This project focuses on conducting a Capture The Flag (CTF) penetration test for the fictional company Rekall, targeting their web application, Linux servers, and Windows servers. The objective is to exploit vulnerabilities across all three platforms to expose current security weaknesses and provide effective mitigations. This approach aims to enhance the overall security posture of Rekall while ensuring compliance with established security standards.
- Linux
- Windows
-
Web Application Penetration Testing
- Discovered and exploited vulnerabilities such as XSS (reflected and stored), SQL injection, command injection, and local file inclusion.
- Used tools like Burp Suite and cURL to analyze and manipulate web traffic.
- Gained access to sensitive information through improper input validation and weak session management.
-
Linux Server Exploitation
- Conducted network reconnaissance using Nmap and Nessus to identify open ports and vulnerabilities.
- Exploited vulnerabilities such as Shellshock, Apache Struts RCE, and privilege escalation flaws.
- Gained unauthorized access by leveraging weak credentials and SSH misconfigurations.
-
Windows Server Exploitation
- Identified open ports and running services through network scanning.
- Exploited SLMail, scheduled tasks, and cached credentials for privilege escalation.
- Used Metasploit modules to execute remote exploits and gain shell access.
- Extracted user credentials and cracked password hashes using John the Ripper and Mimikatz.
The penetration test aimed to evaluate the security posture of Rekall’s Linux and Windows environments by identifying vulnerabilities that could be exploited by an attacker. The assessment included external reconnaissance, network scanning, service enumeration, exploitation of known vulnerabilities, and privilege escalation techniques. Testing was conducted on identified hosts within the provided IP ranges, focusing on weaknesses such as exposed credentials, misconfigurations, and unpatched software. The engagement followed ethical hacking methodologies and was limited to non-destructive exploitation, ensuring system integrity remained intact. Findings from this assessment will be used to strengthen Rekall’s security defenses and mitigate potential threats.
This penetration test was conducted against Rekall’s Linux and Windows environments to evaluate their security posture and identify vulnerabilities that could be exploited by an attacker. The assessment revealed multiple critical security gaps that could lead to unauthorized access, data breaches, and system compromise. These vulnerabilities range from exposed credentials and misconfigurations to known software exploits and privilege escalation techniques.
- Network Segmentation: Some systems demonstrated effective segmentation, limiting lateral movement within the environment.
- Use of Encryption: Sensitive data transmission was encrypted in several key areas, reducing the risk of interception.
- Logging and Monitoring: Security event logging was in place on several hosts, allowing for potential threat detection and response.
- Exposed Credentials: Plaintext credentials were found in public repositories, increasing the risk of unauthorized access.
- Unpatched Vulnerabilities: Multiple critical vulnerabilities, such as Apache Struts (CVE-2017-5638) and Drupal (CVE-2019-6340), were exploitable due to outdated software.
- Weak Access Controls: Several systems allowed unauthenticated or weakly authenticated access, leading to privilege escalation.
- Lack of Network Hardening: Open ports and unnecessary services increased the attack surface, making exploitation easier.
- Exposed Credentials on GitHub: Sensitive credentials were found in public repositories, leading to unauthorized access.
- Weak Authentication & Anonymous Access: Unprotected HTTP and FTP services allowed unauthorized users to access sensitive data.
- Remote Code Execution (RCE) & Exploitable Services: Outdated and vulnerable software, such as SLMail and Apache Struts, enabled attackers to gain full control of compromised systems.
- Privilege Escalation & Credential Dumping: Attackers were able to escalate privileges through misconfigurations and extract cached credentials, increasing the attack surface.
- Inadequate Access Controls & File Protections: Critical system files were accessible without proper restrictions, leading to potential data exfiltration.
- Critical (5): Anonymous FTP access, SLMail RCE, password hash dumping, cached administrator credentials, and DCSync attack.
- High (4): Exposed credentials, weak HTTP authentication, scheduled task misconfigurations, and unprotected sensitive files.
- Medium (1): Unrestricted file access.
- Credential Security: Conduct regular audits of public repositories and implement strict secrets management to prevent credential exposure.
