Init

.gitignore

@@ -0,0 +1 @@
+.*

findings.typ

@@ -0,0 +1,31 @@
+#import "helper.typ"
+
+= Findings
+
+////////////////////////////////////////////////////////////////////////////////////////////////
+
+== Administration Interfaces reachable
+
+#helper.cvsstable(confidentiality: "N", integrity: "N", availability: "N")
+
+=== Description
+
+Administrative web applications and interfaces enable the management of organizational resources, processes, and data. These applications are typically used by administrative staff and other authorized persons to perform a variety of tasks. For example, administrators can use technical administration interfaces to read runtime data from servers and ensure smooth operation.
+
+=== Finding
+
+When searching for administration interfaces, the applications `Uptime Kuma` at `https://status.maride.inv` and `Nginx Proxy Manager` at `https://nginx.maride.inv` were found. The URLs of the administration interfaces were found via TLS Transparency Logs#footnote[https://letsencrypt.org/docs/ct-logs/].
+
+Both applications have a login screen and cannot be used by unauthorized visitors. Since administration accounts are set up during the initial configuration of the applications, it was not possible to log in using default credentials. A brute force attack was not performed to check for common passwords.
+
+The version of `Uptime Kuma` is not specified, while the version of `Nginx Proxy Manager` is 2.11.2 and free of publicly known vulnerabilities (CVEs).
+
+=== Evaluation
+
+The administration interfaces are not vulnerable and cannot be used without valid credentials. Because of this, the findings are considered purely informative.
+
+=== Recommendation
+
+It should be checked whether these administration interfaces must be accessible via the Internet. Protecting the interfaces behind an additional authentication layer, such as HTTP Basic Auth, or only offering them within a protected network such as a VPN would minimize the attack surface and prevent the possible exploitation of security vulnerabilities in the administration interfaces that may be found in the future.
+
+////////////////////////////////////////////////////////////////////////////////////////////////

