
Lab Tasks

This week we are going to look at an existing pen-test report, and see if we can apply the thinking around writing reports and assessing risk from this week's material.

Reading a Pen Test Report

We have a security test report from the folks at Project Insecurity on the Open EMR software.

This was from a grey hat style security test of the product, where the team performed a security audit, then informed the developers of the flaws they had found. It's a pretty comprehensive report, but it lacks some of the elements around scoping etc. that we would expect to find in a commissioned report.

Note

There have been several pen-tests for the company, including ones by OWASP / SANS. Unfortunately, they leave a little bit to be desired in terms of detail.

The Project Insecurity report was the most comprehensive I could see.

Tasks

We are going to look at a pen-test report, and try using the information to hack a machine.

There is a pen-test report template at the bottom of the page, feel free to use it to keep your notes / writeup in. I will stick a link up so you can get feedback when you are done.

Task

Read through a copy of the report

Think about:

  • What is missing from the report, given our generic process?
  • Do you think the instructions are clear on how to replicate the issues?
  • What do you like about the report, and what do you dislike about the way it is presented?

We will have a discussion around this either during the lab, or on the Aula.

Task

While the report has risk ratings for the issues discovered, they are a little generic.

Try converting the risk ratings of the vulnerabilities to the OWASP or SANS ratings. There are some pretty nice tools for generating OWASP ratings at:

  • https://javierolmedo.github.io/OWASP-Calculator/
  • https://owasp-risk-rating.com/
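The OWASP Risk Rating Methodology that those calculators implement, as an added Python example (not the lab's or the report's own code): each of the eight likelihood and eight impact factors is scored 0-9, the two averages are bucketed into LOW / MEDIUM / HIGH, and the overall severity is read from the OWASP matrix. The factor scores for the sample finding are constructed for illustration, not taken from the report.

```python
# OWASP Risk Rating calculator, an added example (not the lab page's own code).
# Eight likelihood and eight impact factors are scored 0-9, averaged, bucketed
# into LOW / MEDIUM / HIGH, and combined via the OWASP overall severity matrix.
from statistics import mean
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                  # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability",                                         # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)
# SEVERITY[impact_level][likelihood_level]
SEVERITY = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}

def level(score: float) -> str:
    """Bucket a 0-9 average: below 3 LOW, 3 to below 6 MEDIUM, 6 and up HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def score(factors: dict, names: tuple) -> float:
    """Average the named factors; missing or out-of-range values are an error."""
    vals = [factors[n] for n in names]          # KeyError if a factor is missing
    if any(not 0 <= v <= 9 for v in vals):
        raise ValueError("factor scores must be in 0..9")
    return mean(vals)

def owasp_rating(likelihood: dict, impact: dict) -> dict:
    """Return likelihood/impact averages, their levels and the overall severity."""
    l_score, i_score = score(likelihood, LIKELIHOOD_FACTORS), score(impact, IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    return {"likelihood": round(l_score, 2), "likelihood_level": l_level,
            "impact": round(i_score, 2), "impact_level": i_level,
            "severity": SEVERITY[i_level][l_level]}

# Constructed sample scores for an unauthenticated web flaw in a system holding patient data.
SAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 7, "size": 9,
                     "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
                     "intrusion_detection": 8}
SAMPLE_IMPACT = {"loss_of_confidentiality": 9, "loss_of_integrity": 7,
                 "loss_of_availability": 5, "loss_of_accountability": 7,
                 "financial_damage": 7, "reputation_damage": 9,
                 "non_compliance": 7, "privacy_violation": 9}
if __name__ == "__main__":
    print(owasp_rating(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```

Swap in the factor scores you assign to each finding in the report and compare the resulting severity with the rating the report gives it.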

Hacking the Example

Sometimes playing with an issue can help you to get a better understanding of it. This particular vulnerability was one of the ones in last year's skills test for the equivalent module.

You can get a copy of the supporting VM from OneDrive

Hard task

Using the information in the pen-test report, try to get a shell on the VM. You don't need to do the privilege escalation part, just getting the web user is fine :p

How easy is it to follow the flow from the pen-test report given? What would you do to make it easier to follow?

Hint

The issue also came up in Cached on Hack the Box; I am sure Google[1] will help you in the right direction.

Report Template

https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report


  1. Other search engines are available.