
Intro to network penetration testing

Congrats! Welcome to your first network assessment. This guide will help you walk through our workshop.

Context

You've been given a VPN configuration to connect to the client's network. As per the scope agreed in the Rules of Engagement (what's an RoE?), you know your target is 10.150.0.3 on the client's internal network.

Connecting

You'll be given an OpenVPN configuration file during the session, called session.ovpn.

You can connect using the following command: sudo openvpn session.ovpn

Reconnaissance / Enumeration

Network penetration tests and assessments require you to think like a hacker or bad actor trying to break into an organization's assets, so that you can demonstrate risk for the organization to mitigate.

Being able to think like an attacker is crucial, as this mindset lets us carry out a realistic operation/assessment.

Since we don't have physical access, we have to use the information we've been given to collect more and formulate a plan of attack.

Since we have an IP address, we can use a tool like nmap (Network Mapper) to get a picture of what services may be running on the remote host.

Run the following command and nmap will perform a basic port scan and tell you which ports are open.

nmap 10.150.0.3

Output
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-27 17:06 ADT
Nmap scan report for 10.150.0.3
Host is up (0.063s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
27000/tcp open  flexlm0
Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds

Now that we know which ports are open, we can narrow down which services are actually running behind them with the following command:

nmap -sC -sV 10.150.0.3 -p 22,80,27000

Quick command breakdown: as per the nmap docs,

-sC (script scan) runs nmap's default NSE scripts to learn more about the services that were found.

-sV (version detection) attempts to identify the service and its version on each open port.

-p (ports) specifies the ports to check, instead of scanning the top 1000 most common ports.

Output
Nmap scan report for 10.150.0.3
Host is up (0.062s latency).
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
27000/tcp open  flexlm0?
| fingerprint-strings: 
|   DNSStatusRequestTCP:
<clipped for sanity>

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 89.90 seconds
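As an added example (not part of the workshop material), here is a small Python parser for the nmap output format shown above. It turns the PORT/STATE/SERVICE/VERSION table and the NSE script lines into structured records, and flags services nmap could only guess (the '?' on flexlm0) as the ones to inspect by hand. It assumes nmap's normal text output as printed on this page; the embedded sample is a copy of the scan above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the nmap -sC -sV output from the scan above, embedded
# so the parser runs offline.
SAMPLE = """\
Nmap scan report for 10.150.0.3
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
27000/tcp open  flexlm0?
| fingerprint-strings:
|   DNSStatusRequestTCP:
"""

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    guessed: bool                 # nmap appends '?' when the service name is only a guess
    version: str = ""
    scripts: list = field(default_factory=list)   # NSE (-sC) output lines for this port

# "22/tcp    open  ssh      OpenSSH 8.9p1 ..." -> number, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text: str) -> dict:
    """Parse nmap normal output into {host: [Port, ...]}."""
    hosts, host, port = {}, None, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1].strip("()")   # IP is the last token, parenthesised if a name resolved
            hosts[host] = []
            port = None
        elif host is not None and (m := PORT_RE.match(line)):
            number, proto, state, service, version = m.groups()
            port = Port(int(number), proto, state, service.rstrip("?"),
                        service.endswith("?"), (version or "").strip())
            hosts[host].append(port)
        elif port is not None and line.startswith("|"):
            port.scripts.append(line.lstrip("|_ ").rstrip())   # '|' / '|_' lines belong to the last port
    return hosts

def unconfirmed(hosts: dict) -> list:
    """(host, port) pairs nmap could not fingerprint confidently: the ones to inspect by hand."""
    return [(h, p.number) for h, ports in hosts.items() for p in ports if p.guessed]

if __name__ == "__main__":
    print(unconfirmed(parse_nmap(SAMPLE)))   # [('10.150.0.3', 27000)]
```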


First Steps

Now that we have some information about what's running, we can plan out our attack path.

We saw that SSH was running, but we don't have creds yet. Bummer. We'll remember this in case we find any.

Interestingly enough, there is a website running on port 80. There's also some weird service running on port 27000. We should definitely check that out later.

We want to gather as much information as possible, so let's check out the website first.

Visit 10.150.0.3 in your preferred browser.

More Recon

If you've followed the above step, you'll understand what's running on that mysterious port (27000).

The website doesn't contain much, since it seems to be under construction, so read what's there carefully.

Maybe some important information, like the version number of the mysterious service, has been revealed! This is important for us, as we can use it to google around and see if there are any known vulnerabilities in that version for us to exploit.

Weaponization Phase

Only open the below if you are stuck.

HINT #1: Upon seeing that there is a well-known LOGGING vulnerability in Java / in the version of the service running, we might want to google around for proofs of concept (PoCs) or public exploits.
SPOILER [https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition](https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition)

Exploitation

If you are stuck, contact merp on Discord or ask for the prez ;)

SPOILER [https://github.com/davidbombal/log4jminecraft](https://github.com/davidbombal/log4jminecraft)

Post-Exploitation

Your goal is to find flags. Read the hint on the website ;)

There may also be an additional flag hidden on the server!