Report 2

Uploaded by Muhammad Zeeshan

Professional Penetration Testing Report

Report Summary

Executive Overview

This penetration testing engagement identified four critical security vulnerabilities across multiple
target systems, demonstrating significant security gaps that could lead to complete system compromise.
The assessment revealed vulnerabilities ranging from web application security flaws to Windows system
misconfigurations, with all findings classified as High to Critical severity.

Key Findings

• 4 Critical/High vulnerabilities identified and successfully exploited
• Complete system compromise achieved on multiple targets
• Remote Code Execution (RCE) possible on web applications
• Privilege escalation from limited user to SYSTEM access
• Multiple attack vectors including file upload, SQL injection, and registry misconfiguration

Risk Assessment

The cumulative impact of these vulnerabilities represents a Critical security posture, requiring immediate remediation to prevent unauthorized access, data exfiltration, and potential lateral movement within the network infrastructure.

Vulnerability Writeups

Vulnerability 1: Unrestricted File Upload → Remote Code Execution (RCE)

Vulnerability Name: Unrestricted File Upload with Remote Code Execution
Risk Rating: Critical (CVSS Score: 9.8)
Flag Value: THM{6cf7b638-1ecb-4284-bcfc-d35767a02b96}

Description: The target exposed a web-based “PDF Upload Analyzer” that accepted uploaded files without proper validation. The application failed to verify file content and allowed execution of malicious executables disguised as PDF files, resulting in complete system compromise.

Identification Method:
- Port scanning revealed web application on port 8081
- File upload functionality identified during manual testing
- File type validation bypassed by renaming executable with .pdf extension
- Successful execution confirmed via reverse shell connection

Remediation Actions:
1. Implement strict file type validation using magic bytes, not file extensions
2. Restrict uploads to safe file types only (PDF, DOC, TXT, etc.)
3. Store uploaded files outside web root in non-executable directories
4. Implement file content scanning and antivirus integration
5. Apply principle of least privilege to web application process
6. Regular security audits of upload functionality
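Remediation steps 1 to 3 above (content-based validation, an allow-list of types, storage outside the web root) can be implemented in one small validation layer. The following is an added example written for this report, not code from the assessed application; the signature table, the `storage_path` directory and the file names in it are constructed for illustration. It classifies an upload by its leading bytes, so an executable renamed with a `.pdf` extension (the bypass used in this finding) is rejected, and it shows how the TXT case, which has no magic bytes, is handled separately.

```python
import os
import secrets
from typing import Tuple

# Leading-byte signatures for the file types the remediation allows.
# Constructed table for this example; TXT has no signature and is checked separately.
ALLOWED_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document (legacy .doc)
    "txt": [],
}

# Content that is rejected no matter which extension it carries.
REJECT_SIGNATURES = {
    "Windows PE executable": b"MZ",
    "ELF executable": b"\x7fELF",
    "script with interpreter line": b"#!",
}


def classify_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is accepted, based on its content rather than its name."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '.{ext}' is not on the allow-list"
    if ext == "txt":
        # Plain text has no magic bytes: require valid UTF-8 with no NUL bytes,
        # which also rejects any binary that was simply renamed to .txt.
        if b"\x00" in data:
            return False, "text upload contains NUL bytes"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text upload is not valid UTF-8"
        return True, "ok"
    for label, sig in REJECT_SIGNATURES.items():
        if data.startswith(sig):
            return False, f"content is a {label} despite the .{ext} extension"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not match the {ext} signature"
    return True, "ok"


def storage_path(upload_dir: str, ext: str) -> str:
    """Name for the stored file: random, never derived from the client-supplied name.
    upload_dir (an assumed path) must sit outside the web root with execution disabled."""
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed inputs: a genuine PDF header and a PE header renamed to .pdf.
    print(classify_upload("report.pdf", b"%PDF-1.7\n"))
    print(classify_upload("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))
    print(storage_path("/srv/uploads", "pdf"))
```

The extension check still runs first so that the allow-list is enforced, but acceptance depends on the content check; content scanning (step 4) would be a further stage applied to the file once it sits under the random name returned by `storage_path`.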

Vulnerability 2: Insecure Registry Configuration

Vulnerability Name: Windows Installer Registry Misconfiguration
Risk Rating: High (CVSS Score: 8.8)
Flag Value: THM{28883b74-27f1-4d0e-9ead-2095485c9790}

Description: Critical Windows registry misconfiguration where the AlwaysInstallElevated policy was enabled in both HKLM and HKCU registry keys, allowing unprivileged users to execute MSI packages with SYSTEM privileges, bypassing normal Windows security controls.

Identification Method:
- Privilege enumeration using whoami /priv command
- Registry queries revealed misconfigured Windows Installer policies
- Confirmed both HKLM and HKCU keys set to 0x1 (enabled)
- Successfully exploited using malicious MSI payload

Remediation Actions:
1. Disable AlwaysInstallElevated policy in both registry locations:
   - HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 0x0
   - HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 0x0
2. Implement Group Policy restrictions for Windows Installer settings
3. Regular registry configuration audits
4. User privilege reviews and principle of least privilege implementation
5. Enable Windows Installer logging and monitoring
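Remediation step 3 (regular registry configuration audits) can be automated by checking the two policy locations above. The following is an added example, not part of the original report: it parses the text that `reg query` prints for those keys and reports whether the exposure still exists. The three `SAMPLE_*` strings are constructed for this example to mimic the output before remediation, after remediation, and when only the user hive is configured; on a live host the same text would come from `reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` and the HKCU equivalent. The check treats the system as exposed only when both hives are enabled, because Windows applies this policy only when the machine and user settings are both set; a single enabled hive is still listed as a finding.

```python
import re

# Constructed sample of `reg query` output as it looked before remediation:
# both policy locations carry AlwaysInstallElevated = 0x1.
SAMPLE_BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# Constructed sample after applying the remediation (both values set to 0x0).
SAMPLE_AFTER = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""

# Constructed sample where the machine key is absent and only the user hive is set.
SAMPLE_PARTIAL = r"""
ERROR: The system was unable to find the specified registry key or value.

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

HIVE_RE = re.compile(r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\")
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$", re.I)


def parse_reg_query(text: str) -> dict:
    """Map each hive to the DWORD found under it, or None when the value is absent."""
    values = {"HKLM": None, "HKCU": None}
    current = None
    for line in text.splitlines():
        hive = HIVE_RE.match(line)
        if hive:
            current = "HKLM" if hive.group(1) == "HKEY_LOCAL_MACHINE" else "HKCU"
            continue
        value = VALUE_RE.match(line)
        if value and current:
            values[current] = int(value.group(1), 16)
    return values


def audit_always_install_elevated(text: str) -> dict:
    """Audit verdict for the AlwaysInstallElevated policy from `reg query` output."""
    values = parse_reg_query(text)
    # Windows honours the policy only when the machine AND user settings are both
    # enabled, so exposure is the conjunction; an enabled single hive is still
    # reported because one more change would re-open the hole.
    exposed = bool(values["HKLM"]) and bool(values["HKCU"])
    findings = []
    for hive, val in values.items():
        if val is None:
            findings.append(f"{hive}: not configured")
        elif val == 0:
            findings.append(f"{hive}: 0x0 (disabled)")
        else:
            findings.append(f"{hive}: 0x{val:x} (ENABLED, should be 0x0)")
    return {"values": values, "exposed": exposed, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER), ("partial", SAMPLE_PARTIAL)):
        result = audit_always_install_elevated(sample)
        print(label, "exposed" if result["exposed"] else "not exposed", result["findings"])
```

Feeding the script the real `reg query` output from a scheduled job gives the recurring audit the remediation asks for; the `findings` list is what to forward to monitoring, since a value that flips back to 0x1 in either hive is the signal to act on.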

Vulnerability 3: SQL Injection → Remote Code Execution

Vulnerability Name: SQL Injection in Login Functionality Leading to RCE
Risk Rating: Critical (CVSS Score: 9.8)
Flag Value: THM{282c6c60-94de-42a2-9731-a929b9a1849c}

Description: SQL injection vulnerability in the login form allowed unauthorized access to database
contents and subsequent remote code execution through sqlmap’s OS shell functionality, leading to
complete web server compromise.

Identification Method:
- Manual testing of login form parameters
- SQL injection confirmed using sqlmap automated testing
- Database enumeration revealed admin credentials
- OS shell obtained via sqlmap's --os-shell feature

Remediation Actions:
1. Implement parameterized queries and prepared statements
2. Input validation and sanitization for all user inputs
3. Web Application Firewall (WAF) implementation
4. Database user privilege restrictions
5. Regular security code reviews and penetration testing
6. Implement proper error handling without information disclosure

Vulnerability 4: SQL Injection → Remote Code Execution (Second Instance)

Vulnerability Name: SQL Injection Leading to RCE via Unauthenticated Login Form
Risk Rating: Critical (CVSS Score: 9.0-10.0)
Flag Value: THM{964f118a-799a-4093-b377-dad356e9ca52}

Description: Another instance of SQL injection vulnerability in an unauthenticated login form, allowing
attackers to execute arbitrary commands on the host without prior authentication, leading to full
system compromise.

Identification Method:
- Port scanning identified web service on port 1200
- Login form analysis revealed SQL injection vulnerability
- sqlmap automated testing confirmed injection and extracted data
- Reverse shell deployment achieved through sqlmap OS shell

Remediation Actions:
1. Implement proper input validation and parameterized queries
2. Apply principle of defense in depth with multiple security layers
3. Regular vulnerability assessments and penetration testing
4. Implement proper authentication and authorization controls
5. Database security hardening and access controls
6. Security monitoring and incident response procedures
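Vulnerabilities 3 and 4 share the same root cause and the same first remediation step, parameterized queries, so one example serves both. The following is an added example, not code from either assessed application: a login check written the way the findings describe (user input spliced into the SQL text) placed beside the remediated form, which binds the username as a parameter and compares the password hash in application code with a constant-time function. The in-memory SQLite database, the `admin` account and its password are constructed for this example, and `_hash_password` is a stand-in for a real salted, slow password hash.

```python
import hashlib
import hmac
import sqlite3


def _hash_password(password: str) -> str:
    # Stand-in for a proper password hash (use a salted, slow scheme such as
    # argon2 or bcrypt in production); enough to show the difference in query shape.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login as the findings describe it: the username becomes part of the SQL grammar,
    so a quote in the input changes the query rather than the data."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _hash_password(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Remediated login: the placeholder binds the username as data, and the hash
    comparison happens in application code with a constant-time compare."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash_password(password))


def compare_logins() -> dict:
    """Run the same credentials through both implementations.
    Returns {case: (vulnerable_result, parameterized_result)}."""
    conn = make_db()
    cases = {
        "valid": ("admin", "correct horse"),
        "wrong_password": ("admin", "wrong"),
        # The textbook comment-out input: in the vulnerable query the rest of the
        # WHERE clause, including the password check, is commented away.
        "comment_out_check": ("admin' --", "anything"),
    }
    return {
        name: (login_vulnerable(conn, user, pw), login_parameterized(conn, user, pw))
        for name, (user, pw) in cases.items()
    }


if __name__ == "__main__":
    for case, (vulnerable, fixed) in compare_logins().items():
        print(f"{case:18s} vulnerable={vulnerable!s:5s} parameterized={fixed}")
```

Only the parameterized version treats the injected username as a literal that matches no row. Database user privilege restrictions (step 4 of Vulnerability 3) are the second layer that matters here: the OS-shell path relies on the database account being allowed to run commands or write files, which a query-only account cannot do even if injection were found elsewhere.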

Overall Recommendations

Immediate Actions Required

1. Patch all identified vulnerabilities within 24-48 hours
2. Implement compensating controls while permanent fixes are developed
3. Review and restrict network access to vulnerable systems
4. Implement security monitoring to detect exploitation attempts

Long-term Security Improvements

1. Security awareness training for development and operations teams
2. Secure coding practices implementation and code review processes
3. Regular security assessments and penetration testing
4. Incident response plan development and testing
5. Security architecture review to identify systemic issues

Risk Mitigation

The identified vulnerabilities represent a critical security posture requiring immediate attention. Successful exploitation could result in complete system compromise, data exfiltration, and potential lateral movement within the network infrastructure.
