| name | exploit-chaining |
| description | Multi-step exploit chaining methodology for combining low-severity findings into full compromise paths. Covers attack chain scoring, approval gates, and systematic approach to turning individual findings into complete attack paths. |
Exploit Chaining Methodology
Overview
Exploit chaining is the process of combining multiple lower-severity vulnerabilities to achieve a high-impact compromise. This skill provides a systematic approach to building attack chains from individual findings.
Chain Philosophy
Chain Scoring
Probability Scoring (1-10):
- 1-3: Low probability (many dependencies, hard prerequisites)
- 4-6: Medium probability (some dependencies, achievable)
- 7-9: High probability (few dependencies, likely to succeed)
- 10: Certain (direct path, no barriers)
Impact Scoring (1-10):
- 1-3: Low impact (information disclosure, minor access)
- 4-6: Medium impact (limited access, some data)
- 7-9: High impact (full access, sensitive data)
- 10: Critical (domain admin, full compromise)
Stealth Scoring (1-10, 10 = quietest):
- 1-3: Loud (triggers alerts, obvious)
- 4-6: Moderate (some noise, might alert)
- 7-9: Quiet (stealthy, unlikely to alert)
- 10: Silent (no artifacts, invisible)
Chain Value = (Probability × Impact × Stealth) / 100
Attack Chain Patterns
Pattern 1: Recon → Web → Initial Access
[1] Subdomain Enumeration (Info)
↓
[2] Technology Detection (Info)
↓
[3] Directory Brute Force (Info)
↓
[4] Login Panel Discovery (Low)
↓
[5] Default Credentials (Medium)
↓
[6] Admin Access Achieved (High)
Pattern 2: SSRF → Cloud → Credentials
[1] SSRF Vulnerability (Medium)
↓
[2] Metadata Endpoint Access (High)
↓
[3] IAM Role Credentials (Critical)
↓
[4] AWS Account Compromise (Critical)
Pattern 3: XSS → Session Hijack → Admin
[1] Stored XSS in Comments (Medium)
↓
[2] Admin Views Comments (Trigger)
↓
[3] Session Cookie Exfil (High)
↓
[4] Admin Session Impersonation (Critical)
Pattern 4: LFI → Log Poisoning → RCE
[1] Local File Inclusion (Medium)
↓
[2] Apache Log Location Known (Info)
↓
[3] User-Agent Log Poisoning (Medium)
↓
[4] Include Poisoned Log File (High)
↓
[5] Code Execution Achieved (Critical)
Pattern 5: SQLi → Credential Dump → Lateral Movement
[1] SQL Injection (High)
↓
[2] Password Hash Extraction (High)
↓
[3] Hash Cracking / Pass-the-Hash (Medium)
↓
[4] Lateral Movement (Critical)
↓
[5] Domain Compromise (Critical)
Chain Building Process
Step 1: Inventory Findings
┌─────────────────────────────────────────────────────────────┐
│ Finding Inventory │
├─────────────────────────────────────────────────────────────┤
│ ID | Finding | Severity | Status │
├─────┼────────────────────────────┼──────────┼───────────────┤
│ F01 | Open S3 Bucket | Medium │ Unexploited │
│ F02 | XSS on Login Page | Low │ Unexploited │
│ F03 | SQLi in Search | High │ Unexploited │
│ F04 | XXE in File Upload | Medium │ Unexploited │
│ F05 | JWT Weak Secret | Medium │ Unexploited │
│ F06 | SSRF in Image Proxy | Medium │ Unexploited │
└─────┴────────────────────────────┴──────────┴───────────────┘
Step 2: Find Connection Points
Connection Analysis:
F02 (XSS) → F05 (JWT):
Can steal JWT tokens via XSS
→ Chain value: Medium
F06 (SSRF) → F01 (S3):
Can access internal S3 endpoints
→ Chain value: High
F03 (SQLi) → Admin:
Can extract admin credentials
→ Chain value: High
F04 (XXE) → Internal Recon:
Can scan internal network
→ Chain value: Medium
Step 3: Build Chains
Chain Alpha: XSS → JWT → Admin
Step 1: Plant XSS payload in profile
Step 2: Wait for admin to view profile
Step 3: Receive JWT token via callback
Step 4: Impersonate admin
Probability: 7/10
Impact: 8/10
Stealth: 6/10
Value: 3.36/10
Chain Beta: SQLi → Dump → Access
Step 1: Extract password hashes via SQLi
Step 2: Crack hashes offline
Step 3: Login as admin
Probability: 8/10
Impact: 9/10
Stealth: 4/10
Value: 2.88/10
Chain Gamma: XXE → Recon → SSRF → Cloud
Step 1: Use XXE to scan internal network
Step 2: Discover internal image proxy
Step 3: Exploit SSRF to hit metadata
Step 4: Extract cloud credentials
Probability: 5/10
Impact: 10/10
Stealth: 7/10
Value: 3.5/10
Step 4: Prioritize Chains
Priority Matrix:
Low Impact Med Impact High Impact
─────────────────────────────────────────
Low Prob│ Avoid │ Optional │ Long-term
Med Prob│ Optional │ Priority 3 │ Priority 2
High Prb│ Priority 3 │ Priority 2 │ Priority 1
Approval Gates
Gate Structure
