Penetration Testing Report for Target System 192.168.8.4 - August 2024

Date: August 13, 2024
Pentester: Eno Leriand

---

Table of Contents

1. Report Overview
   • 1.1 Executive Summary
   • 1.2 Engagement Overview
   • 1.3 Scope of Engagement
   • 1.4 Timeline of Engagement
2. Observations
   • 2.1 Summary of Recommendations
   • 2.2 Positive Security Measures
   • 2.3 Compliance Considerations
3. Testing Methodology
   • 3.1 Penetration Testing Execution Standard (PTES)
   • 3.2 MITRE ATT&CK Framework
   • 3.3 OWASP Top 10
   • 3.4 PCI DSS Auditing
   • 3.5 NIST SP 800-53
4. Technical Findings
   • 4.1 Vulnerability Summary and Risk Analysis
   • 4.2 Vulnerability Breakdown by CVSS Score
   • 4.3 Local File Inclusion (LFI)
   • 4.4 File Upload Vulnerability
   • 4.5 Weak SSH Configuration
   • 4.6 Exposed Configuration Files
   • 4.7 Exposed Directory Indexing
5. Risk Mitigation Plan
6. MITRE ATT&CK Mapping
7. Conclusion
8. Appendices
   • Appendix A: Nmap Scan Output
   • Appendix B: Nuclei Scan Output
   • Appendix C: Exposed Sensitive Files
   • Appendix D: Attack Scenarios
   • Appendix E: References to Relevant Security Documentation
   • Appendix F: Tools Used

---

1. Report Overview

1.1 Executive Summary

This penetration test aimed to identify and assess the vulnerabilities present within the target environment, focusing on areas that could be exploited by adversaries to compromise system security. The assessment uncovered a total of six vulnerabilities with varying levels of severity, including two critical, one high, two medium, and one low-severity vulnerabilities.

Among the critical vulnerabilities were a Local File Inclusion (LFI) flaw and a file upload vulnerability that could allow attackers to execute arbitrary commands and gain unauthorized access to sensitive system files. These vulnerabilities pose a significant risk to the organization, potentially leading to complete system compromise if exploited.

The vulnerabilities were assessed and scored using the CVSS v3.1 framework, ensuring a standardized approach to risk evaluation. Additionally, the vulnerabilities were mapped to the MITRE ATT&CK framework, providing insight into how these weaknesses align with known adversarial tactics, techniques, and procedures (TTPs).

To mitigate the identified risks, it is recommended that the organization prioritizes the remediation of critical and high-severity vulnerabilities. This should include updating vulnerable software, strengthening security configurations, and implementing robust input validation mechanisms.

By addressing these vulnerabilities promptly and effectively, the organization can significantly enhance its security posture and reduce the risk of exploitation by malicious actors. The findings and recommendations outlined in this report provide a comprehensive roadmap for improving the organization's defenses against potential cyber threats.

1.2 Engagement Overview

The penetration testing engagement was carried out over a period of one week, from August 7 to August 13, 2024. The primary objective was to assess the security posture of the target system by simulating real-world attack scenarios through a black-box testing approach. This method was chosen to emulate the perspective of an external attacker with no prior knowledge of the internal workings of the system, thereby providing a realistic evaluation of the system's defenses.

The engagement focused on identifying potential security vulnerabilities, assessing the likelihood of their exploitation, and understanding the potential impact on the organization's assets. By leveraging both automated tools and manual techniques, the engagement aimed to provide a comprehensive assessment of the security landscape. The ultimate goal was to deliver actionable insights that could be used to strengthen the security controls and reduce the risk of compromise.

1.3 Scope of Engagement

The scope of the engagement was narrowly defined to ensure a focused and thorough evaluation of the target environment. Specifically, the testing was limited to the external network penetration of a single IP address, 192.168.8.4. This IP address corresponded to a Linux server running the Debian operating system and hosting the BoltWire web application.

