OSCP MemDump IN 2022 CAN39721

OSCP Leak from Data Bank - CAN39721 ShadowBrokersGroup Limited

Uploaded by mhfehackify

OFFENSIVE SECURITY

OSCP Penetration Test Report


v.2.0

Copyright © 2022 Offensive Security Ltd. All rights reserved.

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from Offensive Security.

1 | Page
Table of Contents

1. Offensive Security OSCP Exam Penetration Test Report (p. 3)
   1.1 Introduction (p. 3)
   1.2 Objective (p. 3)
   1.3 Requirements
2. High-Level Summary (p. 4)
   2.1 Recommendations (p. 4)
3. Methodologies (p. 4)
   3.1 Information Gathering (p. 4)
   3.2 Service Enumeration (p. 5)
   3.3 Penetration (p. 5)
   3.4 Maintaining Access (p. 5)
   3.5 House Cleaning (p. 5)
4. Independent Challenges (p. 7)
   4.1 Target #1 – 192.168.122.114 (p. 7)
      4.1.1 Service Enumeration (p. 7)
      4.1.2 Initial Access (p. 10)
      4.1.3 Privilege Escalation (p. 12)
   4.2 Target #2 – 192.168.122.110 (p. 15)
      4.2.1 Service Enumeration (p. 15)
      4.2.2 Initial Access (p. 16)
      4.2.3 Privilege Escalation (p. 22)
5. Active Directory Set (p. 26)
   5.1 Ajla – 10.4.4.10 (p. 26)
      5.1.1 Initial Access – Password Brute-Forcing (p. 26)
      5.1.2 Privilege Escalation – Sudo group (p. 32)
      5.1.3 Post-Exploitation
   5.2 Poultry – 10.5.5.20
      5.2.1 Initial Access – RDP login
      5.2.2 Post-Exploitation
   5.3 DC – 10.5.5.30
      5.3.1 Initial Access – Remote Commands Execution
      5.3.2 Post-Exploitation

1. Offensive Security OSCP Exam Penetration Test Report


1.1 Introduction

The Offensive Security Lab and Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security course. This report should contain all items that were used to pass the overall exam, and it will be graded from a standpoint of correctness and completeness across all aspects of the exam. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to meet the qualifications for the Offensive Security Certified Professional.

1.2 Objective

The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab and Exam network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test from beginning to end, including the overall report. An example page has already been created for you in the latter portions of this document that should give you ample information on what is expected to pass this course. Use the sample report as a guideline to get you through the reporting.

1.3 Requirements

The student will be required to fill out this penetration testing report fully and to include the following sections:

• Overall High-Level Summary and Recommendations (non-technical)

• Methodology walkthrough and detailed outline of steps taken

• Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable

• Any additional items that were not included

2. High-Level Summary
John Doe was tasked with performing an internal penetration test towards Offensive Security Labs. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a hacker, and attempt to infiltrate Offensive Security’s internal lab systems – the THINC.local domain. John’s overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.

When performing the internal penetration test, several alarming vulnerabilities were identified on Offensive Security’s network. When performing the attacks, John was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the testing, John had administrative level access to multiple systems. All systems were successfully exploited and access granted.

2.1 Recommendations

John recommends patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.

3. Methodologies
John utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Labs and Exam environments are secured. Below is a breakout of how John was able to identify and exploit the variety of systems, and it includes all individual vulnerabilities found.

3.1 Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, John was tasked with exploiting the lab and exam network. The specific IP addresses were:

Exam Network:

172.16.203.133, 172.16.203.134, 172.16.203.135, 172.16.203.136

3.2 Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, some ports may not be listed.

3.3 Penetration

The penetration testing portion of the assessment focuses heavily on gaining access to a variety of systems. During this penetration test, John was able to successfully gain access to 10 out of the 50 systems.

3.4 Maintaining Access

Maintaining access to a system is important to us as attackers; ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e., a buffer overflow), we have administrative access over the system again. Many exploits may only be exploitable once, and we may never be able to get back into a system after we have already performed the exploit.

John added administrator and root level accounts on all systems compromised. In addition to the administrative/root access, a Metasploit Meterpreter service was installed on the machine to ensure that additional access could be established.

3.5 House Cleaning

The house cleaning portion of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization’s computers, which can cause security issues down the road. Ensuring that we are meticulous and that no remnants of our penetration test are left over is important.

After the trophies on both the lab network and exam network were completed, John removed all user accounts and passwords as well as the Meterpreter services installed on the system. Offensive Security should not have to remove any user accounts or services from the system.

4. Independent Challenges
4.1 Target #1 – 192.168.122.114

4.1.1 Service Enumeration

Port Scan Results

IP Address         Ports Open
192.168.112.114    TCP: 21, 22, 80, 139, 445

FTP Enumeration

Upon manual enumeration of the available FTP service, since the FTP service was open, I logged in using anonymous login and downloaded all the files. When I analyzed all the files, one of the PDF files was found to contain an audit report with passwords.

By using these creds, I created a password list.

After that, I used wpscan to enumerate port 80, which showed a vulnerable WordPress plugin called MailMasta that led to an LFI vulnerability.

EXPLOIT LINK:

https://www.exploit-db.com/exploits/40290

We successfully exploited the MailMasta plugin on port 80 and were able to get usernames from /etc/passwd.

4.1.2 Initial Access using SSH

Vulnerability Explanation: Ability Server 2.34 is subject to a buffer overflow vulnerability in the STOR field. Attackers can use this vulnerability to cause arbitrary remote code execution and take complete control over the system.

Vulnerability Fix: The publishers of the Ability Server have issued a patch to fix this known issue. It can be found here: http://www.code-crafters.com/abilityserver/

Severity: Critical

Steps to reproduce the attack: The operating system was different from the known public exploit. A rewritten exploit was needed in order for successful code execution to occur. Once the exploit was rewritten, a targeted attack was performed on the system which gave John full administrative access over the system.

Using these usernames and passwords, I tried brute-forcing SSH with hydra and got a successful login.
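The hydra run above leaves a distinctive trace on the target: a burst of failed password logins from one address, across several usernames, followed by a success. As an added example that is not part of the report, this Python script parses constructed OpenSSH auth.log lines and flags exactly that pattern, which is the signal a defender would alert on (and which lockout tooling or key-only SSH would prevent).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth.log lines (not data from the report): 192.0.2.50 fails five
# times across three usernames within seconds and then logs in as bob.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 target sshd[2201]: Failed password for alice from 192.0.2.50 port 41022 ssh2
Mar  3 10:12:02 target sshd[2202]: Failed password for alice from 192.0.2.50 port 41024 ssh2
Mar  3 10:12:02 target sshd[2203]: Failed password for bob from 192.0.2.50 port 41026 ssh2
Mar  3 10:12:03 target sshd[2204]: Failed password for invalid user carol from 192.0.2.50 port 41028 ssh2
Mar  3 10:12:04 target sshd[2205]: Failed password for bob from 192.0.2.50 port 41030 ssh2
Mar  3 10:12:05 target sshd[2206]: Accepted password for bob from 192.0.2.50 port 41032 ssh2
Mar  3 10:30:00 target sshd[2300]: Accepted publickey for admin from 198.51.100.7 port 50001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_auth_log(text, year=2022):
    """Return (timestamp, ip, user, result, method) tuples; syslog lines carry no year."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold password failures in one window, plus any success right after."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "Failed" and e[4] == "password"]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 < threshold:
                continue
            last_fail = fails[end][0]
            success = next((e for e in evs if e[3] == "Accepted" and e[4] == "password"
                            and last_fail <= e[0] <= last_fail + timedelta(seconds=window_seconds)), None)
            findings[ip] = {"failures": end - start + 1,
                            "usernames_tried": sorted({e[2] for e in fails[start:end + 1]}),
                            "compromised_user": success[2] if success else None}
            break  # one finding per source IP is enough for alerting
    return findings
```

Running `find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))` reports 192.0.2.50 with five failures, the usernames alice, bob and carol, and bob as the account that was then logged into; the key-based admin login is ignored.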

Proof of Concept:

4.1.3 Privilege Escalation

Steps to reproduce: After establishing a foothold on the target, I checked whether the user had sudo privileges.

The user had sudo privileges, so I tried to escalate privileges by abusing /usr/bin/mawk, using the command I got from GTFOBins.
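A sudo rule that grants an interpreter such as mawk is root-equivalent, which is what the escalation above relied on. As an added example that is not part of the report, this Python script parses constructed `sudo -l` output and flags such rules so an administrator can find and remove them; the binary list is an assumed short subset of what GTFOBins documents, not an exhaustive one.

```python
import re
from os.path import basename

# Assumed subset of binaries that GTFOBins documents as able to spawn a shell or run
# arbitrary commands under sudo; a sudo rule for any of these is root-equivalent.
SHELL_ESCAPE_BINARIES = {"mawk", "awk", "gawk", "nawk", "vi", "vim", "less", "more",
                         "find", "python", "python3", "perl", "bash", "sh", "env"}

# Constructed `sudo -l` output for a low-privilege user (not taken from the report).
SAMPLE_SUDO_L = """\
Matching Defaults entries for john on target:
    env_reset, mail_badpass

User john may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/mawk
    (root) /usr/bin/systemctl status apache2
    (root) NOPASSWD: /usr/local/bin/backup.sh
    (ALL : ALL) ALL
"""

# A command rule looks like "(runas) TAG: TAG: command"; Defaults lines never start with "(".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(text):
    """Return one dict per command rule found in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"].strip(), "command": m["cmd"].strip(),
                          "nopasswd": "NOPASSWD:" in m["tags"]})
    return rules

def audit_sudo_rules(rules):
    """Label each rule's risk ('all', 'shell-escape' or None) and return the risky ones."""
    for r in rules:
        binary = basename(r["command"].split()[0])
        if r["command"] == "ALL":
            r["risk"] = "all"            # blanket root; remove or scope to exact commands
        elif binary in SHELL_ESCAPE_BINARIES:
            r["risk"] = "shell-escape"   # interpreter/editor/pager: equivalent to root shell
        else:
            r["risk"] = None             # fixed command line; still review the script itself
    return [r for r in rules if r["risk"]]
```

Against the sample, the mawk rule (NOPASSWD, shell-escape) and the blanket ALL rule are returned, while the systemctl status and backup.sh rules are not.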

Vulnerability Fix: Since this is a custom web application, a specific update will not properly solve this issue. The application will need to be programmed to properly sanitize user-input data, ensure that the user is running off of a limited user account, and that any sensitive data stored within the SQL database is properly encrypted. Custom error messages are highly recommended, as it becomes more challenging for the attacker to exploit a given weakness if errors are not being presented back to them.

Severity: Critical

Steps to reproduce the attack:

4.1.3 Post-Exploitation

4.2 Target #2 – 192.168.122.110

4.2.1 Service Enumeration

Port Scan Results

IP Address         Ports Open
192.168.112.110    TCP: 21, 22, 80, 84, 89, 700, 1117, 2034, 2602, 3306, 6025, 6666, 7435, 8080, 8081, 13722, 34573,