helper.typ

@@ -0,0 +1,145 @@
+#let panicOnPlaceholder = state("panicOnPlaceholder", true)
+#let hasCIATable = state("hasCIATable", false)
+#let hasCVSSTable = state("hasCVSSTable", false)
+
+// Function panics if value is not in the allowed array
+#let panicOnInvalid(value, allowed) = {
+  if allowed.find(x => x == value) == none {
+    panic("Value " + value + " is not in " + allowed.join(", "))
+  }
+}
+
+// Statistics for the Finding risk categories
+#let riskCategoryStats = (
+  Critical: state("riskCriticalStat", 0),
+  High: state("riskHighStat", 0),
+  Medium: state("riskMediumStat", 0),
+  Low: state("riskLowStat", 0),
+  None: state("riskInformativeStat", 0),
+  Other: state("riskOtherStat", 0)
+)
+// Function to update the statistics
+#let updateRiskCategoryStats(status) = {
+  // Update status
+  if status == "Critical" {
+    context(riskCategoryStats.Critical.update(riskCategoryStats.Critical.get() + 1))
+  } else if status == "High" {
+    context(riskCategoryStats.High.update(riskCategoryStats.High.get() + 1))
+  } else if status == "Medium" {
+    context(riskCategoryStats.Medium.update(riskCategoryStats.Medium.get() + 1))
+  } else if status == "Low" {
+    context(riskCategoryStats.Low.update(riskCategoryStats.Low.get() + 1))
+  } else if status == "None" {
+    context(riskCategoryStats.None.update(riskCategoryStats.None.get() + 1))
+  } else if status == "Other" {
+    context(riskCategoryStats.Other.update(riskCategoryStats.Other.get() + 1))
+  } else {
+    panic("Unknown state: " + status)
+  }
+}
+
+// Return the table cell formatted according to its content - for use with CIA values
+#let ciacolor(str) = {
+  if str == "H" {
+    table.cell(str, fill: red, align: center)
+  } else if str == "L" {
+    table.cell(str, fill: yellow, align: center)
+  } else if str == "N" {
+    table.cell(str, fill: lime, align: center)
+  } else {
+    panic("Unknown CIA state: " + str)
+  }
+}
+
+// Return the table cell formatted according to its content - for the CVSS result
+#let cvsscolor(str) = {
+  if str == "Critical" {
+    table.cell(str, fill: red, align: center)
+  } else if str == "High" {
+    table.cell(str, fill: orange, align: center)
+  } else if str == "Medium" {
+    table.cell(str, fill: yellow, align: center)
+  } else if str == "Low" {
+    table.cell(str, fill: lime, align: center)
+  } else if str == "None" {
+    table.cell(str, fill: white, align: center)
+  } else {
+    panic("Unknown CVSS state: " + str)
+  }
+}
+
+// Create a small CIA table to be included for every finding
+#let cvsstable(attackVector: "N", attackComplexity: "L", privilegesRequired: "N", userInteraction: "N", scope: "U", confidentiality: "H", integrity: "H", availability: "H") = {
+  // Check values
+  panicOnInvalid(attackVector, ("N", "A", "L", "P"))
+  panicOnInvalid(attackComplexity, ("L", "H"))
+  panicOnInvalid(privilegesRequired, ("N", "L", "H"))
+  panicOnInvalid(userInteraction, ("N", "R"))
+  panicOnInvalid(scope, ("U", "C"))
+  panicOnInvalid(confidentiality, ("H", "L", "N"))
+  panicOnInvalid(integrity, ("H", "L", "N"))
+  panicOnInvalid(availability, ("H", "L", "N"))
+
+  // Calculate base result, see https://www.first.org/cvss/v3-1/specification-document#7-1-Base-Metrics-Equations
+  let issLookup = ("H": 0.56, "L": 0.22, "N": 0)
+  let attackVectorLookup = ("N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2)
+  let attackComplexityLookup = ("L": 0.77, "H": 0.44)
+  let privilegesLookup = ("N": 0.85, "L": if scope == "U" { 0.62 } else { 0.68 }, "H": if scope == "U" { 0.27 } else { 0.5 })
+  let userInteractionLookup = ("N": 0.85, "R": 0.62)
+  let iss = 1 - ((1 - issLookup.at(confidentiality)) * (1 - issLookup.at(integrity)) * (1 - issLookup.at(availability)))
+  let impact = if scope == "U" { 6.42 * iss } else { 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)}
+  let exploitability = 8.22 * attackVectorLookup.at(attackVector) * attackComplexityLookup.at(attackComplexity) * privilegesLookup.at(privilegesRequired) * userInteractionLookup.at(userInteraction)
+  let baseScore = if impact <= 0 { 0 } else { if scope == "U" { calc.round(calc.min(impact + exploitability, 10), digits: 1) } else { calc.round(calc.min(1.08 * (impact + exploitability), 10), digits: 1) } }
+
+  let status = "?"
+  if baseScore >= 9.0 {
+    status = "Critical"
+  } else if baseScore >= 7.0 {
+    status = "High"
+  } else if baseScore >= 4.0 {
+    status = "Medium"
+  } else if baseScore >= 0.1 {
+    status = "Low"
+  } else {
+    status = "None"
+  }
+
+  table(
+    columns: (1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr),
+    align: center,
+    stroke: 1pt,
+    table.cell(colspan: 5)[*Exploitability Metrics*],
+    table.cell(colspan: 3)[*Impact Metrics*],
+    table.cell(rowspan: 2, align: bottom)[*#sym.sum*],
+    [*AV*], [*AC*], [*PR*], [*UI*], [*S*], [*C*], [*I*], [*A*],
+    attackVector, attackComplexity, privilegesRequired, userInteraction, scope, ciacolor(confidentiality), ciacolor(integrity), ciacolor(availability), cvsscolor(status),
+  )
+
+  updateRiskCategoryStats(status)
+  hasCVSSTable.update(true)
+}
+
+// Return the value with a colorful background so it is visibly a placeholder.
+// Has the ability to panic if panicOnPlaceholder is set to true.
+#let placeholder(value) = {
+  highlight(
+    fill: rgb(0xff, 0xa2, 0x9c, 0xff),
+    
+    // Check which kind of placeholder is requested
+    if type(value) == str [
+      #if value.len() == 0 [
+        #lorem(30)
+      ] else [
+        #value
+      ]
+    ] else [
+      #value
+    ]
+  )
+
+  context(
+    if panicOnPlaceholder.get() {
+      panic("Found placeholder and panicOnPlaceholder is set.")
+    }
+  )
+}

