Intro to network penetration testing
Congrats! Welcome to your first network assessment. This guide will help you walk through our workshop.
Context
You've been given a VPN configuration to connect to the client's network. As per the agreed-upon scope in the Rules of Engagement (what's an RoE?), you know your target lies at 10.150.0.3 on the client's internal network.
Connecting
You'll be given an OpenVPN file during the session, called session.ovpn
You can connect using the following command: sudo openvpn session.ovpn
Reconnaissance / Enumeration
Network penetration tests and assessments require that you think like a hacker or bad actor trying to break into an organization's assets, so you can demonstrate risk for them to mitigate.
Being able to think like an attacker is crucial, as having this mindset will allow us to carry out a realistic operation/assessment.
Since we don't have physical access, we have to make use of the information we have been given so that we can collect more to formulate a plan of attack.
Since we have an IP address, we can use a tool like nmap (Network Mapper) to give us a picture of what services may be running on the remote host.
You can run the following command and nmap will perform a very basic port scan to tell you what ports are open.
nmap 10.150.0.3
Output
Now that we have an idea of what ports are running, we can try and narrow down what services are actually running using the following command:
nmap -sC -sV 10.150.0.3 -p 22,80,27000
Quick command breakdown: as per the nmap docs,
-sC
(Performs a script scan) will run nmap's default scripts to determine more about the services running.
-sV
(Version detection) will attempt to perform version detection on the services.
-p
(Ports) specifies the ports to check, rather than scanning the top 1000 most common ports.
Output
Nmap scan report for 10.150.0.3
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
27000/tcp open flexlm0?
| fingerprint-strings:
| DNSStatusRequestTCP:
<clipped for sanity>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 89.90 seconds
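The report above is what nmap prints in its "normal" output format. As an added example (not part of the workshop's own material), here is a small parser for that format: it turns the port table into structured records, attaches the NSE/fingerprint lines to the port they belong to, and flags open ports that still need manual work (an unconfirmed service name ending in "?" or no version string). The sample input is a constructed copy of the scan shown above.

```python
import re

# Constructed sample input: the nmap -sC -sV report shown above in this walkthrough
SAMPLE_REPORT = """\
Nmap scan report for 10.150.0.3
Host is up (0.062s latency).
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
27000/tcp open  flexlm0?
| fingerprint-strings:
|   DNSStatusRequestTCP:
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 89.90 seconds
"""

# One port line: "22/tcp open ssh OpenSSH 8.9p1 ..." (the version column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_report(text):
    """Parse nmap normal output into (host, [port dicts]).
    '|' / '|_' script lines attach to the preceding port; a trailing '?' on
    the service name means nmap could not confirm the service."""
    host, entries = None, []
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, svc, ver = m.groups()
            entries.append({
                "port": int(port), "proto": proto, "state": state,
                "service": svc.rstrip("?"), "guessed": svc.endswith("?"),
                "version": (ver or "").strip(), "scripts": [],
            })
        elif line.startswith("|") and entries:
            entries[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return host, entries

def followups(entries):
    """Open ports that still need manual work: unconfirmed service or no version string."""
    return [e["port"] for e in entries
            if e["state"] == "open" and (e["guessed"] or not e["version"])]
```

Running it on a real scan is just `nmap -sC -sV <target> -oN scan.txt` and feeding the file's contents to parse_nmap_report; for anything beyond a quick script, nmap's XML output (-oX) is the more robust format to parse.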
First Steps
Now that we have some information about what's running, we can plan out our attack path.
We saw that SSH was running, but we don't have creds yet. Bummer. We'll remember this in case we find any.
Interestingly enough, there is a website running on port 80. There's also some weird service running on port 27000. We should definitely check that out later.
We want to gather as much information as possible, so we should maybe check out the website first.
Visit 10.150.0.3 in your preferred browser.
More Recon
If you've followed the above step, you'll understand what's running on that mysterious port (27000).
The webserver doesn't seem to contain much, so we should read carefully since it seems to be under construction.
Maybe some important information, like the version number of the mysterious service, has been revealed! This is important information for us, as we can use it to google around and see if there are any known vulnerabilities that might exist for us to exploit.
Weaponization Phase
Only open the below if you are stuck.
HINT #1
Upon seeing that there is a well-known LOGGING vulnerability in Java/the version of the service running, we might want to google around for Proofs of Concept (PoCs) or public exploits.
SPOILER
[https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition](https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition)
Exploitation
If you are stuck, contact merp on Discord or ask for the prez ;)
SPOILER
[https://github.com/davidbombal/log4jminecraft](https://github.com/davidbombal/log4jminecraft)
Post-Exploitation
Your goal is to find flags. Read the hint on the website ;)
There may also be an additional flag hidden on the server!