- Day 1: Attempted to identify and exploit vulnerabilities on Rekall's web application.
- Day 2: Identified and exploited vulnerabilities on Rekall's Linux servers.
- Day 3: Identified and exploited vulnerabilities on Rekall's Windows servers.
- Penetration testing methodology
- MITRE framework
- OSINT tools
- Metasploit/Meterpreter
- Vulnerability scanning with Nmap and Nessus
- Burp Suite
- Rekall Web Application
- Azure Windows 10 VM
- Rekall Corporation is a fictional company that specializes in offering virtual reality experiences based on images that customers upload.
- These experiences could include dream vacations, adventures, or even secret missions.
- Rekall guarantees that these virtual reality experiences will feel real.
- Rekall is about to go live with their business, and they need penetration testers to find any vulnerabilities within their technical systems.
- Rekall has a brand new web application and several Windows and Linux servers that manage their businesses.
- Using a VM, I logged into Kali Linux with the following credentials:
- User: root
- Password: kali
- In a terminal, I changed directory to /root/Documents/day_1 and ran the following commands:
- docker-compose pull
- docker-compose up
- I then opened a browser in Firefox and accessed the web application at http://192.168.14.35. The webpage should resemble the following image:
- Vulnerability: Reflected XSS
- Probed the 'welcome.php' page of the Rekall web app by inserting a basic JavaScript alert payload into the "Put your name here" field.
- Exploit script used: <script>alert("You've been hacked!");</script>
- Affected Hosts: 192.168.14.35/Welcome.php
- Suggested remediation: Implement input validation.
- Vulnerability: Advanced Reflected XSS
- Successfully performed another reflected XSS injection with a modified payload that masked the script tags:
- Exploit script used: alert("You've been hacked!");
- Affected Hosts: 192.168.14.35/Memory-planner.php
- Suggested remediation: Implement stricter input validation that rejects obfuscated script tags and other scripting constructs of any kind.
- Vulnerability: Stored XSS
- Performed an XSS injection on the comments.php page of the totalrekall website to generate an alert.
- Exploit script used: <script>alert("hi there");</script>
- Affected Hosts: 192.168.14.35/comments.php
- Suggested remediation: Implement output encoding to properly prevent user-generated content from being interpreted as HTML or JavaScript code that might execute a malicious payload.
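- The output-encoding remediation above, as an added example that is not code from the Rekall application (which is PHP; the equivalent call there is htmlspecialchars($value, ENT_QUOTES, 'UTF-8')). It takes the alert payload recorded in these findings as constructed input and shows it being neutralised by escaping at the point where data is written into the page, for the HTML body, attribute and URL contexts:

```python
"""Output encoding for user-supplied text placed into HTML.

Added example; not code from the Rekall application. It shows the fix for
the three XSS findings above: escape at the point where data is written
into the page, in the context it lands in.
"""
import html
from urllib.parse import quote


def render_greeting_unsafe(name: str) -> str:
    """The vulnerable pattern: user input concatenated straight into markup."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting(name: str) -> str:
    """HTML body context: html.escape turns < > & ' " into entities."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_comment(author: str, body: str) -> str:
    """Stored data is escaped every time it is rendered, never trusted
    because it 'passed validation' when it was saved."""
    return (
        f'<article data-author="{html.escape(author, quote=True)}">'
        f"{html.escape(body, quote=True)}</article>"
    )


def render_profile_link(name: str) -> str:
    """URL context inside an attribute: percent-encode for the query string,
    then HTML-escape the whole attribute value."""
    url = "/profile.php?name=" + quote(name, safe="")
    return (
        f'<a href="{html.escape(url, quote=True)}">'
        f"{html.escape(name, quote=True)}</a>"
    )


if __name__ == "__main__":
    # Constructed input: the alert payload recorded in the findings above.
    probe = '<script>alert("You\'ve been hacked!");</script>'
    print(render_greeting_unsafe(probe))   # a browser would execute this
    print(render_greeting(probe))          # a browser shows it as text
    print(render_comment("dougquaid", probe))
    print(render_profile_link('Kuato "the" Mutant'))
```

- Input validation (the remediation given for the first two findings) is a useful second layer, but encoding on output is what stops stored content from executing, because the data is already in the database by the time it is rendered.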
- Vulnerability: Data Exposure - HTTP Response Headers
- Viewed the HTTP response headers of the About-Rekall.php section of the web app, which revealed sensitive information as well as the fourth flag.
- Command used: curl -v http://192.168.14.35/About-Rekall.php
- Suggested remediation: Implement proper access controls and server-side validation.
- Vulnerability: Local File Inclusion (LFI)
- I uploaded a basic PHP script file into the first upload field on the memory-planner.php page. This revealed that the field is not restricted to image files, which poses a critical risk to the web app.
- Affected Hosts: 192.168.13.45/memory-planner.php
- Suggested remediation: File upload validation - Ensure that only image files (for example, files ending in .jpg) can be uploaded.
- Vulnerability: Advanced LFI
- When probing the secondary upload field on the memory-planner page, pen testers from Team 10 LLC attempted to upload the same .php script file renamed as "script.jpg.php". The web application responded by revealing sensitive data that could be exploited further.
- Affected Hosts: 192.168.13.45/Memory-planner.php
- Suggested remediation: File upload validation + sanitization - Ensure only files in '.jpg' format are accepted and that the upload field sanitizes user input to prevent LFI attempts.
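- The upload validation recommended for the two findings above, as an added example (not the Rekall memory-planner.php code, which is PHP). It allow-lists the extension taken from the last dot, refuses multiple extensions such as the "script.jpg.php" case, checks the file's leading bytes against the claimed image type, and stores the file under a random server-generated name; the sample inputs are constructed:

```python
"""Server-side validation for an image-only upload field.

Added example; not the Rekall application's code. It implements the
allow-list-plus-content check recommended above and handles the
double-extension case (script.jpg.php).
"""
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the allowed image formats.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a fresh server-side filename, or raise UploadRejected.

    The client's name is used only to read the extension; the stored name is
    random, so nothing the client controls reaches the filesystem.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Drop any client-supplied directory part (Windows or POSIX separators).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    stem, ext = base.rsplit(".", 1)  # split on the LAST dot
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not an image type")
    if "." in stem:
        # 'script.php.jpg' and friends: some web servers map handlers from
        # an earlier extension, so refuse multiple extensions outright.
        raise UploadRejected("multiple extensions are not allowed")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match the claimed image type")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample bytes: a minimal JPEG header and a non-image blob.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, blob in [("photo.jpg", jpeg), ("script.jpg.php", b"not-an-image"),
                       ("script.php.jpg", jpeg), ("fake.jpg", b"not-an-image")]:
        try:
            print(name, "->", validate_upload(name, blob))
        except UploadRejected as why:
            print(name, "-> rejected:", why)
```

- The magic-byte check is what catches a script renamed to ".jpg"; the extension allow-list alone would have accepted it. Store uploads outside the web root, or in a location the server is configured never to execute, so that even a validation bypass cannot turn an upload into code execution.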
- Vulnerability: Suspected SQL Injection
- When probing the user login fields, I discovered that the login.php page is vulnerable to SQL injection attacks. I was unable to determine the exact input that would complete the attack, but the following input produced an error message indicating a potential vulnerability:
- Injection query used: ok' or 1=1--
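- Why the input above changes the meaning of the query, and the fix, as an added example that is not the Rekall login.php code (which is PHP; there the equivalent is a PDO prepared statement with bound parameters). It builds an in-memory SQLite table with one constructed user and contrasts a string-concatenated login query with a parameterized one:

```python
"""Login query built by string concatenation versus a parameterized query.

Added example; not the Rekall application's code. Uses an in-memory SQLite
table to show that a bound parameter keeps user input as plain data.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    # Demo only: a real application stores a slow, salted hash (argon2/bcrypt).
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern: the user's text becomes part of the SQL itself,
    so a quote ends the string literal and '--' comments out the rest."""
    h = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{h}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders. The driver sends the values separately from
    the statement, so quotes and '--' are just characters to compare."""
    h = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, h),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    probe = "ok' or 1=1--"   # the input recorded in the finding above
    print("concatenated query, probe input:", login_unsafe(db, probe, "anything"))
    print("parameterized query, probe input:", login_safe(db, probe, "anything"))
    print("parameterized query, real creds:", login_safe(db, "alice", "correct horse"))
```

- The parameterized version returns false for the probe input and true only for the real credentials; the concatenated version returns true for the probe input regardless of password, which is the bypass the error message hinted at.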
- Vulnerability: Data Exposure - Admin Credentials
- Used the Chrome developer tools to view the HTML structure of the login.php page. Further analysis revealed sensitive information stored within tags containing the admin credentials 'dougquaid:kuato'. I successfully logged into the admin login form with these credentials and was able to view the networking.php page.
- Affected Hosts: 192.168.13.45/login.php
- Suggested remediation: Immediately modify the source code of the totalrekall web page to remove the tags or the content between them.
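- A pre-release check for the two data-exposure findings above (informative response headers and credentials left in page source), as an added example that is not part of the lab. It parses a raw HTTP response, reports headers that advertise software versions, and flags HTML comments that contain credential-like text; the sample response and the placeholder credential in it are constructed:

```python
"""Scan an HTTP response for information that should not reach the client.

Added example; not part of the Rekall lab. Reports version-advertising
headers and HTML comments that look like they hold credentials.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Headers whose values usually advertise the software stack.
NOISY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-debug")
# Credential keywords, or a user:secret token (a URL scheme like http:// will
# not match because '/' is outside the secret character class).
CRED_RE = re.compile(
    r"(?i)\b(?:password|passwd|pwd|credential|secret|api[_-]?key)\b"
    r"|\b[a-z][a-z0-9_.-]*:[a-z0-9!@#$%^&*._-]{4,}"
)

# Constructed sample response; versions and the credential are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4 (constructed-sample)\r\n"
    "X-Powered-By: PHP/7.x-placeholder\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    "<!-- TODO remove before launch: admin login is testadmin:CHANGEME-placeholder -->\n"
    "<!-- page footer -->\n"
    "<form action='login.php'></form></body></html>\n"
)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- --> comment in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def split_response(raw: str):
    """Return (status line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaks(raw: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) pairs for each exposure found."""
    _, headers, body = split_response(raw)
    findings = []
    for name in NOISY_HEADERS:
        if name in headers:
            findings.append(("header", f"{name}: {headers[name]}"))
    collector = CommentCollector()
    collector.feed(body)
    for comment in collector.comments:
        if CRED_RE.search(comment):
            findings.append(("html-comment", comment))
    return findings


if __name__ == "__main__":
    for kind, detail in find_leaks(SAMPLE_RESPONSE):
        print(f"{kind:12} {detail}")
```

- Running this against every page of the site before launch would have caught both the header exposure on About-Rekall.php and the credentials on login.php. The real fix for the comment is to delete it from the source (and rotate the credential), since anything in the served HTML is public.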
- Vulnerability: Data Exposure - Directory Traversal Attack
- I was able to use path traversal techniques on the disclaimer.php page to view the robots.txt file. From it, I determined that the goodbot agent is allowed to access all parts of the website, while the BadBot agent is not allowed to access any part of it. The wildcard rule that applies to all other user agents restricts access to certain directories and to a particular souvenirs.php URL.
- Affected Hosts: 192.168.13.45/disclaimer.php?page=robots.txt
- Suggested remediation: Implement access controls immediately to restrict access to any other sensitive files and directories. In addition, ensure that only authorized users are allowed to view critical files like robots.txt.
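- How a page parameter like disclaimer.php?page= can be handled without letting the client pick arbitrary files, as an added example that is not the Rekall disclaimer.php code. The first function is the preferred fix: the parameter is a key into a constructed allow-list, never a filename. The second is the weaker fallback for code that must accept a relative path: canonicalise it and confirm it stays inside the pages directory. Directory names are assumed:

```python
"""Safe selection of a page to include from a user-controlled parameter.

Added example, not the Rekall application's code. Directory names and the
allow-list are assumptions for the demonstration.
"""
import os
from typing import Optional

# Constructed allow-list: URL keyword -> file that may be included.
ALLOWED_PAGES = {
    "disclaimer": "disclaimer.html",
    "privacy": "privacy.html",
}


def _inside(root: str, candidate: str) -> Optional[str]:
    """Canonicalise both paths; return candidate only if it is under root."""
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(candidate)
    if os.path.commonpath([real_root, real_target]) != real_root:
        return None
    return real_target


def resolve_allowlisted(page_param: str, pages_dir: str) -> Optional[str]:
    """Preferred: unknown keys are refused; no path arithmetic on input."""
    filename = ALLOWED_PAGES.get(page_param)
    if filename is None:
        return None
    # Containment check kept as defence in depth (bad allow-list entry, symlink).
    return _inside(pages_dir, os.path.join(pages_dir, filename))


def resolve_within(user_path: str, pages_dir: str) -> Optional[str]:
    """Fallback: refuse empty, absolute or NUL-containing paths, then rely on
    the canonical-path containment check to stop '..' traversal."""
    if not user_path or os.path.isabs(user_path) or "\x00" in user_path:
        return None
    return _inside(pages_dir, os.path.join(pages_dir, user_path))


if __name__ == "__main__":
    pages = "/srv/app/pages"   # assumed location, outside the web root
    for param in ("disclaimer", "robots.txt", "../robots.txt"):
        print(f"allow-list  {param!r:20} -> {resolve_allowlisted(param, pages)}")
    for param in ("privacy.html", "../robots.txt", "/etc/hostname"):
        print(f"containment {param!r:20} -> {resolve_within(param, pages)}")
```

- With the allow-list approach, "robots.txt" is simply not a valid key, so the traversal reported above cannot occur. The containment check alone still allows any file inside the pages directory, which is why that directory should hold only files meant to be served.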
- Using a VM, I logged into Kali Linux with the following credentials:
- User: root
- Password: kali
- In a terminal, I changed directory to /root/Documents/day_2 and ran the following commands:
- docker-compose pull
- docker-compose up
- I then opened a browser in Firefox and accessed Nessus by navigating to https://kali:8834/. Once everything was set up, I used the hints provided by the TAs to uncover each flag one by one. The following vulnerabilities (flags) were found during this portion of the lab:
- Vulnerability: Domain Registrar Data Exposure
- Exploit Method: I used the Domain Dossier tool on CentralOps.net to gather information about the domain 'totalrekall.xyz'. The team was able to view sensitive PII, including admin-level credentials, phone numbers, email and mailing addresses, etc. This information was exposed by performing a WHOIS record search on the domain.
- Affected Hosts: totalrekall.xyz
- Suggested remediation: Remove sensitive data from the associated server immediately.
- Vulnerability: DNS Record Exposure
- Exploit Method: I used the same Domain Dossier utility to view the DNS records of totalrekall.xyz. This revealed sensitive information including IP addresses, subdomains, and email addresses associated with the domain.
- Affected Hosts: totalrekall.xyz
- Suggested remediation: Immediately remove any sensitive information from the records and implement logging and monitoring to detect unauthorized access attempts.
- Vulnerability: Certificate Information Exposure
- Description: I used the crt.sh tool to check the certificate validity of totalrekall.xyz, which revealed that there was no valid root/intermediate certificate.
- Affected Hosts: totalrekall.xyz
- Suggested remediation: Update the SSL certificate by contacting the Certificate Authority (CA) immediately.
- Vulnerability: Apache Tomcat Bypass RCE (CVE-2017-12617)
- Description: I used Metasploit exploit modules to demonstrate the RCE vulnerability and drop into a root session on remote host 192.168.13.10. I searched for exploits that involved Tomcat and JSP, then used the exploit module multi/http/tomcat_jsp_upload_bypass and set RHOST to 192.168.13.10. After getting a Meterpreter shell, I dropped into a system shell to reach the command line.
- Affected Hosts: 192.168.13.10 on port 80.
- Suggested remediation: Apply a patch or update to Apache Tomcat installed on the remote host. In addition, consider implementing better network security measures to restrict access on vulnerable ports.
- Vulnerability: Shellshock
- Description: I ran MSFconsole and searched for exploits that had Shellshock. I then selected exploit/multi/http/apache_mod_cgi_bash_env_exec and the following options:
- target URI (the vulnerable webpage): /cgi-bin/shockme.cgi
- RHOST: 192.168.13.11
- To find the flag using this exploit, I ran the following command from a shell on the exploited machine: cat /etc/sudoers
- Affected Hosts: 192.168.13.11
- Suggested remediation: Update to the most current version of BASH and assess if any other interconnected systems are vulnerable to Shellshock.
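- Detection logic for the Tomcat and Shellshock findings above, as an added example that is not part of the lab. It parses constructed combined-format access log lines and flags (a) PUT or DELETE requests aimed at script files, the write access the Tomcat JSP upload (CVE-2017-12617) depends on, and (b) the Bash function-definition marker that Shellshock requests carry in HTTP headers sent to CGI paths. Only the referer and user-agent headers appear in this log format, so a complete check belongs in a WAF or IDS that sees every header; the IP addresses and timestamps are made up:

```python
"""Access-log detection for the two server-side findings above.

Added example, not part of the Rekall lab. Log lines are constructed.
"""
import re
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".cgi", ".war")
# The "() {" prefix that opens an exported Bash function definition.
SHELLSHOCK_MARK = re.compile(r"\(\)\s*\{")

# Constructed sample lines; 10.0.0.x addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "PUT /uploads/test.jsp/ HTTP/1.1" 201 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/shockme.cgi HTTP/1.1" 200 0 "-" "() { :;}; echo constructed-sample"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "PUT /docs/readme.txt HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    "not a log line",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Name the suspicious pattern an entry matches, if any."""
    # Normalise: drop the query string and any trailing '/' or '.' that
    # some servers ignore when mapping the path to a file.
    path = entry["path"].split("?", 1)[0].lower().rstrip("/.")
    if entry["method"] in ("PUT", "DELETE") and path.endswith(SCRIPT_EXT):
        return "script-write-method"
    if "/cgi-bin/" in path and any(
        SHELLSHOCK_MARK.search(entry[field]) for field in ("ua", "referer")
    ):
        return "shellshock-marker"
    return None


def scan(lines) -> list:
    """Return (kind, client ip, method, path) for every suspicious entry."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines deserve their own alert in production
        kind = classify(entry)
        if kind:
            alerts.append((kind, entry["ip"], entry["method"], entry["path"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

- A PUT that is answered with 201 (as in the second sample line) is the case to treat as an incident rather than a probe: the server accepted the write. For Tomcat, the corresponding hardening is to keep the DefaultServlet read-only and patch; for CGI hosts, patching Bash removes the vulnerability regardless of what the log shows.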
- Vulnerability: Struts
- Description: I used Nessus to determine RHOST 192.168.13.12 is vulnerable to Struts exploitation. I then used MSFconsole to use Struts exploit multi/http/struts2_content_type_ognl to establish a Meterpreter shell on the RHOST 192.168.13.12. With this, I was able to extract a special zip file containing sensitive information (Flag 9).
- Used Meterpreter to download the following file: /root/flagisinThisfile.7z
- On my Kali machine, I extracted the archive with the following command: 7z x flagisinThisfile.7z
- Used cat to view the flag file.
- Affected Hosts: 192.168.13.12
- Suggested remediation: Update Apache Struts depending on the version the host is using. In addition, consider implementing a Web Application Firewall to block malicious attempts to exploit Struts.
- Vulnerability: Drupal - CVE-2019-6340
- Description: I used MSFconsole to search for Drupal exploits. Used the exploit unix/webapp/drupal_restws_unserialize to establish a Meterpreter session on RHOST 192.168.13.13. Ran the getuid command and received www-data as the UID for that host.
- Affected Hosts: 192.168.13.13
- Suggested remediation: Update Drupal to the latest version that includes the latest security patches.
- Vulnerability: SUDO without password
- Description: I used password guessing techniques to SSH into RHOST 192.168.13.14 using information gathered from the WHOIS records. I guessed the password 'alice', successfully connected to the RHOST over SSH as alice, and used sudo to extract sensitive data from root-level directories.
- Affected Hosts: 192.168.13.14
- Suggested remediation: Update admin password to something more complex, and disable SSH on that port.
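- An audit for the sudo misconfiguration behind this finding, as an added example that is not part of the lab. It parses constructed sudoers text and reports NOPASSWD grants (passwordless sudo, critical when the command list is ALL) and full sudo rights for non-root accounts; the usernames and rules in the sample are made up:

```python
"""Audit sudoers content for passwordless and over-broad rules.

Added example, not from the Rekall lab. The sudoers text is constructed;
point parse_sudoers at a reviewed copy of /etc/sudoers and /etc/sudoers.d/*
to audit a real host.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
bob     ALL=(ALL) ALL
"""

# user_or_group  hosts = (runas) [TAG:] commands
RULE_RE = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one dict per user specification (Defaults/comments skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        tags = []
        # Tags such as NOPASSWD: or PASSWD: precede the command list.
        while ":" in cmds:
            tag, rest = cmds.split(":", 1)
            tag = tag.strip()
            if tag.isalpha() and tag.isupper():
                tags.append(tag)
                cmds = rest.strip()
            else:
                break
        rules.append({"who": m.group("who"), "hosts": m.group("hosts"),
                      "runas": m.group("runas") or "", "tags": tags, "cmds": cmds})
    return rules


def audit(rules: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (severity, who, reason) for rules worth a second look."""
    findings = []
    for r in rules:
        passwordless = "NOPASSWD" in r["tags"]
        if passwordless and r["cmds"] == "ALL":
            findings.append(("critical", r["who"], "passwordless sudo to any command"))
        elif passwordless:
            findings.append(("review", r["who"], f"passwordless sudo to: {r['cmds']}"))
        elif r["cmds"] == "ALL" and r["who"] != "root":
            findings.append(("info", r["who"], "full sudo (password required)"))
    return findings


if __name__ == "__main__":
    for severity, who, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{severity:9} {who:10} {reason}")
```

- The "alice ALL=(ALL) NOPASSWD: ALL" rule in the sample is the shape of the finding above: once a weak SSH password is guessed, no second credential stands between the attacker and root. Removing NOPASSWD, limiting the command list, and requiring key-based SSH authentication each close part of that path.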
- Vulnerability: Public Data Exposure - Github Repo
- Description: The clue for the first flag was to search for any public information pertaining to Rekall. I came across a public GitHub repository containing a username and password hash at https://github.com/totalrekall/site/blob/main/xampp.users. I pasted the contents into a .txt file and used the John the Ripper tool to crack the password hash, revealing Tanya4life as the password for user Trivera.
- Suggested remediation: Make the GitHub repository private or delete it entirely.
- Vulnerability: FTP Anonymous READ
- Description: I performed an Nmap scan on the Windows 10 machine in my hyper manager using the following command: nmap -A 172.22.117.20. It revealed that port 21 is open on the Windows 10 host, and I then connected to the Windows host using ftp 172.22.117.20. I was able to log into FTP as anonymous and exfiltrated sensitive information (Flag 3, Day 3).
- Affected Hosts: 172.22.117.20
- Suggested remediation: Disable FTP for Windows 10 host.
- Vulnerability: SL Mail Exploit
- Description: I used the Nmap scan of 172.22.117.20 to determine that the SLMAIL service is exposed via the POP3 protocol on port 110. I then used MSFconsole to search for the appropriate exploit: windows/pop3/seattlelab_pass. Afterwards, I loaded the exploit module and configured its options to create a Meterpreter session on RHOST 172.22.117.20.
- Affected Hosts: 172.22.117.20
- Suggested remediation: Disable unnecessary SLMAIL services and update to the latest version of SLMAIL for the server.
- Vulnerability: SYSTEM Shell Access
- Description: I created a Meterpreter session after running the SLMAIL exploit, dropped into the SYSTEM shell on the Windows 10 machine, and viewed the scheduled tasks. This exploit shows that attackers have the potential to establish a backdoor and create scheduled tasks to exfiltrate sensitive data at chosen times.
- Affected Hosts: 172.22.117.20
- Suggested remediation: Implement least privilege, ensuring that all users and services have only read access where possible, and change login credentials frequently.
- Vulnerability: Credential Data Exposure
- Description: I loaded the kiwi extension to begin credential dumping on the Windows 10 host. Using the command lsa_dump_sam, kiwi revealed user and password hash information. I then copied the username and hash into a .txt file and used John the Ripper to crack the hash in NT format.
- Affected Hosts: 172.22.117.20
- Conducted a penetration test against a mock organization following the PTES methodology and MITRE framework.
- Found and exploited vulnerabilities on the organization’s web application and Linux and Windows hosts.
- Summarized findings and recommended mitigations in a penetration testing summary report.