Each chain should have approval checkpoints:
[Finding 1] ───┐
├──[Gate 1]──[Finding 3]──[Gate 2]──[Finding 5]──[Goal]
[Finding 2] ───┘
Gate Requirements:
- Evidence of previous step success
- Target still in scope
- Time window available
- Next step authorized
Approval Gate Template
┌────────────────────────────────────────────────────────────┐
│ APPROVAL GATE CHECKPOINT │
├────────────────────────────────────────────────────────────┤
│ Chain: [Chain Name] │
│ Step: [X] of [Y] │
│ │
│ Current Status: │
│ □ Previous step completed │
│ □ Evidence collected │
│ □ Scope verified │
│ □ Time window confirmed │
│ □ Next step authorized by [Name] │
│ │
│ Next Action: [Description] │
│ Expected Outcome: [Description] │
│ Risk Level: [Low/Medium/High] │
│ Estimated Time: [Duration] │
└────────────────────────────────────────────────────────────┘
Chain Examples
Chain: Web to Domain Admin
Scenario: External web app in corporate environment
[1] Information Disclosure (Info)
↓ Technology versions leaked
[2] Known CVE Exploit (Medium)
↓ Unauthenticated RCE achieved
[3] Reverse Shell Established (High)
↓ Linux host compromised
[4] Local Privilege Escalation (High)
↓ Root access on web server
[5] Credential Harvesting (High)
↓ Found database credentials
[6] Database Access (High)
↓ Password hashes extracted
[7] Password Cracking (Medium)
↓ Domain admin hash cracked
[8] Pass-the-Hash (High)
↓ Domain Admin access achieved
↓ Domain compromised
Total Steps: 8
Total Time: 4-6 hours
Probability: 60%
Impact: Critical
Chain: API to Cloud Infrastructure
Scenario: Public API with cloud backend
[1] API Discovery (Info)
↓ Hidden admin endpoints found
[2] JWT Analysis (Info)
↓ Weak algorithm detected
[3] JWT Forgery (Medium)
↓ Admin token created
[4] Admin API Access (High)
↓ Can execute commands
[5] Container Escape (High)
↓ Host access gained
[6] IAM Role Extraction (Critical)
↓ Cloud credentials obtained
[7] Lateral Movement in Cloud (Critical)
↓ Multiple services compromised
Total Steps: 7
Total Time: 2-4 hours
Probability: 70%
Impact: Critical
Chain Automation
Chain Templates
chain_template:
name: "Web to System Compromise"
description: "Standard web app compromise chain"
prerequisites:
- Web application in scope
- Outbound callbacks allowed
steps:
- id: 1
name: recon
tool: ffuf
command: "ffuf -u {target}/FUZZ"
gate: false
- id: 2
name: exploit
tool: sqlmap
command: "sqlmap -u {target}/vuln"
gate: true
requires: [1]
- id: 3
name: privesc
tool: linpeas
command: "./linpeas.sh"
gate: true
requires: [2]
Chain Visualization
┌─────────────────────────────────────────────────────────────┐
│ Attack Chain: Web App Compromise │
└─────────────────────────────────────────────────────────────┘
[Recon] ──────┐
│ │
[Discovery] ──┤
│ │
[Vuln ID] ────┼──[Gate 1]──┐
│ │ │
[Exploit] ────┘ │
↓
[Initial Access]
│
[Privilege Esc]
│
[Persistence]
│
[Impact Demo]
✓ = Complete
⏳ = Pending
✗ = Blocked
Chain Risk Assessment
Risk Factors
Detection Risk:
- Network IDS/IPS triggering
- Endpoint detection alerts
- Behavioral analysis flags
- Log anomalies
Impact Risk:
- Service disruption
- Data loss
- Scope creep
- Collateral damage
Mitigation Strategies:
- Use stealth techniques (low-and-slow)
- Test in staging first
- Time-box activities
- Maintain rollback capability
Risk Matrix
Impact │ Low │ Med │ High
───────┼───────┼───────┼───────
Low │ ✓ │ ✓ │ ⚠️
Med │ ✓ │ ⚠️ │ ⛔
High │ ⚠️ │ ⛔ │ ⛔
✓ = Proceed
⚠️ = Extra caution
⛔ = Requires explicit approval
Chain Documentation
Chain Report Template
# Attack Chain Report
## Executive Summary
- Chain Name: [Name]
- Target: [System]
- Duration: [Time]
- Result: [Success/Partial/Failure]
## Prerequisites
1. [Requirement 1]
2. [Requirement 2]
## Steps Executed
### Step 1: [Name]
**Objective:** [What we wanted to achieve]
**Method:** [How we did it]
**Result:** [Success/Failure with details]
**Evidence:** [Screenshot, output, etc.]
**Time:** [Duration]
[Repeat for each step]
## Impact Achieved
- [ ] Initial Access
- [ ] Privilege Escalation
- [ ] Lateral Movement
- [ ] Data Access
- [ ] Persistence
- [ ] Complete Compromise
## Detection Opportunities
1. [Alert 1]
2. [Alert 2]
## Recommendations
1. [Fix 1]
2. [Fix 2]
## Indicators of Compromise
- [IOC 1]
- [IOC 2]
Chain Validation
Post-Chain Checklist
References
- MITRE ATT&CK Chaining
- PTES Technical Guidelines
- OWASP Testing Guide
- Red Team Attack Chain Framework