You ran nmap. You got a version number. Maybe it was Apache 2.4.49. Maybe it was vsftpd 2.3.4. Maybe it was Samba 3.0.20. That version number is not just information — it is a key. This section is about finding the lock it opens, understanding what is behind it, and choosing the right way through. I walk you through the complete workflow — from version number to exploitation decision — the way professionals actually do it.
🔰 Beginners: This section explains how to find and evaluate exploits before touching a single tool. Every term gets defined. Work through it in order before jumping to the exploit categories.
⚡ Seasoned practitioners: The CVSS decision framework and CVE Scanner plug toward the bottom are worth reviewing. Jump to Picking Your Approach for the decision tree.
- The Complete Workflow
- What Is a CVE — Plain English
- What Is CVSS — And Why It Actually Matters
- SearchSploit — Your Offline First Stop
- Exploit-DB — The Online Database
- NVD — The Official CVE Record
- MITRE ATT&CK — Mapping Technique to Tactic
- How to Read a CVE Like You Know What You Are Doing
- Picking Your Approach
- The CVE Security Intelligence Monitor
- CTF vs Real World
## The Complete Workflow
This is the process. Every time. No skipping steps.
Step 1 — Identify the service and version
nmap -sV gave you: vsftpd 2.3.4, Apache 2.4.49, OpenSSH 7.2
Step 2 — Search for known vulnerabilities
SearchSploit → Exploit-DB → NVD → Google
Step 3 — Read and understand the CVE
What is vulnerable? Why? What does exploitation look like?
Step 4 — Assess exploitability
CVSS score, public exploit available, authentication required?
Step 5 — Pick your approach
Metasploit module? Public exploit script? Manual technique?
Step 6 — Exploit
That is the rest of this guide.
The whole process for a known CVE on a CTF box can take under 5 minutes once you know it. On a real engagement it takes longer because you are verifying, documenting, and being deliberate. But the steps are the same.
## What Is a CVE — Plain English
CVE stands for Common Vulnerabilities and Exposures.
Think of it like a universal tracking number for security flaws. When a researcher discovers a vulnerability in a piece of software, it gets assigned a CVE number — a unique ID that everyone in the security world uses to refer to that specific flaw.
The format is always:
CVE-YEAR-NUMBER
CVE-2021-44228 ← Log4Shell (one of the most famous CVEs ever)
CVE-2019-0708 ← BlueKeep (critical Windows RDP vulnerability)
CVE-2017-0144 ← EternalBlue (the NSA exploit behind WannaCry)
The year is when it was assigned, not necessarily when it was discovered or when a patch was released. The number is sequential within that year.
Who assigns CVEs? MITRE Corporation manages the CVE program. Individual organizations called CNAs (CVE Numbering Authorities) — including major vendors like Microsoft, Google, and Apple — can assign CVEs for vulnerabilities in their own products. Independent researchers submit through MITRE.
What a CVE record tells you:
- What software is affected and which versions
- A description of the vulnerability
- References to patches, advisories, and proof-of-concept code
- CVSS score (severity rating)
- CWE classification (what type of vulnerability it is)
## What Is CVSS — And Why It Actually Matters
CVSS stands for Common Vulnerability Scoring System.
It is a standardized way of rating how severe a vulnerability is on a scale from 0.0 to 10.0. The score is calculated based on specific characteristics of the vulnerability — not just someone's opinion.
| Score | Severity | What It Means |
|---|---|---|
| 0.0 | None | Informational — no real impact |
| 0.1 – 3.9 | Low | Minimal impact, difficult to exploit |
| 4.0 – 6.9 | Medium | Moderate impact, some conditions required |
| 7.0 – 8.9 | High | Significant impact, easier to exploit |
| 9.0 – 10.0 | Critical | Maximum impact, exploitable remotely, no auth required |
CVSS v3.1 calculates the score from these factors:
**Attack Vector — how is it exploited?**
- Network (N) → exploitable remotely over the internet — highest severity
- Adjacent (A) → requires network access to the same segment
- Local (L) → requires local access to the system
- Physical (P) → requires physical access to the device
| Metric | Options | What It Means |
|---|---|---|
| Attack Vector | Network / Adjacent / Local / Physical | How far away can the attacker be? |
| Attack Complexity | Low / High | How hard is it to pull off? |
| Privileges Required | None / Low / High | What access does the attacker need first? |
| User Interaction | None / Required | Does a victim need to do something? |
| Scope | Unchanged / Changed | Does it affect systems beyond the vulnerable one? |
| Confidentiality | None / Low / High | Can data be read? |
| Integrity | None / Low / High | Can data be changed? |
| Availability | None / Low / High | Can the system be crashed or disrupted? |
Higher severity = Network vector, Low complexity, None privileges, None interaction, Changed scope, High across all three impact metrics. That combination is a 10.0. Log4Shell hit every single one.
**Impact — what happens when it is exploited?**
- Confidentiality → can data be read? None / Low / High
- Integrity → can data be changed? None / Low / High
- Availability → can the system crash? None / Low / High
### Reading CVSS in Practice
**CVE-2021-44228 (Log4Shell): CVSS 10.0 Critical**
- Attack Vector: Network ← exploitable from the internet
- Attack Complexity: Low ← no special conditions
- Privileges Required: None ← no account needed
- User Interaction: None ← fully automated
- Scope: Changed ← affects other systems
- Confidentiality: High
- Integrity: High
- Availability: High
This is why Log4Shell was a 10.0. Every single factor was worst case.
Remote. Easy. No auth. No user interaction. Full system compromise.
**The CTF relevance:**
In CTF boxes, look for CVEs with:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- A public exploit available
That combination means it is likely the intended path.
