# 06 - Exploitation & Foothold

## Overview
The exploitation phase is where identified vulnerabilities are weaponized to gain initial access to a target system. This phase is the most varied because exploitation techniques differ radically depending on the attack surface: web applications, network services, Active Directory misconfigurations, and known software vulnerabilities each require distinct approaches.
The goal is initial code execution or unauthorized access -- a foothold. This first shell may be low-privileged. That is expected. Foothold is not the destination; it is the door.
## Decision Tree: Choosing the Right Attack Path

```text
Vulnerability Identified
          |
          v
Is it a web application?
  |
  YES ---> Web Attacks
  |          |-- SQLi --> sqlmap or manual injection
  |          |-- File Upload --> webshell
  |          |-- LFI/RFI --> code execution
  |          |-- Command Injection --> reverse shell
  |          |-- SSTI / Deserialization --> code execution
  |
  NO ----> Is it a network service?
             |
             YES ---> Network Service Exploitation
             |          |-- Known CVE --> Metasploit / public exploit
             |          |-- Brute-force --> hydra / medusa / crackmapexec
             |          |-- Default creds --> simple authentication bypass
             |          |-- Protocol-specific --> SMB/RDP/FTP/SSH attacks
             |
             NO ----> Is it an AD misconfiguration?
                        |
                        YES ---> AD Techniques
                        |          |-- Kerberoasting --> crack ticket --> access
                        |          |-- AS-REP Roasting --> crack hash --> access
                        |          |-- LLMNR/NBT-NS Poisoning --> Responder --> hash capture
                        |          |-- Password spraying --> valid credentials
                        |
                        NO ----> Software Exploit
                                   |-- Public exploit (ExploitDB, GitHub, Metasploit)
                                   |-- Custom exploit (buffer overflow, logic flaws)
```
## General Methodology

### 1. Start Least-Destructive, Escalate as Needed
The exploitation ladder:
- Default / weak credentials -- no exploits needed, just login
- Misconfiguration abuse -- use what's already there in unintended ways
- Public exploit with high reliability -- well-tested, stable exploits
- Public exploit with low reliability -- PoCs that may require modification
- Custom exploit development -- last resort, highest effort
### 2. Always Check Exploit Safety
Before running any exploit:
- Is the service business-critical?
- Does the exploit have a crash/DoS risk?
- Is there a check/verify mode (e.g., the Metasploit `check` command)?
- Can you test against a lab replica first?
- Does the exploit create artifacts (new files, accounts, service changes)?
### 3. Prepare Your Payloads
Before exploitation begins, have payloads ready:
- Reverse shells (bash, PowerShell, Python, PHP, netcat variants)
- Bind shells for NAT'd environments
- Staged vs stageless payloads (e.g., `windows/x64/meterpreter/reverse_tcp` vs `windows/x64/meterpreter_reverse_https`)
- Obfuscated payloads for AV evasion
### 4. Expect Failure and Have Contingencies
Exploitation is iterative. If one path fails:
- Re-examine the vulnerability -- was the version string wrong?
- Check for WAF/IDS/AV that may be blocking the exploit
- Try a different technique (e.g., manual SQLi vs sqlmap)
- Look for a secondary vulnerability on the same service
## What's in This Section

| File | Covers |
|---|---|
| web-attacks.md | SQL injection (in-band, blind, out-of-band), file upload bypasses, LFI/RFI to RCE chains, SSTI, command injection, XXE, deserialization attacks, CSRF, XSS for session hijacking |
| network-services.md | Exploiting FTP, SSH, SMB, RDP, SNMP, SMTP, MySQL/MSSQL/PostgreSQL, Redis, Java RMI, NFS; brute-force strategies, relay attacks (SMB, NTLM), protocol downgrade |
| active-directory.md | Kerberoasting, AS-REP roasting, password spraying, LLMNR/NBT-NS poisoning with Responder, SMB relay, NTLM relay, Golden/Silver ticket attacks (initial access context), DNS takeover |
| software-exploits.md | Public exploit identification and modification, Metasploit usage patterns, buffer overflow exploitation, compiling and adapting exploits, payload generation (msfvenom), AV evasion basics |
| credential-attacks.md | Brute-force (hydra, medusa, crackmapexec), password spraying, credential stuffing, hash cracking (hashcat, john), hash identification (hashid, hash-identifier) |
| reverse-shells.md | Shell type comparison, listener setup (netcat, socat, Metasploit multi/handler), shell stabilization, one-liner reference by language/platform |
| client-side-attacks.md | Phishing payloads, malicious documents (macro/VBA, DDE, OLE), HTML smuggling, browser exploitation |
## Cross-References

- 04-vulnerability-assessment -- Vulnerabilities identified there are exploited in this phase
- 07-post-exploitation -- Once a foothold is established, move immediately to post-exploitation
## Quick Reference: Common Foothold Commands

```bash
# Standard reverse shell listeners
nc -lvnp 4444
msfconsole -q -x "use multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set LHOST tun0; run"

# Quick SMB exploit check
msfconsole -q -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS 10.10.10.10; check"

# Password spraying
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Spring2025!' --continue-on-success

# SQLi test
sqlmap -u "http://target.com/page.php?id=1" --batch --dbs
```
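The spraying command above is also what the blue team's detection has to catch, and knowing the signal it leaves shapes how loudly a test announces itself. The following Python is an added example, not code from this section or its tooling: it runs a distinct-users-per-source heuristic over constructed logon-failure lines (loosely modelled on Windows event 4625/4624 fields). The line format, the five-user threshold, the five-minute window and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One line per
# logon event; 4625 = failure, 4624 = success. Fields loosely mirror the
# Windows security log. 10.10.10.50 tries one password against many
# accounts (a spray, one of which lands); 10.10.10.77 hammers a single
# account (brute-force, not a spray).
SAMPLE_LOG = """\
2025-03-01T09:00:01Z 4625 src=10.10.10.50 user=alice status=0xC000006D
2025-03-01T09:00:02Z 4625 src=10.10.10.50 user=bob status=0xC000006D
2025-03-01T09:00:03Z 4625 src=10.10.10.50 user=carol status=0xC000006D
2025-03-01T09:00:04Z 4625 src=10.10.10.50 user=dave status=0xC000006D
2025-03-01T09:00:05Z 4625 src=10.10.10.50 user=erin status=0xC000006D
2025-03-01T09:00:06Z 4625 src=10.10.10.50 user=frank status=0xC000006D
2025-03-01T09:00:07Z 4625 src=10.10.10.50 user=grace status=0xC000006D
2025-03-01T09:00:08Z 4624 src=10.10.10.50 user=heidi status=0x0
2025-03-01T09:05:00Z 4625 src=10.10.10.77 user=alice status=0xC000006D
2025-03-01T09:05:30Z 4625 src=10.10.10.77 user=alice status=0xC000006D
2025-03-01T09:06:00Z 4625 src=10.10.10.77 user=alice status=0xC000006D
"""

# Assumed line shape: "<iso-timestamp> <event-id> src=<ip> user=<name> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the expected shape
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_password_spray(text, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failed logons hit >= min_users distinct accounts
    inside one sliding window. A spray is one password across many users,
    so the distinct-user count (not the raw failure count) is the signal.
    Returns one alert per offending source, including any successful logon
    from that source inside the same window (the spray that landed)."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == "4625"]
        for start in failures:
            end = start["ts"] + window
            in_window = [f for f in failures if start["ts"] <= f["ts"] < end]
            users = {f["user"] for f in in_window}
            if len(users) < min_users:
                continue
            # Successes from the same source inside the window are the
            # accounts the spray actually compromised.
            successes = [
                e["user"] for e in evs
                if e["event"] == "4624" and start["ts"] <= e["ts"] < end
            ]
            alerts.append({
                "src": src,
                "window_start": start["ts"].isoformat(),
                "distinct_users": len(users),
                "success_after": successes,
            })
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_LOG):
        print(f"[spray] {a['src']} hit {a['distinct_users']} accounts "
              f"from {a['window_start']}; landed on: {a['success_after']}")
```

The single-account failures from 10.10.10.77 never trip the rule because the threshold is on distinct usernames; that is the deliberate difference between a spray detector and a lockout-style brute-force detector, and in practice a real rule pairs this with the domain's lockout policy so the window matches the spray cadence an attacker would use to stay under it.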