25 Sep, 2023

Unravelling the Security Mysteries: The Story of the Successful Pentest Case

Chapter 1: Background

In the first chapter we introduce the members of our pentester team V, Y, G, A, M. They have been working in the field of information security for many years and have many successful cases to their credit. XXXX is a large financial company that decided to conduct a full security test of its new online platform, which promises to change the world of financial technology.

Chapter 2: Preparation

In Chapter 2, we dive into the preparation phase, which is at the heart of a successful pentest case. This phase begins with thorough research of the XXXX company. Our pentesters delve into the company’s history, corporate culture, and business goals. The goal of this research is to fully understand the client and identify potential vulnerabilities.

Next, the team analyses the products and services provided by XXXX. This includes a detailed examination of the company’s web applications, mobile applications, and servers. The main objective at this stage is to identify entry points that attackers could exploit.

In addition, our pentesters search for information about the company’s partners and clients, as vulnerabilities in their systems may also pose a threat to XXXX. This analysis helps identify a wide range of possible vulnerabilities that may go undetected.

Finally, the team applies social engineering techniques to further expand their knowledge of the company. This may include analysing the social media profiles of XXXX employees, allowing them to identify potential weaknesses and attack vectors related to human error.

This preparation phase is the foundation for a successful pentest case, allowing the team to better understand the customer and develop a strategy aimed at identifying the most critical vulnerabilities and potential threats. It is important to emphasise that the entire preparation process is carried out in compliance with the law and high standards of ethics.

Chapter 3: Discovering First Vulnerabilities

Chapter 3 reveals the vulnerability discovery phase of the pentest case in more detail. During this phase, the pentester team actively scans XXXX’s external systems.

Their task is to identify open ports, services, and applications that could represent potential entry points for attackers. They not only identify which ports are open, but also perform detailed analyses of each service and application for known vulnerabilities.

In addition to active scanning, the team also probes the system using techniques that real attackers could use to bypass existing defences. This can include exploiting vulnerabilities in web applications, session hijacking, and other techniques that allow the team to understand how vulnerable the system is to a possible attack.

This stage plays an important role in the pentesting process, as it allows the team to identify the most critical vulnerabilities and assess the security level of the XXXX system. All activities at this stage are also carried out in compliance with the law and high standards of ethics.

Chapter 4: Exploiting Vulnerabilities

Chapter four takes a detailed look at several discovered vulnerabilities in the XXXX system, as well as methods for finding and exploiting them. Let’s take a closer look at each of them.

Vulnerability in web application: SQL Injection

Pentesters discovered a vulnerability in a search form on the XXXX website that allowed SQL Injection. They first noticed that the query parameters were not properly secured and could be subject to code injection.

To perform a more sophisticated SQL Injection, they used the following payload:

    ' UNION ALL SELECT username, password FROM users--

Let’s break down this payload in more detail:

' – initiates the SQL Injection by closing the open string literal in the original query, so that the text that follows is parsed as SQL rather than as search input.

UNION ALL – appends the results of a second query, which reads from the users table, to the results of the original query.

SELECT username, password – specifies the columns they want to retrieve from the users table; the column count has to match the original query for the UNION to succeed.

FROM users – points to the table from which they want to fetch data.

-- – a comment marker that discards the remaining part of the original SQL query so the injected statement parses without errors.

This payload allowed the pentesters to extract user data, including usernames and password hashes. They could then attempt to crack the password hashes and try to gain access to the system on behalf of other users.

Successful SQL Injection can pose a serious security threat, so it is important to diligently conduct testing for such vulnerabilities and promptly remediate them to protect data and the system.
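The following is an added example, not code from the write-up or from XXXX’s application. It reproduces the search-form flaw in miniature with an in-memory SQLite database (schema, rows and hash strings are constructed placeholders) and puts the hardened, parameterised version beside it. The same payload shown above returns the users table from the vulnerable function and nothing at all from the safe one, because a bound parameter is always treated as a value and never as SQL text.

```python
import sqlite3

# Constructed schema and rows for this demo; the hash values are placeholder strings,
# not data from the engagement.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, description TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Savings account', 'Standard savings product');
        INSERT INTO products VALUES ('Credit card', 'Rewards credit card');
        INSERT INTO users VALUES ('alice', '<constructed-hash-1>');
        INSERT INTO users VALUES ('bob', '<constructed-hash-2>');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # VULNERABLE: the search term is spliced into the statement text, so a quote in
    # `term` ends the string literal and everything after it is parsed as SQL.
    sql = "SELECT name, description FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # HARDENED: a bound parameter is always a value. The same payload is now just an
    # unusual search string that happens to match no product.
    sql = "SELECT name, description FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# The payload from the write-up above.
PAYLOAD = "' UNION ALL SELECT username, password FROM users--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # product rows plus both users rows
    print("safe:      ", search_safe(db, PAYLOAD))        # []
```

Parameterisation is the fix; a database account for the search code path that has no read access to the users table limits the damage if a concatenated query is ever reintroduced elsewhere.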

Vulnerability at the Operating System Level: Unauthorized Access via Weak Password

The pentesters identified a vulnerability related to a weak password used for one of the system accounts within the XXXX network. Using the Hydra tool for brute-force attacks, they attempted various password combinations and eventually gained access to the system with the password “password123.” This granted them full control over the server, allowing them to perform actions with administrative privileges.
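A brute-force run of the kind described leaves a very recognisable trail in authentication logs, and detecting it is as much part of the remediation as the password policy itself. The detector below is an added example, not from the write-up: it parses constructed lines in OpenSSH’s auth-log format (hostnames, PIDs, account name and addresses are all made up for the demo), raises an alert when one source produces a burst of failures inside a sliding window, and raises a second, higher-severity alert when a successful login from that same source follows the burst, which is exactly the pattern a successful password guess produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's auth-log format (not from the engagement):
# six failures for one account from one source inside a few seconds, then a success.
SAMPLE_LOG = """\
Sep 25 10:00:01 srv01 sshd[2201]: Failed password for svc_backup from 203.0.113.7 port 51022 ssh2
Sep 25 10:00:02 srv01 sshd[2203]: Failed password for svc_backup from 203.0.113.7 port 51024 ssh2
Sep 25 10:00:03 srv01 sshd[2205]: Failed password for svc_backup from 203.0.113.7 port 51026 ssh2
Sep 25 10:00:04 srv01 sshd[2207]: Failed password for svc_backup from 203.0.113.7 port 51028 ssh2
Sep 25 10:00:05 srv01 sshd[2209]: Failed password for svc_backup from 203.0.113.7 port 51030 ssh2
Sep 25 10:00:06 srv01 sshd[2211]: Failed password for svc_backup from 203.0.113.7 port 51032 ssh2
Sep 25 10:00:09 srv01 sshd[2213]: Accepted password for svc_backup from 203.0.113.7 port 51040 ssh2
Sep 25 10:04:30 srv01 sshd[2300]: Failed password for invalid user admin from 198.51.100.5 port 40000 ssh2
Sep 25 10:05:00 srv01 sshd[2302]: Failed password for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text: str, year: int = 2023) -> list:
    """Return (timestamp, result, user, ip) tuples. Syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Sliding-window detector over one auth log.
    ('bruteforce', ip)        when `threshold` failures arrive from one source within `window`;
    ('compromise', ip, user)  when a success from that source follows such a burst."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    alerts = []
    for ts, result, user, ip in parse_auth_log(text):
        fails = [t for t in recent_failures[ip] if ts - t <= window]
        if result == "Failed":
            fails.append(ts)
            if len(fails) == threshold:    # fire once, when the burst crosses the line
                alerts.append(("bruteforce", ip))
        elif len(fails) >= threshold:      # Accepted right after a burst: likely a guessed password
            alerts.append(("compromise", ip, user))
        recent_failures[ip] = fails
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs; account lockout or rate limiting at the service stops the guessing itself, while a detection like this one tells the operations team that it happened and, in the "compromise" case, which account to reset first.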

Vulnerability in the Web Application: Remote Code Execution

The pentesters also discovered a vulnerability in one of the scripts of the XXXX web application that allowed for remote code execution. In this case, they utilized the following PHP payload:

    <?php
    system('cat /etc/passwd');
    ?>

This payload enabled them to execute arbitrary commands on the server, providing access to confidential files, such as /etc/passwd. Remote code execution vulnerabilities can be particularly severe as they allow attackers to take control of a system.

Insecure File Upload

The pentesters discovered that the XXXX web application had a vulnerability related to its file upload functionality. To exploit this vulnerability, they crafted a malicious script and uploaded it via the file upload feature. The script they uploaded was designed to create a backdoor in the application, potentially providing them with unauthorized access to the server.

The malicious script they uploaded could be named something inconspicuous, like “profile_picture.jpg,” to avoid suspicion. However, the script was not an image but rather a script file. When the server accepted the file and stored it in a directory accessible via the web, the pentesters could then access and execute the script remotely, potentially compromising the server and the application’s security.
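An upload handler that would have stopped the disguised "profile_picture.jpg" is shown below as an added example; it is not the application’s code. The type is decided from the file’s leading bytes rather than from the name or the client’s Content-Type, the client-supplied extension must agree with that sniffed type, the stored name is random and server-chosen, and the destination directory is assumed to sit outside the web root behind a handler that serves a fixed image Content-Type, so nothing written there can be executed or interpreted as a script. The inputs in demo() are constructed.

```python
import secrets
import tempfile
from pathlib import Path

# Allowed image types: (magic-byte prefixes, accepted client extensions, extension stored with).
ALLOWED_TYPES = {
    "image/jpeg": ((b"\xff\xd8\xff",), {".jpg", ".jpeg"}, ".jpg"),
    "image/png": ((b"\x89PNG\r\n\x1a\n",), {".png"}, ".png"),
}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def sniff_image_type(data: bytes):
    """Decide the type from the bytes, never from the filename or the client's Content-Type."""
    for mime, (magics, _exts, _store_ext) in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def store_upload(client_name: str, data: bytes, upload_dir: Path) -> Path:
    """Validate a 'profile picture' upload and write it under a server-chosen random name.
    `upload_dir` is assumed to be outside the web root and served by a handler that sends a
    fixed image Content-Type, so a stored file can never be executed or sniffed as HTML."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    mime = sniff_image_type(data)
    if mime is None:
        raise UploadRejected("content is not an allowed image type")
    _magics, client_exts, store_ext = ALLOWED_TYPES[mime]
    if Path(client_name).suffix.lower() not in client_exts:
        raise UploadRejected("extension does not match content")
    if b"<?" in data or b"<script" in data.lower():
        # Defence in depth against image/script polyglots; the storage location is the real control.
        raise UploadRejected("embedded script markers")
    target = upload_dir / (secrets.token_hex(16) + store_ext)   # the client name is never reused
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Run both cases from the write-up against a fresh temp directory (constructed inputs)."""
    upload_dir = Path(tempfile.mkdtemp(prefix="uploads_"))
    results = {}
    try:   # a PHP script carrying an image filename, as in the case described above
        store_upload("profile_picture.jpg", b"<?php echo 'constructed'; ?>", upload_dir)
    except UploadRejected as e:
        results["disguised_script"] = str(e)
    stored = store_upload("avatar.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 64, upload_dir)
    results["real_jpeg"] = stored.name
    return results
```

Magic-byte checks alone are not sufficient, since a valid JPEG can carry script text in its metadata; the combination of a non-executable storage location, a server-chosen name and extension, and a fixed response Content-Type is what removes the execution path.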

Cross-Site Scripting (XSS)

In the case of Cross-Site Scripting (XSS), the pentesters injected a payload to demonstrate the vulnerability. The payload used was a basic alert box script in JavaScript, as follows:

    <script>alert("XSS Vulnerability");</script>

They injected this payload into a comment on the XXXX website. When other users viewed the comment, the script executed within their browsers, triggering a pop-up alert with the message “XSS Vulnerability.” While this payload is relatively harmless, it illustrates the potential for an attacker to inject more malicious scripts, such as those that steal session cookies or perform other malicious actions.
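The stored XSS above exists because the comment body was written into the page unescaped. The added example below, which is not the application’s code, renders a comment with the untrusted values escaped for the contexts they land in (HTML text and a quoted attribute) and adds a Content-Security-Policy header as a second, independent layer: with no 'unsafe-inline' in script-src, an inline script that slips past a missed escape elsewhere is still refused by the browser. The rendering markup is invented for the demo.

```python
import html

# The payload from the write-up above, treated here as an untrusted comment body.
PAYLOAD = '<script>alert("XSS Vulnerability");</script>'


def render_comment(author: str, body: str) -> str:
    """Render one comment. Every untrusted value is escaped for the context it lands in:
    HTML text and a double-quoted attribute. quote=True also escapes " and ', so an author
    name cannot break out of the attribute and add an event handler."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return (
        f'<article class="comment" data-author="{safe_author}">\n'
        f"  <strong>{safe_author}</strong>\n"
        f"  <p>{safe_body}</p>\n"
        f"</article>"
    )


def security_headers() -> dict:
    """Defence in depth: without 'unsafe-inline' in script-src, an injected inline <script>
    does not run even if some other template forgets to escape."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_comment("mallory", PAYLOAD))   # the tag arrives in the page as text, not markup
```

Escaping must match the output context: what is shown here is right for HTML body text and attribute values, while a value placed inside a <script> block or a URL needs its own encoding, and a templating engine with auto-escaping enabled is the least error-prone way to get this right everywhere.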

Insufficient Network Segmentation

The pentesters identified that the XXXX network lacked proper network segmentation. This means that different parts of the network were not adequately isolated from one another. Specifically:

Public-facing servers, such as the web server and email server, were on the same network as critical internal systems like databases and application servers.

The absence of network segmentation meant that if an attacker gained access to the public-facing servers, they could potentially pivot and move laterally within the network to compromise more critical internal resources.

An attacker could leverage the initial foothold to escalate privileges and access sensitive data or even launch further attacks on internal systems.
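Segmentation is easiest to reason about as an explicit allow-list between zones with everything else denied, and the same policy can be used to audit observed traffic for violations. The checker below is an added example, not from the write-up: the zone plan uses documentation and private address ranges, the permitted flows and the observed connections are constructed, and the first observation is the situation the text describes, a public-facing web server reaching the database directly.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone plan for the example (documentation/private ranges, not XXXX's addressing).
ZONES = {
    "dmz":  ip_network("203.0.113.0/24"),   # public-facing web and mail servers
    "app":  ip_network("10.10.20.0/24"),    # application servers
    "db":   ip_network("10.10.30.0/24"),    # databases
    "corp": ip_network("10.10.40.0/24"),    # staff workstations
}

# Default deny between zones; only these (source zone, destination zone, port) flows are permitted.
ALLOWED_FLOWS = {
    ("dmz", "app", 8443),    # the web tier talks to the application API only
    ("app", "db", 5432),     # only the app tier may reach the database
    ("corp", "app", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str):
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)


def evaluate(flow: Flow) -> str:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny"                      # unknown address space is never implicitly trusted
    if src_zone == dst_zone:
        return "allow"                     # intra-zone traffic is left to host firewalls here
    return "allow" if (src_zone, dst_zone, flow.dport) in ALLOWED_FLOWS else "deny"


def audit(observed) -> list:
    """Flows seen on the wire (flow logs, or the scan results) that the policy would not permit.
    Each one is either a misconfiguration or a path an intruder on the DMZ could use to pivot."""
    return [f for f in observed if evaluate(f) == "deny"]


# Constructed observations: the flat-network situation described above, where the web server
# reaches the database directly, plus two permitted flows and a workstation reaching a DB host.
OBSERVED = [
    Flow("203.0.113.10", "10.10.30.5", 5432),   # web server -> database: must be denied
    Flow("203.0.113.10", "10.10.20.5", 8443),   # web server -> app API: permitted
    Flow("10.10.20.5", "10.10.30.5", 5432),     # app -> database: permitted
    Flow("10.10.40.23", "10.10.30.5", 3389),    # workstation -> database RDP: must be denied
]

if __name__ == "__main__":
    for violation in audit(OBSERVED):
        print("policy violation:", violation)
```

The value of writing the policy down this way is that the firewall rule set, the flow logs and the pentest scan can all be checked against one source of truth; any flow that is reachable but not in ALLOWED_FLOWS is a finding before anyone tries to exploit it.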

Cross-Site Request Forgery (CSRF)

In the context of the CSRF vulnerability, the pentesters created a malicious web page, similar to the one below, to demonstrate how CSRF attacks can exploit the absence of proper security controls:

    <!DOCTYPE html>
    <html>
    <head>
        <title>Malicious CSRF Page</title>
    </head>
    <body>
        <h1>Click This Button</h1>
        <form id="csrf-form" action="https://target-site.com/change-password" method="POST">
            <input type="hidden" name="new-password" value="hacker-password">
            <input type="submit" value="Change Password">
        </form>
        <script>
            document.getElementById('csrf-form').submit();
        </script>
    </body>
    </html>

This malicious page, when visited by an authenticated user of the XXXX application, would automatically submit a request to change the user’s password to “hacker-password” without their consent. CSRF vulnerabilities can lead to unauthorized changes in user accounts, illustrating the need for effective anti-CSRF mechanisms in web applications.
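The server-side check that defeats the page above is shown below as an added example; it is not the application’s code. It applies two independent controls to every state-changing POST: the browser-supplied Origin (or Referer) must be the site’s own origin, and the form must carry a token bound to the user’s session. The auto-submitted form from the attacker’s page fails both, because the browser fills in the attacker’s origin and the attacker cannot read the token for someone else’s session. The host name reuses the placeholder from the sample page, and the per-deployment secret is generated on the spot for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SERVER_SECRET = secrets.token_bytes(32)     # per-deployment key; generated here for the demo
SITE_ORIGIN = "https://target-site.com"     # the placeholder host from the sample form above


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: unpredictable to a third-party page and useless in any
    other session. Embed it as a hidden field in every form that changes state."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _header(headers: dict, name: str):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def is_request_allowed(session_id: str, form: dict, headers: dict) -> bool:
    """Gate for state-changing POSTs. Two independent checks, both of which a form
    auto-submitted from another site fails: the browser-set Origin (or Referer) must be our
    own origin, and the form must carry the token tied to this session."""
    origin = _header(headers, "Origin") or _header(headers, "Referer")
    if not origin:
        return False                          # fail closed when the browser sent neither
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    sid = "session-abc"
    forged = {"new-password": "hacker-password"}          # what the malicious page submits
    print(is_request_allowed(sid, forged, {"Origin": "https://attacker.example"}))   # False
    legit = {"new-password": "new-secret", "csrf_token": issue_csrf_token(sid)}
    print(is_request_allowed(sid, legit, {"Origin": "https://target-site.com"}))     # True
```

Marking the session cookie SameSite=Lax adds a third layer: the browser then omits the cookie from a cross-site form POST altogether, so the request arrives unauthenticated even before these checks run. Password changes in particular should additionally require the current password.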

Inadequate Data Encryption

The pentesters discovered that sensitive data, such as user passwords and financial transactions, were not adequately encrypted during transmission. When users interacted with the XXXX application, data was transferred between clients and servers without proper encryption, making it susceptible to interception by attackers employing techniques like packet sniffing. The absence of secure encryption protocols put user data at risk and highlighted the importance of implementing HTTPS and strong encryption standards to safeguard sensitive information.
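Beyond terminating TLS, an application has to refuse to operate over plaintext at all, or the first unencrypted request still leaks a session cookie. The wrapper below is an added example, not the application’s code: it redirects any plaintext request before the application sees it, sets Strict-Transport-Security on HTTPS responses so browsers stop trying HTTP for a year, and forces Secure, HttpOnly and SameSite on cookies the application issues. The request and response shapes are simplified dicts invented for the demo, and X-Forwarded-Proto is honoured only under the stated assumption that just the TLS-terminating proxy can reach the service.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def harden_cookie(set_cookie: str) -> str:
    """Add Secure, HttpOnly and SameSite=Lax to a Set-Cookie value unless already present."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    for attr in ("Secure", "HttpOnly", "SameSite=Lax"):
        if attr.split("=", 1)[0].lower() not in present:
            parts.append(attr)
    return "; ".join(parts)


def handle(request: dict, app) -> dict:
    """Transport-security wrapper around an application callable (shapes are demo conventions):
    request = {"scheme", "host", "path", "headers"}; app(request) -> {"status", "headers", "body"}.
    X-Forwarded-Proto is trusted here on the assumption that only the TLS-terminating proxy
    can reach this service; never trust it from arbitrary clients."""
    scheme = request["headers"].get("X-Forwarded-Proto", request["scheme"]).lower()
    if scheme != "https":
        # Plaintext never reaches the application: no body, no cookies, just a redirect.
        location = f"https://{request['host']}{request['path']}"
        return {"status": 301, "headers": {"Location": location}, "body": b""}
    response = app(request)
    headers = response["headers"]
    headers["Strict-Transport-Security"] = HSTS_VALUE   # browsers refuse plaintext afterwards
    if "Set-Cookie" in headers:
        headers["Set-Cookie"] = harden_cookie(headers["Set-Cookie"])
    return response


def demo_app(request: dict) -> dict:
    """Stand-in application (constructed) that issues a session cookie without any flags."""
    return {"status": 200, "headers": {"Set-Cookie": "session=abc123; Path=/"}, "body": b"ok"}


if __name__ == "__main__":
    plain = {"scheme": "http", "host": "target-site.com", "path": "/login", "headers": {}}
    print(handle(plain, demo_app))                                   # 301 to the https:// URL
    print(handle({**plain, "scheme": "https"}, demo_app)["headers"])  # HSTS and hardened cookie
```

The redirect only protects the first visit; HSTS is what makes subsequent visits skip HTTP entirely, which is why both belong together, and why the Secure flag matters even when the server never listens on port 80.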

Lack of Two-Factor Authentication (2FA)

Within the XXXX system, the pentesters found that Two-Factor Authentication (2FA) was not implemented for user accounts. This absence of 2FA made it easier for attackers who had obtained valid usernames and passwords, potentially through vulnerabilities like SQL Injection, to gain unauthorized access to user accounts. Enabling 2FA introduces an additional layer of security by requiring users to provide a second authentication factor, such as a temporary code sent to their mobile device, in addition to their password. Implementing 2FA can help mitigate the risk associated with unauthorized access to user accounts.

Chapter 5: Moving to Internal Networks

In Chapter 5, we will take a closer look at the investigation phase of XXXX’s internal networks. In this phase, the pentester team focused on investigating the network infrastructure within the organisation and attempting to bypass firewalls and other network defences.

Bypassing Firewalls

The first challenge was to bypass the firewalls that separated XXXX’s external and internal networks. Pentesters used a variety of techniques, including analysing firewall rules and examining external servers to find weaknesses. They discovered a recently deployed web server that had been connected to the internal network without authorisation, giving them the opportunity to bypass the security barriers.

Internal Network Scanning

The pentester team used network scanning programmes to investigate internal network segments. They discovered active hosts, services, and open ports, allowing them to map the network and identify potential entry points. At this stage, they also looked for vulnerabilities in network equipment.

Redirection Attacks

To gain access to sensitive information, the pentester team used redirection attacks. They created malicious redirects that intercepted network traffic and redirected it to servers under their control. This allowed them to intercept authentication credentials and session IDs, which could be used to further intrude into the system.

Hidden Internal Server Vulnerabilities

While scanning and analysing internal servers, pentesters discovered hidden vulnerabilities in operating systems and services running within the network. These vulnerabilities could have been exploited to perform additional attacks and gain access to sensitive data.

In chapter five of our story, the pentest team demonstrated how conducting a thorough investigation of internal networks can reveal hidden vulnerabilities and potential entry points for attackers. This pentest phase is critical in ensuring the overall security of an information system.

Chapter 6: Completion

In the final chapter of our story, the focus shifts to actions after successful pentesting. The XXXX organisation takes the recommendations provided by the pentest team and begins to implement them. These recommendations cover a wide range of security measures, including configuration changes, installation of security updates and employee training. The organisation seeks to strengthen its system and protect critical financial data.

The pentester team completes their mission with confidence that their efforts have contributed to the security of the online platform. They provide a final report detailing all vulnerabilities found and recommendations for remediation. This report becomes the basis for further security improvements and allows XXXX to better protect their customers and business partners.

As we wrap up our story, we see pentesters not only finding vulnerabilities, but also actively contributing to strengthening the security of the information system. This reminds us of the importance of continually working on security and ensuring that we are protected from potential threats in the financial technology industry.
