# OffSec Certified Professional Exam Report
- Wook Lee
- [email protected]
- OSID: 57181489
![[Pasted image 20251113222436.png]]
Copyright © 2024 OffSec Ltd. All rights reserved.
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from OffSec.
---
# Table of contents
### 1. OffSec Certified Professional Exam Report
- 1.1 Introduction
- 1.2 Objective
- 1.3 Requirements
### 2. High-Level Summary
- 2.1 Recommendations
### 3. Methodologies
- 3.1 Information Gathering
- 3.2 Service Enumeration
- 3.3 Penetration
- 3.4 Maintaining Access
- 3.5 House Cleaning
### 4. Independent Challenges
- 4.1 Target #1 - 192.168.232.55
- 4.1.1 Initial Access - Anonymous SMB share leads to WordPress RCE
- 4.1.2 Service Enumeration
- 4.1.3 Initial Access - SMB share to WordPress RCE
- 4.1.4 Privilege Escalation - AlwaysInstallElevated
- 4.1.5 Post Exploitation
- 4.2 Target #2
- 4.3 Target #3
### 5. Active Directory Set
- 5.1 Leon - 10.4.4.10
- 5.1.1 Initial Access - Password Brute-Forcing
- 5.1.2 Privilege Escalation - Sudo Group Vulnerability
- 5.1.3 Post-Exploitation
- 5.2 Poultry - 10.5.5.20
- 5.2.1 Initial Access - RDP Login
- 5.2.2 Post-Exploitation
- 5.3 DC - 10.5.5.30
- 5.3.1 Initial Access
- 5.3.2 Post-Exploitation
---
# 1. OffSec Certified Professional Exam Report
## 1.1 Introduction
The OffSec Certified Professional exam report contains all efforts that were conducted in order to pass the OffSec Certified Professional exam. This report should contain all items that were used to pass the overall exam and it will be graded from a standpoint of correctness and fullness to all aspects of the exam. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the OffSec Certified Professional.
## 1.2 Objective
The objective of this assessment is to perform an internal penetration test against the OffSec Lab and Exam network. The student is tasked with following a methodical approach to obtaining access to the objective goals. This test should simulate an actual penetration test from beginning to end, including the final report. An example page has already been created for you in the latter portions of this document that should give you ample information on what is expected to pass this course. Use the sample report as a guideline to get you through the reporting.
## 1.3 Requirements
The student will be required to fill out this penetration testing report fully and to include the following sections:
- Overall High-Level Summary and Recommendations (non-technical)
- Methodology walkthrough and detailed outline of steps taken
- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable.
- Any additional items that were not included
# 2. High-Level Summary
John Doe was tasked with performing an internal penetration test towards OffSec Labs. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate OffSec’s internal lab systems – the THINC.local domain. John’s overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to OffSec.
When performing the internal penetration test, there were several alarming vulnerabilities that were identified on OffSec’s network. When performing the attacks, John was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the testing, John had administrative level access to multiple systems. All systems were successfully exploited and access granted.
## 2.1 Recommendations
John recommends patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.
# 3. Methodologies
John utilized a widely adopted approach to performing penetration testing that is effective in testing how well the OffSec Labs and Exam environments are secured. Below is a breakout of how John was able to identify and exploit the variety of systems, including all individual vulnerabilities found.
## 3.1 Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, John was tasked with exploiting the lab and exam network. The specific IP addresses were:
**Exam Network:**
192.168.232.55, 172.16.203.134, 172.16.203.135, 172.16.203.136
## 3.2 Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, not all open ports are listed.
## 3.3 Penetration
The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. During this penetration test, John was able to successfully gain access to 10 out of the 50 systems.
## 3.4 Maintaining Access
Maintaining access to a system is important to us as attackers; ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. Many exploits may only be exploitable once, and we may never be able to get back into a system after we have already performed the exploit.
John added administrator and root level accounts on all systems compromised. In addition to the administrative/root access, a Metasploit meterpreter service was installed on the machine to ensure that additional access could be established.
## 3.5 House Cleaning
The house cleaning portion of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization's computer, which can cause security issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left over is important.
After the trophies on both the lab network and exam network were completed, John removed all user accounts and passwords as well as the Meterpreter services installed on the system. OffSec should not have to remove any user accounts or services from the system.
# 4. Independent Challenges
## 4.1 Target #1 - 192.168.232.55
### 4.1.1 Initial Access - Anonymous SMB share leads to WordPress RCE
**Vulnerability Explanation:**
**Vulnerability Fix:**
**Severity:**
**Steps to reproduce the attack:**
### 4.1.2 Service Enumeration
**Port Scan Results:**
| IP Address | Ports Open |
| -------------- | --------------------------------------- |
| 192.168.232.55 | TCP: 21, 80, 135, 139, 443, 3306, 49666 |
| | UDP: |
### 4.1.3 Initial Access - SMB share to WordPress RCE
**local.txt value:**
```bash
# Windows target (cmd.exe): current user, interface configuration, flag contents
whoami && ipconfig && type local.txt
# Linux target: same proof, with the equivalent commands
whoami && ifconfig && cat local.txt
```
### 4.1.4 Privilege Escalation - AlwaysInstallElevated
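The check and fix below are an added example for this finding, not the steps recorded during the exam (no exploitation commands from the engagement are reproduced here). AlwaysInstallElevated is a Windows Installer policy: when the `AlwaysInstallElevated` DWORD is set to `1` under both `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`, any `.msi` package a standard user installs with `msiexec` runs as `NT AUTHORITY\SYSTEM`. Both values must be `1`; one alone is not exploitable. The function name `Get-AlwaysInstallElevated` and the variable names are this example's own.

```powershell
# Added example, not the original report's steps: verify the AlwaysInstallElevated
# misconfiguration from a low-privilege shell, then apply the fix as an administrator.
# Windows Installer only honours the policy when the DWORD is 1 under BOTH hives.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevated {
    # Returns one row per hive; AlwaysInstallElevated is $null when the key or value is absent
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $p.Split(':')[0]; AlwaysInstallElevated = $v }
    }
}

# Check: reading these keys needs no elevation, so this runs from the initial foothold
$state = Get-AlwaysInstallElevated
$state | Format-Table -AutoSize
$vulnerable = ($state | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2
if ($vulnerable) {
    Write-Output 'VULNERABLE: .msi packages installed by a standard user run as NT AUTHORITY\SYSTEM'
} else {
    Write-Output 'Not vulnerable: value missing or 0 in at least one hive'
}

# Fix (run elevated): set both values to 0. The GPO equivalent is
# "Always install with elevated privileges" under both Computer Configuration and
# User Configuration > Administrative Templates > Windows Components > Windows Installer,
# set to Disabled.
if ($vulnerable) {
    foreach ($p in $paths) {
        Set-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
    }
}
```

From a plain `cmd.exe` shell the same check is `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` repeated for `HKCU`. Note that the `HKCU` value is per user, so editing it in an administrator's session only changes that administrator's hive; the durable fix is the Group Policy setting, which writes the value into every user's profile.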
### 4.1.5 Post Exploitation
**proof.txt value:**
```bash
# Windows target (cmd.exe): current user, interface configuration, flag contents
whoami && ipconfig && type proof.txt
# Linux target: same proof, with the equivalent commands
whoami && ifconfig && cat proof.txt
```
## 4.2 Target #2 -
## 4.3 Target #3 -
# 5. Active Directory Set
**Port Scan Results:**
| IP Address | Ports Open |
| ---------- | --------------------------------------- |
| 10.4.4.10 | TCP: 21, 80, 135, 139, 443, 3306, 49666 |
| 10.5.5.10 | TCP: 21, 80, 135, 139, 443, 3306, 49666 |
| 10.6.6.10 | TCP: 21, 80, 135, 139, 443, 3306, 49666 |
## 5.1 Leon - 10.4.4.10
### 5.1.1 Initial Access - Password Brute-Forcing
**Vulnerability Explanation:**
**Vulnerability Fix:**
**Severity:**
**Steps to reproduce the attack:**
### 5.1.2 Privilege Escalation - Sudo Group Vulnerability
**Vulnerability Explanation:**
**Vulnerability Fix:**
**Severity:**
**Steps to reproduce the attack:**
### 5.1.3 Post-Exploitation
**System Proof screenshot:**