
PENETRATION TEST TECHNICAL REPORT ON THE SERVER-SIDE VULNERABLE VMS ON THE 172.16.17.0/24 NETWORK

Objective: To follow the ethical hacking methodology; to exploit the discovered vulnerabilities (demonstrating at least two ways to break in); to gain root access on the case study machine; and to read the flag.file file in the root directory.

PENETRATION TESTER: ESTHER OREOLUWA OSINAIKE


TABLE OF CONTENTS
Technical Report
FOOTPRINTING AND RECONNAISSANCE
ENUMERATION
WEB VULNERABILITY SCANNING
VULNERABILITY EXPLOITATION
HACKING CREDENTIALS
RECOMMENDATION AND CONCLUSION
REFERENCES
Technical Report
Test Methodology
A step-by-step account of the procedures and outcomes of each test follows in the sections below.

Significant Test Outcomes


FOOTPRINTING AND RECONNAISSANCE
To scan the network, tools such as nmap were used. nmap -sn revealed about 6 hosts, but upon further digging with the nmap -sU command, 8 hosts were revealed.
Running nmap -A -T4 against all discovered hosts gave details about each identified host, but none of them revealed the case study machine.
Running nikto -h against the 172.16.17.96 host revealed it to be the case study machine, as shown in the picture below.

ENUMERATION
Further enumeration of the discovered host showed ports 21, 22 and 80 open, among other details such as OS detection, as displayed below.
WEB VULNERABILITY SCANNING
First vulnerability
I used Nessus to scan the case study machine for vulnerabilities and found that the highest-rated vulnerability was in the version of the FTP service running on the host.

Second vulnerability
Also, after the nikto results showed that port 80 served a hidden directory and I navigated to that directory, the site was identified as a WordPress installation. This led me to run wpscan against the site to find out the version that was running and the users of the website.
Third vulnerability
Further research on this machine's web page, after discovering that the machine ran PHP, showed a few themes on the site that looked like another way to break into the system, using the payload found at this link: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

VULNERABILITY EXPLOITATION
Exploiting the first vulnerability
Metasploit was the tool used to exploit the vulnerability found in the ProFTPD version used by the FTP service on the identified host.
In the image above, the user shown is root@casestudy, and the content of the flag.file found is displayed below.

Exploiting the second vulnerability

wpscan was also used, as a form of online attack, to brute-force the passwords of two users, rvillaver and admin, exposing their passwords as cisco and awesome respectively.
Searching for a Metasploit module for WordPress led me to the exploit I found on an infosec website: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/wp_admin_shell_upload

Using this exploit, I set the LHOST, RHOST and TARGETURI values, which gave me a Meterpreter reverse-shell connection to the 172.16.17.96 host.

In this state, I downloaded the /etc/passwd and /etc/shadow files to be cracked offline later with John the Ripper.

Then, typing the shell command to reach the machine's command line, I was able to confirm the active user, which was displayed as www-data.
Because root access was needed, further research was done, and a CVE-2021-4034-rust vulnerability used for privilege escalation was found on WordPress websites. This package was also found in the tmp folder for this user, and I installed it. Installation gave me root access to the machine.

After gaining root access and running the Python module to get an interactive shell, the flag.file can be found in the root directory.
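The online password guessing described above leaves a recognisable trace in the web server's access log: many POST requests to wp-login.php from one source, each answered with 200 (WordPress re-renders the login form on failure) and, if a guess lands, a 302 to wp-admin. The following detection logic is an added example, not part of the original report; the log lines, addresses and the /blog/ path are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_ENDPOINTS = ("wp-login.php", "xmlrpc.php")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def detect_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag sources that POSTed to the WordPress login endpoints at least
    `threshold` times inside `window` and got a 200 back (WordPress answers a
    failed login with 200 and a successful one with a 302 to wp-admin).
    `succeeded` records whether a 302 appeared in the same window."""
    attempts = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith(LOGIN_ENDPOINTS):
            attempts[e["src"]].append((e["ts"], e["status"]))
    alerts = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            statuses = [s for t, s in events[i:] if t - t0 <= window]
            failures = statuses.count(200)
            if failures >= threshold:
                alerts[src] = {"failures": failures, "succeeded": 302 in statuses}
                break
    return alerts

def _entry(src, sec, status, ua, path="/blog/wp-login.php"):
    return (f'{src} - - [10/Mar/2024:12:00:{sec:02d} +0000] "POST {path} HTTP/1.1" '
            f'{status} 3512 "-" "{ua}"')

# Constructed sample log: 12 failed guesses then one success from one placeholder
# address, and a single normal login from another.
SAMPLE_LOG = [_entry("10.0.0.5", i, 200, "WPScan v3.8") for i in range(12)]
SAMPLE_LOG += [_entry("10.0.0.5", 12, 302, "WPScan v3.8"),
               _entry("10.0.0.9", 30, 302, "Mozilla/5.0")]
```

Running detect_login_bruteforce(SAMPLE_LOG) flags 10.0.0.5 with 12 failures and a success in the same window, which is the pattern worth alerting on.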

Exploiting the third vulnerability

I then edited the 404.php file (one of the pages that already contained the payload) to include my IP address and the listening port.
After updating the file, I force-browsed the link found by DirBuster.
This led to a reverse shell on the listener I had already set up in Metasploit.
HACKING CREDENTIALS
The John the Ripper tool was used to crack the credentials of the users crackerdude, uwcracker and greatwhite found in the /etc/shadow and /etc/passwd files; the result can be seen below.

RECOMMENDATION AND CONCLUSION

Based on my findings, these are the recommendations to mitigate the issues found.
An upgrade of the server version, or a complete reinstallation of the server from reputable sources, will resolve the FTP vulnerability found. For the WordPress vulnerabilities found, policies such as a password policy (10 character minimum including lowercase, uppercase, digits and special characters) and multi-factor authentication should be enforced. Also, unauthorized PHP files that contain payloads should be prevented from executing, to prevent backdoor access to the server. Automatic updates should always be carried out.
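The WordPress recommendations above can be checked mechanically. The script below is an added example, not part of the original report: it enforces the stated password rule, verifies that wp-config.php disables theme/plugin editing and uploads (the WordPress constants DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, which block the 404.php edit and the admin shell upload used in this test), flags PHP files under wp-content/uploads, and looks in theme files for the calls the pentestmonkey reverse shell relies on. The sample install it builds is constructed and deliberately weak.

```python
import re
import tempfile
from pathlib import Path

def password_meets_policy(pw):
    """The report's rule: 10+ characters with lower, upper, digit and special."""
    return bool(len(pw) >= 10 and re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
                and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))

# Calls the pentestmonkey php-reverse-shell and similar web shells depend on.
SHELL_INDICATORS = ("fsockopen(", "proc_open(", "shell_exec(", "base64_decode(")

def _php_files(d, pattern="*.php"):
    return list(d.rglob(pattern)) if d.is_dir() else []

def audit_wordpress(root):
    """Findings for a WordPress tree: file editing/upload not disabled in
    wp-config.php, executable PHP under uploads, shell code in theme files."""
    root = Path(root)
    cfg_path = root / "wp-config.php"
    cfg = cfg_path.read_text(errors="ignore") if cfg_path.is_file() else ""
    findings = []
    for const in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        if not re.search(rf"define\(\s*['\"]{const}['\"]\s*,\s*true\s*\)", cfg):
            findings.append(f"wp-config.php: {const} is not set to true")
    for p in _php_files(root / "wp-content" / "uploads", "*.php*"):
        findings.append(f"executable PHP under uploads: {p.relative_to(root)}")
    for p in _php_files(root / "wp-content" / "themes"):
        hits = [s for s in SHELL_INDICATORS if s in p.read_text(errors="ignore")]
        if hits:
            findings.append(f"shell indicators in {p.relative_to(root)}: {', '.join(hits)}")
    return findings

def build_sample_tree():
    """Constructed, deliberately weak install used only to demonstrate the audit."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "cmd.php").write_text("<?php echo 'placeholder'; ?>\n")
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "404.php").write_text("<?php $s = fsockopen($ip, $port); $p = proc_open($sh, $d, $pp);\n")
    (theme / "index.php").write_text("<?php get_header(); get_footer();\n")
    return root

if __name__ == "__main__":
    for finding in audit_wordpress(build_sample_tree()):
        print(finding)
```

Against the sample tree the audit reports the two missing constants, the PHP file in uploads and the modified 404.php, while the clean index.php passes; the passwords recovered in this test (cisco, awesome) fail the policy check.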
References
WordPress Admin Shell Upload (Metasploit): https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/wp_admin_shell_upload
pentestmonkey php-reverse-shell: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Google: www.google.com
ProFTPD security bulletin: https://www.cybersecurity-help.cz/vdb/SB2019072303
ProFTPD vulnerability can expose servers to attacks (SecurityWeek): https://www.securityweek.com/proftpd-vulnerability-can-expose-servers-attacks
