As pentesters, we are usually asked to operate in an unfamiliar environment, find as many software, logical, or misconfiguration vulnerabilities as possible, and do all of that under stress due to a compressed time window allocated for an assessment.
While automated network and web application scanners, source code analyzers, and similar tools can certainly help us accelerate some traditional assessment tasks, they are arguably a minor part of a pentester’s toolkit. Critical thinking, the ability to analyze the big picture, multitasking, and identifying interconnected problems that cannot be caught by any scanner are the foundations of the skills necessary to be a successful pentester.
The goal of the PEN-200 labs has always been to simulate a real-world network that would expose our learners to situations in which the above-mentioned skills and mindset could be repeatedly practiced and improved upon. Nevertheless, for learners without prior experience, acquiring the skills needed to operate in an unfamiliar environment can seem like a daunting challenge.
For that reason, we have created the PEN-200 Labs Learning Path. It is a living document (with updates as our PEN-200 labs update) that provides a more explicit pathway for learners to choose and compromise some of the targets within the PEN-200 labs.
More specifically, we have selected 11 of the more than 70 available machines in the PEN-200 labs and will provide the information needed to compromise them. Since we have always been strong believers in a hands-on approach to learning, we are providing writeups with explicit steps for only 2 of those 11 machines. For the remaining 9 machines, we are providing sufficient hints to enable the learner to compromise the machines on their own.
Additionally, those machines are mapped to specific PEN-200 modules, so that learners can easily identify the topics that are relevant for the compromise of the respective machines.
Ultimately, completion of these Learning Path machines should provide a PEN-200 learner with the confidence and the skillset to tackle the remainder of our rather extensive labs. However, it is important to state that Learning Path machines alone are not sufficient to pass the OSCP exam. Rather, they are a helpful collection of starting point target machines for the rest of the PEN-200 labs. We highly encourage you to compromise as many machines in the labs as possible in order to prepare for the OSCP exam.
Learning Path Machines
You will notice that the PEN-200 module mappings for each of the machines in the Learning Path share one important module: Active Information Gathering.
For a pentester, the active information gathering process is extremely critical and often cyclical; we expand our search based on any new information we obtain at any point in time and we go deeper at every pass. Exploitation of targets is fun, but cannot be done correctly before the necessary information about that target is gathered. Attempting to launch arbitrary exploits against a target won't produce any meaningful results and will likely create problems with potentially catastrophic consequences during a real penetration test.
Additionally, many learners approach the labs as a sequence of independent targets, starting from the first IP address and moving upward. This is not necessarily a good way to approach the PEN-200 labs. Following the penetration testing methodology we cover in the course and applying it to the entire PEN-200 network is critical.
Once you see the big picture, you can use that information to access the low-hanging targets and collect all the information you can during the post-exploitation phase. Often, the information or credentials collected during the first phase of exploitation can be used to access additional machines in the network.
If you get stuck, go back to your notes regarding the network and move to the next target. You can always return to work on the targets you were not successful with at a later stage. Sometimes you just need to step away for a while to acquire a different perspective, and other times you need missing information or credentials that you can only find somewhere else in the network.
In other words, the PEN-200 labs are not CTF labs. There are many interdependencies between the machines, which need to be identified and exploited in order to make progress. Approaching the PEN-200 labs with this understanding will provide the learner with a much more valuable learning experience.
Without further ado, here are the details for the current PEN-200 Learning Path machines.
