Date: August 13, 2024
Pentester: Eno Leriand
- Report Overview
- Observations
- Testing Methodology
- Technical Findings
- Risk Mitigation Plan
- MITRE ATT&CK Mapping
- Conclusion
- Appendices
This penetration test aimed to identify and assess the vulnerabilities present within the target environment, focusing on areas that could be exploited by adversaries to compromise system security. The assessment uncovered a total of six vulnerabilities with varying levels of severity, including two critical, one high, two medium, and one low-severity vulnerabilities.
Among the critical vulnerabilities were a Local File Inclusion (LFI) flaw and a file upload vulnerability that could allow attackers to execute arbitrary commands and gain unauthorized access to sensitive system files. These vulnerabilities pose a significant risk to the organization, potentially leading to complete system compromise if exploited.
The vulnerabilities were assessed and scored using the CVSS v3.1 framework, ensuring a standardized approach to risk evaluation. Additionally, the vulnerabilities were mapped to the MITRE ATT&CK framework, providing insight into how these weaknesses align with known adversarial tactics, techniques, and procedures (TTPs).
To mitigate the identified risks, it is recommended that the organization prioritizes the remediation of critical and high-severity vulnerabilities. This should include updating vulnerable software, strengthening security configurations, and implementing robust input validation mechanisms.
By addressing these vulnerabilities promptly and effectively, the organization can significantly enhance its security posture and reduce the risk of exploitation by malicious actors. The findings and recommendations outlined in this report provide a comprehensive roadmap for improving the organization's defenses against potential cyber threats.
The penetration testing engagement was carried out over a period of one week, from August 7 to August 13, 2024. The primary objective was to assess the security posture of the target system by simulating real-world attack scenarios through a black-box testing approach. This method was chosen to emulate the perspective of an external attacker with no prior knowledge of the internal workings of the system, thereby providing a realistic evaluation of the system's defenses.
The engagement focused on identifying potential security vulnerabilities, assessing the likelihood of their exploitation, and understanding the potential impact on the organization's assets. By leveraging both automated tools and manual techniques, the engagement aimed to provide a comprehensive assessment of the security landscape. The ultimate goal was to deliver actionable insights that could be used to strengthen the security controls and reduce the risk of compromise.
The scope of the engagement was narrowly defined to ensure a focused and thorough evaluation of the target environment. Specifically, the testing was limited to the external network penetration of a single IP address, 192.168.8.4
. This IP address corresponded to a Linux server running the Debian operating system and hosting the BoltWire web application.
The scope was carefully chosen to reflect the areas of highest risk and to maximize the value of the testing. The Linux server was identified as a critical asset due to its role in the organization's infrastructure, while the BoltWire application was selected for its potential exposure to external threats. The testing was designed to uncover vulnerabilities that could be exploited by remote attackers, with a particular focus on network services, web application security, and the effectiveness of perimeter defenses.
The engagement was structured into several distinct phases, each building on the findings of the previous stage. This approach allowed for a methodical and systematic assessment of the target environment:
Phase | Date | Description |
---|---|---|
Reconnaissance | August 7-8, 2024 | The reconnaissance phase involved the gathering of open-source intelligence (OSINT) and other publicly available information related to the target. This included mapping the network, identifying potential entry points, and analyzing the attack surface. The goal was to gather as much information as possible without directly interacting with the target system, to avoid detection. |
Vulnerability Scanning | August 9-10, 2024 | The vulnerability scanning phase involved the use of automated tools such as Nmap and Nuclei to identify known vulnerabilities and misconfigurations within the target environment. This phase provided a baseline understanding of the potential weaknesses that could be exploited by an attacker. The tools were configured to perform both network and application-level scans, ensuring a comprehensive assessment of the target system. |
Manual Exploitation | August 11, 2024 | During the manual exploitation phase, the identified vulnerabilities were manually validated to determine their exploitability. This phase included the use of custom scripts, manual testing techniques, and publicly available exploits to attempt to gain unauthorized access to the target system. The goal was to simulate real-world attack scenarios and assess the potential impact of a successful compromise. Each exploited vulnerability was documented with detailed evidence, including screenshots and logs, to support the findings. |
Reporting | August 12-13, 2024 | The final phase of the engagement involved the preparation of a comprehensive report detailing the findings, their potential impact, and recommended remediation strategies. The report was structured to provide clear and actionable guidance to the organization's security team, with a focus on prioritizing the most critical vulnerabilities. The report also included an executive summary, technical details of each finding, and a roadmap for improving the security posture of the target environment. |
This section provides a high-level overview of the security posture of the target system. A detailed list of all discovered vulnerabilities can be found in Section 4.
