3-2: Exploit Research
Exploit research tends to be much more involved than what is needed for enumeration. In rough order of preference once we've identified a service, and hopefully a version, we can search for any specific known vulnerabilities using these methods:
- Searchsploit / exploit-db. Useful as a first check to see if anything exists, because if it does, a PoC is much more likely to both exist and work.
- CVE research
  - Web searches (e.g., "library 1.0 CVE or exploit PoC") to reveal GitHub repos in particular, or writeups about the vulnerability.
  - GitHub / release notes review looking for commits and/or diffs of code to suggest where a fix was applied.
  - General CVE search using NVD, MITRE, or other CVE indexers.
- General exploit path research
  - Lean on what was found in enumeration, pick viable specific pathways based on app functionality, and run initial tests, like with SQLi and the `'` payload.
  - For privilege escalation, sites that catalog specific pathways like GTFOBins and similar can be used.
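The CVE research step above, worked as an added example that is not from these notes: a small filter that takes NVD API 2.0-style records (the sample records and the CVE-0000-000x ids below are constructed placeholders, not real CVEs) and keeps only the CVEs whose CPE version range actually covers the service version identified during enumeration, ranked by CVSS base score. It assumes each record carries a CVSS v3.1 metric.

```python
# Added example, not from the original notes: given the service and version identified
# during enumeration, filter NVD API 2.0-style records down to the CVEs whose CPE version
# ranges actually cover that version, and rank them by CVSS base score. SAMPLE_NVD is
# constructed sample data with placeholder ids (CVE-0000-000x are not real CVEs).
SAMPLE_NVD = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",  # placeholder: affects 1.0 <= version < 1.2
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:vendor:library:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "1.0", "versionEndExcluding": "1.2"}]}]}]}},
        {"cve": {"id": "CVE-0000-0002",  # placeholder: exact-version CPE for 1.0
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:vendor:library:1.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-0003",  # placeholder: fixed in 0.9, must NOT match 1.0
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:vendor:library:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "0.9"}]}]}]}},
    ]
}

def parse_version(v):
    """Turn '1.10' into (1, 10) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def cpe_covers(match, product, version):
    """True if one NVD cpeMatch entry applies to `product` at `version`."""
    fields = match["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
    if fields[4] != product:
        return False
    if fields[5] != "*":  # exact-version CPE, no range fields to consult
        return parse_version(fields[5]) == parse_version(version)
    v = parse_version(version)
    bounds = (("versionStartIncluding", lambda b: v < b), ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b), ("versionEndExcluding", lambda b: v >= b))
    # any bound that is present and violated excludes this version
    return not any(key in match and out_of_range(parse_version(match[key])) for key, out_of_range in bounds)

def applicable_cves(nvd_json, product, version):
    """[(cve_id, base_score)] for CVEs covering product/version, highest score first."""
    hits = []
    for item in nvd_json["vulnerabilities"]:
        cve = item["cve"]
        matches = [m for cfg in cve.get("configurations", []) for node in cfg["nodes"] for m in node["cpeMatch"]]
        if any(cpe_covers(m, product, version) for m in matches):
            score = cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]  # assumes a v3.1 metric
            hits.append((cve["id"], score))
    return sorted(hits, key=lambda h: -h[1])
```

Running `applicable_cves(SAMPLE_NVD, "library", "1.0")` keeps the two records whose range or exact CPE covers 1.0 and drops the one fixed before 0.9; the same filter applied to a real NVD keyword-search response for the enumerated product is what turns a long CVE list into the handful worth checking for a PoC.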