My Pentesting Report
PENETRATION TEST REPORT
VULNERABLE ORGANIZATION
Security Posture
The scope was to exploit vulnerabilities on Vulnerable Organization servers and
apps that may be exploited by malicious attackers. The aim of the tests was to go
as far as possible.
NOTE: Dot colours on the map signify: Red – High Risk | Orange – Mid Risk | Green – Low Risk | Grey – Safe
This map makes it clear that the organization's security measures, policies, practices and procedures are not aligned with industry best practices. More than 25% of the tested infrastructure is in a critical state with a High level of risk.
TOTAL NUMBER OF VULNERABILITIES (including all 5 target machines)
Total Findings | High | Medium | Low
      19       |  9   |   2    |  3
Overall Security Rating – Immediate Attention and Action Required
Methodology
I utilized a widely adopted penetration testing approach to assess how well the target environment is secured. A breakdown of the applied methodology is provided below.
• Information Gathering – Reconnaissance [Footprinting, Scanning and Enumeration]
• Vulnerability Analysis – Researching potential vulnerabilities and analyzing them
• Exploitation – Using exploits in order to validate the vulnerabilities of the target
• Post Exploitation – Everything that should be performed after successful exploitation
• House Cleaning – Ensuring that the remnants of the penetration test are removed
Tools Utilized
The tools used were industry grade, a combination of open-source and commercially licensed software.
1. Nmap – Industry’s Most Commonly used Open-Source Scanning Tool
2. Metasploit Framework – Industry Grade Most Popular Pen-Testing
Framework Toolset
3. BurpSuite Professional – Best in Class Suite of Tools for Web Application
Assessment
4. Nikto – Web Server Audit Tool
5. Dirbuster – Directory & Web Files Enumeration Tool
6. Wpscan – Most popular WordPress Website Security scanning tool
Detailed Findings
HOST -
Name: Basic PenTesting 1
IP:-
Type: Virtual Machine
This host contains:
1. FTP Server (ProFTPd)
2. SSH Server
3. Web Server (Apache)
Operating System: Ubuntu
1. Backdoor Command Execution – HIGH
• System Vulnerable –
• Vulnerability – ProFTPD 1.3.3c Backdoor Command Execution
• Severity Rating – High | CVSS Risk Score – 10 (Critical)
• Exploit Used – rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
Description
ProFTPD 1.3.3c was found running on port 21. ProFTPD is a highly configurable, feature-rich FTP server for Unix-like environments; an FTP server's purpose is to handle data transfer between computers. In this case, the installation contains a backdoor.
Analysis
The backdoor allows remote attackers to execute arbitrary system commands with superuser privileges. This results in a full violation of the confidentiality, integrity and availability of organizational data and systems.
Remediation
Option 1: If the FTP Service is not necessary, disable or remove it.
Option 2: Upgrade to a Stable Release. (Latest version available is ProFTPD 1.3.9)
Steps to Reproduce
1. My initial Nmap scan revealed 3 open ports and detected the Ubuntu OS on the target.
Command Used – nmap -A -p- --min-rate 10000 -
2. Searchsploit displayed a potential exploit for the ProFTPD 1.3.3c service on port 21.
Command Used – searchsploit ProFTPD 1.3.3c
3. To configure and test the discovered exploit, I used Metasploit Framework.
Exploit Used – exploit/unix/ftp/proftpd_133c_backdoor
4. I decided to upgrade the shell from a normal shell to Meterpreter.
Module Used – post/multi/manage/shell_to_meterpreter
2. Weak Credentials – MEDIUM
• Endpoint – http://-/secret/wp-login.php
• Vulnerability – Weak Password Usage for WordPress
• Severity Rating – High | OWASP’s ID – WSTG-ATHN-07
• CWE Reference – https://cwe.mitre.org/data/definitions/521.html
Description
During the test, the user “admin” was found to be using a weak password at the endpoint listed above.
Analysis
This WordPress user has admin-level access on the WordPress website. With this level of privilege, an attacker can generate a fake plugin, pack a payload into it and upload it to the WordPress server; executing it gives the attacker shell access as the web server user.
Remediation
Introduce and enforce strong password policy and two-factor authentication.
Expert Opinion
Although weak WordPress credentials that ultimately lead to a system takeover are normally considered a High Severity vulnerability, in the case of this specific machine we only get www-data user access (and not root!), so this has been rated as Medium.
Steps to Reproduce
1. A basic directory structure enumeration revealed http://-/secret.
Command Used – dirb http://-
2. Further reconnaissance disclosed that WordPress 4.9.16 was installed.
Command Used – whatweb http://-/secret
3. A WordPress username “admin” was easily detected through a user enumeration scan.
Command Used – wpscan --url http://-/secret -e u
4. Another attack using wpscan successfully found this username’s password.
Command Used – wpscan -U admin --url http://-/secret -P /usr/share/wordlists/metasploit/http_default_pass.txt
5. Since this username had admin-level privileges, it was possible to upload a shell. The screenshot below shows how the payload was configured for this purpose.
Payload Location in Kali Linux – /usr/share/webshells/php/php-reverse-shell.php
6. After logging into the WordPress dashboard of the website with admin:admin credentials, I uploaded this php-reverse-shell.php file as a payload to the site.
Plugin Uploader URL – http://-/secret/wp-admin/plugin-install.php
After pressing the “Install Now” button, WordPress displayed the following error because our payload was obviously not a real plugin. But the file had been uploaded.
7. A listener was set up in Metasploit Framework to catch the reverse shell.
Metasploit Module Used – exploit/multi/handler
8. On accessing the URL of the previously uploaded payload, a reverse shell with user-level access on the target is received by our handler.
Uploaded Plugin URL – http://-/secret/wp-content/uploads/2021/06/php-reverse-shell.php
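As an added defender-side example (not part of the original report), the following Python script runs over constructed Apache access-log lines and flags the two traces that steps 4 and 8 above leave behind: a burst of POSTs to wp-login.php from a single address, and a request for a .php file under wp-content/uploads. The /secret path, the timestamps and the threshold of 10 login attempts are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not taken from the report): 12 login POSTs
# from one source within a minute, then that source fetching a .php file from the
# uploads directory; a second source only fetches an image and must not be flagged.
_POSTS = "\n".join(
    f'10.0.0.5 - - [14/Jun/2021:10:01:{i:02d} +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3541'
    for i in range(12)
)
SAMPLE_LOG = _POSTS + "\n" + "\n".join([
    '10.0.0.9 - - [14/Jun/2021:10:02:00 +0000] "GET /secret/wp-content/uploads/2021/06/logo.png HTTP/1.1" 200 12000',
    '10.0.0.5 - - [14/Jun/2021:10:03:30 +0000] "GET /secret/wp-content/uploads/2021/06/php-reverse-shell.php HTTP/1.1" 200 0',
])

# Apache common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def analyse(log_text, login_threshold=10):
    """Return (brute_force, php_in_uploads).

    brute_force: {ip: count} for sources that POSTed to wp-login.php at least
    login_threshold times (wordlist attacks such as wpscan -P produce this burst).
    php_in_uploads: (ip, path, status) for any request of a PHP-like file under
    wp-content/uploads, where WordPress should only ever serve media files.
    """
    login_posts = Counter()
    php_in_uploads = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") == "POST" and path.endswith("/wp-login.php"):
            login_posts[m.group("ip")] += 1
        if "/wp-content/uploads/" in path and path.lower().endswith(PHP_EXTENSIONS):
            php_in_uploads.append((m.group("ip"), path, m.group("status")))
    brute_force = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return brute_force, php_in_uploads


if __name__ == "__main__":
    bf, uploads = analyse(SAMPLE_LOG)
    print("login brute force:", bf)
    print("PHP in uploads:", uploads)
```

Both signals are cheap to run as a scheduled job over the web server's access log; the second one is also what a rule that denies PHP execution inside wp-content/uploads would prevent outright.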
Conclusion
Vulnerable Organization suffered a series of control failures, which led to a
complete compromise of many in-scope machines. These failures would have had
a dramatic effect on the company’s operations if a malicious party had exploited
them.
The overall risk identified to Vulnerable Organization as a result of the penetration test is High. A direct path from external attacker to full network compromise was discovered. The fact that all 5 systems in scope were compromised makes it clear that these systems had not been tested for a long time, and since they are all placed in the DMZ, this is a risky situation.
The primary goal of this penetration test was stated as identifying whether there is any weakness in Vulnerable Organization’s network that could potentially be used by attackers to access sensitive health (PHI) or payment data, which would violate HIPAA or PCI-DSS compliance.
These goals of the pentest were met, and in fact much more than this. Many critical vulnerabilities were found during the test that directly affect the confidentiality, integrity and availability of the information and systems. The majority of the findings have occasional prevalence, easy exploitability and devastating impact, with simple prevention.
It was found that your security architecture shows a few patterns:
• Operating systems are outdated and unpatched.
• Software and services are outdated.
• Passwords are either defaults or very weak.
• Security controls are either not defined or not implemented in most cases.
• All the vulnerabilities found have easy mitigations.
In conclusion, these vulnerabilities should not be there in the first place.
Vulnerable Organization needs to redefine their Information Security
Management Program and rethink their processes.
Recommendations
Due to the impact on the overall organization uncovered by this penetration test, appropriate actions should be taken to remediate and safeguard your IT infrastructure.
Though mitigation for specific vulnerabilities has already been given in this report, we additionally recommend the following:
• Establishment of an Updates & Patch Management Program
• Implementation of WAF and IPS
• Source Code Review of Deployed Applications and Sanitization
• Alignment of Security Policies with Industry Best Practices
• Use a Custom 404 (Not Found Error) Page
• Social Engineering training for every employee
• Vulnerability Scanning on at least a monthly basis (Scan – Patch – Scan Again)
• Install a HIPS and DLP to stop common attack payloads like Meterpreter