The scope was carefully chosen to reflect the areas of highest risk and to maximize the value of the testing. The Linux server was identified as a critical asset due to its role in the organization's infrastructure, while the BoltWire application was selected for its potential exposure to external threats. The testing was designed to uncover vulnerabilities that could be exploited by remote attackers, with a particular focus on network services, web application security, and the effectiveness of perimeter defenses.

1.4 Timeline of Engagement

The engagement was structured into several distinct phases, each building on the findings of the previous stage. This approach allowed for a methodical and systematic assessment of the target environment:

Phase	Date	Description
Reconnaissance	August 7-8, 2024	The reconnaissance phase involved the gathering of open-source intelligence (OSINT) and other publicly available information related to the target. This included mapping the network, identifying potential entry points, and analyzing the attack surface. The goal was to gather as much information as possible without directly interacting with the target system, to avoid detection.
Vulnerability Scanning	August 9-10, 2024	The vulnerability scanning phase involved the use of automated tools such as Nmap and Nuclei to identify known vulnerabilities and misconfigurations within the target environment. This phase provided a baseline understanding of the potential weaknesses that could be exploited by an attacker. The tools were configured to perform both network and application-level scans, ensuring a comprehensive assessment of the target system.
Manual Exploitation	August 11, 2024	During the manual exploitation phase, the identified vulnerabilities were manually validated to determine their exploitability. This phase included the use of custom scripts, manual testing techniques, and publicly available exploits to attempt to gain unauthorized access to the target system. The goal was to simulate real-world attack scenarios and assess the potential impact of a successful compromise. Each exploited vulnerability was documented with detailed evidence, including screenshots and logs, to support the findings.
Reporting	August 12-13, 2024	The final phase of the engagement involved the preparation of a comprehensive report detailing the findings, their potential impact, and recommended remediation strategies. The report was structured to provide clear and actionable guidance to the organization's security team, with a focus on prioritizing the most critical vulnerabilities. The report also included an executive summary, technical details of each finding, and a roadmap for improving the security posture of the target environment.

---

2. Observations

This section provides a high-level overview of the security posture of the target system. A detailed list of all discovered vulnerabilities can be found in Section 4.

2.1 Summary of Recommendations

• Critical: Update BoltWire and secure file uploads to prevent code execution.
• High: Improve SSH configurations by disabling password authentication and using key-based methods.
• Medium: Restrict access to sensitive configuration files and disable directory indexing.

2.2 Positive Security Measures

The target system demonstrated the implementation of SSL/TLS encryption and basic access controls, which mitigated some potential attack vectors.

2.3 Compliance Considerations

During the penetration test, several findings were evaluated for their impact on compliance with relevant industry standards such as PCI DSS, NIST SP 800-53, and GDPR. The following table provides a summary of compliance considerations identified during the engagement:

Compliance Standard	Requirement	Violation	Reference
PCI DSS	1.1.4 Firewall Configuration	Firewall not implemented at every internet connection.	Section 4.1.1, 4.2.1
PCI DSS	2.1 Remove Default Accounts	Default accounts were not removed from all systems on the network.	Section 4.1.1, 4.2.1
PCI DSS	2.2 Secure Configuration	Insecure configurations found, lacking documentation and best practices.	Section 4.1.1, 4.2.1
NIST SP 800-53	AC-2 Account Management	Improper management of user accounts and privileges.	Section 4.1.1, 4.2.1
NIST SP 800-53	SC-7 Boundary Protection	Lack of proper network segmentation and boundary protection.	Section 4.1.1, 4.2.1
GDPR	Article 32 Security of Processing	Exposed sensitive data due to misconfigured access controls.	Section 4.3.1

---

3. Testing Methodology

3.1 Penetration Testing Execution Standard (PTES)

Throughout the engagement, the PTES was referenced to ensure a comprehensive and standardized testing approach.

