Perimeter Breach
Target VPN 10.200.XXX.12
Used Tools
Nmap
Gobuster
Hydra
Burp Suite
diff
Remmina
Summary
For the perimeter breach, we target the public-facing VPN server, due to the nature of the subject it might connect to the internal network and offers a favorable opportunity to attack this target first.
We’ll scan the web server with Gobuster and detect two directories, of which one contains an OpenVPN file, which will connect us to the internal network. But this file is available to all and leads to an unstable RDP connection. It's enough for the perimeter breach to retrieve the first flag. There is also a login form that can be brute-forced using the previously gained information from the OSINT section. Gaining access to the page behind the login form reveals a form to submit usernames to generate an individual OpenVPN file, providing a more stable connection. The form itself is vulnerable and will be discussed in the next chapter Initial Compromise of Active Directory.
Recon
We see there is an SSH access running on port 20 and a webserver running on port 80.
Checking out the webserver with Gobuster reveals two directories, /vpn and /vpns. The /vpns directory seems empty but directing to the /vpn directory reveals an OpenVPN file.
Visiting /vpn
Visiting /vpns
Directly visiting 10.200.XXX.12 the web server greets us with a login prompt.
Investigation
After reviewing the request for login with Burp Suite, we are able to craft a brute-force attack via Hydra.
Running Hydra with our previously crafted users and password list we are able to retrieve the credentials of a single account.
laura.wood@corp.thereserve.loc:Password1@
Using those credentials we are able to log in.
The form prompts us to submit an account name, on login it's filled in before with
laura.wood@corp.thereserve.loc.
Just giving my own name a shot, it works just as well.
Next, analyze the request in Burp Suite to inspect if there is anything special.
Downloading two OpenVPN files for comparison.
Getting the diff between both hints that they might be individual.
On the first attempt at the beginning of the challenge the routes were set correctly and we were able to reach 10.200.XXX.21 and .22. Both WRK machines of the internal network.
Scanning those reveals their FQDN WRK_.corp.thereserve.loc and they have an open RDP port 3389.
Using Remmina to connect to the WRK1 machine reusing the credentials of laura.wood gives us a connection to the machine.
On the machine itself, we are able to submit the first flag. We breached the perimeter.
Flag-1: Breaching the Perimeter
For flag submission, you have to reach out to the 10.200.XXX.250 machine. Register an account and submit proof of compromises. On doing that you have to provide the machine hostname, then it asks you to store a file on a given location, named with your username and the content of an uuid it.
For the purpose of the write-up, I did not redo that again, instead, I show you how and where to place the given uuid. In this case, at C:\Windows\Temp\0xb0b.txt to prove of breaching the perimeter.
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt
Last updated
Was this helpful?
