
Lab 03 — From Service Version to Known Vulnerability

Hands-on lab

Setup

git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/offensive/03-vuln-id
make up      # builds the Python vuln-assessment harness
make demo    # runs 5-step CVE research workflow + writes vuln-assessment.md
make down

Bundled data: NVD CVE records for Log4Shell (CVE-2021-44228), HTTP/2 Rapid Reset (CVE-2023-44487), and FortiGate RCE (CVE-2024-21762) plus the CISA KEV catalog entries. The vuln_assess.py harness walks the CVE→CWE→CVSS→KEV→PoC research chain and generates vuln-assessment.md.

Authorization: this app is yours — attack it freely. The habit still matters everywhere else: only test systems you own or have explicit written permission to test (DVWA, PortSwigger Academy, targets you own).

Scenario

Your module 02 scan fingerprinted the edge nginx on ports 80/443 inside the CVE-2017-7529 range (nginx 0.5.6 through 1.13.2, an integer overflow in the range filter, fixed in 1.13.3 and 1.12.1), and the module 01 recon flagged vpn.example.com (FortiGate). Research the vulnerability surface, prioritize by real-world exploitation signal (KEV membership, public PoC), and produce a risk verdict before moving to exploitation.

Do

  1. [ ] Run make demo. Read the priority table in Step 3: why does CVE-2023-44487 (CVSS 7.5) rank P1 while a hypothetical CVSS 9.8 with no KEV entry would rank P2?

  2. [ ] Look up CVE-2021-44228 in the NVD directly. Verify that the bundled data (data/nvd_cves.json) matches the live NVD CVSS score, vector string, and CWE. Note any discrepancy.

  3. [ ] The CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H for Log4Shell decodes to: Network / Low Complexity / No Privileges / No User Interaction / Changed Scope / High CIA. Explain what "Changed Scope" (S:C) means and why it's significant for a library-level RCE.

  4. [ ] Add a fourth CVE to data/nvd_cves.json and data/kev.json: CVE-2023-22515 (Atlassian Confluence broken access control — your recon found jira.example.com / confluence.example.com). Look it up on NVD and fill in the correct CVSS, CWE, and KEV status. Re-run the demo and confirm it appears in the priority table.

  5. [ ] Run python3 vuln_assess.py --live CVE-2021-44228 from the container shell (make shell). This is meant to query the real NVD API; if --live is still the stub shipped with the harness, finish the Automate & own it task below first. Does the live score match the bundled data? The bundled JSON is a snapshot, and NVD does re-analyze records, so a mismatch is a finding, not necessarily a bug.
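The mechanics behind steps 1 and 3 in working Python, as an added example (not the lab's vuln_assess.py): parse a CVSS 3.1 vector, recompute the base score from the formula in the FIRST specification (so a mistyped score or vector in data/nvd_cves.json shows up as a disagreement between the two), and tier findings so that KEV membership outranks the raw score. The tiering rule (P1 = in KEV, P2 = CVSS 9.0 or higher, P3 = 7.0 or higher, P4 = the rest) is an assumption chosen to reproduce the ordering the lab describes; the sample entries are constructed from the two vectors quoted on this page plus the hypothetical non-KEV critical from step 1.

```python
"""CVSS 3.1 vector decode, base-score recomputation and KEV-first tiering (added example)."""
import math

# Base metric weights from the CVSS v3.1 specification, section 7.4.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # Scope unchanged
_PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}    # Scope changed: required privileges weigh more
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

_NAMES = {  # metric -> (long name, value -> label)
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "R": "Required"}),
    "S": ("Scope", {"U": "Unchanged", "C": "Changed"}),
    "C": ("Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    "I": ("Integrity", {"H": "High", "L": "Low", "N": "None"}),
    "A": ("Availability", {"H": "High", "L": "Low", "N": "None"}),
}


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', ...}; the 'CVSS:3.x/' prefix is optional."""
    parts = vector.strip().split("/")
    if parts and parts[0].upper().startswith("CVSS:"):
        parts = parts[1:]
    metrics = dict(p.partition(":")[::2] for p in parts)
    missing = set(_NAMES) - set(metrics)
    if missing:
        raise ValueError("vector missing base metrics: %s" % sorted(missing))
    for key, (_, labels) in _NAMES.items():
        if metrics[key] not in labels:
            raise ValueError("bad value %r for %s" % (metrics[key], key))
    return metrics


def decode_vector(vector):
    """Long-form reading of each base metric, in specification order."""
    m = parse_vector(vector)
    return ["%s: %s" % (name, labels[m[k]]) for k, (name, labels) in _NAMES.items()]


def _roundup(x):
    """CVSS v3.1 Roundup (spec appendix A): smallest one-decimal value >= x, float-safe."""
    scaled = round(x * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(vector):
    """Recompute the CVSS 3.1 base score from a vector (spec section 7.1)."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (_PR_C if changed else _PR_U)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if changed:  # S:C: impact lands outside the vulnerable component, so the sum is scaled up
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


def priority(entry):
    """Assumed tiering for this example: KEV membership beats any CVSS score."""
    if entry["kev"]:
        return "P1"
    if entry["cvss"] >= 9.0:
        return "P2"
    if entry["cvss"] >= 7.0:
        return "P3"
    return "P4"


def prioritize(entries):
    """Sort by tier, then by score within the tier."""
    return sorted(entries, key=lambda e: (priority(e), -e["cvss"]))


# Constructed sample: the two NVD vectors quoted on this page plus the hypothetical
# non-KEV critical from step 1 (its id is a placeholder, not a real CVE).
SAMPLE = [
    {"cve": "CVE-2021-44228", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "kev": True},
    {"cve": "CVE-2023-44487", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "kev": True},
    {"cve": "hypothetical-no-kev", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "kev": False},
]
for _e in SAMPLE:
    _e["cvss"] = base_score(_e["vector"])

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(priority(e), e["cve"], e["cvss"], "KEV" if e["kev"] else "no KEV")
    print("\n".join(decode_vector(SAMPLE[0]["vector"])))
```

Running it prints the P1 pair (Log4Shell at 10.0, Rapid Reset at 7.5) above the 9.8 with no KEV entry, which is the answer step 1 asks for. The recomputation is also the cheap integrity check for step 2: NVD publishes both the vector and the score, and if your bundled copy of one does not reproduce the other, something was transcribed wrongly.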

Success criteria — you're done when

  • [ ] You can explain why KEV status matters more than CVSS for prioritization, with a concrete example from the demo output.
  • [ ] Your added CVE-2023-22515 entry is factually correct (NVD-verified score, CWE, and KEV status).
  • [ ] vuln-assessment.md includes all four CVEs with correct risk verdicts.

Deliverables

vuln-assessment.md (generated by make demo): the CVE→CWE→CVSS→KEV→PoC chain and one-line risk verdict for each finding. This is the input to module 04 — exploitation starts with the highest-priority, most accessible CVE.

AI acceleration

Have a model summarize a CVE's description, then verify every claim (CVSS score, vector string, affected version range, KEV status) against the NVD and CISA KEV directly. Models frequently hallucinate CVSS scores, and the CNA's score can legitimately differ from NVD's own analysis, so record which source each number came from. For this lab, NVD is the ground truth.

Automate & own it

Required. With AI drafting and you reviewing every line: extend vuln_assess.py to query the real NVD API (--live is already stubbed) and pull the current KEV catalog from CISA's JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json). The NVD API rate-limits unauthenticated clients to 5 requests per rolling 30 seconds (50 with a free API key sent in the apiKey header), so add a delay or a key before looping over many CVEs. Commit the extended script.
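The live lookup in working Python, as an added example that is not the lab's harness: one fetch helper against the two real feeds (the NVD 2.0 endpoint https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=... and the KEV JSON above) and parsers that walk CVE → CWE → CVSS → KEV. The network call is isolated in fetch_json so the parsing runs offline on the constructed sample documents at the bottom, which follow the feeds' real field layout (cvssMetricV31[].cvssData, weaknesses[].description[], KEV cveID/dateAdded) with Log4Shell's score and vector as quoted on this page; the second scoring source in the sample, the ransomware field value and the User-Agent string are illustrative.

```python
"""Enrich a CVE from the NVD 2.0 API and the CISA KEV feed (added example, not the lab harness)."""
import json
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
KEV_FEED = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def fetch_json(url, api_key=None, timeout=30):
    """GET a JSON document; NVD reads an optional 'apiKey' header for the higher rate limit."""
    req = urllib.request.Request(url, headers={"User-Agent": "vuln-assess-lab"})  # UA is arbitrary
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_nvd(cve_id, api_key=None):
    return fetch_json("%s?cveId=%s" % (NVD_API, cve_id), api_key)


def parse_nvd(doc, cve_id):
    """Return {cve, cvss, vector, severity, cwe} for cve_id, or None if the response lacks it."""
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln["cve"]
        if cve["id"] != cve_id:
            continue
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        # One entry per scoring source; type "Primary" is NVD's own analysis, the rest are CNA scores.
        ordered = sorted(metrics, key=lambda m: m.get("type") != "Primary")
        data = ordered[0]["cvssData"] if ordered else {}
        cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                       for d in w.get("description", []) if d["value"].startswith("CWE-")})
        return {"cve": cve_id, "cvss": data.get("baseScore"), "vector": data.get("vectorString"),
                "severity": data.get("baseSeverity"), "cwe": cwes}
    return None


def kev_index(feed):
    """cveID -> KEV entry, so a batch of CVEs needs a single feed download."""
    return {v["cveID"]: v for v in feed.get("vulnerabilities", [])}


def enrich(cve_id, nvd_doc, kev_feed):
    """CVE -> CWE -> CVSS -> KEV: the chain the assessment table is built from."""
    rec = parse_nvd(nvd_doc, cve_id)
    if rec is None:
        raise LookupError("%s not present in NVD response" % cve_id)
    kev = kev_index(kev_feed).get(cve_id)
    rec["kev"] = kev is not None
    rec["kev_added"] = kev["dateAdded"] if kev else None
    rec["ransomware_use"] = kev.get("knownRansomwareCampaignUse") if kev else None
    return rec


# Constructed sample documents in the feeds' real field layout. Score and vector are
# Log4Shell's as quoted on this page; the CNA entry and the ransomware value are illustrative.
SAMPLE_NVD = {"vulnerabilities": [{"cve": {
    "id": "CVE-2021-44228",
    "metrics": {"cvssMetricV31": [
        {"source": "security@apache.org", "type": "Secondary",
         "cvssData": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}},
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}]},
    "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                    "description": [{"lang": "en", "value": "CWE-917"},
                                    {"lang": "en", "value": "CWE-20"}]}],
}}]}
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"}]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2 and sys.argv[1] == "--live":  # python3 this.py --live CVE-2021-44228
        cve = sys.argv[2]
        print(json.dumps(enrich(cve, fetch_nvd(cve), fetch_json(KEV_FEED)), indent=2))
    else:
        print(json.dumps(enrich("CVE-2021-44228", SAMPLE_NVD, SAMPLE_KEV), indent=2))
```

Two caveats when you wire this into the harness: newer NVD records may carry cvssMetricV40 next to (or instead of) cvssMetricV31 and very old ones only cvssMetricV2, so a None score means "no v3.1 metric", not "unscored"; and KEV lookups should go through the single downloaded feed rather than one request per CVE.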

Connects forward

The highest-priority CVEs from this assessment, Log4Shell and the FortiGate RCE, are the targets for module 04 (exploitation). vuln-assessment.md also feeds the SIEM (module 06) as threat-intel context.

Marketable proof

"I turn an enumerated service list into a risk-prioritized CVE assessment — CVE, CWE, CVSS, KEV, PoC — and can explain exactly why a CVSS 7.5 in KEV outranks a CVSS 9.8 that's never been exploited."

Stretch

  • Add automated version-range checking: given the detected nginx 1.13.2, query the NVD API with &keywordSearch=nginx&keywordExactMatch (page through the results with resultsPerPage and startIndex) and keep only CVEs whose affected range includes 1.13.2. The range lives in each record's configurations[].nodes[].cpeMatch[] entries, either as versionStartIncluding / versionStartExcluding / versionEndIncluding / versionEndExcluding bounds on a wildcard CPE or as an exact version inside the CPE string; mind the inclusive/exclusive distinction, because the exclusive end bound is normally the fixed version. You should surface CVE-2017-7529. This is what a real vulnerability scanner does.
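The range matching the stretch asks for, as an added example (not the lab's harness) over the NVD 2.0 cve objects that query returns under vulnerabilities[].cve: a numeric version comparison, the four cpeMatch bound fields with their inclusive/exclusive semantics, the exact-version CPE case, and the vulnerable flag. The sample records are constructed in the NVD layout; the first mirrors the published CVE-2017-7529 range (0.5.6 through 1.13.2), while the CPE vendor string and the other two record ids are placeholders.

```python
"""Does the detected version fall inside an NVD record's affected ranges? (added example)"""
import re


def version_key(s):
    """'1.13.2' -> (1, 13, 2); a non-numeric tail such as '1.13.2p1' is ignored."""
    out = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def compare(a, b):
    """-1, 0 or 1 for two version strings; missing components count as 0, so 1.13 == 1.13.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def cpe_fields(criteria):
    """cpe:2.3:part:vendor:product:version:... -> (vendor, product, version). Escaped ':' not handled."""
    f = criteria.split(":")
    return f[3], f[4], f[5]


_BOUNDS = {  # NVD cpeMatch range field -> test on compare(detected, bound) that must hold
    "versionStartIncluding": lambda c: c >= 0,
    "versionStartExcluding": lambda c: c > 0,
    "versionEndIncluding": lambda c: c <= 0,
    "versionEndExcluding": lambda c: c < 0,   # exclusive end: usually the fixed version
}


def cpe_match_covers(cm, version):
    """True if cpeMatch entry cm covers version: every present bound holds, or, when no
    bound is present, the version inside the CPE string matches ('*' means any version)."""
    bounded = False
    for field, ok in _BOUNDS.items():
        if field in cm:
            bounded = True
            if not ok(compare(version, cm[field])):
                return False
    if bounded:
        return True
    cpe_version = cpe_fields(cm["criteria"])[2]
    return cpe_version == "*" or compare(version, cpe_version) == 0


def affected(cve_record, product, version):
    """Any vulnerable cpeMatch for product that covers version. Nodes are flattened here; an
    AND node (application running on a given platform) needs both sides checked in a real scanner."""
    for cfg in cve_record.get("configurations", []):
        for node in cfg.get("nodes", []):
            for cm in node.get("cpeMatch", []):
                if not cm.get("vulnerable", False):
                    continue
                if cpe_fields(cm["criteria"])[1] != product:
                    continue
                if cpe_match_covers(cm, version):
                    return True
    return False


def filter_affected(records, product, version):
    """IDs of the NVD 'cve' objects whose ranges cover the detected version."""
    return [r["id"] for r in records if affected(r, product, version)]


NGINX_ANY = "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*"   # vendor field is a placeholder

# Constructed records in the NVD 2.0 'cve' layout (see lead-in).
SAMPLE_RECORDS = [
    {"id": "CVE-2017-7529",   # published range 0.5.6 through 1.13.2, both ends inclusive
     "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
         {"vulnerable": True, "criteria": NGINX_ANY,
          "versionStartIncluding": "0.5.6", "versionEndIncluding": "1.13.2"}]}]}]},
    {"id": "constructed-fixed-in-1.13.2",   # exclusive end bound, so 1.13.2 itself is clean
     "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
         {"vulnerable": True, "criteria": NGINX_ANY, "versionEndExcluding": "1.13.2"}]}]}]},
    {"id": "constructed-exact-1.13.2",   # exact version in the CPE, no range fields
     "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:f5:nginx:1.13.2:*:*:*:*:*:*:*"},
         {"vulnerable": False, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"}]}]}]},
]

if __name__ == "__main__":
    for v in ("1.13.2", "1.13.3", "1.12.0"):
        print(v, filter_affected(SAMPLE_RECORDS, "nginx", v))
```

Note that the fingerprint from module 02 is only as good as the banner: a distribution-patched nginx that still reports 1.13.2 will match here and not be vulnerable, which is exactly the false positive a scanner's version check cannot resolve without a probe.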
