Perimeter Breach

Target VPN 10.200.XXX.12

Used Tools

Nmap

Gobuster

Hydra

Burp Suite

diff

Remmina

Summary

For the perimeter breach, we target the public-facing VPN server. By its nature it is likely to connect to the internal network, which makes it the most promising first target.

We scan the web server with Gobuster and find two directories, one of which contains an OpenVPN file that connects us to the internal network. This file is available to everyone, however, and only yields an unstable RDP connection; it is enough to retrieve the first flag for the perimeter breach. There is also a login form that can be brute-forced with the information gathered in the OSINT section. The page behind the login form contains a form for submitting a username to generate an individual OpenVPN file, which provides a more stable connection. The form itself is vulnerable and is discussed in the next chapter, Initial Compromise of Active Directory.

Recon

We see that SSH is running on port 22 and a web server on port 80.

┌──(0xb0b㉿kali)-[~]
└─$ nmap -sT -sV -sC 10.200.103.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 05:38 EDT
Nmap scan report for 10.200.103.12
Host is up (0.070s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e275e6b20f4ba886dccddd911f12b161 (RSA)
|   256 e01568d4735cd6de7d9f9b4cbe9584b3 (ECDSA)
|_  256 35c9f1745f021bbdefe8c8d252f2fe12 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.43 seconds

Checking out the web server with Gobuster reveals two directories, /vpn and /vpns. The /vpns directory seems empty, but browsing to /vpn reveals an OpenVPN file.

Visiting /vpn

Visiting /vpns

Visiting 10.200.XXX.12 directly, the web server greets us with a login prompt.

Investigation

After reviewing the login request in Burp Suite, we can craft a brute-force attack with Hydra.

Running Hydra with the user and password lists crafted earlier, we retrieve the credentials of a single account.

laura.wood@corp.thereserve.loc:Password1@

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ hydra -L users-mail.txt -P passwords.txt 10.200.103.12 http-get-form "/login.php:user=^USER^&password=^PASS^:Please check your username or password" -v
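A brute-force run like the one above is loud in the web server's access log: every guess is a request to /login.php, and because the form uses GET, the username (and the password) land in the query string. The following detection script is an added example and not part of the write-up; it parses Apache combined-format lines, groups requests to the login path by client address, and flags any source that exceeds a threshold inside a sliding time window. The log lines, the attacker address 10.50.0.5, the threshold and the usernames other than laura.wood are constructed placeholders.

```python
"""Detect HTTP login brute-forcing from Apache access logs (added example, not from the write-up)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Apache "combined" format; the trailing referer and user-agent fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return ip, timestamp, method, path, user (from the query string) and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    qs = parse_qs(url.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "user": qs.get("user", [None])[0],
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, login_path="/login.php", threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that hit login_path at least `threshold` times inside any `window`.

    Returns {ip: {"attempts": total, "peak_in_window": n, "distinct_users": k}} for flagged IPs only.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        peak, start = 0, 0
        # Two-pointer sliding window: count the densest burst of login requests.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "distinct_users": len({r["user"] for r in recs if r["user"]}),
            }
    return flagged


def build_sample_log():
    """Constructed sample lines (not from the write-up): one noisy source and one ordinary user."""
    fmt = '{ip} - - [27/May/2023:05:{mm:02d}:{ss:02d} -0400] "GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    users = ["laura.wood%40corp.thereserve.loc", "a.user%40corp.thereserve.loc", "b.user%40corp.thereserve.loc"]
    lines = []
    for i in range(11):  # 11 guesses in 20 seconds from the placeholder attacker address 10.50.0.5
        lines.append(fmt.format(ip="10.50.0.5", mm=41, ss=2 * i,
                                target=f"/login.php?user={users[i % 3]}&password=guess{i}", status=200))
    # An ordinary user: one failed and one successful login minutes apart, plus a page view.
    lines.append(fmt.format(ip="10.50.0.9", mm=40, ss=0,
                            target="/login.php?user=c.user%40corp.thereserve.loc&password=typo", status=200))
    lines.append(fmt.format(ip="10.50.0.9", mm=45, ss=0,
                            target="/login.php?user=c.user%40corp.thereserve.loc&password=right", status=302))
    lines.append(fmt.format(ip="10.50.0.9", mm=45, ss=3, target="/vpn/", status=200))
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['attempts']} login requests, peak {info['peak_in_window']} in 60s, "
              f"{info['distinct_users']} distinct usernames")
```

Because the form submits credentials via GET, the same log that enables this detection also retains the passwords in clear text, so log access must be restricted and the form should be changed to POST; the `distinct_users` count separates a single-account guess from a password spray across many accounts.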

Using those credentials we are able to log in.

The form prompts us to submit an account name; on login it is pre-filled with

laura.wood@corp.thereserve.loc.

Just giving my own name a shot, it works just as well.

Next, we analyze the request in Burp Suite to check whether there is anything special about it.

We download two OpenVPN files for comparison.

Diffing the two shows that they differ, which hints that each file is generated individually.
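A plain diff answers "are the files different?", but the question that matters for the portal's security is which parts differ: a profile that shares the CA block but carries its own client certificate and key is individually issued, whereas the profile served from the world-readable /vpn directory is one shared credential for everyone who downloads it. The script below is an added example, not from the write-up; it parses the inline <ca>, <cert> and <key> blocks of two profiles, reports which blocks and directives differ, and publishes only SHA-256 fingerprints of the blocks so the comparison can be logged without copying key material. The two profiles are constructed with placeholder PEM bodies; the remote address is the portal from the page.

```python
"""Compare two OpenVPN profiles to see whether client credentials are issued per user (added example)."""
import hashlib
import re

# Inline blocks such as <ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth>.
BLOCK_RE = re.compile(r"<(?P<name>[a-z-]+)>\n(?P<body>.*?)\n</(?P=name)>", re.S)


def parse_ovpn(text):
    """Split a profile into inline blocks and plain directives (directives may repeat, e.g. remote)."""
    blocks = {m.group("name"): m.group("body").strip() for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return {"directives": directives, "blocks": blocks}


def fingerprint(body):
    """Short SHA-256 fingerprint so reports never contain certificate or key material."""
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def compare_profiles(text_a, text_b):
    """Report identical and differing inline blocks, differing directives, and block fingerprints."""
    a, b = parse_ovpn(text_a), parse_ovpn(text_b)
    names = sorted(set(a["blocks"]) | set(b["blocks"]))
    keys = sorted(set(a["directives"]) | set(b["directives"]))
    return {
        "identical_blocks": [n for n in names if a["blocks"].get(n) == b["blocks"].get(n)],
        "differing_blocks": [n for n in names if a["blocks"].get(n) != b["blocks"].get(n)],
        "differing_directives": {k: (a["directives"].get(k), b["directives"].get(k))
                                 for k in keys if a["directives"].get(k) != b["directives"].get(k)},
        "fingerprints": {n: (fingerprint(a["blocks"].get(n, "")), fingerprint(b["blocks"].get(n, "")))
                         for n in names},
    }


def issues_individual_credentials(text_a, text_b):
    """True only when both client identity blocks (cert and key) differ between the two profiles."""
    return {"cert", "key"} <= set(compare_profiles(text_a, text_b)["differing_blocks"])


def make_profile(username):
    """Constructed profile with placeholder PEM bodies (not real certificates or keys)."""
    return f"""\
client
dev tun
proto udp
remote 10.200.103.12 1194
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-SHARED-BY-ALL-CLIENTS
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT-{username}
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY-{username}
-----END PRIVATE KEY-----
</key>
"""


if __name__ == "__main__":
    laura, other = make_profile("laura.wood"), make_profile("0xb0b")
    report = compare_profiles(laura, other)
    print("differing blocks:", report["differing_blocks"])
    print("per-user credentials:", issues_individual_credentials(laura, other))
    print("shared file vs itself:", issues_individual_credentials(laura, laura))
```

Running the two portal-generated files through `compare_profiles` should list only `cert` and `key` as differing; if the shared /vpn file is compared against any generated one and the CA block also differs, the two files were not issued by the same PKI and belong to different trust domains, which is worth a second look.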

On the first attempt at the beginning of the challenge the routes were set correctly and we were able to reach 10.200.XXX.21 and .22, the two WRK machines of the internal network.

Scanning those reveals their FQDNs, WRK_.corp.thereserve.loc, and an open RDP port, 3389.

Using Remmina to connect to the WRK1 machine with laura.wood's credentials gives us a session on the machine.

On the machine itself we can submit the first flag. We have breached the perimeter.

Flag-1: Breaching the Perimeter

For flag submission, you have to reach out to the 10.200.XXX.250 machine. Register an account and submit proof of compromise. To do so, you provide the machine hostname; it then asks you to store a file at a given location, named after your username and containing a UUID.

For the purpose of the write-up I did not redo that; instead I show how and where to place the given UUID, in this case at C:\Windows\Temp\0xb0b.txt, as proof of breaching the perimeter.

echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt
