practices
- Enable the protected process option, so that the dumps don't contain credentials
- If the dumps are needed for debugging purposes, use a more secure method to share them across
the local network (password-protected SMB shares, scp, rsync, etc.)

Severity: Critical : https://cwe.mitre.org/data/definitions/612.html

Proof of Concept: We can use wmiexec.py to perform the Pass-The-Hash attack :
Proof.txt Screenshot:

Proof.txt Contents:

● Dumped_Redouane-Taoussi-dcq73j3erj5orvlz5dyg4hd7df94unkp

Exposed: 10.20.206.129

Service Enumeration
Server IP Address : 10.20.206.129
Ports Open : TCP: 80, 135, 139, 445, 3389, 49153, 49154, 49155, 49161
             UDP: (none listed)

Nmap Scan Results:

RCE in Rejetto HTTP File Server 2.3.x

Visiting the website reveals that it’s an HTTP File Server (HFS) :

Looking down the page, we can find the version of the server which is HFS 2.3:

Searching for known vulnerabilities :

We can find an RCE (CVE-2014-6287)

Vulnerability Explanation:

According to the CVE details for this vulnerability (CVE-2014-6287), the findMacroMarker function in
parserLib.pas in Rejetto HTTP File Server (otherwise known as HFS or HttpFileServer) 2.3x (in versions
prior to 2.3c) allows remote attackers to execute arbitrary programs via a %00 sequence in a search
action.

Here is the vulnerable function:

function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;

The function does not handle a null byte safely, so a request to
http://localhost:80/search=%00{.exec|cmd.} stops the regex from parsing the macro, and remote code
injection follows.
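To make the null-byte defect concrete, here is an added Python illustration (it is not HFS code and not part of the original report). It models the marker search twice: once as a C-string scan that stops at the first NUL, the way the report describes findMacroMarker behaving, and once as a scan over every byte. It then shows the input check a web application should apply on the decoded parameter: reject an embedded NUL outright, and reject any macro marker that survives decoding. The function names and the sample inputs are constructed for the demo.

```python
"""Added illustration of the HFS null-byte defect (not HFS code).

HFS searches user input for macro markers ('{.', '.}', '|') so it can
neutralise them. The report explains that findMacroMarker stops at a NUL
byte, so markers placed after %00 are never seen. Below, one search models
that C-string behaviour and one scans every byte; validate_search_value is
the hardened input check. Sample inputs are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Same marker pattern as parserLib.pas, applied to raw bytes.
MACRO_MARKER = re.compile(rb"\{[.:]|[.:]\}|\|")


def find_macro_marker_truncating(data: bytes, ofs: int = 0) -> int:
    """Model of the flawed search: the regex engine only sees the bytes
    before the first NUL. Returns the marker offset, or -1 if none found."""
    visible = data.split(b"\x00", 1)[0]
    m = MACRO_MARKER.search(visible, ofs)
    return m.start() if m else -1


def find_macro_marker_safe(data: bytes, ofs: int = 0) -> int:
    """Hardened search: the whole buffer is scanned, NUL bytes included."""
    m = MACRO_MARKER.search(data, ofs)
    return m.start() if m else -1


def validate_search_value(raw_param: str) -> str:
    """Input check for a 'search' parameter as received on the wire.

    Returns 'ok', 'reject:nul' (embedded NUL after percent-decoding) or
    'reject:macro' (a macro marker survives decoding). Rejecting NUL first
    means a truncated view of the input can never be reached."""
    data = unquote_to_bytes(raw_param)
    if b"\x00" in data:
        return "reject:nul"
    if find_macro_marker_safe(data) != -1:
        return "reject:macro"
    return "ok"


def demo() -> dict:
    """Run both searches over a constructed %00-prefixed value."""
    raw = "%00{.example|x.}"          # constructed, not a real request
    payload = unquote_to_bytes(raw)
    return {
        "flawed_search_finds_marker": find_macro_marker_truncating(payload) != -1,
        "safe_search_finds_marker": find_macro_marker_safe(payload) != -1,
        "verdict": validate_search_value(raw),
    }


if __name__ == "__main__":
    print(demo())
```

The flawed search reports no marker for the NUL-prefixed value while the safe search finds one at offset 1; the validator never gets that far because it rejects the NUL first.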

Vulnerability Fix: Update Rejetto HFS to the latest version, 2.3m

Severity: Critical : https://cwe.mitre.org/data/definitions/94.html

Proof of Concept: https://www.exploit-db.com/exploits/39161

We could use the Python exploit or the Metasploit module.

Because of time constraints, we opted for Metasploit so that we could elevate our privileges quickly when
needed :

Privilege Escalation
Vulnerability Exploited: Named Pipe Impersonation (In Memory/Admin)

Vulnerability Explanation: Named pipes are a Windows mechanism that lets two unrelated processes
exchange data, even if the processes are located on two different networks. This functionality can be
abused by provoking a process running as SYSTEM into connecting to a pipe the attacker created, then
stealing its privileges (token) during the authentication process.

Vulnerability Fix: Detect it using a SIEM rule that looks for the creation of, then a connection to, a named pipe

Severity: ​Critical

Proof.txt Screenshot:

Proof.txt Contents:

● Exposed_Redouane-Taoussi-n929imz70gv86spp0fctkherelyl944p

Tears: 10.20.206.98

Service Enumeration
Server IP Address : 10.20.206.98
Ports Open : TCP: 135, 139, 445, 3389, 49152, 49153, 49154, 49155, 49160
             UDP: (none listed)

Nmap Scan Results:

RCE in SMB Service (MS17-EternalBlue Exploit)

The first thing we notice from the nmap scan is that the SMB port reveals the machine to be a Windows 7
7601 SP1. It's highly probable that this version is vulnerable to the well-known NSA Windows 0-day
exploit a.k.a. EternalBlue.

We can confirm that by using the Metasploit MS17-010 scanner :

Vulnerability Explanation:

The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft
Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary
code on the target computer. More details can be found here.

Vulnerability Fix: Disable SMBv1 and apply the patch recommended by Microsoft

Severity: Critical : https://www.cvedetails.com/cve/CVE-2017-0143/

Proof of Concept:

Using the ms17_010_eternalblue module of metasploit :

Privilege Escalation
Vulnerability Exploited: Named Pipe Impersonation (In Memory/Admin)

Vulnerability Explanation: Named pipes are a Windows mechanism that lets two unrelated processes
exchange data, even if the processes are located on two different networks. This functionality can be
abused by provoking a process running as SYSTEM into connecting to a pipe the attacker created, then
stealing its privileges (token) during the authentication process.

Vulnerability Fix: Detect it using a SIEM rule that looks for the creation of, then a connection to, a named pipe
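The SIEM rule recommended here and in the Exposed section above can be sketched in a few lines. The following Python is an added example, not from the report: Sysmon records a pipe being created as Event ID 17 and a client connecting to it as Event ID 18, and the code pairs each connection with the most recent creation of the same pipe name inside a short window, then alerts when the process that created the pipe is not a known pipe server. The sample events, the image paths and the baseline allow-list are constructed for the demo.

```python
"""Added detection sketch for named-pipe impersonation (not from the report).

Sysmon records a pipe being created as Event ID 17 and a client connecting
to it as Event ID 18. The SIEM rule the report recommends pairs the two: a
short-lived pipe created by an unexpected image and then connected to by a
system service is the shape of the technique. Sample events and the
baseline of legitimate pipe servers are constructed for the demo.
"""
from datetime import datetime, timedelta

# Constructed baseline: images expected to create named pipes on this host.
KNOWN_PIPE_SERVERS = {
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\spoolsv.exe",
    r"C:\Windows\System32\lsass.exe",
}
PAIR_WINDOW = timedelta(seconds=60)

# Constructed Sysmon-style records (id 17 = Pipe Created, 18 = Pipe Connected).
# For 17 "image" is the server that created the pipe; for 18 it is the client.
SAMPLE_EVENTS = [
    {"time": "2020-12-01T10:00:00", "id": 17, "pipe": r"\spoolss",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"time": "2020-12-01T10:00:01", "id": 18, "pipe": r"\spoolss",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"time": "2020-12-01T10:05:00", "id": 17, "pipe": r"\qzjdlm",
     "image": r"C:\Users\Public\update.exe"},
    {"time": "2020-12-01T10:05:02", "id": 18, "pipe": r"\qzjdlm",
     "image": r"C:\Windows\System32\services.exe"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def correlate_pipe_events(events, window=PAIR_WINDOW, baseline=KNOWN_PIPE_SERVERS):
    """Pair each Pipe Connected event with the latest Pipe Created event for
    the same pipe name inside `window`; alert when the creator is not a
    known pipe server. Returns a list of alert dicts, oldest first."""
    open_pipes = {}   # pipe name -> most recent creation event
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["id"] == 17:
            open_pipes[ev["pipe"]] = ev
        elif ev["id"] == 18:
            created = open_pipes.get(ev["pipe"])
            if created is None:
                continue          # connection to a pipe we never saw created
            age = _ts(ev) - _ts(created)
            if age <= window and created["image"] not in baseline:
                alerts.append({
                    "pipe": ev["pipe"],
                    "server_image": created["image"],   # created the pipe
                    "client_image": ev["image"],        # connected to it
                    "seconds_between": age.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_pipe_events(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the random-looking pipe created from a user-writable directory and then connected to by services.exe raises an alert; the spooler pipe is paired but suppressed by the baseline. The baseline should be built from the host's own history, not hard-coded as it is here.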

Severity: ​Critical

Proof Screenshot:

Proof.txt Contents:

There was no proof.txt due to some problems with the machine while loading up the default configuration
:

We can confirm that by searching recursively from the C: folder for files named proof.txt

Shared: 10.20.206.195

Service Enumeration
Server IP Address : 10.20.205.195
Ports Open : TCP: 135, 445, 3389, 5985, 5986
             UDP: (none listed)

Nmap Scan Results:

From the smb service, we can tell that the machine is a Windows Server 2016.

Extract Administrator Hash Through a SAM Dump inside a World Readable SMB Backup Share

Running nmap's default SMB scripts showed that there is a Backup share folder inside the SMB
service :

We can use smbmap to download the files :

This folder contains 3 confidential files: the SAM, SECURITY and SYSTEM registry hives.
Vulnerability Explanation:

The SAM hive contains user passwords as a table of hash codes; the Security hive stores security
information for the local system, including user rights and permissions, password policies and group
membership. (https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives )

Vulnerability Fix:

- Add authentication to the SMB backup share folder
- Enable the protected process option, so that the dumps don't contain credentials
- If the dumps are needed for debugging purposes, use a more secure method to share them across
the local network (password-protected SMB shares, scp, rsync, etc.)
- Follow SMB Share Best Practices

Severity: Critical : https://cwe.mitre.org/data/definitions/284.html

Proof of Concept :

Using the Python script secretsdump.py, we can dump the Administrator hash :

Then we can use wmiexec.py to perform the Pass-The-Hash attack (explained above) :
Proof Screenshot:

Proof.txt Contents:

● Shared_Redouane-Taoussi-58dnd37u6hrxas3nphlg0azr6dh8lp7m

EggShell: 10.20.206.60

Service Enumeration
Server IP Address : 10.20.206.60
Ports Open : TCP: 53, 135, 139, 445, 3268, 3389
             UDP: (none listed)

Nmap Scan Results:

The SMB service reveals that this machine is a Windows Server 2016.
The DNS service reveals also that it’s highly probable that this one is the Domain Controller.

Domain Administrator Through Subverting Netlogon (ZeroLogon Exploit)

Seeing the Windows Server 2016 version and having the list of Windows machines affected by the new
ZeroLogon vulnerability, I tested whether this was the case in our situation. And it was vulnerable !

Vulnerability Explanation:

ZeroLogon (CVE-2020-1472) is the result of a flaw in the Netlogon Remote Protocol cryptographic
authentication scheme. The protocol authenticates users and machines in domain-based networks and is
also used to update computer passwords remotely. Through the vulnerability, an attacker can impersonate
a client computer and replace the password of a domain controller (a server that controls an entire
network and runs Active Directory services), which lets the attacker gain domain admin rights.

Vulnerability Fix: Apply the patch suggested by Microsoft.

Severity: Critical : https://nvd.nist.gov/vuln/detail/CVE-2020-1472

Proof of Concept :

Using the metasploit module, we can run the ZeroLogon exploit against the Domain Controller SRV-DC1
of lab.secdojo.local :

This exploit sets the password of the Domain Controller to an empty string.
After that we can use a DCSync attack to dump all the hashes :

Now that we have all the hashes, we can use a Pass-The-Hash attack to become Administrator of the whole
lab.secdojo.local domain :

Proof Screenshot:

Proof.txt Contents:

● Eggshell_Redouane-Taoussi-7n20hzww0btcodyjgoaqgks2cabi8h5v

3.2.2 LAB2 (Braavos)

Crippled: 10.20.206.146

Service Enumeration
Server IP Address : 10.20.206.146
Ports Open : TCP: 22, 111, 2049, 38477, 49789, 53009, 54383
             UDP: (none listed)

Nmap Scan Results:

Crack User Password Through a World Readable NFS Directory that Contains a Shadow File

The SSH service shows that we are dealing with a Linux (Ubuntu) machine.

NFS and mountd services are not usual on a Linux machine.

First, we can check whether any folder is shared from this machine :

There is a shared folder: /etc

Vulnerability Explanation:

The /etc folder stores confidential files like passwd and shadow; these files store information about all
users, including their hashed passwords inside shadow.
In our case the shadow file was not world readable, but there was a backup shadow file that contained the
SHA-512 hash of the nagios user.

Vulnerability Fix:

- Add authentication to the mountd/nfs service
- Restrict permissions on backup files
- Use a strong password policy (minimum 12 mixed characters: uppercase, lowercase, numbers,
special characters)

Severity: High : https://cwe.mitre.org/data/definitions/530.html
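The root cause on this host is an export of /etc to every client. As an added example, not part of the report, the Python below parses an /etc/exports file and flags the settings a reviewer would reject: exports open to any host, exports of system directories such as /etc, no_root_squash, and world-writable exports. The sample exports file is constructed; the first entry mirrors the finding above.

```python
"""Added /etc/exports auditor (example code, not from the report).

Parses the exports format ('path client(options) client(options) ...') and
reports entries that expose a directory too widely. The sample file below
is constructed; the first line mirrors the world-readable /etc export found
on the Crippled host.
"""
import re

SENSITIVE_ROOTS = ("/etc", "/root", "/home")   # plus "/" itself, handled below

SAMPLE_EXPORTS = """\
# constructed /etc/exports for the demo
/etc            *(rw,sync,no_root_squash)
/srv/share      10.20.206.0/24(ro,sync,root_squash)
/var/backups    *(ro)
"""

_CLIENT = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options-set) tuples, one per client."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]   # no client list = everyone
        for spec in clients:
            m = _CLIENT.fullmatch(spec)
            if m is None:
                continue
            client = m.group(1) or "*"            # "(rw)" alone means any host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Return a list of {path, client, issues} for risky exports."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if client == "*":
            issues.append("exported to every host")
        if path == "/" or any(path == r or path.startswith(r + "/") for r in SENSITIVE_ROOTS):
            issues.append("exports a system directory")
        if "no_root_squash" in opts:
            issues.append("no_root_squash: remote root is root on the share")
        if "rw" in opts and client == "*":
            issues.append("world-writable")
        if issues:
            findings.append({"path": path, "client": client, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f["path"], f["client"], "; ".join(f["issues"]))
```

Run it against a host's real /etc/exports after the fix to confirm that the /etc line is gone and that what remains is restricted to a client list and root_squash.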

Proof of Concept:

Using the command :

$ unshadow passwd shadow > hashes.txt

We can then crack the hash using JohnTheRipper :

The password for the user nagios is nagios… which was easy to guess !
We can then use the password to connect using ssh.

Privilege Escalation
Once connected as nagios, we can check whether we have privileges to execute any command as the root user :

Vulnerability Exploited: Privilege Escalation Through Exploiting Sudo Rights

Vulnerability Explanation:

The user nagios can execute the command /scripts/*/*/setup.sh with root privileges without supplying the
root password !

This can be abused by placing malicious commands inside a setup.sh file that matches the wildcard path.

Vulnerability Fix:

- Fix the content of setup.sh
- Remove write permissions for setup.sh
- Follow sudo best practices

Severity: Critical : https://cwe.mitre.org/data/definitions/250.html

Exploit Code:

We can simply create two directories a and b so that the path /scripts/a/b exists, then create inside it a
setup.sh that executes a reverse shell to our machine :
Proof Screenshot:

Proof.txt Contents:

● Crippled_Redouane-Taoussi-ipzpe7t6by5ryslcb7u5xoa6gem7bv0k

Lazy: 10.20.206.238

Service Enumeration
Server IP Address : 10.20.206.238
Ports Open : TCP: 22, 80
             UDP: (none listed)

Nmap Scan Results:

Wordpress Admin Shell Upload Exploit (Weak Credentials)

Since we have only 2 ports and ssh doesn’t seem to be vulnerable, we will focus on the http port.
We start by visiting the website :

It’s a wordpress website !

Vulnerability Explanation:

Going to the login page at wp-login.php and using some default credentials like admin:admin
gives us access to the website as an admin :

The nmap scan shows that the version of the WordPress website is 5.5.1. This version is by default vulnerable
to a shell upload via the admin panel !

Vulnerability Fix:

- Use a strong password policy (minimum 12 mixed characters: uppercase, lowercase, numbers,
special characters)
- Prevent file upload

Severity: High : https://cwe.mitre.org/data/definitions/521.html

Proof of Concept:

Using the Metasploit module :

We get a shell as www-data.
Privilege Escalation
The whole home directory of the uadmin user is world readable, including the .ssh folder.

Vulnerability Exploited: Weak permissions on the private SSH key of the uadmin user

Vulnerability Explanation: We can read the private key of the uadmin user and use it to connect as
uadmin.

Vulnerability Fix:

- Protect the home folder with restricted permissions

Severity: High : https://cwe.mitre.org/data/definitions/732.html

Exploit Code:

We can read the private key :

Use it to connect as uadmin :

uadmin is effectively a root user: he can execute all commands as root :

Proof Screenshot:

Proof.txt Contents:

● Lazy_Redouane-Taoussi-ws2veeuvw1dzr8b99z8d0jabpcanq48d

Green: 10.20.206.158

Service Enumeration
Server IP Address : 10.20.206.158
Ports Open : TCP: 22, 80
             UDP: (none listed)

Nmap Scan Results:

World Accessible PhpMyAdmin with Weak Credentials

The machine seems to be a Linux (Ubuntu) from the SSH banner.

Checking the http service on port 80, we find a static (home-made) website :

The default credentials admin:admin work on the login page :

All the functionalities (Users, Apartments, Search) were vulnerable to SQL injection or XSS.
We don't want to go down this long road; maybe we can find a shorter path ?

Vulnerability Explanation:

Doing a directory enumeration shows that there is a phpMyAdmin available on the website :

The phpMyAdmin was world accessible and protected with the weak credentials admin:admin :

There is a table of confidential data that holds some sensitive information (user credentials in clear text)

Vulnerability Fix:

- Restrict phpMyAdmin access to localhost only.
- Use a strong password.
- Don't store user passwords in cleartext inside databases.
- Update PMA to the latest version.
- Follow Security Best Practices for PMA.

Severity: High : https://cwe.mitre.org/data/definitions/284.html

Proof of Concept:

Using the password from credential table :

Local.txt Screenshot:

Local.txt Contents:

● Green_Redouane-Taoussi-dvcxyu0blt9mlreic14ubgdr0n1jsose

Privilege Escalation
Vulnerability Exploited: Privilege Escalation Through Exploiting Sudo Rights

Vulnerability Explanation:

The user ubuntu can execute any command with root privileges. In other words, ubuntu is another root
user !

Vulnerability Fix:

- Follow sudo best practices

Severity: Critical : https://cwe.mitre.org/data/definitions/250.html

Exploit Code:

Proof Screenshot:

Proof.txt Contents:

● Green_Redouane-Taoussi-67lx7yyodaggqw5gmgkqxabmrmex9fx3

Disclosed: 10.20.206.196

Service Enumeration
Server IP Address : 10.20.206.196
Ports Open : TCP: 22, 389
             UDP: (none listed)

Nmap Scan Results:

Cracked User Password Through World Readable LDAP

The LDAP service is not password protected: any user can query it for anything stored in the LDAP server.

Vulnerability Explanation:

There is a tool called ldapsearch which allows you to execute queries against the LDAP server. Before
we begin using this tool, we need to figure out the "dc" name. We can grab this information using this:

The result provides the following output: dc=disclosed,dc=local

An attacker will then be able to query for other sensitive information using the dc information.

Vulnerability Fix:

- Set up authentication on the OpenLDAP server
- Add a strong password policy
- Follow LDAP Security Best Practices

Severity: High : https://cwe.mitre.org/data/definitions/522.html

Proof of Concept:

We can input this into our query to enumerate more detailed information. The complete command is this:

ldapsearch -x -h 10.20.206.196 -p 389 -b "dc=disclosed,dc=local"

After we run the ldapsearch command, we get a pretty verbose output including information about
organizational units (OU), usernames, and password hashes.

We can extract some valid users :

The nmap ldap-search script will try to get the userPassword from the response and decode it; some passwords
are in cleartext and others are hashed :

The cleartext password didn't work. We tried first to crack the SSHA hash but with no success. Let's try
and crack the MD5 hash :
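What the nmap script does here, decoding base64 userPassword values and telling cleartext from hashed ones, is also the audit a directory owner should run on their own export before an attacker does. The Python below is an added example, not from the report: it parses ldapsearch-style LDIF output (including base64 "::" values and folded continuation lines), decodes each userPassword, and classifies it by storage scheme, so that cleartext and MD5-stored passwords are listed for remediation. The entries, user names and hash bodies are constructed placeholders, not data from the lab.

```python
"""Added LDIF password-storage audit (example code, not from the report).

ldapsearch prints attribute values as 'attr: value' or, when base64-encoded,
'attr:: base64'. userPassword values carry an RFC 2307 scheme prefix such as
{SSHA} or {MD5}; a value with no prefix is stored in cleartext. The sample
output is constructed, with placeholder hash bodies.
"""
import base64
import re

WEAK_SCHEMES = {"MD5", "SMD5", "SHA"}            # unsalted or fast digests
ACCEPTABLE_SCHEMES = {"SSHA", "SSHA256", "SSHA512", "PBKDF2", "ARGON2"}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed ldapsearch-style output. Hash bodies are placeholders.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=disclosed,dc=local",
    "uid: alice",
    "userPassword:: " + _b64("{SSHA}placeholderSaltedHash=="),
    "",
    "dn: uid=bob,ou=People,dc=disclosed,dc=local",
    "uid: bob",
    "userPassword:: " + _b64("{MD5}placeholderMd5Digest=="),
    "",
    "dn: uid=carol,ou=People,dc=disclosed,dc=local",
    "uid: carol",
    "userPassword:: " + _b64("Winter2020!"),
    "",
    "dn: uid=dave,ou=People,dc=disclosed,dc=local",
    "uid: dave",
    "",
])


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr.strip(), []).append(value)
    return entries


def classify_password(value: str) -> str:
    """'cleartext', 'weak-hash:<S>', 'ok:<S>' or 'unknown:<S>' by scheme prefix."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    if not m:
        return "cleartext"
    scheme = m.group(1).upper()
    if scheme in WEAK_SCHEMES:
        return "weak-hash:" + scheme
    if scheme in ACCEPTABLE_SCHEMES:
        return "ok:" + scheme
    return "unknown:" + scheme


def audit_passwords(text):
    """Map each DN whose password storage is not acceptable to its verdict."""
    findings = {}
    for entry in parse_ldif(text):
        for pw in entry.get("userPassword", []):
            verdict = classify_password(pw)
            if not verdict.startswith("ok:"):
                findings[entry["dn"][0]] = verdict
    return findings


if __name__ == "__main__":
    for dn, verdict in audit_passwords(SAMPLE_LDIF).items():
        print(verdict, dn)
```

Beyond re-hashing the flagged accounts, the finding that matters most on this host is that the attribute was readable at all: with an access control rule restricting userPassword to the authenticating user and the directory itself, an anonymous bind would return no password values to classify.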

Googling for the MD5 hash :

Now, we can connect as admmark to the machine :

Privilege Escalation
Vulnerability Exploited: Privilege Escalation Through Exploiting Sudo Rights

Vulnerability Explanation:

The user ubuntu can execute the command apt with root privileges. This command can be abused to
execute other malicious commands.

Vulnerability Fix:

- Follow sudo best practices

Severity: Critical : https://cwe.mitre.org/data/definitions/250.html
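Three of the LAB2 hosts (Crippled, Green and this one) fell to the same class of misconfiguration: a sudo rule that is wider than it looks. As an added example, not from the report, the Python below audits user specifications in a sudoers file and flags the three shapes seen above: a wildcard in the command path (the user picks which file runs), an unrestricted ALL, and a binary that can spawn a shell such as apt, together with NOPASSWD. The sample sudoers content is constructed to mirror the three findings plus one acceptable rule; the shell-escape list is a deliberately small subset and should be extended from a maintained source.

```python
"""Added sudoers auditor (example code, not from the report).

Handles the common user-specification form
    user host=(runas) [TAG:] command, [TAG:] command ...
and reports rules that grant more than intended. The sample content is
constructed to mirror the report's three sudo findings.
"""
import os
import re

# Small, deliberately incomplete set; extend from a maintained list.
SHELL_ESCAPE_BINARIES = {"apt", "apt-get", "vi", "vim", "less", "more"}

SAMPLE_SUDOERS = """\
# constructed sudoers entries mirroring the report's findings
nagios  ALL=(ALL) NOPASSWD: /scripts/*/*/setup.sh
ubuntu  ALL=(ALL:ALL) ALL
ubuntu  ALL=(root) NOPASSWD: /usr/bin/apt
backup  ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""

USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^((?:NO)?PASSWD|(?:NO)?EXEC|(?:NO)?SETENV|(?:NO)?LOG_INPUT|(?:NO)?LOG_OUTPUT):\s*",
                 re.IGNORECASE)


def parse_sudoers(text):
    """Return one dict per command in each user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, host, runas, cmdspec = m.groups()
        nopasswd = False                       # a tag applies to following commands too
        for cmd in cmdspec.split(","):
            cmd = cmd.strip()
            t = TAG.match(cmd)
            while t:
                tag = t.group(1).upper()
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():]
                t = TAG.match(cmd)
            rules.append({"user": user, "host": host, "runas": runas or "root",
                          "command": cmd, "nopasswd": nopasswd})
    return rules


def audit_sudoers(text):
    """Return a list of {user, command, issues} for risky rules."""
    findings = []
    for rule in parse_sudoers(text):
        cmd = rule["command"]
        prog = cmd.split()[0] if cmd else ""
        issues = []
        if cmd == "ALL":
            issues.append("unrestricted: any command as root")
        else:
            if any(ch in prog for ch in "*?["):
                issues.append("wildcard in command path: user controls which file runs")
            if os.path.basename(prog) in SHELL_ESCAPE_BINARIES:
                issues.append(os.path.basename(prog) + " can spawn a shell")
        if rule["nopasswd"]:
            issues.append("NOPASSWD")
        if issues:
            findings.append({"user": rule["user"], "command": cmd, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f["user"], f["command"], "; ".join(f["issues"]))
```

The rsync rule with a fixed argument list passes, which is the shape to aim for: one absolute path, explicit arguments, and a password prompt unless there is a documented reason to waive it.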

Exploit Code:

And we get a root shell :

Proof Screenshot:

Proof.txt Contents:

● Disclosed_Redouane-Taoussi-d1myehhsjkrjk9xceq1kg0hqsxvr9of3

Gate: 10.20.206.214

Service Enumeration
Server IP Address : 10.20.206.214
Ports Open : TCP: 22, 25
             UDP: (none listed)

Nmap Scan Results:

SMTP VRFY Option allows User Enumeration

Any user that is able to interact with the SMTP server can do a user enumeration.

Vulnerability Explanation:

The VRFY functionality of SMTP is enabled, so a user can do :

Vulnerability Fix:

- Disable the VRFY functionality

Severity: Medium : https://cwe.mitre.org/data/definitions/676.html

Proof of Concept:

Using the Metasploit module to automate user enumeration :

We can find two non-regular users : adm and backup

This could have been combined with an SSH brute force for the user adm

Proof Screenshot:

Proof.txt Contents:

3.2.3 LAB3 (WinAcl)

NOTE:

I could have used the same exploit to pwn the whole LAB1 in a shorter time but I did the LAB1 as it
was intended.

For the LAB3, I know this wasn’t the intended solution, but since I didn't have time and I could see
another shorter path to pwn the LAB, I took it.
I will come back for this LAB in January to do it the intended way and test the platform.

Niba-DC : 10.20.206.48

Service Enumeration
Server IP Address : 10.20.206.48
Ports Open : TCP: 53, 135, 139, 445, 3268, 3389
             UDP: (none listed)

Nmap Scan Results:

The SMB service reveals that this machine is a Windows Server 2016.
The DNS service reveals also that it’s a Domain Controller.

Domain Administrator Through Subverting Netlogon (ZeroLogon Exploit)

Seeing the Windows Server 2016 version and having the list of Windows machines affected by the new
ZeroLogon vulnerability, I tested whether this was the case in our situation. And it was vulnerable !

Vulnerability Explanation:

ZeroLogon (CVE-2020-1472) is the result of a flaw in the Netlogon Remote Protocol cryptographic
authentication scheme. The protocol authenticates users and machines in domain-based networks and is
also used to update computer passwords remotely. Through the vulnerability, an attacker can impersonate
a client computer and replace the password of a domain controller (a server that controls an entire
network and runs Active Directory services), which lets the attacker gain domain admin rights.

Vulnerability Fix: Apply the patch suggested by Microsoft.

Severity: Critical : https://nvd.nist.gov/vuln/detail/CVE-2020-1472
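Patching is the fix, but the same exploit was used against both domain controllers in this report (EggShell and Niba-DC), so it is worth showing what the event log records when it happens. The Python below is an added example, not from the report: Windows Security Event ID 4742 ("A computer account was changed") names who changed which computer account and whether the "Password Last Set" attribute moved, and a DC machine-account password set by ANONYMOUS LOGON (SID S-1-5-7) is the pattern the published detection guidance for CVE-2020-1472 describes. The function flags that as critical and marks any other DC password change not performed by the DC itself for review. The DC name is the one from the proof-of-concept above with the machine-account suffix; the sample events are constructed, and the field names follow the event's EventData as the author of this example knows them.

```python
"""Added detection sketch for a DC machine-account password reset of the kind
ZeroLogon performs (example code, not from the report).

Event 4742 is logged on the DC that processed the change. "PasswordLastSet"
is "-" when that attribute was not modified. Sample events are constructed.
"""
ANONYMOUS_LOGON_SID = "S-1-5-7"
# Constructed list; computer accounts carry a trailing '$'. Name taken from the
# LAB3 proof of concept above.
DOMAIN_CONTROLLER_ACCOUNTS = {"EC2AMAZ-OTF6H7V$"}

SAMPLE_4742_EVENTS = [
    # a service account joining a workstation: not a DC, ignore
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "svc_join",
     "TargetUserName": "WS01$", "PasswordLastSet": "12/1/2020 10:00:00 AM"},
    # the DC rotating its own machine password: normal
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1000", "SubjectUserName": "EC2AMAZ-OTF6H7V$",
     "TargetUserName": "EC2AMAZ-OTF6H7V$", "PasswordLastSet": "12/1/2020 10:01:00 AM"},
    # the DC's password set by an anonymous caller: the ZeroLogon pattern
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "EC2AMAZ-OTF6H7V$", "PasswordLastSet": "12/1/2020 10:03:12 AM"},
    # an administrator resetting the DC's password: unusual, review it
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "Administrator",
     "TargetUserName": "EC2AMAZ-OTF6H7V$", "PasswordLastSet": "12/1/2020 10:10:00 AM"},
    # a 4742 on the DC where the password did not change: ignore
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "Administrator",
     "TargetUserName": "EC2AMAZ-OTF6H7V$", "PasswordLastSet": "-"},
]


def flag_dc_password_resets(events, dcs=DOMAIN_CONTROLLER_ACCOUNTS):
    """Return (severity, target account, subject) tuples for 4742 events that
    set a DC machine-account password. 'critical' when the subject is
    ANONYMOUS LOGON, 'review' when it is anyone other than the DC itself."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        target = ev["TargetUserName"]
        if target not in dcs or ev.get("PasswordLastSet", "-") == "-":
            continue
        subject_sid, subject = ev["SubjectUserSid"], ev["SubjectUserName"]
        if subject_sid == ANONYMOUS_LOGON_SID or subject.upper() == "ANONYMOUS LOGON":
            findings.append(("critical", target, subject))
        elif subject != target:
            findings.append(("review", target, subject))
    return findings


if __name__ == "__main__":
    for finding in flag_dc_password_resets(SAMPLE_4742_EVENTS):
        print(*finding)
```

On a patched DC the Netlogon events 5827 to 5829 give an earlier signal (vulnerable connections being denied or still allowed); the 4742 check above is the one that also works on the unpatched servers this report found.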

Proof of Concept :

We first scan the smb for more information about the NetBIOS Name and the domain name :

Using the metasploit module, we can run the ZeroLogon exploit against the Domain Controller
EC2AMAZ-OTF6H7V of niba.local :

This exploit sets the password of the Domain Controller to an empty string.
After that we can use a DCSync attack to dump all the hashes :

Now that we have all the hashes, we can use a Pass-The-Hash attack to become Administrator of the whole niba.local
domain :

Proof Screenshot:

Proof.txt Contents:

● niba_dc_Redouane-Taoussi-pkrmpkvf9x99b0ytv4cqnnue2ci32ipp

Niba: 10.20.206.22

Service Enumeration
Server IP Address : 10.20.206.22
Ports Open : TCP: 135, 139, 445, 3389
             UDP: (none listed)

Nmap Scan Results:

Pass-The-Hash Attack using the Administrator Hash from the Domain Controller

The Administrator of the DC is able to connect to the NIBA client machine using his hash

Vulnerability Explanation:

It's a Windows feature that enables users to authenticate using the hash stored in memory instead of
re-entering their password. So, during the authentication, we provide the hash instead of the password.
Windows compares the hashes and welcomes the attacker with open arms. This is what a Pass-the-Hash
attack is in a nutshell.

Vulnerability Detection:

Detecting a PtH attack in a network requires a combination of measures:

● Monitor logs for alerts about known PtH tools (such as those used in this report)
● Monitor unusual activity on hosts, like attempts to tamper with the LSASS process (Sysmon)
● Monitor unusual changes to configurations that are typically altered when a PtH attack is
performed (LocalAccountTokenFilterPolicy, WDigest, etc.)
● Monitor multiple successful and failed connections from a single IP address
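The last point, and the Pass-the-Hash use on Dumped and Shared earlier in this report, can be turned into a concrete rule over Windows logon events. The Python below is an added example, not from the report: it reads 4624 (success) and 4625 (failure) records with LogonType 3 (network) and AuthenticationPackageName NTLM, groups them by source address and account, and alerts when one privileged account is used over NTLM from one address against several hosts inside a short window, counting the failures alongside. The sample events, the second host name and the watch-list are constructed; 10.20.206.48 is the DC address from this lab, since the report pivots from it; the record keys are shortened forms of the event's EventData field names.

```python
"""Added detection sketch for the Pass-the-Hash pattern (not from the report).

Pass-the-Hash rides on NTLM, so the logon events it produces are network
logons (LogonType 3) authenticated by the NTLM package. One privileged
account used that way from one source against several hosts in minutes,
usually with some failures mixed in, is the pattern worth alerting on.
Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ACCOUNTS = {"Administrator"}      # constructed watch-list
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_HOSTS = 2

# Constructed records: host = computer that logged the event, ip = IpAddress,
# type = LogonType, auth = AuthenticationPackageName, user = TargetUserName.
SAMPLE_LOGON_EVENTS = [
    {"time": "2020-12-01T10:00:00", "host": "NIBA", "id": 4625, "type": "3",
     "auth": "NTLM", "user": "Administrator", "ip": "10.20.206.48"},
    {"time": "2020-12-01T10:00:05", "host": "NIBA", "id": 4624, "type": "3",
     "auth": "NTLM", "user": "Administrator", "ip": "10.20.206.48"},
    {"time": "2020-12-01T10:01:10", "host": "FS01", "id": 4624, "type": "3",
     "auth": "NTLM", "user": "Administrator", "ip": "10.20.206.48"},
    {"time": "2020-12-01T10:02:00", "host": "NIBA", "id": 4624, "type": "3",
     "auth": "Kerberos", "user": "jdoe", "ip": "10.20.206.70"},
    {"time": "2020-12-01T10:03:00", "host": "FS01", "id": 4624, "type": "3",
     "auth": "NTLM", "user": "backupsvc", "ip": "10.20.206.71"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect_pth_pattern(events, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS,
                       privileged=PRIVILEGED_ACCOUNTS):
    """Group NTLM network logons by (source IP, account) and alert when a
    privileged account reached at least `min_hosts` distinct hosts inside
    `window`. Returns a list of alert dicts."""
    groups = defaultdict(list)
    for ev in events:
        if ev["id"] in (4624, 4625) and ev["type"] == "3" and ev["auth"] == "NTLM":
            groups[(ev["ip"], ev["user"])].append(ev)

    alerts = []
    for (ip, user), evs in groups.items():
        if user not in privileged:
            continue
        evs.sort(key=_ts)
        span = _ts(evs[-1]) - _ts(evs[0])
        hosts = sorted({e["host"] for e in evs if e["id"] == 4624})
        failures = sum(1 for e in evs if e["id"] == 4625)
        if len(hosts) >= min_hosts and span <= window:
            alerts.append({"source_ip": ip, "account": user, "hosts": hosts,
                           "failed_attempts": failures,
                           "span_seconds": span.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_pth_pattern(SAMPLE_LOGON_EVENTS):
        print(alert)
```

The Kerberos logon and the single-host service-account NTLM logon are left alone; only the Administrator sweep from the DC address is reported, with its one failed attempt counted. In a domain where NTLM is supposed to be retired, the auth == "NTLM" filter alone is already a useful hunting query.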

Vulnerability Fix:

● Disable the LocalAccountTokenFilterPolicy setting
● Implement Local Administrator Password Solution (LAPS)
● Implement strong authentication policies

Severity: High : https://attack.mitre.org/techniques/T1550/002/

Proof of Concept:

Proof Screenshot:

Proof.txt Contents:

● niba_client_Redouane-Taoussi-ivo8bstgjydlb3pn18z86f6y5ooqdk5r

3.3 Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system
after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on
ensuring that once the focused attack has occurred, we have administrative access over the system again.
Many exploits may only be exploitable once and we may never be able to get back into a system after we
have already performed the exploit.

3.4 House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
Often fragments of tools or user accounts are left on an organization's computer which can cause security
issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left
over is important.

After collecting trophies from the exam network was completed, the student removed all user accounts
and passwords as well as the Meterpreter services installed on the system. AB Conseil should not have to
remove any user accounts or services from the system.

4.0 Additional Items

Appendix 1 - Proof and Local Contents:

IP (Hostname)              Local.txt Contents                                    Proof.txt Contents
10.20.206.88 (Dumped)      (none)                                                Dumped_Redouane-Taoussi-dcq73j3erj5orvlz5dyg4hd7df94unkp
10.20.206.215 (Exposed)    (none)                                                Exposed_Redouane-Taoussi-n929imz70gv86spp0fctkherelyl944p
10.20.206.98 (Tears)       (none)                                                Pwned but no proof.txt
10.20.206.195 (Shared)     (none)                                                Shared_Redouane-Taoussi-58dnd37u6hrxas3nphlg0azr6dh8lp7m
10.20.206.60 (EggShell)    (none)                                                Eggshell_Redouane-Taoussi-7n20hzww0btcodyjgoaqgks2cabi8h5v

IP (Hostname)              Local.txt Contents                                    Proof.txt Contents
10.20.206.146 (Crippled)   (none)                                                Crippled_Redouane-Taoussi-ipzpe7t6by5ryslcb7u5xoa6gem7bv0k
10.20.206.238 (Lazy)       (none)                                                Lazy_Redouane-Taoussi-ws2veeuvw1dzr8b99z8d0jabpcanq48d
10.20.206.158 (Green)      Green_Redouane-Taoussi-dvcxyu0blt9mlreic14ubgdr0n1jsose   Green_Redouane-Taoussi-67lx7yyodaggqw5gmgkqxabmrmex9fx3
10.20.206.196 (Disclosed)  (none)                                                Disclosed_Redouane-Taoussi-d1myehhsjkrjk9xceq1kg0hqsxvr9of3
10.20.206.214 (Gate)       (none)                                                (none)

IP (Hostname)              Local.txt Contents                                    Proof.txt Contents
10.20.206.48 (NibaDC)      (none)                                                niba_dc_Redouane-Taoussi-pkrmpkvf9x99b0ytv4cqnnue2ci32ipp
10.20.206.22 (Niba)        (none)                                                niba_client_Redouane-Taoussi-ivo8bstgjydlb3pn18z86f6y5ooqdk5r
