CPT Project Report Adithya

The document is the final project report for a Certified Penetration Tester course. It details the penetration testing methodology used to compromise a Linux machine called LaMasia. The methodology included using tools like ifconfig, netdiscover, nmap for information gathering. Port knocking was used to open additional ports. The web server running on port 1337 was accessed, and the robots.txt file revealed additional information to aid in compromising the system.

Uploaded by

Adithya Raji

CERTIFIED PENETRATION TESTER

FINAL PROJECT REPORT

SUBMITTED BY

ADITHYA R
30/10/2022
11:30 to 1:30 BATCH

ABSTRACT

Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. It helps confirm the effectiveness or ineffectiveness of the security measures that have been implemented. This paper provides an overview of penetration testing. It discusses the benefits, the strategies and the methodology of conducting penetration testing. The methodology of penetration testing includes three phases: test preparation, test and test analysis. The test phase involves the following steps: information gathering, vulnerability analysis, and vulnerability exploitation.

Acknowledgement

I want to thank Mr. Sajith, our project mentor, who guided us in doing this project and helped us with the technical aspects.

I had help from our friends and other team members who made valuable suggestions for this project, so they made an indirect contribution to this project.
I would also like to extend my deepest gratitude to all those who have directly and indirectly guided me in doing this project.
I learnt many things while doing this project. I also learnt how to work in a team and coordinate within a team, along with the technical skills involved in this project. It motivated us to learn more in the field of Information Security and to pursue a career in this field.

INTRODUCTION

Security is one of the major issues of information systems. The growing connectivity of computers through the internet, the increasing extensibility of systems, and the unbridled growth of the size and complexity of systems have made software security a bigger problem now than in the past. Furthermore, it is a business imperative to adequately protect an organization’s information assets by following a comprehensive and structured approach to provide protection from the risks an organization might face. In an attempt to solve the security problem and comply with the mandated security regulations, security experts have developed various security assurance methods including proof of correctness, layered design, software engineering environments and penetration testing.

Penetration testing is a comprehensive method to test the complete, integrated, operational, and trusted computing base that consists of hardware, software and people. The process involves an active analysis of the system for any potential vulnerabilities, including poor or improper system configuration, hardware and software flaws, and operational weaknesses in the process or technical countermeasures. Penetration testing is different from security functional testing. The latter demonstrates the correct behavior of the system’s security controls, while penetration testing determines how difficult it is for someone to penetrate an organization’s security controls and gain unauthorized access to its information and information systems. It is done by simulating an unauthorized user attacking the system using automated tools, manual methods, or a combination of both. This paper provides an overview of penetration testing. It discusses the benefits of penetration testing, penetration testing strategies and types, as well as the methodology for penetration testing.

WHY PENETRATION TESTING

The main goal of vulnerability assessment is to identify security vulnerabilities under controlled circumstances so they can be eliminated before unauthorized users exploit them. Computing system professionals use penetration testing to address problems inherent in vulnerability assessment, focusing on high-severity vulnerabilities. Penetration testing is a valued assurance assessment tool that benefits both the business and its operations.

Penetration Testing Execution Standard

PTES defines penetration testing as 7 phases:

• Pre-engagement Interactions: Includes getting permissions.
• Intelligence Gathering: To get information about the system or application using tools like Nmap and WHOIS lookup.
• Threat Modelling
• Vulnerability Analysis: To find out the vulnerabilities in the system.
• Exploitation
• Post Exploitation: There should be no illegal use of data that a pentester accesses.
• Reporting: A proper step-by-step report should be submitted to the client specifying all types of tests that have been done.

HOW TO CONDUCT PENETRATION TESTING

Penetration testing is not merely the serial execution of automated tools and generation of technical reports, as it is frequently viewed. It should provide a clear and concise direction on how to secure an organization’s information and information systems from real-world attacks. One critical factor in the success of penetration testing is its underlying methodology. A systematic and scientific approach should be used to successfully document a test and create reports that are aimed at different levels of management within an organization. It should not be so restrictive that it prevents the tester from fully exploring their intuitions.

Generally, penetration testing has three phases: test preparation, test, and test analysis.

All the necessary documents for the test are organized and finalized during the test preparation phase. The testers and the organization meet to decide the scope, objectives, timing, and duration of the test. Issues such as information leakage and downtime are resolved and put into a legal agreement document. Other legal agreements that are deemed necessary are concluded and signed during this phase.

The bulk of the penetration testing process is done during the test phase. A variety of automated tools can be used in this phase. This phase involves the following steps: information gathering, vulnerability analysis, and vulnerability exploitation. The information gathering step requires that the tester scan the physical and logical areas of the test target and identify all pertinent information needed in the vulnerability analysis step. Depending on the information gathered or provided by the organization, the tester then analyzes the vulnerabilities that exist within the target’s network, hosts and applications. The tester may opt to do this step manually, but automated tools also exist to help. The last step allows the tester to find exploits for the vulnerabilities found in the previous steps. When exploits do not lead to what is intended, for example root access, further analysis should be done. This is represented by the loop between the vulnerability analysis and vulnerability exploitation steps.

The results of the test are thoroughly investigated during the test analysis phase. These results are provided to the organization, so they must be comprehensive and systematic. Preparation of a mitigation plan is an important part of penetration testing; it is therefore mandatory to include a mitigation plan section in the analysis report.

PROJECT OVERVIEW

The main aim of this project, on the machine named LaMasia, is to compromise the Linux machine as the final project for CPT course completion. In this machine, find the vulnerability, exploit it and compromise the machine using pentesting tools and the skills gained from RedTeam Hacker Academy.

PENETRATION TESTING METHODOLOGY

IFCONFIG

As the first step, I scanned my own IP address to get information about the other machines connected to the same network.

Command used: ifconfig

NETDISCOVER

Now I need to gather information about the LaMasia machine.

Netdiscover is a simple ARP scanner which can be used to scan for live hosts in a network. It can be used in the first phase of a pentest where you have access to a network.

netdiscover -r 192.168.1.0/24

By scanning the network:

IP address: 192.168.1.100

NMAP

Now use the Nmap tool to gather information on the services and operating system running on the machine, using the IP obtained from the step above.
Nmap has an aggressive mode that enables OS detection, version detection, script scanning and traceroute. So, use the -A argument to perform an aggressive scan.

nmap -A 192.168.1.100

PORT-KNOCKING

Since we had only found one port open (ssh), I am going to try a different method called ‘port-knocking’.

Running the command:
hping3 -S 192.168.1.100 -p 1 -c 1; hping3 -S 192.168.1.100 -p 2 -c 1; hping3 -S 192.168.1.100 -p 3 -c 1

Now fire up the nmap scan again. This time hopefully we will have more than one port in the result, using the command:
nmap -p- -A 192.168.1.100
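From the defender’s side, a knock sequence like the one above is visible in the firewall logs of the target. The following Python script is an added example (not part of the original report): it parses constructed netfilter LOG lines, reports every source that hits ports 1, 2, 3 in order within a short window, and then checks whether that source went on to contact the hidden port 1337. The log format, the source addresses and the knock sequence are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Constructed netfilter LOG lines (sample data, not taken from the report).
# 192.168.1.50 knocks 1,2,3 and then reaches the hidden web port 1337;
# 192.168.1.77 hits the same ports but with a stray packet in between.
SAMPLE_LOG = """\
Oct 30 11:30:01 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 PROTO=TCP SPT=40001 DPT=1 SYN
Oct 30 11:30:02 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 PROTO=TCP SPT=40002 DPT=2 SYN
Oct 30 11:30:03 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 PROTO=TCP SPT=40003 DPT=3 SYN
Oct 30 11:30:20 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.100 PROTO=TCP SPT=40004 DPT=1337 SYN
Oct 30 11:31:00 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.100 PROTO=TCP SPT=50001 DPT=1 SYN
Oct 30 11:31:01 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.100 PROTO=TCP SPT=50002 DPT=22 SYN
Oct 30 11:31:02 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.100 PROTO=TCP SPT=50003 DPT=2 SYN
Oct 30 11:31:03 lamasia kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.100 PROTO=TCP SPT=50004 DPT=3 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)
TS_FMT = "%b %d %H:%M:%S"


def parse_line(line):
    """Return (timestamp, source ip, destination port), or None for lines that are not LOG entries."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], int(m["dpt"])


def find_knock_sequences(lines, sequence=(1, 2, 3), window_seconds=10):
    """Return [(src, timestamp)] for every source that completes `sequence` in
    order within `window_seconds`. As knockd does, any out-of-sequence port
    from the same source resets its progress."""
    progress = {}  # src -> (index of next expected port, time of first knock)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, started = progress.get(src, (0, None))
        if idx and (ts - started).total_seconds() > window_seconds:
            idx, started = 0, None  # too slow: start over
        if dpt == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(sequence):
                hits.append((src, ts.strftime(TS_FMT)))
                idx, started = 0, None
        elif dpt == sequence[0]:
            idx, started = 1, ts  # wrong port, but it restarts the sequence
        else:
            idx, started = 0, None
        progress[src] = (idx, started)
    return hits


def sources_reaching_port(lines, hits, port=1337, within_seconds=60):
    """Return the sources from `hits` that contacted `port` shortly after knocking."""
    reached = []
    for src, knocked_at in hits:
        knocked = datetime.strptime(knocked_at, TS_FMT)
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            ts, line_src, dpt = parsed
            delay = (ts - knocked).total_seconds()
            if line_src == src and dpt == port and 0 <= delay <= within_seconds:
                reached.append(src)
                break
    return reached


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    knocks = find_knock_sequences(lines)
    print("completed knock sequences:", knocks)
    print("then reached hidden port:", sources_reaching_port(lines, knocks))
```

A knock-then-connect pair from one source within a minute is the signal to alert on; the second host above is filtered out because its stray SYN to port 22 breaks the sequence, which is the same rule the knock daemon itself applies.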

As you can see, there is one more port open in comparison to our previous scan, i.e. 1337, which is running an HTTP service. This is all we wanted, as port 80 was not open by default. Let’s open our target IP with this port in the browser.

It opens a page with only one image, as shown above. We also checked its source code but didn’t get any clue. Generally, there is always a chance of finding a robots.txt file inside a web directory, therefore while penetrating any system we should always check for the robots.txt file. Here we tested for robots.txt at the URL 192.168.1.9:1337/robots.txt, and a new web page opens as shown in the following image. Let’s dig deeper and check its “view page source” to see whether it contains any useful information.

After that we looked into its source code and found a string in Brainfuck-encoded format.

Antonela/index.ph is the decoded word we got. Let’s assume it’s a directory and try accessing it in the browser.

Test this form with some dummy data. This reveals that the error messages won’t help us try to brute-force usernames, so I fire up Burp Suite to capture a request and see what I can find. So we have a typical POST request with 3 params and a cookie, all of which could be potential SQL injection points. So I did what I always do: I copy the whole request to a file called messi.req and throw it at sqlmap.

sqlmap -r mateo.txt --dbs --batch

So it started gathering the databases. I decided to immediately enumerate the tables of the Webapp DB.

sqlmap -r mateo.req --dbs --batch --level 3 -D Webapp --tables

We found a table called Users, which is always a good sign, so we go on to dump that table.

sqlmap -r mateo.txt --dbs --level 3 -D Webapp -T Users --dump
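The three parameters and the cookie are injection points only if the application splices them into SQL text. The following Python example is added here and is not the LaMasia application’s code: it uses an in-memory SQLite stand-in for the Webapp database and its Users table (the schema and the stored credential are assumptions) and puts the string-built login query next to a parameterised one, showing that the textbook tautology probe bypasses the first and not the second. It also shows the uniform error message that, as noted above, kept the form from leaking whether a username was valid.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the Webapp database (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users (username, password) VALUES (?, ?)",
                 ("mateo", "constructed-secret"))  # plaintext only to keep the query logic visible
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: the request parameters become
    part of the SQL grammar, which is exactly what sqlmap probes for."""
    query = ("SELECT username FROM Users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver hands the values to the
    engine separately, so they can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def login_response(conn, username, password):
    """Uniform failure message: the response must not reveal which field was wrong,
    otherwise it becomes a username enumeration oracle."""
    user = login_safe(conn, username, password)
    return "Welcome, %s" % user if user else "Invalid username or password"


def demo():
    conn = build_db()
    tautology = "' OR '1'='1"  # a quote that closes the string and appends an always-true clause
    return {
        "vulnerable_correct": login_vulnerable(conn, "mateo", "constructed-secret"),
        "vulnerable_probe": login_vulnerable(conn, "mateo", tautology),
        "safe_correct": login_safe(conn, "mateo", "constructed-secret"),
        "safe_probe": login_safe(conn, "mateo", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-19s -> %r" % (name, result))
```

The cookie value captured in Burp would be handled the same way as the form fields: anything that reaches a query goes in as a bound parameter, never as text.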

Finally, we get the usernames and passwords. The passwords are in a hashed format, so we need to crack the hashes to get these passwords. It looks like a base64-encoded string, so we need to decode the hash using a base64 decoder.

We successfully managed to convert the hashes.

We got another set of hashes from decoding the first set.

Let’s decode it again.

After decoding it all we got the password, i.e. oldtrafford. So we found that the correct username is mateo and the password is oldtrafford.
I decided to try these credentials via ssh.

ssh mateo@192.168.1.100
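The “hashes” dumped above turned out to be base64 applied twice, which is encoding, not hashing: anyone holding the table gets the passwords back. The following Python example is added here (not from the report) and contrasts that storage scheme, reproduced under the name weak_store, with salted PBKDF2-HMAC-SHA256 from the standard library; the function names and the storage string format are my own choices.

```python
import base64
import hashlib
import hmac
import os


def weak_store(password, layers=2):
    """Reproduces the storage scheme found in the dump: base64 applied
    repeatedly. Encoding is reversible, so this is not hashing at all."""
    data = password.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


def weak_recover(stored):
    """Peel base64 layers until the result no longer decodes to printable text,
    which is all that was needed to read the passwords in the dump."""
    text = stored
    while True:
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return text
        if not decoded or not decoded.isprintable():
            return text
        text = decoded


def hash_password(password, iterations=200_000):
    """Salted, iterated, one-way: the stored string cannot be turned back into
    the password, and equal passwords get different strings."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % algo)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    stored = weak_store("oldtrafford")
    print("weak:", stored, "->", weak_recover(stored))
    strong = hash_password("oldtrafford")
    print("strong:", strong)
    print("verify correct:", verify_password("oldtrafford", strong))
    print("verify wrong:  ", verify_password("lamasia", strong))
```

With the strong scheme, a dump of the Users table via the same injection would still have cost the attacker a per-password brute force instead of two decode steps.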

I start off by trying to list our sudo privileges as mateo.

sudo -l

“Sorry, user mateo may not run sudo on LaMasia.”

I then took a look at the passwd file to see what users we are dealing with.

We are going to edit the /etc/passwd file for privilege escalation.
Refer to the link below for more information about it:
https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/

Using openssl, I edited the password of the user “root”:

openssl passwd lamasia

Let’s open /etc/passwd in nano, paste the hash we got into the encrypted-password field of the root entry, and save it.
Switch user to “root”:

su root

Provide the password you gave; in my case it is “lamasia”.

Here, we found a text file named flag, which was our ultimate goal. So, no more waiting, let’s read it. Now, as we all do, cat the flag.txt from the root directory and be the owner of your target machine.
Hence we successfully found the vulnerabilities of this machine and exploited them to find the final flag.txt.
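The escalation path above works because the second field of /etc/passwd is still honoured when it holds a hash, and because the file could be edited by the low-privileged user, as it was here. The following Python audit is an added example (not from the report or the linked article) that parses a constructed /etc/passwd sample and reports inline hashes, empty password fields, extra UID-0 accounts and unsafe file permissions; the entries in the sample are constructed and the hash in the “backup” entry is a placeholder, not a real crypt string.

```python
import os
import stat

# Constructed /etc/passwd sample (not from the LaMasia machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mateo:x:1000:1000:mateo:/home/mateo:/bin/bash
backup:$1$CONSTRUCTED$placeholderhash:0:0::/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""

# Password-field values that defer to /etc/shadow or lock the account.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd_text(text):
    """Return (username, finding) pairs for entries that should not be in a
    healthy /etc/passwd: inline hashes, empty password fields, extra UID-0 users."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("line %d" % lineno, "malformed entry"))
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            findings.append((user, "empty password field: login without a password"))
        elif pw not in SHADOWED:
            findings.append((user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 account other than root"))
    return findings


def check_mode(mode):
    """Findings for the permission bits of /etc/passwd (takes st_mode).
    The file must be readable by all but writable only by root."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Audit a real file: entries plus permission bits."""
    with open(path) as f:
        findings = audit_passwd_text(f.read())
    findings += [(path, "file is %s" % what) for what in check_mode(os.stat(path).st_mode)]
    return findings


if __name__ == "__main__":
    for who, what in audit_passwd_text(SAMPLE_PASSWD):
        print("%-8s %s" % (who, what))
    if os.path.exists("/etc/passwd"):
        print("local host:", audit_passwd_file() or "no findings")
```

On a host hardened against this technique the audit returns nothing: every password field is “x”, only root has UID 0, and the mode is 0644 owned by root.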

CONCLUSION

Penetration testing is a comprehensive method to identify the vulnerabilities in a system. It offers benefits such as prevention of financial loss; compliance with industry regulators, customers and shareholders; preserving corporate image; and proactive elimination of identified risks. The testers can choose from black box, white box, and gray box testing depending on the amount of information available to the tester. The testers can also choose between internal and external testing, depending on the specific objectives to be achieved. There are three types of penetration testing: network, application and social engineering.

This penetration testing process was illustrated on a web application. The testers should follow a comprehensive format to present the test results. One of the most important parts of the test analysis phase is the preparation of remediation, which includes all necessary corrective measures for the identified vulnerabilities. The final report needs to have enough detail and substance to allow those doing remediation to simulate and follow the attack pattern and the respective findings.
