Vulnerability Assessment and Penetration Test Exercise (Individual): Security Vulnerability Assessment, Assignment, Singapore

1. Vulnerability Assessment and Penetration Test Exercise (Individual)

1.1 Project Overview

CDF Artworks Pte Ltd is a Singapore-based SME that is well-known for displaying high- profile artwork in a virtual setting. The business has just won a local productivity award using cloud technologies to run their virtual gallery platform called “The Artisan’s Gallery’.

The Client had called (as part of an annual internal review) a tender to perform a Vulnerability Assessment and Penetration Test (VAPT) on a specific set of assets hosted on the Staging environment, before they are pushed to the production cloud. The awarded vendor is to report any findings and provide recommendations.

Your company, 1337 Security Services Pte Ltd, had responded to the tender and is awarded the deal. Your managing consultant has assigned your team to perform the assessment for CDF Artworks Pte Ltd.

1.2 General Requirements

a. Students are to form groups of 2 to 3 for this assignment. The main objective for all groups is to identify and exploit security vulnerabilities on 3 target machines (CS-BOX1, CS-BOX2, CS-BOX3).

b. Each target is configured with 2 levels of challenges, and the logical network diagram for each target is shown below:

c. A quick description of the levels are as follows:

LEVEL1-Network vulnerability assessment & penetration testing

LEVEL2 – Web application vulnerability assessment & penetration testing

d. Each level is also designed with the following exploits that you are to discover during your case study attempt:

• Initial Entry/Initial Exploitation (security misconfiguration/vulnerability to low-
  privileged user)
• Privilege Escalation Exploit (low-privileged user to high-privileged root user) –

e. The table below shows an overview of vulnerabilities (12 vulnerabilities in total) for all three target boxes:

f. Each student in the group is to do a writeup on ONE vulnerability (initial entry OR privilege escalation) on any one of the level challenges. Template for the writeup will be provided in POLITEMall.

g. More marks will be awarded for the following:

• Gaining initial access (remote command execution) to a Level 2 challenge.
• Attaining full ‘root’/administrative access of a Level 1 OR a Level 2 challenge.

h You are NOT to perform vulnerability assessments and penetration tests beyond the scope given, such as scanning other networks and systems. Anyone caught doing so could result in immediate failure of this subject or even more severe disciplinary action.

Submission Requirements

a. All groups are to submit a combined report that contains the following:

• Cover Page
• Declaration of Originality (with complete signatures)
• Executive Summary
• Findings Overview
• Detailed Findings and Recommendations (compiled finding writeups written by all 2-3 members)