| LP-1 | |
|---|---|
| IP | 10.11.1.71 |
| Name | ALPHA |
| Difficulty | Easy |
| PEN-200 Modules | Active Information Gathering, Using Public Exploits, Privilege Escalation, Password Attacks |
| Target Service(s) | WEB SERVER |
| Details | This machine hosts a web application that does not contain an unauthenticated exploitable vulnerability. The actual initial foothold can be obtained by exploiting a shocking vulnerability in the web server itself. Once a low-privilege shell is obtained, privilege escalation can be achieved either through password reuse (credentials found on the same machine) or through exploitation of another running service. Therefore, post-exploitation enumeration is critical. This machine is part of OffSec's methodology forum posting guide, where a full and detailed writeup can be found. We encourage you to try it on your own before reading the writeup. |
| LP-2 | |
|---|---|
| IP | 10.11.1.72 |
| Name | BETA |
| Difficulty | Easy |
| PEN-200 Modules | Active Information Gathering, Using Public Exploits, Privilege Escalation, Password Attacks |
| Target Service(s) | POP3, SSH |
| Details | This machine runs an unusual application on an uncommon port. Once identified, the application can be accessed by abusing weak credentials. Part of the functionality offered by this application is the ability to reset the password of arbitrary users. Taking this path allows an attacker to obtain additional information that leads to a restricted shell on the machine itself. However, the application itself also suffers from a vulnerability that can be used to obtain a low-privilege shell. Once access is obtained, privilege escalation can be achieved using a number of public kernel exploits. This machine is part of OffSec's methodology forum posting guide, where a full and detailed writeup can be found. We encourage you to try it on your own before reading the writeup. |
| LP-3 | |
|---|---|
| IP | 10.11.1.5 |
| Name | ALICE |
| Difficulty | Easy |
| PEN-200 Modules | Active Information Gathering, Using Public Exploits, Metasploit Framework, File Transfers, Password Attacks |
| Target Service(s) | SMB |
| Details | This machine is one of the “low-hanging fruits” in the labs and is designed to give the learner an easy win with a simple Metasploit exploit. It is based on a very old operating system that is vulnerable to at least 2 different exploits against the target service. No privilege escalation is necessary, as the target services run as SYSTEM. However, it is important to perform post-exploitation enumeration, including password hash recovery and cracking. Furthermore, additional files on the system are protected by weak credentials and could be useful later on. |
| LP-4 | |
|---|---|
| IP | 10.11.1.13 |
| Name | DISCO |
| Difficulty | Easy |
| PEN-200 Modules | Active Information Gathering, File Transfers, Web Application Attacks, Privilege Escalation, Using Public Exploits |
| Target Service(s) | FTP, IIS |
| Details | This is an easy machine designed to allow the learner to practice gaining unauthorized access through weak or non-existent authentication on a very common service. This access allows the attacker to upload arbitrary files to the target system, which can then be used to gain a low-privilege shell. Identifying the user context under which the initial shell is obtained allows the attacker to grab a bag of potato chips, find the very well-known exploit for the target service, and enjoy a SYSTEM-level shell. |
| LP-5 | |
|---|---|
| IP | 10.11.1.146 |
| Name | SUSIE |
| Difficulty | Easy |
| PEN-200 Modules | Active Information Gathering, Using Public Exploits, Metasploit Framework |
| Target Service(s) | SMB |
| Details | This machine is one of the “low-hanging fruits” in the labs and is designed to give the learner an easy win with a simple Metasploit exploit. In this case, the goal is simply to perform proper initial enumeration and to identify the versions of running services. With this information, it is trivial to find the appropriate exploit and obtain a root-level shell. |
| LP-6 | |
|---|---|
| IP | 10.11.1.217 |
| Name | HOTLINE |
| Difficulty | Easy |
| PEN-200 Modules | Active Information Gathering, Using Public Exploits, Privilege Escalation |
| Target Service(s) | HTTP |
| Details | This machine is one of the “low-hanging fruits” in the labs. It runs a service that suffers from weak authentication, which provides an initial foothold. This allows the attacker to find additional information about the same service, which turns out to be vulnerable to RCE. The exploit requires some customization. Privilege escalation can then be accomplished by focusing on enumeration, specifically of misconfigured permission settings. |
| LP-7 | |
|---|---|
| IP | 10.11.1.222 |
| Name | CHRIS |
| Difficulty | Medium |
| PEN-200 Modules | Active Information Gathering, Web Application Attacks, Password Attacks |
| Target Service(s) | Web App, Oracle DB |