main.typ

@@ -0,0 +1,165 @@
+#import "@preview/diagraph:0.3.6": render
+
+#import "pages.typ"
+#import "helper.typ"
+
+// Project-specific values
+#helper.panicOnPlaceholder.update(false)
+#let author = helper.placeholder("Martin \"maride\" Dessauer")
+#let targetFull = helper.placeholder("FooBar Dummy Lab")
+#let targetHandy = helper.placeholder("Dummy Lab")
+#let targetInSentence = helper.placeholder("the Dummy Lab")
+// ---
+
+#set text(font: "Helvetica Neue")
+#show heading: it => {
+  v(1em)
+  par(text(it.body, fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 255)))
+}
+
+#pages.cover(targetFull, author)
+#pages.legal(author)
+
+#set page(
+  paper: "a4",
+  background: none,
+  margin: auto,
+  numbering: "1",
+  footer: text(size: 12pt, weight: "extralight")[
+    #text(fill: silver, [Penetration Test Report #targetFull])
+    #h(1fr)
+    #context(
+      text(fill: silver,
+        counter(page).display("1 of 1", both: true)
+      )
+    )
+  ]
+)
+
+#pages.toc()
+
+#set heading(numbering: "1.1")
+#set par(justify: true)
+
+= Management Summary
+
+== Motivation
+
+This penetration test was conducted to proactively identify, assess, and validate the severity of security vulnerabilities within the defined scope of #targetInSentence, specifically those exploitable by #helper.placeholder("external attackers in real-world scenarios"). Adversarial techniques to bypass controls, gain unauthorized access, and compromise critical assets were performed for this test scenario to determine the actual impact on confidentiality, integrity, and availability.
+
+== Test Object
+
+#helper.placeholder(lorem(30))
+
+== Test Methodology
+
+The aim of the test was to uncover vulnerabilities and weaknesses of all kinds. These were carried out in accordance with the OWASP Web Security Testing Guide, version 4#footnote("https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing"), and, where applicable, the MITRE ATT&CK Framework#footnote("https://attack.mitre.org"). Recommendations for system hardening were made based on the current version of the CIS Benchmarks#footnote("https://www.cisecurity.org/") and the appropriate variant in each case.
+
+The penetration test was performed as a #helper.placeholder("black box test, without any access to source code or other information other than the scope").
+
+== Findings
+
+The penetration test revealed #context(helper.riskCategoryStats.values().map(v => v.final()).sum()) findings, which can be divided into the following risk categories:
+
+#table(
+  columns: (16.66%, 16.66%, 16.66%, 16.66%, 16.66%, 16.66%),
+  align: center,
+  [Critical], [High], [Medium], [Low], [None], [Other],
+  table.cell(context(helper.riskCategoryStats.Critical.final()), fill: red, align: center),
+  table.cell(context(helper.riskCategoryStats.High.final()), fill: orange, align: center),
+  table.cell(context(helper.riskCategoryStats.Medium.final()), fill: yellow, align: center),
+  table.cell(context(helper.riskCategoryStats.Low.final()), fill: lime, align: center),
+  table.cell(context(helper.riskCategoryStats.None.final()), fill: white, align: center),
+  table.cell(context(helper.riskCategoryStats.Other.final()), fill: gray, align: center),
+)
+
+== Recommendations & Next Steps
+
+Based on the results of this penetration test, #targetInSentence may be exposed to a production environment.
+
+#pagebreak()
+== Test Scope and Setup
+
+The test was conducted from #helper.placeholder("01.01.1970") to #helper.placeholder("01.01.1970").
+#helper.placeholder([
+  Connection to #targetHandy was made through a dedicated VPN connection via vpnhost.maride.inv. The inner IP address of the test device was 10.0.0.42.
+])
+
+The following scope was set for the penetration test:
+
+#let inscope = table.cell("In scope", fill: lime, align: center)
+#let outscope = table.cell("Out of scope", fill: gray, align: center)
+
+#table(
+  columns: (25%, 50%, 25%,),
+  align: center,
+  [*Type*], [*Value*], [*State*],
+  [Address], [#helper.placeholder("10.23.42.1")], inscope,
+  [Address], [#helper.placeholder("2001:db8::2342")], inscope,
+  [Domain], [#helper.placeholder("*.maride.inv")], inscope,
+  [URL], [#helper.placeholder("secret.maride.inv/flag.txt")], outscope,
+  [URL], [#helper.placeholder("important.maride.inv/rickroll")], outscope,
+)
+
+From the perspective of the machine used for the penetration test, the network layout was seen as shown in the graph below - simplified by leaving out hops that are not relevant for the penetration test, like third-party network operators and ISPs.
+
+#figure(
+  render("
+    digraph G {
+      rankdir=LR;
+      node [shape=rectangle];
+
+      subgraph stage1 {
+        style=filled;
+        color=red;
+        label=\"Connection\";
+        User -> Firewall [label=\"OpenVPN\"];
+      }
+
+      subgraph targetnet1 {
+        style=filled;
+        color=red;
+        label=\"Target Network\";
+        Firewall -> Target1;
+        Firewall -> Target2;
+        Firewall -> Target3;
+        Firewall -> Target4;
+      }
+
+      subgraph targetnet2 {
+        style=filled;
+        color=red;
+        label=\"Target Network\";
+        Target2 -> Target5;
+        Target2 -> Target6;
+        Target2 -> Target7;
+      }
+
+      subgraph targetnet3 {
+        style=filled;
+        color=red;
+        label=\"Target Network\";
+        Target4 -> Target8;
+      }
+    }
+  "),
+  caption: [
+    Schematic graph showing the test objective network
+  ]
+)
+
+#pagebreak()
+#include "findings.typ"
+
+#pagebreak()
+= Appendix
+
+#context(
+  [
+    #if helper.hasCVSSTable.get() {
+      pages.cvssAppendix()
+      pagebreak()
+      pages.ciaAppendix()
+    }
+  ]
+)

