Share
## https://sploitus.com/exploit?id=CA2DF009-33B3-54AB-AAA8-EAB7E58429A2
# Ethical Hacking & Information Security Lab Reports

![Security](https://img.shields.io/badge/Security-Ethical_Hacking-red?style=flat-square)
![Level](https://img.shields.io/badge/Level-5_Diploma-blue?style=flat-square)
![Tools](https://img.shields.io/badge/Tools-Nmap_|_Burp_Suite_|_Wireshark_|_Metasploit-darkgreen?style=flat-square)
![Status](https://img.shields.io/badge/Status-Completed-brightgreen?style=flat-square)

A collection of hands-on ethical hacking and information security assessment reports completed as part of the **Level 5 Diploma in Computing with Cybersecurity** (NCC Education). Each lab was conducted in an **isolated, authorised academic environment**.

---

## Lab Index

| # | Lab | Key Techniques | Tools Used |
|---|-----|---------------|------------|
| 01 | [Malware Analysis](#01-malware-analysis) | Static & dynamic analysis, IOC extraction | Ghidra, Cuckoo Sandbox, Volatility, FTK Imager |
| 02 | [CVE-2019-20183 Exploitation](#02-cve-2019-20183--unrestricted-file-upload--rce) | File upload bypass, RCE, CVSS scoring | Burp Suite, msfvenom, Netcat |
| 03 | [SNMP Enumeration](#03-snmp-enumeration-port-161) | Service enumeration, MIB walking | Nmap, onesixtyone, snmpwalk |
| 04 | [FTP Forensics & Packet Analysis](#04-ftp-forensics--packet-analysis) | Credential capture, protocol analysis | Wireshark, tcpdump |
| 05 | [Unquoted Service Path Privilege Escalation](#05-unquoted-service-path-privilege-escalation) | Windows privesc, service exploitation | WMIC, msfvenom, accesschk |
| 06 | [OSINT & Footprinting](#06-osint--footprinting) | Passive recon, metadata extraction | theHarvester, Shodan, Maltego, FOCA |

---

## 01. Malware Analysis

**Objective:** Perform static and dynamic analysis on a malware sample to identify its behaviour, persistence mechanisms, and indicators of compromise (IOCs).

**Techniques:**
- Static analysis: strings extraction, PE header inspection, hash identification
- Dynamic analysis: sandbox execution, network traffic monitoring, registry monitoring
- Memory forensics: process injection identification

**Tools:** `Ghidra` `Cuckoo Sandbox` `Volatility` `FTK Imager` `VirusTotal`

**Key Findings:**
- Identified C2 callback behaviour via DNS query to hardcoded IP
- Detected registry persistence key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- Extracted network IOCs: suspicious outbound connections on port 4444

**Security+ Mapping:** Domain 2 โ€” Threat Intelligence & Malware Types

---

## 02. CVE-2019-20183 โ€” Unrestricted File Upload & RCE

**CVE:** CVE-2019-20183 | **CVSS v3.1:** 7.2 (High) | **System:** Employee Records System 1.0

**Vulnerability:** Client-side only file extension validation in `uploadimage.php`. Server performs no MIME type checking, allowing arbitrary PHP webshell uploads.

**Exploitation Steps:**
```
1. Intercept upload request with Burp Suite
2. Modify Content-Type header to bypass client-side JS validation
3. Upload PHP reverse shell with allowed extension
4. Navigate to upload directory to trigger execution
5. Catch reverse shell: nc -lvnp 4444
```

**Remediation:**
- Implement server-side allowlist for file extensions
- Store uploads outside web root with randomised filenames
- Add MIME type validation server-side
- Re-test after patching to confirm fix

**Security+ Mapping:** Domain 2 โ€” Vulnerabilities & Application Security

---

## 03. SNMP Enumeration (Port 161)

**Objective:** Enumerate SNMP-enabled devices to extract system information, running processes, and network configuration.