| Details | This machine is designed to expose the learner to some traditional web application attacks. One of the fundamental parts of attacking web apps is to first identify as much of the attack surface as possible. Therefore, enumeration is important to make any progress. When the vulnerable page is found, learners will need to rely on the knowledge acquired in the PEN-200 Web Application Attacks module to manually probe the input points and identify the vulnerability. Once identified, the vulnerability can be used to extract information about and from the backend database, which includes items such as password hashes. Again, identification of the type of hash and cracking thereof is critical for a complete compromise of the target system. Because of the machine's configuration, no privilege escalation is necessary. However, further exploration of the compromised system is encouraged. |
| LP-8 | |
|---|---|
| IP | 10.11.1.231 |
| Name | MAILMAN |
| Difficulty | Medium |
| PEN-200 Modules | Active Information Gathering, Using Public Exploits, Privilege Escalation |
| Target Service(s) | SMB, SMTP |
| Details | Extensive enumeration of this machine reveals that, shockingly, it is vulnerable to the same type of exploit that also affects Alpha. At the time of this writing, the exploit itself is not present in the Metasploit framework, but it can be found using SearchSploit. The machine is designed to allow the learner to practice privilege escalation identification. More specifically, obtaining root privileges does not rely on any exploit but rather on a misconfiguration, which can be identified once a low-privilege shell is obtained. |
| LP-9 | |
|---|---|
| IP | 10.11.1.123 |
| Name | XOR-APP59 |
| Difficulty | Medium |
| PEN-200 Modules | Active Information Gathering, Password Attacks, Web Application Attacks, Active Directory Attacks |
| Target Service(s) | AD, SPN |
| Details | This machine is the entry point for one of our Active Directory deployments and exploitation chains in the PEN-200 labs. It contains a little bit of everything: a web application that first needs to be discovered using enumeration techniques described in Web Application Attacks, weak credentials, and the ability to upload malicious web files that are not properly filtered, resulting in a SYSTEM shell. Finally, this allows an attacker to roast the SQL Service Principal Names (SPNs) and crack the obtained ticket. These credentials can then be used to access XOR-APP23, the next machine in this AD chain. |
| LP-10 | |
|---|---|
| IP | 10.1.1.246 |
| Name | SEAN |
| Difficulty | Medium |
| PEN-200 Modules | Active Information Gathering, Web Application Attacks, Password Attacks, Port Redirection and Tunneling |
| Target Service(s) | FTP, SSH |
| Details | This machine can be accessed via the 10.11.1.251 router inside the public network. Reverting the router will also revert Sean to its original pristine state. It contains a very badly hidden web application with a vulnerable WordPress plugin. More information about the application can be found by using unauthenticated access to a non-web service and/or by standard web enumeration techniques. The most important part is to identify the vulnerable plugin. Exploiting it, obtaining the password hashes, and cracking them is not difficult, as popular automation tools can be used. Similarly, obtaining root privileges is also trivial due to the excessive privileges of the compromised user. Nevertheless, the most important function of this machine is that it enables pivoting to the PEN-200 Labs IT Network. As such, it is designed to allow learners to practice enumeration and exploitation of machines over tunneled connections. We encourage OffSec learners to fully explore and practice this type of access to otherwise unreachable subnets. |
| LP-11 | |
|---|---|
| IP | 10.11.1.50 |
| Name | BETHANY |
| Difficulty | Hard |
| PEN-200 Modules | Active Information Gathering, Web Application Attacks, Antivirus Evasion, Password Attacks, Port Redirection and Tunneling, Privilege Escalation |
| Target Service(s) | Web Server, AntiVirus |
| Details | This machine is designed to allow learners to practice antivirus evasion. However, before getting to that point in the exploitation chain, learners will need to identify multiple web servers running on the target system. One of these suffers from a remote command execution vulnerability with a publicly available exploit. In order to gain code execution, learners have multiple tools at their disposal that can create or modify standard malicious binary files. Please note that some work better than others, so if you are not making progress, try a different tool. Once a shell is obtained, it is critical to perform proper system enumeration. This will reveal that this particular machine has connections to a previously exploited machine in this list. Note that in order to make use of the information obtained from that machine, traffic redirection techniques will be needed. |
For additional information, please check out the “A Path to Success in the PEN-200 Labs” blog post on the OffSec website.