The web application served as the central target for evaluating weaknesses in Rekall's online presence. Using a range of penetration testing techniques, I evaluated the platform for vulnerabilities such as SQL injection, cross-site scripting, and authentication flaws. By identifying and exploiting 15 hidden "flags" deliberately placed throughout the application, I demonstrated the effectiveness of these techniques and produced concrete evidence of how the application could be compromised. Examples are provided below.
Visit 192.168.14.15/welcome.php and, in the section prompting you to "enter your name below," input a simple script: "<script>alert</script>" to trigger an on-screen alert and obtain 'Flag 1.'
In the Linux terminal, employ the "curl -v" command to inspect the HTTP header of the rekall-about page. 'Flag 4' is located within this header information.
Access the page at 192.168.14.15/network.php. To exploit the command injection vulnerability, input "www.welcometorekall.com && cat vendors.txt" in the DNS Check field. This action will reveal 'Flag 10.'
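The DNS Check field above is exploitable because the value is pasted into a shell command line. The following is an added example, not Rekall's own code: it models the vulnerable handler's view of the input (assumed to be "nslookup <input>" handed to a shell) and a hardened handler that allowlists the hostname and never invokes a shell.

```python
"""Vulnerable vs. hardened handling of a 'DNS check' form field.

Added example, not Rekall's own code: shows how pasting the field into a
shell command line lets "&&" start a second command, and a hardened
handler that allowlists the hostname and never invokes a shell.
"""
import re
import shlex
import subprocess

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, not starting
# or ending with a hyphen. A whole hostname is at most 253 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    """Allowlist check: accept only a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def vulnerable_command(user_input: str) -> list:
    """Token view of what the vulnerable handler would hand to a shell.

    The handler (assumed) concatenates the field into "nslookup <input>",
    so shell operators in the input are interpreted. Nothing is executed
    here; shlex only shows the words the shell would see.
    """
    return shlex.split("nslookup " + user_input)


def hardened_command(user_input: str) -> list:
    """Validate, then build an argv list for subprocess with shell=False.

    Because the hostname allowlist forbids spaces, quotes, "&", ";", "|"
    and a leading "-", the input can only ever be a single positional
    argument to nslookup (no command chaining, no option injection).
    """
    if not is_valid_hostname(user_input):
        raise ValueError("rejected: not a valid hostname")
    return ["nslookup", user_input]


def run_dns_check(user_input: str) -> str:
    """The hardened handler end to end (needs nslookup on PATH)."""
    argv = hardened_command(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout
```

With the injection string from the page, vulnerable_command shows "&&" and "cat" as separate shell words, while hardened_command rejects the same string before anything runs.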
In the Linux terminal, generate a file with a ".php" extension. Upload this file to the Memory-Planner.php page to uncover 'Flag 5.'
Within Rekall's environment, the Linux servers presented a distinct set of opportunities and challenges. I examined the Linux systems for weaknesses, misconfigurations, and possible entry points. By identifying and exploiting 12 hidden "flags" strategically placed throughout the system, I simulated real-world attack scenarios and evaluated the servers' resistance to privilege escalation, unauthorized access, and other security threats. Examples are provided below.
In the context of 'Flag,' where the user is identified as 'sshuser Alice,' establish an SSH connection to the server using 'ssh alice@192.168.13.14' with the password 'Alice.' For the privilege escalation exploit and to retrieve the flag, execute the command 'sudo -u#-1 cat /root/flag12.txt.'
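The 'sudo -u#-1' step above leaves a distinctive trace in the sudo log, which is what a defender would alert on. The following is an added example, not from the Rekall lab: the log lines are constructed, and the detector assumes the usual syslog form of sudo's entry, in which a target user with no passwd entry is logged as "#<uid>" (the -1 bypass appearing as #4294967295, the unsigned form of -1).

```python
"""Detecting the sudo 'user ID -1' bypass in auth.log.

Added example, not from the Rekall lab: the log lines below are
constructed, and the format assumes the common syslog form of sudo's
log entry, in which a target user with no passwd entry is logged as
"#<uid>" (the -1 bypass appears as #4294967295, the unsigned form of -1).
"""
import re

# Constructed sample: a denied root request, then the same command run
# successfully via "sudo -u#-1", then a harmless numeric target uid.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 rekall-lnx sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jan 10 09:12:44 rekall-lnx sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /root/flag12.txt
Jan 10 09:13:05 rekall-lnx sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#4294967295 ; COMMAND=/bin/cat /root/flag12.txt
Jan 10 09:14:10 rekall-lnx sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=#1001 ; COMMAND=/usr/bin/whoami
"""

SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) :.*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def suspicious_target(target: str) -> bool:
    """True when the target user is uid -1 or its 32-bit wraparound."""
    if not target.startswith("#"):
        return False
    try:
        uid = int(target[1:])
    except ValueError:
        return True  # numeric form expected; anything else is worth a look
    return uid < 0 or uid >= 2**32 - 1


def find_sudo_bypass(log_text: str) -> list:
    """Return one finding per sudo line whose target uid looks like -1."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if m and suspicious_target(m.group("target")):
            findings.append(
                {"user": m.group("user"), "target": m.group("target"),
                 "command": m.group("cmd")}
            )
    return findings


if __name__ == "__main__":
    for f in find_sudo_bypass(SAMPLE_AUTH_LOG):
        print(f"{f['user']} ran '{f['command']}' as {f['target']}")
```

The denied root attempt and the ordinary numeric uid are left alone; only the -1 target is reported, which is the line a sudoers rule such as (ALL, !root) would otherwise have blocked.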
Upon connecting to MSFconsole, search for Struts exploits, and employ the exploit 'multi/http/struts2_content_type_ognl' to attain a Meterpreter shell. Configure RHOSTS to 192.168.13.12. Utilize Meterpreter to download the file '/root/flagisinThisfile.7z' to your Kali machine. Unzip the file on your Kali machine using '7z x flagisinThisfile.7z,' and use the 'cat' command with the flag file to view 'Flag 10.'
Execute a Nessus scan for the IP address 192.168.13.12. Upon completion, identify the critical vulnerability related to Apache Struts. Click on this vulnerability, and 'Flag 6' will be visible as id 97610 at the top right of the page.
Conduct a Zenmap scan on the IP address range 192.168.13.0/24; 'Flag 4' is the number of hosts found by the scan.
For the evaluation of Rekall's Windows servers, conducted from the Linux OS, I relied on Meterpreter as the primary tool. With it I probed for vulnerabilities, assessed security controls, and executed simulated attacks against the Windows 10 operating system. This identified potential weaknesses and captured 10 concealed 'flags,' giving the organization a clearer picture of its exposure to threats in the Windows environment. Examples are provided below.
The port scan results showed port 21 open with an "FTP" service that allowed anonymous access. Connecting with 'ftp 172.22.117.20' and logging in as anonymous, one can retrieve 'flag3.txt' using 'get flag3.txt' and then exit the FTP session. The downloaded file, 'Flag 3,' can then be read using the 'cat' command.
Running Kiwi to extract cached credentials from the Win10 machine revealed cached credentials for the administrator account ADMBob. The username and password hash were saved to 'Flag8hash.txt' and cracked with John, revealing the password "Changeme!" These credentials provided access to the Server2019 machine, where the PsExec module in Metasploit granted a SYSTEM shell. From Meterpreter's command shell, listing the users with 'net user' showed one named 'flag8.'
This flag was obtained by extracting and cracking a password hash with "John." The hash was located by examining the user credentials on the totalrekall GitHub page; the credentials were copied into a .txt file in the Linux terminal and the hash cracked with John, revealing the flag as "Tanya4life."
This flag was concealed in a scheduled task. From a command shell within Meterpreter, running the "schtasks" command as "schtasks /query /tn 'flag5' /v" revealed the flag.
Exploit vulnerabilities in an organization's web application during a penetration test.
Exploit vulnerabilities in an organization's Linux servers during a penetration test.
Exploit vulnerabilities in an organization's Windows servers during a penetration test.