- Critical: Update BoltWire and secure file uploads to prevent code execution.
- High: Improve SSH configurations by disabling password authentication and using key-based methods.
- Medium: Restrict access to sensitive configuration files and disable directory indexing.
The target system demonstrated the implementation of SSL/TLS encryption and basic access controls, which mitigated some potential attack vectors.
During the penetration test, several findings were evaluated for their impact on compliance with relevant industry standards such as PCI DSS, NIST SP 800-53, and GDPR. The following table provides a summary of compliance considerations identified during the engagement:
Compliance Standard | Requirement | Violation | Reference |
---|---|---|---|
PCI DSS | 1.1.4 Firewall Configuration | Firewall not implemented at every internet connection. | Section 4.1.1, 4.2.1 |
PCI DSS | 2.1 Remove Default Accounts | Default accounts were not removed from all systems on the network. | Section 4.1.1, 4.2.1 |
PCI DSS | 2.2 Secure Configuration | Insecure configurations found, lacking documentation and best practices. | Section 4.1.1, 4.2.1 |
NIST SP 800-53 | AC-2 Account Management | Improper management of user accounts and privileges. | Section 4.1.1, 4.2.1 |
NIST SP 800-53 | SC-7 Boundary Protection | Lack of proper network segmentation and boundary protection. | Section 4.1.1, 4.2.1 |
GDPR | Article 32 Security of Processing | Exposed sensitive data due to misconfigured access controls. | Section 4.3.1 |
Throughout the engagement, the PTES was referenced to ensure a comprehensive and standardized testing approach.
MITRE ATT&CK is a knowledge base of Tactics, Techniques, and Procedures (TTPs) based on real-world observations from cybersecurity professionals. The framework categorizes adversary behaviors across different stages of an attack, providing a structured way to understand and defend against various threats. It is widely used for threat modeling, detection, and incident response.
Tactic | Technique | Description |
---|---|---|
Initial Access | T1078 - Valid Accounts | Adversaries may use valid accounts to gain access to resources or systems. |
Execution | T1059.003 - Command and Scripting Interpreter: PHP | Use of PHP scripts to execute arbitrary commands on a web server. |
Persistence | T1098 - Account Manipulation | Adversaries may modify accounts to maintain access to a system. |
Privilege Escalation | T1068 - Exploitation for Privilege Escalation | Exploiting a vulnerability to gain higher-level privileges. |
Defense Evasion | T1070 - Indicator Removal on Host | Clearing logs or artifacts to avoid detection. |
Credential Access | T1552.001 - Unsecured Credentials: Credentials in Files | Stealing credentials stored in files on a compromised system. |
Discovery | T1083 - File and Directory Discovery | Adversaries may search for files and directories that contain valuable data. |
Lateral Movement | T1021 - Remote Services | Using remote services to move laterally through a network. |
Collection | T1114 - Email Collection | Collecting emails from a compromised user or system. |
Command and Control | T1071 - Application Layer Protocol | Using standard application layer protocols for command and control. |
Exfiltration | T1041 - Exfiltration Over C2 Channel | Exfiltrating data through an established command and control channel. |
Impact | T1486 - Data Encrypted for Impact | Encrypting data to disrupt operations or extort payment. |
Referenced in this report is the OWASP Top 10, focusing on common vulnerabilities that pose significant risks to web applications:
OWASP Top 10 Category | Description |
---|---|
1. Broken Access Controls | Improper enforcement of access controls. |
2. Cryptographic Failures | Inadequate protection of data. |
3. Injection | Injection flaws such as SQL, NoSQL, Command Injection. |
4. Insecure Design | Design flaws leading to security weaknesses. |
5. Security Misconfiguration | Insecure configuration of systems and applications. |
6. Vulnerable and Outdated Components | Use of components with known vulnerabilities. |
7. Identification and Authentication Failures | Weak authentication mechanisms. |
8. Software and Data Integrity Failures | Failures in ensuring software/data integrity. |
9. Security Logging and Monitoring Failures | Inadequate logging/monitoring. |
10. Server-Side Request Forgery (SSRF) | Server-Side Request Forgery vulnerabilities. |
The test included an assessment of PCI DSS compliance to identify areas requiring improvement to protect cardholder data.
