Share
## https://sploitus.com/exploit?id=07AC44A5-5DE2-5F4D-907F-59566EB006B2
# Penetration Test Report β ClΓnica San Gabriel
## Overview
Full penetration test conducted on a simulated healthcare organization infrastructure as part of the **Offensive Security** coursework at **Universidad de Palermo** (2nd semester, 2025).
> **Disclaimer:** This project was conducted in a controlled lab environment using intentionally vulnerable virtual machines (Metasploitable2, Windows 10). No real systems or data were targeted.
---
## Objective
Evaluate the security posture of ClΓnica San Gabriel's simulated infrastructure by identifying vulnerabilities across network services, web applications, and endpoint systems β and documenting findings in a professional penetration test report.
---
## Scope
| Target | Details |
|---|---|
| **Linux Target** | Metasploitable2 (192.168.227.137) |
| **Windows Target** | Windows 10 VM (10.0.0.6) |
| **Web Application** | Mutillidae (OWASP Top 10 vulnerable app) |
| **Network** | Internal lab network (VMware / VirtualBox) |
---
## Methodology
The engagement followed a standard penetration testing methodology:
1. **Reconnaissance** β Passive (WHOIS, Google Dorks, Shodan) and active (Nmap)
2. **Enumeration** β Service/version detection, Nessus vulnerability scan
3. **Exploitation** β Multiple attack vectors executed
4. **Post-Exploitation** β Privilege escalation, credential harvesting, persistence
5. **Covering Tracks** β Log deletion, file removal
6. **Reporting** β Executive summary + technical findings
---
## Vulnerabilities Exploited
| Service | CVE / Vulnerability | Severity |
|---|---|---|
| VNC (port 5900) | Weak password (`password`) | Critical |
| FTP vsftpd 2.3.4 | Backdoor command execution | Critical |
| Samba (SMB) | `usermap_script` RCE | Critical |
| UnrealIRCd 3.2.8.1 | Backdoor command execution | Critical |
| MySQL (port 3306) | Unauthenticated access | High |
| Web App (Mutillidae) | SQL Injection + Path Traversal | High |
| Windows 10 | UAC Bypass (`bypassuac_sluihijack`, `bypassuac_fodhelper`) | High |
| Apache Tomcat | AJP Ghostcat (CVE-2020-1938) | Critical |
---
## Tools Used
| Tool | Purpose |
|---|---|
| **Nmap** | Port scanning and service enumeration |
| **Metasploit Framework** | Exploitation and post-exploitation |
| **Nessus Essentials** | Vulnerability scanning |
| **VNCViewer** | Remote desktop access via VNC |
| **John the Ripper** | Password cracking |
| **Mimikatz (Kiwi)** | Windows credential harvesting |
| **Shodan** | Passive reconnaissance |
| **Google Dorks** | OSINT reconnaissance |
| **Burp Suite** | Web application testing |
| **Netcat** | Reverse shell and file transfer |
| **Wireshark** | Network traffic analysis |
| **msfvenom** | Payload generation |
---
## Key Findings Summary
**Nessus scan results on Metasploitable2:**
- 6 Critical vulnerabilities
- 4 High vulnerabilities
- 16 Medium vulnerabilities
- 7 Low vulnerabilities
- 73 Informational
**Post-exploitation achieved on both targets:**
- Root shell on Metasploitable2 (Linux)
- NT AUTHORITY\SYSTEM on Windows 10
---
## Repository Structure
```
pentest-report-clinica-sangabriel/
βββ README.md # This file
βββ report/
β βββ pentest-report-clinica-sangabriel.docx # Full technical report (Spanish)
βββ screenshots/ # Evidence screenshots (49 images)
βββ methodology/
βββ attack-narrative.md # Step-by-step attack narrative
βββ tools-used.md # Tool descriptions and references
```
---
## Team
- Francisco EspaΓ±a
- Norman Beltran
- Cristian Albuja
- Cristian Serrano Antelo
**Course:** Offensive Security β Universidad de Palermo
**Period:** 4th Semester, 2025