Overview#

MITRE ATT&CK Technique: T1083 — File and Directory Discovery

Tactic: Discovery

Definition: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system or directory structure. Adversaries may use the information gathered to plan follow-up actions, such as identifying executable files or sensitive data.

This post documents a practical reconnaissance exercise against DVWA using command injection to enumerate the filesystem and identify critical directories, configuration files, and potential attack surfaces.

Context#

The exercise exploited DVWA’s command injection vulnerability to systematically discover:

  • Application structure and web root organization
  • Sensitive configuration directories (/etc)
  • Database locations
  • Writable directories for persistence
  • User home directories
  • Temporary storage locations
  • Backup and archive files
  • Application source code paths

Key Findings Summary#

FindingLocationRisk LevelSignificance
Application root/var/www/html/HighWeb application entry point
Configuration files/var/www/html/config/CriticalDatabase credentials, API keys
Vulnerability modules/var/www/html/vulnerabilities/HighExploitation vectors
Writable upload dir/var/www/html/dvwa/uploads/CriticalFile upload and persistence
System config/etc/HighOS-level security settings
Database locationMySQL (networked)HighData exfiltration target
Temp directory/tmp/MediumTemporary file storage, staging area

Technical Indicators#

Vulnerability Type: Command Injection (DVWA /vulnerabilities/exec/ endpoint)

Attack Vector: Unsanitized user input to system command execution

Example Payload: 127.0.0.1; ls -la /

Execution Context: www-data user (UID 33)

Operating System: Linux (kernel visible in /proc)

MITRE ATT&CK Mapping#

AspectValue
TechniqueT1083 — File and Directory Discovery
TacticDiscovery
PlatformsLinux
Execution MethodCommand Injection
Detection DifficultyMedium (command history, process monitoring)
Mitigation PriorityHigh (input validation, principle of least privilege)

Operational Impact#

  1. Reconnaissance Efficiency — Single command injection point yields entire filesystem visibility
  2. Privilege Assessment — www-data user reveals limited privilege model (no root access)
  3. Data Location Mapping — Critical files identified for targeted exfiltration
  4. Persistence Planning — Writable directories identified for malware staging
  5. Lateral Movement — Database network access identified; credentials not exposed at command level

Defensive Implications#

Organizations should:

  • Monitor filesystem access patterns — Repeated ls/find commands may indicate active reconnaissance
  • Restrict command execution — Disable or sandbox command injection points
  • Apply principle of least privilege — Limit www-data permissions to required directories only
  • Implement file integrity monitoring — Detect unauthorized directory enumerations
  • Use security controls — SELinux or AppArmor to restrict file access by web processes

References#

Exercise Date: 2026-03-05
Lab Environment: DVWA on Docker
Vulnerability Level: Low (deliberate exposure for training)