Which category best describes this activity?

A CMS plugin creates two files that are accessible from the Internet: myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php. You see traffic to your webserver that consists of only HTTP GET requests to myplugin.html. Which category best describes this activity?
A. weaponization
B. exploitation
C. installation
D. reconnaissance
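The distinction the thread turns on, GET requests that only fetch myplugin.html versus POSTs aimed at exploitable.php, is one a defender can pull straight out of the web server access log. The Python below is an added example, not part of the exam question or any commenter's post; the log lines, source IPs, plugin paths and triage thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/myplugin/myplugin.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/myplugin/myplugin.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-content/plugins/myplugin/exploitable.php HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, path):
    """Label one request by what it touches in the plugin (assumed file names)."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]   # strip query string and directory
    if method == "GET" and name == "myplugin.html":
        return "plugin-probe"        # only fetches the static page the plugin ships
    if method == "POST" and name == "exploitable.php":
        return "exploit-attempt"     # the request shape the exploit requires
    return "other"

def triage(log_text):
    """Count request classes per source IP; unparseable lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        counts[m["ip"]][classify(m["method"], m["path"])] += 1
    return {ip: dict(c) for ip, c in counts.items()}

def findings(summary, probe_threshold=2):
    """Assumed triage policy: any POST to exploitable.php is high priority;
    repeated GETs for the plugin page are worth watching; the rest is ignored."""
    out = []
    for ip, c in sorted(summary.items()):
        if c.get("exploit-attempt"):
            out.append((ip, "high", "POST to exploitable.php seen"))
        elif c.get("plugin-probe", 0) >= probe_threshold:
            out.append((ip, "low", "repeated GETs for myplugin.html"))
    return out

if __name__ == "__main__":
    for ip, severity, note in findings(triage(SAMPLE_LOG)):
        print(f"{ip}\t{severity}\t{note}")
```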


17 thoughts on “Which category best describes this activity?”

  1. It's A… exploitable.php has not been loaded yet, so you cannot proceed with options B or C. If they were trying to use an exploit they would have already identified the vulnerability, therefore the reconnaissance part has already been done; besides, it would be very difficult to determine if someone is doing reconnaissance from simple HTTP GET requests… In contrast, weaponization might be in the process of being developed if you must first do some activity (login, submit info, etc.) on myplugin.html to get to exploitable.php.

  2. Answer is B – exploitation

    Think about it: the attacker will send an HTTP POST to act like a server, and the victim should see HTTP GET. You already see traffic, as it has been exploited.

    1. That is not how that works.
      HTTP POST is just an HTTP method.
      The exploit is not being exploited. So they are likely looking for signs of that particular CMS that has that exploit. Being that myplugin.html is a sign of that, I would say D, barring legitimate traffic.

  3. The question talks about a CMS plugin. Think about a WordPress plugin. If the attacker is only sending GET to the myplugin.html, this means that the attacker is only trying to discover if the website IS or IS NOT running that plugin. It is definitely reconnaissance.

    1. The question clearly says “To EXPLOIT the vulnerability, one must send an HTTP POST”. If the attacker is only sending HTTP GET, it is NOT exploitation. For me, it's D or C…

  4. The answer is B… we are overthinking this… Nemo, you are right…
    Reconnaissance takes us back to information gathering… remember these steps, it's not like they move back at every stage… you don't go to Installation and then decide to go to reconnaissance…

    We already know the vulnerability… we cannot trust HTTP GET requests… to me, I start to suspect…

  5. D. Reconnaissance. Hackers are probing websites to find who is vulnerable. They cannot go after exploitable.php as it would be quickly discovered/patched/protected/denied by the FW.

    They have the weapon (the exploit is already created and available to share/buy).
    For Installation or for Exploitation they first need to DELIVER the exploit to the website.

  6. After reading this very slowly I would say the answer is D.

    A CMS plugin creates two files that are accessible from the Internet, myplugin.html and exploitable.php. (Let's say my company added this plugin to our website.)

    A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php.

    (Somebody discovers a vulnerability and explains the process of how to attack exploitable.php; this does not mean somebody is attacking our site. A vulnerability has been discovered; hackers will start building a script for it while the vendors will probably work on a patch.)

    You see traffic to your webserver that consists of only HTTP GET requests to myplugin.html. (HTTP GET requests to your site could be considered normal behaviour. Plus, no one is going after exploitable.php, apparently.) If this is true you are not even being attacked.

    On the other hand, if we assume that myplugin.html always has an associated file called exploitable.php, this could be an indirect reconnaissance attack. Hackers would be searching for myplugin.html on all websites to have a list of sites with the recently found vulnerability for a later attack. If they go directly to exploitable.php they may get caught and call the attention of the security team to patch the vulnerability or remove the php file.

    D is the most suitable answer, what do you guys think?

  7. Looks like it's D. If we follow the cyber kill chain and step 2 is weaponization, step 2 has not happened yet, so it has to be reconnaissance as there are only GET requests.

    1. It can't be D because recon is referred to as information gathering to help determine potential targets. It can be gathered through external info, e.g. social media, news articles, company websites, etc. They already know the vulnerability (injection vulnerability in exploitable.php) and the “weapon” (send an HTTP POST request with specific variables).

      We already know the vulnerability, so Reconnaissance is phased out.
      We know the weapon, so Weaponization is also phased out.
      Delivery is not included in the answers.
      So it has to be B.
