Rekall Penetration Test Report
This CTF-style fictitious engagement tested my skills in web application and Linux web server hacking, followed by a high-level deliverable. (10/20/2022)
Confidentiality Statement
This document contains confidential and privileged information from Rekall Inc. (henceforth known as Rekall). The information contained in this document is confidential and may constitute inside or non-public information under international, federal, or state laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of this document or its parts is prohibited.
Introduction
In accordance with Rekall policies, our organization conducts external and internal penetration tests of its networks and systems throughout the year. The purpose of this engagement was to assess the networks’ and systems’ security and identify potential security flaws by utilizing industry-accepted testing methodology and best practices.
For the testing, we focused on the following:
Attempting to determine what system-level vulnerabilities could be discovered and exploited with no prior knowledge of the environment or notification to administrators.
Attempting to exploit vulnerabilities found and access confidential information that may be stored on systems.
Documenting and reporting on all findings.
All tests took into consideration the actual business processes implemented by the systems and their potential threats; therefore, the results of this assessment reflect a realistic picture of the actual exposure levels to online hackers. This document contains the results of that assessment.
Assessment Objective
The primary goal of this assessment was to provide an analysis of security flaws present in Rekall’s web applications, networks, and systems. This assessment was conducted to identify exploitable vulnerabilities and provide actionable recommendations on how to remediate the vulnerabilities to provide a greater level of security for the environment.
We used our proven vulnerability testing methodology to assess all relevant web applications, networks, and systems in scope.
Rekall has outlined the following objectives:
Find and exfiltrate any sensitive information within the domain.
Escalate privileges.
Compromise several machines.
Penetration Testing Methodology
Reconnaissance
We begin assessments by checking for any passive (open source) data that may assist the assessors with their tasks. If internal, the assessment team will perform active recon using tools such as Nmap and Bloodhound.
Identification of Vulnerabilities and Services
We use custom, private, and public tools such as Metasploit, hashcat, and Nmap to gain perspective of the network security from a hacker’s point of view. These methods provide Rekall with an understanding of the risks that threaten its information, and also the strengths and weaknesses of the current controls protecting those systems. The results were achieved by mapping the network architecture, identifying hosts and services, enumerating network and system-level vulnerabilities, attempting to discover unexpected hosts within the environment, and eliminating false positives that might have arisen from scanning.
Vulnerability Exploitation
Our normal process is to both manually test each identified vulnerability and use automated tools to exploit these issues. Exploitation of a vulnerability is defined as any action we perform that gives us unauthorized access to the system or the sensitive data.
Reporting
Once exploitation is completed and the assessors have completed their objectives, or have done everything possible within the allotted time, the assessment team writes the report, which is the final deliverable to the customer.
Scope
Prior to any assessment activities, Rekall and the assessment team will identify targeted systems with a defined range or list of network IP addresses. The assessment team will work directly with the Rekall POC to determine which network ranges are in-scope for the scheduled assessment.
It is Rekall’s responsibility to ensure that IP addresses identified as in-scope are actually controlled by Rekall and are hosted in Rekall-owned facilities (i.e., are not hosted by an external organization). In-scope and excluded IP addresses and ranges are listed below.
Executive Summary of Findings
Grading Methodology
Each finding was classified according to its severity, reflecting the risk each such vulnerability may pose to the business processes implemented by the application, based on the following criteria:
Critical: Immediate threat to key business processes.
High: Indirect threat to key business processes/threat to secondary business processes.
Medium: Indirect or partial threat to business processes.
Low: No direct threat exists; vulnerability may be leveraged with other vulnerabilities.
Informational: No threat; however, it is data that may be used in a future attack.
As the following grid shows, each threat is assessed in terms of both its potential impact on the business and the likelihood of exploitation:
Summary of Strengths
While the assessment team was successful in finding several vulnerabilities, the team also recognized several strengths within Rekall’s environment. These positives highlight the effective countermeasures and defenses that successfully prevented, detected, or denied an attack technique or tactic from occurring.
Some input validation located within web application entry fields
Multiple exploits failed to establish a connection via meterpreter shell
Password complexity included capital, lowercase, and special characters
Summary of Weaknesses
We successfully found several critical vulnerabilities that should be immediately addressed in order to prevent an adversary from compromising the network. These findings are not specific to a software version but are more general and systemic vulnerabilities.
Scripts were able to be uploaded
SQL Injection was successful
Directory traversal was successful
Sensitive file names were not obfuscated enough
SSL Cert is expired
FTP port 21 was open
Drupal exploit was successful
Struts exploit was successful
Weak Admin password on Linux Machine
Sudo exploit available on Linux Machine
GitHub contained valid and essential credentials
Sensitive file was located on front facing web page
Sensitive file was extracted via FTP
Pop3 Port 110 exploit successful (SLMAIL)
LSADump was accessed for credentials
DCSync allowed lateral movement to the Domain Controller
Executive Summary
Part 1:
To begin the test, I first visited the front facing Rekall web page. The welcome page did not properly sanitize its input, so upon entering a name with an embedded script, the reflected XSS allowed me to exploit the vulnerability.
The next page (Memory-Planner.php) was not so forgiving, so the same reflected XSS attempt was made with a workaround for its input validation. I was able to get the script past validation successfully.
Moving on to the next page (comments.php), a stored XSS vulnerability was discovered by posting a comment to the page with an embedded script. This stored method successfully exploited the input vulnerability.
Continuing to exploit the machine, I decided to see which pieces of information could be pulled with available methods like the curl command. When curling the page “About-Rekall.php,” the HTTP response header contained some sensitive data that was exfiltrated. Further digging produced another vulnerability back on the Memory-Planner.php page: using Local File Inclusion, a PHP script was uploaded successfully. Further down the page, however, there was an upload field that requested a JPG. By labeling the file as a JPG instead of PHP, the masked file was uploaded and the exploit succeeded.
Continuing with the testing of input, the Login.php page also lacked input sanitization within its fields. An initial query revealed that the database was SQL based, so various inputs and queries were entered in an attempt to gain unintended information. A logical condition in the query exploited the database as intended and more sensitive information was revealed in the process.
Upon expanding the HTML source for the Login.php page, a few items looked out of place near the bottom. Further investigation led me to discover these were login credentials. After using them as input on the public facing web page, login was established.
Next, it was time to search for the robots.txt page with some Google dorking. This led to a list of pages disallowed for search engines, and some hidden pages were revealed. Among these hidden pages, networking.php was not supposed to be reachable through searches. On this page, a command injection in the input field was used to view sensitive files on the Linux-based web server. These files were searched, and eventually the /etc/passwd file revealed another set of login credentials. Navigating back to the login.php page, the credentials were valid and access was obtained. Further exploration led to the souvenirs.php page (located from the robots.txt discovery). A PHP injection in the browser URL displayed some server information on the web page.
After exhausting the Rekall site itself, it was time to use a tool called Burp Suite to control the session between web server and client. The Intruder attack was used against the request sent to the Rekall site, and the admin header in the response confirmed that the exploit succeeded.
Lastly, on the page titled “Disclaimer.php,” I used directory traversal to discover another sensitive file by changing a few key items in the URL. After the successes listed above, I decided it was time to move on and attack the web server itself with some more advanced tools.
Part 2:
Using OSINT to learn more about the domain, I searched the who.is records for totalrekall.xyz. The who.is record held much information useful in the search for more vulnerabilities. Jumping to the command line, pinging the domain name revealed its IP address as well. A search engine for SSL certificates showed that the site did not have a current certificate and was openly available for attack.
Active scanning was the next step in the test, so between nmap and Zenmap (both network testing tools) I was able to learn a lot about the number of hosts throughout the provided subnet. There were a total of 5 hosts up. Using another tool called Nessus, a critical vulnerability was discovered for the address 192.168.13.12, which would be used to gain unwarranted access to the Linux machine.
At this point, it was time to exploit one of the machines and gain access. I used a Metasploit module to exploit the .10 machine and gained remote access to the filesystem. Searching the filesystem for a few key elements, the find command led me to hidden files in the root directory.
While still using Metasploit modules, another was used to gain more sensitive information from the .11 machine. After gaining access with a module that exploited a vulnerability specific to that machine, viewing the contents of the /etc/sudoers file revealed essential user information. Further discovery led to the /etc/passwd file, which contained a few other users on the system.
Moving to the .12 machine, the Struts vulnerability listed above was used to gain access. From there, searching the file system led to the discovery of a zip file, which was exfiltrated to my host machine and unzipped to reveal sensitive internal data.
Swapping over to the .13 machine, a module that exploited Drupal was used to gain remote access. Once in, running “getuid” revealed a username which would provide more information for privilege escalation.
Lastly, jumping back into Metasploit, the .14 machine was exploited using the information found on the who.is page. With the username “alice,” some password guessing revealed the credentials were alice:alice. Using SSH, I gained access to the .14 machine and viewed her privileges. Recognizing a known sudo exploit, I was able to access the root directory after escalating privileges.
Part 3:
Now that the Linux machines were finished, it was time to pursue the Windows machines discovered. First, a little more OSINT revealed a set of credentials posted to totalrekall’s GitHub page.
Following the GitHub discovery, an Nmap scan of the subnet revealed two Windows machines (172.22.117.10 and 172.22.117.20). Navigating to the page for 172.22.117.20, a sensitive file was located on the displayed webpage.
Using the information from the scan, the .20 machine had port 21 (FTP) open, and a sensitive file was listed as available to download. Using FTP, I was able to exfiltrate the sensitive file via this vulnerability.
Within the same Nmap scan, there was another vulnerability on POP3 port 110 and SMTP port 25. Using searchsploit for these open ports, an exploit was located in Metasploit and a Meterpreter shell was established with the .20 target machine. After access was gained, viewing the file system led to the discovery of a sensitive file.
While in the established Meterpreter shell, viewing the scheduled tasks revealed much information, including another hidden file. Not only did the tasks hold hidden files, but the shell was also used to find a set of credentials via lsadump of the SAM. Using John the Ripper, it was very simple to crack the user’s password. Next, it was time to tackle the rest of the file system. A simple search command with a few parameters located another hidden and sensitive file.
Along with the LSADump, some admin credentials were discovered, which would be very important for lateral movement to the .10 Domain Controller (DC). Using a Metasploit module (psexec), I was able to use AMDBob’s credentials to connect to the .10 machine and execute a command to view the net users. While connected, I was able to move to the C:\ directory and find yet another sensitive file.
Lastly, lateral movement: using DCSync via Kiwi in Metasploit, I was able to move laterally and discover the DC’s NTLM password hash, which is the equivalent of the highest privilege. Thus the test was concluded and all vulnerabilities discovered were accounted for.
Summary Vulnerability Overview

Vulnerability                                            Severity
Reflected XSS On Web App (x2)                            Low
Stored XSS on Web App                                    Medium
Revealing HTTP Header with Curl Command                  Medium
Local File Inclusion (x2)                                High
SQL Injection on Login Page                              Medium
Exposed Credentials on HTTP Login Source Page            Medium
Robots.txt led to sensitive files                        Low
PHP Injection in URL                                     High
Directory traversal possible in URL                      High
SSL Certificate Expired                                  Critical
Critical Vulnerability Exploited (Apache Struts)         Critical
Critical Vulnerability Exploited (Drupal)                Critical
Tomcat Remote Code Execution                             Critical
Shellshock Vulnerability Exploited                       Critical
CVE-2019-14287                                           Critical
Open set of Credentials on GitHub                        High
Sensitive file on open webpage with valid credentials    Medium
FTP Open and Sensitive File able to be exfiltrated       Critical
SLMAIL Vulnerability Exploited                           Critical
Obtainable NTLM Hashes for DC                            High
DCSync Possible to Lateral to Domain Controller          Critical
The following summary tables represent an overview of the assessment findings for this penetration test:

Scan Type    Total
Hosts        1 web, 5 linux, 2 windows
Ports        21, 22, 53, 110, 25, 80

Exploitation Risk    Total
Critical             9
High                 5
Medium               5
Low                  1
Vulnerability Findings
Vulnerability 1
Title: Reflected XSS On Web App (x2)
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Low
Description: Input fields in the web application allowed scripts to be run; one field required a workaround for its input validation.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Further input validation is necessary, covering script variants entered with different spelling, ordering, or capitalization. Having fewer input fields would also help by reducing the opportunity to submit anything malicious.
Vulnerability 2
Title: Stored XSS on Web App
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Medium
Description: Using custom input in a comment entry field, it was possible to submit a script that was stored by the application and served to later visitors.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Input validation needs to be implemented. This can take a few forms, but I believe the best method would be a drop-down menu with preselected options so that no free-form entry is possible.
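The two XSS findings above share one root cause: user-supplied text reaches the page without being validated on the way in or encoded on the way out. The following Python is an added example written for this report, not code from the Rekall application, and the sample inputs and the name-field rules are constructed. It contrasts a keyword blocklist (the kind of validation the report describes bypassing with different spellings and capitalization) against an allowlist for the name field plus HTML output encoding, and shows the same encode-on-render rule applied to stored comments.

```python
import html
import re

# Constructed sample inputs: a legitimate name, the plain script tag, a
# mixed-case variant, and an event-handler payload. Illustrative only,
# not the inputs used during the engagement.
SAMPLE_INPUTS = [
    "Douglas Quaid",
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</ScRiPt>",
    '<img src=x onerror="alert(1)">',
]

# Allowlist for the welcome-page name field (assumed rules): letters, spaces,
# hyphens and apostrophes, 1 to 64 characters. Anything else is rejected.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def is_valid_name(name: str) -> bool:
    """Validate by describing what is allowed, not by hunting for known-bad strings."""
    return NAME_RE.fullmatch(name) is not None


def blocklist_filter(value: str) -> str:
    """The weak approach: strip one literal spelling of the tag.
    A case variant such as <ScRiPt> passes straight through."""
    return value.replace("<script>", "").replace("</script>", "")


def render_welcome_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into HTML."""
    return f"<h1>Welcome, {name}!</h1>"


def render_welcome_safe(name: str) -> str:
    """Hardened pattern: HTML-encode at the point of output, every time."""
    return f"<h1>Welcome, {html.escape(name, quote=True)}!</h1>"


def raw_tag_survived(rendered: str) -> bool:
    """True if an injected tag reached the output unencoded."""
    low = rendered.lower()
    return "<script" in low or "<img" in low


# Stored XSS: keep the comment as submitted, but encode it whenever it is
# rendered, so the defence does not depend on what was filtered at submit time.
def add_comment(store: list, comment: str) -> None:
    if not comment.strip() or len(comment) > 500:
        raise ValueError("comment must be 1-500 non-blank characters")
    store.append(comment)


def render_comments(store: list) -> str:
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in store) + "</ul>"


def demo() -> dict:
    """Compare the three handling strategies over the sample inputs."""
    results = {}
    for value in SAMPLE_INPUTS:
        results[value] = {
            "allowlist_accepts": is_valid_name(value),
            "blocklist_then_unsafe_render_leaks": raw_tag_survived(
                render_welcome_unsafe(blocklist_filter(value))),
            "safe_render_leaks": raw_tag_survived(render_welcome_safe(value)),
        }
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r}: {outcome}")
```

Running demo() shows the blocklist stopping only the exact lowercase tag while letting the mixed-case and attribute-based variants through, whereas the encoded render leaks none of them; the allowlist rejects every payload before it is stored at all.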
Vulnerability 3
Title: Revealing HTTP Header with Curl Command
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Medium
Description: When the page was requested with curl, the HTTP response headers revealed sensitive information.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Sanitize the HTTP response headers so they contain only the information strictly required for the application to function.
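To make the remediation checkable, here is an added Python example (written for this report, not part of the Rekall application or the tester's tooling) that parses a raw `curl -I` style response and audits it: it flags headers that disclose software versions, security headers that are absent, and session cookies set without HttpOnly/Secure. The sample response and the hardened comparison set are constructed.

```python
# Constructed example of a raw response as `curl -I` prints it; not the
# engagement's actual output.
RAW_RESPONSE = """\
HTTP/1.1 200 OK
Date: Thu, 20 Oct 2022 12:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=constructedvalue; path=/
Content-Type: text/html; charset=UTF-8
"""

# Headers that tell a visitor which software and version is running.
DISCLOSING = ("Server", "X-Powered-By", "X-AspNet-Version",
              "X-AspNetMvc-Version", "X-Generator", "Via")

# Headers a hardened response should carry, with a reasonable target value.
EXPECTED = (
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'"),
)

# What the same response should look like after remediation (constructed).
HARDENED_HEADERS = [
    ("Date", "Thu, 20 Oct 2022 12:00:00 GMT"),
    ("Set-Cookie", "PHPSESSID=constructedvalue; path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Content-Type", "text/html; charset=UTF-8"),
] + [(name, value) for name, value in EXPECTED]


def parse_raw_headers(raw: str) -> list:
    """Turn a raw response head into (name, value) pairs, skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def audit_headers(headers: list) -> list:
    """Return (category, header, detail) findings; an empty list means clean."""
    findings = []
    present = {name.lower(): value for name, value in headers}
    for name in DISCLOSING:
        if name.lower() in present:
            findings.append(("disclosure", name, present[name.lower()]))
    for name, target in EXPECTED:
        if name.lower() not in present:
            findings.append(("missing", name, target))
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            for required in ("httponly", "secure"):
                if required not in flags:
                    findings.append(("cookie", cookie_name, f"missing {required}"))
    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_raw_headers(RAW_RESPONSE)):
        print(finding)
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

Removing the Server and X-Powered-By values is usually a web-server configuration change (for Apache, the ServerTokens directive and the PHP expose_php setting control them); the audit above simply confirms the change took effect.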
Vulnerability 4
Title: Local File Inclusion (x2)
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: High
Description: In two different fields that asked for a file upload, a PHP script could be uploaded. One field specified a JPG file, but renaming the PHP file as a JPG circumvented this input validation.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Input validation is always suggested, but given the workarounds available for file uploads, I would choose not to require an upload at all so there is no chance of a malicious upload.
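Where an upload field has to stay, the check that defeated the report's "rename PHP to JPG" trick is content inspection rather than trusting the client-supplied name. The following is an added Python example written for this report (not the application's code); the byte samples are constructed and the size limit is an assumption. It verifies the extension against an allowlist, sniffs the file's magic bytes, requires the two to agree, rejects image files that carry embedded PHP tags, and assigns a server-generated storage name so the client never controls the path.

```python
import os
import uuid

# Byte signatures for the image types the form is meant to accept.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
ALLOWED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png"}
MAX_BYTES = 2_000_000  # assumed limit for a profile picture

# Constructed samples: a minimal JPEG/JFIF header and a harmless PHP file.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'test'; ?>"


def sniff_mime(data: bytes):
    """Identify the content by its leading bytes, ignoring the file name."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(client_filename: str, data: bytes):
    """Return (accepted, detail). Detail is the MIME type when accepted,
    otherwise the reason for rejection."""
    ext = os.path.splitext(client_filename)[1].lower()
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    actual = sniff_mime(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != expected:
        return False, f"extension says {expected} but content is {actual}"
    # A real image with PHP appended is still an image by magic bytes, so
    # also refuse anything that contains PHP open tags.
    if b"<?php" in data or b"<?=" in data:
        return False, "image contains embedded PHP tags"
    return True, actual


def storage_name(mime: str) -> str:
    """Server-chosen file name: random, with an extension derived from the
    verified type rather than from the client."""
    ext = {"image/jpeg": ".jpg", "image/png": ".png"}[mime]
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG_SAMPLE), ("shell.php", PHP_SAMPLE),
                       ("shell.jpg", PHP_SAMPLE), ("poly.jpg", JPEG_SAMPLE + PHP_SAMPLE)]:
        print(name, validate_upload(name, blob))
```

Two points the code cannot enforce on its own: store accepted files outside the document root (or in a location where the web server is configured not to execute anything), and serve them back through a handler that sets the verified Content-Type. Content inspection narrows what gets in; the execution policy is what makes a slip-through harmless.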
Vulnerability 5
Title: SQL Injection on Login Page
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Medium
Description: At the login page, a SQL injection in the login field (OR '1' = '1) revealed extraneous login information that should not have appeared.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Input validation should be implemented so that the ' character is not accepted at all, along with other common SQL fragments, to keep the database from being tricked.
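The following added Python example (written for this report, not the Rekall application's code) reproduces the logic condition the finding describes against an in-memory SQLite table and shows why it works: string concatenation lets the quote close the literal, so the OR clause becomes part of the query. The parameterized version beside it sends the same text as a bound value, where the quote is just a character. The user rows are constructed; a real system would store password hashes rather than the plaintext used here for brevity. Parameterization complements the character filtering recommended above and does not depend on it.

```python
import sqlite3

# Constructed credentials for the demo table; not the report's findings.
SEED_USERS = [("quaid", "pw-quaid-constructed"), ("melina", "pw-melina-constructed")]

# The logic condition the report describes, written out in full.
INJECTION = "' OR '1' = '1"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String concatenation: the quote in the input terminates the literal
    and the rest of the payload is parsed as SQL. With the payload in both
    fields the WHERE clause is always true and every row comes back."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Bound parameters: the driver passes the values separately from the
    statement text, so the input can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Run the payload and a valid login through both implementations."""
    conn = build_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, INJECTION, INJECTION),
        "parameterized_with_payload": login_parameterized(conn, INJECTION, INJECTION),
        "parameterized_valid": login_parameterized(conn, "quaid", "pw-quaid-constructed"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable query returns both users for the payload, which is the "extraneous login information" the finding reports; the parameterized query returns nothing for the payload and exactly one row for a genuine credential pair.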
Vulnerability 6
Title: Exposed Credentials on HTTP Login Source Page
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Medium
Description: When “view source” was selected, the page source included a set of login credentials that should not have been visible to the public.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: During development, comb the code for embedded login information and be sure it is removed in the test environment before the application is launched.
Vulnerability 7
Title: Robots.txt led to sensitive files
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Low
Description: The robots.txt file for the Rekall domain revealed a few sensitive files on the web server.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: If files are sensitive, do not store them on the web server. Be sure that your data is secured deeper in the network topology and properly encrypted, to keep prying eyes from discovering too much company data.
Vulnerability 8
Title: PHP Injection in URL
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: High
Description: A PHP injection in the URL was used to navigate to unintended files and view sensitive information.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Do not execute shell commands directly from the application, and never combine untrusted data with a direct shell invocation.
Vulnerability 9
Title: Directory traversal possible in URL
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: High
Description: Using the URL, directory traversal was possible, allowing sensitive files on the Linux server to be read.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Be sure developers apply input validation strategies to the URL parameters handled by the page source code.
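The traversal in this finding and the PHP injection in the previous one both come from a URL parameter being turned into a filesystem path without a boundary check. The following is an added Python example written for this report, not the application's code; the document root and page names are constructed. It decodes the requested path once, rejects null bytes, resolves the candidate path and refuses anything that ends up outside the document root, and also shows the stricter alternative of mapping a key to a fixed page rather than accepting a path at all.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed document root; the engagement's real paths are not reproduced.
DOC_ROOT = "/srv/www/rekall/public"

# Stricter alternative: when the servable pages are known, accept a key,
# not a path. Page names here come from the report's narrative.
PAGES = {"disclaimer": "Disclaimer.php", "souvenirs": "souvenirs.php"}


def resolve_under_root(root: str, requested: str) -> Path:
    """Map a user-supplied relative path to a file under root, or raise
    PermissionError if it escapes."""
    base = Path(root).resolve()
    decoded = unquote(requested)           # decode once; %2e%2e becomes ..
    if "\x00" in decoded:
        raise PermissionError("null byte in requested path")
    # Path joining with an absolute component discards the base, which is
    # exactly why the result must be checked, not trusted.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"{requested!r} escapes the document root") from None
    return candidate


def is_safe_request(root: str, requested: str) -> bool:
    """Boolean wrapper used for bulk checks and tests."""
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False


def page_from_key(key: str) -> Path:
    """Allowlist approach: the client chooses a key, the server chooses the file."""
    name = PAGES.get(key.lower())
    if name is None:
        raise KeyError(f"unknown page {key!r}")
    return Path(DOC_ROOT) / name


if __name__ == "__main__":
    # Constructed requests: two legitimate, the rest traversal attempts.
    for req in ["Disclaimer.php", "images/logo.png", "../../../etc/passwd",
                "/etc/passwd", "..%2F..%2Fetc%2Fpasswd", "a%00.php"]:
        print(f"{req!r}: {'ok' if is_safe_request(DOC_ROOT, req) else 'REJECTED'}")
    print(page_from_key("souvenirs"))
```

The boundary check happens after resolution, so symlinks and `..` sequences are judged by where they actually point; decoding only once means a double-encoded sequence stays a literal (non-existent) directory name rather than becoming a traversal on a second pass.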
Vulnerability 10
Title: SSL Certificate Expired
Type (Web App / Linux OS / Windows OS): Web App
Risk Rating: Critical
Description: The SSL certificate that identifies the web application has expired, making unsafe and insecure web traffic possible.
Images: *See Executive Summary*
Affected Hosts: Web Server 172.22.117.150
Remediation: Ensure the SSL certificate is current, and schedule maintenance for certificate renewal so there is no lapse in validity.
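The scheduled-renewal recommendation is easiest to keep when something checks expiry automatically. The following added Python example (written for this report, using only the standard library) assesses a certificate's notAfter date against a warning threshold and includes a live-check helper; the certificate summary is constructed in the shape getpeercert() returns, and the 30-day threshold is an assumption. Note that the default SSL context verifies the chain, so an already-expired certificate surfaces as a verification error rather than as data, and the helper reports it that way.

```python
import socket
import ssl
import time

# Constructed certificate summary in the shape ssl.SSLSocket.getpeercert()
# returns; the domain is the one named in the report, the dates are illustrative.
SAMPLE_CERT = {
    "subject": ((("commonName", "totalrekall.xyz"),),),
    "notBefore": "Oct  1 00:00:00 2021 GMT",
    "notAfter": "Sep 30 23:59:59 2022 GMT",
}

WARN_DAYS = 30  # assumed renewal lead time


def at(cert_time: str) -> float:
    """Convert a certificate-style timestamp to epoch seconds (helper for tests)."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now: float = None) -> float:
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400.0


def assess_cert(cert: dict, now: float = None, warn_days: int = WARN_DAYS):
    """Return (status, days_remaining); negative days mean already expired."""
    days = days_until_expiry(cert["notAfter"], now)
    if days < 0:
        return "EXPIRED", days
    if days < warn_days:
        return "RENEW_SOON", days
    return "OK", days


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch. The default context verifies the chain and hostname, so an
    expired or otherwise untrusted certificate raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host: str):
    """Monitoring entry point: every failure mode maps to a status string."""
    try:
        cert = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return "INVALID", str(exc)
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    return assess_cert(cert)


if __name__ == "__main__":
    status, days = assess_cert(SAMPLE_CERT, now=at("Oct 20 00:00:00 2022 GMT"))
    print(f"{SAMPLE_CERT['subject'][0][0][1]}: {status} ({days:.1f} days)")
```

Run check_host() from a scheduled job and alert on anything other than OK; a RENEW_SOON result with the assumed 30-day lead time is the point at which the renewal maintenance the remediation calls for should begin.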
Vulnerability 11
Title: Critical Vulnerability Exploited (Apache Struts)
Type (Web App / Linux OS / Windows OS): Linux OS
Risk Rating: Critical
Description: Using the Apache Struts vulnerability, a Meterpreter shell to the remote machine was established.
Images: *See Executive Summary*
Affected Hosts: Linux 192.168.13.12
Remediation: Update the Apache Struts installation to the most recent version so that security patches take effect and close the vulnerability, preventing a shell from being established.
Vulnerability 12
Title: Critical Vulnerability Exploited (Drupal)
Type (Web App / Linux OS / Windows OS): Linux OS
Risk Rating: Critical
Description: Using a known Drupal exploit, Metasploit was able to establish a Meterpreter shell with the remote host.
Images: *See Executive Summary*
Affected Hosts: Linux 192.168.13.13
Remediation: Update the server applications so the latest security patches are applied, or move the service to a different API without the known vulnerability, so that a shell cannot be established.
Vulnerability 13
Title: Tomcat Remote Code Execution
Type (Web App / Linux OS / Windows OS): Linux OS
Risk Rating: Critical
Description: A Tomcat and JSP exploit was run to establish a Meterpreter shell with the remote target.
Images: *See Executive Summary*
Affected Hosts: Linux 192.168.13.10
Remediation: Apply security patches, or switch to a more reliable and less exploitable service.
Vulnerability 14
Title: Shellshock Vulnerability Exploited
Type (Web App / Linux OS / Windows OS): Linux OS
Risk Rating: Critical
Description: The Shellshock exploit was used to obtain a makeshift bash shell so that a script could be executed on the target machine.
Images: *See Executive Summary*
Affected Hosts: Linux 192.168.13.11
Remediation: Change or update the affected services so that the Shellshock vector is no longer a method of attack.
Vulnerability 15
Title: CVE-2019-14287
Type (Web App / Linux OS / Windows OS): Linux OS
Risk Rating: Critical
Description: Using particular sudo privileges, a command was executed that gained root access and exploited the machine further.
Images: *See Executive Summary*
Affected Hosts: 192.168.13.12
Remediation: Edit the sudoers configuration so that the permitted commands are limited for the specified user, removing the entry that makes this exploit possible (least privilege necessary for daily tasks).
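CVE-2019-14287 affected sudo before 1.8.28 when a rule's Runas list was written as "any user except root" (for example `(ALL, !root)` or `(ALL, !#0)`): sudo accepted an invalid user id that resolved to root, so the exclusion did not hold. The following added Python example (written for this report, not a tool used in the engagement) audits a sudoers file for that Runas pattern and reports whether the installed sudo version is still vulnerable; the sample sudoers content and the user names in it are constructed. Flagged rules should be rewritten to name the specific account the user actually needs, which is the least-privilege change the remediation recommends.

```python
import re

FIXED_VERSION = (1, 8, 28)  # sudo 1.8.28 closed CVE-2019-14287

# A Runas list of "ALL except root". Before the fix, sudo accepted an invalid
# user id here that resolved to root, so the exclusion could be bypassed.
RISKY_RUNAS = re.compile(r"\(\s*ALL\s*,\s*!\s*(?:root|#0)\b[^)]*\)")

# Constructed sample for this example, not the engagement's sudoers file.
SAMPLE_SUDOERS = """\
# constructed sudoers sample
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
alice           ALL=(ALL, !root) /usr/bin/vi
bob             ALL=(ALL, !#0) NOPASSWD: ALL
carol           ALL=(www-data) /usr/bin/systemctl restart apache2
"""


def parse_version(text: str) -> tuple:
    """'1.8.27' -> (1, 8, 27); patch-level suffixes such as 'p1' are ignored."""
    return tuple(int(re.match(r"\d+", part).group()) for part in text.strip().split("."))


def audit_sudoers(text: str, sudo_version: str) -> list:
    """Return one finding per rule whose Runas list is 'ALL except root'."""
    version_vulnerable = parse_version(sudo_version) < FIXED_VERSION
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Only whole-line comments are skipped: '#0' inside a rule is a uid,
        # not the start of a comment.
        if not line or line.startswith("#"):
            continue
        if RISKY_RUNAS.search(line):
            user = line.split()[0]
            findings.append({
                "line": lineno,
                "user": user,
                "rule": line,
                "exploitable_now": version_vulnerable,
                "recommendation": (f"replace the Runas list for {user} with the "
                                   f"specific account the command must run as"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS, "1.8.27"):
        print(finding)
```

Even on a patched sudo the pattern is worth removing: "anyone but root" still grants far more than a daily task needs, and the rule for carol in the sample shows the shape to aim for.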
Vulnerability 16
Title: Open set of Credentials on GitHub
Type (Web App / Linux OS / Windows OS): Web App / Windows OS
Risk Rating: High
Description: After browsing Rekall’s GitHub page, valid credentials were found listed in one of the public repositories.
Images: *See Executive Summary*
Affected Hosts: Windows Machines (Valid Credentials)
Remediation: Encrypt any file that contains credentials, and never leave that information open and accessible on the internet, especially on a public page.
Vulnerability 17
Title: Sensitive file on open webpage with valid credentials
Type (Web App / Linux OS / Windows OS): Web App / Windows OS
Risk Rating: Medium
Description: When accessing one of the scanned IP addresses, a prompt for VPN credentials appeared. Using the credentials discovered in the vulnerability above, access was obtained and sensitive fields were viewed.
Images: *See Executive Summary*
Affected Hosts: Windows 172.22.117.20
Remediation: As stated above, do not keep those credentials where the public can view them. This will eliminate unintended logins.
Vulnerability 18
Title: FTP Open and Sensitive File able to be exfiltrated
Type (Web App / Linux OS / Windows OS): Windows OS
Risk Rating: Critical
Description: After scanning found FTP open on the remote host, the service was used to exfiltrate a sensitive file.
Images: *See Executive Summary*
Affected Hosts: Windows 172.22.117.20
Remediation: Close FTP port 21 and use a more secure file transfer method.
Vulnerability 19
Title: SLMAIL Vulnerability Exploited
Type (Web App / Linux OS / Windows OS): Windows OS
Risk Rating: Critical
Description: Using a known exploit against SLMAIL via POP3 port 110, a Meterpreter shell was established and access was gained.
Images: *See Executive Summary*
Affected Hosts: Windows 172.22.117.20
Remediation: Close unnecessary ports so exploits cannot gain unintended access. Switch to safer, more current and secure services and retire outdated versions.
Vulnerability 20
Title: Obtainable NTLM Hashes for DC
Type (Web App / Linux OS / Windows OS): Windows OS
Risk Rating: High
Description: After a Meterpreter shell was gained on the Windows machine, the Kiwi module was able to extract the LSA dump and obtain credential hashes.
Images: *See Executive Summary*
Affected Hosts: Windows 172.22.117.20
Remediation: Ensure all measures are taken to close unnecessary ports and services so that a Meterpreter shell cannot be established, and regularly clear cached credentials and the LSA secrets to keep sensitive credentials secret. Also rotate passwords to eliminate the attacker's chance of persistence.
Vulnerability 21
Title: DCSync Possible to Lateral to Domain Controller
Type (Web App / Linux OS / Windows OS): Windows OS
Risk Rating: Critical
Description: Once on the Windows machine with the discovered admin credentials, DCSync was used with Kiwi to move laterally to the Domain Controller.
Images: *See Executive Summary*
Affected Hosts: Windows 172.22.117.10
Remediation: Secure admin credentials and enforce password complexity so that cracking is at least slowed down, and rotate passwords regularly to eliminate the chance of persistence.
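Beyond the credential hygiene recommended above, DCSync is detectable: a replication request from anything other than a domain controller (or an approved directory-sync service account) is the signature. The following added Python example (written for this report, not part of the engagement's tooling) scans Security event 4662 records for the directory-replication extended rights and alerts when the requesting account is not on the replication allowlist. The log lines are constructed in a flattened key=value form and the allowlist is an assumption; the three replication-right GUIDs are the documented Active Directory values. The event only appears when the domain object's SACL audits "Replicating Directory Changes" and the Directory Service Access audit subcategory is enabled.

```python
import re

# Extended rights that a replication partner exercises; these GUIDs are the
# documented Active Directory values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts legitimately allowed to replicate: DC computer accounts plus any
# approved directory-sync service account. Constructed for this example.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "svc_dirsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed Security-log lines (event 4662 flattened to key=value form).
# The non-replication GUID in the third line is a placeholder, not a real right.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=REKALL ObjectType=domainDNS "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=AMDBob SubjectDomainName=REKALL ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
    "AccessMask=0x100",
    "EventID=4662 SubjectUserName=AMDBob SubjectDomainName=REKALL ObjectType=user "
    "Properties={00000000-0000-0000-0000-00000000ffff} AccessMask=0x20",
    "EventID=4624 SubjectUserName=AMDBob LogonType=3",
]


def parse_event(line: str) -> dict:
    """Key=value fields plus every GUID found anywhere in the record."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["guids"] = [g.lower() for g in GUID_RE.findall(line)]
    return fields


def detect_dcsync(lines: list, allowed: set = ALLOWED_REPLICATORS) -> list:
    """Alert on 4662 events that exercise a replication right from an
    account that is not an approved replicator."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPLICATION_RIGHTS[g] for g in ev["guids"] if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "?")
        if subject in allowed:
            continue
        # Get-Changes-All is what yields password hashes, so rank it highest.
        severity = "critical" if "DS-Replication-Get-Changes-All" in rights else "high"
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '?')}\\{subject}",
            "rights": rights,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

Keep the allowlist tied to the actual DC computer accounts and the sync service identities; a new DC or a new sync product means updating it, and an alert on a human account such as the one in the sample is exactly the activity this finding describes.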