
Module 04 — Exploitation Fundamentals

Type 3 · Blast-Radius Trace — exploit a real Vulhub CVE with and without a framework and trace the full chain vulnerability → exploit → payload → session. (Secondary: Detonate & Detect — commit the T1190 telemetry the exploit leaves behind.)

Last reviewed: 2026-06

Offensive Security · Turn a known vulnerability into access — and understand what the exploit actually does.

Difficulty: Intermediate  ·  Estimated time: ~5–7 hrs (study + lab)  ·  Prerequisites: Foundations

In 60 seconds

This is where recon and vuln-ID cash out: a confirmed weakness becomes access. The thing to genuinely understand — not memorise — is the chain: vulnerability (the flaw) → exploit (what triggers it) → payload (the code that runs after) → session (your access). Blurring these is why "push button, get shell" is so fragile: when it fails, only someone who knows which link broke can fix it. And every exploit leaves artifacts — the same T1190 telemetry the defensive track hunts.

Why this matters

This is the moment recon and vuln-ID pay off: a confirmed weakness becomes a foothold. The goal isn't to memorise Metasploit commands — it's to understand how an exploit delivers a payload, what a shell really is, and why the same techniques that gain access also leave the artifacts defenders hunt. "Push button, get shell" without understanding is fragile; understanding is the skill.

Objective

Exploit a real, known-vulnerable service in your lab — with and without a framework — and explain each stage: vulnerability → exploit → payload → session.

The core idea

This is where recon and vuln-ID cash out: a confirmed weakness becomes access. The thing to genuinely understand — not memorise — is the chain: vulnerability (the flaw) → exploit (what triggers it) → payload (the code that runs afterward) → session (your access). Blurring these is why "push button, get shell" is so fragile: when it fails — wrong target build, a mitigation, a payload that doesn't match the architecture — only someone who knows which link broke can fix it.

```mermaid
flowchart LR
    V["vulnerability<br/>(the flaw)"] --> E["exploit<br/>(triggers it)"]
    E --> P["payload<br/>(code that runs after)"]
    P --> S["session<br/>(your access)"]
```

The mental model

A framework like Metasploit automates the plumbing; it does not supply the understanding, and it hides precisely the details you need the moment it doesn't just work. Two concepts that click once you hold the chain straight: bind vs. reverse shells — a reverse shell has the target connect out to you, because outbound traffic escapes firewalls that block inbound (the same NAT/egress asymmetry any network engineer knows). Staged vs. stageless payloads — a tiny stub that pulls the rest down, or one self-contained blob: a size/stealth/reliability tradeoff.

The defensive bridge: every exploit leaves artifacts — the crash, the spawned child process, the network callback — which is exactly the telemetry the defensive track hunts (this is T1190 from the other side). Exploiting consciously means you can later tell a defender what to look for.

The gotcha

"Push button, get shell" without understanding is fragile: a mismatched payload architecture, an unmet mitigation, or the wrong target build will fail silently or — worse — crash the service. Per the charter, this lab uses real CVEs on Vulhub, not a hand-rolled stand-in: exploitation should be the real thing.
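One of the silent failures named above, a payload built for the wrong architecture, can be caught before anything is fired. The following added example (not from this module or from any framework) reads the architecture and word size out of the first 20 bytes of a target service's ELF header, as you might pull from a lab container, and compares it with a payload's declared architecture. The header bytes are constructed inline; the function names `elf_arch` and `payload_matches` are hypothetical, and PE (Windows) binaries would need a separate parser.

```python
"""Pre-flight check: does the payload's architecture match the target binary?
Parses the ELF identification bytes and e_machine from the first 20 bytes
of a file. Sample headers are CONSTRUCTED for the example."""
import struct

# Subset of ELF e_machine values (from the ELF specification).
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}


def elf_arch(header: bytes):
    """Return (arch, bits, endian) for an ELF header, or None if not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(header[4])          # EI_CLASS
    endian = {1: "little", 2: "big"}.get(header[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, header, 18)  # e_machine follows e_type
    return ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"), bits, endian


def payload_matches(target, payload_arch: str, payload_bits: int) -> bool:
    """True only when the payload's declared arch and word size equal the target's."""
    if target is None:
        return False
    arch, bits, _ = target
    return arch == payload_arch and bits == payload_bits


def _header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal 20-byte ELF header prefix (constructed test data)."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9  # 16-byte e_ident
    fmt = "<HH" if ei_data == 1 else ">HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type=2 (ET_EXEC), e_machine


X86_64_SERVICE = _header(2, 1, 0x3E)
AARCH64_SERVICE = _header(2, 1, 0xB7)
I386_SERVICE = _header(1, 1, 0x03)

if __name__ == "__main__":
    for name, hdr in [("x86_64", X86_64_SERVICE), ("aarch64", AARCH64_SERVICE), ("i386", I386_SERVICE)]:
        print(name, elf_arch(hdr), "x86_64/64 payload ok:", payload_matches(elf_arch(hdr), "x86_64", 64))
```

Run it against a real file with `elf_arch(open(path, "rb").read(20))`. A mismatch here is the cheap, non-destructive way to find out that the payload link of the chain is the one that would have broken.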

AI caveat

A model will confidently hand you the wrong module or a mismatched payload — "I ran what the AI said" is how you crash the target or pop the wrong box. Understand the exploit before you fire it.

Learn (~4 hrs)

The framework
  • HackerSploit — Metasploit for Beginners #1: The Basics (video) — modules, exploits, and payloads demonstrated end to end.
  • Rapid7 — Metasploit Documentation — the official reference; read the "Using Metasploit" basics rather than memorising commands.

Where it sits
  • MITRE ATT&CK — Exploit Public-Facing Application (T1190) — the technique you're performing, and how it's detected.

Key concepts

  • Vulnerability vs exploit vs payload
  • Bind vs reverse shells (and why reverse is usual)
  • Staged vs stageless payloads
  • What a framework automates — and what it hides
  • The artifacts an exploit leaves behind

AI acceleration

A model will suggest an exploit and the options to set in seconds — and just as easily point you at the wrong module or a mismatched payload. Understand the exploit before you run it; "I ran what the AI said" is how you crash the target or pop the wrong box.

Check yourself

  • Name the four links in the chain — vulnerability, exploit, payload, session — and what each one is.
  • Why does a reverse shell usually succeed where a bind shell fails?
  • What does a framework like Metasploit hide from you, and why does that matter when an exploit doesn't "just work"?