- Access Controls: Enforce strong authentication mechanisms, disable anonymous access, and implement role-based access control (RBAC).
- System & Software Hardening: Upgrade outdated and vulnerable software, enforce patch management policies, and remove unnecessary services.
- Privilege Management: Restrict credential caching, enable LSA protection, and monitor directory replication attempts to prevent unauthorized privilege escalation.
- Monitoring & Incident Response: Implement real-time logging and monitoring tools to detect unauthorized access and potential exploitation attempts.
The penetration test identified critical vulnerabilities that pose a significant risk to Rekall’s infrastructure. Immediate remediation efforts should focus on securing exposed credentials, patching vulnerable services, enforcing access controls, and implementing robust monitoring solutions. Addressing these issues will greatly improve Rekall’s overall security posture and reduce the risk of a successful cyber attack.
During the assessment of a Rekall's web application, multiple vulnerabilities were identified across different locations, revealing various security weaknesses. Below are the details of these findings:
- Welcome.php: Found an XSS vulnerability that can be triggered with the payload
<script>alert("test")</script>. - Memory-Planner.php (first field): Identified an advanced XSS reflection where input validation removes "script," requiring a modified payload such as
<SCRIPscriptT>alert("test")</SCRIPscripTt>.
- comments.php: Found a stored XSS vulnerability allowing persistent execution of JavaScript payloads.
-
About-Rekall.php: Exposed sensitive data within HTTP response headers, which can be accessed using Burp Suite or a cURL request:
(Use
curl -v [target URL]to inspect headers.) -
Login.php (second field): User credentials were embedded within the HTML source and could be revealed by inspecting the page.
-
robots.txt: Contained sensitive data exposure by listing directories accessible without authentication.
- Memory-Planner.php (second field): LFI vulnerability allows arbitrary file uploads.
- Memory-Planner.php (third field): An advanced LFI vulnerability was found where the input validation checks for
.jpg. Bypassing it requires naming a scriptscript.jpg.php.
-
Login.php (first field): SQL injection was exploitable using payloads like:
(Use
ok' or 1=1--to bypass authentication.)
-
networking.php (first field): The application was vulnerable to command injection using:
(Modify the URL or input field to append
&& cat vendors.txt.) -
networking.php (second field): A more advanced form of command injection required modifying the payload to:
(Use
| cat vendors.txtinstead of&∨.)
- Login.php (second field): Using command injection vulnerabilities, the
/etc/passwdfile revealed a valid username and password combination.
-
souvenirs.php: This hidden page was discovered through
robots.txt, and a PHP injection vulnerability was exploited using:(Modify the URL to
?message=""; system('cat /etc/passwd').)
- admin_legal_data.php: Session IDs were predictable, and testing different values with Burp Suite revealed a valid session at
?admin=87.
-
Disclaimer.php: The page hinted at older disclaimers, and directory traversal was used to access previous versions by modifying the URL:
(Modify
?page=old_disclaimers/disclaimer_1.txtto access previous versions.)
| Flag # | Vulnerability | Risk Rating | Remediation |
|---|---|---|---|
| 1 | XSS Reflected | Medium | Implement input validation and output encoding. Use Content Security Policy (CSP). |
| 2 | XSS Reflected (Advanced) | Medium | Strengthen input sanitization and enforce strict CSP rules. |
| 3 | XSS Stored | High | Sanitize and validate inputs before storage. Use HTTP-only and secure cookies. |
| 4 | Sensitive Data Exposure | High | Remove sensitive data from HTTP headers. Encrypt data in transit. |
| 5 | Local File Inclusion | High | Restrict file uploads to necessary types. Validate and store files securely. |
| 6 | Local File Inclusion (Advanced) | High | Enforce strict file type validation. Store uploaded files in non-executable directories. |
| 7 | SQL Injection | Critical | Use parameterized queries or prepared statements. Implement least privilege for databases. |
| 8 | Sensitive Data Exposure | High | Never store credentials in HTML. Use hashed and salted passwords. |
| 9 | Sensitive Data Exposure (robots.txt) | Low | Restrict access to robots.txt for sensitive paths. Use authentication for directory access. |
| 10 | Command Injection | Critical | Sanitize and validate all user inputs. Use allowlists for command inputs. |
| 11 | Command Injection (Advanced) | Critical | Avoid executing system commands from user input. Use a Web Application Firewall (WAF). |
| 12 | Brute Force Attack | High | Implement account lockout, rate limiting, and multi-factor authentication (MFA). |
| 13 | PHP Injection | Critical | Disable execution of user input in PHP scripts. Use secure coding practices. |
| 14 | Session Management Flaw | High | Use secure session management with strong, unique session IDs. Implement session expiration. |
| 15 | Directory Traversal | High | Restrict directory access. Validate and sanitize user input to prevent path manipulation. |
During the security assessment of Rekall's Linux infrastructure, several vulnerabilities were identified. These findings expose risks that could be exploited by attackers to gain unauthorized access, escalate privileges, or retrieve sensitive information. Below are the details of these findings:
-
Domain WHOIS Information
- Discovery: Publicly accessible domain information revealed sensitive details.
