
Mock Penetration Test

ACTIVITY COMPLETED: July 9, 2023

Scenario

The in-house offensive security team at StackFull Software was recently hired by Fullstack Academy to perform a penetration test. During this initial test, Will Schmidt, SOC Analyst I, was given an opportunity to shadow the in-house team. 

Fullstack Academy was so pleased with the rigor and findings from the first penetration test that they asked StackFull Software to perform a follow-up test. However, they only wanted to test an isolated portion of their network that wasn’t included in the scope of the first penetration test.

Given his aptitude, StackFull’s in-house offensive security team decided that this was a task Will Schmidt could handle on his own. The rules of engagement for his test were to: 

  • Scan and attack systems that reside on the same /20 subnet as his machine

  • Conduct vulnerability assessments on the systems on the network

  • Find ways to compromise and exploit the systems on the network

  • Provide detailed documentation, label vulnerabilities, and explain exploits in depth

  • Suggest security strategies that can help remediate or avoid risk

  • Avoid all forms of social engineering to discover details about the network

  • Not install any tools beyond those already present on his machine

Problem

Challenge 1: Network Scanning

  1. Perform an Nmap port scan of the /20 subnet on which your Kali machine resides. Be sure to scan all 65535 TCP ports on every system found.

  2. From the scan results, do you see any systems with port 1013 open?

  3. From the scan results, do you see any servers with port 2222 open?

  4. From the scan results, how many Windows systems can you identify on the network?
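Added example, not part of the original post or the engagement's own tooling: a small Python parser over Nmap grepable (-oG) output that records the answers to the three inventory questions above (hosts exposing port 1013, hosts exposing port 2222, and the count of Windows systems from OS fingerprints) instead of reading them off by eye. The addresses, ports and OS guesses in the sample are constructed, not results from the scenario.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap -oG output (as from `nmap -p- -O -oG scan.gnmap`).
# Every address, port and OS guess below is made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -p- -O -oG scan.gnmap 10.0.0.0/20
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///, 1013/open/tcp//unknown///\tIgnored State: closed (65533)\tOS: Linux 4.15 - 5.6
Host: 10.0.1.20 ()\tPorts: 2222/open/tcp//ssh///\tIgnored State: closed (65534)\tOS: Linux 5.0 - 5.4
Host: 10.0.1.30 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 10
Host: 10.0.1.31 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2019
Host: 10.0.1.40 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tOS: FreeBSD 12.X
# Nmap done at ...
"""

# Each port entry in -oG looks like  port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_gnmap(text):
    """Return {ip: {"open": set of open TCP ports, "os": OS guess}} from -oG text."""
    hosts = defaultdict(lambda: {"open": set(), "os": ""})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer lines
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts[ip]  # register the host even if this line only says "Status: Up"
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open" and proto == "tcp":
                entry["open"].add(int(port))
        if "OS" in fields:
            entry["os"] = fields["OS"]
    return dict(hosts)


def hosts_with_port(hosts, port):
    """IPs that expose the given TCP port, sorted for a stable report."""
    return sorted(ip for ip, h in hosts.items() if port in h["open"])


def count_windows(hosts):
    """Number of hosts whose OS fingerprint names Windows."""
    return sum(1 for h in hosts.values() if "windows" in h["os"].lower())


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    print("port 1013:", hosts_with_port(inv, 1013))
    print("port 2222:", hosts_with_port(inv, 2222))
    print("windows hosts:", count_windows(inv))
```

The same parser run over a defender's own authorized scan of the subnet gives a baseline of exposed ports per host, so an unexpected listener such as 1013 stands out as a change rather than going unnoticed.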

Challenge 2: Initial Compromise

Can you figure out a way to compromise the service running on port 1013 to gain command line access to the system running it?

Challenge 3: Pivoting

Can you find any files on this web server that will allow you to laterally move to the system with port 2222 open?

Challenge 4: System Reconnaissance

Are there any privilege escalation opportunities on this system you laterally moved to? Check for sensitive files with passwords in them. A privilege escalation checker script has been provided to you in the /opt directory for this purpose.

Challenge 5: Password Cracking

Can you crack the hash found within the sensitive file found on this system? Make sure to use the wordlists found on your Kali instance within /usr/share/wordlists.

Challenge 6: Metasploit

Now that you have a username/password, can you establish a Meterpreter session on a Windows system found on the network with this username/password?

Challenge 7: Passing the Hash

Are there any accounts found on this system that can be used to laterally move to another Windows system on the network?

Challenge 8: Finding Sensitive Files

  1. Now that you have laterally moved to another Windows system, can you find the secrets.txt file on it? Part of penetration testing is figuring out new ways to utilize your existing toolsets. There is a search function within Meterpreter that can prove useful for this purpose.

  2. What command from Meterpreter can be used to print the contents of files?

  3. Determine what is contained within the secrets.txt file.

Read a Detailed Walkthrough and Full Scope of the Findings

William Schmidt