PentestIT Test lab v.9

The “Test lab” penetration testing laboratories emulate the IT infrastructure of real companies and are built for legal pentesting and for improving penetration testing skills. Each laboratory is unique and contains recent, publicly known vulnerabilities.

The target of Test lab v.9 is CyBear 32C*, a professional software development company engaged in building information security systems and applications, so its network is well protected against attacks. Compromising CyBear 32C*’s corporate network takes solid penetration testing skills.

Network diagram

https://lab.pentestit.ru/images/labs/TL9_map.png

To reach the internal network we first have to bypass the gateway at 192.168.101.8.

Nmap scan output

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-28 06:37 EDT
Nmap scan report for cybear32c.lab (192.168.101.8)
Host is up (0.18s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  http       nginx 1.8.1
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 80 and 443 were not reachable with a browser by IP address; port 8100 served the Roundcube webmail application. Enumerating it with “dirb” turned up nothing interesting. Ports 80 and 443 appeared to sit behind a WAF: every request to port 80 by IP returned an error page. The scan shows the host name cybear32c.lab, so I added that name with the IP to /etc/hosts and reloaded the page. That landed on the correct page, but dirb against port 80 still gave nothing useful. Finally I enumerated port 443 and noticed something interesting 😉: the HeartBleed vulnerability.

nmap -sV --script=ssl-heartbleed 192.168.101.8

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-28 06:58 EDT
Nmap scan report for cybear32c.lab (192.168.101.8)
Host is up (0.17s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  http       nginx 1.8.1
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL 
|   cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploited the HeartBleed vulnerability using the Metasploit auxiliary module “auxiliary/scanner/ssl/openssl_heartbleed”.

After running the module several times, the leaked memory contained an interesting /var/www path. Requesting that path on the web server gave me the BYPASS token.