- Investigation Tool: Domain Dossier at
centralops.net.
-
Subdomain Enumeration
- Discovery: Certificate transparency logs exposed additional subdomains.
- Investigation Tool:
crt.shsearch fortotalrekall.xyz.
-
Host Discovery
- Scan Results: A network scan revealed active hosts within the
192.168.13.0/24subnet. - Key Finding: Five active hosts were identified excluding the scanning machine.
- Scan Results: A network scan revealed active hosts within the
-
Service Enumeration
- Vulnerable Host Identified: An aggressive scan indicated that
192.168.13.13runs Drupal, making it a potential target.
- Vulnerable Host Identified: An aggressive scan indicated that
- Affected Host:
192.168.13.12 - Discovery Method: Nessus scan detected a critical vulnerability.
- Exploit: Leveraging Metasploit's
struts2_content_type_ognlexploit to gain access. - Post-Exploitation: Retrieved sensitive files containing a potential flag.
- Affected Host:
192.168.13.10 - Exploitation Method: Metasploit's
tomcat_jsp_upload_bypassmodule was used to gain a Meterpreter shell. - Privilege Escalation: Retrieved root-level sensitive information.
- Affected Host:
192.168.13.11 - Exploitation Method: Apache's CGI module was vulnerable to Shellshock.
- Exploitation Steps:
- Leveraged
apache_mod_cgi_bash_env_execmodule. - Gained shell access and extracted critical system files.
- Leveraged
-
Drupal Exploit (CVE-2019-6340)
- Host:
192.168.13.13 - Exploit: Used Metasploit's
drupal_restws_unserializemodule. - Result: Gained access to the server with the
www-datauser.
- Host:
-
Privilege Escalation via Sudo Misconfiguration (CVE-2019-14287)
- Host:
192.168.13.14 - Misconfiguration: WHOIS data suggested an
sshuseraccount with weak credentials. - Exploit: Used
sudo -u#-1to escalate privileges and retrieve sensitive data.
