1 | Page

Offensive Security Penetration Test Report for Internal Lab and Exam

v.1.1

[email protected]

OSID: XXXXX

© All rights reserved to Offensive Security, 2016

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from Offensive Security.




About this Document

Submitting your course exercises, PWK lab report, along with your exam report, may have its benefits. For example, up to 5 points may be earned by submitting your lab report along with your exercises. Although submitting your PWK lab report and the corresponding course exercises is completely optional, it is not difficult to see why it's highly recommended to do so.

This document is provided as an example of what is expected, at minimum, in a typical lab report that is submitted for review. You must successfully compromise no less than 10 machines in the labs and document all of your steps as illustrated in the "Offensive Security Lab and Exam Penetration Report: Section 3 - Methodologies" template. You may choose to include more than 10 machines in your report, however this will not provide any additional points to your final exam score.

The sample report presented in this document has been adapted for the non-native English speaker. For that reason, Offensive Security has opted for a more visual (i.e. more screenshots) style of reporting. A narrative of how the machine was compromised as well as vulnerability information can be included in the report, at your discretion. Please note that this template is only a guide; you may opt not to use it and create your own. The report, regardless of the template used, must be clear, concise, and most importantly, it must be reproducible. In other words, we must be able to compromise the machine again by simply following the report.


Table of Contents

1.0 Offensive Security Lab and Exam Penetration Test Report ........ 4
1.1 Introduction ........ 4
1.2 Objective ........ 4
1.3 Requirements ........ 4
2.0 Report – High-Level Summary ........ 5
2.1 Report - Recommendations ........ 5
3.0 Report – Methodologies ........ 5
3.1 Report – Information Gathering ........ 6
3.2 Report – Service Enumeration ........ 6
3.3 Report – Penetration ........ 7
3.4 Report – House Cleaning ........ 14
4.0 PWK Course Exercises ........ 14


1.0 Offensive Security Lab and Exam Penetration Test Report

1.1 Introduction

The Offensive Security Lab and Exam penetration test report should contain all the steps taken to successfully compromise machines both in the exam and lab environments. Accompanying data used in both environments should also be included, such as PoCs, custom exploit code, and so on. Please note that this report will be graded from a standpoint of correctness and completeness. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge required to successfully achieve the Offensive Security Certified Professional (OSCP) certification.

1.2 Objective

The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab and Exam network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. A sample page has been included in this document that should help you determine what is expected of you from a reporting standpoint. Please use the sample report as a guide to get you through the reporting requirement of the course.

1.3 Requirements

The student will be required to complete this penetration testing report in its entirety and to include the following sections:

• Overall High-Level Summary and Recommendations (Non-technical)

• Methodology walk-through and detailed outline of steps taken

• Each finding with accompanying screenshots, walk-throughs, sample code, and proof.txt file if applicable.

• Any additional items as deemed necessary


2.0 Report – High-Level Summary

OS-XXXXX was tasked with performing an internal penetration test in the Offensive Security Labs and Exam network. An internal penetration test is a simulated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious entity, and attempt to infiltrate Offensive Security's internal lab systems – the THINC.local domain, and the exam network. OS-XXXXX's overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.

While conducting the internal penetration test, there were several alarming vulnerabilities that were identified within Offensive Security's network. For example, OS-XXXXX was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During testing, OS-XXXXX had administrative level access to multiple systems. All systems were successfully exploited and access granted. These systems as well as a brief description on how access was obtained are listed below:

• Target #1 – Obtained a low-privilege shell via the vulnerable web application called 'KikChat'. Once in, access was leveraged to escalate to 'root' using the 'getsystem' command in Meterpreter.

2.1 Report - Recommendations

OS-XXXXX recommends patching the vulnerabilities identified during the penetration test to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program in order to mitigate additional vulnerabilities that may be discovered at a later date.

3.0 Report – Methodologies

OS-XXXXX utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Labs and Exam environments are secured. Below is a summary of how OS-XXXXX was able to identify and exploit a number of systems.


3.1 Report – Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, OS-XXXXX was tasked with exploiting the lab and exam network. The specific IP addresses were:

Lab Network

192.168.31.218

3.2 Report – Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable to an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system provides an attacker with vital information before conducting the actual penetration test. In some cases, some ports may not be listed.

Server IP Address    Ports Open        Service/Banner
192.168.31.218       TCP: 80, 3389     Apache/RDP


3.3 Report – Penetration

The penetration testing portion of the assessment focuses heavily on gaining access to a variety of systems. During this penetration test, OS-XXXXX was able to successfully gain access to 10 out of the 50 systems.

Vulnerability Exploited: KikChat - (LFI/RCE) Multiple Vulnerability

System Vulnerable: 192.168.31.218

Vulnerability Explanation: The KikChat web application suffers from a Local File Include (LFI), as well as a Remote Code Execution (RCE) vulnerability. A combination of these vulnerabilities was used to obtain a low privilege shell.

Privilege Escalation Vulnerability: Named Pipe Impersonation (In Memory/Admin)

Vulnerability Fix: No known patch or update for this issue.

Severity: Critical

Information Gathering:


Full Nmap scan of all ports:

Nikto scan on target's port 80:


Content of target's robots.txt (using curl):

Further enumeration of port 80 using a browser:

Searching Exploit-DB for PoC on KikChat's vulnerability:


Proof Of Concept Code: https://www.exploit-db.com/exploits/30235/

Confirming RCE: Using the PoC from Exploit-DB, additional information about the web server is gathered by creating a php file with 'phpinfo()', and viewing it.

Command issued from terminal:

curl -s http://192.168.31.218/8678576453/rooms/get.php\?name\=info.php\&ROOM\="<?php+phpinfo()+?>"

Viewing custom php file in the browser:


Getting Low-Privilege shell:

Using the RCE vulnerability, create a php file called 'shell.php' that will download 'nc.txt'. Save it as a batch file, create 'nc.exe' and connect back to attacker:

Hosting 'nc.txt' file:

RCE command to download 'nc.txt', run 'shell.php', and connect to attacking machine:

Listener on attacking machine:
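As an added example that is not part of the original report or of the KikChat application, the following Python scans Apache access-log lines for the two request shapes the "Confirming RCE" and "Getting Low-Privilege shell" steps above rely on: a get.php request whose name/ROOM parameters plant a PHP file (first info.php, then shell.php), and a direct request that runs the planted file under rooms/. The path /8678576453/rooms/get.php and the name and ROOM parameters come from the curl command in the report; the log lines, client IP and the idea that rooms/ should only hold chat data are constructed assumptions.

```python
"""Flag KikChat-style file-write RCE attempts in constructed Apache log lines.

Added example, not part of the original report: get.php's 'name' and 'ROOM'
parameters are abused to write a PHP file, which is then requested directly.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache access log prefix (client, ident, user, timestamp, request, status, size).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')
EXEC_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)

# Constructed sample: 192.168.31.218 is the report's target, the client IP is made up.
SAMPLE_LOG = [
    '192.168.31.50 - - [10/Mar/2016:10:01:02 +0000] "GET /8678576453/rooms/get.php?name=lobby&ROOM=hello HTTP/1.1" 200 512',
    '192.168.31.50 - - [10/Mar/2016:10:01:09 +0000] "GET /8678576453/rooms/get.php?name=info.php&ROOM=%3C%3Fphp+phpinfo()+%3F%3E HTTP/1.1" 200 77',
    '192.168.31.50 - - [10/Mar/2016:10:02:31 +0000] "GET /8678576453/rooms/get.php?name=..%2F..%2Fshell.php&ROOM=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 80',
    '192.168.31.50 - - [10/Mar/2016:10:02:40 +0000] "GET /8678576453/rooms/shell.php HTTP/1.1" 200 0',
    '192.168.31.50 - - [10/Mar/2016:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 43',
]

def classify(line):
    """Return {'ip', 'url', 'reasons'} for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    reasons = []
    if parts.path.endswith("/rooms/get.php"):
        # parse_qs percent-decodes and turns '+' into spaces, as PHP would.
        qs = parse_qs(parts.query, keep_blank_values=True)
        name = qs.get("name", [""])[0]
        room = qs.get("ROOM", [""])[0]
        if EXEC_EXT_RE.search(name):
            reasons.append("room name has an executable extension")
        if ".." in name or "/" in name or "\\" in name:
            reasons.append("path traversal in room name")
        if PHP_TAG_RE.search(room):
            reasons.append("PHP open tag in ROOM content")
    elif "/rooms/" in parts.path and EXEC_EXT_RE.search(parts.path):
        # Rooms hold chat data, so a script served from there was planted.
        reasons.append("direct request for a script under rooms/")
    return {"ip": m.group("ip"), "url": m.group("url"), "reasons": reasons} if reasons else None

def scan(lines):
    """Run classify() over log lines and return the findings in order."""
    return [f for f in map(classify, lines) if f]
```

Run against SAMPLE_LOG, scan() returns three findings (the info.php write, the traversal write of shell.php, and the direct request for shell.php) and ignores the benign room request and robots.txt fetch.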


Privilege Escalation: Using Metasploit, a meterpreter php reverse shell is created. Once created, it is then uploaded to the target machine the same way as the 'nc.txt' file, and then it is executed using 'curl'.

Creating Meterpreter PHP reverse shell:

Hosting & executing malicious file:


Creating a Meterpreter reverse TCP shell, executing it, and escalating with 'getsystem':


Proof file:

3.4 Report – House Cleaning

The house-cleaning portion of the assessment ensures that remnants of the penetration test are removed. Oftentimes, fragments of tools or user accounts are left on an organization's computer, which can cause security issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left over is of paramount importance.

After the objectives on both the lab network and exam network were successfully completed, OS-XXXXX removed all user accounts and passwords as well as the Meterpreter services installed on the system. Offensive Security should not have to remove any user accounts or services from any of the systems.

4.0 PWK Course Exercises

Course exercises are to be documented and added in this section of the report.