
Antonio Gabor
Certified Ethical Hacker and Network Security Engineer

Today, we’re diving headfirst into an adrenaline-pumping tale that unveils the enigmatic world of penetration testing, where virtual battlegrounds hold the keys to unravelling security mysteries. So, strap in as we navigate through the intricacies of a pen-testing simulation like no other, one that has become a rite of passage for those who dare to wield the prowess of a true cybersecurity virtuoso – the unofficial Offensive Security Certified Professional (OSCP) training curriculum.
In this captivating instalment, we’ll be peeling back the layers of my voyage, venturing deep into the heart of OSCP’s clandestine challenges.
Picture this: a realm where firewalls and encryption stand as virtual fortresses, their digital ramparts begging to be stormed by intrepid hackers armed with cunning and skill. It’s an odyssey that unfolds like a symphony of code-breaking, network-dancing, and vulnerability-unearthing, all set against the backdrop of a training course that separates the security novices from the true sentinels of the digital age.
But why, you may ask, is this journey so crucial? The answer lies in the very essence of cybersecurity – the art of staying a step ahead of those who seek to exploit vulnerabilities for malicious gain. As we immerse ourselves in the narrative of this pentesting simulation, we’ll come to understand the intricacies of white-hat hacking, where we wield our digital swords not for malevolent purposes, but to fortify the walls of our digital fortresses against the ever-looming shadows of cyber threats.
I pretty much own all my penetration testing knowledge to gamified learning with websites like hackthebox and tryhackme which I highly recommend. Another brilliant course is from TCM academy called Practical Penetration Testing and there is also a free version of the same that can be found on youtube.
We have selected a first in line from the infamous NetSecFocus Trophy Room list.
This vulnerable machine is called DC 9 and can be freely downloaded from vulnhub. Vulnhub is a repository of vulnerable virtual machines that can easily be deployed using hypervisors like VirtualBox and VMware. DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and read the only flag.
The first step is to deploy the machine in your penetrations testing lab where your offensive client resides, by importing it with your favourite hypervisor.

Once the machine is imported, we can initiate the first boot by powering on the vulnerable lab. I have experienced some difficulties where I had to disable USB 2.0 and change the network adapter to Internal-Host only, however after those it was smooth sailing. Let us dive in.
Network Enumeration
When performing a penetration test we must be aware of the network surrounding, and using a trusty network mapper called Nmap we can do just that. Network enumeration is the first step in our active reconnaissance, and below is the command we used. Note: Your virtual network might differ!
# nmap -sn 192.168.56.0/24
And we have discovered our target IP address.
MAC Address: 08:00:27:5C:31:61 (Oracle VirtualBox virtual NIC)
From there we perform version scanning and Aggressive enumeration using Nmap switches -sV and -A

From the above, we can conclude that this machine is running some kind of web server on port 80 and also has a ssh port that seems to be filtered. Further, we discover headers on port 80 enumerating the version of the Apache httpd service version 2.4.38 that score us low-level finding of information disclosure. Further, browsing the HTTP service reveals a search bar that we can further enumerate for possible SQL injections.

Using a Fuzzing tool called wfuzz we can search for directories and files on the target website.
While using –hc to hush all not found responses and return only interesting ones.
The syntax is as follows:
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt –hc 404 “$URL”

And we were able to discover quite a few HTTP response codes 200 which return working responses.
To manually try a few SQL injections we will be abusing SQL logic where an apostrophe breaks the sequence and logic OR where 1=1 is true will return effectively all results.

We will be using Burp Suite which is a web vulnerability scanner and security testing tool used by professionals to find and fix security issues in web applications. It helps with tasks like intercepting traffic, automated scanning for vulnerabilities, manual testing, and more.
To closer inspect this request in the backend we have fired up the Burp Suite free community edition and turned our intercept to ON.

You can observe that the search parameter is being passed to the backend of the server together with some URL encoding. We will save this request to a file named req and try to utilize sqlmap to automate injection testing. We have adjusted the value of the search parameter to FUZZME.
sqlmap -r req –dump –batch –dbms=mysql –dbs
Et Voila!

Now we see there is an additional database called users so we will try to dump that as well.

As we can observe this dump contains all users and passwords that are located on this machine

We have obtained a hash for the user admin of the database which can be further offline cracked, and with a bit of luck on crackstation.net it has already been cracked.

These credentials worked to give us admin access to the website with the new ability to add Records to the database. This is something that potentially can be further exploited.
However, there is another avenue to explore and that is further fuzzing! Now we will be performing authenticated fuzzing with a valid session id. We can utilize Burp Suite and intercept our session thus retrieving the session id.
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt –hc 404 –hh 963 -b “PHPSESSID=3drg6phqektbs84st5p3u6rctv” “$URL”
To better understand the attack vector, a PHP parameter is a value passed to a PHP script or function in web development. It can be part of the URL (query string) or submitted via a form. Query string parameters are visible in the URL (e.g., example.com/page.php?name=John), while form parameters are included in the request’s body

Wfuzz has returned a successful response for the parameter file.
Let us try some directory traversal while abusing this newly discovered parameter.
http://192.168.56.110/welcome.php?file=../../../../../../etc/passwd
Bingo!