- Host:
| Flag # | Vulnerability | Risk Rating | Remediation |
|---|---|---|---|
| 1 | Open Source Exposed Data (WHOIS) | Low | Use privacy protection services for WHOIS registration. Limit exposure of sensitive information. |
| 2 | IP Address Exposure | Low | Use a CDN or proxy to hide the real IP address. Implement firewalls to restrict access. |
| 3 | Open Source Exposed Data (crt.sh) | Low | Regularly monitor certificate transparency logs. Use wildcard certificates cautiously. |
| 4 | Network Host Enumeration | Medium | Implement network segmentation and monitoring to detect unauthorized scans. Use firewall rules to limit exposure. |
| 5 | Drupal Service Discovery | Medium | Regularly update and patch Drupal installations. Hide service version details from unauthenticated users. |
| 6 | Apache Struts Vulnerability (CVE-2017-5638) | Critical | Patch Apache Struts immediately. Apply security updates and restrict access to vulnerable services. |
| 7 | Apache Tomcat RCE (CVE-2017-12617) | Critical | Upgrade Tomcat to a secure version. Disable unauthenticated file uploads and implement strict access controls. |
| 8 | Shellshock (CVE-2014-6271) | Critical | Patch affected systems immediately. Restrict CGI scripts and use Web Application Firewalls (WAFs). |
| 9 | User Enumeration (/etc/passwd exposure) | High | Restrict access to sensitive system files. Implement proper file permissions. |
| 10 | Apache Struts Exploit (CVE-2017-5638) | Critical | Regularly scan for vulnerabilities. Apply patches and restrict unnecessary external access. |
| 11 | Drupal RCE (CVE-2019-6340) | High | Keep Drupal updated and remove unused modules. Implement Web Application Firewalls (WAFs) to block exploit attempts. |
| 12 | Privilege Escalation (CVE-2019-14287) | Critical | Apply patches to sudo vulnerabilities. Limit user privileges and monitor sudo command usage. |
During the security assessment of Rekall's Windows Server infrastructure, several vulnerabilities were identified. These findings present risks that could be exploited by attackers to gain unauthorized access, escalate privileges, or retrieve sensitive information. Below are the details of these findings:
- A public repository related to Rekall was identified on GitHub.
- Searching within the repository led to the
xampp.userspage, revealing stored credentials. - The credentials were hashed using
$apr1$format, indicating they could be cracked using John the Ripper.
- A subnet scan (
172.22.117.0/24) revealed two machines:Win10 @ 172.22.117.20Server2019 @ 172.22.117.10
- Further scans identified open ports, including HTTP, FTP, SMTP, and POP3 services.
- Visiting
http://172.22.117.20prompted authentication. - Using the cracked credentials (
trivera : Tanya4life), access was granted to retrieve sensitive files.
- FTP access was enabled for anonymous users.
- Using FTP commands, files were retrieved, including a flag stored in
flag3.txt.
- SLMail service was running on port 110.
- Using Metasploit, a known exploit was applied, leading to a Meterpreter session.
- Once inside, directory listing revealed
flag4.txt.
- Scheduled tasks were enumerated using system commands.
- A flagged task contained critical information when queried.
- Post-exploitation tools like
kiwiwere used to extract user credentials. - Cached credentials of an administrator were identified and cracked.
- The retrieved credentials were leveraged to escalate access to the
Server2019machine.
PsExecwas used to obtain SYSTEM privileges onServer2019.- A DCSync attack was performed to retrieve the NTLM password hash of the administrator.
| Flag # | Vulnerability | Risk Rating | Remediation |
|---|---|---|---|
| 1 | Exposed Credentials on GitHub | High | Regularly audit public repositories for sensitive data. Implement secrets management and remove exposed credentials immediately. |
| 2 | Weak HTTP Authentication | High | Enforce strong authentication mechanisms such as multi-factor authentication (MFA). Remove or update weak credentials. |
| 3 | Anonymous FTP Access | Critical | Disable anonymous FTP access. Implement authentication and restrict access with proper firewall rules. |
| 4 | SLMail Remote Code Execution (RCE) | Critical | Upgrade SLMail to a secure version or replace it with a modern email service. Implement access controls to restrict unauthorized access. |
| 5 | Scheduled Task Misconfiguration | High | Regularly audit scheduled tasks for unauthorized entries. Implement least privilege principles to restrict modifications. |
| 6 | Password Hash Dumping (LSA Dump) | Critical | Disable caching of credentials in memory. Implement LSA protection and credential guard to prevent unauthorized access. |
| 7 | Unrestricted File Access | Medium | Apply proper file permissions to sensitive directories. Regularly audit system files for unauthorized access. |
| 8 | Cached Administrator Credentials | Critical | Implement MFA and enforce password rotation policies. Limit credential caching and use least privilege access. |
| 9 | Unprotected Sensitive Files | High | Encrypt sensitive files and restrict access with ACLs. Regularly audit file system for unauthorized access. |
| 10 | DCSync Attack (Privilege Escalation) | Critical | Restrict domain replication permissions to only necessary users. Enable auditing and monitoring of directory replication attempts. |