## https://sploitus.com/exploit?id=1EEE27D9-DFF4-517B-9EAB-CCDECA6EF254
# ๐ก๏ธ Advanced Penetration Testing & System Forensic Audit
## Midterm Assessment: Target Server PT005B (Cyberium Arena)
[](https://kernel.org)
[](https://www.kali.org/)
[](#)
## ๐ Executive Summary
Following a CERT alert regarding compromised credentials (`nate:1234`), this repository documents a sanctioned penetration test performed on a cloned production server. The objective was to identify existing threats, exploit architectural weaknesses, and perform post-exploitation forensics to determine the extent of potential data exposure.
---
## ๐ Primary Evidence
The full, step-by-step laboratory submission containing annotated terminal screenshots and real-time command execution logs is available here:
๐ **[Download Full Technical PDF Report](./annotated-Mid%20term%20Pentest.pdf)**
---
## ๐ ๏ธ Phase 1: Reconnaissance & Attack Surface Mapping
### 1. Network Automation Scripting
I developed a Bash utility, `midtest2.sh`, to automate the discovery phase. This script dynamically pulls the local gateway information and iterates through the `/24` subnet to identify live hosts.
* **IP Exclusion:** To maintain operational integrity, the script was configured to exclude the attacker's local IP from the scan results.
* **Target Identified:** The assessment focused on host `10.0.2.6` after confirming it was the primary target server.
### 2. Service-Level Fingerprinting
A comprehensive Nmap scan was executed to identify high-risk entry points.
* **Command:** `nmap -open -sV 10.0.2.6 -oX scan.xml`
* **Findings:**
* **Port 21:** vsftpd 2.3.4 (Known Backdoor Version)
* **Port 80:** Apache httpd 2.2.8 (Ubuntu/DAV2)
* **Port 2121:** ProFTPD 1.3.1
* **OS Detection:** Aggressive fingerprinting confirmed the server environment as **Linux 2.6.9**.
### 3. Vulnerability Research (CVE Correlation)
Using `searchsploit`, the identified versions were mapped to the Exploit-Database to find verified remote exploits.
* **CVE-2015-3306:** Found in ProFTPd 1.3.5 allowing for Remote Command Execution.
* **CVE-1999-0368:** A critical buffer overflow vulnerability in older ProFTPd builds.
* **CVE-2001-1501:** A directory traversal/expansion vulnerability found in WU-FTPD/ProFTPd.
---
## ๐ Phase 2: Exploitation & Administrative Takeover
### 1. Gaining Initial Access
The primary breach was achieved by exploiting a backdoor bind listener in the **vsftpd 2.3.4** service.
* **Method:** Utilizing the Metasploit module `unix/ftp/vsftpd_234_backdoor`, a connection was triggered that successfully spawned a high-privilege shell.
* **Immediate Result:** Gained **UID 0 (root)** access on the first attempt.
* **Persistence:** Leveraged this access to extract the `/etc/passwd` file, providing a blueprint of the system's user architecture (e.g., `msfadmin`, `nate`, `syslog`).
### 2. Post-Exploitation & Data Discovery
To demonstrate advanced command-and-control (C2) capabilities, a secondary payload was deployed.
* **Advanced Session:** Established a Meterpreter session via a PHP reverse shell (`php/reverse_php`) on port `6666`.
* **Privilege Escalation Simulation:** Successfully utilized session handling to navigate restricted directories.
* **Forensic Evidence:** Identified a high-value target file named **`topsecurity`** located in the `/root/Desktop` directory, confirming that sensitive data was accessible and unprotected at the root level.
---
## ๐ Repository Structure
* **`scripts/`**: Automation tools used for network discovery.
* **`scans/`**: Raw XML Nmap outputs for auditing purposes.
* **`report/`**: The complete annotated Mid-term Pentest PDF document.
## โ ๏ธ Mitigation Recommendations
1. **Patch Management:** Immediately update `vsftpd` to a version higher than 2.3.4 and upgrade `Apache 2.2.8` to resolve the DAV2 vulnerabilities.
2. **FTP Configuration:** Disable write permissions for standard users and implement SFTP (SSH File Transfer Protocol) to encrypt credentials and data in transit.
3. **Directory Permissions:** Restrict access to the `/root` directory using strict ACLs to prevent exposure of sensitive files like `topsecurity`.
---
*This project was conducted in a controlled lab environment for the Cyberium Arena mid-term assessment.*