Pentest Documentation

Snooze Words: Documentation



    In our quest to automate the dumb stuff, we tend to always leave documentation as a huge pain in the butt. Mostly because some parts of documentation have to be customized and adjusted, and when we try to automate that we sometimes overengineer it. Without that, we get used to loading up MS Word or similar products and setting up the documents we need. Then, along with services like DocuSign to get signatures for things like our pentest MSA and scoping documents, we can also automate the generation of reports. There are several tools out there for this, and I've experimented with making a few myself. For this example, though, I'm going to go through using Obsidian as the grounds for our documentation and jupyter-lab as our pentesting platform.

    To start with, I'm definitely gonna want a way to make a formalized document. Doc? PDF? Well, originally I went the doc route by using the python docx library. It worked, but was still kind of lame to deal with. Sure, it's more automated, but anything abnormal could potentially break it or look wonky. After a while of using it I ended up finding that I still had to review the document every time anyway to make sure everything made sense. So instead, this time around I'm going to use Obsidian.

    I'm also going to need a test target, so let's head on over to HackTheBox and see what the latest is. It looks like Artificial is the first on the block:


Templatized documents:

    Next, let's set up our template so we can run this. My template is already made, but I'll run through it. It's structured like this. Basically, all the data that makes up the template is in different sections, and the notes section is for running notes. I'm going to copy this into a folder for today's "pentest", which will be against this HTB Artificial system.


    On the report itself, I have roughly the logo and the info for the first page, then the confidentiality statement and disclaimers. All this stuff is pretty well stationary, so it's just gonna stay as is except for the name of the company we're working with. The first thing I'd really make changes to is the contact information. There's a table here to add contact information for both sides (the company we're working for, and our side) during the assessment. We want you to contact us if something happens just as much as we want to contact you, so detailing both is essential.


    The next step is the overview, which may change based on the type of assessment, but all in all we're at least gonna be changing the relevant dates. Nothing too big, but I wanna make sure to go through the lame documentation parts. Update scoping next, which we gotta make sure we document well.


    Lastly, before we get started, let's just update our executive summary. Just using a simple and straightforward response for this, nothing too big. For mine, I like to restate the limitations, summary and key observations, so we'll return to that of course.

 


    The entire rest of my template is just strengths, weaknesses, and findings. I didn't use to include the strengths and weaknesses in this, but shout out to TCM Security training for pointing that out, because in nearly every type of report having these seems to go over really well and makes people feel like you're acknowledging what they have done.


    So that's it. That's the template. It's modular so I can focus on one piece at a time, and all screenshots go under the data section as well, so it's easy to import those into both the notes and the final report. All that's left to do is kick off.

Start:

    Well, we need to connect to the network first, so let's go over with tmux and start up openvpn in the background to begin with, and check that we can reach the target.

tmux new-session -s "openvpn" -d "openvpn /share/pentests/htb/lab_ferasdour.ovpn"
ping 10.10.11.74
PING 10.10.11.74 (10.10.11.74) 56(84) bytes of data.
64 bytes from 10.10.11.74: icmp_seq=1 ttl=63 time=64.8 ms
^C
--- 10.10.11.74 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 64.780/64.780/64.780/0.000 ms

    Then I like to do something most people probably don't: a full port scan for purely open ports, on TCP (SYN) and UDP. Sure, there are still some that won't connect like this, but as a first-round scan I like to make it fairly complete. Doing this over in jupyter-lab, which you can connect to from the canvas within Obsidian (making your entire attack and documentation scene based in one tool).
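    Since the scan runs in jupyter-lab and the results end up in the notes vault, the useful glue is turning nmap's output into something pasteable. The following is an added example, not code from the post: it parses nmap's grepable (-oG) format, keeps only ports reported as definitely open, and renders a Markdown table for the data section. The sample scan lines are constructed for the example (only ports 22 and 80 are taken from the post; the UDP line is made up to show the open|filtered case), and the assumed column layout is nmap's documented seven-field port record.

```python
import re
from collections import namedtuple

# Constructed sample of nmap's grepable (-oG) output for a SYN scan and a UDP
# scan of the lab host. These lines are made up for this example; they are not
# the scan results from the engagement described in the post.
SAMPLE_TCP_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p- -oG tcp.gnmap 10.10.11.74\n"
    "Host: 10.10.11.74 ()\tStatus: Up\n"
    "Host: 10.10.11.74 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (65533)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)
SAMPLE_UDP_GNMAP = (
    "Host: 10.10.11.74 ()\tStatus: Up\n"
    "Host: 10.10.11.74 ()\tPorts: 68/open|filtered/udp//dhcpc///"
    "\tIgnored State: closed (65534)\n"
)

PortEntry = namedtuple("PortEntry", "host port proto state service version")

# One port record is port/state/protocol/owner/service/rpc-info/version,
# terminated by a slash; nmap never leaves a raw '/' inside a field.
_PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Parse -oG output into PortEntry records (all states, not just open)."""
    entries = []
    for line in text.splitlines():
        # Comment lines and the 'Status: Up' line carry no port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:")[0]
        for m in _PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries.append(PortEntry(host, int(port), proto, state,
                                     service.strip(), version.strip()))
    return entries


def open_ports(entries):
    """Keep only ports nmap reports as definitely open.

    UDP probes that get no answer come back as 'open|filtered' and are dropped
    here; that is exactly the gap a 'purely open ports' first pass leaves, so
    those ports need a targeted follow-up rather than being forgotten.
    """
    return [e for e in entries if e.state == "open"]


def to_markdown_table(entries):
    """Render entries as a Markdown table ready to paste into the notes vault."""
    rows = ["| Host | Port | Proto | State | Service | Version |",
            "|---|---|---|---|---|---|"]
    for e in sorted(entries, key=lambda e: (e.host, e.proto, e.port)):
        rows.append(f"| {e.host} | {e.port} | {e.proto} | {e.state} | "
                    f"{e.service} | {e.version} |")
    return "\n".join(rows)


if __name__ == "__main__":
    found = open_ports(parse_gnmap(SAMPLE_TCP_GNMAP) + parse_gnmap(SAMPLE_UDP_GNMAP))
    print(to_markdown_table(found))
```

    In a notebook you would read the real .gnmap file instead of the constructed strings; the table drops straight into the data section of the template, and the open|filtered UDP entries that open_ports discards are worth listing separately so they get revisited.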



    Almost immediately ports 22 and 80 show up for the SYN scan, so let's go digging on port 80. Gonna use whatweb, which tells me it redirects by default to artificial.htb, which is no surprise. So I quickly add that to /etc/hosts and try to connect with curl. This tells me the content-length so I can ignore that length when fuzzing for subdomain websites on the same server. Then go ahead and start that fuzzing, run dirb to do basic directory fuzzing, and also head over to the site and check it out. This may seem like I'm doing too much at once, and that's true. The traffic amount isn't enough to cause disruptions, but in other environments I'd probably delay fuzzing for subdomains until after fuzzing for directories, or vice versa. In some cases, having a nameserver to query is more useful than subdomains responding on the same host, but I guess that's irrelevant here. After a bit, nothing was found with ffuf so I killed it, and dirb found a very basic structure. Checking out the website suggests it's an AI platform of some kind.





    The system has a login form and a registration form. Trying the login, it appears to need the user's email and password. Couldn't log in with those left empty or with admin:admin, so I went ahead and set up a user and logged in. It's worth noting you do need the email to log in with, not the username, but I didn't test whether you could just get away with user@nothing or test@r or something. Seems pattern-matching based, so worth noting, but gonna move forward because CTF.


    Now that we're in the dashboard, we see this interesting little nonsense mentioning requirements.txt and a Dockerfile. I should also mention people are resetting this system every 5 minutes and I don't really understand why. Found tensorflow at a specific version in the requirements. So, with a little googling I found this tensorflow RCE, or this seemingly related RCE (they both leverage Keras and the .h5 file specs), and this little guidance on how to create a malicious .h5 file (see the requirements for the uploaded file) along with tensorflow's model info. There's also this discussion here that seems to suggest another issue with Keras too.
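    The flip side of those Keras/.h5 issues is what a platform accepting model uploads should do before it ever calls load_model(). The following is an added example, not code from the post or from the Artificial box: it reads the JSON that Keras stores in the root model_config attribute of an HDF5 model and rejects the file if any layer is a Lambda (the layer type that carries serialized Python code) or is not on an explicit allowlist. The allowlist, the sample configs, and the helper that reads the attribute via h5py are assumptions made for this example; the placeholder "function" value in the suspicious sample is a made-up string, not real bytecode.

```python
import json

# Layer classes an upload endpoint is willing to accept. Assumption for this
# example: a deliberately small allowlist; extend it to what the app needs.
ALLOWED_LAYERS = {
    "InputLayer", "Dense", "Dropout", "Flatten", "Activation",
    "Conv2D", "MaxPooling2D", "BatchNormalization", "Reshape",
}
# Container classes whose config nests further layers (nested models).
CONTAINER_LAYERS = {"Sequential", "Functional", "Model"}


def _walk_layers(node, path):
    """Yield (path, layer_dict) for every layer, descending into nested models."""
    yield path, node
    cls = node.get("class_name", "")
    cfg = node.get("config") or {}
    if cls in CONTAINER_LAYERS:
        for i, layer in enumerate(cfg.get("layers", [])):
            yield from _walk_layers(layer, f"{path}/{cls}[{i}]")


def audit_model_config(model_config_json):
    """Return a list of findings for a Keras model_config JSON string.

    An empty list means every layer is on the allowlist and no layer carries
    serialized code. Anything else means the upload should be refused before
    the file reaches load_model().
    """
    try:
        root = json.loads(model_config_json)
    except (json.JSONDecodeError, TypeError) as exc:
        return [f"model_config is not valid JSON: {exc}"]

    findings = []
    for path, layer in _walk_layers(root, "model"):
        cls = layer.get("class_name", "<missing>")
        cfg = layer.get("config") or {}
        if cls == "Lambda":
            findings.append(f"{path}: Lambda layer ({cfg.get('name')}) "
                            "carries serialized Python code")
            continue
        if cls not in ALLOWED_LAYERS | CONTAINER_LAYERS:
            findings.append(f"{path}: layer class {cls!r} is not on the allowlist")
        # Belt and braces: these keys are how a layer asks the loader to
        # resolve or execute code, so they have no place in an allowed layer.
        for key in ("function", "function_type", "module"):
            if key in cfg:
                findings.append(f"{path}: config key {key!r} present in {cls}")
    return findings


def model_config_from_h5(path):
    """Read the model_config attribute from an HDF5 model without loading it.

    Assumption: h5py is available in the upload handler's environment.
    """
    import h5py
    with h5py.File(path, "r") as f:
        raw = f.attrs["model_config"]
    return raw.decode() if isinstance(raw, bytes) else raw


# Constructed sample configs (not taken from any real model file).
BENIGN_MODEL_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "sequential", "layers": [
        {"class_name": "InputLayer", "config": {"name": "input_1", "batch_input_shape": [None, 4]}},
        {"class_name": "Dense", "config": {"name": "dense", "units": 8, "activation": "relu"}},
        {"class_name": "Dense", "config": {"name": "dense_1", "units": 1, "activation": "sigmoid"}},
    ]},
})

SUSPICIOUS_MODEL_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "sequential", "layers": [
        {"class_name": "InputLayer", "config": {"name": "input_1", "batch_input_shape": [None, 4]}},
        {"class_name": "Lambda", "config": {
            "name": "lambda",
            # Keras keeps the lambda body here as base64 of marshalled bytecode;
            # this placeholder is a constructed string, not real bytecode.
            "function": ["PLACEHOLDER_BASE64_BYTECODE", None, None],
            "function_type": "lambda",
            "module": "__main__",
        }},
        {"class_name": "Dense", "config": {"name": "dense", "units": 1}},
    ]},
})

if __name__ == "__main__":
    print("benign:", audit_model_config(BENIGN_MODEL_CONFIG))
    print("suspicious:", audit_model_config(SUSPICIOUS_MODEL_CONFIG))
```

    The check is an allowlist rather than a blocklist on purpose: a new layer type that can run code shows up as "not on the allowlist" instead of slipping through, and the whole audit runs on the metadata attribute alone, so the untrusted weights are never deserialized to make the decision.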


    Then it was just a matter of making sure I had the right environment set up.

┌──(root㉿kp2323)-[/home/jeff/Downloads]
└─# docker build . --tag "vulnerabletensor"
[+] Building 262.3s (9/9) FINISHED                                                                                                              docker:default
 => [internal] load build definition from Dockerfile                                                                                                      0.3s
 => => transferring dockerfile: 496B                                                                                                                      0.0s
 => [internal] load metadata for docker.io/library/python:3.8-slim                                                                                        1.8s
 => [auth] library/python:pull token for registry-1.docker.io                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                         0.2s
 => => transferring context: 2B                                                                                                                           0.0s
 => [1/4] FROM docker.io/library/python:3.8-slim@sha256:1d52838af602b4b5a831beb13a0e4d073280665ea7be7f69ce2382f29c5a613f                                 26.9s
 => => resolve docker.io/library/python:3.8-slim@sha256:1d52838af602b4b5a831beb13a0e4d073280665ea7be7f69ce2382f29c5a613f                                  0.2s
 => => sha256:1d52838af602b4b5a831beb13a0e4d073280665ea7be7f69ce2382f29c5a613f 10.41kB / 10.41kB                                                          0.0s
 => => sha256:314bc2fb0714b7807bf5699c98f0c73817e579799f2d91567ab7e9510f5601a5 1.75kB / 1.75kB                                                            0.0s
 => => sha256:b5f62925bd0f63f48cc8acd5e87d0c3a07e2f229cd2fb0a9586e68ed17f45ee3 5.25kB / 5.25kB                                                            0.0s
 => => sha256:302e3ee498053a7b5332ac79e8efebec16e900289fc1ecd1c754ce8fa047fcab 29.13MB / 29.13MB                                                          3.0s
 => => sha256:030d7bdc20a63e3d22192b292d006a69fa3333949f536d62865d1bd0506685cc 3.51MB / 3.51MB                                                            1.4s
 => => sha256:a3f1dfe736c5f959143f23d75ab522a60be2da902efac236f4fb2a153cc14a5d 14.53MB / 14.53MB                                                          2.7s
 => => sha256:3971691a363796c39467aae4cdce6ef773273fe6bfc67154d01e1b589befb912 248B / 248B                                                                1.7s
 => => extracting sha256:302e3ee498053a7b5332ac79e8efebec16e900289fc1ecd1c754ce8fa047fcab                                                                12.2s
 => => extracting sha256:030d7bdc20a63e3d22192b292d006a69fa3333949f536d62865d1bd0506685cc                                                                 0.7s
 => => extracting sha256:a3f1dfe736c5f959143f23d75ab522a60be2da902efac236f4fb2a153cc14a5d                                                                 7.7s
 => => extracting sha256:3971691a363796c39467aae4cdce6ef773273fe6bfc67154d01e1b589befb912                                                                 0.1s
 => [2/4] WORKDIR /code                                                                                                                                   2.3s
 => [3/4] RUN apt-get update &&     apt-get install -y curl &&     curl -k -LO https://files.pythonhosted.org/packages/65/ad/4e090ca3b4de53404df9d1247c  39.9s
 => [4/4] RUN pip install ./tensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl                                              143.1s
 => exporting to image                                                                                                                                   46.5s
 => => exporting layers                                                                                                                                  46.2s
 => => writing image sha256:284c36efe48129b3d9b5575c7a3a937293e1e620d7aaa96c9c6c7416167cd316                                                              0.0s
 => => naming to docker.io/library/vulnerabletensor                                                                                                       0.1s
                                                                                                                                                                                                                                                               
┌──(root㉿kp2323)-[/home/jeff/Downloads]
└─# docker run --rm -it -v ./:/code vulnerabletensor        
root@637f9b64699d:/code#

Back to documentation:

    I respect the nature of HTB and challenges like those (see also Hack This Site, HellBound Hackers, and whatever other platforms are available these days), so I won't give a complete walkthrough of that. I did run into a number of issues running tensorflow, including with their example source, and moved to an older kernel to do so. So while I try to finish that up, let's just discuss the documentation. For the purposes of writing this blog, I used a simple example for the findings section. This form can be copy-pasted as many times as needed to have multiple findings, so it's super easy to work around.


    Then, once I have all the findings I'm wanting, I go back to the executive summary and finish filling that out.

    I know this is just a quick mock-up of what could be, but having everything accessible in one tool, and the ability to focus on the test and the documentation separately, helps me a lot. Of course, for other templates like my threat detection and malware report templates, it's easier to just templatize one page and one notes page. Went ahead and uploaded this /not gonna solve the htb challenge/ report over here (https://github.com/ferasdour/automation_tools/blob/main/Artificial%20Pentest%20Report.pdf) just to show that the regular exporting in Obsidian works well enough, with some weirdness here and there, to get a report dumped out quickly but efficiently, with all the oversight it needs in a quick read-through.
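    To tie the template walkthrough and the findings/executive-summary steps together, here is an added example (not the post's own template or tooling) of what the "automate the dumb parts" version looks like in Python: one engagement record feeds the contact table, overview, scope, strengths, weaknesses, and a findings block that is repeated per finding, and the executive summary's key observations are derived from the findings so they cannot drift out of sync. The client, contacts, dates and findings are constructed placeholders, the section names mirror the template described above, and the Obsidian ![[...]] embeds for screenshots are an assumed convention.

```python
# Constructed engagement record for this example (names, dates and findings
# are placeholders, not the contents of the post's real report).
ENGAGEMENT = {
    "client": "Example Client Ltd",
    "assessor": "Example Assessor LLC",
    "start": "2025-07-01",
    "end": "2025-07-03",
    "scope": ["10.10.11.74 (artificial.htb)"],
    "limitations": "Time-boxed test of a single externally reachable host; "
                   "no credentials or source code were provided.",
    "contacts": [
        {"side": "Client", "name": "A. Client", "role": "IT Manager",
         "email": "it@client.example"},
        {"side": "Assessor", "name": "J. Tester", "role": "Lead tester",
         "email": "tester@assessor.example"},
    ],
    "strengths": ["Only two services (SSH, HTTP) are exposed on the host."],
    "weaknesses": ["The application accepts user-supplied ML model files."],
    "findings": [
        {"title": "Sample finding: user-supplied model files are loaded by the application",
         "severity": "High",
         "description": "Placeholder description of the issue.",
         "evidence": "![[data/finding-1.png]]",
         "recommendation": "Placeholder recommendation."},
        {"title": "Sample finding: component versions disclosed in the dashboard",
         "severity": "Low",
         "description": "Placeholder description of the issue.",
         "evidence": "![[data/finding-2.png]]",
         "recommendation": "Placeholder recommendation."},
    ],
}

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def bullets(items):
    """Render a plain Markdown bullet list."""
    return "\n".join(f"- {item}" for item in items)


def render_contacts(contacts):
    """Two-sided contact table: who to reach on each side during the test."""
    rows = ["| Side | Name | Role | Email |", "|---|---|---|---|"]
    rows += [f"| {c['side']} | {c['name']} | {c['role']} | {c['email']} |" for c in contacts]
    return "\n".join(rows)


def render_finding(index, f):
    """One finding block; render_report repeats it once per finding."""
    return "\n".join([
        f"## Finding {index}: {f['title']}",
        f"**Severity:** {f['severity']}",
        "",
        "### Description", f["description"], "",
        "### Evidence", f["evidence"], "",
        "### Recommendation", f["recommendation"], "",
    ])


def key_observations(findings):
    """Executive-summary bullets, most severe first, derived from the findings."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
    return [f"- {f['severity']}: {f['title']}" for f in ordered]


def render_report(e):
    """Assemble the whole Markdown report in the template's section order."""
    findings = e["findings"]
    sections = [
        f"# Penetration Test Report: {e['client']}",
        f"Prepared by {e['assessor']}, {e['start']} to {e['end']}", "",
        "# Confidentiality Statement",
        f"This document is confidential and intended solely for {e['client']}.", "",
        "# Contacts", render_contacts(e["contacts"]), "",
        "# Overview",
        f"The assessment was performed between {e['start']} and {e['end']}.", "",
        "# Scope", bullets(e["scope"]), "",
        "# Executive Summary",
        f"**Limitations:** {e['limitations']}", "",
        f"**Summary:** {len(findings)} finding(s) were identified.", "",
        "**Key observations:**", "\n".join(key_observations(findings)), "",
        "# Strengths", bullets(e["strengths"]), "",
        "# Weaknesses", bullets(e["weaknesses"]), "",
        "# Findings",
    ]
    sections += [render_finding(i, f) for i, f in enumerate(findings, 1)]
    return "\n".join(sections)


if __name__ == "__main__":
    print(render_report(ENGAGEMENT))
```

    The output is ordinary Markdown, so it can be dropped into the vault next to the running notes and exported the same way as the hand-filled template; the stationary parts (confidentiality statement, disclaimers) only ever need the client name substituted, which is exactly what the record-driven approach makes cheap.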

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
