https://github.com/machphy/penetration-testing-report-hackmaster
- Host: GitHub
- URL: https://github.com/machphy/penetration-testing-report-hackmaster
- Owner: machphy
- Created: 2025-05-04T11:56:07.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-05-04T12:27:53.000Z (about 1 year ago)
- Last Synced: 2025-07-23T02:48:19.769Z (11 months ago)
- Size: 8.67 MB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# HackMaster Web Application Penetration Testing Report
**Author:** Rajeev Sharma
**Role Applied:** Penetration Tester & Red Team Specialist
**Date:** May 4, 2025
**Target:** [https://hack-master.hackersprey.com](https://hack-master.hackersprey.com)
---
## Overview
This repository contains the results of a comprehensive penetration test conducted on the HackMaster web application. The assessment aimed to identify security vulnerabilities, exploit real-world scenarios, and provide actionable recommendations to enhance the application's security posture.
---
## Objective
- Identify 10 distinct security flags within the target web application.
- Exploit real-world web vulnerabilities to uncover these flags.
- Document findings, methodologies, and provide remediation strategies.
---
## Methodology
The penetration testing approach adhered to industry best practices, incorporating both automated tools and manual techniques:
- **Tools Used:**
  - Burp Suite: Intercept & analyze requests
  - SQLMap: SQL injection testing
  - Gobuster: Directory enumeration
  - cURL: Manual HTTP requests
  - Browser Developer Tools: Frontend inspection
  - Custom Payloads: SSRF, Authentication Bypass, etc.
- **Testing Covered:**
  - Input validation & injection flaws
  - Directory & file discovery
  - Server-side request forgery (SSRF)
  - Authentication and access control
  - Sensitive data exposure
---
## Findings & Flags
1. **Flag #1: Sensitive File in `/donotopen`**
   - **Vulnerability:** Exposed sensitive flag via `robots.txt`
   - **Payload:** `curl https://hack-master.hackersprey.com/donotopen`
   - **Flag:** `hackersprey{d0_n0t_0p3n}`
   - **Severity:** Low
2. **Flag #2: Exposed Credentials in `/adminCreds`**
   - **Payload:** `curl https://hack-master.hackersprey.com/adminCreds`
   - **Output:**
     ```
     Username: krichardson@hackersprey.com
     Password: backstreetboys
     ```
   - **Use Case:** Login for further exploitation (admin panel, SSRF, etc.)
   - **Severity:** High
3. **Flag #3: Hidden Content in `/secret`**
   - **Response:** "look farther down" (possible lead to nested or encoded content)
   - **Next Step:** Analyze page source, JavaScript, or attempt path traversal
   - **Status:** Partial; needs further enumeration
4. **Flag #4: Restricted Access in `/internal2` & `/internal3`**
   - **Status:** HTTP 403 Forbidden
   - **Bypass Attempts:** Use `X-Forwarded-For`, encoded URLs (`%2e`), etc.
   - **Flag Status:** Pending; might be flag-bearing endpoints
5. **Flag #5: SQL Injection Vulnerability**
   - **Tool:** SQLMap
   - **Targeted Parameter:** `/admin?request=fetch&url=...`
   - **Injection Type:** Time-based blind
   - **DBMS:** MySQL
   - **Flag Status:** Likely hidden in backend data (DB dump pending)
*(Continue detailing the remaining flags as discovered.)*
---
## Repository Structure
```
hackmaster-pentest-report/
├── report/
│   ├── HackMaster_Pentest_Report.pdf
│   └── HackMaster_Pentest_Report.md
├── screenshots/
│   ├── flag1_robots_txt.png
│   ├── flag2_admin_creds.png
│   └── ...
├── payloads/
│   ├── sqlmap_payload.txt
│   ├── ssrf_payload.txt
│   └── ...
├── tools/
│   ├── burp_config.json
│   └── ...
├── notes/
│   ├── methodology.md
│   ├── observations.md
│   └── ...
├── references/
│   ├── OWASP_Top10.pdf
│   └── PTES_Guide.pdf
├── LICENSE
└── README.md
```
---
## Tools & Resources
- **Burp Suite:** Intercepting proxy for analyzing web traffic.
- **SQLMap:** Automated tool for SQL injection detection and exploitation.
- **Gobuster:** Directory and file brute-forcing tool.
- **cURL:** Command-line tool for transferring data with URLs.
- **Browser Developer Tools:** Inspecting and debugging web applications.
- **Custom Payloads:** Crafted inputs for testing SSRF, authentication bypasses, etc.
---
## Recommendations
| Issue | Recommendation |
|--------------------------------|--------------------------------------------------------------------------------|
| Exposed `robots.txt` entries | Remove sensitive paths or restrict them via authentication headers. |
| Hardcoded admin credentials | Rotate credentials and store them securely in environment/configuration files. |
| Unprotected `/adminCreds` | Apply access controls; restrict sensitive endpoints. |
| SQL Injection vulnerability | Use parameterized queries; validate all user inputs. |
| Access control on `/internal` | Enforce strict authorization and monitor for 403 bypass attempts. |
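As an added illustration of the last recommendation (not code from the original report), the following Python flags constructed access-log lines that reach the restricted paths named above through the tricks listed under Flag #4 (percent-encoded segments, a spoofed `X-Forwarded-For`) or that were served despite the control; the log format with its `xff=` field and the restricted path list are assumptions.

```python
"""Added example, not part of the original report: detect encoded/traversal or
X-Forwarded-For attempts against restricted paths, and restricted paths served."""
import posixpath
import re
from urllib.parse import unquote

# Assumption: the paths the report lists as sensitive or access-restricted.
RESTRICTED_PREFIXES = ("/donotopen", "/adminCreds", "/internal")

# Assumed log format: <client> "<METHOD> <raw_path>" <status> xff="<X-Forwarded-For or ->"
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) xff="([^"]*)"$')

# Constructed sample lines (not real traffic from the target).
SAMPLE_LOG = """\
203.0.113.5 "GET /index.html" 200 xff="-"
203.0.113.5 "GET /internal2" 403 xff="-"
203.0.113.5 "GET /%2e/internal2" 403 xff="-"
203.0.113.5 "GET /internal3" 403 xff="127.0.0.1"
203.0.113.9 "GET /adminCreds" 200 xff="-"
"""

def normalize_path(raw_path: str) -> str:
    """Strip the query, percent-decode twice (catches double encoding), collapse ./.. segments."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    canonical = posixpath.normpath(decoded)
    return canonical if canonical.startswith("/") else "/" + canonical

def classify(line: str) -> list:
    """Return the alert reasons for one log line; an empty list means nothing suspicious."""
    match = LOG_RE.match(line)
    if not match:
        return ["unparseable"]
    _client, _method, raw_path, status, xff = match.groups()
    canonical = normalize_path(raw_path)
    if not canonical.startswith(RESTRICTED_PREFIXES):
        return []
    reasons = []
    if canonical != raw_path.split("?", 1)[0]:
        reasons.append("encoded-or-traversal-path")  # e.g. /internal2 requested as /%2e/internal2
    if xff != "-":
        reasons.append("x-forwarded-for-present")    # a header the app must never use for authz
    if status == "200":
        reasons.append("restricted-path-served")     # the control failed; investigate regardless
    return reasons

def scan(log_text: str) -> list:
    """Return (line, reasons) for every line that produced at least one alert reason."""
    flagged = ((ln, classify(ln)) for ln in log_text.splitlines())
    return [(ln, reasons) for ln, reasons in flagged if reasons]
```

The plain 403 on `/internal2` is left alone so the output shows only the evasion attempts and the failed control, not every blocked request.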
---
## Appendix: Screenshots
Screenshots demonstrating the exploitation of identified vulnerabilities are available in the `screenshots/` directory:
- `flag1_robots_txt.png`: Exposure of sensitive file via `robots.txt`.
- `flag2_admin_creds.png`: Retrieved admin credentials from `/adminCreds`.
- *(Include additional screenshots as necessary.)*
---
## References
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [Penetration Testing Execution Standard (PTES)](http://www.pentest-standard.org/index.php/Main_Page)
- [Hack The Box: Penetration Testing Reports Guide](https://www.hackthebox.com/blog/penetration-testing-reports-template-and-guide)
---
## Disclaimer
This penetration testing report is intended solely for educational purposes. All testing activities were conducted on systems for which explicit authorization was obtained. No unauthorized testing was performed. All sensitive information has been removed to protect privacy and confidentiality.