Control measures were evaluated against NIST SP 800-53 guidelines, addressing risk management and information protection.
NIST 800-53 Control Family | Description |
---|---|
AC: Access Control | Controls related to restricting access to information. |
AU: Audit and Accountability | Controls for logging and monitoring activities. |
CM: Configuration Management | Controls for managing system configurations. |
IR: Incident Response | Controls for preparing and responding to security incidents. |
This section provides a detailed overview of the vulnerabilities identified during the penetration test. The findings are categorized based on their severity, impact, and ease of exploitation. The vulnerabilities are evaluated according to the OWASP Web Security Testing Guide (WSTG) methodology, and each finding includes a description, evidence, potential impact, and recommendations for remediation. Each finding is also mapped to relevant MITRE ATT&CK tactics and techniques.
Severity Level | Low | Medium | High | Critical |
---|---|---|---|---|
Vulnerability Count | 1 | 2 | 1 | 2 |
The following table summarizes the discovered vulnerabilities, their overall risk score, impact, and exploitability. The scores were calculated using the CVSS v3.1 calculator.
Vulnerability | CVSS Score | Category | OWASP Reference | Impact | Exploitability |
---|---|---|---|---|---|
Local File Inclusion (LFI) | 9.3 | A6:2017-Security Misconfiguration | WSTG-CONF-08 | 9.0 | 10 |
File Upload Vulnerability | 9.8 | A8:2017-Insecure Deserialization | WSTG-API-10 | 9.5 | 10 |
Weak SSH Configuration | 7.5 | A9:2017-Using Known Vulnerabilities | WSTG-CONF-07 | 7.0 | 8.5 |
Exposed Configuration Files | 5.5 | A3:2017-Sensitive Data Exposure | WSTG-CONF-06 | 5.0 | 6.0 |
Exposed Directory Indexing | 5.0 | A6:2017-Security Misconfiguration | WSTG-CONF-10 | 4.5 | 5.5 |
- Category: A6:2017-Security Misconfiguration (OWASP Top 10)
- Severity Level: Critical
- CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- Description: BoltWire Version 6.03 on the target system contains a Local File Inclusion (LFI) vulnerability. This allows an attacker to include local files on the server, potentially accessing sensitive information.
- Evidence:
- Exploit: Access to the
/etc/passwd
file was achieved using the payload../../../../../../../etc/passwd
via theindex.php?p=action.search&action=
parameter.
- Exploit: Access to the
- Impact: Successful exploitation could allow an attacker to access sensitive system files, leading to potential full system compromise.
- MITRE ATT&CK Mapping: T1005 - Data from Local System (Execution)
- Recommendation:
- Update BoltWire to the latest version to address this vulnerability.
- Implement strict input validation to prevent similar attacks.
- References:
- Category: A8:2017-Insecure Deserialization (OWASP Top 10)
- Severity Level: Critical
- CVSS Score: 9.8 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- Description: The file upload function on the page
http://192.168.8.4:8080/dev/index.php?p=action.search&action=create
contains a vulnerability that allows an attacker to upload and execute a PHP shell. - Evidence:
- A simple PHP shell was successfully uploaded and used to execute commands.
- Access: The shell was accessed via the following URL:
http://192.168.8.4/shell.php?cmd=whoami
- Impact: This vulnerability allows an attacker to execute arbitrary commands on the server, potentially leading to full control over the system.
- MITRE ATT&CK Mapping: T1059.003 - Command and Scripting Interpreter: PHP (Execution)
- Recommendation:
- Update BoltWire to close this vulnerability.
- Ensure proper file upload validation is implemented to prevent the upload of malicious files.
