Table of Contents

1 Statement of Confidentiality

The contents of this document have been developed by SancLogic. SancLogic considers the contents of this document to be proprietary and business confidential information. This information is to be used only in the performance of its intended use. This document may not be released to another vendor, business partner or contractor without prior written consent from SancLogic. Additionally, no portion of this document may be communicated, reproduced, copied or distributed without the prior consent of SancLogic.

The contents of this document do not constitute legal advice. SancLogic's offer of services that relate to compliance, litigation or other legal interests are not intended as legal counsel and should not be taken as such.

2 Engagement Contacts

Client Contacts
Contact	Title	Contact Email
Steven Mah	Managing Director	[email protected]

Assessor Contact
Assessor Name	Title	Assessor Contact Email
SancLogic	Security Analyst	[email protected]

3 Executive Summary

MahCyberDefense (on behalf of Kerning City Dental, "Kerning City Dental" herein) contracted SancLogic to perform a full-scope red team assessment of Kerning City Dental's externally facing web infrastructure to identify security weaknesses, determine the impact to Kerning City Dental, document all findings in a clear and repeatable manner, and provide remediation recommendations.

3.1 Approach

SancLogic performed testing under a "Black Box" approach on 12 February 2026 without credentials or any advance knowledge of Kerning City Dental's externally facing environment with the goal of identifying unknown weaknesses. Testing was performed from a non-evasive standpoint with the goal of uncovering as many misconfigurations and vulnerabilities as possible. Testing was performed remotely from SancLogic's assessment infrastructure via ProtonVPN. Each weakness identified was documented and manually investigated to determine exploitation possibilities and escalation potential. SancLogic sought to demonstrate the full impact of every vulnerability, up to and including data exfiltration and command and control establishment.

3.2 Scope

The scope of this assessment was the external web application and underlying web server infrastructure.

Host/URL/IP Address	Description
kerningcitydental.ca	Primary web application
KCD-Web (172.16.1.4)	Windows Server 2022 (DMZ)
ADDC01	Active Directory Domain Controller — Not Reachable (DMZ Isolation)
KCD-EXCH01	Exchange Server — Not Reachable (DMZ Isolation)
KCD-FS01	File Server — Not Reachable (DMZ Isolation)

Out of Scope: Denial of Service (DoS) attacks, third-party infrastructure

3.3 Assessor Infrastructure

The following infrastructure was used to conduct the assessment. This information is provided to assist Kerning City Dental in distinguishing penetration test activity from any unrelated or malicious traffic occurring during the assessment window.

Component	Detail	Notes
Assessor Location	Remote	Testing conducted remotely throughout
VPN Provider	ProtonVPN	All traffic egressed via ProtonVPN
Egress IP	Documented at time of testing	Available on request for log correlation
C2 Infrastructure	sync.cloud-endpoint.net	Cloudflare Tunnel — used for Sliver C2 during Phase 6 only
C2 Port	8443 (HTTPS)	Outbound from KCD-Web to C2 listener
Assessment OS	Kali Linux	Primary assessment platform
Assessment Window	12 February 2026, 09:14 – 10:15	Total active testing: ~61 minutes

Any traffic originating from ProtonVPN exit nodes or the domain cloud-endpoint.net during the above window should be attributed to this authorised assessment.

3.3 Assessment Overview and Recommendations

During the penetration test against Kerning City Dental, SancLogic identified 11 findings that threaten the confidentiality, integrity, and availability of Kerning City Dental's information systems. The findings were categorised by severity level, with 5 of the findings being assigned a critical-risk rating, 1 high-risk, 3 medium-risk, and 2 low risk.

The assessment demonstrated that an external attacker could fully compromise the web server, access all patient records (including Social Insurance Numbers), harvest credentials, and establish command and control access. This represents a significant breach of PIPEDA compliance obligations.

Kerning City Dental should create a remediation plan based on the Remediation Summary section of this report, addressing all critical and high findings as soon as possible according to the needs of the business. Kerning City Dental should also consider performing periodic vulnerability assessments if they are not already being performed.