3.2 MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base of Tactics, Techniques, and Procedures (TTPs) based on real-world observations from cybersecurity professionals. The framework categorizes adversary behaviors across different stages of an attack, providing a structured way to understand and defend against various threats. It is widely used for threat modeling, detection, and incident response.

Tactic	Technique	Description
Initial Access	T1078 - Valid Accounts	Adversaries may use valid accounts to gain access to resources or systems.
Execution	T1059.003 - Command and Scripting Interpreter: PHP	Use of PHP scripts to execute arbitrary commands on a web server.
Persistence	T1098 - Account Manipulation	Adversaries may modify accounts to maintain access to a system.
Privilege Escalation	T1068 - Exploitation for Privilege Escalation	Exploiting a vulnerability to gain higher-level privileges.
Defense Evasion	T1070 - Indicator Removal on Host	Clearing logs or artifacts to avoid detection.
Credential Access	T1552.001 - Unsecured Credentials: Credentials in Files	Stealing credentials stored in files on a compromised system.
Discovery	T1083 - File and Directory Discovery	Adversaries may search for files and directories that contain valuable data.
Lateral Movement	T1021 - Remote Services	Using remote services to move laterally through a network.
Collection	T1114 - Email Collection	Collecting emails from a compromised user or system.
Command and Control	T1071 - Application Layer Protocol	Using standard application layer protocols for command and control.
Exfiltration	T1041 - Exfiltration Over C2 Channel	Exfiltrating data through an established command and control channel.
Impact	T1486 - Data Encrypted for Impact	Encrypting data to disrupt operations or extort payment.

3.3 OWASP Top 10

Referenced in this report is the OWASP Top 10, focusing on common vulnerabilities that pose significant risks to web applications:

OWASP Top 10 Category	Description
1. Broken Access Controls	Improper enforcement of access controls.
2. Cryptographic Failures	Inadequate protection of data.
3. Injection	Injection flaws such as SQL, NoSQL, Command Injection.
4. Insecure Design	Design flaws leading to security weaknesses.
5. Security Misconfiguration	Insecure configuration of systems and applications.
6. Vulnerable and Outdated Components	Use of components with known vulnerabilities.
7. Identification and Authentication Failures	Weak authentication mechanisms.
8. Software and Data Integrity Failures	Failures in ensuring software/data integrity.
9. Security Logging and Monitoring Failures	Inadequate logging/monitoring.
10. Server-Side Request Forgery (SSRF)	Server-Side Request Forgery vulnerabilities.

3.4 PCI DSS Auditing

The test included an assessment of PCI DSS compliance to identify areas requiring improvement to protect cardholder data.

3.5 NIST SP 800-53

Control measures were evaluated against NIST SP 800-53 guidelines, addressing risk management and information protection.

NIST 800-53 Control Family	Description
AC: Access Control	Controls related to restricting access to information.
AU: Audit and Accountability	Controls for logging and monitoring activities.
CM: Configuration Management	Controls for managing system configurations.
IR: Incident Response	Controls for preparing and responding to security incidents.

---

4. Technical Findings

This section provides a detailed overview of the vulnerabilities identified during the penetration test. The findings are categorized based on their severity, impact, and ease of exploitation. The vulnerabilities are evaluated according to the OWASP Web Security Testing Guide (WSTG) methodology, and each finding includes a description, evidence, potential impact, and recommendations for remediation. Each finding is also mapped to relevant MITRE ATT&CK tactics and techniques.

4.1 Vulnerability Summary and Risk Analysis

Severity Level	Low	Medium	High	Critical
Vulnerability Count	1	2	1	2

4.2 Vulnerability Breakdown by CVSS Score

The following table summarizes the discovered vulnerabilities, their overall risk score, impact, and exploitability. The scores were calculated using the CVSS v3.1 calculator.