This seems to be Local file inclusion.
Further attempting to obtain /etc/knockd.conf, we have recovered yet another file.

This is very valuable as it contains a sequence that will be used for port knocking.
Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).
We will be using a siren security script for port knocking.

We have successfully executed port knocking attack and the previously filtered ssh port is now open! Now that is what I call magic.

As we have earlier discovered database with usernames and passwords we can perform password spraying attack while utilizing a tool called Hydra with the below command
sudo hydra -L usr -P passwords ssh://192.168.56.110

And we have a winner at last!

This is a low-privileged user so we will have to look for another user with sudoers privileges.
Going through users we find that the user janitor has an interesting directory containing yet another password file. This feels like a treasure hunt at this stage.

Nice, so once again we can attempt to password spray with Hydra to see if any new credentials are valid

And we have a new user credential!
Immediately we try to see if he has any sudo privileges and we have struck gold!

Seems that anything in the test folder can be run with root privileges.
Let us discover what lies within this folder.
It seems that a file is meant to be run as test.py

Let us find test.py and explore what it does. Below is the output from the Python script which takes the first file as an argument and appends the second file to it.

We can be creative and exploit this trust and the fact it can be run as a root.
Firstly, we will create a file called offset using the touch command and echo the below line into it.
touch offset
echo ‘siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash’ > offsec
If we use sudo on the test binary with the first argument being a new user formatted in passwd style, and further second argument being /etc/passwd we will be able to add a new user with root privileges.
$ sudo /opt/devstuff/dist/test/test /var/tmp/offsec /etc/passwd
And surely enough we could execute this and we have inserted our rouge user.

And just like that, we have become root users! Game over!

In conclusion, my journey through the world of penetration testing, as illustrated by the exploration of the DC-9 vulnerable machine, has been a riveting adventure into the realm of cybersecurity. This narrative has taken us through the fundamental steps of reconnaissance, vulnerability discovery, exploitation, and privilege escalation. From network enumeration using Nmap to uncovering SQL injection vulnerabilities, leveraging directory traversal, and implementing port knocking, each technique has demonstrated the complexity and diversity of challenges within this domain, and linking them together to create a kill chain.
Certainly, protecting against the vulnerabilities and techniques outlined in this article is crucial to maintaining a secure digital environment.
Here are some recommendations to enhance your defense against these threats:
- Regular Patching and Updates: Keep all your systems, applications, and plugins up to date with the latest security patches. Regularly update your operating system and software to address known vulnerabilities.
- Web Application Security:
- Employ input validation and sanitization techniques to prevent SQL injection and other injection attacks.
- Use a Web Application Firewall (WAF) to detect and block malicious traffic.
- Follow secure coding practices and utilize frameworks that have built-in security features.
- Secure Network Configuration:
- Implement proper firewall rules and configurations to prevent unauthorized access.
- Regularly review network perimeter settings and ensure minimal exposure to critical services.
- User Authentication and Password Management:
- Enforce strong password policies, including complexity and rotation requirements.
- Encourage multi-factor authentication (MFA) for user accounts to add an extra layer of security.
- Directory Traversal Protection:
- Validate and sanitize user inputs to prevent directory traversal attacks.
- Set strict permissions on sensitive files and directories to limit access.
- Port Knocking:
- Consider using more secure methods of remote access, such as VPNs, instead of relying solely on port knocking.
- If using port knocking, implement it carefully and avoid easily guessable sequences.
- Password Spraying Prevention:
- Implement account lockout policies to thwart brute-force attacks.
- Monitor and detect unusual login patterns that could indicate malicious activity.
- Privilege Escalation Mitigation:
- Implement the principle of least privilege to restrict user access only to what is necessary for their roles.
- Regularly review and audit user privileges to prevent unauthorized escalation.
- Regular Security Assessments:
- Conduct regular security assessments, including penetration testing and vulnerability scanning, to identify and address weaknesses.
- Engage in ethical hacking to proactively discover vulnerabilities before malicious actors exploit them.
- Employee Training and Awareness:
- Train your employees on security best practices and raise awareness about common attack vectors.
- Encourage a culture of reporting and addressing potential security incidents promptly.
- Monitoring and Incident Response:
- Implement robust real-time monitoring solutions to detect and respond to suspicious activities.
- Develop an incident response plan to swiftly address security breaches and minimize damage.
- Secure Coding Practices:
- Train developers to follow secure coding practices, including input validation, output encoding, and using prepared statements to prevent injection attacks.
By implementing these recommendations, you can significantly bolster your organization’s defenses against the techniques demonstrated in the penetration testing journey and maintain a more resilient and secure digital environment.
Stay vigilant and stay safe!