
Penetration Test Report
Prepared for Hotel Dorsey
Name:
Team Number: Redteam3
Student Number: 4

Introduction

In this report, you will find the results of the penetration test that we conducted on Hotel Dorsey's
network. We used Kali, a Linux distribution, as our attack machine to exploit the vulnerabilities in
Hotel Dorsey's network. To begin with, we performed a scan of the network using two tools: Zenmap and
OpenVAS. Zenmap is a graphical user interface (GUI) for the Nmap utility, a network exploration and
security auditing tool. OpenVAS is a vulnerability scanner capable of a variety of tests and scans,
including authenticated and unauthenticated testing of various high- and low-level internet and
industrial protocols. By combining the reports from both tools, we determined the high-severity
vulnerabilities present in the network. We decided to exploit the vulnerabilities associated with port
80, HTTP. In the following sections, you will find more information about the vulnerability we exploited
and how we used it to gain access to Hotel Dorsey's network.

Target

We have two machines: the attacker's (Kali) with the IP address 10.3.5.50 and the victim's
(Metasploitable) with the IP address 10.3.5.100. We scanned the network with tools that discover exposed
open ports that are prone to attack. These tools help us evaluate and detect the vulnerabilities of these
machines, and we can improve network security by acting on the scan results. Network ports use transport
protocols such as UDP and TCP, and they allow a host with an IP address to run services.

Below is a screenshot of the Zenmap scan, which shows that the victim machine is very weak because all
important ports are open, and the server may be exposed to hackers through those open ports. For
instance, on port 111, anyone can query the RPC portmap without user authentication, since there is no
logging or filtering.
The table below shows the target system's open ports and the service, or function, of each port.

Open port   Service
80          Hypertext Transfer Protocol (HTTP) – used at the application level of the network [3]
111         SunRPC – used to provide information among Unix-based systems; Open Network Computing
            Remote Procedure Call (ONC RPC) [3]
23          Telnet – used for remotely accessing the network, but not secure [3]
25          Simple Mail Transfer Protocol (SMTP) – used for mailing [3]
21          File Transfer Protocol (FTP) – used for file transfer between client and server [3]
53          Domain Name System (DNS) – acts as the phonebook of the internet as it maps computer
            names to IP addresses [3]
139         NetBIOS – session service [3]
445         Microsoft Directory Services – Windows file sharing
512         Remote Process Execution [3]
514         Remote Shell (RSH) – to connect to the network remotely but securely [3]
523         Routing Information Protocol Next Generation (RIPng) [3]
1099        RMI registry – Java remote method invocation [3]
1524        Ingreslock
2049        Network File System (NFS) [3]
3306        MySQL database system – port for the MySQL database
5432        PostgreSQL – port for the PostgreSQL database system [3]
6667        Internet Relay Chat (IRC) [3]
8009        Apache JServ Protocol (AJP13) [3]
8180        Applications [3]

Vulnerability

We attacked the port 80 (HTTP) vulnerability. We gained access to the victim machine by exploiting
CVE-2012-1823, known in Metasploit as 'php_cgi_arg_injection'. CVE-2012-1823 is a security flaw that
affects PHP versions before 5.3.12 and 5.4.x before 5.4.2 when PHP is configured as a CGI script (aka
php-cgi). It allows remote attackers to execute arbitrary code by placing command-line options in the
query string, related to lack of skipping a certain php_getopt for the 'd' case [1]. This vulnerability
was reported in May 2012 and was rated as severe by US-CERT. It was exploited in the wild by various
attackers, including some targeting Parallels Plesk Panel servers [2]. The vulnerability was patched by
the PHP developers in versions 5.3.12 and 5.4.2. We achieved root-level access on the box.

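
The flaw described above is visible to a defender in the web server's access log: a query string that
contains no literal "=" is handed to php-cgi as command-line arguments, so a request whose first decoded
argument is a dash option (such as the 'd' case mentioned above) stands out. The following detector is an
added example written for this report, not code from the original test or from the referenced sources.
The Apache combined-format log lines are constructed, and the directive name in the first line is a
placeholder rather than a real PHP setting.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not from the report). The
# directive name in the first line is a placeholder, not a real PHP setting.
SAMPLE_LOG = """\
10.3.5.50 - - [07/Dec/2023:10:15:01 +0000] "GET /index.php?-d+CONSTRUCTED_DIRECTIVE%3Dvalue HTTP/1.1" 200 512 "-" "curl/7.88"
10.3.5.50 - - [07/Dec/2023:10:15:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.3.5.51 - - [07/Dec/2023:10:15:03 +0000] "GET /search.php?q=-d HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.3.5.52 - - [07/Dec/2023:10:15:04 +0000] "GET /index.php?%2Dd HTTP/1.1" 200 300 "-" "python-requests/2.31"
10.3.5.53 - - [07/Dec/2023:10:15:05 +0000] "GET /static/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def looks_like_cgi_option_injection(target):
    """True when the query string would reach php-cgi as argv.

    The CGI rules pass the query string as arguments only when it contains no
    literal '=' (line 3 above is therefore ordinary form data, not an attack).
    We then URL-decode it ('+' and '%2D' included) and check whether the first
    argument is a dash option, which is what CVE-2012-1823 abuses.
    """
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    if "=" in query:
        return False
    first_arg = unquote_plus(query).split(" ", 1)[0]
    return len(first_arg) >= 2 and first_arg[0] == "-" and first_arg[1].isalpha()


def scan_log(text):
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if looks_like_cgi_option_injection(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} (status {hit['status']})")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The decoded check
matters because a URL-encoded dash (%2D, line 4) bypasses a naive search for "?-". The fix remains the
one the report names, upgrading PHP to 5.3.12 or 5.4.2 and later; the detector only tells you whether the
flaw was probed before the upgrade landed.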
Data Exfiltration

After getting root-level access to the machine, we could read the shadow and password (passwd) files,
which hold crucial user login data. We used the following commands to collect the data from both files:
"download shadow /root/" in the Metasploit (Meterpreter) session to transfer the shadow file to the
attacker machine, "cat shadow" to see the hashes, "download mypass.txt /root/" in the same session, and
"leafpad hash.txt" on Kali to copy the hashes from the shadow file into hash.txt. We copied the contents
and pasted them into a document on the attack machine. The penetration testers then cracked the
passwords from the shadow file using the John the Ripper commands "john hash.txt" and "john --show
hash.txt". We now have access to all the users' data on the victim machine. To further demonstrate
exfiltration, we also accessed the redteam3student4 account and took the contents of the mypass.txt file.

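
Cracking the shadow file succeeded because of how the hashes were stored, so the defensive counterpart
to the step above is an audit of that file. The following script is an added example written for this
report, not code the testers ran; the shadow lines are constructed with placeholder salts and hashes,
and the severity labels are the author's assumption. It flags empty password fields, legacy MD5 and DES
crypt hashes that tools like John the Ripper work through quickly, and accounts whose password never
expires.

```python
from dataclasses import dataclass

# Constructed /etc/shadow lines for demonstration only; the salts and hashes
# are placeholders, not credential material from the target.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDSHA512HASH:19698:0:99999:7:::
msfadmin:$1$CONSTRUC$CONSTRUCTEDMD5HASH:19698:0:99999:7:::
service:!:19698:0:99999:7:::
guest::19698:0:99999:7:::
legacy:AbCdEfGhIjKlM:19698:0:90:7:::
"""

# Prefixes of slow, salted crypt algorithms (SHA-256/512 crypt, yescrypt,
# gost-yescrypt, scrypt, bcrypt). Anything else is legacy or not a password.
STRONG_PREFIXES = ("$5$", "$6$", "$y$", "$gy$", "$7$", "$2a$", "$2b$", "$2y$")


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str
    reason: str


def classify_hash(field):
    """Describe the second shadow field: empty, locked, strong, md5, des or unknown."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith(STRONG_PREFIXES):
        return "strong"
    if field.startswith("$1$"):
        return "md5"
    if "$" not in field and len(field) == 13:
        return "des"          # traditional 13-character DES crypt
    return "unknown"


def audit_shadow(text):
    """Return findings in file order: hash weaknesses first, then ageing issues."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        # user:hash:lastchange:min:max:warn:inactive:expire:
        fields = line.split(":")
        if len(fields) < 5:
            continue
        user, pw_hash, max_days = fields[0], fields[1], fields[4]
        kind = classify_hash(pw_hash)
        if kind == "empty":
            findings.append(Finding(user, "critical",
                                    "no password set; anyone can log in as this user"))
        elif kind in ("md5", "des"):
            findings.append(Finding(user, "high",
                                    f"{kind} crypt hash is fast to crack offline; "
                                    "rehash with SHA-512 crypt or yescrypt"))
        elif kind == "unknown":
            findings.append(Finding(user, "medium",
                                    "unrecognised hash format; verify manually"))
        # Ageing only matters for accounts that can actually log in.
        if kind != "locked" and max_days in ("", "99999"):
            findings.append(Finding(user, "low", "password never expires"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

Run it as root with the real file (`python3 audit.py < /etc/shadow` after switching SAMPLE_SHADOW for
stdin) and treat every "critical" and "high" line as a password reset plus a rehash with a modern
algorithm; the "low" findings are the policy gap that lets a cracked password stay valid indefinitely.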
Recommendations

The victim has many weaknesses and can be attacked easily, as shown by the vulnerability assessment,
the system fingerprinting and the penetration test. The attacker collected confidential data about Hotel
Dorsey that could be used to harm, damage or disrupt hotel operations. The full penetration test results
will help in building a completely secure network that prevents and protects against harm, damage and
disruption of the Hotel Dorsey network and data. The penetration testers suggest hardening the network by
using access control lists (ACLs), turning off unneeded ports and protocols, and using policies and
procedures to check for and fix user and application weaknesses.
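
The open-port table in the Target section and the recommendation above to turn off unneeded ports and
protocols come together in the following check. It is an added example written for this report, not a
tool the testers used: it parses Nmap's grepable (-oG) output, compares each host's open ports with an
allow-list, and flags the legacy cleartext or unauthenticated services separately. The grepable line is
constructed from the report's port table (with empty banner fields, since the report shows none), and
the allow-list, which assumes the host is meant to serve only HTTP, is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap grepable (-oG) format, built from the open-port
# table in this report. Owner/version fields are empty because the report
# shows no banners; the service names are the usual nmap-services labels.
SAMPLE_GREPABLE = (
    "Host: 10.3.5.100 ()\tPorts: "
    "80/open/tcp//http///, 111/open/tcp//rpcbind///, 23/open/tcp//telnet///, "
    "25/open/tcp//smtp///, 21/open/tcp//ftp///, 53/open/tcp//domain///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "512/open/tcp//exec///, 514/open/tcp//shell///, 523/open/tcp/////, "
    "1099/open/tcp//rmiregistry///, 1524/open/tcp//ingreslock///, "
    "2049/open/tcp//nfs///, 3306/open/tcp//mysql///, 5432/open/tcp//postgresql///, "
    "6667/open/tcp//irc///, 8009/open/tcp//ajp13///, 8180/open/tcp//unknown///"
    "\tIgnored State: closed (981)\n"
)

# Hypothetical allow-list (an assumption, not from the report): the host is a
# public web server, so only HTTP is expected to be reachable.
ALLOWED_PORTS = {"10.3.5.100": {80}}

# Services that move credentials or commands in cleartext or trust the client
# outright; these are flagged high whether or not the allow-list permits them.
LEGACY_SERVICES = {
    21: "FTP sends credentials in cleartext",
    23: "Telnet sends the whole session in cleartext",
    512: "rexec sends credentials in cleartext",
    514: "rsh relies on trusted-host files instead of authentication",
    1524: "ingreslock is not a service a web host needs",
}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str
    reason: str


def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for every open port."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [
            (int(port), proto, service)
            for port, state, proto, service in PORT_RE.findall(ports_field)
            if state == "open"
        ]
    return hosts


def audit(hosts, allowed=ALLOWED_PORTS):
    """Compare open ports with the allow-list; findings are sorted by port."""
    findings = []
    for host, entries in hosts.items():
        permitted = allowed.get(host, set())
        for port, proto, service in sorted(entries):
            if port in LEGACY_SERVICES:
                findings.append(Finding(host, port, service, "high",
                                        LEGACY_SERVICES[port] + "; disable it"))
            elif port not in permitted:
                findings.append(Finding(host, port, service, "medium",
                                        "not in allow-list; stop the service or filter it with an ACL"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{f.host}:{f.port}/{f.service or '?'} [{f.severity}] {f.reason}")
```

Point it at a real scan with `nmap -oG scan.gnmap 10.3.5.100` and read the file into parse_grepable;
rerunning it after the hardening work gives a simple pass/fail for whether the unneeded ports are really
closed or filtered rather than just documented as such.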

References
[1] “CVE - CVE-2012-1823,” cve.mitre.org, Mar. 21, 2012. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823

[2] V. S, “PHP-CGI ‘severe’ vulnerability CVE-2012-1823,” Bobcares, May 06, 2012. https://bobcares.com/blog/php-cgi-severe-vulnerability-cve-2012-1823/ (accessed Dec. 07, 2023).

[3] Wikipedia Contributors, “List of TCP and UDP Port Numbers,” Wikipedia, Jun. 04, 2019. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
