Day 052 #FromZeroToHacker – Exploit vulnerabilities

There are many types of vulnerabilities. Let’s learn how we can identify them and how we can exploit them.

Let’s start our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Exploit Vulnerabilities

We are going to study how to identify vulnerabilities and learn how these can be abused.

Also, our list of publicly available resources will grow with some essential additions: tools that perform vulnerability research and exploitation.

What have I learnt today?

Automated vs Manual vulnerability research

We have a wide set of tools and services available for vulnerability scanning. One of the best is Nessus. Its commercial version costs thousands of euros for a year’s license, but luckily it also has a free edition.

Nessus pros and cons

The Metasploit framework also includes vulnerability scanner modules. But we can also scan for vulnerabilities manually.

Manual scanning involves searching for the same vulnerabilities with techniques similar to the ones an automated scanner uses. At the end of the day, both approaches test an application or program for vulnerabilities, which include:

Exploit vulnerabilities: Types

If you want to learn more about these vulnerabilities, check the OWASP Framework top 10 vulnerabilities lesson.

Finding manual exploits

Rapid7

Rapid7 is a vulnerability research database, like Exploit-DB and NVD, but it also acts as an exploit database where you can filter by type of vulnerability.

Rapid7

This database also contains instructions for exploiting applications using the Metasploit tool:

Rapid7

GitHub

GitHub is a popular service for software developers where the source code of applications is shared. But we can also find rare or fresh exploits there, since anyone can create an account and upload files.

GitHub

Searchsploit

Searchsploit is a command-line search tool for an offline copy of Exploit-DB, so the exploits are stored locally on our system. You can search by application name and/or vulnerability type:

Exploit vulnerabilities with Searchsploit

Example of manual exploitation

Using the information gathered in the Automated vs Manual Vulnerability Research part, we can exploit a vulnerable service (legally!). We are going to find an exploit and use it to execute commands on the target running the vulnerable application, i.e. remote code execution (RCE).

This would allow us to read files or execute commands that we previously wouldn’t have been able to run on the system.

Mind you: exploits rarely come ready to use out of the box. Sometimes we need to configure the code before they work.

Exploit configuration

Let’s run the exploit’s help option to learn more about it:

Exploit arguments

It seems that, to run it successfully, we need to provide the URL of the application and the command we want executed.

Exploit example

Summary

In this lesson, we have:

  • Compared automated vs manual vulnerability research
  • Learnt how to find manual exploits
  • Worked through one example of an exploit

Stats

From 81.508th to 80.471st. Still in the top 4%!

Here is also the Skill Matrix:

Skills Matrix

Resources

Path: Jr Penetration tester

Vulnerability research

TryHackMe: Exploit Vulnerabilities

Other resources

Nessus
OWASP Framework: Top 10 vulnerabilities
Rapid7
Vulnerability Databases
RCE