Innogen security


Posted in Blog post

pentestit lab v11 Guide Part 1


Introduction and Service Identification

While looking for vulnerable lab environments to utilise during my down time i came across I had heard of this previously but had lacked the time to investigate and register with the site.

Finally finding time I took the plunge and registered for the latest lab offering, registering was a very quick and simple step which you can do here: Sign up
Once registered you can sign in then navigate to the following url:  in order to gain your personal vpn connection details.

Once connected to the vpn with your personal vpn profile then take a look at the lab map  which shows you the basic overview of the host network which outlines a company based across 2 sites and thus provides us with 2 gateways to investigate.

[click for larger image]


Site 1 Gateway 1:
Site 2 Gateway 2:

My first thoughts here are:

  • how are the 2 sites related?
  • are they cross connected by a site-to-site vpn?
  • is site 2 a small non integrated company outpost?

(as you can see the questions start building immediately)

Having completed this labs challenge I have decided to collate and publish my notes via this blog, also I must say this was as close to OSCP based labs as one could ask for and its free! so if you are interested in OSCP it definitely worth hitting these labs when they present themselves!

NOTE: I apologise in advance for the detailed way i have presented each step and system which means the entire lab guide here is spread over quite a number of parts.

Nmap results for .10 and .11

Rather than paste an entire nmap dump here i have placed the commands and the ports returned:

Site 1 Nmap: nmap -sS -sC -sV -v -A

25/tcp open smtp Postfix smtpd
|_smtp-commands: SMTP: EHLO 220 mail.ptest.lab ESMTP Postfix (Debian/GNU)\x0D
80/tcp open http nginx 1.12.1
|_http-title: 403 Forbidden
88/tcp open hadoop-datanode Apache Hadoop 1.6.2
| hadoop-datanode-info:
|_ Logs: login-header
| hadoop-tasktracker-info:
|_ Logs: login-header
| http-cookie-flags:
| /:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 9E0C1B2136CE8FBE423F8AD1EF052665
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_http-server-header: nginx/1.6.2
|_http-title: Users
8080/tcp open http nginx
| http-methods:
|_ Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).

Site 2 Nmap: nmap -sS -sC -sV -v -A

2222/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 50:f9:23:6f:7e:3f:bb:68:77:5e:44:99:4d:51:9b:92 (DSA)
| 2048 df:da:b6:ac:c8:d6:ee:10:0b:b0:da:87:2f:c9:a3:08 (RSA)
|_ 256 e1:3e:b9:12:3e:01:ea:d5:d0:9a:3b:96:da:a8:ce:a5 (ECDSA)

Site 1 – Port 80 – Name = SITE (according to the lab map):  This leads us to a default webpage and a link to a customer login:


Site 1 – Port 88 – Name = CRM (according to the lab map): A default login page for Vtiger CRM:


Site 1 – Port 8080 – Name = MAIL (according to the lab map):  A default login page for roundcube mail:


Site 2 – Port 2222 SSH:

A quick test of the SSH port returns the version, OS and the fact a private key is required to access this system so we will need to visit this later in case one of the 3 above sites aid us in this matter?


Now we have listed out the ports available for the 2 gateway endpoints we can now pick our targets and enumerate further in order to find our entry points into the backend systems, which will be detailed in separate parts.

PART 2: 

Innogen security


Exploiting Sudo 1.8.27 The following brief is a quick demonstration of the issue faced by cve-2019-14287. This issue is presented when the user is allowed to run a specified command as any user other than the root user account, specified …

17 Oct 2019

SMB LFI Exploitation The following outlines a very short overview of LFI using SMB in form of a crib sheet. Install Samba: apt-get install samba Remove default Samba config: rm -f /etc/samba/smb.conf Create New smb.conf: vi /etc/samba/smb.conf The following config …

13 Oct 2019

Linux reverse shell without python. During a recent application exploit into an interactive shell the typical path to spawn a reverse shell and upgrade it to tty was sought. It was found that the go to technologies such as python, …

19 Sep 2019