Assignment 3 Final - In-depth Report of Penetration Testing and Reporting, where the testing is conducted
Computer Systems Security (University of Hertfordshire)

Downloaded by Benjamin Curtis (benjamin.curtis8@gmail.com)


University of Hertfordshire
School of Computer Science
BSc Computer Science (Software Engineering)
Module: Computer Systems Security
Coursework 3
System Security Project Report

Level 6
Academic Year 2021 - 22

Abstract

The goal of this project was to conduct a penetration test on a target system at the allocated IP address 192.168.1.178, with the purpose of identifying vulnerabilities using various techniques and methods and then exploiting the vulnerabilities found. The project consisted of several tasks aimed at testing the computer system on the target machine according to a pre-prepared plan: a Standard Operating Procedure (SOP) and an Attack Tree were generated by analysing penetration testing methodologies such as OSSTMM, OWASP and NIST. After examining these methodologies, NIST came out on top for its relevance to the given scenario and its compatibility with outsider (grey box) testing, so the NIST SOP was used to produce the procedures to follow through the testing of the provided scenario. In the SOP, Information Gathering was omitted because the IP address had already been provided; that address was used to conduct the penetration test by discovering vulnerabilities, exploiting them, and finally writing the penetration testing report.

For the first step of testing, two methods were used to scan the given target for vulnerabilities: manual scanning with Nmap and the Nessus scanner were used to detect any critical weaknesses in the target. A number of vulnerabilities were found, of which five were chosen to be exploited using various frameworks, commands and techniques, namely Metasploit and DIRB. The result of each exploit and its mitigation were recorded and explained in detail throughout the report so that the vulnerabilities can be rectified to prevent attacks.

The conclusion drawn from this project is that even a single IP address can have many vulnerabilities, each of which can provide a lead to sensitive data; keeping a system on the latest software updates, adding authentication, and setting privileges for different users is therefore extremely vital.

For the first step of testing, two methods were used to scan through the given target to gather any
vulnerabilities, where manual scanning NMAP and a software Nessus was used to detect any critical
weaknesses within the target. Where number of vulnerabilities were found, consequently five
vulnerabilities were chosen to be exploited using various frameworks, commands, and techniques
namely Metasploit and DIRB. The result of the exploits and the mitigation for each of them were
recorded and explained in detail throughout the report for better understanding to rectify the
following vulnerabilities to prevent attacks from hackers.

The conclusions that could be drawn from this penetration project were that even a single IP address
can have many vulnerabilities, which could provide leads to many sensitive data, means keeping a
system with latest software updates, attaching authentication, and setting privileges for different
users is extremely vital.

Table of Contents
1.0 Introduction
2.0 Attack Narrative
2.1 Information gathering
2.2 Scanning and Enumerating
2.3 Vulnerability Identification
2.4 Vulnerability analysis
3.0 Vulnerability Exploitation
3.1 Directory Vulnerability
3.2 User directory traversal
3.3 Default Login - PHP
3.4 Privilege escalation
3.5 Mitigations
4.0 Conclusions
5.0 Overall Conclusions and Reflections
6.0 References
7.0 Appendices
7.1 MySQL (unauthorised exploitation)
7.2 DOS Attack
7.3 Pinging Target
7.4 Nmap scan report
7.5 DIRB report
7.6 Vulnerability report (Nessus)

1.0 Introduction
This penetration testing project was completed as part of the Computer Systems Security module, to consider security from the vulnerability and exploitation point of view. The project involved an attack on a Linux system, following the steps prescribed by penetration testing methodologies such as NIST. The main purpose of a penetration test is to discover vulnerabilities on the allocated IP address using various tools and techniques, then to exploit those vulnerabilities further to gain access to areas of the system that an outsider is not supposed to reach. This report first analyses the vulnerabilities and the ways of identifying them, then the frameworks used to exploit them, and finally the mitigation methods.

2.0 Attack Narrative

Prior to completing the tasks, thorough research was carried out to understand the concept of penetration testing and the different approaches to targeting a system, which led to the solid structure of procedures followed below.


2.1 Information gathering

Information gathering is done prior to penetration testing: the more useful the information about the target, the better the chance of succeeding in the penetration test and finding serious vulnerabilities (AAT Team, 2021). For this penetration test a single target was provided, which counts as the information gathered, as it can be used to proceed to the next step of scanning and enumeration. In contrast, had no information been given, ways of gathering it would have been needed, such as using a search engine like Google, or the various commands and frameworks for finding information about a target. Furthermore, a blog by Vincent Fack (2020) on information gathering and scanning describes two types of information gathering: passive, where information is gathered from published, open-source material such as whois records, mail servers and social networks; and active, where information that is not openly published is gathered using techniques that interact with the target and may trigger it.

2.2 Scanning and Enumerating

As part of the scanning phase, the target was first pinged to check whether it was running; there was instant feedback, as the packets were transmitted successfully.

Figure 1: Ping Result

Knowing the target was up and running, Nmap was used to find out about it: the OS (operating system) the target was running, the services exposed by the target, and the version of each service as well as its port. The scan results showed that the target system was running services such as port 22, the SSH service; port 80, an HTTP service running an old Apache version; MySQL, which had a '?' mark next to it, hinting that it may contain vulnerabilities; and finally VNC. These services were analysed using their software versions, and research was undertaken to find out what vulnerabilities were associated with them before a vulnerability scan was run on the target. This was done to know beforehand what results could be expected from vulnerability identification, linking vulnerability identification back to scanning to make a strong case for the exploitation.

Figure 2: Nmap Scan result
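The triage described above (reading each port's service and version banner, treating a '?' as "unverified" and an old Apache branch as a lead) is mechanical enough to script. The following is an added example, not code from the report: a small parser for Nmap's normal output that flags the same things the paragraph flags. The scan text is constructed to mirror the services the report names; the banner strings and the minor version numbers are made up and are not the target's real output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in Nmap's "normal" output format. It mirrors the services
# the report names (SSH, HTTP on an old Apache, MySQL shown as "mysql?", VNC),
# but the banner strings are invented; this is not the report's real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.178
Host is up (0.00041s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http    Apache httpd 1.3.37 ((Unix) PHP/5.2.4)
3306/tcp open  mysql?
5900/tcp open  vnc     VNC (protocol 3.3)
"""

# One port row: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+?))?\s*$"
)
APACHE_VERSION = re.compile(r"Apache httpd (?P<major>\d+)\.(?P<minor>\d+)")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_nmap(text: str) -> List[Service]:
    """Extract the per-port rows from Nmap normal output, skipping header lines."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], m["version"]))
    return services


def triage(services: List[Service]) -> Dict[int, List[str]]:
    """Attach follow-up notes to each open port, as a tester does when reading the scan."""
    findings = {}
    for s in services:
        if s.state != "open":
            continue
        if s.service.endswith("?"):
            # Nmap appends "?" when it guessed the service from the port number
            # but recognised no banner: the service must be verified by hand.
            s.flags.append("service guessed from port only; verify manually")
        elif s.version is None:
            s.flags.append("no version banner; re-scan with -sV or check manually")
        if s.version:
            m = APACHE_VERSION.search(s.version)
            if m and int(m["major"]) < 2:
                # The 1.x branch is end-of-life; the report recommends moving to 2.4.
                s.flags.append("Apache 1.x is end-of-life; upgrade to the 2.4 branch")
        findings[s.port] = list(s.flags)
    return findings


if __name__ == "__main__":
    for port, flags in triage(parse_nmap(SAMPLE_NMAP_OUTPUT)).items():
        print(port, flags or ["nothing to flag from the banner alone"])
```

Only the banner is examined here; a port with no flags (SSH, VNC in the sample) is not declared safe, it is simply handed on to the vulnerability scanner and to version research, which is the order the report follows.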

2.3 Vulnerability Identification

The vulnerability identification phase of a penetration test builds on the previous phase of scanning and enumeration and conducts further analysis using tools and techniques to unveil vulnerabilities. This is where OpenVAS and Nessus become extremely helpful: they gather information about the target and provide a detailed analysis of the system, highlighting the most likely vulnerable areas to focus on. Nessus additionally gives the tester a severity rating, a thorough description of the cause of each vulnerability, and its solution.

Accordingly, a Nessus scan was run against the allocated IP address to identify any known vulnerabilities. It identified a high number of vulnerabilities, rated by severity as Critical, High, Medium, Mixed and Info. In total 64 vulnerabilities were found; for most of the assignment the first three levels were focused on, as the rest were linked to the higher-severity vulnerabilities.

Figure 3: Nessus Severity

As can be seen below, there are vulnerabilities on the web server and in PHP, which is an older version with multiple issues, compared with SSH and VNC. This instantly shows that almost all the services running on the target system (known from Nmap) have vulnerabilities. Consequently, the service versions from Nmap were used to carry out further research on a search engine, which provided multiple ways of identifying vulnerabilities and exploits.


Figure 3: Partial Nessus Scan Report

By clicking on one of the vulnerabilities, further information about each weakness can be viewed; for the high and critical severities it shows a description of the cause of the vulnerability.

Figure 4: Depth info on founded Vulnerabilities on Nessus

Knowing the cause of the vulnerability, the delegated target can be identified as a web server. Further vulnerability identification can then be run using DIRB, a command that can be run against an IP address to find its directories, which may lead to additional findings.

2.4 Vulnerability analysis


After a thorough examination of the target system using different methods (Nmap, Nessus scan and manual discovery), some crucial vulnerabilities were established. In this section, four vulnerabilities are outlined to understand the risks, so that they can be rectified before facing consequences.

The first vulnerability identified after rigorous investigation was directory browsing, a web server function that exhibits the contents of a directory without the need for authentication. This occurs when the web server is not configured properly and directory listings are turned on and visible (Acunetix, 2020). Accordingly, directory browsing could lead to attackers gaining access to information that should require authentication. This can result in attackers exploiting the information further, modifying it and navigating to other systems or services related to the web server.

Secondly, the directory traversal vulnerability was identified after exploring the Access Control List (ACL) of a user of the web server. This attack allows the hacker to access restricted directories outside of their own directory, for instance accessing other users' details from local user accounts (Acunetix, 2020). Hackers can inject malicious content into other users' local resources, or may use local or remote files as an advantage to carry out further exploitation (NTT, 2020). Moreover, the hacker may access another restricted user account and impersonate that user to execute harmful commands while avoiding consequences, which makes it complicated to identify the actual hacker.

Thirdly, the vulnerabilities within PHP were unveiled through the Nessus scan, which shows a critical severity for PHP because it is an older version and may contain security issues. According to W3Techs (2022), almost 78% of websites use PHP as their server-side language, meaning it is very popular among people as well as hackers, who study the framework to come up with many variations of attack. Therefore, it is essential to keep up with the latest updates, as older versions have many vulnerabilities which were later rectified in newer versions. Thus, common attacks on older PHP versions, such as XSS (Cross-Site Scripting), SQL injection and brute force on phpMyAdmin, would most likely succeed without difficulty (Mauro Chojrin, 2021).

The fourth vulnerability identified was privilege escalation, which happens when an external user exploits a system by abusing bugs or configuration errors to gain access to confidential material (Zbigniew Banach, 2021). This vulnerability could be costly if the hacker succeeds with the exploit, as the attacker could gain access to the environment unnoticed, perform surveillance or steal data, then clean up to remain undetected. In addition, if the hacker succeeds in gaining administrative privileges over the system, this can lead to further consequences as the system environment would be under the hacker's control, where the attacker may restrict other authorised users, making the system almost unrecoverable (BeyondTrust, 2021).

3.0 Vulnerability Exploitation

After examining the results of Nmap and Nessus, various vulnerabilities were identified. Below, four exploits are discussed, including the approaches and methods used to exploit the vulnerabilities, with screenshots as evidence of the process. (Some of the screenshots in the exploit explanations are partial; the full screenshots can be found in the appendix section.)

3.1 Directory Browsing

Nmap identified that the target system runs an HTTP service, which means the system could potentially be a web server.

Figure 5: Partial Nmap Result

To confirm whether the web server had any vulnerabilities, a Nessus scan was run, which showed that the web server has high-severity vulnerabilities, providing enough evidence to pursue the findings and carry out exploitation.


Figure 6: Partial Nessus Scan Report

Hence, the DIRB command was executed against the allocated IP address, brute-forcing directory names from a wordlist, which produced multiple links; after much trial and error, a link was found which contains the parent directory.

Figure 7: Partial Dirb Scan Result

As can be seen below, multiple links and folders are presented in a table format that should only be available to the root user; a potential hacker could therefore easily access the directory and its folders/files, such as User Credentials, whose name alone suggests it may contain authentication details for the target system. This is a naive and major vulnerability.

Figure 8: Directory Browsing Vulnerability

After visiting all the folders/files, the crucial User Credentials file was obtained, which as shown below contains usernames and passwords; this should not be available to arbitrary users and needs to be stored securely.


Figure 9: Directory Browsing Result

3.2 User directory traversal


Going back to the Nmap scan, which shows that the target system has an SSH service, indicating that a legitimate user can SSH into the system, the credentials obtained in the previous exploitation were used to establish an SSH session to the system.

Figure 10: Partial Nmap Result

When logged on to the system as a certain user, the 'pwd' command was used to check the current directory; this showed that the current user was within a folder. After leaving the current folder for the parent folder, the other users' directories were displayed. However, the main vulnerability occurred when an attempt was made to enter other users' directories from a different user account: the system accepted the request when it should have denied access immediately. Below is an image of a normally secured system, which denies access when a user tries to access other accounts.


Figure 11: Normal Secure System Result

Figure 12: Target System Exploit Result

Furthermore, once inside another user's home directory, the user can view the file listing and open the files, which could contain crucial information and provide a lead to further exploitation. Access to other users' accounts should not be permitted in the first place.


3.3 Default Login - PHP


After examining the Nessus report, where the VPR severity for PHP is critical, this is an instant indicator that PHP may contain a vulnerability.

Figure 13: Partial Nessus Scan Report

Hence, while looking through the DIRB scan, a PHP directory was identified, which led to the login page for phpMyAdmin.

Figure 14: Partial Dirb Scan Result

Figure 15: phpMyAdmin Login page

On further investigation of PHP within the Nessus scan, it was identified that the target system's PHP is an older version which is no longer supported, which means it also contains security vulnerabilities as it has not been maintained, indicating that phpMyAdmin could be in its default settings.


Figure 16: PHP Nessus Descriptive Scan Report

A simple Google search displayed the default username and password; these enabled root access within the service, as the system allowed the root login request and provided control over privileges as well as the databases.

Figure 17: Google Search Result for Default Password/Username

Figure 18: phpMyAdmin root access exploitation result


3.4 Privilege escalation

With access to the underlying operating system of the web application already obtained via SSH, exploration of the system continued in order to escalate privileges to root level. A local privilege escalation vulnerability was identified; first, a .c file was obtained from Kali Linux, which can be seen by running the 'searchsploit' command.

Figure 19: Searchsploit Result to Identify 9545.C file


The command above listed many .c and other useful files, from which the 9545.c file was identified using the 'locate' command and transferred to the web-server user on the target using the 'scp' command, as can be seen below.

Figure 20: Installation of File and Transferring to Allocated Location

Finally, going back to the user account, the transferred file was accessible without complication, which shows that anything can be transferred to the web-server user without the file content being checked. The 'gcc' command was then run locally within the target system on the .c file, and running the result enabled root mode.

Figure 21: Root Access & Exploit result


The exploit was made possible by the local access and the developer tools included on the system. It also shows that the current configuration has many internal attack surfaces which can be triggered by malicious users; with root access, a malicious user may carry out further exploitation and take control of the whole system.

3.5 Mitigations
Vulnerability mitigation is a noteworthy aspect of a penetration test; hence below is a list of the vulnerable areas to focus on, to enhance security and confidentiality and prevent the system from being attacked by an external user:

To mitigate directory browsing, the web server configuration must be changed so that the option known as directory listing is turned off, so that unauthenticated users cannot view files and folders (Zbigniew Banach, 2021); the more secure option is not to store files containing credentials within such directories at all. Furthermore, the Apache version should be upgraded to the latest version, as it is currently running 1.3 while 2.4 is available, which has enhanced security and more control over the web server. Moreover, with an easy DIRB search an outsider can view all the directories; to keep confidential information secure, the practice would be to require authentication to access certain URL paths, which will prevent the data being exposed to potential hackers.
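The two Apache changes recommended above (turning directory listing off, and requiring authentication on sensitive paths) can be checked mechanically before the server is restarted. The following is an added example and not configuration from the report or from the Apache project: a small auditor that walks the `<Directory>` blocks of an httpd.conf fragment and reports, for each block, whether listing is enabled and whether a `Require` rule demands authentication. Both configuration fragments are constructed for illustration; the paths and the `.htpasswd` location are assumptions, not the target's real layout.

```python
import re
from typing import Dict, List

# Two constructed httpd.conf fragments, not the target's real configuration.
# WEAK_CONF leaves "Indexes" on for the document root and "All" (which includes
# Indexes) on the credentials folder: the directory-browsing condition the report found.
WEAK_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/credentials">
    Options All
</Directory>
"""

# HARDENED_CONF: listing off everywhere, and the credentials folder additionally
# requires a valid user (the "authentication on certain URL paths" recommendation).
HARDENED_CONF = """\
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/credentials">
    Options -Indexes
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
"""

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?(?P<path>[^">]+)"?\s*>', re.IGNORECASE)
DIR_CLOSE = re.compile(r"^\s*</Directory>", re.IGNORECASE)


def audit_directories(conf: str) -> Dict[str, Dict[str, bool]]:
    """Per <Directory> block: is listing on, and is authentication required?"""
    report: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in conf.splitlines():
        m = DIR_OPEN.match(line)
        if m:
            current = m["path"]
            report[current] = {"listing": False, "auth": False}
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        if current is None:
            continue
        tokens = line.split()
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive == "options":
            # "Indexes" / "+Indexes" turn listing on; "All" is every option except
            # MultiViews, so it turns listing on too; "-Indexes" turns it off.
            for opt in tokens[1:]:
                o = opt.lower()
                if o in ("indexes", "+indexes", "all"):
                    report[current]["listing"] = True
                elif o == "-indexes":
                    report[current]["listing"] = False
        elif directive == "require" and len(tokens) > 1 and tokens[1].lower() != "all":
            # "Require all granted" is not authentication; valid-user / user / group is.
            report[current]["auth"] = True
    return report


def listing_without_auth(conf: str) -> List[str]:
    """Directories an unauthenticated client could browse: the report's finding."""
    return sorted(p for p, r in audit_directories(conf).items()
                  if r["listing"] and not r["auth"])
```

The auditor only sees the text it is given: it does not follow `Include` lines or `.htaccess` overrides, and it does not know whether `mod_autoindex` is loaded at all, so treat an empty result as "nothing found in this fragment" rather than as proof that listing is off server-wide.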

Directory traversal is another crucial aspect that needs to be mitigated to keep user information secure and prevent further exploitation. User permissions need to be restructured so that users have access to limited material, which can be accomplished by establishing trust boundaries on the internal network and by not allowing a user to access another user's details. An article by Damon Garn (2020) can be followed to manage users and permissions, which will enable further restriction and control over the system.
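The behaviour seen in section 3.2 (one user changing into and reading another user's home directory) comes down to the mode bits on the home directories themselves. As an added example that is not part of the report, the script below audits every directory under a `/home`-style root for "other" read, search and write bits, and a second function strips them. The sample home tree is constructed in a temporary directory so the code runs stand-alone; the user names and the 0755 mode for 'alice' are assumptions standing in for the permissive state the report observed, not values taken from the target.

```python
import os
import stat
import tempfile
from typing import Dict, List


def audit_home_permissions(home_root: str) -> Dict[str, List[str]]:
    """For each home directory under home_root, list the permission bits that let
    *other* users read, traverse or write it. An empty list means the home is private."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        problems = []
        if mode & stat.S_IROTH:
            problems.append("world-readable (others can list the files)")
        if mode & stat.S_IXOTH:
            problems.append("world-searchable (others can cd in and open files)")
        if mode & stat.S_IWOTH:
            problems.append("world-writable (others can plant files)")
        findings[name] = problems
    return findings


def harden_home_permissions(home_root: str, mode: int = 0o700) -> List[str]:
    """Set every home directory to `mode` (owner-only by default); returns the ones changed.
    Group bits are dropped as well, so a shared 'users' group gains nothing either."""
    changed = []
    for name in audit_home_permissions(home_root):
        path = os.path.join(home_root, name)
        if stat.S_IMODE(os.lstat(path).st_mode) != mode:
            os.chmod(path, mode)
            changed.append(name)
    return changed


def build_sample_home() -> str:
    """Constructed stand-in for /home: 'alice' is a permissive 0755 (the condition the
    report exploited), 'bob' is a private 0700. Names and modes are illustrative only."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    for user, mode in (("alice", 0o755), ("bob", 0o700)):
        path = os.path.join(root, user)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the process umask cannot interfere
    return root


if __name__ == "__main__":
    root = build_sample_home()
    print("before:", audit_home_permissions(root))
    print("changed:", harden_home_permissions(root))
    print("after:", audit_home_permissions(root))
```

Pointing `audit_home_permissions` at the real `/home` gives the list of accounts whose files a logged-in low-privilege user can read; the distribution's `adduser` defaults (for example a `DIR_MODE` setting) decide what new accounts get, so the fix should be applied there too, not only to existing directories.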

To have a secure server-side web application, PHP needs to be configured correctly and on the latest PHP version. Currently PHP is running on version 2.10, whereas the newest version available is 8.1, which has advanced features with improved security. Additionally, the default login settings need to be amended with strong credentials, and it would be beneficial to use different credentials throughout the system to decrease the chance of trial-and-error guessing by a potential hacker. Considering that NIST has been used as the penetration methodology, NIST SP 800-63B (2022) is recommended for password guidelines for the system.
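The SP 800-63B rules for memorized secrets are concrete enough to encode: a minimum of 8 characters for user-chosen secrets, comparison against a blocklist of breached, default and dictionary values, rejection of context-specific words (the username, the service name) and of repetitive or sequential runs, and no composition rules such as "one upper, one symbol". The checker below is an added example written for this report, not code from NIST or from the target; the blocklist is a constructed excerpt and the default context words are assumptions chosen to match the phpMyAdmin and MySQL findings above.

```python
import re
from typing import List, Sequence, Tuple

# Constructed excerpt of a blocklist. A real deployment loads a breached-password
# corpus plus the documented default credentials of every product it runs.
BLOCKLIST = {"password", "passw0rd", "123456", "12345678", "qwerty", "letmein",
             "admin", "root", "toor", "welcome", "changeme"}

REPEATED = re.compile(r"(.)\1{3,}")  # aaaa, 1111, ....


def _has_sequence(s: str, length: int = 4) -> bool:
    """True if any run of `length` characters steps by +1 or -1 (abcd, 4321, ZYXW)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(candidate: str, username: str = "",
                   context_words: Sequence[str] = ("phpmyadmin", "mysql")) -> Tuple[bool, List[str]]:
    """Apply the SP 800-63B memorized-secret rules. Returns (accepted, reasons).
    Deliberately no composition rules and no upper length cap below 64: the guideline
    says verifiers should not impose the former and must allow at least the latter."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < 8:
        reasons.append("shorter than the 8-character minimum for user-chosen secrets")
    # Exact blocklist hits, plus longer blocklist words embedded in the candidate
    # ("mypassword1" still contains "password").
    if lowered in BLOCKLIST or any(len(w) >= 6 and w in lowered for w in BLOCKLIST):
        reasons.append("matches the breached/default-credential blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for w in context_words:
        if w.lower() in lowered:
            reasons.append(f"contains the context-specific word {w!r}")
    if REPEATED.search(candidate):
        reasons.append("contains a repeated character run")
    if _has_sequence(candidate):
        reasons.append("contains a sequential character run")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw, user in (("root", "root"), ("abcd1234", "web"), ("correct horse battery staple", "web")):
        print(repr(pw), check_password(pw, user))
```

Note what the checker accepts: a long all-lowercase passphrase passes, because length and blocklist screening are what 800-63B relies on, while a short value that happens to satisfy a classic complexity rule (`Admin1234!`) is still rejected for containing the username and a sequential run.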

To attempt privilege escalation, the hacker would first gain access to a less privileged user account. To mitigate this, the above steps of configuring user permissions and using secure passwords can be applied. Users of the system should also be educated about social engineering attacks, as some hackers use this simple technique to lure users into providing credentials. Also, file transfer functionality on the system should be restricted by removing unnecessary tools and restricting directories, as most attackers transfer files onto the system to exploit privileges (Zbigniew Banach, 2021).

4.0 Conclusions
After rigorous examination of the allocated target, in which many strategies, tools and techniques were used to investigate the target for weaknesses, these vulnerabilities were exploited, and many further vulnerabilities were identified through that exploitation, as finding one led to the next. This indicates the necessity of managing the external traffic that accesses internal resources, as well as the configuration of the system. The mitigation section therefore explains the steps that need to be taken to make the target system more secure and prevent its exploitation by hackers.

5.0 Overall Conclusions and Reflections


Planning is an essential aspect of successful and effective penetration testing, as it helps determine the system and the best approach to take. Hence, prior to the penetration testing, scoping and planning were conducted: methodologies were researched in detail and NIST was chosen, and an SOP (standard operating procedure) and Attack Tree were produced to guide the testing. With a strong base plan, the practical work began, in which the target system was analysed by finding vulnerabilities and exploiting them using Kali Linux. To finalise the process, each of the vulnerabilities and exploits was reported so that the risks are understood, along with the mitigation methods to follow to secure the system.

Throughout the penetration testing project, numerous skills and useful lessons have been learned. One of the crucial skills attained was the process from raw data to information, where I was able to establish how to improvise in certain situations during the exploitation to gain crucial information. Also, I have learned to have an open mind and attention to detail while approaching vulnerabilities, as it allows one to identify small unnoticed details which lead to exploitation. In addition, many technical skills were gained, such as the use of a different operating system like Kali Linux, where countless resources are available to carry out the testing, the different methodologies for suitable testing (black/white/grey box), and the ability to understand web server exploitation methods with different services. The essential knowledge was when and which resource to use at each stage. One of the tools that I enjoyed studying the most and was extremely useful was Nessus, which is an extremely powerful system that allowed me to target specific areas of vulnerability within a system. The penetration testing has taught me many aspects of keeping a system secure; being a software engineering student myself, it is obvious that I have a system, and this experience has made me realise the importance of updating to the latest software, using unpredictable usernames/passwords and restructuring configuration, besides limiting permissions.

To extend, the most useful non-technical skill that I have attained was the ability to write a professional report, and to understand the different types of audience a report is targeted at, which can be used to structure the report to suit the audience best. Furthermore, research was also essential for the penetration testing, which encouraged me to read many materials to identify information and enabled me to improve my reading and scanning ability. In conclusion, the experience and skills gained from this penetration testing process will help me in my professional career to carry out even more complex testing on larger systems.

6.0 References
AAT Team (2021) ‘Information Gathering Techniques for Penetration Testing’. Available at: Information Gathering Techniques for Penetration Testing [Updated 2021] - All About Testing

Vincent Fack (2020) ‘PenTest: Information Gathering and Scanning’. Available at: PenTest: Information Gathering and Scanning - laredoute.io

Acunetix (2020) ‘Why Is Directory Listing Dangerous?’. Available at: Why Is Directory Listing Dangerous? | Acunetix

Acunetix (2020) ‘Directory Traversal Attacks’. Available at: What is a Directory Traversal Attack? (acunetix.com)

NTT (2020) ‘What is Directory Traversal Attack’. Available at: Directory Traversal (whitehatsec.com)

W3techs (2020) ‘Usage statistics of PHP for websites’. Available at: Usage Statistics and Market Share of PHP for Websites, January 2022 (w3techs.com)

Mauro Chojrin (2021) ‘Fixing the Most Common Security Vulnerabilities in PHP Powered Websites’. Available at: Fixing the Most Common Security Vulnerabilities in PHP Powered Websites - SecureCoding

Zbigniew Banach (2021) ‘What is privilege escalation and why is it important?’. Available at: What is privilege escalation and why is it important? | Netsparker

BeyondTrust (2021) ‘Privilege Escalation Attack and Defence Explained’. Available at: Privilege Escalation Attack & Defense Explained | BeyondTrust

Damon Garn (2020) ‘How to manage Linux permissions for users, groups, and others’, Red Hat. Available at: How to manage Linux permissions for users, groups, and others | Enable Sysadmin (redhat.com)

NIST (2022) ‘NIST Special Publication 800-63B’. Available at: NIST Special Publication 800-63B

7.0 Appendices
7.1 MySQL (unauthorised exploitation)
Going back to the Nmap scan, one port or service seemed to stand out from the rest: the MySQL service was shown as ‘mysql?’, where the ‘?’ indicates that this service may need further investigation, as it could potentially mean the MySQL service is unauthenticated.

After the PHP exploitation, many clues had accumulated to indicate that MySQL may allow unauthenticated access, like PHP. Hence, after accessing the web server using SSH, MySQL root access was attempted; it asked for a password, which was left empty, and consequently access to the system's MySQL was allowed.


As presented above, when asked to show the databases, the list of tables presented was identical to that in phpMyAdmin. This shows that without correct configuration, one vulnerability can lead to many exploitations.

7.2 DOS Attack

To take the server down, or to slow the service by not allowing real users to access the web server or application, a Denial-of-Service (DoS) attack was one of the many options, considering that the exploitation was being conducted on Kali Linux, which has many features and tools for penetration testing.

Metasploit is one of them, with many useful built-in modules that can be used to target a system. Accordingly, after SSHing into the target system and using Metasploit there, Slowloris, an application-layer attack that continuously sends packets to the HTTP port, was used to overwhelm the target by slowing it down.

After accessing the module, the exploitation was run; as can be seen below, it continuously attacks the port by keeping it busy.


While the attack is running, other users will not be able to access the server or the web application, which displays a loading screen like the image below, thereby denying service to the real users.

7.3 Pinging Target

7.4 Nmap scan report


7.5 DIRB report


7.6 Vulnerability report (Nessus)
