Search

Penetration Test Report

Introduction

The penetration test report contains all efforts that were conducted during the client engagement. The purpose of this report is to ensure that the client has a full understanding of the penetration testing methodology as well as the technical knowledge needed to remediate any security flaws.

Objective

The objective of this assessment is to perform an internal penetration test against the network. The student is tasked with following a methodical approach to obtaining full control of the network. This test should simulate an attacker, showing how an attacker would proceed from beginning to end.

Requirements

The pentester will be required to fill out this penetration testing report fully and to include the following sections:

  • Overall High-Level Summary and Recommendations (non-technical)

  • Methodology walkthrough and detailed outline of steps taken

  • Each finding with included screenshots, walkthrough, sample code, and root.txt if applicable

  • Any additional items that were not included

High-Level Summary

I was tasked with performing an internal penetration test against the client network. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks similar to those of a real adversary and attempt to infiltrate internal systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to the client.

When performing the internal penetration test, several alarming vulnerabilities were identified on the client's network. I was able to gain access to multiple machines, primarily due to missing patches and poor security configurations. During the testing, I obtained administrative-level access to multiple systems. All in-scope systems were successfully exploited. These systems, along with a brief description of how access was obtained, are listed below:

  • 10.129.227.156 (hostname) - Name of initial exploit

Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.

Methodologies

I utilized a widely adopted approach to penetration testing that is effective in testing how well the environment is secured. Below is a breakout of how I was able to identify and exploit the variety of systems, including all individual vulnerabilities found.

Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, I was tasked with exploiting the client network. The specific IP addresses were:

Network

  • 10.129.227.0/24

Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. During this penetration test, I was able to successfully gain access to X out of the X systems.

System IP: 10.129.227.156

Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, some ports may not be listed.

Server IP Address    Ports Open
10.129.227.156       TCP: 53,80,88,135,139,389,443,445,464,593,636,3268,3269,8172,9389,49667,49693,49694,49704,49719
                     UDP:

Nmap Scan Results

Initial Shell - PowerShell Web Access

Viewing the landing page on the web server (port 80)

Landing Page

Browsing the website, I notice an interesting image.

Zooming in, the image appears to show employee names and a password.

Names and Passwords

I attempt to log in using a common username naming scheme derived from the names together with the password shown in the image. The credentials were correct and SMB shares were revealed.

With these credentials I use the Impacket tool GetUserSPNs to request a service ticket for a Kerberoastable account.

The ticket hash was cracked with hashcat.

With the new set of credentials I collect domain information and parse the generated JSON files for usernames.

I then password-spray the compiled list of usernames and find that edgar.jacobs is also using the web_svc password.
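The two techniques used above, Kerberoasting and password spraying, both leave a distinctive footprint in the domain controller's Security log. The following added example (written for this write-up, not part of the original report or the tools it mentions) runs simple detection logic over constructed sample events: a burst of RC4-encrypted service ticket requests (event 4769, encryption type 0x17) from one account for several user-owned SPNs, and many wrong-password failures (event 4625, status 0xC000006A) from one source against many distinct accounts. The event dictionaries, thresholds and IP addresses are constructed for illustration.

```python
from collections import defaultdict

RC4_HMAC = "0x17"            # TicketEncryptionType value for RC4, the Kerberoast-friendly cipher
WRONG_PASSWORD = "0xC000006A"  # 4625 SubStatus: bad password for an existing account

# Constructed sample events (not from the engagement). Keys mirror the Security
# log fields: 4769 = Kerberos service ticket request, 4625 = failed logon.
SAMPLE_EVENTS = [
    # Kerberoast pattern: one account requests RC4 tickets for several user-owned SPNs.
    {"id": 4769, "account": "web_svc", "service": "sql_svc",    "etype": "0x17", "src": "10.129.227.50"},
    {"id": 4769, "account": "web_svc", "service": "http_svc",   "etype": "0x17", "src": "10.129.227.50"},
    {"id": 4769, "account": "web_svc", "service": "backup_svc", "etype": "0x17", "src": "10.129.227.50"},
    {"id": 4769, "account": "web_svc", "service": "DC01$",      "etype": "0x17", "src": "10.129.227.50"},  # computer account, ignored
    {"id": 4769, "account": "web_svc", "service": "krbtgt",     "etype": "0x12", "src": "10.129.227.50"},  # TGT traffic, ignored
    # Benign: an AES (0x12) ticket for a computer account.
    {"id": 4769, "account": "alice",   "service": "FS01$",      "etype": "0x12", "src": "10.129.227.51"},
    # Password spray pattern: one source, many distinct accounts, wrong password each time.
    *[{"id": 4625, "account": u, "status": WRONG_PASSWORD, "src": "10.129.227.50"}
      for u in ("user01", "user02", "user03", "user04", "user05", "user06")],
    # Benign: one user mistyping their own password a few times.
    *[{"id": 4625, "account": "bob", "status": WRONG_PASSWORD, "src": "10.129.227.60"}] * 3,
]


def kerberoast_suspects(events, min_services=3):
    """Return {requesting_account: sorted SPN owners} for accounts that requested RC4
    service tickets for at least `min_services` distinct non-computer, non-krbtgt accounts."""
    requested = defaultdict(set)
    for ev in events:
        if ev.get("id") != 4769 or ev.get("etype") != RC4_HMAC:
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts have long random passwords; krbtgt is TGT traffic
        requested[ev["account"]].add(svc)
    return {acct: sorted(s) for acct, s in requested.items() if len(s) >= min_services}


def spray_suspects(events, min_targets=5):
    """Return {source_ip: sorted accounts} for sources that produced wrong-password
    failures against at least `min_targets` distinct accounts."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("id") != 4625 or ev.get("status") != WRONG_PASSWORD:
            continue
        targets[ev["src"]].add(ev["account"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for acct, svcs in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"possible Kerberoast by {acct}: RC4 tickets for {', '.join(svcs)}")
    for src, accts in spray_suspects(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(accts)} distinct accounts")
```

In a real deployment the same two rules would be expressed in the SIEM with a time window added; the remediation side is the same as the report's recommendation, namely long random passwords (or gMSAs) for SPN-bearing service accounts, AES-only Kerberos where possible, and a lockout or alerting policy that triggers on the per-source fan-out a spray produces.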

With SMB open, I enumerate edgar.jacobs's share and find a file of interest in his Desktop folder.

Opening the file in LibreOffice shows a password-protected sheet; this protection is easily bypassed.

Password Icon and hidden C column

An .xlsx file is a zip archive. Unzipping it exposes the protected sheet's XML markup, and the sheetProtection element can be removed with any text editor.

Reopening the file shows the previously hidden column in the sheet, revealing passwords.

Unprotected Sheet
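The point worth taking from the steps above is that sheet protection is a user-interface lock, not encryption: the cell values of a hidden column sit in plain XML inside the zip. The following added example (written for this write-up, not part of the original report) builds a minimal constructed workbook with a protected sheet and a hidden column, then audits it the way a defender would triage a file share: it reports whether each worksheet relies on sheetProtection, which columns are hidden, and which cells still carry data there. A workbook saved with a real password-to-open is an OLE container rather than a zip, and the audit reports that case separately; the sheet XML and cell values are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed worksheet: column C is hidden and the sheet carries a sheetProtection
# element, exactly the pattern the report describes. Values are placeholders.
SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="3" max="3" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>user</t></is></c>
               <c r="C1" t="inlineStr"><is><t>password</t></is></c></row>
    <row r="2"><c r="A2" t="inlineStr"><is><t>example.user</t></is></c>
               <c r="C2" t="inlineStr"><is><t>constructed-value</t></is></c></row>
  </sheetData>
  <sheetProtection sheet="1" objects="1" scenarios="1"/>
</worksheet>"""


def build_sample_xlsx():
    """Assemble the smallest zip that the audit below treats as a workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()


def col_index(cell_ref):
    """'C2' -> 3: convert the column letters of a cell reference to a 1-based index."""
    n = 0
    for ch in cell_ref:
        if not ch.isalpha():
            break
        n = n * 26 + (ord(ch.upper()) - ord("A") + 1)
    return n


def audit_xlsx(data):
    """Return one finding per worksheet: does it rely on sheetProtection (a UI lock,
    not encryption), which columns are hidden, and which cells hold data there."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # A password-to-open workbook is an OLE compound file, not a zip; its parts
        # really are encrypted and cannot be read this way.
        return [{"sheet": None, "encrypted_container": True}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            protected = root.find("m:sheetProtection", NS) is not None
            hidden = set()
            for col in root.iterfind("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
            hidden_cells = [c.get("r") for c in root.iterfind("m:sheetData/m:row/m:c", NS)
                            if col_index(c.get("r")) in hidden]
            findings.append({
                "sheet": name,
                "encrypted_container": False,
                "sheet_protection": protected,
                "hidden_columns": sorted(hidden),
                "cells_in_hidden_columns": hidden_cells,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_xlsx(build_sample_xlsx()):
        print(finding)
```

A finding with sheet_protection true and populated cells_in_hidden_columns is the report's situation: the data is readable by anyone who can open the zip. The fix is not a stronger sheet password but keeping credentials out of spreadsheets altogether, or at minimum using file-level encryption, which the first branch of the audit recognises.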

Using these passwords I test for valid credentials and find that the user sierra.frye is valid.

I log in as sierra.frye and begin searching for files. I find two files of interest and download them.

The staff.pfx file appears to be a password-protected certificate bundle (PKCS#12).

Using the tool crackpkcs12 I brute-force and recover the password.

Certificate files are commonly used for client authentication to web servers. I enumerate web directories to find where the certificate can be used and notice a staff directory.

Selecting the certificate

Browsing to the staff directory and selecting the certificate brings me to a Windows PowerShell Web Access login page.

Windows PowerShell Web Access

I log in with sierra.frye's credentials, specifying localhost as the computer name, and gain access.

Logging In
Initial Foothold

Local.txt Proof Screenshot

Local.txt Contents

Privilege Escalation

From the information gathered earlier with BloodHound, sierra.frye has the ReadGMSAPassword right, which can be abused as follows:

Using wmiexec, we gain administrative access.

root Screenshot Here
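The escalation above works because a low-privileged user ended up able to read a gMSA's managed password, usually through nested group membership that nobody reviewed. The following added example (written for this write-up, not part of the original report or of BloodHound) answers the question a defender asks after reading this finding: which users, expanded through nested groups, can read each gMSA password, and which of them are outside the expected allow-list. The data is constructed and only loosely modelled on BloodHound collector JSON ("data" lists of objects carrying "Properties", "Aces" and "Members"); the field names, SIDs and account names are assumptions for the example, and the membership cycle is deliberate to show the walk terminates.

```python
from collections import defaultdict

# Constructed sample data (not from the engagement). Shape is an assumption
# loosely modelled on BloodHound collector output, not an authoritative schema.
GMSA_OBJECTS = [
    {"Properties": {"name": "SVC-GMSA01$@EXAMPLE.LOCAL"},
     "Aces": [
         {"PrincipalSID": "S-1-5-21-0-0-0-1103", "RightName": "ReadGMSAPassword"},
         {"PrincipalSID": "S-1-5-21-0-0-0-512",  "RightName": "GenericAll"},
     ]},
]
GROUPS = [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1103", "Properties": {"name": "GMSA-READERS@EXAMPLE.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1104", "ObjectType": "Group"}]},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1104", "Properties": {"name": "HELPDESK@EXAMPLE.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1105", "ObjectType": "User"},
                 {"ObjectIdentifier": "S-1-5-21-0-0-0-1104", "ObjectType": "Group"}]},  # self-membership cycle
    {"ObjectIdentifier": "S-1-5-21-0-0-0-512", "Properties": {"name": "DOMAIN ADMINS@EXAMPLE.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-500", "ObjectType": "User"}]},
]
USERS = [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1105", "Properties": {"name": "SIERRA.FRYE@EXAMPLE.LOCAL"}},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-500",  "Properties": {"name": "ADMINISTRATOR@EXAMPLE.LOCAL"}},
]


def expand_principal(sid, groups_by_sid, users_by_sid, seen=None):
    """Resolve a SID to the set of user names it ultimately represents, walking
    nested groups and tolerating membership cycles via the shared `seen` set."""
    seen = set() if seen is None else seen
    if sid in seen:
        return set()
    seen.add(sid)
    if sid in users_by_sid:
        return {users_by_sid[sid]["Properties"]["name"]}
    group = groups_by_sid.get(sid)
    if group is None:
        return set()  # unknown SID: foreign principal or deleted object
    names = set()
    for member in group.get("Members", []):
        names |= expand_principal(member["ObjectIdentifier"], groups_by_sid, users_by_sid, seen)
    return names


def gmsa_readers(gmsa_objects, groups, users):
    """Map each gMSA name to the sorted list of users who can read its managed password."""
    groups_by_sid = {g["ObjectIdentifier"]: g for g in groups}
    users_by_sid = {u["ObjectIdentifier"]: u for u in users}
    readers = defaultdict(set)
    for obj in gmsa_objects:
        name = obj["Properties"]["name"]
        for ace in obj.get("Aces", []):
            if ace.get("RightName") == "ReadGMSAPassword":
                readers[name] |= expand_principal(ace["PrincipalSID"], groups_by_sid, users_by_sid)
    return {name: sorted(members) for name, members in readers.items()}


def unexpected_readers(readers, allowed):
    """Reduce the reader map to users outside the expected allow-list of principals."""
    return {name: [u for u in members if u not in allowed]
            for name, members in readers.items()
            if any(u not in allowed for u in members)}


if __name__ == "__main__":
    readers = gmsa_readers(GMSA_OBJECTS, GROUPS, USERS)
    for gmsa, who in unexpected_readers(readers, {"ADMINISTRATOR@EXAMPLE.LOCAL"}).items():
        print(f"{gmsa}: unexpected ReadGMSAPassword via group nesting -> {', '.join(who)}")
```

In Active Directory the right is granted through the gMSA's msDS-GroupMSAMembership attribute; the remediation is to restrict that attribute to the specific computer accounts that run the service, and to review nested membership of any group listed there.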

Root.txt

root.txt Contents

Badge

Post Exploitation

Maintaining Access

Maintaining access to a system is important to us as attackers: being able to get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that, once the focused attack has occurred (e.g. a buffer overflow), we retain administrative access over the system. Many exploits may only work once, and we may never be able to get back into a system after the exploit has already been performed.

House Cleaning

The house cleaning portion of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization's computers, which can cause security issues down the road. Ensuring that we are meticulous and that no remnants of our penetration test are left over is important.

After collecting data from the network was completed, I removed all user accounts and passwords as well as the Meterpreter services installed on the system. The client should not have to remove any user accounts or services from the system.

Additional Items

Appendix - Proof and Local Contents:

IP (Hostname)       Local.txt Contents                  Proof.txt Contents
10.129.227.156      d2fb84163f6279e4cba7cd697bc00992    e3a4149a6c84118bcc4085fe8facc5b0