Key recommendations include:

• Immediate rotation of all exposed credentials (SQL, SMTP, API keys, staff accounts)
• Removal or restriction of the diagnostic.aspx page
• Implementation of parameterised queries to prevent SQL injection
• Encryption of patient health information at rest
• PIPEDA compliance review due to PHI exposure

4 Penetration Test Assessment Summary

SancLogic began all testing activities from the perspective of an unauthenticated user on the internet. The client provided only the target domain; no additional information such as operating system or configuration details was provided.

4.1 Summary of Findings

During the course of testing, SancLogic uncovered a total of 11 findings that pose a material risk to Kerning City Dental's information systems. The below chart provides a summary of the findings by severity level.

In the course of this penetration test: 5 Critical, 1 High, 3 Medium, 2 Low vulnerabilities were identified:

Below is a high-level overview of each finding identified during testing:

#	Severity Level	Finding Name	Page
1	9.8 (Critical)	OS Command Injection (Remote Code Execution)	12
2	9.8 (Critical)	SQL Injection — Authentication Bypass	13
3	9.1 (Critical)	Plaintext Credential Storage	14
4	9.1 (Critical)	Protected Health Information Exposure	15
5	8.8 (Critical)	Antivirus Bypass via Custom Tooling	16
6	7.5 (High)	Sensitive Information in robots.txt	17
7	5.3 (Medium)	Verbose Error Messages	17
8	5.3 (Medium)	Server Information Disclosure	18
9	5.3 (Medium)	Directory Browsing Enabled	18
10	3.7 (Low)	Missing Security Headers	19
11	3.7 (Low)	Debug Mode Enabled	19

5 Attack Path Walkthrough

During the course of the assessment, SancLogic gained a foothold via the external web application, access all patient records, harvest credentials, and establish command and control access on the web server. The steps below demonstrate the path taken from initial reconnaissance to full compromise.

5.1 Detailed Walkthrough

SancLogic performed the following to fully compromise the KCD-Web server:

1. Passive reconnaissance identified infrastructure (Cloudflare, IIS 10.0, Windows Server 2022, M365 mail)
2. Subdomain enumeration via crt.sh revealed mail and wildcard certificates
3. robots.txt disclosed sensitive paths including /tools/diagnostic.aspx
4. OS command injection achieved via ping field (127.0.0.1 & whoami)
5. Post-exploitation enumeration revealed SeImpersonatePrivilege (potato attack potential)
6. web.config harvested via RCE, exposing SQL credentials (sa), SMTP password, and API keys
7. SQL injection on /admin/login.aspx bypassed authentication
8. Admin panel accessed — last login from internal IP 192.168.10.103
9. Patient data exfiltrated (10 records with SIN, DOB, plaintext passwords) — IIS request filtering bypassed
10. Custom Nim stager deployed, establishing Sliver C2 sessions (terminated by Defender after ~2 min)

Phase 1: Reconnaissance

Passive reconnaissance revealed the target infrastructure:

Component	Value
Domain	kerningcitydental.ca
CDN/WAF	Cloudflare
Web Server	Microsoft IIS 10.0
Framework	ASP.NET 4.8
OS	Windows Server 2022 (build 20348)
Registrant	DFIRINTLY INC (Steven Mah)
Mail	Microsoft 365 (kerningcitydental-ca.mail.protection.outlook.com)
Third-party Developer	[email protected] (found in source comments)

Subdomains discovered via crt.sh:

• kerningcitydental.ca
• *.kerningcitydental.ca (wildcard)
• mail.kerningcitydental.ca
• mail-relay.kerningcitydental.ca

Phase 2: Vulnerability Discovery

Analysis of robots.txt disclosed sensitive paths:

The /tools/diagnostic.aspx page was publicly accessible and exposed server information including hostname, OS version, and application paths.

Phase 3: Initial Access — Command Injection

The diagnostic.aspx page contained network troubleshooting tools (ping, nslookup, traceroute) that passed user input directly to cmd.exe without sanitisation.

Payload:

Server Executed:

Result: Arbitrary command execution confirmed. The whoami command returned iis apppool\defaultapppool.

Phase 4: Post-Exploitation Enumeration

Using command injection, SancLogic enumerated the system:

Property	Value
Hostname	KCD-Web
OS	Windows Server 2022 (10.0.20348.0)
Network	172.16.1.4/29 (DMZ segment)
Domain	WORKGROUP (not domain-joined)

Token Privileges:

The SeImpersonatePrivilege token enables privilege escalation via "potato" attacks (PrintSpoofer, GodPotato, JuicyPotatoNG). These were blocked by Defender, SancLogic pivoted to custom tooling instead.

Phase 5: Credential Harvesting

The web.config file was readable via command injection:

Credentials Discovered:

Service	Username	Password
SQL Server (KCD-SQL01)	sa	SQLAdmin2024!
SMTP	—	EmailKCD2024!
Backup API	—	sk-kcd-a8f29b4c1d3e5f6g7h8i9j0k

Phase 8: Command & Control

Known privilege escalation tools (PrintSpoofer, GodPotato, JuicyPotatoNG) were detected and quarantined by Windows Defender. A custom Nim-based stager with in-memory shellcode execution was deployed, successfully evading static detection:

Sessions were terminated by Defender behavioural analysis after approximately 2 minutes.

6 Remediation Summary

As a result of this assessment there are several opportunities for Kerning City Dental to strengthen its security posture. Remediation efforts are prioritised below starting with those that will likely take the least amount of time and effort to complete. Kerning City Dental should ensure that all remediation steps and mitigating controls are carefully planned and tested to prevent any service disruptions or loss of data.

6.1 Short Term

• Rotate all credentials: SQL (sa), SMTP, backup API key, all staff accounts
• Remove or restrict access to /tools/diagnostic.aspx
• Implement parameterised queries on /admin/login.aspx
• Remove sensitive paths from robots.txt
• Disable debug SQL output in production

6.2 Medium Term

• Hash all stored passwords using bcrypt or Argon2
• Encrypt patient data at rest
• Disable verbose error messages (customErrors mode="On")
• Use Azure Key Vault or similar for connection strings
• Disable directory browsing
• Remove server information disclosure

6.3 Long Term

• Conduct PIPEDA compliance review due to PHI exposure
• Implement EDR with behavioural analysis capabilities
• Perform periodic penetration testing
• Security awareness training for development team
• Consider migration to modern framework with built-in security controls

7 Technical Findings Details

1. OS Command Injection (Remote Code Execution) - Critical

CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command
CVSS 3.1	9.8
Location	/tools/diagnostic.aspx (txtTarget, txtDns, txtTracert parameters)
Root Cause	User input is concatenated directly into system commands without sanitisation, enabling arbitrary command execution as the IIS application pool identity.
Impact	Full server compromise, data exfiltration, lateral movement capability, persistent access via webshell or C2.
Remediation	Remove diagnostic.aspx from production or restrict access via authentication. Implement input validation using allowlists (IP address regex). Use parameterised commands, not string concatenation.

Finding Evidence

2. SQL Injection — Authentication Bypass - Critical

CWE	CWE-89: Improper Neutralization of Special Elements used in an SQL Command
CVSS 3.1	9.8
Location	/admin/login.aspx (Username parameter)
Root Cause	Login form constructs SQL queries via string concatenation, enabling injection attacks.
Impact	Complete authentication bypass, administrative access without credentials, potential database compromise.
Remediation	Implement parameterised queries / prepared statements. Remove debug SQL output from production. Implement account lockout mechanisms.

Finding Evidence

3. Plaintext Credential Storage - Critical

CWE	CWE-256: Plaintext Storage of a Password
CVSS 3.1	9.1
Location	/App_Data/users.csv, web.config
Root Cause	Staff and patient passwords stored in plaintext. Database credentials stored in plaintext in web.config.
Impact	Mass credential compromise, potential credential reuse attacks against other systems.
Remediation	Hash passwords using bcrypt/Argon2. Use Azure Key Vault or similar for connection strings. Rotate all exposed credentials immediately.

Finding Evidence

Staff credentials discovered in /App_Data/users.csv:

Username	Password	Role
admin	KCDental2024!	administrator
drpatel	Smile2024!	dentist
drnguyen	Nguyen2024!	dentist
sthompson	Sarah2024!	manager
arodriguez	Amanda2024!	receptionist

5. Antivirus Bypass via Custom Tooling - Critical

CWE	CWE-693: Protection Mechanism Failure
CVSS 3.1	8.8
Location	KCD-Web (Windows Defender)
Root Cause	Reliance on signature-based detection allowed custom tooling to evade static analysis.
Impact	Persistent access, data exfiltration channel, further network compromise capability.
Remediation	Implement EDR with behavioural analysis. Enable AMSI for PowerShell/script-based attacks. Monitor for unusual outbound connections.

Finding Evidence

Known privilege escalation tools were detected and quarantined:

• PrintSpoofer — Quarantined
• GodPotato — Quarantined
• JuicyPotatoNG — Quarantined

Custom Nim-based stager with in-memory shellcode execution successfully evaded static detection:

Note: Sessions were terminated by Defender behavioural analysis after approximately 2 minutes. See Positive Observations section.

6. Sensitive Information in robots.txt - High

CWE	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS 3.1	7.5
Location	/robots.txt
Root Cause	robots.txt used to hide sensitive paths instead of implementing proper access controls.
Impact	Attack surface discovery, targeted attacks against administrative and diagnostic functionality.
Remediation	Remove sensitive paths from robots.txt. Implement authentication rather than obscurity.

Finding Evidence

7. Verbose Error Messages - Medium

CWE	CWE-209: Generation of Error Message Containing Sensitive Information
CVSS 3.1	5.3
Location	Application-wide (404 pages, exception handlers)
Root Cause	IIS detailed errors enabled in production environment.
Impact	Physical paths, stack traces, and server configuration leaked to attackers.
Remediation	Set <customErrors mode="On"/> and <httpErrors errorMode="Custom"/> in web.config.

Finding Evidence

404 error pages leaked internal physical path:

8. Server Information Disclosure - Medium

CWE	CWE-200: Exposure of Sensitive Information
CVSS 3.1	5.3
Location	/tools/diagnostic.aspx, HTTP headers
Root Cause	Server information table publicly accessible. Custom X-Server-Info header exposes "Microsoft-IIS/10.0" despite Cloudflare CDN, enabling backend fingerprinting.
Impact	Targeted attacks based on known OS/software versions. Cloudflare protection bypassed for fingerprinting.
Remediation	Remove server information table from diagnostic page. Remove X-Server-Info and X-Powered-By headers. Configure Cloudflare to strip server headers.

Finding Evidence

Information disclosed via diagnostic.aspx:

• Server Name: KCD-Web
• OS Version: Microsoft Windows NT 10.0.20348.0
• CLR Version: 4.0.30319.42000
• App Path: C:\inetpub\kerningcitydental\
• IIS Identity: IIS APPPOOL\DefaultAppPool

HTTP response headers leaked backend details despite Cloudflare:

9. Directory Browsing Enabled - Medium

CWE	CWE-548: Exposure of Information Through Directory Listing
CVSS 3.1	5.3
Location	/admin/
Root Cause	IIS directory browsing enabled on administrative directory.
Impact	File structure exposure, discovery of additional attack vectors.
Remediation	Set <directoryBrowse enabled="false"/> in web.config.

10. Missing Security Headers - Low

CWE	CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
CVSS 3.1	3.7
Location	Application-wide
Root Cause	HttpOnly and Secure flags not set on session cookies.
Impact	Session hijacking via XSS attacks if combined with other vulnerabilities.
Remediation	Set <httpCookies httpOnlyCookies="true" requireSSL="true"/> in web.config.

11. Debug Mode Enabled - Low

CWE	CWE-489: Active Debug Code
CVSS 3.1	3.7
Location	web.config
Root Cause	<compilation debug="true"/> enabled in production web.config.
Impact	Performance degradation, additional information disclosure, larger attack surface.
Remediation	Disable debug mode in production deployments.

8 Positive Observations

The following security controls were observed functioning effectively during the assessment:

P1: DMZ Network Segmentation

The web server was properly isolated in a DMZ segment (172.16.1.4/29). Internal network resources (Active Directory, Exchange, file servers) were not reachable from the compromised host. This segmentation prevented lateral movement into the corporate network and limited the blast radius of the compromise.

P2: Windows Defender Behavioural Detection

While static analysis was bypassed with custom tooling, Windows Defender's behavioural analysis successfully detected and terminated C2 sessions within approximately 2 minutes of execution. Known privilege escalation tools (PrintSpoofer, GodPotato, JuicyPotatoNG) were also blocked on initial delivery. This demonstrates that Defender provided meaningful defense-in-depth despite the bypass.

A Appendix

A.1 Finding Severities

Each finding has been assigned a severity rating of critical, high, medium, low or info. The rating is based off of an assessment of the priority with which each finding should be viewed and the potential impact each has on the confidentiality, integrity, and availability of Kerning City Dental's data.