Vulnerability	CVSS Score	Category	OWASP Reference	Impact	Exploitability
Local File Inclusion (LFI)	9.3	A6:2017-Security Misconfiguration	WSTG-CONF-08	9.0	10
File Upload Vulnerability	9.8	A8:2017-Insecure Deserialization	WSTG-API-10	9.5	10
Weak SSH Configuration	7.5	A9:2017-Using Known Vulnerabilities	WSTG-CONF-07	7.0	8.5
Exposed Configuration Files	5.5	A3:2017-Sensitive Data Exposure	WSTG-CONF-06	5.0	6.0
Exposed Directory Indexing	5.0	A6:2017-Security Misconfiguration	WSTG-CONF-10	4.5	5.5

4.3 Local File Inclusion (LFI)

• Category: A6:2017-Security Misconfiguration (OWASP Top 10)
• Severity Level: Critical
• CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
• Description: BoltWire Version 6.03 on the target system contains a Local File Inclusion (LFI) vulnerability. This allows an attacker to include local files on the server, potentially accessing sensitive information.
• Evidence:
  • Exploit: Access to the /etc/passwd file was achieved using the payload ../../../../../../../etc/passwd via the index.php?p=action.search&action= parameter.

• Impact: Successful exploitation could allow an attacker to access sensitive system files, leading to potential full system compromise.
• MITRE ATT&CK Mapping: T1005 - Data from Local System (Execution)
• Recommendation:
  • Update BoltWire to the latest version to address this vulnerability.
  • Implement strict input validation to prevent similar attacks.
• References:
  • OWASP: Local File Inclusion
  • MITRE ATT&CK: Data from Local System (T1005)

4.4 File Upload Vulnerability

• Category: A8:2017-Insecure Deserialization (OWASP Top 10)
• Severity Level: Critical
• CVSS Score: 9.8 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
• Description: The file upload function on the page http://192.168.8.4:8080/dev/index.php?p=action.search&action=create contains a vulnerability that allows an attacker to upload and execute a PHP shell.
• Evidence:
  • A simple PHP shell was successfully uploaded and used to execute commands.
  • Access: The shell was accessed via the following URL: http://192.168.8.4/shell.php?cmd=whoami

• Impact: This vulnerability allows an attacker to execute arbitrary commands on the server, potentially leading to full control over the system.
• MITRE ATT&CK Mapping: T1059.003 - Command and Scripting Interpreter: PHP (Execution)
• Recommendation:
  • Update BoltWire to close this vulnerability.
  • Ensure proper file upload validation is implemented to prevent the upload of malicious files.
• References:
  • OWASP: Unrestricted File Upload
  • MITRE ATT&CK: Command and Scripting Interpreter: PHP (T1059.003)

4.5 Weak SSH Configuration

• Category: A9:2017-Using Components with Known Vulnerabilities (OWASP Top 10)
• Severity Level: High
• CVSS Score: 7.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
• Description: The SSH configuration was found to use weak algorithms and has password authentication enabled, making the system vulnerable to brute force attacks.
• Evidence:
  • SSH was configured with the weak SHA1-HMAC algorithm, and password authentication was enabled.
• Impact: An attacker could perform brute force attacks to gain SSH access, particularly if weak passwords are used.
• MITRE ATT&CK Mapping: T1110.001 - Brute Force: Password Guessing (Credential Access)
• Recommendation:
  • Disable password authentication and enforce key-based authentication.
  • Remove weak algorithms like SHA1-HMAC from the SSH configuration.
  • Patch or upgrade OpenSSH to address vulnerabilities such as CVE-2023-48795.
• References:
  • NIST SP 800-123: Guide to General Server Security
  • MITRE ATT&CK: Brute Force: Password Guessing (T1110.001)

4.6 Exposed Configuration Files

• Category: A3:2017-Sensitive Data Exposure (OWASP Top 10)
• Severity Level: Medium
• CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
• Description: The .gitignore and config.yml files were found to be exposed on the server, containing sensitive information such as database credentials.
• Evidence:
  • The .gitignore file was accessible at http://192.168.8.4/.gitignore, referencing the sensitive configuration file config.yml.

