APP01 hosts a minimal IIS web application and MySQL database. While modest in scope, it remains the primary entry point for attackers
due to often misconfigured web permissions and unpatched services. Once compromised, it becomes a prime method of lateral movement to the domain controller.
⚔️ Attack Simulations
Directory Enumeration / Browsing
MySQL Default Credentials
Web Shell Upload (RCE)
App Pool Identity PrivEsc
🛡️ Detection & Remediation
Hardening IIS Configurations
Securing MySQL Instances
File Integrity Monitoring (FIM)
Service Account Least Privilege
Critical Findings
📂 Directory Browsing Enabled
IIS Directory Browsing is enabled, allowing attackers to map the entire web root structure and discover sensitive files without authentication.
Impact: Information Disclosure
👑 Domain Admin App Pool
The IIS Application Pool runs as a Domain Admin service account (marcus_chen), providing immediate domain compromise via web shell.
🛢️ MySQL Root Exposed
MySQL is listening on all interfaces (0.0.0.0) with root accessible via weak password (MySQL123!).
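An added audit script for the three critical findings above (not part of the original APP01 writeup): it checks whether IIS directory browsing is on, whether any application pool runs as a privileged domain account, and whether MySQL is bound to all interfaces. It assumes the IIS WebAdministration module, a site named 'Default Web Site' (assumption), MySQL on its default port 3306, and that the ActiveDirectory module is available for the group lookup.

```powershell
# Added audit script (not from the original APP01 page). Run elevated on the IIS host.
Import-Module WebAdministration

$findings = @()

# 1. Directory browsing enabled on the site (the Information Disclosure finding).
$siteName = 'Default Web Site'   # assumption; adjust to the real site name
$dirBrowse = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter '/system.webServer/directoryBrowse' -Name 'enabled'
if ($dirBrowse.Value -eq $true) {
    $findings += "Directory browsing enabled on '$siteName'"
    # Remediation: Set-WebConfigurationProperty on the same path with -Value $false
}

# 2. App pool identity: flag any pool running as a named account, and
#    especially one that is a member of a privileged group (e.g. marcus_chen).
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators')
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser') {
        $user = $pm.userName                     # e.g. DOMAIN\marcus_chen
        $sam  = ($user -split '\\')[-1]
        $groups = @()
        try { $groups = (Get-ADPrincipalGroupMembership $sam).Name } catch {}
        $hit = $groups | Where-Object { $privileged -contains $_ }
        if ($hit) { $findings += "App pool '$($pool.name)' runs as $user ($($hit -join ', '))" }
        else      { $findings += "App pool '$($pool.name)' runs as custom account $user (review)" }
    }
}

# 3. MySQL listening on every interface (0.0.0.0 or ::) instead of loopback.
$mysql = Get-NetTCPConnection -LocalPort 3306 -State Listen -ErrorAction SilentlyContinue
if ($mysql | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' }) {
    $findings += 'MySQL (3306) bound to all interfaces; set bind-address=127.0.0.1 in my.ini'
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output '[+] No critical APP01 findings detected' }
```

The weak root password is not checked here because it requires a login attempt; rotate it and restrict root to localhost as part of remediation.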