
Penetration Testing Report

By
Shiv Shankar Yadav

Table of Contents

EXECUTIVE SUMMARY
1.1 SYNOPSIS
1.2 SCOPE OF TESTING
1.3 FINDINGS OVERVIEW
1.4 SEVERITY SCALE

Testing Approach
2.1 OVERVIEW
2.2 Enumeration
2.3 Nmap Network Scanning
2.4 Technology Enumeration
2.5 Directory Enumeration

Vulnerability Assessment
3.1 Mobile Login OTP Bypass
3.2 Steps
3.3 POC
3.4 Impact
3.5 Remediation

EXECUTIVE SUMMARY

1.1 SYNOPSIS
On September 28th, 2022, Shiv Shankar Yadav was invited to evaluate vastrzone.com by
conducting a 5-day penetration test. The purpose of the pentest was to act as an external
attacker against the corporate server of vastrzone.com, in order to find existing flaws that
could lead to a breach and be used by a real-world attacker to gain access to sensitive data.
All issues found by Shiv Shankar Yadav were obtained and validated through network
evaluation, system vulnerability scanning and assessment, and automated and manual
exploitation (where necessary) of the detected vulnerabilities.

1.2 SCOPE OF TESTING


The security assessment covered testing for security flaws within the scope indicated below.
No information was provided beyond what is listed here, and nothing was assumed at the
commencement of the assessment.
The following items were included in the scope of the security audit:

URL: https://vastrzone.com

1.3 FINDINGS OVERVIEW

The initial reconnaissance of the vastrzone.com website led to network enumeration with
Nmap and the discovery of web directories. While manually searching for sensitive WordPress
files and performing content discovery on vastrzone.com, I found a mobile-number-based
login mechanism. I explored several ways of getting around the OTP, including brute forcing,
and discovered a vulnerability that allows the OTP to be bypassed through response manipulation.

1.4 SEVERITY SCALE


CRITICAL Severity Issue: Poses an immediate danger to systems, network, and/or data
security and should be addressed as soon as possible. Exploitation requires little to no special
knowledge of the target. Exploitation doesn’t require highly advanced skills, training, or
tools.

HIGH Severity Issue: Poses a significant danger to systems, network, and/or data security.
Exploitation commonly requires some advanced knowledge, training, skill, and/or tools.
Issue(s) should be addressed promptly.
MEDIUM Severity Issue: Vulnerabilities should be addressed in a timely manner.
Exploitation is usually more difficult to achieve and requires special knowledge or access.
Exploitation may also require social engineering as well as special conditions.
LOW Severity Issue: The danger of exploitation is unlikely as vulnerabilities offer little to
no opportunity to compromise the system, network, and/or data security. Can be handled as
time permits.
INFORMATIONAL Issue: Meant to increase client’s knowledge. Likely no actual threat.

Testing Approach

2.1 OVERVIEW

All testing was executed in several related phases.

1. In the planning phase, the rules of engagement were identified, scope of testing and test
windows were agreed upon, and testing goals were set.
2. The discovery phase included automated vulnerability scanning along with manual testing
to explore and understand the testing target and any vulnerabilities that could be detected by
automated tools.

3. The attack phase comprised efforts to exploit any vulnerabilities detected, and to
synthesize knowledge gained about the environment, its technology, its users and its function
into an escalation of privilege beyond that intended by the customer.
4. The final phase recorded all findings in a manner that supports risk assessment and
remediation.

2.2 Enumeration
From vastrzone.com, Shiv Shankar Yadav was granted a scope of the host(s), which
included the corporate server. The following are the network details for the device:

Hostname            IP Address
vastrzone.com       45.84.204.149
www.vastrzone.com   45.84.204.114

2.3 Nmap Network Scanning


The first step of the Discovery phase was network reconnaissance of the in-scope IP
addresses to identify open ports and the services the host exposes on them. Standard
scanning tools such as Nmap were used to test each IP address for all TCP and UDP ports.
The following ports were identified:

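The scan described above, as an added example that is not part of the original report: the Nmap invocations for a full TCP and UDP port range against the in-scope hostnames, and a parser for Nmap's grepable (-oG) output that reduces the result to open ports per host. The flags are standard Nmap options; the sample output embedded in the block is constructed around a TEST-NET address and does not reproduce the ports found on vastrzone.com.

```python
"""
Full-range port scan of the in-scope hosts and a parser for Nmap's
grepable (-oG) output.

Added example, not part of the original report. The scan commands use
standard Nmap flags; the sample -oG output below is constructed with a
TEST-NET address and does not reproduce the report's findings.
"""
import re
import shlex
import subprocess
from typing import Dict, List, Tuple

HOSTS = ["vastrzone.com", "www.vastrzone.com"]   # in-scope hostnames from section 2.2


def scan_commands(target: str) -> List[str]:
    """Nmap invocations covering all 65535 TCP ports and all UDP ports.
    A full UDP range is slow; -sU -p- is what 'all UDP ports' actually costs."""
    return [
        f"nmap -sS -p- -sV -T4 -oG {target}.tcp.gnmap {target}",
        f"nmap -sU -p- -sV -T4 -oG {target}.udp.gnmap {target}",
    ]


def run_scans(target: str) -> None:
    """Run the scans (needs nmap installed and raw-socket privileges)."""
    for cmd in scan_commands(target):
        subprocess.run(shlex.split(cmd), check=True)


PORT_FIELD_RE = re.compile(r"Ports:\s*(.*?)(?:\tIgnored State:|$)")


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Return {host: [(port, proto, service, version), ...]} for open ports only.
    Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/."""
    result: Dict[str, List[Tuple[int, str, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        m = PORT_FIELD_RE.search(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                result.setdefault(host, []).append((int(port), proto, service, version))
    return result


# --- constructed sample -oG output (TEST-NET address, not the target) ---
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated as: nmap -sS -p- -sV -oG scan.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 (example.invalid)\tStatus: Up\n"
    "Host: 192.0.2.10 (example.invalid)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//LiteSpeed/, 443/open/tcp//ssl|http//LiteSpeed/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (65531)\n"
    "# Nmap done\n"
)

if __name__ == "__main__":
    for h in HOSTS:
        print("\n".join(scan_commands(h)))
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        for port, proto, svc, ver in ports:
            print(f"{host}\t{port}/{proto}\t{svc}\t{ver}")
```

Filtered ports (such as the constructed 3306/mysql entry) are dropped on purpose: a filtered database port is worth noting in the report, but it is not an exposed service.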
2.4 Technology Enumeration
The technologies used by a web application can be identified with the help of Wappalyzer.
This website is built on the WordPress 5.9.3 CMS, using PHP 7.4.26 as the backend
programming language. A number of WordPress plugins are installed, as listed below.

WordPress plugins:
● PixelYourSite
● WooCommerce 6.5.1
● Draftpress HFCM
● Advanced Custom Fields
● MailChimp for WordPress

Web server: LiteSpeed
Database: MySQL
Email: MailChimp
Authentication: Facebook Login

2.5 Directory Enumeration
By manually enumerating a number of WordPress directories, we can obtain more detailed
information about backend PHP files, SQL queries, the version information of the installed
plugins, and the error log directory, which reveals crucial information about the website.

Vulnerability Assessment

3.1 Mobile Login OTP Bypass


I discovered a vulnerability that allows an attacker to circumvent the mobile-number login.
For mobile login, the user enters a mobile number and an OTP is sent to that number; if the
OTP is correct the user is logged in, and if it is incorrect an error message is shown. Even
with an invalid OTP, an attacker can log in without ever knowing the correct OTP by modifying
the server's response with the Burp Suite proxy. This indicates that whether the user is
treated as logged in is decided on the client side from the content of the verification
response, rather than by the server issuing an authenticated session only after it has
verified the OTP itself.

3.2 Steps
● Enter a mobile number to log in to vastrzone.com.
● Open Burp Suite and enable Intercept.
● Enter a wrong OTP, send the request to the Repeater tab, and note the response returned
when the OTP is wrong.
● Note the response returned when the OTP is correct, and copy it.
● Go back to the Intercept tab, enable "Do intercept > Response to this request", and
replace the wrong-OTP response with the copied correct-OTP response.
● Verify that we are logged in to the web application.

Severity: CRITICAL

3.3 POC

3.4 Impact
Using the "Login with mobile number" option on vastrzone.com, an attacker can bypass OTP
verification for any mobile number. With nothing more than a victim's phone number and
country code, and without any existing privileges, an attacker can take over that user's account.

3.5 Remediation
I suggest building a strong authentication system whose checks are enforced on the server
side and not only on the client side: the server should create an authenticated session only
after it has verified the OTP itself, so that modifying the response in a proxy cannot grant
access. OTPs should also be single use, expire after a short time, and be limited in the
number of attempts allowed, so that brute forcing is not an alternative route in.
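The flaw in 3.1 and the fix recommended here, as an added example modelling the login flow (not code from vastrzone.com or from the report): verify_vulnerable mints a session regardless of the OTP and leaves the verdict to the front-end, so rewriting the response in Burp logs the attacker in; verify_hardened creates a session only after the server itself has checked the OTP, so the same manipulation yields a "success" response with no usable session behind it. The OTP lifetime, attempt cap, JSON shapes and in-memory stores are assumptions.

```python
"""
Mobile-number OTP login: a client-trusting design that falls to response
manipulation, beside a server-authoritative one that does not.

Added example modelling the flaw described in section 3; it is not code
from vastrzone.com or from the report. The in-memory OTP/session stores,
the JSON shapes and the limits below are assumptions.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

OTP_TTL_SECONDS = 300      # assumed OTP lifetime
MAX_ATTEMPTS = 5           # assumed per-OTP guess budget (defeats brute forcing)


class OtpService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.pending: Dict[str, dict] = {}    # phone -> {"otp", "expires", "attempts"}
        self.sessions: Dict[str, str] = {}    # session token -> phone

    def send_otp(self, phone: str) -> str:
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = {"otp": otp, "expires": self.now() + OTP_TTL_SECONDS,
                               "attempts": 0}
        return otp   # returned only so the example can drive itself; real code sends it by SMS

    def verify_vulnerable(self, phone: str, otp: str) -> dict:
        """Flawed: a session is minted whatever the OTP, and the verdict in the
        response is only a hint the front-end uses to decide whether to show the
        dashboard. Rewriting "error" to "success" in Burp is enough to log in."""
        rec = self.pending.get(phone)
        ok = rec is not None and rec["otp"] == otp
        token = secrets.token_urlsafe(32)
        self.sessions[token] = phone
        return {"status": "success" if ok else "error", "token": token}

    def verify_hardened(self, phone: str, otp: str) -> dict:
        """Server-authoritative: no session exists until the server itself has
        verified the OTP; OTPs are single use, expire, and have an attempt cap."""
        rec = self.pending.get(phone)
        if rec is None or self.now() > rec["expires"]:
            self.pending.pop(phone, None)
            return {"status": "error", "reason": "expired_or_unknown"}
        if rec["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(phone, None)
            return {"status": "error", "reason": "locked"}
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["otp"], otp):   # constant-time compare
            return {"status": "error", "reason": "invalid"}
        self.pending.pop(phone, None)                    # single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = phone
        return {"status": "success", "token": token}

    def whoami(self, token: Optional[str]) -> Optional[str]:
        """What the server believes about a token, which is all that matters."""
        return self.sessions.get(token) if token else None


def client_login(svc: OtpService, verify: Callable[[str, str], dict],
                 phone: str, otp: str, tamper: bool) -> Optional[str]:
    """Model the browser. With tamper=True the response is rewritten to "success"
    as the attacker does in Burp. Returns the phone the SERVER binds to the
    resulting token, or None if the attacker ends up with no usable session."""
    resp = verify(phone, otp)
    if tamper:
        resp = dict(resp, status="success")
    if resp["status"] != "success":
        return None          # front-end shows the error message
    return svc.whoami(resp.get("token"))


def wrong_otp(otp: str) -> str:
    """A guess guaranteed to differ from the real OTP."""
    return "000000" if otp != "000000" else "111111"


if __name__ == "__main__":
    victim = "+910000000000"   # constructed number, not a real account
    svc = OtpService()
    otp = svc.send_otp(victim)
    print("vulnerable + tampered:", client_login(svc, svc.verify_vulnerable, victim, wrong_otp(otp), True))
    svc = OtpService()
    otp = svc.send_otp(victim)
    print("hardened  + tampered:", client_login(svc, svc.verify_hardened, victim, wrong_otp(otp), True))
    print("hardened  + real OTP:", client_login(svc, svc.verify_hardened, victim, otp, False))
```

client_login returns the phone number the server binds to the resulting token, which is the only measure of whether a bypass succeeded; a dashboard rendered from tampered client-side state does not count. When retesting after a fix, repeat the Burp steps in 3.2 and then make an authenticated request (for example to the account page) with the resulting cookies, rather than trusting what the browser displays.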
