Vulnerability Assessment and Penetration Test Exercise (Individual)
1.1 Project Overview
CDF Artworks Pte Ltd is a Singapore-based SME that is well known for displaying high-profile artwork in a virtual setting. The business has just won a local productivity award for using cloud technologies to run its virtual gallery platform, ‘The Artisan’s Gallery’.
As part of an annual internal review, the Client called a tender for a Vulnerability Assessment and Penetration Test (VAPT) on a specific set of assets hosted on the Staging environment, before they are pushed to the production cloud. The awarded vendor is to report any findings and provide recommendations.
Your company, 1337 Security Services Pte Ltd, responded to the tender and was awarded the deal. Your managing consultant has assigned your team to perform the assessment for CDF Artworks Pte Ltd.
1.2 General Requirements
a. Students are to form groups of 2 to 3 for this assignment. The main objective for all groups is to identify and exploit security vulnerabilities on 3 target machines (CS-BOX1, CS-BOX2, CS-BOX3).
b. Each target is configured with 2 levels of challenges, and the logical network diagram for each target is shown below:
c. A quick description of the levels is as follows:
• LEVEL1 (Subnet: 10.13.13.0/24) – Network vulnerability assessment & penetration testing
• LEVEL2 (Subnet: 172.199.66.0/24) – Web application vulnerability assessment & penetration testing
d. Each level is also designed with the following exploits that you are to discover during your case study attempt:
• Initial Entry / Initial Exploitation (security misconfiguration / vulnerability to low-privileged user)
• Privilege Escalation Exploit (low-privileged user to high-privileged root user) – note that this is not taught; should you pursue this further, you are to perform your own research on Linux privilege escalation techniques.
e. The table below shows an overview of vulnerabilities (12 vulnerabilities in total) for all three target boxes:
| Level | CS-BOX1 | CS-BOX2 | CS-BOX3 |
| --- | --- | --- | --- |
| LEVEL1 | 1x Initial Entry / Initial Exploitation; 1x Privilege Escalation Exploit | 1x Initial Entry / Initial Exploitation; 1x Privilege Escalation Exploit | 1x Initial Entry / Initial Exploitation; 1x Privilege Escalation Exploit |
| LEVEL2 | 1x Initial Entry / Initial Exploitation; 1x Privilege Escalation Exploit | 1x Initial Entry / Initial Exploitation; 1x Privilege Escalation Exploit | 1x Initial Entry / Initial Exploitation; 1x Privilege Escalation Exploit |
f. Each student in the group is to do a writeup on ONE vulnerability (initial entry OR privilege escalation) on any one of the level challenges (except LEVEL3). Template for the writeup will be provided in POLITEMall.
g. More marks will be awarded for the following:
• Gaining initial access (remote command execution) to a Level 2 challenge.
• Attaining full ‘root’/administrative access of a Level 1 OR a Level 2 challenge.
h. You are NOT to perform vulnerability assessments and penetration tests beyond the scope given, such as scanning other networks and systems. Anyone caught doing so could face immediate failure of this subject or even more severe disciplinary action.
1.3 Submission Requirements
a. All groups are to submit a combined report that contains the following:
• Cover Page
• Declaration of Originality (with complete signatures)
• Executive Summary
• Findings Overview
• Detailed Findings and Recommendations (compiled finding writeups written by all 4-5 members)
b. For the title of each finding, you are only allowed to use ONE title per vulnerability. Here is the list of accepted titles:
• Misconfigured Scheduled Task Permissions
• Weak/Known Password of User Account ‘___________’
• Misconfigured Sudo Privileges
• Default/Weak Administrator Password
• SQL Injection
• Cross-Site Scripting (Stored)
c. For more information regarding the various sections of the report template, view the comments.
d. You are expected to submit the Final Report as a PDF document with all the necessary requirements listed in 1.3(a). To generate the PDF file, follow the instructions below:
• Open your Word document and go to File > Save as Adobe PDF
• Once done, go to Options and ensure that you tick the following boxes:
i. Create Bookmarks
ii. Convert Word Headings to Bookmarks
e. Be warned that plagiarism is a serious offence!
Students are to submit via Brightspace LMS by the deadline specified in the Teaching Plan. Submissions via any other communication channels (e.g. emails, WhatsApp, Microsoft Teams) will not be accepted.
Late submissions:
a. Late and < 1 day: 10% deduction from absolute mark given for the assignment. E.g., 75 marks (100 marks max) → 65 marks (10% of 100 marks).
b. Late ≥ 1 and < 2 days: 20% deduction from absolute mark.
c. Late ≥ 2 days: No marks awarded.
2. Findings Walkthrough Presentation (Group)
2.1 Overview
After performing the vulnerability assessment and penetration test exercise with your team, the Head of IT has instructed your team to conduct a walkthrough of your report with him. As the Head of IT has had bad experiences with previous penetration testing vendors submitting quite a number of false positives to the organisation, he is far more wary and will tend to second-guess every single detail listed in the report.
Your team is confident of the submitted vulnerabilities and will do whatever it takes to prevent the Head of IT from persuading you to remove them for lack of supporting evidence.
2.2 Presentation Requirements
a. Only the submitted PDF report will be used for the walkthrough. No demonstrations or PowerPoint slides are allowed.
b. The template for the case study report dictates the flow of presentation:
1. Cover Page – Team Leader to introduce the team to the client.
2. Executive Summary – Team Leader provides a quick overview of what the testing is about (e.g. how long it took, how many targets).
3. Findings Overview – Team Leader to list the number of vulnerabilities classified under each risk rating.
4. Detailed Findings and Recommendations – Team members are to step out one by one to present their vulnerabilities (no questions will be asked until the end of the presentation; the assessor will take note of questions).
c. Question and Answer segment will only be conducted at the end of the presentation.