Share
## https://sploitus.com/exploit?id=1EEE27D9-DFF4-517B-9EAB-CCDECA6EF254
# ๐Ÿ›ก๏ธ Advanced Penetration Testing & System Forensic Audit
## Midterm Assessment: Target Server PT005B (Cyberium Arena)

[![Target: Linux](https://img.shields.io/badge/Target-Linux%20Kernel%202.6-red?logo=linux)](https://kernel.org)
[![Tools: Metasploit](https://img.shields.io/badge/Tools-Metasploit%20|%20Nmap-blue)](https://www.kali.org/)
[![Status: Completed](https://img.shields.io/badge/Status-Fully%20Compromised-success)](#)

## ๐Ÿ“– Executive Summary
Following a CERT alert regarding compromised credentials (`nate:1234`), this repository documents a sanctioned penetration test performed on a cloned production server. The objective was to identify existing threats, exploit architectural weaknesses, and perform post-exploitation forensics to determine the extent of potential data exposure.

---

## ๐Ÿ“„ Primary Evidence
The full, step-by-step laboratory submission containing annotated terminal screenshots and real-time command execution logs is available here:

๐Ÿ‘‰ **[Download Full Technical PDF Report](./annotated-Mid%20term%20Pentest.pdf)**

---

## ๐Ÿ› ๏ธ Phase 1: Reconnaissance & Attack Surface Mapping

### 1. Network Automation Scripting
I developed a Bash utility, `midtest2.sh`, to automate the discovery phase. This script dynamically pulls the local gateway information and iterates through the `/24` subnet to identify live hosts. 
* **IP Exclusion:** To maintain operational integrity, the script was configured to exclude the attacker's local IP from the scan results.
* **Target Identified:** The assessment focused on host `10.0.2.6` after confirming it was the primary target server.

### 2. Service-Level Fingerprinting
A comprehensive Nmap scan was executed to identify high-risk entry points. 
* **Command:** `nmap -open -sV 10.0.2.6 -oX scan.xml`
* **Findings:**
    * **Port 21:** vsftpd 2.3.4 (Known Backdoor Version)
    * **Port 80:** Apache httpd 2.2.8 (Ubuntu/DAV2)
    * **Port 2121:** ProFTPD 1.3.1
* **OS Detection:** Aggressive fingerprinting confirmed the server environment as **Linux 2.6.9**.

### 3. Vulnerability Research (CVE Correlation)
Using `searchsploit`, the identified versions were mapped to the Exploit-Database to find verified remote exploits.
* **CVE-2015-3306:** Found in ProFTPd 1.3.5 allowing for Remote Command Execution.
* **CVE-1999-0368:** A critical buffer overflow vulnerability in older ProFTPd builds.
* **CVE-2001-1501:** A directory traversal/expansion vulnerability found in WU-FTPD/ProFTPd.

---

## ๐Ÿ”‘ Phase 2: Exploitation & Administrative Takeover

### 1. Gaining Initial Access
The primary breach was achieved by exploiting a backdoor bind listener in the **vsftpd 2.3.4** service. 
* **Method:** Utilizing the Metasploit module `unix/ftp/vsftpd_234_backdoor`, a connection was triggered that successfully spawned a high-privilege shell.
* **Immediate Result:** Gained **UID 0 (root)** access on the first attempt.
* **Persistence:** Leveraged this access to extract the `/etc/passwd` file, providing a blueprint of the system's user architecture (e.g., `msfadmin`, `nate`, `syslog`).

### 2. Post-Exploitation & Data Discovery
To demonstrate advanced command-and-control (C2) capabilities, a secondary payload was deployed.
* **Advanced Session:** Established a Meterpreter session via a PHP reverse shell (`php/reverse_php`) on port `6666`.
* **Privilege Escalation Simulation:** Successfully utilized session handling to navigate restricted directories.
* **Forensic Evidence:** Identified a high-value target file named **`topsecurity`** located in the `/root/Desktop` directory, confirming that sensitive data was accessible and unprotected at the root level.

---

## ๐Ÿ“‚ Repository Structure
* **`scripts/`**: Automation tools used for network discovery.
* **`scans/`**: Raw XML Nmap outputs for auditing purposes.
* **`report/`**: The complete annotated Mid-term Pentest PDF document.

## โš ๏ธ Mitigation Recommendations
1. **Patch Management:** Immediately update `vsftpd` to a version higher than 2.3.4 and upgrade `Apache 2.2.8` to resolve the DAV2 vulnerabilities.
2. **FTP Configuration:** Disable write permissions for standard users and implement SFTP (SSH File Transfer Protocol) to encrypt credentials and data in transit.
3. **Directory Permissions:** Restrict access to the `/root` directory using strict ACLs to prevent exposure of sensitive files like `topsecurity`.

---
*This project was conducted in a controlled lab environment for the Cyberium Arena mid-term assessment.*