**Techniques:**
- SNMP v1/v2c community string brute force
- MIB (Management Information Base) walking
- Network topology discovery via SNMP

**Commands Used:**
```bash
# Discover SNMP hosts
nmap -sU -p 161 --open 192.168.1.0/24

# Brute force community strings
onesixtyone -c community_strings.txt 192.168.1.x

# Walk MIB tree
snmpwalk -v2c -c public 192.168.1.x
```

**Key Findings:**
- Default community string `public` exposed full system MIB
- Running processes, installed software, and routing table extracted
- No authentication or encryption on SNMP v1/v2c

**Remediation:** Upgrade to SNMPv3 with AuthPriv mode; restrict SNMP access to management VLAN

**Security+ Mapping:** Domain 3 โ€” Network Security & Enumeration

---

## 04. FTP Forensics & Packet Analysis

**Objective:** Capture and analyse FTP traffic to demonstrate credential exposure and propose secure alternatives.

**Techniques:**
- Packet capture on FTP sessions (port 21)
- Credential extraction from cleartext traffic
- Protocol comparison: FTP vs FTPS vs SFTP

**Commands Used:**
```bash
# Capture FTP traffic
tcpdump -i eth0 port 21 -w ftp_capture.pcap

# Filter in Wireshark
ftp.request.command == "USER" || ftp.request.command == "PASS"
```

**Key Findings:**
- Username and password transmitted in plaintext, captured in  payload.exe

4. Restart service and catch SYSTEM shell
```

**Key Findings:**
- Achieved SYSTEM-level access from standard user account
- Service restart triggered payload execution without user interaction
- Vulnerability existed due to improper path quoting in service configuration

**Remediation:** Enclose all service binary paths in quotes; apply principle of least privilege to service accounts

**Security+ Mapping:** Domain 2 โ€” Vulnerability Exploitation & Windows Security

---

## 06. OSINT & Footprinting

**Objective:** Conduct passive reconnaissance against a target organisation to map attack surface without direct interaction.

**Techniques:**
- Email harvesting and employee enumeration
- DNS and subdomain enumeration
- Metadata extraction from public documents
- Shodan IoT/device discovery

**Tools & Commands:**
```bash
# Email and subdomain harvesting
theHarvester -d target.com -b google,linkedin,bing

# Shodan device discovery
shodan search org:"Target Organisation"

# DNS enumeration
nslookup -type=ANY target.com
```

**Key Findings:**
- 14 employee email addresses harvested from public sources
- 3 exposed subdomains identified including a staging environment
- PDF metadata revealed internal usernames and software versions
- Shodan identified 2 internet-facing devices with default credentials

**Remediation:** Strip metadata from public documents; disable unnecessary subdomains; change default credentials; implement email address obfuscation

**Security+ Mapping:** Domain 2 โ€” Threat Intelligence, OSINT & Reconnaissance

---

## Skills Demonstrated

| Category | Skills |
|----------|--------|
| Offensive Security | CVE exploitation, privilege escalation, web app attacks, social engineering recon |
| Network Analysis | Packet capture, protocol analysis, traffic filtering, credential extraction |
| OSINT | Passive recon, metadata analysis, email harvesting, attack surface mapping |
| Malware Analysis | Static/dynamic analysis, IOC extraction, memory forensics, sandbox analysis |
| Remediation | Security controls, patch management, hardening recommendations |

---

## Environment & Ethics

> All labs conducted in **controlled, isolated academic environments** using purpose-built vulnerable VMs and authorised targets only. No real-world systems were targeted or harmed. All work completed under NCC Education academic guidelines.

---

## Related Repositories

- [Network Security Defence](https://github.com/Cyril556/network-security-defence) โ€” LAN design, DMZ architecture, DDoS mitigation
- [CCorp SIRTS](https://github.com/Cyril556/ccorp-sirts) โ€” Security Incident Response & Ticketing System
- [SY0-701 Exam Simulator](https://github.com/Cyril556/sy0-701-simulator) โ€” CompTIA Security+ practice platform