✍️Practical Engagement I

These are the steps I took to complete the flag-hunting session in the current module of the CEH v12 Practical Course.

Flag 1

Perform vulnerability scanning for the webserver hosting movies.cehorg.com using OpenVAS and identify the severity level of RPC vulnerability.

Pentesting > Vulnerability Analysis > Openvas – Greenbone > Start Greenbone Vulnerability Manager Service

Greenbone’s output

You can see that the RPC vulnerability has a score of 5

A: 5

Flag 2

Perform vulnerability scanning for the Linux host in the 172.16.0.0/24 network using OpenVAS and find the number of vulnerabilities with severity level as medium.

Linux IP: 172.16.0.11

A: 0

Flag 3

You are performing reconnaissance for CEHORG and have been assigned a task to find out the physical location of one of their webservers hosting www.certifiedhacker.com. What are the GEO Coordinates of the webserver? Note: Provide answer as Latitude, Longitude.

Go to: https://tools.keycdn.com/geo?host=162.241.216.11

A: 37.751, -97.822

Flag 4

Identify if the website www.certifiedhacker.com allows DNS zone transfer. (Yes/No)

Parrot Terminal
cd dnsrecon
chmod +x ./dnsrecon.py
./dnsrecon.py -d {target}
From module 02, Lab 7, Task 2. dnsrecon.py

A: No

Flag 5

Identify the number of live machines in 172.16.0.0/24 subnet.

Parrot Terminal
nmap -sP 172.16.0.0/24

nmap’s output

Here the ping sweep also picks up network nodes that are not target machines, so to avoid counting these “additional hosts” let’s try another scan option.

Parrot Terminal
nmap -sP -PS22 172.16.0.0/24
Parrot Terminal
nmap -PU 172.16.0.0/24

A: 3

Flag 6

While performing a security assessment against the CEHORG network, you came to know that one machine in the network is running OpenSSH and is vulnerable. Identify the version of the OpenSSH running on the machine. Note: Target network 192.168.0.0/24.

Parrot Terminal
nmap -sV -p 22 --script vuln 192.168.0.0/24
You can add --open at the end of the command to list only the hosts with port 22 open

A: 8.9p1

Flag 7

During a security assessment, it was found that a server was hosting a website that was susceptible to blind SQL injection attacks. Further investigation revealed that the underlying database management system of the site was MySQL. Determine the machine OS that hosted the database.

Parrot Terminal
nmap -T4 -A cehorg.com
The service banner on port 22 reveals the OS; you can use -O (OS detection) too

A: Ubuntu

Flag 8

Find the IP address of the Domain Controller machine.

INFO: Domain controllers will show port 389 running the Microsoft Windows AD LDAP service

Parrot Terminal
nmap -T4 -A movies.cehorg.com

That is just to gather some information; now let’s scan another batch of IPs

Parrot Terminal
nmap -p389 -sV 10.10.10.0/24 --open

A: 10.10.10.25

Flag 9

Perform a host discovery scanning and identify the NetBIOS name of the host at 10.10.10.25.

Parrot Terminal
nmap -sV --script nbstat.nse 10.10.10.25
nmap -T4 -A 10.10.10.25
nmap’s scan output

A: ADMINDEPT

Flag 10

Find the IP address of the machine which has port 21 open. Note: Target network 172.16.0.0/24

Parrot Terminal
nmap -p21 -sV 172.16.0.0/24
Previous command’s output

You can try: nmap -p21 -sV 172.16.0.0/24 --open

A: 172.16.0.12

Flag 11

Perform an intense scan on 10.10.10.25 and find out the FQDN of the machine in the network.

Parrot Terminal
nmap -T4 -A 10.10.10.25

A: AdminDept.CEHORG.com

Flag 12

What is the DNS Computer Name of the Domain Controller?

A Google search confirms that the DNS computer name is the same as the FQDN found in the previous question

A: AdminDept.CEHORG.com

Flag 13

Perform LDAP enumeration on the target network and find out how many user accounts are associated with the domain.

For LDAP enumeration I suggest using ldapsearch; it is a lot more comfortable than searching through nmap or the Python script suggested by the documentation.

Parrot Terminal
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=AdminDept,dc=CEHORG,dc=com"' 10.10.10.25
nmap’s output: cn=user exists!
Parrot Terminal
ldapsearch -x -h 10.10.10.25 -b "dc=CEHORG,dc=com" "objectclass=user"
ldapsearch’s output does not show the users
Parrot Terminal
ldapsearch -x -h 10.10.10.25 -b "dc=CEHORG,dc=com" "objectclass=user" cn=user

A: 8

Flag 14

Perform an LDAP Search on the Domain Controller machine and find out the version of the LDAP protocol.

The command ldapsearch -x -h 10.10.10.25 -b "dc=CEHORG,dc=com" "objectclass=user" shows the LDAP protocol version too, but for this flag I will show the steps using the Python script.

Parrot Terminal
python3
Python
import ldap3
# get_info=ldap3.ALL makes the client read the rootDSE (including supportedLDAPVersion) and schema
server = ldap3.Server('10.10.10.25', get_info=ldap3.ALL, port=389)
connection = ldap3.Connection(server)  # no credentials given: anonymous bind
connection.bind()
server.info
server.info’s output: the supported protocol versions are listed; always use the highest supported version
Python
connection.search(search_base='DC=CEHORG,DC=com', search_filter='(&(objectclass=*))', search_scope='SUBTREE', attributes='*')
connection.entries
connection.search(search_base='DC=CEHORG,DC=com', search_filter='(&(objectclass=person))', search_scope='SUBTREE', attributes='userpassword')
connection.entries
Final output

A: LDAPv3
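Added example covering the Flag 13 and Flag 14 steps (my own code, not the course's or the page's): two pure helpers that pick the highest protocol version a server advertises and count user entries in a search result, plus a live function that assumes the ldap3 package is installed and reuses the DC address and base DN from the page. The sample entries are constructed.

```python
"""Helpers for the Flag 13/14 LDAP steps: pick the protocol version the DC
advertises in rootDSE and count user accounts in a search result."""
from typing import Dict, Iterable, List

def highest_ldap_version(supported: Iterable[str]) -> str:
    """'LDAPv<n>' for the highest value of rootDSE supportedLDAPVersion (the
    version a client should speak, which is what Flag 14 asks for)."""
    versions = [int(v) for v in supported]
    if not versions:
        raise ValueError("server advertised no supportedLDAPVersion")
    return f"LDAPv{max(versions)}"

def count_user_accounts(entries: Iterable[Dict[str, List[str]]], exclude_computers: bool = False) -> int:
    """Count entries whose objectClass contains 'user'. With exclude_computers=False
    this matches a plain (objectclass=user) search as used on the page; in Active
    Directory computer objects are also 'user' subclasses, so True skips them."""
    n = 0
    for attrs in entries:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "user" in classes and not (exclude_computers and "computer" in classes):
            n += 1
    return n

# Constructed sample of what a (objectclass=user) search might return; not lab data.
SAMPLE_ENTRIES = [
    {"cn": ["alice"], "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"cn": ["bob"], "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"cn": ["WS01"], "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
]

def enumerate_dc(host: str = "10.10.10.25", base: str = "DC=CEHORG,DC=com"):
    """Live version of the page's ldap3 session: anonymous bind, read rootDSE,
    search users. Needs the ldap3 package (assumed installed); imported here so
    the helpers above work without it."""
    import ldap3
    server = ldap3.Server(host, port=389, get_info=ldap3.ALL)
    conn = ldap3.Connection(server, auto_bind=True)  # anonymous simple bind, as on the page
    version = highest_ldap_version(server.info.supported_ldap_versions)
    conn.search(base, "(objectclass=user)", search_scope=ldap3.SUBTREE,
                attributes=["cn", "objectClass"])
    entries = [e.entry_attributes_as_dict for e in conn.entries]
    return version, count_user_accounts(entries), count_user_accounts(entries, True)

if __name__ == "__main__":
    print(highest_ldap_version(["2", "3"]), count_user_accounts(SAMPLE_ENTRIES))
```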

Flag 15

What is the IP address of the machine that has NFS service enabled? Note: Target network 192.168.0.0/24.

Remember: NFS Service port = 2049

Parrot Terminal
nmap -p 2049 192.168.0.0/24
command’s output; it is noisy
Parrot Terminal
nmap -p 2049 192.168.0.0/24 --open
nmap output with --open

A: 192.168.0.51

Flag 16

Perform a DNS enumeration on www.certifiedhacker.com and find out the name servers used by the domain.

Parrot Terminal
nmap --script=broadcast-dns-service-discovery www.certifiedhacker.com

First I tried to use nmap, but it was not precise and did not show the answer, so I decided to use another command.

Parrot Terminal
dig ns www.certifiedhacker.com
dig’s output; check the ANSWER SECTION

A: ns1.bluehost.com, ns2.bluehost.com

Flag 17

Find the IP address of the machine running SMTP service on the 192.168.0.0/24 network.

Remember: SMTP Service port is 25

Parrot Terminal
nmap -p 25 --script=smtp-enum-users 192.168.0.0/24 --open
Parrot Terminal
nmap -p 25 192.168.0.0/24 --open

A: 192.168.0.51
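Added example (my own code, not part of the original write-up): a small Python parser for nmap grepable (-oG) output that reproduces the host counting and the --open filtering done by hand in Flags 5, 10, 15 and 17. The scan lines are constructed for the example, and the exclude list for gateway or scanner-box addresses is my assumption about what the “additional hosts” in Flag 5 were.

```python
"""Parse nmap grepable (-oG) output: count live hosts from a ping sweep and list
hosts with a given port open, as in the Flag 5/10/15/17 steps of this write-up."""
import re
from typing import Dict, Iterable, List
# Constructed sample lines (not real lab output) imitating
# `nmap -sn -oG - 172.16.0.0/24` and `nmap -p21 -sV -oG - 172.16.0.0/24`.
SAMPLE_SWEEP = """\
Host: 172.16.0.1 ()\tStatus: Up
Host: 172.16.0.10 ()\tStatus: Up
Host: 172.16.0.11 ()\tStatus: Up
Host: 172.16.0.12 ()\tStatus: Up
"""
SAMPLE_PORTSCAN = """\
Host: 172.16.0.10 ()\tPorts: 21/closed/tcp//ftp///
Host: 172.16.0.11 ()\tPorts: 21/filtered/tcp//ftp///
Host: 172.16.0.12 ()\tPorts: 21/open/tcp//ftp//sample-ftpd 1.0/\tIgnored State: closed (0)
"""
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")

def _host_lines(output: str):
    """Yield (ip, hostname, rest-of-line) for every 'Host:' line."""
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def live_hosts(output: str, exclude: Iterable[str] = ()) -> List[str]:
    """Unique IPs with 'Status: Up'; `exclude` drops non-targets (gateway, scanner box) a sweep also counts."""
    skip, hosts = set(exclude), []
    for ip, _name, rest in _host_lines(output):
        if rest.startswith("Status: Up") and ip not in skip and ip not in hosts:
            hosts.append(ip)
    return hosts

def open_ports(output: str) -> Dict[str, List[dict]]:
    """Map IP -> open ports parsed from 'Ports:' entries (port/state/proto/owner/service/rpc/version/)."""
    result: Dict[str, List[dict]] = {}
    for ip, _name, rest in _host_lines(output):
        if not rest.startswith("Ports:"):
            continue
        for entry in rest[len("Ports:"):].split("\t")[0].strip().split(", "):
            f = entry.split("/")
            if len(f) >= 7 and f[1] == "open":  # keep only open ports, like nmap --open
                result.setdefault(ip, []).append(
                    {"port": int(f[0]), "proto": f[2], "service": f[4], "version": f[6]})
    return result

def hosts_with_open_port(output: str, port: int) -> List[str]:
    """IPs that have `port` open, i.e. what `nmap -p<port> --open` would list."""
    return [ip for ip, ps in open_ports(output).items() if any(p["port"] == port for p in ps)]
```

Run a real scan with `-oG -` and feed its text to these functions to get the same counts without reading the output by eye.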

Flag 18

Perform an SMB Enumeration on 192.168.0.51 and check whether the Message signing feature is enabled or disabled. Give your response as Yes/No.

SMB Port: 445

Parrot Terminal
nmap -p 445 -A 192.168.0.51

A: Yes

Flag 19

Perform vulnerability scanning for the domain controller using OpenVAS and identify the number of vulnerabilities with severity level as “medium”.

Using Greenbone, scan the IP 10.10.10.25 and check the result

A: 2

Flag 20

Perform a vulnerability research on CVE-2022-30171 and find out the base score and impact of the vulnerability.

Google: CVE-2022-30171

A: 5.5 Medium
