4-1: Exploits for gaining a foothold / initial access
Once potential exploits have been identified, either on a service or within a web application, the next step is to attempt to execute the exploit. There are two broad ways this can go:
Using a known exploit
The most direct way to exploit is with an existing payload/script that has been created for a specific CVE, whether it was found via searchsploit/exploit-db or on GitHub. The simplest case is that the script can be run as-is, without any modification, using the required arguments.
In other cases the script doesn't work exactly as intended, whether due to code version differences (strongly recommended to containerize the script if this kind of thing happens) or situations unique to this particular app/service, and it may be necessary to tweak the script. What that means in practice is highly dependent on the specific exploit, so the most I can say is that observing the response to the initial exploit attempt and testing modifications piece by piece may be necessary.
Sometimes you may need to go further, taking the concept of the exploit and rewriting it to make it work.
Using an exploit class
The other major type is the exploit class: any exploit that uses a more general vulnerability in application logic. Common exploits of this type are SQL injection, command injection, XSS, etc.
In this case the process is to first determine whether the application is likely to be vulnerable to one of these specific types. With SQL injection, this means passing a basic payload with a' into a vulnerable field to see if that input triggers an error, which indicates an injection is possible. After that, a combination of manual testing and more automated methods, like sqlmap in this case, will be necessary to see if the exploit can be fully utilized.
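Why the a' input produces that error, and why a parameterized query does not, shown as an added example that is not part of the original page. The users table, the function names and the in-memory sqlite3 backend are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed, in-memory sample database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db


def lookup_concat(db, name):
    """Vulnerable form: the input is pasted into the SQL text itself."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return ("ok", db.execute(query).fetchall())
    except sqlite3.Error as exc:
        # The stray quote unbalances the string literal, so the parser fails.
        # An application that surfaces this failure is what the a' test observes.
        return ("sql_error", str(exc))


def lookup_param(db, name):
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    query = "SELECT id, name FROM users WHERE name = ?"
    try:
        return ("ok", db.execute(query, (name,)).fetchall())
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "a'"):
        print(repr(value), "concat:", lookup_concat(db, value))
        print(repr(value), "param: ", lookup_param(db, value))
```

The same pair of calls works as a regression check: any input that yields sql_error from a lookup function means user data is reaching the SQL parser.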
Goals
In an ideal world the exploit should give us some form of RCE which gets us a shell on the system that allows us to move to the next stage: system exploitation. This will not always be the case, even when the exploit itself is successful.
With that in mind, our goal with each exploit is, at minimum, to gain more information and, if possible, some additional level of access. It may require multiple stages of exploits to gain a foothold on the system. In other cases the exploit reveals sensitive information that allows us to directly access the system via a password, SSH key, or similar.