pages.typ

@@ -0,0 +1,144 @@
+#import "helper.typ"
+
+#let cover(title, author) = {
+  // Define page
+  set page(
+    paper: "a4",
+    background: [
+      #image("title.png")
+    ],
+    margin: (
+      top: 50%
+    )
+  )
+  // Reset counter
+  counter(page).update(n => n - 1)
+  
+  text(size: 32pt, [
+    #text("Penetration Test Report")\ 
+    #text(title, weight: "black")
+  ])
+
+  v(0pt)
+  
+  text(size: 16pt, [
+    Düsseldorf, #datetime.today().display("[day].[month].[year]") • #author
+  ])
+}
+
+#let toc() = {
+  outline(
+    title: "Table of contents",
+    indent: 10pt,
+    depth: 2
+  )
+
+  pagebreak()
+}
+
+#let legal(author) = {
+    // Define page
+  set page(
+    paper: "a4",
+  )
+  // Reset counter
+  counter(page).update(n => n - 1)
+  
+  block(height: 1fr)
+
+  show heading: it => {
+  v(1em)
+    par(text(it.body, fill: gray))
+  }
+  text(fill: silver,
+    [
+    #heading(level: 2, outlined:false, "Report Version & Authorship")
+
+    #table(
+      columns: (15%, 15%, 40%, 30%,),
+      align: center,
+      stroke: gray,
+      [*Version*], [*Date*], [*Author*], [*Changes & Comment*],
+      [#helper.placeholder("Draft")], [#helper.placeholder("01.01.1970")], [#helper.placeholder(author)], [#helper.placeholder("Some")]
+    )
+
+    #heading(level: 2, outlined:false, "Classification")
+    This report and all associated materials are strictly confidential and may be communicated and/or distributed by the Client only with written approval of the author. All report data, including findings and recommendations, may be stored encrypted in the author's secure archive for a minimum of 3 months post-engagement, in compliance with applicable data protection regulations.
+
+    #heading(level: 2, outlined:false, "Legal Disclaimer")
+    This report constitutes the professional findings of a penetration test conducted under the scope and terms agreed upon by the client. All results reflect the state of security vulnerabilities as assessed during the engagement using standardized methodologies and tools. The findings presented are not guarantees of security or compliance; they represent identified weaknesses which may require remediation as by the professional impression of the author.
+
+    The client is responsible for interpreting these findings within their operational context and for implementing appropriate security measures. No liability is assumed for actions taken based on this report. This assessment does not constitute security certification, and its results are valid only for the scope and timeframe of the engagement. Neither the contents of this document nor the expressions of the author in any form are legal advice.
+  ])
+}
+
+#let ciaAppendix() = {
+  [
+    == CIA Triad
+
+    The CIA triad is a fundamental framework for information security that encompasses three important principles: confidentiality, integrity, and availability. In this report, each of the three principles is used to highlight specific aspects of the security implications for the area under observation. All three principles are explained in more detail below.
+
+    === Confidentiality (C)
+    The principle of confidentiality means that information is only accessible to authorized users or entities. It protects sensitive data from unauthorized access or disclosure through measures such as encryption, access controls, and data classification. By maintaining confidentiality, companies reduce the risks of data breaches and unauthorized disclosure, thereby preserving the privacy and trustworthiness of their information assets.
+
+    === Integrity (I)
+    Integrity preserves the accuracy, consistency, and reliability of data. It prevents unauthorized changes, deletions, or falsifications through techniques such as checksums, digital signatures, and access controls. By maintaining data integrity, companies ensure the reliability and credibility of their information assets, thereby minimizing the risk of fraud or manipulation.
+
+    === Availability (A)
+    Availability ensures the smooth and reliable provision of information. Potential interruptions to services, systems, or networks are mitigated through redundancy, failover mechanisms, and disaster recovery planning. By maintaining high availability, companies maintain operational continuity and user satisfaction by mitigating the impact of downtime or failures. At the same time, the unavailability of information can have serious consequences, such as lost revenue.
+  ]
+}
+
+#let cvssAppendix() = {
+  [
+    == Common Vulnerability Scoring System (CVSS)
+
