Solving the “Vulnversity” room following the Cyber Kill Chain methodology

Figure 1. Cyber kill chain

Reconnaissance

The main objective is to obtain as much information about the target as possible in order to find its weaknesses. There are two types of reconnaissance:

  • Active: direct interaction with the target, which will also generate alerts from the security systems monitoring the targeted application.
  • Passive: usually done via OSINT (Open Source Intelligence), using publicly available information to learn more about the target without interacting with it directly.
Figure 2. Nmap results
Figure 3. Identified web page
Figure 4. Gobuster enumeration
Figure 5. Upload server was found
  • .php
  • .php3
  • .php4
  • .php5
  • .phtml
Figure 6. Intercepting the file upload
Figure 7. Selecting our sniper subject
Figure 8. Extensions to test the webserver
Figure 9. Sniper results

Weaponization

Now that we have identified a web server and a place to upload files under a fake file extension, we can think about the best way to get into the system. Usually, when a vulnerable web server allows this type of file to be uploaded, we can follow the File Inclusion attack: send a malicious script to the web server, then request the route where it is saved so that the script executes. That script may send us a reverse shell so we can get into the target server.

Figure 10. Preparing our weapon

Delivery

Now you may be wondering how we are going to deliver it. In the reconnaissance phase we found an upload form that accepts a particular file extension, .phtml, so we change the extension of our reverse shell script to .phtml and the target server will save it in its records.
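The weak check that the upload form appears to use, next to a hardened allow-list alternative, as an added Python example (this is not the room's code; the deny-list contents are an assumption based on the extensions the page reports testing, and the allowed set is a constructed one):

```python
import os
import re

# Constructed model of the weak filter: a deny-list of extensions that omits .phtml.
# Assumption about the room's filter, not the room's own code. On a typical Apache/PHP
# setup .phtml is still handed to the PHP interpreter, so this list is incomplete.
DENIED_EXTENSIONS = {".php", ".php3", ".php4", ".php5"}

# Hardened filter: an allow-list of the extensions the upload feature actually needs
# (constructed set for this example).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# The file stem must be a plain token: no dots, so "shell.phtml.jpg" is rejected.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def denylist_filter(filename: str) -> bool:
    """Weak check: accept anything whose extension is not on the deny-list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS


def allowlist_filter(filename: str) -> bool:
    """Hardened check: basename only, exactly one extension, and it must be allow-listed."""
    base = os.path.basename(filename)            # drop any path components the client sent
    stem, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:    # case-insensitive: .PHTML is still .phtml
        return False
    return SAFE_STEM.fullmatch(stem) is not None


def audit(filenames):
    """Show, per filename, what each filter decides; handy as a regression check."""
    return {f: (denylist_filter(f), allowlist_filter(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names covering the bypass the walkthrough relies on.
    for name, (weak, hardened) in audit(["photo.png", "shell.php", "shell.phtml",
                                         "SHELL.PHP5", "shell.phtml.jpg"]).items():
        print(f"{name:18} deny-list={weak!s:5} allow-list={hardened}")
```

The filename check is only one layer: storing uploads outside the document root, or with script execution disabled for that directory, is what stops an uploaded file from running even when a filter is bypassed.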

Figure 11. Delivering our payload.

Exploitation

Now that we know our payload is on the target host, how can we access it? If you are aware of how file uploads usually work, they put everything into an /uploads directory, so let’s try to access that specific file by its URL. Be sure that you are listening on the port you configured in that file!

Figure 12. Reverse shell spawned

Installation, Command and Control, and Actions on Objectives

The last three steps are usually not in the scope of this room. Installation is where, having already compromised the superuser and gained full control of the system, we install additional malware to enable command and control so that we do not lose access to the system. Once those two steps are done, we can finally do whatever we want, and that phase is actions on objectives.

Josué Carvajal

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH