Share
## https://sploitus.com/exploit?id=CA2DF009-33B3-54AB-AAA8-EAB7E58429A2
# Ethical Hacking & Information Security Lab Reports




A collection of hands-on ethical hacking and information security assessment reports completed as part of the **Level 5 Diploma in Computing with Cybersecurity** (NCC Education). Each lab was conducted in an **isolated, authorised academic environment**.
---
## Lab Index
| # | Lab | Key Techniques | Tools Used |
|---|-----|---------------|------------|
| 01 | [Malware Analysis](#01-malware-analysis) | Static & dynamic analysis, IOC extraction | Ghidra, Cuckoo Sandbox, Volatility, FTK Imager |
| 02 | [CVE-2019-20183 Exploitation](#02-cve-2019-20183--unrestricted-file-upload--rce) | File upload bypass, RCE, CVSS scoring | Burp Suite, msfvenom, Netcat |
| 03 | [SNMP Enumeration](#03-snmp-enumeration-port-161) | Service enumeration, MIB walking | Nmap, onesixtyone, snmpwalk |
| 04 | [FTP Forensics & Packet Analysis](#04-ftp-forensics--packet-analysis) | Credential capture, protocol analysis | Wireshark, tcpdump |
| 05 | [Unquoted Service Path Privilege Escalation](#05-unquoted-service-path-privilege-escalation) | Windows privesc, service exploitation | WMIC, msfvenom, accesschk |
| 06 | [OSINT & Footprinting](#06-osint--footprinting) | Passive recon, metadata extraction | theHarvester, Shodan, Maltego, FOCA |
---
## 01. Malware Analysis
**Objective:** Perform static and dynamic analysis on a malware sample to identify its behaviour, persistence mechanisms, and indicators of compromise (IOCs).
**Techniques:**
- Static analysis: strings extraction, PE header inspection, hash identification
- Dynamic analysis: sandbox execution, network traffic monitoring, registry monitoring
- Memory forensics: process injection identification
**Tools:** `Ghidra` `Cuckoo Sandbox` `Volatility` `FTK Imager` `VirusTotal`
**Key Findings:**
- Identified C2 callback behaviour via DNS query to hardcoded IP
- Detected registry persistence key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- Extracted network IOCs: suspicious outbound connections on port 4444
**Security+ Mapping:** Domain 2 โ Threat Intelligence & Malware Types
---
## 02. CVE-2019-20183 โ Unrestricted File Upload & RCE
**CVE:** CVE-2019-20183 | **CVSS v3.1:** 7.2 (High) | **System:** Employee Records System 1.0
**Vulnerability:** Client-side only file extension validation in `uploadimage.php`. Server performs no MIME type checking, allowing arbitrary PHP webshell uploads.
**Exploitation Steps:**
```
1. Intercept upload request with Burp Suite
2. Modify Content-Type header to bypass client-side JS validation
3. Upload PHP reverse shell with allowed extension
4. Navigate to upload directory to trigger execution
5. Catch reverse shell: nc -lvnp 4444
```
**Remediation:**
- Implement server-side allowlist for file extensions
- Store uploads outside web root with randomised filenames
- Add MIME type validation server-side
- Re-test after patching to confirm fix
**Security+ Mapping:** Domain 2 โ Vulnerabilities & Application Security
---
## 03. SNMP Enumeration (Port 161)
**Objective:** Enumerate SNMP-enabled devices to extract system information, running processes, and network configuration.
**Techniques:**
- SNMP v1/v2c community string brute force
- MIB (Management Information Base) walking
- Network topology discovery via SNMP
**Commands Used:**
```bash
# Discover SNMP hosts
nmap -sU -p 161 --open 192.168.1.0/24
# Brute force community strings
onesixtyone -c community_strings.txt 192.168.1.x
# Walk MIB tree
snmpwalk -v2c -c public 192.168.1.x
```
**Key Findings:**
- Default community string `public` exposed full system MIB
- Running processes, installed software, and routing table extracted
- No authentication or encryption on SNMP v1/v2c
**Remediation:** Upgrade to SNMPv3 with AuthPriv mode; restrict SNMP access to management VLAN
**Security+ Mapping:** Domain 3 โ Network Security & Enumeration
---
## 04. FTP Forensics & Packet Analysis
**Objective:** Capture and analyse FTP traffic to demonstrate credential exposure and propose secure alternatives.
**Techniques:**
- Packet capture on FTP sessions (port 21)
- Credential extraction from cleartext traffic
- Protocol comparison: FTP vs FTPS vs SFTP
**Commands Used:**
```bash
# Capture FTP traffic
tcpdump -i eth0 port 21 -w ftp_capture.pcap
# Filter in Wireshark
ftp.request.command == "USER" || ftp.request.command == "PASS"
```
**Key Findings:**
- Username and password transmitted in plaintext, captured in payload.exe
4. Restart service and catch SYSTEM shell
```
**Key Findings:**
- Achieved SYSTEM-level access from standard user account
- Service restart triggered payload execution without user interaction
- Vulnerability existed due to improper path quoting in service configuration
**Remediation:** Enclose all service binary paths in quotes; apply principle of least privilege to service accounts
**Security+ Mapping:** Domain 2 โ Vulnerability Exploitation & Windows Security
---
## 06. OSINT & Footprinting
**Objective:** Conduct passive reconnaissance against a target organisation to map attack surface without direct interaction.
**Techniques:**
- Email harvesting and employee enumeration
- DNS and subdomain enumeration
- Metadata extraction from public documents
- Shodan IoT/device discovery
**Tools & Commands:**
```bash
# Email and subdomain harvesting
theHarvester -d target.com -b google,linkedin,bing
# Shodan device discovery
shodan search org:"Target Organisation"
# DNS enumeration
nslookup -type=ANY target.com
```
**Key Findings:**
- 14 employee email addresses harvested from public sources
- 3 exposed subdomains identified including a staging environment
- PDF metadata revealed internal usernames and software versions
- Shodan identified 2 internet-facing devices with default credentials
**Remediation:** Strip metadata from public documents; disable unnecessary subdomains; change default credentials; implement email address obfuscation
**Security+ Mapping:** Domain 2 โ Threat Intelligence, OSINT & Reconnaissance
---
## Skills Demonstrated
| Category | Skills |
|----------|--------|
| Offensive Security | CVE exploitation, privilege escalation, web app attacks, social engineering recon |
| Network Analysis | Packet capture, protocol analysis, traffic filtering, credential extraction |
| OSINT | Passive recon, metadata analysis, email harvesting, attack surface mapping |
| Malware Analysis | Static/dynamic analysis, IOC extraction, memory forensics, sandbox analysis |
| Remediation | Security controls, patch management, hardening recommendations |
---
## Environment & Ethics
> All labs conducted in **controlled, isolated academic environments** using purpose-built vulnerable VMs and authorised targets only. No real-world systems were targeted or harmed. All work completed under NCC Education academic guidelines.
---
## Related Repositories
- [Network Security Defence](https://github.com/Cyril556/network-security-defence) โ LAN design, DMZ architecture, DDoS mitigation
- [CCorp SIRTS](https://github.com/Cyril556/ccorp-sirts) โ Security Incident Response & Ticketing System
- [SY0-701 Exam Simulator](https://github.com/Cyril556/sy0-701-simulator) โ CompTIA Security+ practice platform