+    The Common Vulnerability Scoring System (CVSS) provides a standardized, vendor- and platform-agnostic methodology for quantifying the technical severity of software, hardware, and firmware vulnerabilities. Its outputs deliver numerical scores that contextualize a vulnerability’s risk relative to others, facilitating consistent prioritization across diverse systems. CVSS is structured around three interdependent metric groups: *Base*, *Temporal*, and *Environmental*. The Base Score captures the inherent characteristics of a vulnerability (e.g., exploitability, impact), assigning it a severity rating under idealized conditions. Temporal Metrics dynamically adjust this base score based on time-sensitive factors like exploit availability or the existence of patches. Finally, Environmental Metrics tailor the severity assessment to an organization’s specific deployment, accounting for mitigations, criticality of affected assets, and other contextual factors unique to the environment.
+
+    The only metric group that can be calculated without deep knowledge of the environment and situation is the Base Score, as the Base Score reflects intrinsic vulnerability characteristics (e.g., exploit complexity, impact on confidentiality/integrity) and is designed to be vendor-neutral and environment-agnostic. It does not account for the specific client’s infrastructure, patch status, or operational context. Since a penetration test reports on a single target environment, the Base Score represents the objective severity of the flaw within the scope of the test (e.g., "this flaw could be exploited in this network").
+
+    The version of the Common Vulnerability Scoring System used in this report is 3.1#footnote("https://www.first.org/cvss/v3-1/user-guide").
+
+    === Attack Vector (AV)
+
+    This metric quantifies how remotely an attacker can exploit a vulnerability, directly influencing the Base Score:
+
+    - *Network (N)*: Highest severity. Attack possible from anywhere on the internet (e.g., sending a malicious packet across routers).
+    - *Adjacent (A)*: Moderate severity. Exploit limited to local networks (e.g., same subnet, Bluetooth/Wi-Fi, or secure VPN).
+    - *Local (L)*: Lower severity. Requires local access (console/SSH) or user interaction (e.g., phishing a document).
+    - *Physical (P)*: Lowest severity. Requires direct physical contact (e.g., evil-maid attacks, cold boot, DMA via USB).
+
+    === Attack Complexity (AC)
+
+    This metric quantifies the technical difficulty of exploiting a vulnerability, independent of user interaction. It directly impacts the Base Score:
+
+    - *Low (L)*: Attack is repeatable and predictable with no special conditions. Example: Exploiting a buffer overflow in a service accessible via network.
+    - *High (H)*: Exploit requires attacker preparation or external factors, reducing reliability. This may include:
+      - Gathering target-specific knowledge (e.g., configuration settings, shared secrets).
+      - Overcoming mitigations (e.g., race conditions, anti-exploit techniques).
+      - Network manipulation (e.g., man-in-the-middle attacks).
+      - Example: Exploiting a flaw requiring a victim’s browser to accept a malicious file.
+
+    === Privileges Required (PR)
+
+    This metric measures the attacker’s initial access level needed to exploit a vulnerability, directly impacting the Base Score:
+
+    - *None (N)*: Highest severity. Exploitable by unauthorized attackers with no prior access (e.g., unauthenticated web attack).
+    - *Low (L)*: Moderate severity. Requires basic user privileges (e.g., standard account access to non-sensitive resources).
+    - *High (H)*: Lowest severity. Needs administrative privileges to access critical system settings/files (e.g., root/superuser access).
+
+    === User Interaction (UI)
+
+    This metric assesses whether a vulnerability requires human involvement (beyond the attacker) to be exploited, directly influencing the Base Score:
+
+    - *None (N)*: Highest severity. Exploitable without user action (e.g., automated network attack).
+    - *Required (R)*: Lower severity. Requires user interaction (e.g., clicking a malicious link or installing software).
+
+    === Scope (S)
+
+    This metric determines if a vulnerability breaches security boundaries, allowing impact on components outside its original security scope (e.g., an app exploiting a database). Directly impacts Base Score severity:
+
+    - *Unchanged (U)*: Lowest severity. Vulnerability only affects resources within the same security authority (e.g., a web app affecting its own files).
+    - *Changed (C)*: Highest severity. Vulnerability crosses security boundaries, impacting components under different authorities (e.g., a compromised web server accessing a database).
+  ]
+}