Project:
Penetration Testing on Webserver
Aman Srivastava
Summer Training Program Batch, EICT, IITK
Website: http://certifiedhacker.com
<Footprinting and Reconnaissance>
1. About:
Site: http://www.certifiedhacker.com
Domain: certifiedhacker.com
Netblock Owner: Unified Layer
Nameserver: ns1.bluehost.com
Hosting Company: Endurance International Group
Organisation: 5335 Gate Parkway care of Network Solutions, Jacksonville, 32256, US
Top Level Domain: Commercial entities (.com)
DNS Admin: dnsadmin@box5331.bluehost.com
2. IP address of Website: 162.241.216.11
3. Location of server:
4. Operating System of Server: Red Hat Enterprise Linux 6
5. Web Server Technology and version: Apache
6. Built-in Technology:
jQuery
clueTIP
Jquery bgiframe
Fancybox
Cufon
SPF
jQuery Easing
jQuery UI
BlueHost
Hover Intent
7. Website First Seen: December 2002
8. Previous Technology used by website:
9. ISP IP Server Range:
10. Other Domains on Same Server:
11. Ports open on webserver: 21, 22, 26, 53, 80, 110, 143, 443, 465, 587, 993, 995, 2222, 3306, 5432
12. Registrar info:
13. Email ID of some employees of company: NOT FOUND
14. Social Networking Profiles of employees: NOT FOUND
15. LinkedIn Search for profiles with company name: NOT FOUND
16. Location of Company: NOT FOUND
17. Director/CEO of Company: NOT FOUND
18. Firewall:
Load Balancer:
DNS-Loadbalancing: NOT FOUND
HTTP-Loadbalancing: NOT FOUND
19. Directory Listing:
While dorking, a confidential file was found, which is a compressed backup of the whole webserver:
=>http://certifiedhacker.com/certifiedhacker.zip
20. Files such as robots.txt and sites.xml: NOT FOUND
<Vulnerabilities>
1. XSS Vector in Document Body
Vulnerability Description:
The entire tainted data flow from source to sink takes place in the browser. Insecure reference and use (in
client-side code) of DOM objects that are not fully controlled by the server-provided page.
Affected Item:
http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx--%3E%22%3E'%3E'%22%3Csfi000317v352289%3E
Memo: injected '<sfi...>' tag seen in HTML
POC:
=== REQUEST ===
GET /P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289> HTTP/1.1
Host: certifiedhacker.com
Accept-Encoding: gzip
Connection: keep-alive
User-Agent: Mozilla/5.0 SF/2.10b
Range: bytes=0-399999
Referer: http://certifiedhacker.com/
=== RESPONSE ===
HTTP/1.1 200 Partial Content
Date: Sun, 30 Aug 2020 06:23:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Content-Range: bytes 0-274/275
Content-Length: 275
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!-- PHP Wrapper - 500 Server Error -->
<html><head><title>500 Server Error</title></head>
<body bgcolor=white>
<h1>500 Server Error</h1>
A misconfiguration on the server caused a hiccup.
Check the server logs, fix the problem, then try again.
<hr>
URL: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289><br>
</body></html>
=== END OF DATA ===
Possible remediations or prevention methods:
Avoid client-side document rewriting, redirection, or other sensitive actions that use client-side data.
Analyse and harden the client-side (JavaScript) code.
Reference: https://www.a2hosting.in/kb/developer-corner/php/500-internal-server-error-while-running-php
https://owasp.org/www-community/attacks/xss/
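The response captured in the POC copies the requested URL straight into the HTML body, which is why the scanner's harmless marker tag comes back as a live element. The following is an added Python example, not code from this report or from the site, contrasting that verbatim reflection with an HTML-entity-encoded rendering of the same error page. The sample path is constructed from the probe shown in the POC; the page markup is a hypothetical stand-in for the server's template.

```python
import html

# Constructed sample path, modelled on the scanner probe in the POC above. The
# <sfi...> marker is the scanner's own canary; it is used here only to test
# whether it survives into the page as a real tag.
SAMPLE_PATH = "/P-folio/images/500.php/.htaccess.aspx-->\">'>'\"<sfi000317v352289>"
MARKER = "sfi000317v352289"


def render_error_page_unsafe(requested_url: str) -> str:
    """Error page that reflects the URL verbatim (the pattern seen in the response)."""
    return (
        "<h1>500 Server Error</h1>\n"
        f"URL: {requested_url}<br>"
    )


def render_error_page_safe(requested_url: str) -> str:
    """Same page, with the URL HTML-entity encoded before insertion.

    html.escape(..., quote=True) turns < > & " ' into entities, so the URL is
    shown as text and can never close or open markup in the surrounding page.
    """
    return (
        "<h1>500 Server Error</h1>\n"
        f"URL: {html.escape(requested_url, quote=True)}<br>"
    )


def has_live_marker_tag(page: str, marker: str = MARKER) -> bool:
    """True if the canary appears as an actual tag, i.e. the input was not encoded."""
    return f"<{marker}>" in page


def demo():
    """Render both variants for the constructed URL and report whether the tag survives."""
    url = "http://certifiedhacker.com" + SAMPLE_PATH
    return {
        "unsafe_reflects_tag": has_live_marker_tag(render_error_page_unsafe(url)),
        "safe_reflects_tag": has_live_marker_tag(render_error_page_safe(url)),
    }
```

The same encoding rule applies to every server-controlled page that echoes request data, including error pages, which are easy to forget because they are rarely part of the application's own templates.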
2. External content embedded on a page
Vulnerability Description:
Embedding external content on a page means something isn't right with the site, yet somehow we keep building
sites that do it. This can lead to issues such as identity theft. The content is usually delivered through email and
directs users to an HTTP site instead of HTTPS.
Affected Items:
→Higher Risk:-
http://certifiedhacker.com/Online%20Booking/
Memo:
http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3,other_params:'sensor=false'}]}
→Lower Risk:-
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js
Memo: http://www.youtube.com/v/'+grab_param('v',images[setPosition])+'
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js
Memo: http://www.apple.com/qtactivex/qtplugin.cab
Possible Countermeasures:
i. Ensure that external content is embedded using HTTPS.
ii. Acknowledge that all the HTTP segments of the communication remain vulnerable, so you have to protect
against the SSL anti-patterns.
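The Higher/Lower Risk split above reflects whether a tampered plain-HTTP response would execute as code in the page (script loaders, frames) or only alter passive content (images, stylesheets). The following is an added Python example, not code from this report or from the site, that scans a page for sub-resources fetched over http:// from another host and applies that rating. The sample page is constructed, modelled on the Google jsapi and YouTube URLs in the memos; the hostnames under .test are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the site): an http:// script loader
# modelled on the jsapi memo above, an https stylesheet, an http image, an http
# iframe and a plain navigation link that is not embedded content.
SAMPLE_HTML = """
<html><head>
<script src="http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3}]}"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body>
<img src="http://static.example.test/banner.png" alt="banner">
<iframe src="http://www.youtube.com/v/VIDEO_ID_PLACEHOLDER"></iframe>
<a href="http://www.example.test/page">navigation link, not embedded content</a>
</body></html>
"""

# Elements whose attribute makes the browser fetch a sub-resource into the page.
FETCH_ATTRS = {
    "script": "src", "iframe": "src", "object": "data", "embed": "src",
    "img": "src", "link": "href", "audio": "src", "video": "src",
}
# Active content: a tampered http:// response here runs as code in the page's
# origin, so it is rated higher than an image or stylesheet.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ExternalHttpFinder(HTMLParser):
    """Collects sub-resources loaded over plain HTTP from a host other than the page's."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (risk, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        parsed = urlparse(url)
        if parsed.scheme.lower() != "http" or not parsed.hostname:
            return  # https, data: and relative URLs inherit the page's transport
        if parsed.hostname.lower() == self.page_host:
            return  # same host: the fix is serving the page itself over HTTPS
        risk = "higher" if tag in ACTIVE_TAGS else "lower"
        self.findings.append((risk, tag, url))


def find_external_http(page_html: str, page_host: str):
    """Return (risk, tag, url) triples for every external plain-HTTP sub-resource."""
    finder = ExternalHttpFinder(page_host)
    finder.feed(page_html)
    finder.close()
    return finder.findings


def summarize(findings):
    """Counts per risk level, as a report table would show them."""
    counts = {"higher": 0, "lower": 0}
    for risk, _tag, _url in findings:
        counts[risk] += 1
    return counts
```

Running find_external_http(SAMPLE_HTML, "certifiedhacker.com") flags the script and iframe as higher risk and the image as lower; the https stylesheet and the anchor are ignored. URLs built at runtime inside JavaScript, like the prettyPhoto cases above, are not visible to an HTML parser and still need a manual read of the script.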
3. HTML Form Without CSRF Protection Vulnerability:
Vulnerability Description:
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of
malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I found an
HTML form with no apparent CSRF protection implemented.
Affected Items:
1. http://certifiedhacker.com/
2. http://certifiedhacker.com/corporate-learning-website/01-homepage.html
3. http://certifiedhacker.com/corporate-learning-website/contact_us.html
4. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_california.html
5. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_North%20Carolina.html
6. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_usa.html
7. http://certifiedhacker.com/Online%20Booking/?lang=1&currency=1
8. http://certifiedhacker.com/Social%20Media/
9. http://certifiedhacker.com/Social%20Media/about-us.html
10. http://certifiedhacker.com/Social%20Media/sample-blog.html
11. http://certifiedhacker.com/Social%20Media/sample-portfolio.html
12. http://certifiedhacker.com/Turbo%20Max/
The impact of this vulnerability:
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful
CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the
administrator account, this can compromise the entire web application.
POC:
Form name: <empty>
Form action: http://certifiedhacker.com/corporate-learning-website/contact_us.html
Form method: POST
How to fix this vulnerability:
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
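The standard countermeasure for a form like the contact_us.html POST above is a synchronizer token: a per-session secret placed in a hidden field and checked on the server, which a third-party page cannot read and therefore cannot supply. The following is an added Python example, not code from this report or from the site; the form markup, field names and session identifiers are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key. A real deployment loads this from a secret store
# and never embeds it in source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session.

    A third-party page can make the victim's browser POST to the form action,
    but it cannot read this value out of the victim's page, so it cannot
    present a token that verifies for the victim's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session's nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_contact_form(session_id: str) -> str:
    """Hypothetical contact form (not the site's markup) carrying the hidden token."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/corporate-learning-website/contact_us.html">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <textarea name="message"></textarea>\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


def handle_contact_post(session_id: str, form: dict):
    """Server-side handler performing the check the flagged forms lack.

    Returns an (HTTP status, message) pair; the session_id comes from the
    authenticated session cookie, never from the form body.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, "message accepted"
```

Binding the MAC to the session identifier means a token captured for one session is useless against another, and a cross-site POST with no field at all is rejected outright. Setting the session cookie with the SameSite attribute and checking the Origin header are complementary layers, not replacements for the token.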
4. Fingerprinted CMS Components’ Vulnerabilities:
i.
Reference:
CWE-79: Cross-site scripting
CWE-400: Prototype pollution
ii.
5. Missing Required HTTP Headers and their description:
i. Strict-Transport-Security: The HTTP Strict-Transport-Security (HSTS) header forces the browser to
access the website via HTTPS.
ii. X-Frame-Options: The X-Frame-Options header specifies whether the website should allow itself
to be framed, and from which origin. Blocking framing helps defend against attacks such as clickjacking.
iii. X-XSS-Protection: X-XSS-Protection defines how browsers should enforce XSS protection.
iv. X-Content-Type-Options: X-Content-Type-Options directs browsers to disable the ability
to sniff the page's content type and to use only the content type defined in the directive itself. This
provides protection against XSS or drive-by-download attacks.
v. Expect-CT: The Expect-CT header allows a website to determine if it is ready for the upcoming
Chrome requirements and/or enforce its policy.
vi. Feature-Policy: The Feature-Policy header allows enabling, disabling, or modifying the behaviour of web
browser APIs (e.g. access to camera, geolocation, etc.).
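The six headers above can be checked mechanically against a raw response. The following is an added Python example, not code from this report or from the site, that parses a response header block, lists which of the six are absent and flags values that are present but ineffective (an HSTS header without max-age, a non-standard X-Content-Type-Options value). The first sample is constructed from the headers of the 500-page response captured earlier in this report; the second is a constructed, partly hardened response.

```python
# Constructed sample, modelled on the 500-page response captured earlier in this
# report: none of the six headers listed above is present.
RAW_RESPONSE_MISSING_ALL = """HTTP/1.1 200 Partial Content
Date: Sun, 30 Aug 2020 06:23:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 275
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample of a partly hardened response: HSTS is present but has no
# max-age, so browsers ignore it; X-Content-Type-Options carries an undefined value.
RAW_RESPONSE_PARTIAL = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: sniff
Content-Type: text/html; charset=UTF-8
"""

# The six headers the report lists, in its order, with a one-line rationale.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "forces the browser to use HTTPS on later visits",
    "X-Frame-Options": "controls framing; defends against clickjacking",
    "X-XSS-Protection": "legacy browser XSS filter setting",
    "X-Content-Type-Options": "nosniff stops MIME-type sniffing",
    "Expect-CT": "Certificate Transparency reporting/enforcement",
    "Feature-Policy": "restricts browser APIs such as camera and geolocation",
}


def parse_response_headers(raw: str) -> dict:
    """Map lower-cased header names to values, skipping the status line.

    Header names are case-insensitive, so lower-casing the key lets the audit
    match the header however the server capitalises it.
    """
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(raw: str):
    """Return (missing, weak): names absent, and present-but-ineffective values."""
    present = parse_response_headers(raw)
    missing = [name for name in REQUIRED_HEADERS if name.lower() not in present]
    weak = []
    hsts = present.get("strict-transport-security")
    if hsts is not None and "max-age=" not in hsts.lower():
        weak.append("Strict-Transport-Security: no max-age directive, browsers ignore it")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak.append("X-Content-Type-Options: only the value 'nosniff' is defined")
    xfo = present.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("X-Frame-Options: use DENY or SAMEORIGIN")
    return missing, weak
```

For the first sample all six names come back as missing; for the second, three are missing and two present values are flagged as weak. When acting on the list, note that Feature-Policy has since been renamed Permissions-Policy and that Expect-CT and X-XSS-Protection are deprecated in current browsers, where a Content-Security-Policy header does the XSS-related work.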
<Pentesting Services Running on Server>
i. Service=ftp Version=Pure-FTPd
Known vulnerabilities: External Authentication Bash Environment Variable Code Injection
I tried to exploit this vulnerability but an error occurred:
Reference: https://www.exploit-db.com/exploits/34862
Then I tried:
Enumerating users and passwords using hydra:
Conclusion: There may be some kind of firewall rules which are rate limiting the
brute-forcing; that’s why hydra aborts after one or two attempts.
ii. Service=ssh Version=OpenSSH 5.3
Known vulnerabilities: Not Found
Enumerating users using msf module:
Brute Forcing password for user “hacker”:
Then, checked for false positives:
Conclusion: There may be some honeypot which is reporting every input for the user as valid, and the
firewall is rate limiting the attempts; that’s why hydra aborts after one or two attempts.
iii. Service=smtp Version=Exim smtpd 4.93
Known vulnerabilities: Not Found
Reference:
https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html
iv. Service=smtp Version=Exim smtpd 4.93
Known vulnerabilities: Found
Reference:
https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-127585/ISC-Bind-9.8.2.html
https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aisc%3abind%3a9.8.2%3arc1
v. Service=imap/pop3 Version=imap3d/pop3d
Known vulnerabilities: Found
Reference:
https://www.cvedetails.com/cve/CVE-2019-7524/
https://www.cvedetails.com/cve/CVE-2019-11500/
<Database>
Database found:
i. MySQL
ii. PostgreSQL DB
Checked for SQLi on every single webpage but didn’t find any webpage that is vulnerable to SQLi.
Ran sqlmap, but it aborted due to the WAF.
Then ran again with the following parameters:
Result:
Result: As no SQLi parameter was found, its database can’t be dumped.
FINAL CONCLUSION:
Initial reconnaissance of certifiedhacker.com resulted in the discovery of directory listing and a firewall on the website, and
no load balancer was found. Some other domains were also found on the same server the website is running on, which
provides a larger area to pentest (I didn’t test those…). While dorking, the whole website’s zip file was found, which can be
useful for security researchers to look at and find bugs in the programming of the website.
An examination of the web interface revealed that external content was embedded on a page, which means something
isn’t right with the site. This can lead to issues such as identity theft. After closer examination, two vulnerabilities were
found: (a) HTML Form without CSRF Protection, which may let an attacker force the users of a web application to execute
actions of the attacker’s choosing, and a successful exploit can compromise end user data and operation in the case of a normal
user, AND (b) XSS Vector in Document Body on the 500 server page. After some deeper examination, some required
HTTP headers were missing and some vulnerabilities were found in CMS components.
Then I went on to pentesting the services which are running on the server. An FTP service (Pure-FTPd) was running on port 21,
for which I later found a vulnerability and an exploit, but I was not able to exploit this vulnerability, and the firewall is rate
limiting the attempts, so user enumeration can’t be done. The same goes for SSH: some kind of honeypot and firewall rules
result in false positives on user enumeration. After researching the versions of the other services, some known
vulnerabilities were found (which again I was not able to exploit).
Then came database testing: I went through all the webpages manually and didn’t find any SQLi vulnerability; then I ran
sqlmap, which also was not able to find any. So I ended up not able to dump the database.
Now, as far as the security of the website is concerned, it is secured, but some minor vulnerabilities are there which can be
exploited; overall the website is pretty much secured.
