# CSI_6_SCS_2526: Systems and Cyber Security Coursework

> **Grey-Box Vulnerability Assessment** | LSBU | 2025/26  
> Student ID: 4214293 | Group 10 | Network: `10.0.10.0/24`

---

## Overview

This repository contains the coursework submission and supporting materials for the **CSI_6_SCS_2526 Systems and Cyber Security** module at London South Bank University. The coursework required a grey-box vulnerability assessment of three allocated target VMs inside an isolated GNS3/Apporto lab environment.

The engagement simulates a compromised internal user: the network address space and default credentials were known in advance, but nothing about the targets' services or configurations.

---

## Target Environment

| Device | IP Address | Role |
|---|---|---|
| Kali Linux | `10.0.10.3` | Attack Machine |
| VPLE | `10.0.10.5` | Target VM |
| pWnOS | `10.0.10.2` | Target VM |
| Windows 10 | `10.0.10.4` | Target VM |
| Router (R1 / c7200) | `10.0.10.1` | DHCP Server / Default Gateway |

---

## Key Findings Summary

### VPLE (10.0.10.5)

| Port | Finding | Severity |
|---|---|---|
| 1336 | Apache 2.4.7, PHP 5.5.9 and jQuery 1.6.2: end-of-life stack. CVE-2016-6814 (CVSS 9.8) is cited for this finding, but that CVE is an Apache Groovy deserialization flaw, not an Apache httpd issue, so it applies only if Groovy is confirmed on the host | Critical |
| 1336 | Exposed `/.git/` repository | High |
| 1336 | Unprotected phpMyAdmin interface | High |
| 1336 | `phpinfo.php` leaking server internals | High |
| 1336 | Directory indexing on `/passwords/` and `/data/` | Medium |
| 1336 | Missing security headers, absent HttpOnly cookie flag | Medium |
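
Three of the findings above (missing security headers, a session cookie set without `HttpOnly`, and a served `/.git/` directory) are cheap to re-test after remediation. The script below is an added example, not code from this repository, that turns them into repeatable checks. The two HTTP responses it runs against are constructed to resemble the weak and the hardened server, and the header baseline it requires is an assumption of the example rather than something the report specifies.

```bash
# Added example, not code from the coursework repository: repeatable checks for
# the VPLE web findings (missing security headers, Set-Cookie without
# HttpOnly/Secure/SameSite, and a served /.git/ directory). Both HTTP responses
# are CONSTRUCTED to resemble the weak and the remediated server; nothing here
# was captured from 10.0.10.5.
set -u

WEAK_RESPONSE=$(printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Server: Apache/2.4.7 (Ubuntu)' \
    'X-Powered-By: PHP/5.5.9-1ubuntu4' \
    'Set-Cookie: PHPSESSID=constructedvalue; path=/' \
    'Content-Type: text/html')

HARDENED_RESPONSE=$(printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Server: Apache' \
    'Set-Cookie: PHPSESSID=constructedvalue; path=/; HttpOnly; Secure; SameSite=Lax' \
    'X-Frame-Options: DENY' \
    'X-Content-Type-Options: nosniff' \
    "Content-Security-Policy: default-src 'self'" \
    'Strict-Transport-Security: max-age=31536000' \
    'Content-Type: text/html')

# Baseline assumed for this example; adjust to the policy you assess against.
REQUIRED_HEADERS='X-Frame-Options X-Content-Type-Options Content-Security-Policy Strict-Transport-Security'

# missing_headers RESPONSE -> space-separated list of baseline headers that are absent
missing_headers() {
    missing=''
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$1" | grep -qi "^$h:"; then
            missing="$missing $h"
        fi
    done
    printf '%s\n' "${missing# }"
}

# cookie_flags RESPONSE -> one line per Set-Cookie: "<name> ok" or "<name> missing:<flags>"
cookie_flags() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Set-Cookie:' | while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed 's/^[Ss]et-[Cc]ookie: *//; s/=.*//')
        missing=''
        for flag in HttpOnly Secure SameSite; do
            printf '%s' "$line" | grep -qi "; *$flag" || missing="$missing,$flag"
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$name" "${missing#,}"
        else
            printf '%s ok\n' "$name"
        fi
    done
}

# git_exposed BODY -> yes when the body of GET /.git/HEAD is a git ref or a bare
# commit hash (what a served repository returns); no for an error page
git_exposed() {
    body=$(printf '%s' "$1" | tr -d '\r')
    case $body in
        'ref: refs/'*) echo yes; return ;;
    esac
    if printf '%s\n' "$body" | grep -Eq '^[0-9a-f]{40}$'; then echo yes; else echo no; fi
}

# Live use against the lab host would be, for example:
#   missing_headers "$(curl -si http://10.0.10.5:1336/)"
#   cookie_flags    "$(curl -si http://10.0.10.5:1336/)"
#   git_exposed     "$(curl -s  http://10.0.10.5:1336/.git/HEAD)"
```

The `/.git/HEAD` test is deliberately content-based rather than status-based: some servers answer `200` with an HTML error page for any path, so a `200` alone proves nothing, while a body of `ref: refs/heads/...` (or a bare 40-hex commit id) does.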

### pWnOS (10.0.10.2)

| Port | Finding | Severity |
|---|---|---|
| 22 & 80 | Apache 2.2.17, PHP 5.3.5 and OpenSSH 5.8.1: all end-of-life | Critical |
| 80 | Unauthenticated arbitrary file upload in Simple PHP Blog (CVE-2005-2733, CVSS 7.5) leading to remote code execution | High |
| 80 | SQL injection: full database credential extraction via SQLMap | Critical |
| 22 | Direct root access via SSH using extracted credentials | Critical |
| 22 | Complete credential dump from `/etc/shadow` | Critical |
| 22 | Deprecated SSH algorithms, 1024-bit DSA host key | Medium |

### Windows 10 (10.0.10.4)

| Port | Finding | Severity |
|---|---|---|
| 137, 139, 445 | NetBIOS/SMB exposed: host enumeration and lateral movement risk | Medium |
| 445 | SMBv1 enabled: potential EternalBlue CVE-2017-0144 (CVSS 8.8). SMBv1 alone is a precondition, not proof; confirm with the `smb-vuln-ms17-010` Nmap script before rating it exploitable | High |
| 137-139 | Workgroup membership and hostname disclosed via NetBIOS/SMB | Low |
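
Two of the findings above rest on Nmap script output: the deprecated SSH algorithms and 1024-bit DSA host key on pWnOS (from `ssh2-enum-algos` and `ssh-hostkey`) and the SMBv1 dialect on the Windows 10 host (from `smb-protocols`). The script below is an added example, not code from this repository, that parses that output into verdicts instead of reading it off a screenshot, and it makes the SMB caveat explicit: SMBv1 being offered is not the same as `smb-vuln-ms17-010` reporting `VULNERABLE`. Both NSE samples are constructed to look like those scripts' output; they are not captures from the lab, and the "weak" algorithm list is this example's baseline, not the report's.

```bash
# Added example, not part of the coursework repository: post-process Nmap NSE
# output so that the "deprecated SSH algorithms / 1024-bit DSA host key"
# (pWnOS) and "SMBv1 present" (Windows 10) findings come from parsed script
# results. Both samples are CONSTRUCTED to resemble
# `nmap -p 22 --script ssh-hostkey,ssh2-enum-algos` and
# `nmap -p 445 --script smb-protocols` output; they are not lab captures.
set -u

SSH_NSE=$(cat <<'EOF'
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   1024 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 (DSA)
|_  2048 00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11 (RSA)
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       ecdh-sha2-nistp256
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes128-cbc
|       arcfour
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
EOF
)

SMB_NSE=$(cat <<'EOF'
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
EOF
)

# Algorithms that rely on SHA-1, MD5, RC4, CBC mode or DSA. This is the
# example's baseline; tighten or loosen it to match the policy you assess against.
WEAK_SSH='diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1|ssh-dss|arcfour|-cbc$|hmac-md5|hmac-sha1$|hmac-sha1-96'

# weak_ssh_algos NSE_TEXT -> "category algorithm" for every weak algorithm offered
weak_ssh_algos() {
    printf '%s\n' "$1" | awk -v weak="$WEAK_SSH" '
        /^\| ssh2-enum-algos/         { inblk = 1; next }
        inblk && $2 ~ /_algorithms:$/ { cat = $2; sub(/:$/, "", cat); next }
        inblk && $1 ~ /^\|/           { if ($2 ~ weak) print cat, $2; if ($1 == "|_") inblk = 0 }
    '
}

# weak_hostkeys NSE_TEXT -> "bits type" for DSA host keys or RSA keys under 2048 bits
weak_hostkeys() {
    printf '%s\n' "$1" | awk '
        /^\| ssh-hostkey/ { inblk = 1; next }
        inblk && $1 ~ /^\|/ && $2 ~ /^[0-9]+$/ {
            type = $NF; gsub(/[()]/, "", type)
            if (type == "DSA" || (type == "RSA" && $2 + 0 < 2048)) print $2, type
            if ($1 == "|_") inblk = 0
        }
    '
}

# smbv1_enabled NSE_TEXT -> yes/no, from the "NT LM 0.12" dialect that
# smb-protocols lists when SMBv1 can still be negotiated
smbv1_enabled() {
    if printf '%s\n' "$1" | grep -q 'NT LM 0.12'; then echo yes; else echo no; fi
}

# ms17_010_state NSE_TEXT -> the State line from smb-vuln-ms17-010, or
# "not reported" when that script produced nothing. SMBv1 is a precondition
# for EternalBlue, not evidence of it; the finding stays "potential" until
# this returns VULNERABLE.
ms17_010_state() {
    state=$(printf '%s\n' "$1" | awk '/smb-vuln-ms17-010/ { inblk = 1 } inblk && /State:/ { print $NF; exit }')
    printf '%s\n' "${state:-not reported}"
}
```

On the constructed sample, `weak_ssh_algos` flags the SHA-1 key exchanges, `ssh-dss`, the CBC cipher, `arcfour` and the SHA-1/MD5 MACs, `weak_hostkeys` returns `1024 DSA`, `smbv1_enabled` answers `yes` for the Windows sample, and `ms17_010_state` answers `not reported` because no `smb-vuln-ms17-010` result is present, which is exactly the gap the "potential" rating in the table reflects.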

---

## Exploitation Chain: pWnOS (Full Compromise)

pWnOS was fully compromised via a five-phase attack chain:

1. **Initial Access**: unauthenticated file upload in Simple PHP Blog (CVE-2005-2733), exploited with Metasploit for remote code execution on the web server
2. **SQL Injection**: credentials extracted in full from the external database with SQLMap
3. **Privilege Escalation**: root shell over SSH by reusing the extracted credentials
4. **Database Dump**: internal MySQL database dumped from the root shell
5. **Password Hash Extraction**: `/etc/shadow` retrieved for offline cracking

---

## Methodology

The assessment followed the penetration testing methodology introduced in the module:

```
Passive Reconnaissance
        ↓
Host & Service Discovery (Nmap)
        ↓
Port & Directory Enumeration (Nikto, Dirb, Gobuster)
        ↓
Vulnerability Assessment (Manual CVE/NVD/CWE + OpenVAS)
        ↓
Exploitation: Proof of Concept (Metasploit, SQLMap)
        ↓
Security Concerns & Mitigation Strategies
```
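
What links the phases above is the data handed from one tool to the next: the open ports found in discovery decide which enumeration tools run against which host. The script below is an added example, not code from this repository, that performs that hand-off from Nmap's grepable output rather than from reading the scan on screen. The `-oG` text it parses is constructed to resemble the hosts in the target table (it is not a capture), and the Nikto, Dirb, WhatWeb, enum4linux and nbtscan invocations are the tools' standard forms, not the exact commands used in the report.

```bash
# Added example, not code from the coursework repository: the hand-off from
# the host/service discovery phase to the enumeration phase. The Nmap
# grepable (-oG) text below is CONSTRUCTED to resemble the lab hosts; it is
# not a capture, and the port list is illustrative only.
set -u

SAMPLE_GNMAP=$(printf '%s\t%s\n' \
    'Host: 10.0.10.2 ()' 'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///' \
    'Host: 10.0.10.4 ()' 'Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///' \
    'Host: 10.0.10.5 ()' 'Ports: 1336/open/tcp//http///')

# open_ports GNMAP_TEXT -> "ip port service" for every open TCP port.
# -oG fields are tab-separated; each port entry is
# port/state/proto/owner/service/rpc/version/
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp") print ip, f[1], f[5]
                }
            }
        }'
}

# emit_web SCHEME IP PORT -> the web enumeration commands for one URL
emit_web() {
    printf 'whatweb %s://%s:%s/\n' "$1" "$2" "$3"
    printf 'nikto -h %s://%s:%s/\n' "$1" "$2" "$3"
    printf 'dirb %s://%s:%s/\n' "$1" "$2" "$3"
}

# next_phase IP PORT SERVICE -> the enumeration command(s) this service is
# handed to in the methodology (printed, not executed)
next_phase() {
    case $3 in
        http|http-alt|http-proxy) emit_web http "$1" "$2" ;;
        https)                    emit_web https "$1" "$2" ;;
        ssh)
            printf 'nmap -p %s --script ssh-hostkey,ssh2-enum-algos %s\n' "$2" "$1" ;;
        netbios-ssn|microsoft-ds)
            printf 'nbtscan %s\n' "$1"
            printf 'enum4linux -a %s\n' "$1" ;;
        *)
            printf '# %s:%s (%s) has no scripted follow-up; review manually\n' "$1" "$2" "$3" ;;
    esac
}

# plan GNMAP_TEXT -> de-duplicated follow-up commands for the whole scan
plan() {
    open_ports "$1" | while read -r ip port svc; do
        next_phase "$ip" "$port" "$svc"
    done | sort -u
}

# plan "$SAMPLE_GNMAP"                      # dry run on the constructed sample
# plan "$(nmap -sV -oG - 10.0.10.0/24)"     # live use from the Kali box
```

The de-duplication matters for the Windows host: ports 139 and 445 both map to the same `enum4linux`/`nbtscan` commands, and running them twice only adds noise to the evidence folder. The default branch keeps unrecognised services visible rather than silently dropping them.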

---

## Tools Used

| Tool | Purpose |
|---|---|
| Nmap | Host discovery, port scanning, service/OS fingerprinting |
| WhatWeb | Web technology fingerprinting |
| Nikto | Automated web vulnerability scanning |
| Dirb | Directory and file brute-forcing |
| enum4linux | SMB/NetBIOS enumeration |
| nbtscan | NetBIOS name scanning |
| Metasploit | Exploitation framework (CVE-2005-2733) |
| SQLMap | Automated SQL injection and credential extraction |
| OpenVAS | Automated vulnerability scanning |
| ssh2-enum-algos (Nmap script) | SSH algorithm enumeration |

---

## Repository Structure

```
.
├── README.md
├── report/
│   └── 4214293_Yameen_Munir-coursework_report.docx
├── evidence/
│   ├── screenshots/
│   │   ├── network-setup/
│   │   ├── information-gathering/
│   │   ├── enumeration/
│   │   ├── vulnerability-assessment/
│   │   └── exploitation/
│   └── scan-outputs/
│       ├── vple/
│       ├── pwnos/
│       └── windows10/
├── scripts/
│   └── (custom scripts if applicable)
└── notes/
    ├── vple-notes.md
    ├── pwnos-notes.md
    └── windows10-notes.md
```

---

## Vulnerability References

| CVE | CVSS | Description | Target |
|---|---|---|---|
| CVE-2016-6814 | 9.8 Critical | Apache Groovy remote code execution via unsafe Java deserialization (not an Apache httpd vulnerability; relevance to the VPLE httpd/PHP stack unconfirmed) | VPLE |
| CVE-2005-2733 | 7.5 High | Simple PHP Blog unauthenticated arbitrary file upload (`upload_img_cgi.php`) leading to RCE | pWnOS |
| CVE-2017-0144 | 8.8 High | EternalBlue SMBv1 RCE | Windows 10 |

---

## Disclaimer

> All testing was conducted exclusively within an authorised, isolated lab environment provided by LSBU via the Apporto/GNS3 platform. No real-world systems were targeted at any point. This repository is for educational purposes only as part of the CSI_6_SCS_2526 module assessment.

---

## Module Info

| | |
|---|---|
| Module | CSI_6_SCS_2526: Systems and Cyber Security |
| Institution | London South Bank University (LSBU) |
| Lecturer | George Bamfo |
| Academic Year | 2025/26 |
| Assessment Weight | 60% of module mark |