Red Team Report
With 2 fellow students, we performed a pentest assignment during the red vs blue team event.
This Red Team report contains all efforts that were conducted in order to test the security of the systems that were developed by the security engineers. The purpose of this report is to transfer the findings to the security engineer that developed the system, so he can take action upon this.
The objective of this assesment is to perform an internal penetration test against systems developed by their security engineers.
Red Team Report - High-Level Summary
The task was to perform an internal penetration test towards the systems that have been developed by the security engineers. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks and infiltrate these systems. The overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to the security engineers.
Red Team Report - Findings
- Nearly all the systems used HTTP, so a man in the middle attack is possible.
- When requests are send directly to the microservices, there is no authorization because this happens through the gateway normally.
- The password for the test account was being re-used for Portainer, which gave us full access to the whole application.
- Use https instead of http
- The authorization should be fixed, make sure to implement a check on the microservices as well.
- Use strong and unique passwords for each service