Module 04 — Exploitation Fundamentals
Type 3 · Blast-Radius Trace — exploit a real Vulhub CVE with and without a framework and trace the full chain vulnerability → exploit → payload → session. (Secondary: Detonate & Detect — commit the T1190 telemetry the exploit leaves behind.)
Last reviewed: 2026-06
Offensive Security — turn a known vulnerability into access — and understand what the exploit actually does.
In 60 seconds
This is where recon and vuln-ID cash out: a confirmed weakness becomes access. The thing to genuinely understand — not memorise — is the chain: vulnerability (the flaw) → exploit (what triggers it) → payload (the code that runs after) → session (your access). Blurring these is why "push button, get shell" is so fragile: when it fails, only someone who knows which link broke can fix it. And every exploit leaves artifacts — the same T1190 telemetry the defensive track hunts.
Why this matters
This is the moment recon and vuln-ID pay off: a confirmed weakness becomes a foothold. The goal isn't to memorise Metasploit commands — it's to understand how an exploit delivers a payload, what a shell really is, and why the same techniques that gain access also leave the artifacts defenders hunt. "Push button, get shell" without understanding is fragile; understanding is the skill.
Objective
Exploit a real, known-vulnerable service in your lab — with and without a framework — and explain each stage: vulnerability → exploit → payload → session.
The core idea
This is where recon and vuln-ID cash out: a confirmed weakness becomes access. The thing to genuinely understand — not memorise — is the chain: vulnerability (the flaw) → exploit (what triggers it) → payload (the code that runs afterward) → session (your access). Blurring these is why "push button, get shell" is so fragile: when it fails — wrong target build, a mitigation, a payload that doesn't match the architecture — only someone who knows which link broke can fix it.
```mermaid
flowchart LR
    V["vulnerability<br/>(the flaw)"] --> E["exploit<br/>(triggers it)"]
    E --> P["payload<br/>(code that runs after)"]
    P --> S["session<br/>(your access)"]
```
The mental model
A framework like Metasploit automates the plumbing; it does not supply the understanding, and it hides precisely the details you need the moment it doesn't just work. Two concepts that click once you hold the chain straight: bind vs. reverse shells — a reverse shell has the target connect out to you, because outbound traffic escapes firewalls that block inbound (the same NAT/egress asymmetry any network engineer knows). Staged vs. stageless payloads — a tiny stub that pulls the rest down, or one self-contained blob: a size/stealth/reliability tradeoff.
The defensive bridge: every exploit leaves artifacts — the crash, the spawned child process, the network callback — which is exactly the telemetry the defensive track hunts (this is T1190 from the other side). Exploiting consciously means you can later tell a defender what to look for.
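The spawned-child-process and network-callback artifacts described above, as a detection sketch. This is an added example, not part of the original module; the event field names, process names and internal range are assumptions, and the telemetry is constructed.

```python
import ipaddress

# Assumptions for this sketch: the names of public-facing services and shells,
# the lab's internal range, and the event field names are all hypothetical.
SERVICE_PARENTS = {"java", "nginx", "httpd", "apache2", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed telemetry: "proc" = process creation, "net" = socket activity.
EVENTS = [
    {"t": 100, "type": "proc", "pid": 4101, "parent": "java", "image": "bash"},
    {"t": 101, "type": "net", "pid": 4101, "op": "connect", "raddr": "198.51.100.7"},
    {"t": 160, "type": "proc", "pid": 4230, "parent": "nginx", "image": "sh"},
    {"t": 161, "type": "net", "pid": 4230, "op": "listen", "lport": 5555},
    {"t": 200, "type": "proc", "pid": 4300, "parent": "sshd", "image": "bash"},
    {"t": 240, "type": "proc", "pid": 4410, "parent": "java", "image": "sh"},
    {"t": 400, "type": "net", "pid": 4410, "op": "connect", "raddr": "198.51.100.7"},
    {"t": 410, "type": "net", "pid": 4500, "op": "connect", "raddr": "10.0.0.9"},
]

def hunt(events, window=30):
    """Return {pid: verdict} for shells spawned by a service process,
    upgraded by socket activity seen within `window` seconds of the spawn."""
    spawned, verdicts = {}, {}
    for ev in sorted(events, key=lambda e: e["t"]):
        pid = ev["pid"]
        if ev["type"] == "proc":
            # A web/app server has no routine reason to fork an interactive shell.
            if ev["parent"] in SERVICE_PARENTS and ev["image"] in SHELLS:
                spawned[pid] = ev["t"]
                verdicts[pid] = "service-spawned-shell"
        elif pid in spawned and ev["t"] - spawned[pid] <= window:
            if ev["op"] == "listen":
                # The shell opened its own port: bind-shell pattern.
                verdicts[pid] = "bind-shell-listener"
            elif ipaddress.ip_address(ev["raddr"]) not in INTERNAL:
                # The shell dialled out of the network: reverse-shell pattern.
                verdicts[pid] = "reverse-shell-callback"
    return verdicts

if __name__ == "__main__":
    for pid, verdict in hunt(EVENTS).items():
        print(pid, verdict)
```

PID 4410 stays at `service-spawned-shell` because its outbound connection arrives after the correlation window, which is why the parent/child anomaly should alert on its own rather than only when paired with network activity.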
The gotcha
"Push button, get shell" without understanding is fragile: a mismatched payload architecture, an unmet mitigation, or the wrong target build will fail silently or — worse — crash the service. Per the charter, this lab uses real CVEs on Vulhub, not a hand-rolled stand-in: exploitation should be the real thing.
AI caveat
A model will confidently hand you the wrong module or a mismatched payload — "I ran what the AI said" is how you crash the target or pop the wrong box. Understand the exploit before you fire it.
Learn (~4 hrs)
The framework
- HackerSploit — Metasploit for Beginners #1: The Basics (video) — modules, exploits, and payloads demonstrated end to end.
- Rapid7 — Metasploit Documentation — the official reference; read the "Using Metasploit" basics rather than memorising commands.
Where it sits
- MITRE ATT&CK — Exploit Public-Facing Application (T1190) — the technique you're performing, and how it's detected.
Key concepts
- Vulnerability vs exploit vs payload
- Bind vs reverse shells (and why reverse is usual)
- Staged vs stageless payloads
- What a framework automates — and what it hides
- The artifacts an exploit leaves behind
AI acceleration
A model will suggest an exploit and the options to set in seconds — and just as easily point you at the wrong module or a mismatched payload. Understand the exploit before you run it; "I ran what the AI said" is how you crash the target or pop the wrong box.
Check yourself
- Name the four links in the chain — vulnerability, exploit, payload, session — and what each one is.
- Why does a reverse shell usually succeed where a bind shell fails?
- What does a framework like Metasploit hide from you, and why does that matter when an exploit doesn't "just work"?