Rating	CVSS Score Range
Critical	9.0 – 10.0
High	7.0 – 8.9
Medium	4.0 – 6.9
Low	0.1 – 3.9
Info	0.0

A.2 Host & Service Discovery

IP Address / URL	Port	Service	Notes
kerningcitydental.ca	443	HTTPS	Primary web application (behind Cloudflare)
104.21.45.10	443	HTTPS	Cloudflare edge IP
172.67.207.71	443	HTTPS	Cloudflare edge IP
KCD-Web (172.16.1.4)	—	IIS 10.0	Windows Server 2022 (DMZ segment)

DNS Records:

Record	Value	Notes
A	104.21.45.10, 172.67.207.71	Cloudflare IPs
MX	kerningcitydental-ca.mail.protection.outlook.com	Microsoft 365
TXT	MS=ms72239418	Microsoft domain verification
TXT	v=spf1 include:spf.protection.outlook.com	SPF record confirms M365
NS	clara.ns.cloudflare.com, wesley.ns.cloudflare.com	Cloudflare nameservers

WHOIS:

Field	Value
Registrant	DFIRINTLY INC
Admin Contact	Steven Mah ([email protected])
Address	REDACTED
Phone	REDACTED
Created	2025-09-24

A.3 Subdomain Discovery

URL	Description	Discovery Method
kerningcitydental.ca	Primary domain	Provided in scope
*.kerningcitydental.ca	Wildcard certificate	crt.sh
mail.kerningcitydental.ca	Mail subdomain	crt.sh
mail-relay.kerningcitydental.ca	Mail relay	crt.sh

A.4 Exploited Hosts

Host	Scope	Method	Notes
KCD-Web	External	OS Command Injection	Full compromise via diagnostic.aspx

A.5 Compromised Users

Username	Type	Method	Notes
admin	Staff	Plaintext in users.csv	Administrator role
drpatel	Staff	Plaintext in users.csv	Dentist role
drnguyen	Staff	Plaintext in users.csv	Dentist role
sthompson	Staff	Plaintext in users.csv	Manager role
arodriguez	Staff	Plaintext in users.csv	Receptionist role
sa	SQL Server	Plaintext in web.config	Database admin

A.6 Changes/Host Cleanup

The following artifacts were left on target systems during testing and should be removed:

Host	Path/Change	Cleanup Required
KCD-Web	C:\Windows\Temp\svc.exe	Delete Nim stager binary
KCD-Web	Windows Defender quarantine	Review quarantined items (PrintSpoofer, GodPotato, JuicyPotatoNG)

Note: C2 sessions were terminated by Defender behavioural analysis. No persistent access or scheduled tasks were established.

A.7 MITRE ATT&CK Mapping

Tactic	Technique	ID
Reconnaissance	Active Scanning	T1595
Initial Access	Exploit Public-Facing Application	T1190
Execution	Command and Scripting Interpreter	T1059
Persistence	Web Shell (attempted)	T1505.003
Credential Access	Credentials from Password Stores	T1555
Credential Access	Unsecured Credentials	T1552
Collection	Data from Local System	T1005
Exfiltration	Exfiltration Over C2 Channel	T1041
Command and Control	Application Layer Protocol	T1071

A.8 Tools Used

• Kali Linux
• curl, dig, whois
• whatweb
• Sliver C2 Framework
• Custom Nim stager
• ProtonVPN
• Cloudflare Tunnel

A.9 Evidence Files

Timestamp	Finding	File
2026-02-12	WHOIS	recon/whois.txt
2026-02-12	DNS records	recon/dns_*.txt
2026-02-12	Subdomains	recon/subdomains_crt.txt
2026-02-12	Tech fingerprint	recon/whatweb.txt
2026-02-12	robots.txt	recon/robots.txt
2026-02-12	diagnostic.aspx	recon/diagnostic_page.html
2026-02-12	RCE PoC	Screenshots Image 1-2
2026-02-12	Credentials	Screenshots Image 3, 7
2026-02-12	SQL Injection	Screenshots Image 4-6
2026-02-12	PHI Exfiltration	Screenshots Image 8
2026-02-12	C2 Sessions	Screenshots Image 9