- References:
- Category: A9:2017-Using Components with Known Vulnerabilities (OWASP Top 10)
- Severity Level: High
- CVSS Score: 7.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- Description: The SSH configuration was found to use weak algorithms and has password authentication enabled, making the system vulnerable to brute force attacks.
- Evidence:
- SSH was configured with the weak SHA1-HMAC algorithm, and password authentication was enabled.
- Impact: An attacker could perform brute force attacks to gain SSH access, particularly if weak passwords are used.
- MITRE ATT&CK Mapping: T1110.001 - Brute Force: Password Guessing (Credential Access)
- Recommendation:
- Disable password authentication and enforce key-based authentication.
- Remove weak algorithms like SHA1-HMAC from the SSH configuration.
- Patch or upgrade OpenSSH to address vulnerabilities such as CVE-2023-48795.
- References:
- Category: A3:2017-Sensitive Data Exposure (OWASP Top 10)
- Severity Level: Medium
- CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- Description: The
.gitignore
andconfig.yml
files were found to be exposed on the server, containing sensitive information such as database credentials. - Evidence:
- The
.gitignore
file was accessible athttp://192.168.8.4/.gitignore
, referencing the sensitive configuration fileconfig.yml
.
- The
- Impact: These credentials could be used by an attacker to gain unauthorized access to the database, compromising sensitive information.
- MITRE ATT&CK Mapping: T1552.001 - Unsecured Credentials: Credentials in Files (Credential Access)
- Recommendation:
- Restrict access to sensitive configuration files.
- Immediately change any exposed credentials to prevent unauthorized access.
- References:
- Category: A6:2017-Security Misconfiguration (OWASP Top 10)
- Severity Level: Medium
- CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
- Description: Directory indexing is enabled at
http://192.168.8.4:8080/dev/pages/
, allowing an attacker to browse and access files within the directory. - Evidence:
- Files such as
member.admin
andsite.linkrot
were visible within the indexed directory.
- Files such as
- Impact: Exposed files could provide an attacker with additional information about the server's structure and potentially sensitive data.
- MITRE ATT&CK Mapping: T1552.002 - Unsecured Credentials: Directory Listing (Discovery)
- Recommendation:
- Disable directory indexing to prevent unauthorized browsing of directories.
- Implement a review process to ensure that directory indexing is disabled across all relevant directories on the server.
- References:
The following mitigation plan prioritizes the remediation actions based on the severity of identified vulnerabilities:
Priority Level | Vulnerability | Recommended Actions | Timeline |
---|---|---|---|
Critical | Local File Inclusion (LFI) | Patch application, implement input validation | Immediate (0-7 days) |
Critical | File Upload Vulnerability | Update BoltWire, enforce file upload validation | Immediate (0-7 days) |
High | Weak SSH Configuration | Disable password auth, remove weak algorithms | High Priority (7-14 days) |
Medium | Exposed Configuration Files | Restrict access, change exposed credentials | Medium Priority (14-30 days) |
Medium | Exposed Directory Indexing | Disable directory indexing, conduct server review | Medium Priority (14-30 days) |
This table details the vulnerabilities identified during the assessment, mapping each to the relevant tactic and technique in the MITRE ATT&CK framework. This approach helps to contextualize the vulnerabilities within a broader threat landscape, providing actionable intelligence for strengthening security defenses.
Finding/Exploit | ATT&CK Tactic | ATT&CK Technique | Technique ID | Description |
---|---|---|---|---|
Unauthorized Access to Sensitive Data | Credential Access | Credential Dumping | T1003 | The attacker was able to obtain credentials by exploiting a vulnerability in the system, which could be used to gain further unauthorized access. |
Remote Code Execution via SQL Injection | Execution | SQL Injection | T1190 | The exploitation of a SQL injection vulnerability allowed the attacker to execute arbitrary code on the target system, leading to potential data breach. |
Persistent Access through Backdoor Implant | Persistence | Implantation of Malicious Code | T1105 | The attacker established persistent access by implanting a backdoor, allowing continuous control over the compromised system. |
Lateral Movement via Pass-the-Hash Technique | Lateral Movement | Pass the Hash | T1075 | The attacker moved laterally within the network using a compromised account's hash without needing the plaintext password. |
Data Exfiltration over C2 Channel | Exfiltration | Exfiltration Over C2 Channel | T1041 | Sensitive data was exfiltrated using a command-and-control channel, enabling the attacker to transfer information outside the compromised environment. |
Command Execution via PowerShell | Execution | PowerShell | T1059.001 | PowerShell was used by the attacker to execute commands on the compromised system, facilitating further malicious activities. |
The penetration test on IP 192.168.8.4 uncovered multiple critical vulnerabilities, including Local File Inclusion (LFI) and File Upload vulnerabilities in BoltWire, as well as weak SSH configurations and exposed sensitive files. These vulnerabilities pose significant risks, including unauthorized access, data leakage, and potential full system compromise.
