Exploitable Interview Virtual Machine
Hey All! Recently, during a job interview, I was given a virtual machine with a web application to exploit and report on. There is a major flaw with this type of assessment, specifically giving a virtual machine disk image to applicants, making this testing scenario much easier to reverse and exploit. For starters, I could do raw forensics on the machine image, giving me the ability to do trivial tests such as run strings on the unencrypted machine image, and grep for hashes from the shadow file. Even far more dangerous, I could boot the machine into recovery mode, and then drop into a root shell. Once I was in the root shell, I was able to go through logs and user history to see detailed information, essentially creating a timeline of which services were installed, which files were created, and when new users were added. This information allowed me to infer what challenges existed and where I could find the respective source code. I was able to see what services started automatically on bootup and then dived into the source code for the web application test. Using the source code to find the vulnerabilities, I could also easily check to make sure that I wasn't missing any extra functionality within the web application. Essentially, I got a white box, full source code approach, to what was supposed to be an external web application audit. The proper way to administer such a test would be to remotely host the application as well as any supporting services. Further, you would want to scrub all logs that detail how the challenges were set up, giving the hackers as little help as possible in discovering the purposefully engineered vulnerabilities.