Capture The Flag CTF 2 Jaymon Security – Pentesting
1. Introduction and Objectives
In this article, we will provide a solution to the second CTF (2.0) proposed by JAYMON SECURITY, which you can download from their website through the following link:
This article simulates the execution of an ethical hacking audit, also known as a Pentest, on a Windows operating system machine belonging to the education department of a university (hereinafter referred to as the “business organization”), where an exam platform is located.
To carry out the tasks of ethical hacking, we are situated with our attacking machine in the internal network segment of the business organization. Within this network segment, various interconnected machines share resources. In order to place ourselves on the same network segment as the CTF machine, we have accessed the Local Area Network (LAN) of the organization via VPN, similar to what is done in Hack The Box (HTB) or Offensive Security laboratories. It’s worth mentioning that JAYMON SECURITY also has its own ethical hacking lab:
To perform this practice, it’s necessary to have at least some basic knowledge in ethical hacking.
2. Phases of Professional Ethical Hacking
Before proceeding with the CTF resolution, let’s briefly explain how to carry out a professional “Ethical Hacking” endeavor, outlining the phases to be executed and the definition of each one of them.
Below, we outline the phases that must be followed in every ethical hacking audit:
- Phase 1. Preparation: The test parameters are defined, including objectives, scope, responsibilities, contact persons, rules, timing, success/failure criteria, and documentation approving the test.
- Phase 2. Reconnaissance: The test begins by gathering as much target information as possible. This step is crucial, as the better we understand the target, the more effectively we can act on it.
- Phase 3. Scanning: In this phase, we become active by sending packets to the target’s network to identify ports, services, and vulnerabilities they may have.
- Phase 4. Exploitation: The exploitation of identified vulnerabilities begins to gain access to the target.
- Phase 5. Analysis: All information gathered throughout the previous phases is analyzed to identify risks, prioritize them, determine mitigations, etc.
- Phase 6. Reporting: Various executive and technical documents will be created, detailing the entire test: results, risks, etc. The documents should be well-detailed and tailored to the reader.
3. Lab Setup Phase: Setting Up the Lab
To set up the lab, you only need to have VMware Workstation installed to create the virtual machines outlined below. In this particular case, we have also used a VPN generously provided by Juan M. to connect to the ethical hacking lab of Jaymon Security and carry out the practice.
- Auditor/Attacker Machine: A computer system with an up-to-date Kali Linux operating system. Kali Linux is a Debian GNU/Linux-based distribution primarily designed for auditing and general information security. It was founded and is maintained by Offensive Security Ltd. This distribution, in particular, has been redesigned with specific features by Jaymon Security S.L.
Official Download Link: https://www.kali.org/get-kali/
- CTF Machine with Windows 7 x64 OS: Contains a Moodle exam platform.
4. Internal Reconnaissance Phase
Once situated within the organization’s LAN, we proceed to locate the assets present on the network to be audited using techniques for host, port, and service discovery, among others.
To achieve this, we will use Netdiscover and Nmap, together with Nmap’s graphical front end, Zenmap. A brief description of each tool follows:
- Netdiscover: We discover devices connected to the network.
- Nmap: Nmap is the quintessential free tool for discovering all hosts within one or multiple network segments, as well as identifying open ports on a specific host. It enables us to determine the service associated with an open port and even identify if there are any known vulnerabilities. This program is also capable of detecting the type and version of the operating system on a given host, all in a very easy and efficient manner.
- Zenmap: Zenmap is the graphical interface for Nmap. It offers a user-friendly graphical interface to execute various types of port and service analysis provided by Nmap. It presents the results in an intuitive manner to the user.
Using the “netdiscover” command, we can view all the devices connected to the network within our reach.
- 192.168.153.1 : Router.
- 192.168.153.129 : OS Windows 7 x64. CTF machine.
- 192.168.153.131 : OS Windows Server 2008 R2.
- 192.168.153.136 : OS Windows Server 2008 R2.
- 192.168.153.130 : OS Linux Ubuntu.
- 192.168.153.139 : OS Kali Linux. Attacker machine.
5. Scanning and Vulnerability Analysis Phase of the CTF Machine with IP 192.168.153.129
After gathering information in the previous phases, we will proceed with the scanning and vulnerability analysis phase. The goal is to discover operating systems, open ports, vulnerable services, and communication routes.
In this phase, we will actively send packets to the target machine. Therefore, it’s important to be cautious and measure the aggressiveness of our scanning to avoid raising suspicions. All actions will be recorded in the various system logs of each victim machine, and there might also be SIEM systems monitoring network activities. Once vulnerabilities are identified, we need to analyze and organize the results to plan the most appropriate attack method for the exploitation phase.
To accomplish this phase, we will use the following tools: Nmap, Sparta, SuperScan, OWASP ZAP, OpenVAS, Nessus, among others.
Let’s begin by using Zenmap to identify ports and services on the target machine:
The scanning results show five (5) open ports: 3306 (MySQL), 3389 (RDP), 139 and 445 (SMB), and 135 (RPC).
In this case, since it’s a Windows 7 machine and ports 139 and 445 are open, in the exploitation phase we can assess whether it’s vulnerable to EternalBlue. From there, we can attempt to access the database, whose contents are unknown. Another option is to try compromising the Remote Desktop Protocol (RDP) using a known exploit like “BlueKeep”, or resorting to brute-force attacks, as discussed in the article “Remote Desktop Attacks as a Ransomware Entry Point”.
a) Launching OpenVAS
At this point, we’re going to use OpenVAS, which, alongside Nessus, is one of the best tools for vulnerability analysis of computer systems.
When you start OpenVAS, it will ask for access credentials. If it’s your first time using it, the program will present you with new credentials.
- openvas-status: To update the database.
- openvas-start: To initiate the application and provide us with the credentials.
Once it’s initialized, open your web browser and go to http://127.0.0.1:9392 to start working with the application and input the access credentials.
Once inside, all you need to do is input the target and start the scanning process.
I have saved the scan results in the document “Report_OpenVas_W7.pdf”. The image displays the vulnerabilities found, categorized by severity. The most critical one is related to the SMB service.
With the obtained results, we can now proceed to the next phase.
6. Exploitation Phase of the CTF Machine with IP 192.168.153.129
In this phase, we will enumerate and organize all the information obtained in the previous stages to detail our attack plan and initiate the exploitation of the machines under audit.
Since we are conducting an internal audit, the attacks need to be controlled. We must avoid causing services to become inoperable or inaccessible.
As observed in the previous phase, the target machine exposes the SMB service on port 445, and the OpenVAS results point to it being vulnerable to “EternalBlue”; the operating system does not appear to be patched against this vulnerability. We will therefore proceed with the attack.
Remember that the vulnerability WannaCry uses to propagate is the infamous MS17-010, the identifier assigned by Microsoft’s official security bulletin. To exploit this vulnerability there is a tool called EternalBlue, released by the ShadowBrokers (a group involved in the leak of NSA tooling). It exploits a flaw in the SMB (Server Message Block) protocol, and it has been ported to Metasploit by ElevenPaths.
The first step is to open Metasploit on our auditing machine. We will then launch the corresponding auxiliary and exploit modules for exploiting the mentioned resource. Initially, we will check if the victim is susceptible to an EternalBlue attack. If affirmative, we will proceed with the exploitation to gain access to the victim machine.
We use the auxiliary module and search within the SMB scanner for the vulnerability previously reported by OpenVAS.
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 192.168.153.129
exploit
Just as additional information, it’s worth noting that we could launch this scanner across the entire subnet to detect machines vulnerable to this service. The way to do this would be to input RHOSTS as 192.168.153.2-192.168.153.254 or RHOSTS as 192.168.153.1/24.
In this case, confirming that our target is vulnerable to MS17-010, we will proceed with its exploitation. The next step is to find the appropriate exploit. To do this, we can use tools like “searchsploit” or search directly within the Metasploit framework using the “search” command. After performing this search, we have found an exploit that, upon successful execution, will grant us access to the victim machine and will also automatically escalate privileges.
Once the exploit is launched, we can observe that we are now inside the victim machine with “SYSTEM” user privileges through a standard command shell. Therefore, our next step is to obtain a “Meterpreter Shell” to conduct a more advanced intrusion.
shell: Returns to the victim’s command shell.
whoami: Checks the current user.
sessions -l: Displays information about open sessions.
sessions -u 1: Upgrades a session to a Meterpreter session, in this case, session 1.
As we can see, we have two sessions, one with Meterpreter and the other with the victim machine’s command shell. We can manipulate sessions by pushing them into the background while working on one and then returning to the other.
To connect to session 2 and begin working with Meterpreter, we use the command sessions -i 2. We confirm our user identity with getuid, which shows that we are the “system” user. This means we can carry out any action without permission issues.
With the background command or Ctrl+Z, we can push the current session into the background, allowing us to continue working with other sessions. We can also switch to using the victim’s standard system shell by using the command “shell”.
From here, we can view the services running on the system and navigate through the directory tree. At this point, we could move on to the post-exploitation phase, which involves establishing persistence on the victim system by installing backdoor-type malware for access whenever needed. However, since this is a professional ethical hacking audit, neither the post-exploitation phase nor the phase involving eliminating traces (typically associated with Red Team operations) is considered.
Exploring the system, we find an Apache server in the directory “C:\CampusVirtual\server.” Let’s start it, as it wasn’t running when we checked the list of processes.
We also find an application called “Moodle.” Let’s launch it from the “C:\CampusVirtual” directory.
Moodle is an open-source Learning Management System (LMS) or, more specifically, a “Learning Content Management” system, written in PHP. It’s a platform for creating online courses and exams. Additionally, when we run the platform, we observe that a database service is initiated. Considering the previous phase’s port and service scan, we know that the victim machine has port 3306 open, which is used by the MySQL database.
Continuing our search, we find a configuration file containing database access credentials.
With this information, we could access the Moodle database from the victim machine’s command shell. However, due to certain routing issues, connecting to the “MySQL” service becomes complicated. Therefore, let’s resort to Plan B, which involves accessing the victim machine through Remote Desktop. Fortunately, port 3389 is open for this service. If it wasn’t, there are techniques to enable it.
While we don’t have clear access credentials, having a command shell with “System” user privileges enables us to change the password for any of the users created on the victim machine, allowing us to subsequently access it via RDP.
net user: To see all users created in the system.
net user R007_1N51D3R 123456: Changes the access credentials for the user “R007_1N51D3R” to “123456”.
rdesktop 192.168.153.129: To access the victim machine through Remote Desktop.
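The password reset and the RDP logon above both leave Windows Security events behind, which is what a SIEM rule on the defending side would key on. The following is an added example, not code from the original write-up: it correlates a password reset (event 4724) with a subsequent RemoteInteractive logon (event 4624, logon type 10) for the same account within a short window. The events are constructed sample data; only the username and the attacker address come from the write-up.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not taken from the write-up).
# 4724 = "An attempt was made to reset an account's password";
# 4624 with logon_type 10 = RemoteInteractive (RDP) logon.
EVENTS = [
    {"time": "2023-05-10T10:00:05", "id": 4624, "logon_type": 2,
     "target": "alumno", "src_ip": "-"},
    {"time": "2023-05-10T10:02:11", "id": 4724,
     "subject": "NT AUTHORITY\\SYSTEM", "target": "R007_1N51D3R"},
    {"time": "2023-05-10T10:03:40", "id": 4624, "logon_type": 10,
     "target": "R007_1N51D3R", "src_ip": "192.168.153.139"},
    # A help-desk reset followed hours later by an RDP logon: outside the window.
    {"time": "2023-05-10T12:30:00", "id": 4724,
     "subject": "helpdesk", "target": "profesor"},
    {"time": "2023-05-10T15:00:00", "id": 4624, "logon_type": 10,
     "target": "profesor", "src_ip": "192.168.153.50"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_reset_then_rdp(events, window_minutes=30):
    """Return one tuple (target, src_ip, reset_time, logon_time) for every
    account that logged on over RDP within `window_minutes` of having its
    password reset. Events are processed in time order, so only a reset that
    precedes the logon counts."""
    window = timedelta(minutes=window_minutes)
    last_reset = {}   # target account -> time of its most recent 4724
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4724:
            last_reset[ev["target"]] = _ts(ev["time"])
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            reset_at = last_reset.get(ev["target"])
            if reset_at is not None and _ts(ev["time"]) - reset_at <= window:
                hits.append((ev["target"], ev["src_ip"],
                             reset_at.isoformat(), ev["time"]))
    return hits


if __name__ == "__main__":
    for target, src, reset_at, logon_at in find_reset_then_rdp(EVENTS):
        print(f"ALERT: {target} reset at {reset_at}, RDP logon from {src} at {logon_at}")
```

In production the same logic would read from the SIEM rather than a list, and a reset whose subject is SYSTEM rather than a help-desk account deserves a higher score on its own.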
Upon accessing, we see a shortcut to Moodle on the desktop. Opening it directs us to the login page of the web application since we had previously started the service.
Although we have access to the Moodle graphical interface, we can’t log in because we don’t know the login credentials. Next, let’s explore how we can access the Moodle database from the victim machine itself and extract login credentials for the “administrator” user. This will allow us to access the platform’s exams.
Firstly, we need to access the database to find out the administrator’s login password for the graphical interface. To do this, we’ll navigate through the machine looking for interesting files, such as service configuration files. The image below shows the database access information for Moodle that we found earlier in the “config.php” file.
With the found credentials, we proceed to access the Moodle database.
While navigating through the database, we discover credentials of the registered users on the platform. As observed, the access passwords are hashed in MD5 format.
We proceed to recover the administrator’s password from its MD5 hash using an online lookup service. MD5 is a hash, not encryption, so this works only because the stored digest is unsalted and the password is weak enough to appear in precomputed tables.
Once we have the recovered password, we can log into the Moodle platform, and the CTF is now completed.
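The unsalted MD5 hashes found in the Moodle database are what made the lookup above possible. The following is an added example, not code from the write-up or from Moodle: it audits a constructed stand-in for the mdl_user table for legacy MD5 digests and shows the usual “upgrade on next login” migration, verifying against the old hash once and replacing it with a salted, iterated one. PBKDF2 from the standard library stands in for the bcrypt that PHP’s password_hash() gives current Moodle; the usernames and passwords are invented.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Unsalted MD5 as stored by old Moodle versions: 32 lowercase hex characters.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")
# PBKDF2 stands in for the bcrypt that PHP's password_hash() gives current
# Moodle; raise the iteration count in a real deployment.
ITERATIONS = 100_000

def strong_hash(password, salt=None):
    """Salted, iterated hash in a self-describing format."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def check_strong(stored, password):
    _, _, iters, salt, dk = stored.split("$")
    got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(got.hex(), dk)

def make_db():
    """Constructed stand-in for Moodle's mdl_user table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mdl_user (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?)", [
        ("admin", hashlib.md5(b"Examen2023").hexdigest()),     # legacy
        ("student1", hashlib.md5(b"123456").hexdigest()),      # legacy
        ("teacher", strong_hash("Correct-Horse-Battery")),     # already migrated
    ])
    conn.commit()
    return conn

def find_legacy_hashes(conn):
    """Audit step: accounts whose stored password is a bare MD5 digest."""
    rows = conn.execute("SELECT username, password FROM mdl_user ORDER BY username")
    return [user for user, pw in rows if LEGACY_MD5.match(pw)]

def verify_and_upgrade(conn, username, password):
    """Check a login; a success against a legacy hash rehashes and stores it
    (the usual 'upgrade on next login' migration)."""
    row = conn.execute("SELECT password FROM mdl_user WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    stored = row[0]
    if LEGACY_MD5.match(stored):
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
        if ok:
            conn.execute("UPDATE mdl_user SET password = ? WHERE username = ?",
                         (strong_hash(password), username))
            conn.commit()
        return ok
    return check_strong(stored, password)
```

Accounts that never log in again stay on the legacy hash, so the audit function should be run after the migration window closes and the remaining accounts forced through a password reset.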
7. Vulnerability Analysis Phase and Recommendations
In this phase, vulnerabilities found throughout the exercise are enumerated and analyzed, and appropriate recommendations are proposed for their mitigation.
After completing the exploitation of the CTF machine, we can conclude that it exhibits security flaws of significant severity, potentially opening pathways for an attacker to establish a foothold and target the enterprise’s data network where it resides.
As general recommendations to be implemented organization-wide within the IT systems, the following are enumerated:
- Update Operating Systems: Obsolete operating systems like “Windows 7”, vulnerable to “EternalBlue”, should not be in use.
- Disable Unnecessary Services and Apply Security Hotfixes: Regularly update systems and software automatically whenever versions or updates are available, while also disabling unnecessary services.
- Regularly Review Security Alerts for All Operating Systems.
- Keep Software Up to Date: Maintain all software up to its latest versions. This applies to antivirus and similar systems. Check compliance with update policies at system restarts and scheduled weekly intervals.
- Secure Application Development: For both system and web applications, sanitize input parameters to prevent potential code injections by well-informed attackers for remote command execution.
- Establish Credential Policies: Implement a policy for creating and changing passwords. Restrict permissions for users based on their roles within the organization. Set robust access credentials with high security standards, such as including uppercase and lowercase letters, numbers, special characters, and a minimum length of 10 characters.
- Backup Policy: Implement a backup policy with reasonable frequency to safeguard relevant organization data. This prevents data loss due to events like cybercriminals gaining access and installing ransomware.
- Employee Awareness: Conduct awareness sessions within the organization to reduce cyberattacks, particularly those exploiting social engineering as the primary attack vector.
- Physical Protection Measures: Establish physical protection measures, such as biometric systems, to restrict access to various organization systems. This ensures that only authorized users, as determined by the organization, can access confidential resources based on their roles or other relevant factors.
Finally, it’s important to emphasize that the most crucial measure for any organization is to educate all employees on awareness matters. They are consistently the weakest link in the chain and play a critical role in the organization’s overall cybersecurity posture.
8. Reporting Phase
In this final phase, the client is informed about all the tests conducted in the audit and the results obtained. Therefore, we will provide all the information in a clear and concise manner, allowing the end client to comprehend the entire audit process.
Each test conducted, the attack methods employed, and the tools used for analysis and exploitation will be presented. Vulnerabilities found will be detailed based on their criticality according to the CVSS calculator, along with recommendations for mitigation.
Considering that there are two distinct types of reports – executive and technical – it’s important to consider the intended audience. The executive report is directed towards professionals within the company who lack technical knowledge in cybersecurity (e.g., managerial roles), while the technical report is meant for professionals with expertise in the field (IT department, etc.).
Throughout this article, we’ve explored the process of conducting a “Pentest” or “ethical hacking” audit on an IT system, utilizing JAYMON SECURITY’s testing lab with their CTF 2 machine.
Upon concluding the audit, the key takeaway is the necessity to update systems and provide robust configurations. Failing to do so leaves the organization perpetually vulnerable to cyberattacks. Additionally, when deploying new applications, adhering to secure configuration guidelines through tested “hardening” methods is crucial. This ensures proper functionality and prevents applications or services from becoming threats to the organization, as demonstrated with the Moodle platform.
In closing, it’s essential to recognize that the most significant challenge for any organization lies in mitigating the lack of cybersecurity awareness among its employees. Even if all IT systems are well-patched and updated, their effective use can be compromised due to insufficient training in cybersecurity. To address this issue, it’s strongly recommended to offer various courses and workshops to bolster the weakest link in the chain.
If you’re interested in gaining introductory knowledge in ethical hacking, you can enroll in our basic ethical hacking course. For those seeking more advanced insights into offensive cybersecurity, our advanced course is available for purchase.