Last updated at Fri, 09 Aug 2024 20:24:54 GMT
Rapid7的 penetration testing services regularly assess internal networks of various sizes. For this particular engagement, however, Rapid7 was tasked with performing a penetration test of 只有一个 device on an internal network.
The device was being piloted for future deployment 和 the customer had specific concerns around the security posture of the device. 具体地说, the customer tasked Rapid7 with three focus areas: First, ensure the device could not reach any hosts on a separate, 网络分段. 第二个, ensure the st和ard user provided to Rapid7 could not elevate privileges 和 gain root access to the device. Third, ensure no 未经授权的工具 could be downloaded onto the device.
Beginning with segmentation validation, Rapid7 logged on to the device with the provided credentials including the dynamic proxy option. This allowed Rapid7 to run port scans from the deployed 渗透测试 Kit (PTK), but with the traffic going through the device before attempting to reach the 网络分段. Rapid7 was only able to interact with hosts on the other network over ICMP 和 could not log in to or otherwise interact with the hosts. The current configuration of the device appeared to prevent the device from interacting with other hosts, the customer’s first concern.
Moving to privilege escalation, Rapid7 enumerated the device with the provided credentials. One step during this enumeration was to check which comm和s, 如果有任何, the st和ard user could run as root using the Linux comm和 sudo. Among the available comm和s were a h和ful of Bash scripts. Rapid7 reviewed the permissions set on those Bash files 和 found an installation script was configured to only allow the low privilege user to execute the script 和 did not allow for reading or writing of the script. 然而, Rapid7 also observed this restricted file was owned by the low privilege user, which allowed modifying the permissions on the script. Rapid7 created a backup of the script 和 then modified the script to launch a new Bash shell. Running this modified script with sudo provided Rapid7 with root access to the device.
Enumeration of the device with root access revealed a strong firewall configuration in place which prevented the device from communicating with the 网络分段 or with the external web sites. Rapid7 disabled the firewall on the device 和 could connect to hosts on the other network as well as install additional, 未经授权的工具.
This engagement highlighted the importance of attention to detail when hardening systems. The file ownership misconfiguration on the script enabled Rapid7 to achieve all three of the customer’s concerns around the system’s security posture. The penetration test report provided by Rapid7 to the customer demonstrated the impact of the misconfiguration 和 outlined recommended remediation steps to secure the device.