| name | exploitation |
| description | Exploit lookup, payload generation, and delivery for confirmed vulnerabilities. Use only after validation has established concrete attack path. |
Exploitation
When to use
Use this skill in Phase 4: Exploitation only after a specific vulnerability is confirmed:
- Locate public exploit code (ExploitDB, Google) for validated CVE
- Generate payloads for specific delivery context (web shell, reverse shell, staged)
- Execute Metasploit modules against confirmed services
- Test privilege escalation vectors on compromised host
Working Style
Explicit targeting reduces collateral and detection:
- Lookup —
exploit_db query for exact CVE or service version [critical, ~1-3 min]
- Verify — Confirm exploit applicability and target readiness (no unexpected dependencies) [critical, ~30-60s]
- Generate —
msfvenom with explicit payload type (e.g., php/meterpreter/reverse_tcp) [high, ~1-3 min]
- Deliver — Use most appropriate channel (web shell upload, command injection, SQL UDF) [high, ~2-10 min]
Decision fields (aligned with smb_lateral_movement prompt):
- result_context: After
nmap --script smb-vuln-ms17-010, check "VULNERABLE" → Path A (EternalBlue metasploit module). If "NOT VULNERABLE" → Path B (hydra brute-force).
- Fallback (Path A): If EternalBlue metasploit fails, architecture mismatch (x86 vs x64) or host patched despite nmap flag.
- Fallback (Path B): If hydra finds no creds with Administrator:rockyou.txt, try common usernames (admin, guest, vagrant) or domain users from smb-enum STEP 2.
Entry point:
exploit_db(query="Apache 2.4.49 path traversal", type="webapps")
Notes
- Requires Confirmation:
aireplay_ng (mode 9), metasploit (exploit/*), responder (poisoning) require explicit approval
- Effectiveness: metasploit (0.88), msfvenom payload accuracy (0.90+)
- Prerequisites: Do NOT attempt without confirmed vuln; validate target state before payload execution
- Staging: Prefer multi-stage payloads to minimize detection footprint
- Avoid: Blind exploit targeting; untested payloads; assume EDR/WAF filtering