• Impact: These credentials could be used by an attacker to gain unauthorized access to the database, compromising sensitive information.
• MITRE ATT&CK Mapping: T1552.001 - Unsecured Credentials: Credentials in Files (Credential Access)
• Recommendation:
  • Restrict access to sensitive configuration files.
  • Immediately change any exposed credentials to prevent unauthorized access.
• References:
  • OWASP: Sensitive Data Exposure
  • MITRE ATT&CK: Unsecured Credentials: Credentials in Files (T1552.001)

4.7 Exposed Directory Indexing

• Category: A6:2017-Security Misconfiguration (OWASP Top 10)
• Severity Level: Medium
• CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
• Description: Directory indexing is enabled at http://192.168.8.4:8080/dev/pages/, allowing an attacker to browse and access files within the directory.
• Evidence:
  • Files such as member.admin and site.linkrot were visible within the indexed directory.

• Impact: Exposed files could provide an attacker with additional information about the server's structure and potentially sensitive data.
• MITRE ATT&CK Mapping: T1552.002 - Unsecured Credentials: Directory Listing (Discovery)
• Recommendation:
  • Disable directory indexing to prevent unauthorized browsing of directories.
  • Implement a review process to ensure that directory indexing is disabled across all relevant directories on the server.
• References:
  • OWASP: Directory Listing
  • MITRE ATT&CK: Unsecured Credentials: Directory Listing (T1552.002)

---

5. Risk Mitigation Plan

The following mitigation plan prioritizes the remediation actions based on the severity of identified vulnerabilities:

Priority Level	Vulnerability	Recommended Actions	Timeline
Critical	Local File Inclusion (LFI)	Patch application, implement input validation	Immediate (0-7 days)
Critical	File Upload Vulnerability	Update BoltWire, enforce file upload validation	Immediate (0-7 days)
High	Weak SSH Configuration	Disable password auth, remove weak algorithms	High Priority (7-14 days)
Medium	Exposed Configuration Files	Restrict access, change exposed credentials	Medium Priority (14-30 days)
Medium	Exposed Directory Indexing	Disable directory indexing, conduct server review	Medium Priority (14-30 days)

---

6. MITRE ATT&CK Mapping:

This table details the vulnerabilities identified during the assessment, mapping each to the relevant tactic and technique in the MITRE ATT&CK framework. This approach helps to contextualize the vulnerabilities within a broader threat landscape, providing actionable intelligence for strengthening security defenses.

Finding/Exploit	ATT&CK Tactic	ATT&CK Technique	Technique ID	Description
Unauthorized Access to Sensitive Data	Credential Access	Credential Dumping	T1003	The attacker was able to obtain credentials by exploiting a vulnerability in the system, which could be used to gain further unauthorized access.
Remote Code Execution via SQL Injection	Execution	SQL Injection	T1190	The exploitation of a SQL injection vulnerability allowed the attacker to execute arbitrary code on the target system, leading to potential data breach.
Persistent Access through Backdoor Implant	Persistence	Implantation of Malicious Code	T1105	The attacker established persistent access by implanting a backdoor, allowing continuous control over the compromised system.
Lateral Movement via Pass-the-Hash Technique	Lateral Movement	Pass the Hash	T1075	The attacker moved laterally within the network using a compromised account's hash without needing the plaintext password.
Data Exfiltration over C2 Channel	Exfiltration	Exfiltration Over C2 Channel	T1041	Sensitive data was exfiltrated using a command-and-control channel, enabling the attacker to transfer information outside the compromised environment.
Command Execution via PowerShell	Execution	PowerShell	T1059.001	PowerShell was used by the attacker to execute commands on the compromised system, facilitating further malicious activities.

