The 14th penetration testing laboratory will be launched on December 10. Information security experts will be able to legally test their strengths in finding and exploiting vulnerabilities, consolidate their pentesting skills and determine the leaders of this season.

About laboratories

Test lab laboratories are free grounds for gaining and consolidating skills in penetration testing and security analysis of corporate networks. Every laboratory has a single infrastructure, a full legend and many attack vectors. Using them, participants have to create an effective scenario to compromise the information system or to ensure its security. When developing the laboratories, the main criteria are realism and the relevance of the vulnerabilities and of the methods used to exploit them. Unlike classical CTFs, our laboratories are an interconnected IT structure of vulnerable and invulnerable components (servers, network equipment and workstations), which brings the actions of attackers or defenders as close as possible to real conditions.

Map of attacks and description

After registration, the information needed to connect to the laboratory through OpenVPN becomes available in the account. Having established a connection, the attacker gains access to the gateways behind which the corporate network of the virtual company is located. Having completed a successful scenario, the participant then develops the attack on the internal networks. Depending on the structure of each particular laboratory, various pivoting techniques are used, for example through services available from the gateways (SSH, OpenVPN, web applications). The laboratories are designed so that participants interfere with each other as little as possible. All attempts to attack the laboratory are displayed on the online map on the main page, which matches the external and internal addresses of the attacker.

The main emphasis in the laboratories is on realism: the IT structure is designed by analogy with the corporate networks of real companies, bringing the actions of attackers closer to real hacking. Participants acting as external intruders try to exploit the built-in vulnerabilities and, if successful, gain access to individual laboratory nodes, each of which contains a token. The winner is the participant who first collects all the tokens, that is, in fact, gains full control over the virtual corporate network. Everyone, regardless of skill level, can test their penetration testing skills in conditions as close as possible to real ones, without breaking the law.

The laboratory uses:

different network services (Mail, DNS, AD, VPN, IDS, WAF, DB, etc.);

web applications, API and microservices (PHP, Python, Django, Java);

various desktop and client-server applications;

additional support services for realism.

To pass the laboratory it is necessary to have:

working skills with various network services and protocols;

knowledge of the best penetration testing practices (OSINT, OWASP, etc.);

skills in working with specialized tools (Nmap, SQLmap, Burp Suite, WPScan, Nikto/DirBuster/w3af, Dig, Patator/Hydra, IDA Pro, etc.);

development and reverse engineering experience;

experience of fuzzing and vulnerability search in network services and web applications.

About the developer

Pentestit specializes in the area of practical information security: it provides security analysis services for information systems, provides training in the field of information security, and also develops Nemesida WAF — comprehensive software for protection against hacker attacks based on machine learning.

Pentestit cooperates with companies from Russia, the USA, Great Britain, Czech Republic, Canada, Ukraine, Moldova, Azerbaijan and Kazakhstan.

Test lab 12. Statistics

Currently, about 30K users from all over the world are registered on the site lab.pentestit.ru. The first task from the previous laboratory (finding the Mail token) was completed by 959 participants, but only 50 of them managed to completely compromise the IT structure of the virtual company.

Walkthrough of some tasks from Test lab 12

Helpdesk

The password reset form, available on the forum page, uses unsafe parameter passing.

If you look at the source of the page with the password change form, or inspect the request in Burp Suite, you can find a certain token in a hidden field. When the page is reloaded, the hidden parameter does not change, so it is probably not a CSRF token; instead it looks like base64-encoded text. Taking into account that the password change form asks only for the new password and its confirmation, we can assume that this parameter is somehow tied to the user, and after decoding it we see that it looks like a user ID. By substituting the right value for this parameter, you can set a new password for another user.
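The defect described above, as an added illustration that is not code from the lab or from Pentestit: a password change handler that takes the target user from a client-controlled hidden field, next to a hardened version that takes the user only from the authenticated session and checks a server-issued one-time token. The user store, user IDs and token handling are constructed for the example.

```python
import base64
import secrets

# Constructed sample user store (not from the lab); plain-text passwords only
# to keep the illustration short.
USERS = {1: {"name": "alice", "password": "a-old"},
         2: {"name": "bob", "password": "b-old"}}
RESET_TOKENS = {}  # session_uid -> one-time token issued with the form

def hidden_field_for(uid):
    """What the vulnerable page embeds: base64 of the numeric user id."""
    return base64.b64encode(str(uid).encode()).decode()

def looks_like_encoded_id(value):
    """Review check: a hidden 'token' that decodes to a short integer is an
    identifier, not an unguessable token, and must not be trusted."""
    try:
        return base64.b64decode(value, validate=True).decode().isdigit()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False

def vulnerable_change_password(form, session_uid):
    """The bug: the target user comes from the client-controlled hidden field,
    while the authenticated session user is ignored."""
    uid = int(base64.b64decode(form["token"]).decode())
    USERS[uid]["password"] = form["new_password"]
    return uid

def issue_reset_token(session_uid):
    """Issued by the server when the form is rendered, bound to the session."""
    tok = secrets.token_urlsafe(32)
    RESET_TOKENS[session_uid] = tok
    return tok

def hardened_change_password(form, session_uid):
    """The target user is taken only from the session; the token is compared
    against the one issued to that session and consumed on use."""
    expected = RESET_TOKENS.pop(session_uid, None)
    if expected is None or not secrets.compare_digest(expected, form["token"]):
        raise PermissionError("invalid or missing form token")
    if form["new_password"] != form["confirm_password"]:
        raise ValueError("passwords do not match")
    USERS[session_uid]["password"] = form["new_password"]
    return session_uid
```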

DB

In this task it is necessary to analyze and modify a Java application in order to attack the server side.

While doing one of the previous tasks, we obtained a jar file, which has to be investigated by reverse engineering. After examining the decompiled version of the file, we see that an object of the Request class is sent to the server, and that in one of the modes a string with the user's surname is transmitted. To check the theory of an SQL injection vulnerability, we change the corresponding constructor of this class so that it takes the string from the user for subsequent sending to the server.

Compile the class, replace it in the original jar file and run the updated application, substituting our SQL payload.
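The lesson of this task for the server side, as an added example that is not code from the lab or from Pentestit: whatever the original client sends, the server cannot know which client built the Request, so the surname must be bound as a query parameter rather than spliced into SQL text. The table, rows and surname allowlist are constructed for the example, and sqlite3 stands in for the lab's database.

```python
import re
import sqlite3

# Constructed sample table standing in for the lab's database (not from the lab).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE employees (id INTEGER, surname TEXT, token TEXT)")
conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                 [(1, "Ivanov", "token-ivanov"), (2, "Petrov", "token-petrov")])

def vulnerable_lookup(surname):
    """Server-side handler that splices the surname taken from the deserialized
    Request into the SQL text. The unmodified client only ever sends a plain
    surname, but a modified client can send any string."""
    sql = f"SELECT surname FROM employees WHERE surname = '{surname}'"
    return [row[0] for row in conn.execute(sql)]

# Constructed allowlist for surnames: letters, apostrophe, hyphen, space.
SURNAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")

def hardened_lookup(surname):
    """Same query with the surname bound as a parameter, so it is data rather
    than SQL; the allowlist is kept only as defence in depth, since a payload
    made of letters, quotes and spaces still passes it."""
    if not SURNAME_RE.fullmatch(surname):
        raise ValueError("surname rejected by input validation")
    sql = "SELECT surname FROM employees WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]
```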

The next task is not typical for penetration testing, but we decided to include it in the laboratory anyway.

The majority of participants did not find the right solution. In one of the images obtained while completing an adjacent task, text was hidden using steganography. Check all the pictures using the steganography Python package.

The image we were looking for returned the token hidden in it.

Welcome to the Test lab 14

Access to the laboratory is completely free: lab.pentestit.ru. After registration the user gets a login and password for a remote connection to the laboratory.

See you in the c[RU].sh!