Black Box Internal Penetration Testing
Goal:
The client’s requirement was to determine the security effectiveness of their system and applications by conducting black box penetration testing.
Challenge:
To identify and exploit the vulnerabilities in the system and applications. Because this was black box testing, the application had no data and extremely limited communication with other systems. Interesting! Additionally, the application was hosted on a terminal server with no access to other file systems on the server, including the C drive!
We were provided a basic Windows account with the privileges of an end-user as it was controlled via Windows-based authentication. It was challenging for the team to access the necessary tools for carrying out the testing, considering the high degree of complexity of the environment and no access to the file system.
Outcome:
So, what do you do with an application with no data, and when you have very limited and controlled access to the client environment? How do you go about identifying loopholes in the system and applications? We started by thoroughly testing every entry point and input field. From there, we figured out a specific way to access the file system from inside the application, giving us access to the tools and PowerShell of the system.
We then managed to run the necessary tools required for testing the application. Next, we moved on to the major challenge of dealing with an application with no data and limited communication. We found only one entry point where there was an option to test the web communication with the application server.
When we intercepted the traffic, we found that the application was logging into the application server using server credentials to test the connection, and we managed to intercept those credentials using our tool. This was an initial success for us.
Thanks to this interception, we now had the details of the application web URL and its credentials. We managed to log on to the server using the intercepted credentials and, lo and behold, we were able to access the client's critical financial documentation! And the application source code! Charged with this discovery, we started digging further through all the files.
We found a directory on the server which stored all the usernames and passwords of the users in cleartext. We could now log in to the application imitating any user.
Now, since we had managed to compromise the user accounts, we shifted our focus to gaining unauthorised access to the web admin account. Using a flaw on the web portal, we got access to a page where we could create a web admin user. We created an admin account and logged in as an administrator! We had gained access to all the client's associations and data; we could also create or delete any user.
But we did not want to stop yet, so we concentrated our efforts on gaining access to the command prompt of the underlying server. We built a customised script and uploaded it to the server. We managed to access this script on the website; it gave us the needed access to the command prompt, and further to the entire file system of the application server.
Thus, despite the challenges and limitations presented, we were successful in compromising the entire application and its underlying server.
Conclusion:
Hackers are vigilant and persistent, and they always keep an eye on various websites which they could leverage. It does not matter if you are a small or a big organisation: if hackers manage to compromise your website, application or systems, they will identify some way or other to utilise it to their benefit.
Organisations must be proactive in staying one step ahead of the hackers. Hacking is not just associated with financial losses but also with damage to the reputation of the organisation. It takes months, even years, to build an organisation; however, ignoring the security of your systems and applications can bring the organisation down in a matter of a few hours.
Our aim at SecureTriad is to provide best-in-class, deep-dive penetration testing services. We are committed to ensuring your systems and data are secured against evolving cyber threats and attacks.
Do contact us at info@securetriad.io or visit our website at https://securetriad.io.