
The assessment starts as a black-box exercise, because the only thing we know about the target is the organization's identity.

PASSIVE RECONNAISSANCE or FOOTPRINTING


We begin with passive reconnaissance, or footprinting: everything in this phase is gathered from public sources without sending a single packet to the target's own systems.

For this first part I used the tools collected at https://osintframework.com/, all of which fall under OSINT.

We will not use all of them, since there are many, only the most representative ones, plus some taken from the unit's notes. I also wanted to try other tools and frameworks to evaluate their effectiveness, although they are already well proven.

The search can go as deep as we need into whatever we want to learn about the target.

WHOIS
whois imf-formacion.com

Domain Name: imf-formacion.com

Registry Domain ID: 77881834_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.dinahosting.com

Registrar URL: http://dinahosting.com

Updated Date: 2020-12-08T07:22:17Z

Creation Date: 2001-09-27T15:25:06Z

Registrar Registration Expiration Date: 2030-09-27T15:25:06Z

Registrar: Dinahosting s.l.

Registrar IANA ID: 1262

Registrar Abuse Contact Email: abuse-domains@dinahosting.com

Registrar Abuse Contact Phone: +34.981040200

Domain Status: clientDeleteProhibited (http://www.icann.org/epp#clientDeleteProhibited)

Domain Status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)


Registrant ID: Redacted by Privacy

Registrant Name: Redacted by Privacy

Registrant Organization: IMF International Business School

Registrant Street: Redacted by Privacy

Registrant City: Redacted by Privacy

Registrant State/Province: Madrid

Registrant Postal Code: Redacted by Privacy

Registrant Country: ES

Registrant Phone: Redacted by Privacy

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: https://dinahosting.com/dominios/contacto-whois/dominio/imf-formacion.com

Admin ID: Redacted by Privacy

Admin Name: Redacted by Privacy

Admin Organization: Redacted by Privacy

Admin Street: Redacted by Privacy

Admin City: Redacted by Privacy

Admin State/Province: Redacted by Privacy

Admin Postal Code: Redacted by Privacy

Admin Country: Redacted by Privacy

Admin Phone: Redacted by Privacy

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: https://dinahosting.com/dominios/contacto-whois/dominio/imf-formacion.com


Tech ID: Redacted by Privacy

Tech Name: Redacted by Privacy

Tech Organization: Redacted by Privacy

Tech Street: Redacted by Privacy

Tech City: Redacted by Privacy

Tech State/Province: Redacted by Privacy

Tech Postal Code: Redacted by Privacy

Tech Country: Redacted by Privacy

Tech Phone: Redacted by Privacy

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: https://dinahosting.com/dominios/contacto-whois/dominio/imf-formacion.com

Name Server: george.ns.cloudflare.com

Name Server: rosalyn.ns.cloudflare.com

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2022-02-15T23:43:04+0100 <<<

To obtain further information about codes on Whois status please visit

https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

After analysing the domain name we see that it is served by Cloudflare name servers (george.ns.cloudflare.com and rosalyn.ns.cloudflare.com) and that the zone is not DNSSEC-signed. The record also shows registrar transfer and delete locks and privacy-redacted contacts, so no personal names or mailboxes are exposed here.

This tells us how the website and the other services published on the Internet are fronted: the A records we will see are Cloudflare edge addresses rather than the origin server, so the public IP, geolocation and Shodan lookups that follow describe Cloudflare unless some other host name leaks the origin.
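The reading above can be automated so that every WHOIS record is checked for the same facts. The following Python script is an added example, not part of the original report and not code from any tool named here: it parses the "Key: value" WHOIS output reproduced above (an excerpt of that record is embedded as the sample) and derives what footprinting cares about: whether the name servers are Cloudflare's (so the visible A record is an edge, not the origin), whether the zone is DNSSEC-signed, whether registrar transfer/delete locks are set, and whether contact data is redacted.

```python
# The WHOIS record for imf-formacion.com as printed above, trimmed to the
# fields the parser uses (the full output is in the section body).
WHOIS_SAMPLE = """\
Domain Name: imf-formacion.com
Registrar WHOIS Server: whois.dinahosting.com
Updated Date: 2020-12-08T07:22:17Z
Creation Date: 2001-09-27T15:25:06Z
Registrar Registration Expiration Date: 2030-09-27T15:25:06Z
Registrar: Dinahosting s.l.
Domain Status: clientDeleteProhibited (http://www.icann.org/epp#clientDeleteProhibited)
Domain Status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)
Registrant Name: Redacted by Privacy
Registrant Organization: IMF International Business School
Registrant Country: ES
Registrant Phone Ext:
Admin Email: https://dinahosting.com/dominios/contacto-whois/dominio/imf-formacion.com
Name Server: george.ns.cloudflare.com
Name Server: rosalyn.ns.cloudflare.com
DNSSEC: unsigned
>>> Last update of WHOIS database: 2022-02-15T23:43:04+0100 <<<
"""

# Keys that legitimately repeat in a WHOIS record; they always map to a list.
MULTI_VALUE_KEYS = ("Name Server", "Domain Status")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict. Empty values (e.g. 'Fax Ext:') and
    the '>>> ... <<<' trailer are skipped; repeated keys accumulate in lists."""
    record = {key: [] for key in MULTI_VALUE_KEYS}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")      # split on the first colon only,
        key, value = key.strip(), value.strip()  # so URLs in values keep their ':'
        if not value:
            continue
        if key in MULTI_VALUE_KEYS:
            record[key].append(value)
        else:
            record[key] = value
    return record


def recon_notes(record):
    """Derive the facts the footprinting step actually cares about."""
    name_servers = [ns.lower() for ns in record["Name Server"]]
    statuses = {s.split()[0] for s in record["Domain Status"]}  # drop the EPP URL
    redacted = any(v == "Redacted by Privacy"
                   for v in record.values() if isinstance(v, str))
    return {
        "registrar": record.get("Registrar"),
        # Cloudflare name servers: the A record you will see is a CDN edge, not
        # the origin, so IP geolocation/Shodan describe Cloudflare, not the target.
        "cloudflare_fronted": bool(name_servers)
        and all(ns.endswith(".ns.cloudflare.com") for ns in name_servers),
        # 'unsigned' means resolvers cannot validate answers for this zone.
        "dnssec_signed": record.get("DNSSEC", "unsigned").lower() != "unsigned",
        # Both EPP locks set: registrar-level hijack via transfer/delete is harder.
        "registrar_locked": {"clientTransferProhibited",
                             "clientDeleteProhibited"} <= statuses,
        # Redacted contacts: no names or mailboxes for a pretext, only web forms.
        "contacts_redacted": redacted,
    }


if __name__ == "__main__":
    import sys
    # Pipe real output in ('whois example.com | python3 whois_notes.py') or run
    # it bare to use the embedded record.
    raw = sys.stdin.read() if not sys.stdin.isatty() else WHOIS_SAMPLE
    for key, value in recon_notes(parse_whois(raw)).items():
        print(f"{key:20} {value}")
```

The notes feed the next steps directly: with cloudflare_fronted true, the IP, geolocation and Shodan lookups below describe Cloudflare's edge, and the origin has to be hunted through subdomains, historical DNS or mail headers instead.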
PUBLIC IP

GEOLOCATION
https://www.ipfingerprints.com/
SHODAN
We use https://www.faganfinder.com/ to run the query through every search engine at once and extract different kinds of information.

The results are then analysed and ranked by importance.


RECON-NG

WIKIPEDIA
https://es.wikipedia.org/wiki/IMF_International_Business_School

An important data point is the founder's name, Carlos Martínez Domínguez.

The school is based in Madrid but has several campuses:

.- Málaga.

.- Bogota.

.- Quito.

.- La Paz.

.- Lisboa.

It is affiliated with several Spanish universities:

.- Universidad Camilo José Cela.

.- Universidad de Nebrija.

.- Universidad Católica de Ávila.

.- Universidad del Atlántico Medio.

.- Universidad San Pablo CEU.

SOCIAL NETWORKS
https://twitter.com/imf_education/

https://www.facebook.com/IMF.Education/

https://www.linkedin.com/school/imf-smart-education/

https://www.instagram.com/imf_smart_education/

https://telegram.me/SomosIMF/

https://www.youtube.com/c/imfformacion

Looking at these profiles we see that the organization has between 201 and 500 employees, the street addresses of its campuses, and information about some of its most prominent and representative employees. To enumerate people we use the framework:

THE HARVESTER
[*] Target: imf-formacion

Searching 100 results.

Searching 200 results.

[*] Searching Linkedin.

[*] LinkedIn Users found: 93

---------------------

Aitziber Txakartegi Hernandez - Profesora titular

Alberto Cipolla

Alberto Leal Romero

Alejandro Vidal - Responsable

Ana Cabezas

Ana Fuentes Martin

Ana Leal Castilla

Ana Rodriguez Mora - Delegada ventas farmacias

Andressa Vasi Bella

Angela Lopez Mas - Auxiliar administrativo

Angeles Albarran

Angeles Toro Delgado - IMF Smart Education

Anna Stoyanova Mihaylovska

Bella F M

Borja Lavado - Engineering Coordinator

Carles Forns

Carlos Almeida - Analista de Ciberseguridad


Carlos Lopez - Freelance

Carmen Leal

Celestina Martin

Cristina Ayala Moya

Cristina Irisarri Tanco

Cristina M. - Educadora en CDAFA Illescas

Daniel Diez Zapardiel

Davi Mayer

David Colomar Careta

EDUARDO PUERTAS DE SOLO - Jefe de Obra

Elena Rubio

Enrique de la Cerda Cisneros

Ernesto Porcar Bataller

Esperanza Plaza - Gestora

Eva Meseguer - Tecnica RRHH

Eva. Fernandez

FELIX JIMENO - comercial

Fernando Palau Ramos - IMF Business School

Helena Mohedano Quiroz - Soporte de admisiones

Inmaculada Salcedo Moreno

Isabel Guerra Cascos - Administrativa

J. Pedro Mera Oliva - Ingeniero Tec. Ind.

Jara Domenech - Grupo Santander -SBGM

Javi Martin

Javier Carretero Chamorro

Javier Coronel Trenado - Ciudad Real y alrededores

Javier Cotan - GRUPO IMF-FORMACION

Jesus Salas
Jorge Andres Florez Rivera - IMF Business School

Jose Morente Castillo

Josune Segovia Bueno

Juan Alberto Garcia

Juan Antonio Marco Montes De Oca

Juan Francisco Maroto Arnaiz - Junta Directiva

LAURA CALVENTE OTERO

Lola Sicilia Paneque - GRUPO IMF FORMACION

M. Angeles Romero Ruiz - 1 er RRHH y PRL

MATILDE RUESCAS - IMF Business School

Magdalena Wozniak - Faborit Coffee Shop

Manuel Jesus Hernandez Quesada - Profesor

Marcelo di Iorio - Sr. Global Black Belt for CloudKnox

Maria Carmen LopezMosteiro Garcia

Mariam Herrero Latorre - Secretario administrativo

Mario Copado

Marta Ramirez

Maximiliano Perez Camard - BE

Monica Aceituno Berengueras

Nieva Machin - Profesor universitario a tiempo parcial

Nieves Diaz

Nuria Fernandez Lopez

Nuria Gonzalez-Gamallo

Nuria Izquierdo

Omv Consultoria - Profesor

Oscar Marin Carvajal - Global Business Recruiter

Paloma Garcia

Patricia Evangelio Morato


Patricia Guirado Carabel

RAQUEL SAN CRISTOBAL BARROSO

Rafael Mesa

Rosa Meijide

Sandra Franco Meliveo

Sandra Laperal Toquero - Profesora

Sandra Pascual - Gestor de cuentas

Silvia Robador

Soledad Garcia-Navas - Gerente

Susana Murillo Maya - Manager Planning

Teresa Canals Morera - Analista de laboratorio

Vanessa V.

Veronica Prieto Pizarro - Consultora comercial

Virginia Arencibia - Dependiente

Wender Amaro de Azevedo - Cloud SysAdmin

Yaiza C.

Yolanda C. - Departamento de rrhh

julia rodes

menague marie danielle

[*] LinkedIn Links found: 0


SKYMEM
https://www.skymem.info/

Email address search. Before feeding the harvested names into it, the list needs manual triage: theHarvester's LinkedIn module matches any profile that mentions the search string, so it mixes current staff with alumni and unrelated profiles (entries such as "Faborit Coffee Shop" or "Grupo Santander" above are clearly not IMF employees).
VERIFY-EMAIL
https://verify-email.org/

Verification of the candidate email addresses.


GOOGLE HACKING
CERTIFICATE SEARCH

ACTIVE RECONNAISSANCE or FINGERPRINTING


Next we continue with active reconnaissance, or fingerprinting. Unlike footprinting, every step from here on sends traffic to the target's systems, so it must stay inside the authorized scope.

NSLOOKUP

DNSRECON and DNSENUM


https://dnsdumpster.com/
SUBDOMAINS

https://spyse.com/tools/subdomain-finder
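As an added example (not the report's own work, and not code from dnsrecon, dnsenum, dnsdumpster or the spyse tool), the following Python script shows the wordlist half of subdomain enumeration in a form that can be tested offline: it resolves label.domain for each candidate label in parallel, and first probes a random label to detect wildcard DNS, which would otherwise make every candidate look valid. The resolver is injectable; make_dict_resolver and the example.test names are constructed for the offline demonstration, and the real run at the bottom uses socket.gethostbyname against the report's target.

```python
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor

# Short wordlist for the example; a real run feeds a list of thousands of labels.
DEFAULT_WORDLIST = ["www", "mail", "ftp", "vpn", "campus", "dev", "staging", "autodiscover"]


def make_dict_resolver(table, wildcard_ip=None):
    """Build a fake resolver from a {fqdn: ip} table so the logic runs offline.
    With wildcard_ip set, every unknown name resolves to it, imitating a zone with
    a '*' record; otherwise unknown names raise OSError like gethostbyname does."""
    def resolve(name):
        if name in table:
            return table[name]
        if wildcard_ip is not None:
            return wildcard_ip
        raise OSError(f"no such host: {name}")
    return resolve


def detect_wildcard(domain, resolve=socket.gethostbyname):
    """Query a random label. If it resolves, the zone has wildcard DNS and the
    returned IP must be discounted, or every wordlist entry will look 'found'."""
    try:
        return resolve(f"{secrets.token_hex(8)}.{domain}")
    except OSError:
        return None


def enumerate_subdomains(domain, wordlist=DEFAULT_WORDLIST,
                         resolve=socket.gethostbyname, workers=16):
    """Resolve label.domain for every label in parallel; return {fqdn: ip} for hits."""
    def probe(label):
        fqdn = f"{label}.{domain}"
        try:
            return fqdn, resolve(fqdn)
        except OSError:  # socket.gaierror is a subclass of OSError
            return fqdn, None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, wordlist))
    return {fqdn: ip for fqdn, ip in results if ip is not None}


def filter_wildcard(found, wildcard_ip):
    """Drop hits that only exist because of the wildcard record."""
    if wildcard_ip is None:
        return found
    return {fqdn: ip for fqdn, ip in found.items() if ip != wildcard_ip}


if __name__ == "__main__":
    # Real run against the target from this report (needs network and authorization).
    target = "imf-formacion.com"
    wild = detect_wildcard(target)
    hits = filter_wildcard(enumerate_subdomains(target), wild)
    for name, ip in sorted(hits.items()):
        print(f"{name:40} {ip}")
```

On a Cloudflare-fronted domain most hits will resolve to Cloudflare edge addresses; the interesting ones are the names that resolve to anything else, because they may expose the origin or a system outside the CDN.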
PORT AND SERVICE SCANNING

We set up the virtual machines (Kali and Ubuntu) in VirtualBox with the network adapter in bridged mode, so both sit on the same LAN as the host.

First, on the Kali VM (vmkali), we run sudo su to elevate privileges to root, which the OS-detection and UDP scans below require.

Next, from vmkali, we run the following command to learn which network we are working on:

ifconfig

The result shows a private class C network, 192.168.1.x/24.

We continue with

nmap -O 192.168.1.0/24

to locate the Ubuntu VM (vmubuntu) we will be working on within that network and to list its open ports; the OS fingerprint is what confirms it is the VM we want to attack.

Even so, we can run other commands to double-check that the host is there (the ARP scan is the most reliable on a local segment, since it works even when ICMP is filtered):

arp-scan 192.168.1.0/24
nmap -sn 192.168.1.0/24

Once we know the IP, we run nmap again to identify the service and version behind each port (-sV; -Pn skips host discovery, which matters when the host drops ping):

nmap -Pn 192.168.1.69 -sV -p 21

nmap -Pn 192.168.1.69 -sV -p 22

nmap -Pn 192.168.1.69 -sV -p 25

nmap -Pn 192.168.1.69 -sV -p 80

nmap -Pn 192.168.1.69 -sV -p 110

nmap -Pn 192.168.1.69 -sV -p 119

nmap -Pn 192.168.1.69 -A

nmap -Pn 192.168.1.69 -sC

nmap -Pn 192.168.1.69 -sU

The six single-port scans can be collapsed into one run with -p 21,22,25,80,110,119. -A adds OS detection, the default script set and a traceroute on top of -sV, and the UDP scan (-sU) needs root and is slow, so it is best limited to a port list as well.


VULNERABILITY ANALYSIS AGAINST THE VIRTUAL MACHINE
We run:

nmap 192.168.1.69 --script=vuln

so that it reports the best-known vulnerabilities for the detected services.

With all this information we see two candidate services to attack: 21, which is an FTP server, and 80, which serves a web page called cyberacademy.

We exploit the web service with a Slowloris DoS.

The page stops loading.

As soon as we stop the exploit, it loads again. Slowloris holds many half-finished HTTP requests open until the server's worker pool is exhausted; it is a resource-exhaustion weakness rather than a bug in a specific version, and on Apache the standard mitigation is mod_reqtimeout together with per-client connection limits.


Analysis with OWASP ZAP

Analysis with Nessus


nmap -sV --script=vulscan/vulscan.nse 192.168.1.69

(vulscan is a third-party NSE script that has to be installed under nmap's scripts directory first), etc.

Having seen certain vulnerabilities, we launch Metasploit.


Next we look for an exploit for FTP on Linux, specifically for the vsftpd service running on port 21.

Searching the Internet we find that it can be exploited:

https://www.exploit-db.com/exploits/49719

We download the file and run it:

python2 49719.py 192.168.1.69 21

and get no result. An Exploit-DB entry targets one specific release, so before running it the version in the -sV banner should be compared with the version named in the exploit's header; a silent failure like this one usually means the target runs a different build.


We also observed that the FTP service on port 21 allows the anonymous user, so we try to connect with FileZilla.

There we find a flag: FLAG{FTP_4n0nym0us_G00D_JoB!}

We look for a vulnerability in the OpenSSH 7.2p2 service on port 22, again on exploit-db:

https://www.exploit-db.com/exploits/40136

Vulnerability for the JAMES smtpd 2.3.2.1 service on port 25:

https://www.exploit-db.com/exploits/50347

It errors out; reading a little further we find this vulnerability instead:

https://www.exploit-db.com/exploits/35513
Vulnerability for Apache httpd 2.4.18 ((Ubuntu)) on port 80

We search https://www.cvedetails.com/, which lists every CVE recorded against Apache httpd 2.4. Two filters are needed before any of these become findings: the affected range stated in each description must actually include 2.4.18 (many of the entries below only affect 2.4.49 or later), and on Ubuntu the 2.4.18 package receives backported security fixes without a version bump, so a banner match is only a candidate until it is confirmed against the distribution's changelog or by a test that exercises the bug.
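Both filters can be mechanised, and the same script also replaces the per-port -sV runs from the scanning step. The following Python script is an added example, not the report's own code and not part of nmap or cvedetails: it parses one host line of nmap's grepable output (-oG), pulls the Apache version out of the http banner, and keeps only the CVEs whose affected range, as transcribed from the cvedetails descriptions that follow, covers that version. The nmap line is constructed to carry the banners this report names (the report does not state the vsftpd release, so that banner has no version), and the CVE catalogue is a subset of the table below chosen to show both matches and non-matches.

```python
import re

# Constructed line in the shape `nmap -sV -oG -` prints for one host, carrying
# the banners this report identifies (the report does not state the vsftpd
# release, so that banner has no version number).
NMAP_GREPABLE_SAMPLE = (
    "Host: 192.168.1.69 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2/, "
    "25/open/tcp//smtp//JAMES smtpd 2.3.2.1/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/"
    "\tIgnored State: closed (996)"
)

# Grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Affected ranges transcribed from the cvedetails descriptions listed below.
# A lower bound of None means "this version and everything earlier".
APACHE_HTTPD_CVES = [
    ("CVE-2021-44790", None,       (2, 4, 51)),  # mod_lua overflow, 2.4.51 and earlier
    ("CVE-2021-44224", (2, 4, 7),  (2, 4, 51)),  # forward-proxy NULL deref / SSRF
    ("CVE-2021-42013", (2, 4, 49), (2, 4, 50)),  # path traversal, 2.4.49-2.4.50 only
    ("CVE-2021-41773", (2, 4, 49), (2, 4, 49)),  # path traversal, 2.4.49 only
    ("CVE-2021-33193", (2, 4, 17), (2, 4, 48)),  # HTTP/2 method bypass via mod_proxy
    ("CVE-2021-31618", (2, 4, 47), (2, 4, 47)),  # 2.4.47 only (never released)
    ("CVE-2021-30641", (2, 4, 39), (2, 4, 46)),  # MergeSlashes OFF
    ("CVE-2020-13950", (2, 4, 41), (2, 4, 46)),  # mod_proxy_http NULL deref
    ("CVE-2019-10082", (2, 4, 18), (2, 4, 39)),  # HTTP/2 use-after-free
    ("CVE-2019-0211",  (2, 4, 17), (2, 4, 38)),  # scoreboard local privilege escalation
    ("CVE-2017-9798",  (2, 4, 0),  (2, 4, 27)),  # Optionsbleed
]


def parse_grepable(line):
    """Return [(port, proto, service, version_banner)] for open ports in one host line."""
    m = re.search(r"Ports: ([^\t]*)", line)
    if not m:
        return []
    services = []
    for entry in m.group(1).split(", "):
        pm = PORT_RE.match(entry.strip())
        if pm and pm.group(2) == "open":
            port, _state, proto, _owner, service, _rpc, version = pm.groups()
            services.append((int(port), proto, service, version.strip()))
    return services


def httpd_version(banner):
    """'Apache httpd 2.4.18 ((Ubuntu))' -> (2, 4, 18); None for other banners."""
    m = re.search(r"Apache httpd (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def applicable_cves(version, catalog=APACHE_HTTPD_CVES):
    """CVEs whose stated range includes `version`. Tuples compare element-wise,
    so (2, 4, 7) <= (2, 4, 18) <= (2, 4, 51) works without string tricks."""
    return [cve for cve, low, high in catalog
            if (low is None or low <= version) and version <= high]


def triage(line):
    """Find the httpd banner in one -oG line and list its candidate CVEs.
    Candidates only: distro packages backport fixes without changing the banner."""
    for port, _proto, _service, banner in parse_grepable(line):
        version = httpd_version(banner)
        if version:
            return {"port": port, "version": version,
                    "candidates": applicable_cves(version)}
    return None


if __name__ == "__main__":
    # Real use: nmap -sV -p 21,22,25,80 -oG - 192.168.1.69 | python3 triage.py
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else [NMAP_GREPABLE_SAMPLE]
    for host_line in lines:
        result = triage(host_line)
        if result:
            print(result)
```

For the 2.4.18 banner the script keeps six of the eleven catalogued entries and drops the 2.4.49/2.4.50 path-traversal pair that dominates search results for "Apache 2.4 exploit". Each surviving candidate still has to be confirmed against the Ubuntu package changelog or with a non-destructive test for that specific bug.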


# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date
Score Gained Access Level Access Complexity Authentication Conf. Integ.
Avail.

1 CVE-2021-44790 787 Overflow 2021-12-20 2022-02-07


7.5 None RemoteLow Not required Partial Partial Partial A carefully crafted
request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called
from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it
might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

2 CVE-2021-44224 476 2021-12-20 2022-02-19 6.4


None RemoteLow Not required None Partial Partial A crafted URI sent to
httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer
dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for
requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

3 CVE-2021-42013 22 Exec Code Dir. Trav. 2021-10-07 2022-02-


07 7.5 None RemoteLow Not required Partial Partial Partial It was found that
the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a
path traversal attack to map URLs to files outside the directories configure d by Alias-like
directives. If files outside of these directories are not protected by the usual default configuration
"require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased
pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and
Apache 2.4.50 and not earlier versions.

4 CVE-2021-41773 22 Exec Code Dir. Trav. 2021-10-05 2022-02-


07 4.3 None RemoteMedium Not required Partial None None A flaw
was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker
could use a path traversal attack to map URLs to files outside the directories configured by Alias -
like directives. If files outside of these directories are not protected by the usual default
configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for
these aliased pathes, this could allow for remote code execution. This issue is known to be
exploited in the wild. This issue only affects Apache 2.4.49 and not e arlier versions. The fix in
Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

5 CVE-2021-41524 476 2021-10-05 2022-02-07 5.0


None RemoteLow Not required None None Partial While fuzzing the 2.4.49
httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an
external source to DoS the server. This requires a specially crafted request. The vulnerability was
recently introduced in version 2.4.49. No exploit is known to the project.

6 CVE-2021-40438 918 2021-09-16 2022-02-07 6.8


None RemoteMedium Not required Partial Partial Partial A crafted request
uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote
user. This issue affects Apache HTTP Server 2.4.48 and earlier.

7 CVE-2021-39275 787 2021-09-16 2022-02-07 7.5


None RemoteLow Not required Partial Partial Partial ap_escape_quotes() may
write beyond the end of a buffer when given malicious input. No included modules pass untrusted
data to these functions, but third-party / external modules may. This issue affects Apache HTTP
Server 2.4.48 and earlier.

8 CVE-2021-36160 125 2021-09-16 2022-02-07 5.0


None RemoteLow Not required None None Partial A carefully crafted
request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash
(DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

9 CVE-2021-34798 476 2021-09-16 2022-02-07 5.0


None RemoteLow Not required None None Partial Malformed requests may
cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and
earlier.

10 CVE-2021-33193 Bypass 2021-08-16 2022-02-07 5.0


None RemoteLow Not required None Partial None A crafted method sent
through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request
splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

11 CVE-2021-31618 476 2021-06-15 2021-12-10 5.0


None RemoteLow Not required None None Partial Apache HTTP Server
protocol handler for the HTTP/2 protocol checks received request headers against the size
limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of
these restrictions and HTTP response is sent to the client with a status code indicating why the
request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol
handler if the offending header was the very first one received or appeared in a a footer. This led
to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since
such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the
server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only.
Apache HTTP Server 2.4.47 was never released.

12 CVE-2021-30641 2021-06-10 2021-12-02 5.0


None RemoteLow Not required None Partial None Apache HTTP Server
versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

13 CVE-2021-26691 787 Overflow 2021-06-10 2022-02-07


7.5 None RemoteLow Not required Partial Partial Partial In Apache HTTP
Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could
cause a heap overflow

14 CVE-2021-26690 476 DoS 2021-06-10 2021-12-01 5.0


None RemoteLow Not required None None Partial Apache HTTP Server
versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a
NULL pointer dereference and crash, leading to a possible Denial Of Service

15 CVE-2020-35452 787 Overflow 2021-06-10 2021-12-01


6.8 None RemoteMedium Not required Partial Partial Partial Apache
HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP
Server team could create one, though some particular compiler and/or compilation option might
make it possible, with limited consequences anyway due to the size (a single byte) and the value
(zero byte) of the overflow

16 CVE-2020-13950 476 DoS 2021-06-10 2021-12-01 5.0


None RemoteLow Not required None None Partial Apache HTTP Server
versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer derefe rence) with
specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a
Denial of Service

17 CVE-2020-11993 444 2020-08-07 2021-06-06 4.3


None RemoteMedium Not required None None Partial Apache HTTP
Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on
certain traffic edge patterns, logging statements were made on the wrong connection, causing
concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will m itigate
this vulnerability for unpatched servers.

18 CVE-2020-11985 345 2020-08-07 2021-06-06 4.3


None RemoteMedium Not required None Partial None IP address
spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying
with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for
logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was
retrospectively allocated a low severity CVE in 2020.

19 CVE-2020-11984 120 2020-08-07 2021-06-06 7.5


None RemoteLow Not required Partial Partial Partial Apache HTTP server
2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

20 CVE-2020-9490 444 2020-08-07 2021-06-06 5.0 None


RemoteLow Not required None None Partial Apache HTTP Server versions
2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would
result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring
the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

21 CVE-2020-1934 908 2020-04-01 2021-07-09 5.0 None


RemoteLow Not required Partial None None In Apache HTTP Server 2.4.0 to
2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

22 CVE-2020-1927 601 2020-04-02 2021-07-09 5.8 None


RemoteMedium Not required Partial Partial None In Apache HTTP Server
2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self -referential
might be fooled by encoded newlines and redirect instead to an an unexpected URL within the
request URL.

23 CVE-2019-17567 444 2021-06-10 2021-12-02 5.0


None RemoteLow Not required None Partial None Apache HTTP Server
versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily
Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for
subsequent requests on the same connection to pass through with no HTTP validation,
authentication or authorization possibly configured.

24 CVE-2019-10098 601 2019-09-25 2021-06-14 5.8


None RemoteMedium Not required Partial Partial None In Apache HTTP
server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self -
referential might be fooled by encoded newlines and redirect instead to an unexpected URL within
the request URL.

25 CVE-2019-10097 787 Overflow 2019-09-26 2021-07-07


6.0 None RemoteMedium ??? Partial Partial Partial In Apache HTTP
Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy
server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer
overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy
and not by untrusted HTTP clients.

26 CVE-2019-10092 79 XSS 2019-09-26 2021-09-09 4.3


None RemoteMedium Not required None Partial None In Apache HTTP
Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error
page. An attacker could cause the link on the error page to be malformed and instead point to a
page of their choice. This would only be exploitable where a server was set up with proxying
enabled but was misconfigured in such a way that the Proxy Error page was displaye d.

27 CVE-2019-10082 416 2019-09-26 2021-10-20 6.4


None RemoteLow Not required Partial None Partial In Apache HTTP Server
2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read
memory after being freed, during connection shutdown.

28 CVE-2019-10081 787 2019-08-15 2021-06-06 5.0


None RemoteLow Not required None None Partial HTTP/2 (2.4.20 through
2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an
overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that
of the configured push link header values, not data supplied by the client.

29 CVE-2019-0220 706 2019-06-11 2021-06-06 5.0 None


RemoteLow Not required Partial None None A vulnerability was found in
Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple
consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for
duplicates in regular expressions while other aspects of the servers processing will implicitly
collapse them.

30 CVE-2019-0217 362 Bypass 2019-04-08 2021-06-06 6.0 None


RemoteMedium ??? Partial Partial Partial In Apache HTTP Server 2.4 release
2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could
allow a user with valid credentials to authenticate using another username, bypassing configured
access control restrictions.

31 CVE-2019-0215 Bypass 2019-04-08 2021-06-06 6.0 None


RemoteMedium ??? Partial Partial Partial In Apache HTTP Server 2.4
releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification
with TLSv1.3 allowed a client to bypass configured access control restrictions.

32 CVE-2019-0211 416 Exec Code 2019-04-08 2021-06-06 7.2


None Local Low Not required Complete Complete Complete In
Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code
executing in less-privileged child processes or threads (including scripts executed by an in-process
scripting interpreter) could execute arbitrary code with the privileges of the parent process
(usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

33 CVE-2019-0197 444 2019-06-11 2021-06-06 4.9 None


RemoteMedium ??? None Partial Partial A vulnerability was found in
Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade
was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the
first request on a connection could lead to a misconfiguration and crash. Server that never
enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are
unaffected by this issue.

34 CVE-2019-0196 416 2019-06-11 2021-06-06 5.0 None


RemoteLow Not required None None Partial A vulnerability was found in
Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling
could be made to access freed memory in string comparison when determining the method of a
request and thus process the request incorrectly.

35 CVE-2018-17199 384 2019-01-30 2021-06-06 5.0


None RemoteLow Not required None Partial None In Apache HTTP Server 2.4
release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session.
This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry
time is loaded when the session is decoded.

36 CVE-2018-17189 400 2019-01-30 2021-07-06 5.0


None RemoteLow Not required None None Partial In Apache HTTP server
versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2
stream for that request unnecessarily occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections.

37 CVE-2018-11763 2018-09-25 2021-06-06 4.3


None RemoteMedium Not required None None Partial In Apache HTTP
Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a
connection, server thread and CPU time without any connection timeout coming to effect. This
affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

38 CVE-2018-8011 476 2018-07-18 2021-06-06 5.0 None


RemoteLow Not required None None Partial By specially crafting HTTP
requests, the mod_md challenge handler would dereference a NULL pointer and cause the child
process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34
(Affected 2.4.33).

39 CVE-2018-1333 400 DoS 2018-06-18 2021-06-06 5.0 None


RemoteLow Not required None None Partial By specially crafting HTTP/2
requests, workers would be allocated 60 seconds longer than necessary, leading to worker
exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-
2.4.30,2.4.33).

40 CVE-2018-1312 287 2018-03-26 2021-06-06 6.8 None


RemoteMedium Not required Partial Partial Partial In Apache httpd 2.2.0 to
2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply
attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a
common Digest authentication configuration, HTTP requests could be replayed across servers by
an attacker without detection.

41 CVE-2018-1303 125 DoS 2018-03-26 2021-06-06 5.0 None


RemoteLow Not required None None Partial A specially crafted HTTP request
header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound
read while preparing data to be cached in shared memory. It could be used as a Denial of Service
attack against users of mod_cache_socache. The vulnerability is considered as low risk since
mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.

42 CVE-2018-1302 476 2018-03-26 2021-06-06 4.3 None


RemoteMedium Not required None None Partial When an HTTP/2 stream
was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have
written a NULL pointer potentially to an already freed memory. The memory pools maintained by
the server make this vulnerability hard to trigger in usual configurations, the reporter and the
team could not reproduce it outside debug builds, so it is classified as low risk.

43 CVE-2018-1301 119 Overflow 2018-03-26 2021-06-06 4.3


None RemoteMedium Not required None None Partial A specially crafted
request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of
bound access after a size limit is reached by reading the HTTP header. This vulnerability is
considered very hard if not impossible to trigger in non-debug mode (both log and build level), so
it is classified as low risk for common server usage.

44 CVE-2018-1283 2018-03-26 2021-06-06 3.5 None


RemoteMedium ??? None Partial None In Apache httpd 2.4.0 to 2.4.29,
when mod_session is configured to forward its session data to CGI applications (SessionEnv on,
not the default), a remote user may influence their content by using a "Session" header. This
comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs,
since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per
CGI specifications.

45 CVE-2017-15715 20 2018-03-26 2021-06-06 6.8


None RemoteMedium Not required Partial Partial Partial In Apache httpd
2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in
a malicious filename, rather than matching only the end of the filename. This could be exploited in
environments where uploads of some files are are externally blocked, but only by matching the
trailing portion of the filename.

46 | CVE-2017-15710 | CWE-787 | DoS | Published 2018-03-26 | Updated 2021-06-06 | Score 5.0
Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Confidentiality: None | Integrity: None | Availability: Partial
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

47 | CVE-2017-12171 | CWE-20 | Published 2018-07-26 | Updated 2019-10-09 | Score 6.4
Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: Partial | Availability: None
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.

48 | CVE-2017-9798 | CWE-416 | Published 2017-09-18 | Updated 2021-06-06 | Score 5.0
Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: None | Availability: None
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

49 | CVE-2017-9789 | CWE-416 | Published 2017-07-13 | Updated 2021-06-06 | Score 5.0
Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Confidentiality: None | Integrity: None | Availability: Partial
When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

50 | CVE-2017-9788 | CWE-200 | DoS +Info | Published 2017-07-13 | Updated 2021-06-06 | Score 6.4
Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Confidentiality: Partial | Integrity: None | Availability: Partial
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

We use dirb to brute-force directories.

We open, one by one, the URLs we obtained by brute force.


Once we detect the indexing file robots.txt, knowing that robots.txt is used for the following: "When we create a new website we need Google to be able to access our page to crawl our information. To carry out this task it is necessary to create a text file (with the .txt extension) on our domain to provide the search engine with all the information we want it to know about our website or business."

We run the command curl http://192.1681.69/robots.txt, which shows us the same as in the attached image. It tells us that the ciberacademy part is disallowed; if we open a browser at that URL it shows us the following flag.
Reflected XSS vulnerability

We use Nikto
We use Skipfish

Once we have detected the vulnerabilities, we proceed with a reverse web shell.

Following the steps on this web page:

https://www.offensive-security.com/metasploit-unleashed/web-delivery/

We discover the following flag:

FLAG{SIMPLEMENTE_RCE}
Once connected, we move through the directories and find another flag inside
/home/deloitte

FLAG{W311_D0N3_R00T_1S_W41T1nG_U}

Once connected with a remote session we have to carry out privilege escalation; to do so we run the command uname -a, which shows us the kernel version of the operating system.

We then search for vulnerabilities for that version and find the following one:

https://www.exploit-db.com/exploits/45010

To use it, we download the file to our Kali machine and compile it.

We name the output root with the -o parameter.

Once it is compiled we have to upload it to the victim; for that we start a server on our Kali with a single command line.

Since we are the www-data user, we know we can only upload the file to the following location:

/var/temp

We move to that location and upload the file with wget.

Once the file is uploaded we have to give it execute permissions.

Then we run that file.

To verify that the program worked, we run the command whoami.

We are now root, so we can change the password.

Now, as the root user, we can do whatever we want with the victim.


Part of the documentation was provided by the tutor Raimundo; many thanks for the support and guidance, and for this YouTube page.

https://www.youtube.com/watch?v=ntIg4C6uzMM&ab_channel=Red_Team%21

With these permissions we keep browsing the directories and find the following flag.

We proceed to install the Wappalyzer add-on for Mozilla Firefox to find out which components the website is built with. It tells us: Apache, PHP and Ubuntu.

https://www.exploit-db.com/exploits/46676

JAMES pop3d 2.3.2.1 vulnerability, port 110

JAMES nntpd vulnerability, port 119

We do not find any exploit in msfconsole.


USING BURP SUITE

FLAG{LOGIN_Y_JAVASCRIPT}
FLAG{B13N_Y4_T13N3S_UN4_+}