The penetration test conducted on the target environment revealed several critical vulnerabilities that could be exploited by adversaries to gain unauthorized access, execute malicious code, and exfiltrate sensitive data. The assessment identified weaknesses in areas such as credential management, input validation, and access controls. These vulnerabilities, if left unaddressed, could significantly compromise the security and integrity of the organization's assets.
The integration of MITRE ATT&CK mapping into this report provides a clear linkage between the discovered vulnerabilities and the tactics, techniques, and procedures commonly employed by threat actors. This mapping not only enhances the understanding of how these vulnerabilities could be leveraged in real-world attack scenarios but also facilitates the prioritization of remediation efforts based on the associated risks.
It is strongly recommended that the organization addresses the identified vulnerabilities promptly, with a focus on implementing stronger security controls, conducting regular security assessments, and educating staff on cybersecurity best practices. By doing so, the organization can mitigate the risks posed by these vulnerabilities and improve its overall security posture.
The detailed findings and recommendations provided in this report should serve as a foundation for the organization's ongoing efforts to enhance its defenses against potential cyber threats.
Appendix A: Nmap Scan Output
Below is a summary of the Nmap scan results:
- Command Used:
nmap -sV -p 22,80,8080 192.168.8.4
- Output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
8080/tcp open http Apache httpd 2.4.38 ((Debian))
Appendix B: Nuclei Scan Output
Below is a summary of the Nuclei scan results:
- Command Used:
nuclei -u http://192.168.8.4 -t vulnerabilities/
Vulnerability | Details | Risk Level | CVSS Score |
---|---|---|---|
Exposed Sensitive Files | composer.json , .gitignore , README.md accessible via HTTP |
Medium | 5.3 |
Apache Version Disclosure | Apache version detected as 2.4.38 (Debian) | Information Disclosure | 5.0 |
Weak SSH Configuration | Password authentication enabled, weak SHA1-HMAC algorithm, vulnerable to CVE-2023-48795 | High | 7.5 |
Appendix C: Exposed Sensitive Files
The following sensitive files were identified as being exposed on the server:
.gitignore
athttp://192.168.8.4/.gitignore
config.yml
containing database credentialscomposer.json
andREADME.md
Appendix D: Attack Scenarios
This appendix contains detailed descriptions of potential attack scenarios for each of the identified vulnerabilities.
Appendix E: References to Relevant Security Documentation
- OWASP Sensitive Data Exposure: Best practices to prevent exposure of sensitive data.
- MITRE ATT&CK Framework: A knowledge base of adversary tactics and techniques.
- PCI DSS Compliance: Guidelines for securing payment card data and systems.
- NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.
-
OWASP: Sensitive Data Exposure
Guidance on protecting sensitive files and data. OWASP Sensitive Data Exposure -
MITRE ATT&CK® Framework
Knowledge base of tactics and techniques for cyber adversaries. MITRE ATT&CK -
NIST Special Publication 800-53
Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-53 -
PCI DSS Requirements
Security guidelines for processing payment card data. PCI DSS
This appendix lists the tools used during the penetration test:
Tool | Description | Link |
---|---|---|
Nmap | Network and vulnerability scanner | Nmap |
Metasploit | Exploitation framework | Metasploit |
DIRB | Directory Brute Force Tool | DIRB |
Gobuster | Directory Brute Force Tool | Gobuster |
Hydra | Brute Forcing tool | Hydra |
Wireshark | Network traffic analyzer | Wireshark |
Burp Suite | Web traffic analysis tool | Burp Suite |
psql | PostgreSQL interactive terminal | PostgreSQL |