Ever wondered how it feels like to hack a company? To breach their systems, traverse their network, and gain complete and total control of their domain – but all in bounds of legality? Well, look no longer!
I’ve been scouring the inter-webs looking for decent resources that I can use to practice and hone my hacking skills. Although VulnHub was great, it didn’t provide me with a sense of realism. I wanted something more, something similar to the OSCP Labs and Exam… something with a “real world” structure, a real network that I can compromise, domain and all. All in all, I needed something to test and practice without breaking the bank or a company styled setup.
After many-a-hour of searching, I have come across a site called Pentestit Labs. It was a unique Russian “Corporate Laboratory” set up and led by the Pentestit Information Security Firm, allowing security professionals to test their penetration testing skills.
I decided to dig deeper into the site and was generally amazed by how well everything was put together and how realistic the lab felt. I decided to give the lab a shot and completed it with a 100% success rate. I will be posting my write-ups for the lab and how I successfully “hacked” the “real life” lab in the upcoming days.
But, before I am able to post my write-up’s let’s go over the basics of what the lab is, what it consists of, and what is to be done.
About the “Test Lab”:
The Test lab contains penetration testing laboratories that emulate the IT infrastructure of real companies and are created for legal pentesting and improving penetration testing skills. Laboratories are always unique and include the most recent and known vulnerabilities.
The Test lab is presented as a computer network of virtual companies containing widely of distributed misconfigurations and vulnerabilities. Participants, playing a pentester role, are trying to exploit them – and in the case of success, gain access to particular lab nodes which contain a token. The winner is the one who collects all tokens.
Penetration testing in the labs are based on a “grey box” methodology: participants have network infrastructure information in form of a schema and a text description. Participants can use different methods of penetration – exploiting network services, the web, social engineering, buffer overflow and etc.
During development of the labs, we try to cover almost all IT areas: network security, security of OSs and applications. Participants are supposed to exploit the variety of vulnerabilities in the network components and cryptographic mechanisms, in configurations and code, and also the human factor. The outstanding features of “Test lab” is the unique story and whole scenery which links tasks with each other. For example, one can use already found mail credentials to attack other services and machines (Active Directory, for example). This is more real than standalone tasks in CTF contests, which can be done separately.
Before you are able to access the Network Information and VPN Connection to the lab – you have to register. Once you are registered and verified you will be able to access the “Test Lab V.10” Main Screen.
From here you will be able to access the Network Diagram, Forums, Chat and also be allowed to enter any “Tokens” found during your pentest.
When you click on the Network Diagram link, you will be presented with the layout of the lab – in other terms you will be presented with the Companies Network Layout for your Grey-Box pentest.
From the initial image, we can see that we will have access to the Lab via VPN or Virtual Private Network.
Once in the network, we will only have access to one public facing host called “gw” – possibly sitting in the DMZ. From the small fire graphic – it also seems that the system has a running Firewall to prevent any attacks from getting into the Internal Network.
Our objective would be to compromise that host, get remote access, and then pivot into the Internal Network to continue our pentest.
Our “main” objective would be to compromise the WIN-DC0 host as that is the Domain Controller for the network. If we can compromise that, then we will have the keys to the kingdom. Overall, that is also the goal in any Network Pentest, to see if we can get access to the Domain.
Connecting to the Lab:
Once you are registered and at the main “Test Lab” screen, if you look at the top right corner of your screen, you will see a “HOW TO CONNECT” button, right next to your Progress Meter.
Once you click on “HOW TO CONNECT” you will be redirected to the Instructions Screen.
If you want, you can download their custom Kali 2 VirtualBox OVA Image, but I preferred to use my own custom setup… plus I didn’t know what else they might have installed/not installed on there, and I didn’t want any headaches during testing.
Once you login to the website, get your VPN credentials and download the OpenVPN config file to your Kali Box, we can go ahead and connect to the Lab.
This can be simply done by running the OpenVPN Command with the Pentestit config file as the argument, like so:
root@kali:~# openvpn lab.pentestit.ru.conf Sat Mar 13 22:15:43 2017 OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 23 2016 Sat Mar 13 22:15:43 2017 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.08 Enter Auth Username: ****** Enter Auth Password: ******** ---snip--- Sat Mar 13 22:15:53 2017 /sbin/ip route add 192.168.101.0/24 via 10.10.200.121 Sat Mar 13 22:15:53 2017 /sbin/ip route add 10.10.0.1/32 via 10.10.200.121 Sat Mar 13 22:15:53 2017 Initialization Sequence Completed
After you see “Sequence Completed” then you are successfully in the lab and can start pentesting! You can test this by pinging 192.168.101.9 and you should get a reply.
Alright, that’s all for today! Stay tuned for more posts in the upcoming days on how to compromise the lab!