FINAL PENTESTING Rev

Offensive Security

Penetration Test Report for


Internal Lab and Exam

Jose Rodriguez

© All rights reserved to Offensive Security, 2016

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from Offensive Security.

Pentest

About this Document


Submitting your course exercises, PWK lab report, along with your exam report, may have its benefits.
For example, up to 5 points may be earned by submitting your lab report along with your exercises.
Although submitting your PWK lab report and the corresponding course exercises is completely
optional, it is not difficult to see why it’s highly recommended to do so.

This document is provided as an example of what is expected, at minimum, in a typical lab report that is
submitted for review. You must successfully compromise no less than 10 machines in the labs and
document all of your steps as illustrated in the “Offensive Security Lab and Exam Penetration Report:
Section 3 - Methodologies” template. You may choose to include more than 10 machines in your
report, however this will not provide any additional points to your final exam score.

The sample report presented in this document has been adapted for the non-native English speaker. For
that reason, Offensive Security has opted for a more visual (i.e. more screenshots) style of reporting. A
narrative of how the machine was compromised as well as vulnerability information can be included in
the report, at your discretion. Please note that this template is only a guide; you may opt not to use it
and create your own. The report, regardless of the template used, must be clear, concise, and most
importantly, it must be reproducible. In other words, we must be able to compromise the machine again
by simply following the report.


Table of Contents
1.0 Offensive Security Lab and Exam Penetration Test Report  4
  1.1 Introduction  4
  1.2 Objective  4
  1.3 Requirements  4
2.0 Report – High-Level Summary  5
  2.1 Report – Recommendations  5
3.0 Report – Methodologies  5
  3.1 Report – Information Gathering  6
  3.2 Report – Service Enumeration  6
  3.3 Report – Penetration  7
  3.4 Report – House Cleaning  14
4.0 PWK Course Exercises  14


1.0 Offensive Security Lab and Exam Penetration Test Report


1.1 Introduction
The Offensive Security Lab and Exam penetration test report should contain all the steps taken to
successfully compromise machines both in the exam and lab environments. Accompanying data used in
both environments should also be included, such as PoCs, custom exploit code, and so on. Please note
that this report will be graded from a standpoint of correctness and completeness. The purpose of this
report is to ensure that the student has a full understanding of penetration testing methodologies as
well as the technical knowledge required to successfully achieve the Offensive Security Certified
Professional (OSCP) certification.

1.2 Objective
The objective of this assessment is to perform an internal penetration test against the Offensive Security
Lab and Exam network. The student is tasked with following a methodical approach in obtaining access to
the objective goals. This test should simulate an actual penetration test and how you would start from
beginning to end, including the overall report. A sample page has been included in this document that
should help you determine what is expected of you from a reporting standpoint. Please use the sample
report as a guide to get you through the reporting requirement of the course.

1.3 Requirements
The student will be required to complete this penetration testing report in its entirety and to include the
following sections:

• Overall High-Level Summary and Recommendations (Non-technical)
• Methodology walk-through and detailed outline of steps taken
• Each finding with accompanying screenshots, walk-throughs, sample code, and proof.txt file if
applicable.
• Any additional items as deemed necessary

2.0 Report – High-Level Summary
OS-XXXXX was tasked with performing an internal penetration test in the Offensive Security Labs and
Exam network. An internal penetration test is a simulated attack against internally connected systems.

The focus of this test is to perform attacks, similar to those of a malicious entity, and attempt to
infiltrate Offensive Security’s internal lab systems – the THINC.local domain, and the exam network. OS-
XXXXX’s overall objective was to evaluate the network, identify systems, and exploit flaws while
reporting the findings back to Offensive Security.

While conducting the internal penetration test, there were several alarming vulnerabilities that were
identified within Offensive Security’s network. For example, OS-XXXXX was able to gain access to
multiple machines, primarily due to outdated patches and poor security configurations. During testing,
OS-XXXXX had administrative level access to multiple systems. All systems were successfully exploited
and access granted. These systems as well as a brief description on how access was obtained are listed
below:

• Target #1 – Obtained a low-privilege shell via the vulnerable web application called 'KikChat'.
Once in, access was leveraged to escalate to 'root' using the 'getsystem' command in
Meterpreter.

2.1 Report - Recommendations


OS-XXXXX recommends patching the vulnerabilities identified during the penetration test to ensure that
an attacker cannot exploit these systems in the future. One thing to remember is that these systems
require frequent patching and once patched, should remain on a regular patch program in order to
mitigate additional vulnerabilities that may be discovered at a later date.

3.0 Report – Methodologies


OS-XXXXX utilized a widely adopted approach to performing penetration testing that is effective in
testing how well the Offensive Security Labs and Exam environments are secure. Below is a summary of
how OS-XXXXX was able to identify and exploit a number of systems.

3.1 Report – Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the
penetration test. During this penetration test, OS-XXXXX was tasked with exploiting the lab and exam
network. The specific IP addresses were:

Lab Network
10.0.2.20

3.2 Report – Service Enumeration


The service enumeration portion of a penetration test focuses on gathering information about what
services are alive on a system or systems. This is valuable to an attacker as it provides detailed
information on potential attack vectors into a system. Understanding what applications are running on
the system provides an attacker with vital information before conducting the actual penetration test. In
some cases, some ports may not be listed.

Server IP Address Ports Open Service/Banner

192.168.31.218 TCP: 80, 3389 Apache / RDP

Server IP Address / Ports Open / Service/Banner (10.0.2.20, full TCP port scan):

nmap -sV -p- 10.0.2.20 -T 3


Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-15 23:10 CEST
Nmap scan report for 10.0.2.20
Host is up (0.00082s latency).
Not shown: 65513 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
3389/tcp open ssl/ms-wbt-server?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8020/tcp open http Apache httpd
8027/tcp open papachi-p2p-srv?
8383/tcp open http Apache httpd
8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp open wap-wsp?
9300/tcp open vrace?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49187/tcp open msrpc Microsoft Windows RPC
49188/tcp open msrpc Microsoft Windows RPC

Now we will run an exhaustive scan of the ports and the characteristics of each one.

Server IP Address / Ports Open / Service/Banner (10.0.2.20):

nmap -AO -oX Pent-Metwin.xml 10.0.2.20 -T3


Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-16 00:04 CEST
Nmap scan report for 10.0.2.20
Host is up (0.0011s latency).
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
| ssh-hostkey:
| 2048 a330aed36f542c6056ce77bc62cd08ac (RSA)
|_ 521 8118a79ca4937c944b005790b67e9b9d (ECDSA)
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
3389/tcp open tcpwrapped
| rdp-ntlm-info:
| Target_Name: VAGRANT-2008R2
| NetBIOS_Domain_Name: VAGRANT-2008R2
| NetBIOS_Computer_Name: VAGRANT-2008R2
| DNS_Domain_Name: vagrant-2008R2
| DNS_Computer_Name: vagrant-2008R2
| Product_Version: 6.1.7601
|_ System_Time: 2022-10-15T22:06:40+00:00
| ssl-cert: Subject: commonName=vagrant-2008R2
| Not valid before: 2022-10-11T18:33:04
|_Not valid after: 2023-04-12T18:33:04
|_ssl-date: 2022-10-15T22:07:01+00:00; +1s from scanner time.
8383/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request

9200/tcp open wap-wsp?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=UTF-8
| Content-Length: 80
| handler found for uri [/nice%20ports%2C/Tri%6Eity.txt%2ebak] and method [GET]
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: application/json; charset=UTF-8
| Content-Length: 305
| "status" : 200,
| "name" : "Elven",
| "version" : {
| "number" : "1.1.1",
| "build_hash" : "f1585f096d3f3985e73456debdc1a0745f512bbc",
| "build_timestamp" : "2014-04-16T14:27:12Z",
| "build_snapshot" : false,
| "lucene_version" : "4.7"
| "tagline" : "You Know, for Search"
| HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; charset=UTF-8
| Content-Length: 0
| RTSPRequest, SIPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain; charset=UTF-8
|_ Content-Length: 0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following
fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9200-TCP:V=7.93%
MAC Address: 08:00:27:EA:43:DB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/
o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/
o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8,
or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: VAGRANT-2008R2, NetBIOS user: <unknown>, NetBIOS MAC:
080027ea43db (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2022-10-15T22:06:40
|_ start_date: 2022-10-15T22:01:20
|_clock-skew: mean: 1h24m01s, deviation: 3h07m50s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard
6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: vagrant-2008R2
| NetBIOS computer name: VAGRANT-2008R2\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-10-15T15:06:40-07:00

TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 10.0.2.20
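As an added example (not part of the original report), the following Python script turns nmap text output like the scans above into the report's service table and flags the risk items the output itself shows: the TRACE method on port 80, MySQL reachable on 3306, the Elasticsearch 1.1.1 banner on 9200 (identified from the "You Know, for Search" tagline in the fingerprint), and SMB message signing disabled. The scan text embedded in it is a constructed excerpt copied from this report's nmap output.

```python
# Added example (not from the report): parse nmap -sV/-A text output such as the scan
# above into the report's service table and flag the risky findings it shows.
import re

SCAN = """\
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 7.5
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
9200/tcp open wap-wsp?
| "number" : "1.1.1",
| "tagline" : "You Know, for Search"
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""  # constructed excerpt, copied from the nmap output in this report

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Return (ports, notes): port dicts plus NSE script lines keyed by port or 'host'."""
    ports, notes, current = [], {"host": []}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports.append({"port": current, "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip()})
            notes[current] = []
        elif line.startswith("Host script results"):
            current = "host"
        elif line.startswith("|") and current is not None:
            notes[current].append(line.lstrip("|_ ").strip())  # drop the NSE tree prefix
    return ports, notes

def service_table(host, ports):
    """Rows for the report's 'Server IP Address / Ports Open / Service/Banner' table."""
    return [f"{host}\tTCP: {p['port']}\t{p['service']} {p['version']}".rstrip()
            for p in ports if p["state"] == "open" and p["proto"] == "tcp"]

def findings(ports, notes):
    """Risk flags a reviewer would raise from this scan (a triage aid, not a scanner)."""
    out = []
    for p in ports:
        blob = " ".join(notes[p["port"]])
        if p["service"] == "http" and "TRACE" in blob:
            out.append((p["port"], "HTTP TRACE method enabled"))
        if p["service"] == "mysql":
            out.append((p["port"], "MySQL reachable from the network"))
        if "You Know, for Search" in blob and '"number" : "1.1.1"' in blob:
            out.append((p["port"], "Elasticsearch 1.1.1 banner (end-of-life release)"))
    if "message_signing: disabled" in " ".join(notes["host"]):
        out.append((445, "SMB message signing disabled"))
    return sorted(out)
```

Run it against the saved normal output of the scan (or the text of the -oX file converted back with nmap's own output) to fill the table and the recommendations section consistently across hosts.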

► Now we will run a vulnerability scan with the Nikto tool. On port 80 it scans the web server for
multiple items, including dangerous files and programs and outdated versions of the web server
software. It also checks for server configuration errors and possible vulnerabilities that may exist.

3.3 Report – Penetration


The penetration testing portion of the assessment focuses heavily on gaining access to a variety of
systems. During this penetration test, OS-XXXXX was able to successfully gain access to 10 out of the 50
systems.

Vulnerability Exploited: KikChat - (LFI/RCE) Multiple Vulnerability

System Vulnerable: 192.168.31.218

Vulnerability Explanation: The KikChat web application suffers from a Local File Include (LFI), as well as
a Remote Code Execution (RCE) vulnerability. A combination of these vulnerabilities was used to obtain
a low privilege shell.

Privilege Escalation Vulnerability: Named Pipe Impersonation (In Memory/Admin)

Vulnerability Fix: No known patch or update for this issue.

Severity: Critical

Information Gathering:

We start with a Metasploit auxiliary module for SSH brute-forcing.

We continue searching for users and passwords with different dictionaries.

We keep finding different usernames and passwords in order to get a successful login via SSH.

We test with SSH that the usernames and passwords found give us a connection.

Now, once connected, we find out all the users existing on the system.

Now we can see the details of the different users found.

We could not find the password of the Guest user, and in its information we see that this is because it
does not have one.

Now, with the Administrator's details and the scp command, we send a Visual Basic script to make a
copy of the SAM and system files.

We have managed to create a copy of these files on the victim's system.

We copy those files containing SAM and system to an easier path for extraction.

Now, using the scp command again, we send the SAM and system files to our machine.
Using the hashdump command we view the contents of the SAM and system files.
Next, using John the Ripper and different dictionaries such as rockyou or Kaonashi, we try to crack the
passwords. As can be seen, it succeeds with some of them.

Now we will try it another way, directly using a Windows Server 2008 vulnerability, with EternalBlue.
As we can see, we get a shell without any problem.
