PEN-200 Lab Report
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved
to its copyright owner, including photocopying and all other copying, any transfer or transmission using any
network or other means of communication, any broadcast for distant learning, in any form or by any means such as
any information storage, transmission or retrieval system, without prior written permission from Offensive Security.
Offensive Security Lab Penetration Test Report
1. Objective
During the internal penetration test, several alarming vulnerabilities were identified on Offensive Security's network. While carrying out the attacks, OS-XXXXXX was able to gain access to multiple machines, primarily because of missing patches and weak security configurations. Over the course of the testing, OS-XXXXXX obtained administrative-level access to multiple systems. All systems were successfully exploited and access was granted.
2. Lab Network
Offensive Security Complete Guide machines (alpha and beta) may not be included in your lab report; they are for demonstration purposes only.
For more information regarding the Bonus Points requirements, please visit the following URL:
Exam-Guide
Alpha
After inspecting the HTTP headers of the landing page on port 80, we discovered that it is served by Apache/2.4.7 (Ubuntu) with PHP/5.5.9-1ubuntu4.4. We can confirm the presence of a CGI-bin directory and a possible Shellshock arbitrary code execution vulnerability (EDB 34900) by running a directory brute-forcing attack or by using a vulnerability scanner such as Nikto. We can interact with the script directly to receive a reverse shell on our attacker ma-
We can reuse this password on one of the user accounts present on this machine, gibson. After switching to that user with the su gibson command, we immediately discovered that this user is a member of the 'sudo' group, meaning that privilege escalation was possible by running su once again, this time through sudo:
su gibson
sudo su
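As an added defensive example (not part of the original report), the following Python script scans Apache access-log lines for the "() {" request signature that a Shellshock probe against a CGI script (the EDB 34900 finding on Alpha) carries, and counts requests under /cgi-bin/ per client, which is what the directory brute-forcing described above looks like from the server side. The log lines and the /cgi-bin/admin.cgi path are constructed sample data.

```python
import re

# Constructed sample lines in Apache combined log format (not from the report).
# The third line carries the "() {" header value that a Shellshock probe against
# a CGI script (EDB 34900) sends; /cgi-bin/admin.cgi is a placeholder path.
SAMPLE_LOG = """\
10.11.0.5 - - [12/Mar/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.0.5 - - [12/Mar/2021:10:01:30 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.11.0.9 - - [12/Mar/2021:10:02:01 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 64 "-" "() { :;}; echo probe"
10.11.0.9 - - [12/Mar/2021:10:02:05 +0000] "GET /index.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A Bash exported function definition begins with "() {"; a header value that
# starts like this is the Shellshock trigger, whatever command follows it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_attempts(log_text):
    """One record per line whose user-agent, referer or path carries the signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the scan
        for field in ("ua", "referer", "path"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "field": field, "value": rec[field]})
                break
    return hits

def cgi_requests_by_ip(log_text):
    """Requests under /cgi-bin/ per client IP; a burst here is the scanning described above."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/cgi-bin/"):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts
```

Run against a real access.log by reading the file into log_text; a match in any header field is worth an alert on its own, while the per-IP /cgi-bin/ counts are better used as a threshold signal.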
Beta
From the Initial Service Scan, we can observe the presence of several open ports related to the James Server, a mail server maintained by Apache. The most unusual entry in this list is Apache's James Remote Administration service on port 4555. By interacting with it using netcat, we confirmed that it uses the default credentials 'root/root'. Using this service, we reset the mailbox passwords of all the users present on it.
nc 4555
setpassword ryuu 123456
After resetting the password, we can log in to the POP3 server on port 111 to read the emails. One of the emails in Ryuu's inbox contained the SSH credentials that gave us access to this machine: 'ryuu/QUHqhUPRKX-
Lateral Movement – Escaping a Restricted Shell
We quickly fix the PATH using the export command. Checking the OS and the kernel, we find that both are outdated. Since our target is Ubuntu 11.01, kernel 3.0.0-12-generic, 32-bit, we chose the 'Mempodipper' Local Privilege Escalation exploit (EDB 35161). gcc is already installed on the target, so we can download the exploit and obtain the root shell using the following commands:
python -c 'import pty;pty.spawn("/bin/bash")'
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
gcc 35161.c -o beta
3. Exercises
Reporting is not required for the exercises below; they are for demonstration purposes only. For more information regarding the reporting requirements, please visit the following link
3. Find your favorite tool and review its documentation.
5. Use find to identify any file (not directory) modified in the last day, NOT owned by the root user, and execute ls -l on them.
dpkg