
Final Penetration Test Report

Contents

1. Executive Summary
2. Introduction
3. Scope
4. Methodology
5. Findings
6. Recommendations
7. Conclusion
References
8. Appendices
   Internal Network Findings
1. Executive Summary

Following a thorough scan of the web application, the penetration testing team identified
several significant vulnerabilities within the security framework of the local business under
assessment. These vulnerabilities pose a considerable risk, leaving the application exposed to
potential threats and malicious activities.

The assessment revealed a number of critical issues, including outdated software versions,
susceptibility to SQL injection attacks, cross-site scripting (XSS) vulnerabilities, weak password
policies, and potential directory traversal vulnerabilities. These findings underscore the urgent need
for proactive security measures to safeguard the integrity and confidentiality of the application.

Accordingly, Postvoid has recommended the following actions to address the identified
vulnerabilities:

1. Upgrade Software Versions: Implement timely updates and patches to ensure that the software is
running on the latest versions, thereby addressing known security vulnerabilities and enhancing
overall system resilience.

2. Implement Input Validation Mechanisms: Deploy robust input validation mechanisms to prevent
SQL injection and other forms of injection attacks, thereby fortifying the application against
unauthorized access and data manipulation.

3. Strengthen Password Policies: Enforce stringent password policies, including requirements for
complex passwords, regular password changes, and multi-factor authentication, to bolster the
security of user accounts and prevent unauthorized access.

4. Establish Threat Detection Systems: Implement robust threat detection systems and response
mechanisms to promptly identify and mitigate security incidents, minimizing the impact of potential
breaches and unauthorized access attempts.

In addition to these immediate remediation efforts, it is imperative for the organization to adopt an
ongoing surveillance approach to monitor the security posture of the application continuously. A
proactive stance towards identifying and addressing emerging security threats is essential to mitigate
the ever-evolving landscape of cybersecurity risks effectively.
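As an added illustration (example code, not from the original report or from Postvoid), the following Python snippet contrasts a lookup that concatenates user input into SQL, the pattern behind the SQL injection finding in this summary, with the parameterised form that recommendation 2 calls for. The users table, its rows and the test inputs are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the rows are sample data, not from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so a quote character
    # in the input changes the structure of the statement itself.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the input is bound as a parameter. The driver hands it to the
    # engine as a value, so it can never become part of the statement's syntax.
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


def compare(username: str) -> dict:
    """Run both lookups on the same input and report what each returns."""
    conn = make_db()
    try:
        vulnerable = sorted(find_user_vulnerable(conn, username))
    except sqlite3.OperationalError:
        vulnerable = "syntax error"  # the input broke the statement
    return {"vulnerable": vulnerable,
            "hardened": sorted(find_user_hardened(conn, username))}


if __name__ == "__main__":
    print(compare("alice"))          # both lookups return ['alice']
    print(compare("o'brien"))        # concatenation fails on a legitimate apostrophe
    print(compare("x' OR '1'='1"))   # concatenation returns every user; binding returns none
```

The third input is the kind of probe a scanner such as SQLmap submits; the hardened lookup treats it as a literal username that matches nothing, which is the behaviour an input-validation review should confirm.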
2. Introduction
This report outlines the findings and recommendations stemming from a vulnerability assessment
conducted on behalf of a small business located in the nearby area. The primary objective of the
assessment was to identify potential design flaws and lax configurations within the application that
could pose security risks. It's important to note that the assessment was conducted with the
intention of identifying vulnerabilities to enhance the application's security posture, rather than to
exploit or attack the application itself.

The assessment was performed within the website's network environment, utilizing ports 80 and 443
for communication. It's worth highlighting that the Rules of Engagement (ROE) were established,
agreed upon, and adhered to throughout the testing process, ensuring transparency and alignment
with the organization's objectives.
3. Scope

The exploitation efforts were limited to website connections that used ports 80 and 443
exclusively. Under the Rules of Engagement (ROE), SQLmap inspections were to be conducted only on
PCs and laptops, while at the network level any Tactics, Techniques, and Procedures (TTPs) were
permissible except the use of SQLmap. Physical attacks on the target's Virtual Hard Disk, as well as
attempts to gain access through the GRUB loader or directly on the provided coursework VM, were
explicitly excluded from the scope of the engagement.

4. Methodology

The methodology employed in the penetration test encompassed the following key steps:

Fingerprinting and Vulnerability Scanning:

Utilized tools such as Nmap and WhatWeb to scan open ports on the system, aiming to discover the
technology stack's components and version information of the web application.

Conducted comprehensive vulnerability scanning using OpenVAS and Nikto, ensuring a thorough
assessment of potential vulnerabilities.

Exploit Attempt:

Implemented a systematic approach to exploit discovery, striving to identify and exploit any
vulnerabilities discovered during the scanning phase.

Leveraged both pre-existing vulnerabilities and custom scripts to simulate realistic cyberattack
scenarios, enabling a robust evaluation of the application's security posture.

Reporting and Recommendations:

Documented all findings, including identified vulnerabilities, their associated risk levels, and
proposed mitigation strategies.

Recommendations for remediation efforts were formulated based on industry best practices and
aligned with the MITRE ATT&CK framework, ensuring comprehensive and actionable guidance for
enhancing the application's security defences.
5. Findings
5.1 Vulnerability Summary:

Host: not recorded in the extracted table

Port      Service      Version
1671/tcp  rmiregistry  Java RMI
3000/tcp  http         WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))
4848/tcp  ssl/http     Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
5985/tcp  -            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8020/tcp  http         Apache httpd
8022/tcp  http         Apache Tomcat/Coyote JSP engine 1.1
8027/tcp  unknown      unknown
8080/tcp  http         Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8282/tcp  http         Apache Tomcat/Coyote JSP engine 1.1
8383/tcp  http         Apache httpd
8484/tcp  http         Jetty winstone-2.8
8585/tcp  http         Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  http         Elasticsearch REST API 1.1.1 (name: Spymaster; Lucene 4.7)

Host: 172.16.2.3

Port      Service      Version
21/tcp    ftp          vsftpd 2.3.4
22/tcp    ssh          OpenSSH 4.7p1 Debian
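The service inventory above is the kind of output Nmap version detection produces. As an added example, not part of the original report, the following Python script parses the port lines of Nmap's normal output into records, lists open ports that returned no banner (they need manual follow-up), and flags components whose detected version is below a minimum-supported baseline, which is the check behind the "outdated software versions" finding. The scan lines are constructed from the table above, and the BASELINE minimums are illustrative assumptions rather than vendor lifecycle data.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap "normal" output format. The banners mirror the
# service table in this report; no host line is included because the extracted
# table does not record the host for most rows.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
3000/tcp open  http        WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))
4848/tcp open  ssl/http    Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8027/tcp open  unknown
8585/tcp open  http        Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp open  http        Elasticsearch REST API 1.1.1 (name: Spymaster; Lucene 4.7)
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian
"""

# Assumed minimum supported (major, minor) per product, with the regex that
# pulls the version out of the banner. These minimums are illustrative; a real
# baseline would be maintained from vendor support lifecycles.
BASELINE = {
    "PHP": ((8, 1), re.compile(r"PHP/(\d+)\.(\d+)")),
    "Apache httpd": ((2, 4), re.compile(r"Apache httpd (\d+)\.(\d+)")),
    "Ruby": ((3, 0), re.compile(r"Ruby (\d+)\.(\d+)")),
    "OpenSSH": ((8, 0), re.compile(r"OpenSSH (\d+)\.(\d+)")),
    "Elasticsearch": ((7, 0), re.compile(r"Elasticsearch REST API (\d+)\.(\d+)")),
}

# port/proto  state  service  [version banner]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # raw banner; empty when Nmap could not fingerprint the service


def parse_nmap_normal(text: str) -> list:
    """Turn the port lines of Nmap normal output into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # the PORT/STATE header and any other non-port lines
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def unfingerprinted(services: list) -> list:
    """Open ports with no version banner: candidates for manual inspection."""
    return [s.port for s in services if s.state == "open" and not s.version]


def outdated_components(services: list) -> list:
    """(port, product, detected major.minor, required major.minor) for every
    component whose detected version is below the baseline minimum."""
    findings = []
    for svc in services:
        for product, (minimum, pattern) in BASELINE.items():
            m = pattern.search(svc.version)
            if not m:
                continue
            found = (int(m.group(1)), int(m.group(2)))
            if found < minimum:
                findings.append((svc.port, product,
                                 f"{found[0]}.{found[1]}",
                                 f"{minimum[0]}.{minimum[1]}"))
    return findings


if __name__ == "__main__":
    svcs = parse_nmap_normal(SAMPLE_SCAN)
    for port in unfingerprinted(svcs):
        print(f"port {port}: no version banner, inspect manually")
    for port, product, found, required in outdated_components(svcs):
        print(f"port {port}: {product} {found} is below baseline {required}")
```

A banner can carry several products at once (port 8585 reports both Apache httpd and PHP), so the check is applied per product rather than per port; that is why one port can produce two findings.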

5.2 Attack Flow Diagram:

6. Recommendations
7. Conclusion

The penetration test represents a crucial step towards gaining deeper insights into the current
security posture of the SME's web application. By identifying and addressing the identified
weaknesses, the recommended remedies will play a vital role in strengthening the application's
security stance and reducing associated risks. Regular security checks, timely application of patches,
and active threat intelligence are indispensable elements for maintaining a robust security posture.
These proactive measures help identify and mitigate threats, whether they are overt or persistent,
thereby safeguarding the integrity and confidentiality of the application's data and infrastructure.
References
1. Barrett, D. (2019). Penetration Testing Basics: A Quick-Start Guide to Breaking into Systems.
O'Reilly Media.

2. Beale, J. (2020). Mastering Kali Linux for Advanced Penetration Testing: Secure Your Network
with Kali Linux 2020.1 – The Ultimate White Hat Hacker's Toolkit. Packt Publishing.

3. MITRE Corporation. (n.d.). MITRE ATT&CK®. Retrieved from https://attack.mitre.org/

4. Engebretson, P. (2018). The Basics of Hacking and Penetration Testing: Ethical Hacking and
Penetration Testing Made Easy. Syngress.

5. Kim, A., & Olsson, E. (2018). The Web Application Hacker's Handbook: Finding and Exploiting
Security Flaws. Wiley.

6. Nmap Project. (n.d.). Nmap: the Network Mapper - Free Security Scanner. Retrieved from
https://nmap.org/
8. Appendices
8.1 Screenshots: vulnerability scanner screenshots with their output, including the network attacks,
the successful ones, and the exploitations.

INTERNAL NETWORK FINDINGS

Target IP Addresses

172.16.2.8

172.16.2.3

172.16.2.5

Testing was also carried out in the laboratory using tools such as Nmap, Sniper, Fierce,
OpenVAS, Metasploit and Wireshark.

NETWORK PENETRATION TESTING RESULTS

3. Database-Backed Content Providers (Directory Traversal)

Risk: HIGH

Location(s): content://com.mwr.example.sieve.FileBackupProvider/
             content://com.mwr.example.sieve.FileBackupProvider

Description

Many of these vulnerabilities were found on the external target network, including a
vulnerability in the Apache Glassfish server alongside the Apache Struts REST Plugin, unrestricted
WebDAV upload, misconfigurations in services, a vulnerability in the DistCC daemon, a Samba RCE, and a
buffer overflow vulnerability in the SLmail application, which resulted in system takeover of the
affected nodes.
Vulnerability Summary Table

We strongly advise the following to help the organisation mitigate the risks involved.

Result                                    Classification
Vulnerabilities Found                     Yes
Exploited – Denial of Service (DoS)       No
Exploited – Elevation of Privilege (EoP)  No
Exploited – Remote Code Execution (RCE)   Yes
Exploit Persistence Achieved              No
Sensitive Data Exfiltrated                No
Overall Risk                              HIGH

OWASP 2013 Top 10 Result

A1 Injection

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfiguration

A6 Sensitive Data Exposure

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known Vulnerabilities

A10 Unvalidated Redirects and Forwards


8.2 Command Outputs:

We gained access and tested the vulnerabilities.

Reading the /etc/hosts file is not a serious issue in itself (it is world-readable anyway), but
another drozer module allowed us to find additional content URIs that may contain more sensitive
information, such as content://com.mwr.example.sieve.FileBackupProvider, which returns the data from
the directory directly beneath it.
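The content-provider issue above is a directory traversal: a client-supplied path is joined to a backup directory without confirming that the result stays inside it. As an added example that is not part of the original report, the following Python code shows the check a defender would put in front of such a file-backed provider; it resolves the requested path, refuses absolute paths, and rejects anything that normalises to a location outside the base directory. The backup directory, file name and request strings are constructed for the example.

```python
from pathlib import Path
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path would leave the provider's base directory."""


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Resolve a client-supplied path against base_dir and refuse anything
    that normalises to a location outside it."""
    if requested.startswith(("/", "\\")) or Path(requested).is_absolute():
        raise TraversalError(f"absolute paths are not accepted: {requested!r}")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the comparison
    # below is made on the real target, not on the text the client sent.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(f"path escapes base directory: {requested!r}") from None
    return candidate


def read_backup(base_dir: str, requested: str) -> bytes:
    """Read a file from the backup directory, or raise TraversalError."""
    return safe_resolve(base_dir, requested).read_bytes()


def demo() -> dict:
    """Exercise the guard against a constructed backup directory."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "backups"
        backup_dir.mkdir()
        (backup_dir / "notes.txt").write_bytes(b"sample backup content")
        results = {}
        for request in ("notes.txt", "sub/../notes.txt", "../../etc/hosts", "/etc/hosts"):
            try:
                results[request] = read_backup(str(backup_dir), request).decode()
            except TraversalError:
                results[request] = "rejected"
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r}: {outcome}")
```

The check is done after resolution rather than by searching the request for "..", because a path such as sub/../notes.txt is legitimate once normalised while an encoded or symlinked variant would slip past a textual filter.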
