Lab 03 — From Service Version to Known Vulnerability
Hands-on lab
Setup
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/offensive/03-vuln-id
make up # builds the Python vuln-assessment harness
make demo # runs 5-step CVE research workflow + writes vuln-assessment.md
make down
Bundled data: NVD CVE records for Log4Shell (CVE-2021-44228), HTTP/2
Rapid Reset (CVE-2023-44487), and FortiGate RCE (CVE-2024-21762) plus
the CISA KEV catalog entries. The vuln_assess.py harness walks the
CVE→CWE→CVSS→KEV→PoC research chain and generates vuln-assessment.md.
Authorization: this app is yours — attack it freely. The habit still matters everywhere else: only test systems you own or have explicit written permission to test (DVWA, PortSwigger Academy, targets you own).
Scenario
Your module 02 scan fingerprinted the edge nginx in the CVE-2017-7529
range (nginx ≤ 1.13.2 — range-filter integer overflow) on ports 80/443,
and the module 01 recon flagged vpn.example.com (FortiGate). Research
the vulnerability surface, prioritize by real-world exploitation signal,
and produce a risk verdict before moving to exploitation.
Do
- [ ] Run `make demo`. Read the priority table in Step 3: why does CVE-2023-44487 (CVSS 7.5) rank P1 while a hypothetical CVSS 9.8 with no KEV entry would rank P2?
- [ ] Look up CVE-2021-44228 in the NVD directly. Verify that the bundled data (`data/nvd_cves.json`) matches the live NVD CVSS score, vector string, and CWE. Note any discrepancy.
- [ ] The CVSS vector `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` for Log4Shell decodes to: Network / Low Complexity / No Privileges / No User Interaction / Changed Scope / High CIA. Explain what "Changed Scope" (S:C) means and why it's significant for a library-level RCE.
- [ ] Add a fourth CVE to `data/nvd_cves.json` and `data/kev.json`: CVE-2023-22515 (Atlassian Confluence broken access control — your recon found jira.example.com / confluence.example.com). Look it up on NVD and fill in the correct CVSS, CWE, and KEV status. Re-run the demo and confirm it appears in the priority table.
- [ ] Run `python3 vuln_assess.py --live CVE-2021-44228` (from inside the container shell via `make shell`). This queries the real NVD API. Does the live score match the bundled data?
Success criteria — you're done when
- [ ] You can explain why KEV status matters more than CVSS for prioritization, with a concrete example from the demo output.
- [ ] Your added CVE-2023-22515 entry is factually correct (NVD-verified score, CWE, and KEV status).
- [ ] `vuln-assessment.md` includes all four CVEs with correct risk verdicts.
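The first criterion is about the ordering rule behind the Step 3 table. As an added illustration (my own simplified tiering, not the rule coded in `vuln_assess.py`, so compare it with the demo output), here is a priority function where exploitation evidence outranks raw severity. Log4Shell (10.0) and Rapid Reset (7.5) carry their NVD scores and both sit in CISA KEV; the 9.8 and 5.3 entries are constructed to populate the other tiers.

```python
"""Exploitation-signal-first prioritization.

Added illustration for the lab; the P1/P2/P3 rule is my simplification, not
the exact rule in vuln_assess.py. CVE-2021-44228 and CVE-2023-44487 use their
NVD scores and real KEV status; CVE-0000-00001 and CVE-0000-00002 are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog
    public_poc: bool   # a public proof-of-concept exists


def priority(f: Finding) -> str:
    """P1: exploited in the wild (KEV), whatever the score: patch now.
    P2: critical severity or a public PoC, but no in-the-wild evidence yet.
    P3: everything else: normal patch cadence."""
    if f.in_kev:
        return "P1"
    if f.cvss >= 9.0 or f.public_poc:
        return "P2"
    return "P3"


def rank(findings):
    """Order by tier first, then by CVSS within the tier (higher first)."""
    return sorted(findings, key=lambda f: (priority(f), -f.cvss))


def priority_table(findings):
    """Rows in the shape of the demo's Step 3 table: (tier, CVE, CVSS, in KEV)."""
    return [(priority(f), f.cve, f.cvss, f.in_kev) for f in rank(findings)]


FINDINGS = [
    Finding("CVE-2023-44487", 7.5, True, True),     # HTTP/2 Rapid Reset, in KEV
    Finding("CVE-2021-44228", 10.0, True, True),    # Log4Shell, in KEV
    Finding("CVE-0000-00001", 9.8, False, False),   # constructed: critical, never exploited
    Finding("CVE-0000-00002", 5.3, False, False),   # constructed: medium, no PoC
]

if __name__ == "__main__":
    for tier, cve, score, kev in priority_table(FINDINGS):
        print(f"{tier}  {cve:15} {score:4.1f}  {'KEV' if kev else '-'}")
```

The constructed 9.8 lands in P2 below a 7.5 that is in KEV: a number from a scoring formula is a prediction of severity, while a KEV entry is evidence that someone is already using the bug.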
Deliverables
vuln-assessment.md (generated by make demo): the CVE→CWE→CVSS→KEV→PoC
chain and one-line risk verdict for each finding. This is the input to
module 04 — exploitation starts with the highest-priority, most
accessible CVE.
AI acceleration
Have a model summarize a CVE's description — then verify every claim (CVSS score, affected version range, KEV status) against the NVD and CISA KEV directly. Models frequently hallucinate CVSS scores; NVD is the ground truth.
Automate & own it
Required. With AI drafting and you reviewing every line: extend
vuln_assess.py to query the real NVD API (--live is already stubbed)
and pull the current KEV catalog from CISA's JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
Commit the extended script.
Connects forward
The highest-priority CVEs from this assessment — Log4Shell and the FortiGate RCE — are the targets for module 04 (exploitation). The full assessment doc also feeds module 03's output into the SIEM (module 06) as threat-intel context.
Marketable proof
"I turn an enumerated service list into a risk-prioritized CVE assessment — CVE, CWE, CVSS, KEV, PoC — and can explain exactly why a CVSS 7.5 in KEV outranks a CVSS 9.8 that's never been exploited."
Stretch
- Add automated version-range checking: given the detected nginx 1.13.2, query the NVD API with `&keywordSearch=nginx&keywordExactMatch` and filter results to only CVEs whose affected version range includes 1.13.2 (you should surface CVE-2017-7529). This is what a real vulnerability scanner does.
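For both the "Automate & own it" task (query NVD and the KEV feed) and this stretch goal (filter by affected version range), here is an added example that is not the lab's `vuln_assess.py`. `NVD_API` and `KEV_FEED` are the real endpoints and the JSON layouts follow the NVD API 2.0 and KEV feed schemas, but `SAMPLE_NVD` and `SAMPLE_KEV` are constructed, trimmed documents: CVE-2017-7529 with the nginx ≤ 1.13.2 range from the scenario, a made-up decoy CVE-0000-00001 covering a later range, and a KEV entry for CVE-2021-44228. The live fetch is behind `fetch_json` and is never called when the module is imported.

```python
"""NVD API 2.0 and CISA KEV parsing with CPE version-range matching.

Added example for the lab, not its vuln_assess.py. Endpoints and JSON
layouts are real; SAMPLE_NVD and SAMPLE_KEV are constructed and trimmed to
the fields used here. Verify every value against the live feeds.
"""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
KEV_FEED = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def nvd_url(cve_id=None, keyword=None, exact=False):
    """Build an NVD API 2.0 query URL: a cveId lookup or a keyword search."""
    if cve_id:
        return f"{NVD_API}?cveId={urllib.parse.quote(cve_id)}"
    url = f"{NVD_API}?keywordSearch={urllib.parse.quote(keyword)}"
    return url + "&keywordExactMatch" if exact else url


def fetch_json(url, api_key=None, timeout=30):
    """Live fetch (not used by the offline demo). NVD rate-limits anonymous
    clients; pass an NVD API key and it goes in the apiKey header."""
    req = urllib.request.Request(url, headers={"apiKey": api_key} if api_key else {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def cvss(cve):
    """Primary CVSS v3.x (score, vector); NVD keys v3.1 and v3.0 separately."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key) or []
        if entries:
            primary = next((e for e in entries if e.get("type") == "Primary"), entries[0])
            return primary["cvssData"]["baseScore"], primary["cvssData"]["vectorString"]
    return None, None


def cwes(cve):
    """CWE ids from the weaknesses block (NVD may also put NVD-CWE-Other there)."""
    return sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w["description"] if d["value"].startswith("CWE-")})


def vtuple(version):
    """'1.13.2' -> (1, 13, 2); enough for dotted numeric versions like nginx's."""
    return tuple(int(x) for x in version.split("."))


def version_in_range(version, match):
    """Apply NVD's four optional range bounds plus any explicit CPE version."""
    v = vtuple(version)
    bounds = (("versionStartIncluding", lambda b: v >= b), ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b), ("versionEndExcluding", lambda b: v < b))
    for field, ok in bounds:
        if field in match and not ok(vtuple(match[field])):
            return False
    cpe_version = match["criteria"].split(":")[5]   # cpe:2.3:part:vendor:product:version:...
    return cpe_version in ("*", "-") or vtuple(cpe_version) == v


def cves_affecting(nvd_doc, product, version):
    """Ids of CVEs whose vulnerable CPE ranges for `product` include `version`."""
    hits = []
    for item in nvd_doc["vulnerabilities"]:
        cve = item["cve"]
        matches = [m for conf in cve.get("configurations", []) for node in conf["nodes"]
                   for m in node["cpeMatch"] if m.get("vulnerable") and f":{product}:" in m["criteria"]]
        if any(version_in_range(version, m) for m in matches):
            hits.append(cve["id"])
    return hits


def kev_index(kev_doc):
    """cveID -> KEV entry, for quick 'is it exploited in the wild?' checks."""
    return {e["cveID"]: e for e in kev_doc["vulnerabilities"]}


SAMPLE_NVD = {"vulnerabilities": [   # constructed, trimmed NVD API 2.0 response
    {"cve": {"id": "CVE-2017-7529",
             "metrics": {"cvssMetricV30": [{"type": "Primary", "cvssData": {
                 "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}]}],
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "1.13.2"}]}]}]}},
    {"cve": {"id": "CVE-0000-00001",   # constructed decoy: a later nginx range
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "1.14.0", "versionEndExcluding": "1.15.0"}]}]}]}},
]}
SAMPLE_KEV = {"vulnerabilities": [   # constructed, trimmed KEV feed
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
]}

if __name__ == "__main__":
    first = SAMPLE_NVD["vulnerabilities"][0]["cve"]
    print(nvd_url(keyword="nginx", exact=True))
    print("affects nginx 1.13.2:", cves_affecting(SAMPLE_NVD, "nginx", "1.13.2"))
    print("CVE-2017-7529:", cvss(first), cwes(first))
    print("Log4Shell in KEV:", "CVE-2021-44228" in kev_index(SAMPLE_KEV))
```

To go live, replace the samples with `fetch_json(nvd_url(keyword="nginx", exact=True))` and `fetch_json(KEV_FEED)`; the keyword search is paginated (`resultsPerPage`, `startIndex` in the response), so a real scanner loops until `startIndex + resultsPerPage` reaches `totalResults`. The range check is the part a scanner gets wrong most often: note that a CPE `criteria` with an explicit version and no bounds means exactly that version, not "that version or later".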