CRTE Latest


Leaked

Penetration Test Report

for

Certified Red Team Expert
Table of Contents

1.0 Certified Red Team Expert Exam Report
1.1 Introduction
1.2 Objective
1.3 Requirements
2.0 High-Level Summary
2.1 Recommendations
3.0 Methodologies
3.1 Information Gathering
3.2 Penetration
1. Fortress-secure.fortress.corp
2. Fortress-privdb.fortress.corp
3. Palace-dbsrv2.palace.corp
4. Fortress-dc.fortress.corp
5. Palace-dc.palace.corp

1.0 Certified Red Team Expert Exam Report

1.1 Introduction

The Pentester Academy Lab exam report contains all efforts that were conducted in order to pass the Pentester Academy Certified Red Team Professional ("CRTE") Exam. This report will be graded from a standpoint of correctness and completeness across all aspects of the Exam Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Certified Red Team Professional.

1.2 Objective

The objective of this assessment is to perform an internal penetration test against the Pentester Academy Exam network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test from beginning to end, including the overall report.

1.3 Requirements

The student will be required to fill out this penetration testing report fully and to include the following sections:

• Overall High-Level Summary and Recommendations (non-technical)
• Methodology walkthrough and detailed outline of steps taken
• Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable.
• Any additional items that were not included

2.0 High-Level Summary

The author of this report was tasked with performing an internal penetration test against the Pentester Academy Exam Lab environment. An internal penetration test is a dedicated offensive simulation against internally connected systems. The focus of this test is to perform attacks like those of a malicious hacker and attempt to infiltrate Pentester Academy's internal Exam Lab systems. The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting findings back to Pentester Academy.

During the assessment, several alarming vulnerabilities were identified on Pentester Academy's exam network. When performing the attacks, the author was able to gain access to multiple machines, primarily due to poor security configurations. During the tests, four systems were successfully compromised, granting full control over most systems in the network.

- fortress-secure.fortress.corp
- fortress-privdb.fortress.corp
- palace-dbsrv2.palace.corp
- fortress-dc.fortress.corp
- palace-dc.palace.corp

2.1 Recommendations

It is strongly recommended to implement proper network segmentation in order to better isolate the hosts and prevent lateral movement between systems. A firewall should be enabled on all systems with a configuration that minimizes the unnecessary exposure of services. For each identified vulnerability, mitigation recommendations are provided in the following chapters.

3.0 Methodologies

I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Pentester Academy Labs and Exam environments are secured. Below is a breakdown of how I was able to identify and exploit the different systems; it includes all individual vulnerabilities found.

3.1 Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the test. During this penetration test, the objective was to exploit the exam network.

3.2 Penetration

The penetration testing portion of the assessment focuses heavily on gaining access to a variety of systems. During this penetration test, I was able to successfully gain access to 5 out of the 5 systems.

INITIAL STEPS

1) I started by logging in to the lab environment with the provided student credentials and began enumerating multiple objects (users, computers) with the PowerView tool in order to discover enough information about the Active Directory environment. First, I observed that I wasn't able to execute PowerView commands because of AMSI (Anti-Malware Scan Interface), so I used a one-liner script in order to bypass the restriction.

[Ref].Assembly.GetType('System.Management.Automation.'+$("41 6D 73 69 55 74 69 6C 73".Split(" ")|forEach{[char]([convert]::toint16($_,16))}|forEach{$result=$result+$_};$result)).GetField($("61 6D 73 69 49 6E 69 74 46 61 69 6C 65 64".Split(" ")|forEach{[char]([convert]::toint16($_,16))}|forEach{$result2=$result2+$_};$result2),'NonPublic,Static').SetValue($null,$true)

Figure 1 - AMSI Bypass

2) I then enumerated the domain, users and computers, where I found some interesting information from Get-NetDomain, Get-NetForest, Get-NetUser -SPN and Get-NetComputer (-Unconstrained) that suggested the next steps.

Figure 2 - Get-NetDomain

Figure 3 - Get-NetForest

Figure 4 - Get-NetUser

Figure 5 - Get-NetComputer

3) Next I tried to escalate privileges from studentuser to local admin, and for this I tried multiple tools like winPEAS, PowerUp and Seatbelt, but all of them returned only false positives, so I continued the enumeration until I found the password of the secureservice user in the user description field: UseThisToRunSvcs!23.

Figure 6 - Password found in user description

4) I also retrieved an important piece of information while enumerating computers with unconstrained delegation enabled.

Figure 7 - Computers with unconstrained delegation enabled

5) Then I tried to create a remote PSSession to the fortress-secure VM, but I got access denied for both the studentuser and secureservice users.

6) After a password spraying process I found that the secureservicebkp user has the same password as secureservice; I logged in and tried to create that PSSession again and it worked: secureservicebkp has Administrator privileges on fortress-secure.fortress.corp.

Figure 8 - Retrieve Remote PSSession on fortress-secure

In order to mitigate this issue I recommend configuring servers to require Constrained Delegation (do not use Kerberos Unconstrained Delegation) and also configuring all elevated administrator accounts with the "Account is sensitive and cannot be delegated" flag.
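
The mitigation above can be checked and applied from a domain-joined admin host. The following PowerShell is an added example, not part of the original report: it audits the three conditions the initial steps relied on (credentials left in user Description fields, non-DC computers with unconstrained delegation, and privileged accounts that can still be delegated) and, with -Remediate, sets AccountNotDelegated, which is the "Account is sensitive and cannot be delegated" checkbox. It assumes the RSAT ActiveDirectory module; the domain name, the group list and the description regex are illustrative assumptions.

```powershell
# Added example (not part of the original report): audits the weaknesses
# the initial steps relied on and applies the recommended delegation
# hardening. Requires the RSAT ActiveDirectory module and an account that
# can read (and, with -Remediate, write) the objects. The domain name,
# group list and regex below are assumptions for illustration.
[CmdletBinding()]
param(
    [string]$Server = 'fortress.corp',   # assumed domain / DC to query
    [switch]$Remediate                   # set AccountNotDelegated on privileged users
)
Import-Module ActiveDirectory

# 1. Credentials stored in user Description fields (step 3 of the report).
#    Matches common secret words or a "word!digits" style value; loose on purpose.
$descPattern = '(?i)(pass|pwd|secret|cred)|[A-Za-z]+[!@#$%]\w{2,}'
$leakyUsers = Get-ADUser -Server $Server -Filter 'Description -like "*"' `
                  -Properties Description |
              Where-Object { $_.Description -match $descPattern } |
              Select-Object SamAccountName, Description

# 2. Computers with Kerberos unconstrained delegation (step 4).
#    Domain controllers carry the flag by design, so they are excluded.
$dcs = (Get-ADDomainController -Server $Server -Filter *).Name
$unconstrained = Get-ADComputer -Server $Server -Filter 'TrustedForDelegation -eq $true' `
                     -Properties TrustedForDelegation |
                 Where-Object { $dcs -notcontains $_.Name } |
                 Select-Object Name, DNSHostName

# 3. Privileged accounts that can still be delegated (the mitigation above).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'   # assumed scope
$privUsers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Server $Server -Identity $g -Recursive |
        Where-Object objectClass -eq 'user'
}
$delegatable = $privUsers | Sort-Object DistinguishedName -Unique |
    ForEach-Object {
        Get-ADUser -Server $Server -Identity $_.DistinguishedName -Properties AccountNotDelegated
    } |
    Where-Object { -not $_.AccountNotDelegated }

if ($Remediate) {
    foreach ($u in $delegatable) {
        # Same effect as ticking "Account is sensitive and cannot be delegated".
        Set-ADUser -Server $Server -Identity $u -AccountNotDelegated $true
        Write-Host "Set AccountNotDelegated on $($u.SamAccountName)"
    }
}

# Summary object: review the Description hits by hand, the regex is deliberately broad.
[pscustomobject]@{
    UsersWithSecretsInDescription = $leakyUsers
    UnconstrainedDelegationHosts  = $unconstrained
    DelegatablePrivilegedUsers    = $delegatable | Select-Object SamAccountName
}
```

Run it read-only first and inspect the output before using -Remediate. The delegation audit only reports the flag; moving a server that genuinely needs delegation to Constrained Delegation is a per-service change (msDS-AllowedToDelegateTo) that this script does not attempt.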

1. Fortress-secure.fortress.corp

• Another important finding is that the VM has Application Whitelisting (AWL) and is running in Constrained Language Mode (CLM). I checked the C:\maintenancescripts folder and found a script called "checkserverstatus.ps1"; it uses administrator credentials on the student machine to run the "hostname" command via Invoke-Command.

Figure 9 - OS commands run on fortress-secure

• I used the credentials in the script to add my user "studentuser" to the Administrators group.

Figure 10 - Added studentuser to Administrators group

• After signing in to the foothold machine with Administrator rights, I dumped the hashes using the Invoke-Mimikatz.ps1 script and extracted the NTLM hash for the maintenancesvc user.

Figure 11 - Dump hashes for users on fortress-secure

• After this I also added the maintenancesvc user to the Administrators group. Then I performed a Pass-The-Hash attack with maintenancesvc and connected to fortress-secure.fortress.corp, where I was able to validate the AppLocker policy.

Figure 12 - Validate AppLocker Policy

• Then I created a script called testmimi.ps1 to install Invoke-Mimikatz.ps1 and run it to dump hashes.

Figure 13 - testmimi.ps1 script

Figure 14 - Retrieve sensitive information by running mimikatz

• After retrieving all relevant information I refined the Invoke-Mimikatz parameters a little and added the vault::cred /patch option in order to retrieve more useful information: the credentials for the securesrvadmin user.

Figure 15 - Retrieve securesrvadmin password from vault

• On the foothold machine, I connected as the securesrvadmin user and started to enumerate information regarding SQL instances using PowerUpSQL.ps1.

Figure 16 - Reconnaissance for SQL instances

2. Fortress-privdb.fortress.corp

• Using HeidiSQL.exe I connected to the SQL instance on fortress-privdb.fortress.corp.

Figure 17 - Establishing connection to fortress-privdb

• I started the SQL Server abuse by first checking whether the logged-on user is "sysadmin" or "db_owner". It returned '0' for "sysadmin" and '0' for "db_owner".

Figure 18 - Checking for privileges

Then I did some reconnaissance and looked for privileges on every database.

Figure 19 - Reconnaissance for privileges

Figure 20 - Reconnaissance for privileges

Figure 21 - Reconnaissance for privileges

• After doing some discovery regarding users and privileges, I found a way to impersonate sa in order to enable xp_cmdshell using the priv_db database.

Figure 22 - Get privileges for priv_db database

Figure 23 - Check for Impersonation

EXECUTE AS USER='dbo'
ALTER SERVER ROLE [sys

• Finally I was able to impersonate a sysadmin and I enabled "xp_cmdshell" to execute OS commands.

• After running the whoami command on fortress-privdb I added studentuser into the Administrators group:

Figure 24 - Added studentuser to Administrators group

Figure 25 - Check the Administrators group on fortress-privdb

REFERENCE: HTTPS://SECURE360.ORG/WP-CONTENT/UPLOADS/2017/05/SQL-SERVER-HACKING-ON-SCALE-USINGPOWERSHELL_S.SUTHERLAND.PDF

As mitigation on fortress-privdb.fortress.corp, I recommend removing EXECUTE privileges on the xp_cmdshell procedure for non-administrative logins and the public role, using the following SQL command: REVOKE EXECUTE on xp_cmdshell to Public.
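
The REVOKE above closes the last step of the chain; the earlier steps (impersonating dbo in a database and ending up with sysadmin rights) depend on server configuration that can be audited in the same pass. The following PowerShell is an added example, not part of the original report: it queries the instance for TRUSTWORTHY databases owned by a sysadmin, explicit server-level IMPERSONATE grants, and the state and grantees of xp_cmdshell, and with -Remediate applies the recommended REVOKE together with disabling the procedure and clearing TRUSTWORTHY. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a sysadmin login; the instance name is taken from the report.

```powershell
# Added example (not part of the original report): audits the SQL Server
# escalation path used on fortress-privdb and applies the REVOKE recommended
# above. Needs the SqlServer module (Invoke-Sqlcmd) and a sysadmin login;
# the instance name is from the report, everything else is illustrative.
[CmdletBinding()]
param(
    [string]$Instance = 'fortress-privdb.fortress.corp',
    [switch]$Remediate
)
Import-Module SqlServer

function Invoke-Audit([string]$Query, [string]$Database = 'master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $Query
}

# 1. TRUSTWORTHY databases owned by a sysadmin: a db_owner there (or anyone
#    able to EXECUTE AS USER='dbo') acts with the owner's server-level rights.
$trustworthy = Invoke-Audit @"
SELECT d.name AS [database], SUSER_SNAME(d.owner_sid) AS owner,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases d
WHERE d.is_trustworthy_on = 1 AND d.name <> 'msdb';
"@

# 2. Explicit server-level IMPERSONATE grants (the login-to-sa hop).
$impersonate = Invoke-Audit @"
SELECT grantee.name AS grantee, target.name AS can_impersonate, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON pe.major_id = target.principal_id
WHERE pe.permission_name = 'IMPERSONATE';
"@

# 3. Is xp_cmdshell enabled, and which principals in master may execute it?
$cmdshellEnabled = (Invoke-Audit @"
SELECT CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations WHERE name = 'xp_cmdshell';
"@).value_in_use -eq 1

$cmdshellGrants = Invoke-Audit @"
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1 AND pe.major_id = OBJECT_ID('sys.xp_cmdshell');
"@

if ($Remediate) {
    # The report's own recommendation, plus disabling the procedure outright
    # and clearing TRUSTWORTHY on every database found in step 1.
    Invoke-Audit @"
REVOKE EXECUTE ON xp_cmdshell TO public;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
"@
    foreach ($db in $trustworthy) {
        Invoke-Audit "ALTER DATABASE [$($db.database)] SET TRUSTWORTHY OFF;"
    }
}

[pscustomobject]@{
    TrustworthyDatabases = $trustworthy
    ImpersonateGrants    = $impersonate
    XpCmdshellEnabled    = $cmdshellEnabled
    XpCmdshellGrantees   = $cmdshellGrants
}
```

The TRUSTWORTHY check is the one that matters most here: revoking xp_cmdshell from public does nothing against a principal who can still reach sysadmin through a trusted database, because a sysadmin can simply grant it back. Confirm that no application relies on TRUSTWORTHY (cross-database ownership chaining, CLR assemblies) before turning it off.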

• After getting a remote session on the fortress-privdb.fortress.corp machine via PSSession, I was able to run my own compiled version of mimikatz in order to retrieve the privdbmanager hash.

Figure 26 - Dump privdbmanager hash via Mimikatz on fortress-privdb

• Then I obtained an RDP session, to make the reconnaissance much easier, by enabling RDP with the following command:

Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0

• I did some recon by looking at the Domain GPOs on the palace.corp domain and found that the machine should have access to the palace.corp domain via GPO.

Figure 27 - Enumerate Domain GPO

• I also checked some GPLinks from the palace.corp domain.

Figure 28 - Checked for GPLinks

• I ran the SharpHound collector and the BloodHound tool to analyze the collected data in order to gather more information about the domains, domain controllers, users and privileges in the context of fortress-privdb$, and found that the fortress-privdb machine account can force a password change on dbmanager@palace.corp and can change GPOs on palace.corp.

Figure 29 - Fortress-privdb can change password for dbmanager user

3. Palace-dbsrv2.palace.corp

• Using the PsExec tool on fortress-privdb.fortress.corp, I obtained an elevated (NT AUTHORITY\SYSTEM) cmd prompt where I used Rubeus with the asktgt /ptt command and the fortress-privdb credentials in order to pass the ticket and establish connectivity.

Figure 30 - FORTRESS-PRIVDB machine HASH

Figure 31 - Rubeus execution output

• After this step I changed the password of the dbmanager user with the Set-DomainUserPassword cmdlet from the PowerView tool.

Figure 32 - Password change for dbmanager

• After this, I added the dbmanager user to the DatabaseMasters group using the following commands:

$User = Get-ADUser -Identity dbmanager -Server "palace.corp"
$Group = Get-ADGroup -Identity DatabaseMasters -Server "palace.corp"
Add-ADGroupMember -Identity $Group -Members $User -Server "palace.corp"

Figure 33 - Commands used to insert dbmanager user to DatabaseMasters

• After this step I was able to create a new remote PSSession on palace-dbsrv2.palace.corp using the dbmanager user and the new password (after reset).

Figure 34 - Remote PSSession on palace-dbsrv2 and run OS commands

• Here I ran my own compiled version of mimikatz in order to retrieve user hashes, and I found the trustuser hash, which has Administrator rights on fortress-dc.fortress.corp.

[palace-dbsrv2.palace.corp]: PS C:\temp> Invoke-Mimikatz -Command ' "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"'

  .#####.   mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

<TRUNK>

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 65022 (00000000:0000fdfe)
Session           : Service from 0
User Name         : trustuser
Domain            : PALACE
Logon Server      : PALACE-DC
Logon Time        : 3/29/2021 2:30:43 PM
SID               : S-1-5-21-3220691889-3703580063-924024866-1105
        msv :
         [00000003] Primary
         * Username   : trustuser
         * Domain     : PALACE
         * NTLM       : bf26e8a371339924ce631f2ec40b1b87
         * SHA1       : f5e3eb38e742deba5066f43a28ecbd2a4ab30104
         * DPAPI      : 1144fed6a68eb85f3d76afa3a52f3598
        tspkg :
        wdigest :
         * Username   : trustuser
         * Domain     : PALACE
         * Password   : (null)
        kerberos :
         * Username   : trustuser
         * Domain     : PALACE.CORP
         * Password   : (null)
        ssp :

On the same machine I was able to find the credentials for the companyadmin user. After running the BloodHound ingestor I was able to see what privileges this user has and observed that it has rights to PS-Remote to the Palace-DC machine:

Figure 35 - Retrieving trustuser password from vault and also the Hash

4. Fortress-dc.fortress.corp

• Using pass the hash I was able to log in to fortress-dc.fortress.corp as trustuser, where I added studentuser as an administrator.

Figure 36 - New PSSession to fortress-dc

Figure 37 - Run OS Commands on Fortress-DC

• I also ran the lsadump::dcsync command to retrieve all user and computer hashes.

Figure 38 - lsadump::dcsync output

• The last step was to add studentuser to the Domain Admins group and also to the Enterprise Admins group using the following commands:

net group "Domain Admins" studentuser /add
net group "Enterprise Admins" studentuser /add

• This last screenshot is proof that I was able to gain domain admin privileges on the fortress.corp domain with studentuser.

Figure 39 - Proof that studentuser is Domain Admin
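
Both closing actions in this section, the replication request against the DC and the additions to Domain Admins and Enterprise Admins, leave evidence in the domain controller's Security log. The following PowerShell is an added example, not part of the original report, that pulls that evidence: 4728/4732/4756 membership changes to a watched set of groups, and 4662 events in which a non-DC account exercised the DS-Replication-Get-Changes rights. It assumes the ActiveDirectory module on the host running it and that "Audit Security Group Management" and "Audit Directory Service Access" are enabled on the DC; the DC name, group list and time window are illustrative assumptions.

```powershell
# Added example (not part of the original report): defender-side detection
# for the steps above, read from a domain controller's Security log.
# Event IDs and the replication-right GUIDs are Windows' own values; the
# DC name, group list and time window below are assumptions for illustration.
[CmdletBinding()]
param(
    [string]$ComputerName = 'fortress-dc.fortress.corp',   # assumed DC to query
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# Control-access rights requested by a DCSync-style replication call:
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
$replicationGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
                    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
# DatabaseMasters is included because the report used it as a stepping stone.
$watchedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'DatabaseMasters'

function ConvertFrom-EventData {
    # Flattens the EventData section of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

$since = (Get-Date).AddHours(-$Hours)

# 1. Members added to sensitive groups: 4728 (global), 4732 (local), 4756 (universal).
$groupAdds = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($watchedGroups -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Group   = $d['TargetUserName']
                Member  = $d['MemberName']
                Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }

# 2. Replication rights exercised by anything other than a DC machine account.
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
$dcsync = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        $hit = $replicationGuids | Where-Object { $d['Properties'] -match $_ }
        if ($hit -and $dcAccounts -notcontains $d['SubjectUserName']) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectName']
                Rights = ($hit -join ',')
            }
        }
    }

[pscustomobject]@{
    SensitiveGroupAdditions = $groupAdds
    DCSyncCandidates        = $dcsync
}
```

4662 is a high-volume event; the GUID filter and the DC-account exclusion are what make it usable, and legitimate non-DC replicators (Azure AD Connect service accounts, some backup agents) will need to be allow-listed by SubjectUserName. Forwarding these two queries to a SIEM on a schedule, rather than running them by hand, is the practical deployment.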

5. Palace-dc.palace.corp

Using pass the hash I was able to log in to palace-dc.fortress.corp as the companyadmin user, where I was able to run commands on this machine.