Share
## https://sploitus.com/exploit?id=07AC44A5-5DE2-5F4D-907F-59566EB006B2
# Penetration Test Report β€” ClΓ­nica San Gabriel

## Overview

Full penetration test conducted on a simulated healthcare organization infrastructure as part of the **Offensive Security** coursework at **Universidad de Palermo** (2nd semester, 2025).

> **Disclaimer:** This project was conducted in a controlled lab environment using intentionally vulnerable virtual machines (Metasploitable2, Windows 10). No real systems or data were targeted.

---

## Objective

Evaluate the security posture of ClΓ­nica San Gabriel's simulated infrastructure by identifying vulnerabilities across network services, web applications, and endpoint systems β€” and documenting findings in a professional penetration test report.

---

## Scope

| Target | Details |
|---|---|
| **Linux Target** | Metasploitable2 (192.168.227.137) |
| **Windows Target** | Windows 10 VM (10.0.0.6) |
| **Web Application** | Mutillidae (OWASP Top 10 vulnerable app) |
| **Network** | Internal lab network (VMware / VirtualBox) |

---

## Methodology

The engagement followed a standard penetration testing methodology:

1. **Reconnaissance** β€” Passive (WHOIS, Google Dorks, Shodan) and active (Nmap)
2. **Enumeration** β€” Service/version detection, Nessus vulnerability scan
3. **Exploitation** β€” Multiple attack vectors executed
4. **Post-Exploitation** β€” Privilege escalation, credential harvesting, persistence
5. **Covering Tracks** β€” Log deletion, file removal
6. **Reporting** β€” Executive summary + technical findings

---

## Vulnerabilities Exploited

| Service | CVE / Vulnerability | Severity |
|---|---|---|
| VNC (port 5900) | Weak password (`password`) | Critical |
| FTP vsftpd 2.3.4 | Backdoor command execution | Critical |
| Samba (SMB) | `usermap_script` RCE | Critical |
| UnrealIRCd 3.2.8.1 | Backdoor command execution | Critical |
| MySQL (port 3306) | Unauthenticated access | High |
| Web App (Mutillidae) | SQL Injection + Path Traversal | High |
| Windows 10 | UAC Bypass (`bypassuac_sluihijack`, `bypassuac_fodhelper`) | High |
| Apache Tomcat | AJP Ghostcat (CVE-2020-1938) | Critical |

---

## Tools Used

| Tool | Purpose |
|---|---|
| **Nmap** | Port scanning and service enumeration |
| **Metasploit Framework** | Exploitation and post-exploitation |
| **Nessus Essentials** | Vulnerability scanning |
| **VNCViewer** | Remote desktop access via VNC |
| **John the Ripper** | Password cracking |
| **Mimikatz (Kiwi)** | Windows credential harvesting |
| **Shodan** | Passive reconnaissance |
| **Google Dorks** | OSINT reconnaissance |
| **Burp Suite** | Web application testing |
| **Netcat** | Reverse shell and file transfer |
| **Wireshark** | Network traffic analysis |
| **msfvenom** | Payload generation |

---

## Key Findings Summary

**Nessus scan results on Metasploitable2:**
- 6 Critical vulnerabilities
- 4 High vulnerabilities
- 16 Medium vulnerabilities
- 7 Low vulnerabilities
- 73 Informational

**Post-exploitation achieved on both targets:**
- Root shell on Metasploitable2 (Linux)
- NT AUTHORITY\SYSTEM on Windows 10

---

## Repository Structure

```
pentest-report-clinica-sangabriel/
β”œβ”€β”€ README.md                                      # This file
β”œβ”€β”€ report/
β”‚   └── pentest-report-clinica-sangabriel.docx    # Full technical report (Spanish)
β”œβ”€β”€ screenshots/                                   # Evidence screenshots (49 images)
└── methodology/
    β”œβ”€β”€ attack-narrative.md                        # Step-by-step attack narrative
    └── tools-used.md                              # Tool descriptions and references
```

---

## Team

- Francisco EspaΓ±a
- Norman Beltran
- Cristian Albuja
- Cristian Serrano Antelo

**Course:** Offensive Security β€” Universidad de Palermo  
**Period:** 4th Semester, 2025