Pentestit V14 CTF - Introduction and Finding Token 1 (Site Token)


Test lab is a free platform for testing and improving penetration-testing skills. It presents a virtual corporate network made up of vulnerable and non-vulnerable components (servers, network equipment and workstations). Instructions for accessing the labs and for setting up the OpenVPN connection on Linux and Windows are on the Pentestit main web page. Once connected, the gateways 192.168.101.14 and 192.168.101.15 become reachable; the rest of the lab gateways sit behind them.

We start with an nmap scan of the gateway 192.168.101.14 and find open ports 80, 143 and 8080.



Attempting to connect to port 80 (192.168.101.14:80) to reach the web application, we are redirected to site.test.lab, but the browser cannot resolve the name (ERR_NAME_NOT_RESOLVED). To access the site, we add a record for it to /etc/hosts using vi or any editor of your choice.



The site lists employee email addresses, which we save for later use.





Viewing the HTML source of the page shows that it is running WordPress. We run WPScan to look for vulnerabilities and find that the site is vulnerable to a local file inclusion (LFI) vulnerability, which can be exploited with Exploit-DB's exploit 40290.







We then use the Burp Suite proxy to capture the web request (LFI path included) but get an error when forwarding it from Burp's Repeater. This is an indication that the site is probably protected by a Web Application Firewall (WAF), which a wafw00f scan for web application firewalls confirms.

To evade the WAF, we double the forward slashes in /etc/passwd, like this: //etc//passwd.
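Why the doubled slashes get past the WAF, and what the rule should do instead, as an added example that is not part of the original write-up: a substring rule for /etc/passwd never sees the string "/etc/passwd" in "//etc//passwd", whereas a rule that canonicalises the path first (decode, collapse repeated slashes, resolve dot segments) does. The sensitive-file list is constructed for the example.

```python
import re
from urllib.parse import unquote

# Files an LFI rule should flag when a request parameter resolves to them (constructed list).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")


def naive_match(value: str) -> bool:
    """Substring rule of the kind the doubled-slash trick walks past."""
    return any(p in value for p in SENSITIVE_PATHS)


def normalize_path(value: str) -> str:
    """Canonicalise a user-supplied path the way the OS will before matching it."""
    s = value
    for _ in range(3):                 # undo percent-encoding until the value is stable
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")           # treat backslashes as separators
    s = re.sub(r"/+", "/", s)          # '//etc//passwd' -> '/etc/passwd'
    parts = []
    for seg in s.split("/"):           # resolve '.' and '..' lexically
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()            # '..' at the root stays at the root, as on Linux
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_lfi_attempt(value: str) -> bool:
    """Flag the value if its canonical form is one of the sensitive files."""
    return normalize_path(value) in SENSITIVE_PATHS


if __name__ == "__main__":
    for probe in ("/etc/passwd", "//etc//passwd", "/var/www/html/../../../etc/passwd"):
        print(f"{probe!r:40} naive={naive_match(probe)!s:5} normalised={is_lfi_attempt(probe)}")
```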



Scrolling down to the bottom of the /etc/passwd output, we find our first token; submitting it gives us 5 % progress :) .





Pentestit V14 - Token 2 (Mail Token):

We visit site.test.lab on port 8080, found in our initial nmap scan, and find Roundcube Webmail.



Open port 143 is an IMAP service, which email clients use to retrieve messages from a mail server. We use our saved list of email addresses together with hydra to brute-force a password: hydra -L email.txt -P /usr/share/john/password.lst imap://192.168.101.14





The cracked credentials are support@test.lab : PASSWORD. We use them to log in to the Roundcube mail application, and in the user's inbox we find the second token and several files: client.jar, certificate.zip and vpn.zip.





Finally, we submit this token and reach 10 % progress.



Pentestit V14: Java and Terminal 1 Token

In the Sent folder of the Roundcube webmail we now have access to are client.jar, certificate.zip and vpn.zip. We unzip the .zip files and find a vpn.conf file, which we use with openvpn's --config option.







Connecting with vpn.conf gives access to a 172.16.0.0/16 network that we can use for SSH. Command: sudo openvpn --config vpn.conf



We open the jar file from the zip archive with jd-gui and find that it consists of a single Main class. Opening Main.class reveals another IP address and port (172.16.20.2, 22) and an SSH password string.



The password string is decompiled using an online Java decompiler, which gives us the information for the SSH connection. The password itself is the Java token.



Using the SSH details retrieved from Main.class in the client jar and the decompiled password, we SSH in as the dev account and find the token in the opt folder.







Submitting both tokens brings progress to 20 %.





