P.O.O Enterprise
Attn. Mohan Hacky's Ptest Company
CONFIDENTIAL
Table of Contents
1 Document Control
1.1 Team
1.2 List of Changes
3 Methodology
3.1 Objective
3.2 Scope
4 Findings
H1: Escalating privileges in MSSQL server to execute commands with xp_cmdshell
H2: Kerberoasting to Domain Admin
M1: Microsoft IIS shortname vulnerability
M2: Plaintext Storage of a Password
L1: Basic Authentication Without HTTPS
5 Disclaimer
A Appendix
A.1 Static Appendix Section
A.2 Vulnerability Assessment and Exploitation Analysis
Pentester
Executive Summary
This report provides an overview of the findings from a comprehensive penetration testing exercise
conducted on the network infrastructure of the organization. The assessment aimed to identify
vulnerabilities and assess the security posture of the systems, with a focus on potential risks and
exploitation scenarios.
The assessment revealed several critical vulnerabilities across the network, including but not limited
to:
• Escalating Privileges in MSSQL Server: Exploiting vulnerabilities within the MSSQL Server
environment allows attackers to escalate privileges and execute commands, potentially leading to
further compromise or data exfiltration.
• Microsoft IIS Shortname Vulnerability: Affecting the web server, this vulnerability could
potentially allow attackers to disclose file shortnames, gaining unauthorized access to sensitive
files or directories.
• Kerberoasting to Domain Admin: Within the Active Directory environment, the vulnerability to
Kerberoasting poses a significant risk. Successful exploitation could lead to the compromise of
service accounts and the escalation of privileges to domain admin level.
• Basic Authentication Without HTTPS: The usage of basic authentication without HTTPS
encryption exposes credentials to interception by attackers, posing a risk of unauthorized access to
sensitive accounts or systems.
Additionally, the assessment identified plaintext passwords transmitted over the network, further
highlighting the need for improved security measures to prevent unauthorized access and
interception.
To mitigate these vulnerabilities and enhance the overall security posture, we recommend the
following measures:
1. Patch Management: Regularly update and patch all systems and applications to address known
vulnerabilities and security flaws.
2. Encryption and Secure Protocols: Implement HTTPS encryption for web applications and services
to protect sensitive information transmitted over the network. Additionally, enforce strong
authentication mechanisms to prevent unauthorized access.
3. Access Control and Monitoring: Implement robust access control measures and monitor network
traffic for suspicious activities. Implementing intrusion detection systems and log monitoring can
help detect and respond to security incidents in a timely manner.
4. Privilege Management: Review and restrict user privileges to minimize the impact of potential
security breaches. Implement the principle of least privilege to limit access to only necessary
resources and functionalities.
In conclusion, addressing the identified vulnerabilities and implementing proactive security measures
are essential steps towards enhancing the organization's overall security posture and mitigating the
risks of cyber threats and attacks. Regular security assessments and proactive risk management
practices are crucial in maintaining a strong defense against evolving cybersecurity threats.
Vulnerability Overview
In the course of this penetration test, 2 High, 2 Medium and 1 Low severity vulnerabilities were identified.
3 Methodology
3.1 Objective
The objective of this penetration test is to comprehensively assess the security posture of the target
network infrastructure and identify potential vulnerabilities that could be exploited by malicious
actors. Through a systematic evaluation, the aim is to:
1. Identify entry points into the network and potential weaknesses in the perimeter defenses.
2. Assess the effectiveness of existing security controls in place, including firewalls, intrusion
detection systems, and access controls.
3. Discover and prioritize vulnerabilities present in the network, applications, and services,
considering their severity and potential impact on the organization.
4. Validate the exploitability of identified vulnerabilities through targeted exploitation attempts.
5. Evaluate the organization's response and detection capabilities to simulated attacks, including
incident response procedures and logging mechanisms.
6. Provide actionable recommendations for remediation and improving the overall security posture,
with a focus on mitigating identified risks and strengthening defenses against future attacks.
3.2 Scope
Entry Point: 10.13.38.11
The goal is to compromise the perimeter host, escalate privileges, and ultimately compromise the
domain. You are allowed to use/run any tools of your choice.
You are not allowed to delete any files or carry out any form of Denial of Service (DoS) attack.
4 Findings
H1: Escalating privileges in MSSQL server to execute commands with xp_cmdshell
Target: 10.13.38.11
References: -
Overview
Our pentester abused the linked server functionality to add themselves to the sysadmin server role. From
there they abused xp_cmdshell to execute operating-system commands from the MSSQL server.
Details
We logged in to the POO_PUBLIC instance with the external_user credentials and then executed the following
commands to obtain remote code execution (RCE):
Recommendation
Use a proper monitoring/logging system to detect the creation of any new account.
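The escalation chain described in this finding (linked server, then the sysadmin role, then xp_cmdshell) leaves a recognisable trail in SQL Server audit data. The Python below is an added example, not part of the original report or of the client's tooling: it classifies T-SQL statements from a few constructed audit records (the record layout, the principal app_reader and the linked server name LINKEDSRV are assumptions) and reports principals whose activity shows a server role change followed by xp_cmdshell use.

```python
import re

# Constructed audit records: "<timestamp> <server principal> <statement>".
# The layout and the linked server name LINKEDSRV are assumptions for this example.
SAMPLE_AUDIT = [
    "2024-01-01T10:00:01Z external_user SELECT name FROM sys.servers",
    "2024-01-01T10:00:05Z external_user EXEC ('EXEC sp_addsrvrolemember ''external_user'', ''sysadmin''') AT [LINKEDSRV]",
    "2024-01-01T10:00:09Z external_user EXEC sp_configure 'show advanced options', 1; RECONFIGURE",
    "2024-01-01T10:00:10Z external_user EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "2024-01-01T10:00:12Z external_user EXEC master..xp_cmdshell 'whoami'",
    "2024-01-01T10:05:00Z app_reader SELECT TOP 10 * FROM dbo.Orders",
]

RECORD_RE = re.compile(r"^(?P<time>\S+) (?P<principal>\S+) (?P<statement>.+)$")

# Rules run against a normalised statement (brackets removed, whitespace
# collapsed, upper-cased), so "EXEC [master]..[xp_cmdshell]" and
# "exec master..xp_cmdshell" are treated alike.
RULES = [
    ("SERVER_ROLE_CHANGE",
     re.compile(r"\bSP_ADDSRVROLEMEMBER\b|\bALTER SERVER ROLE\b.*\bADD MEMBER\b")),
    ("LOGIN_CREATED", re.compile(r"\bCREATE LOGIN\b|\bSP_ADDLOGIN\b")),
    # sp_configure 'xp_cmdshell', 1 is a configuration change, not a command run
    ("XP_CMDSHELL_ENABLED", re.compile(r"\bSP_CONFIGURE\b.*\bXP_CMDSHELL\b")),
    # xp_cmdshell followed by an argument (variable, string or N'string') is execution
    ("XP_CMDSHELL_EXEC", re.compile(r"\bXP_CMDSHELL\s+(?:@|N?')")),
    # statements pushed to another instance through a linked server
    ("LINKED_SERVER_EXEC", re.compile(r"\bOPENQUERY\s*\(|\)\s*AT\s+\S+")),
    ("IMPERSONATION", re.compile(r"\bEXECUTE AS LOGIN\b")),
]


def normalise(statement):
    """Strip identifier brackets, collapse whitespace and upper-case the statement."""
    stripped = statement.replace("[", "").replace("]", "")
    return re.sub(r"\s+", " ", stripped).strip().upper()


def classify(statement):
    """Return the list of rule tags (in RULES order) that match one statement."""
    norm = normalise(statement)
    return [tag for tag, rx in RULES if rx.search(norm)]


def scan(records):
    """Return (time, principal, tags, statement) for every record that matches a rule."""
    alerts = []
    for line in records:
        m = RECORD_RE.match(line)
        if not m:
            continue  # malformed record; a real pipeline would count these
        tags = classify(m["statement"])
        if tags:
            alerts.append((m["time"], m["principal"], tags, m["statement"]))
    return alerts


def escalation_chains(alerts):
    """Principals whose alerts contain both a server role change and xp_cmdshell use."""
    by_principal = {}
    for _, principal, tags, _ in alerts:
        by_principal.setdefault(principal, set()).update(tags)
    return sorted(p for p, tags in by_principal.items()
                  if "SERVER_ROLE_CHANGE" in tags and "XP_CMDSHELL_EXEC" in tags)


if __name__ == "__main__":
    for time, principal, tags, statement in scan(SAMPLE_AUDIT):
        print(time, principal, ",".join(tags), "|", statement)
    print("escalation chains:", escalation_chains(scan(SAMPLE_AUDIT)))
```

Feed it the statement field of a SQL Server Audit or Extended Events session. Enabling xp_cmdshell is itself the high-value event to alert on, and linked servers with RPC out enabled towards a more privileged instance deserve a periodic review independent of any alerting.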
H2: Kerberoasting to Domain Admin
Target: 10.13.38.11
References: https://www.tenable.com/plugins/nessus/150480
Overview
A privileged account is vulnerable to the Kerberoasting attack.
With Kerberoast, attackers exploit the internals of the Kerberos authentication protocol and generally
target privileged domain user accounts. The goal of this attack is to discover the cleartext password of
a privileged account, and thereby gain the associated rights. This attack can be performed from inside
an Active Directory environment. All an attacker needs is a simple, unprivileged user account.
Details
We used Rubeus to Kerberoast the p00_adm user.
From there we abused the "GenericAll" permission of the "P00 Help Desk" group to obtain domain admin (note:
p00_adm was a member of the help desk group).
Steps:
Recommendation
In order to make sure that privileged accounts are not affected by the Kerberoast attack, different
measures can be taken:
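As an added detection example that complements the recommendations above (it is not from the original report), the Python below examines constructed Security-log event 4769 records. It lists RC4-encrypted service tickets issued for user accounts with SPNs, the classic Kerberoast artefact, and flags any account that requests tickets for several distinct service accounts within a short window, which also catches requests made with AES. Field names follow the event's XML data; the account and service names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 (Kerberos service ticket requested) records.
# Field names follow the event's XML data; names and times are made up.
SAMPLE_4769 = [
    {"time": "2024-01-01T09:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-01-01T09:01:10", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:30:00", "TargetUserName": "lowpriv@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:30:01", "TargetUserName": "lowpriv@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:30:01", "TargetUserName": "lowpriv@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:30:02", "TargetUserName": "lowpriv@CORP.LOCAL",
     "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:31:00", "TargetUserName": "lowpriv@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-01-01T09:32:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x1F"},
]

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def is_user_service(name):
    """True for service accounts that are real users (machine accounts and
    krbtgt are not what a Kerberoaster is after)."""
    n = name.lower()
    return not n.endswith("$") and not n.startswith("krbtgt")


def rc4_service_tickets(events):
    """Successful TGS requests for user service accounts that were issued with RC4."""
    return [(e["time"], e["TargetUserName"], e["ServiceName"])
            for e in events
            if e["Status"] == "0x0"
            and e["TicketEncryptionType"].lower() in RC4_TYPES
            and is_user_service(e["ServiceName"])]


def kerberoast_bursts(events, min_services=3, window=timedelta(minutes=5)):
    """Accounts that requested tickets for at least min_services distinct user
    service accounts inside one sliding window, mapped to those services."""
    per_user = defaultdict(list)
    for e in events:
        if e["Status"] == "0x0" and is_user_service(e["ServiceName"]):
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"]))
    bursts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= min_services:
                bursts.setdefault(user, set()).update(services)
    return bursts


if __name__ == "__main__":
    for t, user, svc in rc4_service_tickets(SAMPLE_4769):
        print("RC4 ticket", t, user, "->", svc)
    for user, services in kerberoast_bursts(SAMPLE_4769).items():
        print("burst", user, sorted(services))
```

Tune min_services and window to the environment: a user opening a few applications at logon will legitimately request several tickets, but rarely for many distinct user-backed SPNs within seconds. Event 4769 must be enabled through the "Audit Kerberos Service Ticket Operations" subcategory on the domain controllers for this data to exist.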
M1: Microsoft IIS shortname vulnerability
Target: http://10.13.38.11/
References: https://www.tenable.com/plugins/was/112442
Overview
Microsoft Internet Information Server (IIS) suffers from a vulnerability which allows the detection of the
short names of files and directories which have an equivalent in the 8.3 version of the file naming
scheme.
Details
By crafting specific requests containing the tilde ('~') character, an attacker could leverage this
vulnerability to find files or directories that are normally not visible and gain access to sensitive
information. Given the underlying filesystem calls generated by the remote server, the attacker could
also attempt a denial of service on the target application.
Our pentester used the Metasploit module to list the short names of files on the IIS server.
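To make the disclosed information concrete, here is an added Python example (not from the original report) that models how NTFS derives the 8.3 alias from a long file name. It is a simplified model: the alias uses ~1 unless a collision is tracked within one directory, and the hash-based form Windows uses after the fourth collision is not implemented.

```python
import re

# Characters permitted in an 8.3 name; anything else becomes '_'.
ALLOWED = r"A-Z0-9!#$%&'()\-@^_`{}~"
INVALID_8DOT3 = re.compile(r"[^" + ALLOWED + "]")
SHORT_NAME_RE = re.compile(r"^[" + ALLOWED + r"]{1,8}(\.[" + ALLOWED + r"]{1,3})?$")


def is_valid_8dot3(name):
    """True if the name already fits the 8.3 scheme (no separate alias is created)."""
    return bool(SHORT_NAME_RE.match(name.upper()))


def short_name(long_name, collision_index=1):
    """Simplified NTFS 8.3 alias: upper-case, drop spaces and inner dots,
    replace disallowed characters, keep 6 base characters plus ~N and a
    3-character extension.  Assumption: collision handling beyond ~N is not modelled."""
    upper = long_name.upper()
    if is_valid_8dot3(upper):
        return upper
    base, dot, ext = upper.rpartition(".")
    if not dot:            # no extension at all
        base, ext = upper, ""
    if not base:           # leading-dot names such as .htaccess have no extension
        base, ext = ext, ""
    base = INVALID_8DOT3.sub("_", base.replace(" ", "").replace(".", ""))
    ext = INVALID_8DOT3.sub("_", ext.replace(" ", ""))[:3]
    alias = f"{base[:6]}~{collision_index}"
    return f"{alias}.{ext}" if ext else alias


def directory_aliases(names):
    """Map each long name in one directory to its alias, bumping ~N when two
    long names collapse onto the same alias."""
    taken, out = set(), {}
    for name in names:
        n = 1
        alias = short_name(name, n)
        while alias in taken and alias != name.upper():
            n += 1
            alias = short_name(name, n)
        taken.add(alias)
        out[name] = alias
    return out


if __name__ == "__main__":
    for name, alias in directory_aliases(
            ["web.config", "Default Page.aspx", "readme.txt", "aspnet_client",
             "backup.2023.zip", ".htaccess", "index.html", "index.htmx"]).items():
        print(f"{name:20} -> {alias}")
```

A name such as web.config collapses to WEB~1.CON, so confirming that alias already discloses most of the real name. On the defender side, 8.3 name creation can be disabled per volume (fsutil behavior set disable8dot3 1, followed by fsutil 8dot3name strip to remove existing aliases once applications have been tested), and an IIS request filtering rule can reject URLs containing the tilde sequence so the probing requests never reach the filesystem.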
M2: Plaintext Storage of a Password
Target: 10.13.38.11
References: https://cwe.mitre.org/data/definitions/256.html
Overview
Storing a password in plaintext may result in a system compromise.
Details
We found 2 different plaintext passwords for two different accounts.
The first plaintext password was found on the Microsoft IIS server, and it was publicly accessible.
The second password was found in "C:\inetpub\wwwroot\web.config"; however, this one required
authentication and a privileged MSSQL account.
Recommendation
1. Use a password manager to store your passwords securely.
2. Avoid storing passwords in easily accessible locations.
3. Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
L1: Basic Authentication Without HTTPS
Target: http://10.13.38.11/
References: https://www.tenable.com/plugins/was/98615
Overview
The remote web server contains web pages that are protected by 'Basic' authentication over cleartext.
Details
An attacker eavesdropping on the traffic might obtain the logins and passwords of valid users.
Recommendation
Make sure that HTTP authentication is transmitted over HTTPS.
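The last two findings, plaintext passwords in web.config (M2) and Basic authentication without TLS (L1), can both be checked from a site's web.config. The Python below is an added example, not part of the original report: it audits two constructed web.config documents (connection-string, key and cipher values are placeholders) and flags unencrypted connection-string passwords, secret-looking appSettings entries, and basicAuthentication enabled while sslFlags does not require SSL. Sections already protected with aspnet_regiis -pe (marked by configProtectionProvider) are skipped.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, deliberately weak web.config (all values are placeholders).
WEAK_WEB_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=.\SQLEXPRESS;Database=app;User Id=app_user;Password=PlaceholderPass1"/>
  </connectionStrings>
  <appSettings>
    <add key="ApiPassword" value="placeholder-secret"/>
    <add key="Theme" value="dark"/>
  </appSettings>
  <system.webServer>
    <security>
      <authentication>
        <basicAuthentication enabled="true"/>
        <anonymousAuthentication enabled="false"/>
      </authentication>
      <access sslFlags="None"/>
    </security>
  </system.webServer>
</configuration>"""

# Constructed hardened form: connection strings encrypted with aspnet_regiis -pe,
# no secrets in appSettings, Basic authentication only accepted over TLS.
HARDENED_WEB_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="Theme" value="dark"/>
  </appSettings>
  <system.webServer>
    <security>
      <authentication>
        <basicAuthentication enabled="true"/>
        <anonymousAuthentication enabled="false"/>
      </authentication>
      <access sslFlags="Ssl"/>
    </security>
  </system.webServer>
</configuration>"""

PASSWORD_IN_CONNSTR = re.compile(r"\b(?:password|pwd)\s*=\s*[^;]+", re.I)
SECRET_KEY = re.compile(r"password|passwd|pwd|secret|apikey|api_key|token", re.I)


def _descend(elem, *tags):
    """Follow a chain of child tags, returning None as soon as one is missing."""
    for tag in tags:
        if elem is None:
            return None
        elem = elem.find(tag)
    return elem


def audit_web_config(xml_text):
    """Return (finding, detail) tuples for the weaknesses this example checks."""
    root = ET.fromstring(xml_text)
    findings = []

    conn = root.find("connectionStrings")
    if conn is not None and conn.get("configProtectionProvider") is None:
        for add in conn.findall("add"):
            if PASSWORD_IN_CONNSTR.search(add.get("connectionString", "")):
                findings.append(("PLAINTEXT_CONNECTION_PASSWORD", add.get("name", "?")))

    app = root.find("appSettings")
    if app is not None and app.get("configProtectionProvider") is None:
        for add in app.findall("add"):
            if SECRET_KEY.search(add.get("key", "")) and add.get("value", ""):
                findings.append(("PLAINTEXT_APPSETTING_SECRET", add.get("key")))

    basic = _descend(root, "system.webServer", "security", "authentication", "basicAuthentication")
    access = _descend(root, "system.webServer", "security", "access")
    ssl_flags = access.get("sslFlags", "None") if access is not None else "None"
    if (basic is not None and basic.get("enabled", "false").lower() == "true"
            and not re.search(r"\bssl", ssl_flags, re.I)):
        findings.append(("BASIC_AUTH_WITHOUT_SSL", ssl_flags))
    return findings


if __name__ == "__main__":
    print("weak:", audit_web_config(WEAK_WEB_CONFIG))
    print("hardened:", audit_web_config(HARDENED_WEB_CONFIG))
```

The check is per file: inherited settings from applicationHost.config and an HTTP-to-HTTPS redirect configured elsewhere are not visible to it, so a clean result here should be confirmed by requesting a protected page over plain HTTP and verifying that no WWW-Authenticate: Basic challenge is returned.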