---

6. Conclusion

The penetration test on IP 192.168.8.4 uncovered multiple critical vulnerabilities, including Local File Inclusion (LFI) and File Upload vulnerabilities in BoltWire, as well as weak SSH configurations and exposed sensitive files. These vulnerabilities pose significant risks, including unauthorized access, data leakage, and potential full system compromise.

The penetration test conducted on the target environment revealed several critical vulnerabilities that could be exploited by adversaries to gain unauthorized access, execute malicious code, and exfiltrate sensitive data. The assessment identified weaknesses in areas such as credential management, input validation, and access controls. These vulnerabilities, if left unaddressed, could significantly compromise the security and integrity of the organization's assets.

The integration of MITRE ATT&CK mapping into this report provides a clear linkage between the discovered vulnerabilities and the tactics, techniques, and procedures commonly employed by threat actors. This mapping not only enhances the understanding of how these vulnerabilities could be leveraged in real-world attack scenarios but also facilitates the prioritization of remediation efforts based on the associated risks.

It is strongly recommended that the organization addresses the identified vulnerabilities promptly, with a focus on implementing stronger security controls, conducting regular security assessments, and educating staff on cybersecurity best practices. By doing so, the organization can mitigate the risks posed by these vulnerabilities and improve its overall security posture.

The detailed findings and recommendations provided in this report should serve as a foundation for the organization's ongoing efforts to enhance its defenses against potential cyber threats.

---

7. Appendices

Appendix A: Nmap Scan Output
Below is a summary of the Nmap scan results:

• Command Used: nmap -sV -p 22,80,8080 192.168.8.4
• Output:

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
8080/tcp open  http     Apache httpd 2.4.38 ((Debian))

Appendix B: Nuclei Scan Output
Below is a summary of the Nuclei scan results:

• Command Used: nuclei -u http://192.168.8.4 -t vulnerabilities/

Vulnerability	Details	Risk Level	CVSS Score
Exposed Sensitive Files	composer.json, .gitignore, README.md accessible via HTTP	Medium	5.3
Apache Version Disclosure	Apache version detected as 2.4.38 (Debian)	Information Disclosure	5.0
Weak SSH Configuration	Password authentication enabled, weak SHA1-HMAC algorithm, vulnerable to CVE-2023-48795	High	7.5

Appendix C: Exposed Sensitive Files
The following sensitive files were identified as being exposed on the server:

• .gitignore at http://192.168.8.4/.gitignore
• config.yml containing database credentials
• composer.json and README.md

Appendix D: Attack Scenarios
This appendix contains detailed descriptions of potential attack scenarios for each of the identified vulnerabilities.

Appendix E: References to Relevant Security Documentation

• OWASP Sensitive Data Exposure: Best practices to prevent exposure of sensitive data.
• MITRE ATT&CK Framework: A knowledge base of adversary tactics and techniques.
• PCI DSS Compliance: Guidelines for securing payment card data and systems.
• NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.

---

10. References

1. OWASP: Sensitive Data Exposure
   Guidance on protecting sensitive files and data. OWASP Sensitive Data Exposure

2. MITRE ATT&CK® Framework
   Knowledge base of tactics and techniques for cyber adversaries. MITRE ATT&CK

3. NIST Special Publication 800-53
   Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-53

4. PCI DSS Requirements
   Security guidelines for processing payment card data. PCI DSS

---

Tools Used

This appendix lists the tools used during the penetration test:

Tool	Description	Link
Nmap	Network and vulnerability scanner	Nmap
Metasploit	Exploitation framework	Metasploit
DIRB	Directory Brute Force Tool	DIRB
Gobuster	Directory Brute Force Tool	Gobuster
Hydra	Brute Forcing tool	Hydra
Wireshark	Network traffic analyzer	Wireshark
Burp Suite	Web traffic analysis tool	Burp Suite
psql	PostgreSQL interactive terminal	PostgreSQL

---