PENETRATION TESTING REPORT
Dated 12th May 2024

Executive Summary

The NBN Corporation is headquartered in Los Angeles, having relocated from New Manhattan in the early 2020s. NBN recently experienced a cyber-attack that resulted in the exposure of customer and employee data. To strengthen security, NBN engaged an independent firm to conduct a red team exercise mimicking attacker techniques.

This penetration testing report serves as a detailed analysis of the security landscape. The primary objective of the assessment was to identify vulnerabilities within the web servers, employing a methodology consisting of network reconnaissance, vulnerability scanning, and targeted exploitation. During this penetration test, we uncovered critical flaws, including open ports susceptible to exploitation, login page vulnerabilities on both the production and staging servers, and data exposure risks in specific directories. These findings necessitate immediate action to fortify the organization's security posture.

Our testing approach adhered closely to the guidelines outlined in NIST SP 800-115, ensuring that all assessments and actions were conducted under controlled conditions. Throughout the assessment, emphasis was placed on evaluating MegaCorp One's resilience to security threats and understanding the potential consequences of a security breach.

This executive summary encapsulates the purpose and methodology of the penetration test, providing MegaCorp One with a clear overview of the identified weaknesses, their potential impact, and the need for timely remediation efforts to fortify the organization's security posture.

Introduction

Objective

The penetration testing engagement was initiated with the primary goal of assessing the security posture in the aftermath of a recent security breach experienced by NBN Corp.
The overarching objective was to identify and address vulnerabilities within the web servers, shedding light on potential threats and providing actionable insights to bolster the organization's defenses. This penetration test was designed to simulate a red team-style assessment, mimicking the actions of an external threat source to comprehensively evaluate the security resilience of the targeted systems. The final goal is to obtain root access to the systems specified below.

In conducting this penetration test, we adhered to the rules of engagement outlined in NIST Special Publication 800-115. These guidelines ensured that our testing was conducted ethically, within legal boundaries, and with due consideration for the security and stability of the target environment. By following these rules, we aimed to provide a comprehensive assessment of the security posture while minimizing potential risks and disruptions.

Scope

S.No.  Owner     Server name  IP address                          Environment
1.     NBN Corp  nbnserver    eth0: 10.10.0.66, eth1: 172.16.1.1  Development
2.     NBN Corp  nbnclient    eth0: 172.16.1.2                    Development

Methodology

Our approach to this penetration test was structured and thorough, following industry best practices and established methodologies. We began with a comprehensive reconnaissance phase, using both passive and active techniques to gather information about the target environment. This was followed by an in-depth analysis of the discovered information to identify potential vulnerabilities and entry points. The next step involved exploiting these vulnerabilities in a controlled manner to assess their impact and the overall security posture of the system. Throughout the process, we maintained clear documentation of our findings and methodologies to ensure transparency and reproducibility.

The approach used while carrying out the vulnerability assessment and penetration test is black box testing:

1. Reconnaissance
   a. Conduct open source intelligence gathering
   b. Gather information on the target organization's online presence (OSINT)
2. Scanning and Enumeration
   a. Determine which servers are live and reachable from the internet
   b. Gather information on domain names, web servers, web applications, and externally visible IP addresses
   c. Use passive and active information gathering processes
   d. Enumerate the target network
   e. Conduct research to find vulnerabilities in online databases
3. Vulnerability Discovery
   a. Identify vulnerabilities based on applications and operating systems
   b. Verify vulnerabilities for false positives and false negatives
   c. Compare with industry best practices
4. Exploitation
   a. Determine if potential vulnerabilities can be exploited for unauthorized access
   b. Perform minimal remote access without causing damage
   c. Escalate privilege on the target system
   d. Attempt to discover proprietary information
5. Privilege Escalation
   a. Escalate privileges on the target system
   b. Establish persistence

Vulnerability ratings

To provide management with an indication of the significance of the risk involved and the priority with which it needs to be addressed, all risks have been rated per the classifications shown below: https://nvd.nist.gov/vuln-metrics/cvss

Findings

Nmap scan

First I scanned the system using nmap:

└─$ nmap -sC -sV -oA nmap/pentesting 10.10.0.66

From this scan, we can see that there are three services running:
- On port 80, http
- On port 443, ssh
- On port 8001, http

On visiting http://10.10.0.66:8001/ we can conclude that it is a staging server.

Next, we can try to find any direct vulnerabilities from searchsploit using the nmap scan, but in this case we did not get any, as shown below.

└─$ searchsploit --nmap nmap/pentesting.xml

Nikto Scan

We can now try a nikto scan for content discovery.

└─$ nikto -h 10.10.0.66

From this scan's output, we can find 4 files that are interesting:
- /login.php
- /data
- /internal
- /phpinfo.php

1. In login.php
   a. There are login pages on both ports 80 and 8001. Port 80 is the production server and port 8001 is the staging server. We can try sqlmap or bruteforce attacks on these pages.
2. In /data
   a. There is a link: http://10.10.0.66/data/flag1
   b. flag{CYBERFELLOWS_GOODLUCK}
   c. Also on the page http://10.10.0.66/data/ we can see a file with the name "CEO_gibson.jpg". We can conclude that this might be a username. We can use the username for future password attacks.
3. In /internal
   a. There are hints about injection attacks here.
4. In /phpinfo.php
   a. This page discloses the PHP version and other PHP configuration details; it should not be publicly accessible. phpinfo() is a debug function that prints out detailed information on both the system and the PHP configuration. This information can help an attacker learn more about the system.

Mitigations: Implement access controls for sensitive files on the server.

Hydra Password Guessing Attack

└─$ hydra -l gibson -P /usr/share/wordlists/rockyou.txt 10.10.0.66 http-get-form "/login.php:username=^USER^&password=^PASS^&Login=Enter:F=Login failed"

And thus, the password for "gibson" is "digital".

Using SQLMap

Capture the login page request using Burp Suite, store it in a file called "req", and then pass that file as a parameter. Command used:

└─$ sqlmap -r req --dump

This will dump data using sqlmap on the login.php page. Using the same process yields different outputs on port 80 and port 8001. Port 80 is not vulnerable to this attack vector, but we get a different output on port 8001. We can dump the credentials using the same flow. I was able to crack the password "digital" using sqlmap, but I wasn't able to crack the password for stephenson. We can use the online tool https://crackstation.net/.
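As an added defender-side check (not part of the original report), the following Python parses Apache combined-log lines and flags the pattern the hydra run above leaves behind: a burst of login attempts for one username from one client. The log lines, IP addresses and guesses are constructed. Because the form submits over GET, every guessed password also lands in the access log, which the second function counts; that is itself a reason to move the form to POST and rate-limit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs
# Constructed Apache combined-log lines (IPs, times and guesses invented).
SAMPLE_LOG = """\
10.10.0.5 - - [12/May/2024:10:01:01 +0000] "GET /login.php?username=gibson&password=123456&Login=Enter HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.0.5 - - [12/May/2024:10:01:01 +0000] "GET /login.php?username=gibson&password=letmein&Login=Enter HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.0.5 - - [12/May/2024:10:01:02 +0000] "GET /login.php?username=gibson&password=qwerty&Login=Enter HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.0.5 - - [12/May/2024:10:01:02 +0000] "GET /login.php?username=gibson&password=digital&Login=Enter HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query)
    return {"ip": m["ip"], "path": url.path, "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user": qs.get("username", [None])[0], "password": qs.get("password", [None])[0]}

def login_guessing(log_text, window=60, threshold=3):
    """Return {(ip, user): summary} for clients that submitted >= threshold
    login attempts for one username to /login.php within `window` seconds."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == "/login.php" and ev["user"]:
            attempts[(ev["ip"], ev["user"])].append(ev)
    findings = {}
    for key, evs in attempts.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window]
            if len(burst) >= threshold:
                findings[key] = {"attempts": len(burst),
                                 "distinct_passwords": len({e["password"] for e in burst}),
                                 # a redirect after a run of 200s usually marks the hit
                                 "likely_success": any(e["status"] == 302 for e in burst)}
                break
    return findings

def credentials_in_log(log_text):
    """Count requests whose query string carried a password field: a GET login
    form writes every submitted credential into the web server's access log."""
    return sum(1 for line in log_text.splitlines()
               if (ev := parse_line(line)) and ev["password"] is not None)
```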
Now, finally, we have two users and passwords for both:
- gibson:digital
- stephenson:pizzadeliver

Logging in to the website using these credentials, we get flag2 at the link http://10.10.0.66/internal/customers.php?list=..%2Fdata%2Fcustomer.list

The second flag is: flag2{down_a_rabbithole}

This flag suggests that if we go down the rabbit hole, we may find more vulnerabilities.
- There is an LFI vulnerability, but I am not getting any information on how to exploit this further.
- In index.php, there is a developer comment that executes a shell using the function "shell_exec". This is not a valid attack vector, as we are unable to get any shell, but the comment should be removed.
- We also tried XSS payloads for that specific function, which are stored in customer.list and can be executed via the LFI, but we are not able to get a shell from there.

We can directly try sshing into the server using the "gibson" credentials. The password "digital" works here.

The next flag is: flag3{brilliantly_lit_boulevard}

Now, we can try privilege escalation attack vectors. First, we list all SUID bit binaries:

gibson@nbnserver:~$ find / -perm -u=s -type f 2>/dev/null

There are a lot. Second, we can simply run "sudo -l". This is interesting: we can run the tee command as root. https://gtfobins.github.io/gtfobins/tee/ tells us that we are able to write any file using tee, so we can create a new user, generate its SHA-512 password hash, and append this user to /etc/passwd with root privileges:

echo 'bob:$6$LryMjXsa/QdM/UQp$KjRMdfNwxRytCMzLSFeHsDAHacy3Z/1PNjQixpq7sYiU./jgHRO8dXq9cILlDGdJYSAB50WljrMQOW6/mDtTA.:0:0:root:/root:/bin/bash' | sudo tee -a /etc/passwd
cat /etc/passwd | tail

We created a bob user with password "spongebob" and gave it root privileges. We can log in as bob to get root.
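An added example, not code from the assessed application: the customers.php?list= handling behind the LFI above, rewritten in Python to show the traversal check that closes it. The directory layout is assumed (html/internal as the base the list parameter is resolved against, html/data/customer.list outside it); a PHP handler would apply the same realpath-and-prefix test.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed layout (assumed, not the real server): customers.php would read
# lists from html/internal, while html/data/customer.list sits outside it.
def build_demo_tree(root):
    base = os.path.join(root, "html", "internal")
    data = os.path.join(root, "html", "data")
    os.makedirs(base)
    os.makedirs(data)
    with open(os.path.join(base, "staff.list"), "w") as f:
        f.write("alice\nbob\n")
    with open(os.path.join(data, "customer.list"), "w") as f:
        f.write("customer records that must not be served\n")
    return base

def vulnerable_open(base, list_param):
    """Mirrors the flaw: the decoded parameter is joined onto the base path
    unchecked, so ../ segments walk out of html/internal."""
    with open(os.path.join(base, unquote(list_param))) as f:
        return f.read()

def safe_open(base, list_param):
    """Hardened handler: decode once, reject NUL bytes and any directory part,
    then resolve symlinks with realpath and require the result to stay under
    base (the second check guards against symlinks planted inside base)."""
    name = unquote(list_param)
    if "\x00" in name or os.path.basename(name) != name:
        raise PermissionError(f"rejected list parameter {list_param!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"{list_param!r} resolves outside {base_real}")
    with open(target) as f:
        return f.read()

def demo():
    """Exercise both handlers on the exact request seen in the finding."""
    base = build_demo_tree(tempfile.mkdtemp())
    traversal = "..%2Fdata%2Fcustomer.list"
    leaked = vulnerable_open(base, traversal)
    try:
        safe_open(base, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    return {"legit": safe_open(base, "staff.list"), "leaked": leaked, "blocked": blocked}
```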
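Added example (not from the report) covering two findings: the uid-0 account appended to /etc/passwd via sudo tee above, and the SUID-bit mitigation recommended for the pkexec finding later on. The /etc/passwd excerpt, the hash value and the temporary directory tree are constructed, so the audit can run offline on the same shapes a sysadmin would check on the real host.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt; the last entry has the shape produced by the
# "sudo tee -a /etc/passwd" step (uid 0, hash inline). The hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gibson:x:1000:1000:gibson:/home/gibson:/bin/bash
bob:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

def audit_passwd(text):
    """Return (user, reason) pairs for entries that should not exist: accounts
    other than root with uid 0, and hashes kept in /etc/passwd (field 2 should
    be x, * or !, with the real hash in /etc/shadow)."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw not in ("x", "*", "!"):
            findings.append((user, "password hash stored in /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "non-root account with uid 0"))
    return findings

def find_suid(root, allowlist=()):
    """Walk root and return regular files with the SUID bit that are not on
    the allowlist; the pkexec mitigation amounts to keeping this list short."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in allowlist:
                hits.append(path)
    return sorted(hits)

def demo_suid():
    """Build a temp tree with one SUID file (a stand-in, not the real pkexec)."""
    root = tempfile.mkdtemp()
    for name, mode in (("pkexec_copy", 0o4755), ("ordinary", 0o755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return [os.path.basename(p) for p in find_suid(root)]
```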
Commands used in the root shell to find the next flag:

root@nbnserver:/# locate flag
root@nbnserver:/# strings /var/www/html/data/flag4.jpg | grep "flag"

We find the next flag: flag4{youre_going_places}

Now we can direct our attention to the CLIENT.

In the home directory there is a file named "flag7", easily available, but we have to crack the encoding. We can use online tools for this; https://gchq.github.io/CyberChef/ was used in our case. The flag is a png file.

The new flag is: flag7{worlds_within_worlds}

Now, in the root shell, if we change directory into root's directory, we find a hidden directory "...", and if we cat all the files in this directory we get the same output "flag5{NOTAFLAGNOTAFLAGNOTAFLAGNOTA}". Decoding this, we get the next flag.

This flag is: flag5{weve_always_done_it_this_way}

This is a local file inclusion vulnerability that we found. You may follow the snippet below: the exploit is from the source https://github.com/joeammond/CVE-2021-4034/blob/main/CVE-2021-4034.py. Root will be the output on the nbnclient.

The new flag is: flag8{escape_the_metaverse}

Severity: CRITICAL

Mitigations: The sysadmin should remove the SUID permissions on this binary; once done, the exploit cannot run processes as root.

While we were checking the client's traffic using tcpdump, we found flag6 in the dump.

New flag found: flag6{listen}

A few more recommendations:
- The websites use HTTP rather than HTTPS with TLS encryption, and so are exposed to the weaknesses inherent in plain HTTP, among them man-in-the-middle attacks, session hijacking, and the absence of non-repudiation for session data. To counter this, NBN should use PKI and obtain a certificate for its website signed by a CA. This will encrypt the client-server session, thereby blocking the attack vectors that rely on unencrypted traffic.
- Anonymous FTP login is possible. Using nmap, we find that ftp is running on port 65535.
We can log in using the command:

ftp 172.16.1.1 65535

Severity: MEDIUM

Mitigations: Disable anonymous logins for the ftp service if you really need the service. If you do not need the service, simply disable it. You may also use SFTP or FTPS to provide encrypted sessions.

- Mitigations for both the flag4 and flag5 attack vectors: The sysadmin should enforce RBAC policies to ensure that users only have the privileges necessary for their roles.

Conclusion

In conclusion, the penetration testing endeavor aimed to achieve a comprehensive evaluation of the infrastructure, with the overarching goals of identifying vulnerabilities, assessing risks, and providing actionable insights to enhance the organization's security posture. The primary targets for assessment were the external-facing web servers, specifically the production server at 10.10.0.66 and the staging server at 10.10.0.66:8001. Our methodology, encompassing reconnaissance, exploitation, and privilege escalation, allowed for a thorough examination of the systems' resilience to potential external threats.

The results of the penetration test unearthed critical flaws, including open ports susceptible to exploitation, SQL injection vulnerabilities, and data exposure risks. The compromised credentials, flags, and sensitive data discovered during the assessment underscore the potential consequences of a security breach. Risk scoring was applied systematically, categorizing vulnerabilities into high, medium, and low risk levels based on the Common Vulnerability Scoring System (CVSS).

Immediate fixes and remediation actions are imperative to fortify the organization's security posture. Recommendations include patching and securing open ports, implementing robust input validation mechanisms to mitigate SQL injection vulnerabilities, and enhancing access controls to prevent unauthorized data exposure.
Additionally, the identification and removal of unnecessary services and the timely application of security patches are critical steps in mitigating potential risks.

In summary, the penetration testing results provide a detailed overview of the organization's current security landscape, emphasizing the importance of prompt remediation efforts. By addressing the identified vulnerabilities and implementing the recommended fixes, the organization can proactively enhance its cybersecurity resilience and mitigate the risk of potential security breaches.

Appendixes

Appendix A – Ports, Protocols, and Services

Port  Protocol  Service         Version
80    TCP       HTTP            Apache/2.4.29
443   TCP       SSH             OpenSSH/7.6p1
8001  TCP       HTTP (Staging)  Apache/2.4.29

Appendix B – Usernames and Passwords

Username    Password
gibson      digital
stephenson  pizzadeliver
bob         spongebob

Appendix C – Flags

Flag identifier  Flag
flag1            flag{CYBERFELLOWS_GOODLUCK}
flag2            flag2{down_a_rabbithole}
flag3            flag3{brilliantly_lit_boulevard}
flag4            flag4{youre_going_places}
flag5            flag5{weve_always_done_it_this_way}
flag6            flag6{listen}
flag7            flag7{worlds_within_worlds}
flag8            flag8{escape_the_metaverse}