---
## 🛠️ SearchSploit — Your Offline First Stop
SearchSploit is a command-line tool that searches the Exploit-DB database
locally — no internet required. It comes pre-installed on Kali Linux.
**Why offline first?**
On a real engagement your internet may be restricted. On a CTF the VPN
sometimes has limited routing. SearchSploit works anywhere.
### Installation
```bash
# Kali Linux — pre-installed
searchsploit --version
# Update the database
searchsploit -u
# Other Linux / macOS
sudo apt install exploitdb
# or
brew install exploitdb
```
### Basic Searches
```bash
# Search by service name
searchsploit vsftpd
# Search by service and version
searchsploit vsftpd 2.3.4
# Search by CVE number
searchsploit CVE-2021-44228
# Search for Apache exploits
searchsploit apache 2.4
# Search for Windows SMB exploits
searchsploit windows smb
# Search for WordPress exploits
searchsploit wordpress 5.0
```
Example output for `searchsploit vsftpd 2.3.4`:
```text
Exploit Title                           | Path
----------------------------------------|----------------------------------
vsftpd 2.3.4 - Backdoor Command Exec    | unix/remote/17491.rb
vsftpd 2.3.4 - Backdoor Command Exec    | unix/remote/49757.py
```
The path shows you where the exploit file lives on your system and what type it is:
- `.rb` = Ruby — likely a Metasploit module
- `.py` = Python — standalone script
- `.c` = C — needs to be compiled
- `.sh` = Bash shell script
- `.txt` = Documentation or manual technique
```bash
# Read the exploit without copying
searchsploit -x unix/remote/49757.py
# Copy exploit to current directory
searchsploit -m unix/remote/49757.py
# Examine by EDB-ID instead of by path
searchsploit -x 49757
# Exclude results containing "DoS" (denial of service)
searchsploit apache --exclude="DoS"
# Show Exploit-DB URLs instead of local paths
searchsploit -w wordpress
# Output as JSON
searchsploit -j vsftpd
```
### Worked Example: vsftpd 2.3.4
vsftpd 2.3.4 is a classic CTF vulnerability. Here is the full SearchSploit workflow:
```bash
# Step 1 — search
searchsploit vsftpd 2.3.4
# Output:
# vsftpd 2.3.4 - Backdoor Command Exec | unix/remote/17491.rb
# vsftpd 2.3.4 - Backdoor Command Exec | unix/remote/49757.py
# Step 2 — read the Python version
searchsploit -x unix/remote/49757.py
# Step 3 — copy it to your working directory
searchsploit -m unix/remote/49757.py
# Step 4 — run it
python3 49757.py <target_ip>
```
Practice target: HackTheBox — Lame (classic vsftpd 2.3.4 box)
## Exploit-DB — The Online Database
URL: https://www.exploit-db.com
Exploit-DB is the online database that SearchSploit pulls from. The web interface gives you more filtering options and sometimes has exploits that have not yet synced to your local SearchSploit database.
By software name and version:
Go to exploit-db.com → search bar → type vsftpd 2.3.4
By CVE number:
Search CVE-2021-44228 — returns all exploits tagged with that CVE
Filters available:
- Type: Remote, Local, DoS, WebApp, Shellcode
- Platform: Linux, Windows, macOS, Multiple
- Language: Python, Ruby, C, PHP, etc.
- Verified: Only show exploits verified by the Exploit-DB team
The verified badge matters: Unverified exploits may not work, may be incomplete, or may need modification. Verified exploits have been tested by the Exploit-DB team. Start with verified when available.
Every entry has:
CVE: CVE-2021-41773
Author: The researcher who found/wrote it
Type: Remote / Local / DoS / WebApp
Platform: Linux / Windows / Multiple
Date: When it was published
Tested on: What environment it was tested in
Read the "Tested on" section carefully. An exploit tested on Ubuntu 20.04 may not work on CentOS 7. An exploit for Apache 2.4.49 specifically will not work on 2.4.50 (which was patched).
## NVD — The Official CVE Record
URL: https://nvd.nist.gov
The National Vulnerability Database is the US government's official CVE repository. It has the most authoritative and complete information about any CVE — including the official CVSS score, affected versions, patch information, and references.
When to use NVD:
- When you need the official CVSS score for a CVE
- When you need to know exactly which versions are affected
- When you need references to vendor patches and advisories
- When Exploit-DB does not have enough context about the vulnerability
NVD URL format:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Key fields to read:
→ Description — what is actually vulnerable and why
→ CVSS v3.1 Score — severity and attack characteristics
→ Weakness — CWE classification (what type of bug)
→ Affected Software — exact versions affected
→ References — patches, advisories, PoC links
The CWE classification tells you what category of vulnerability it is:
CWE-79 → Cross-Site Scripting (XSS)
CWE-89 → SQL Injection
CWE-94 → Code Injection
CWE-119 → Buffer Overflow
CWE-200 → Information Disclosure
CWE-287 → Improper Authentication
CWE-502 → Deserialization of Untrusted Data
CWE-918 → Server-Side Request Forgery (SSRF)
Knowing the CWE tells you what class of technique to research even if you have never seen this specific CVE before.
## MITRE ATT&CK — Mapping Technique to Tactic
MITRE ATT&CK is a framework that catalogs the tactics, techniques, and procedures (TTPs) used by real threat actors in real attacks. It is the language that professional red teams, blue teams, and threat intelligence analysts all speak.
ATT&CK maps techniques to real-world usage. When you find a vulnerability and understand what technique it enables, ATT&CK tells you:
- What real threat actors use this technique
- What the technique looks like to a defender
- What comes next in the attack chain
- How to detect it (useful for understanding your footprint)
Tactics → The goal (what the attacker is trying to achieve)
Techniques → How they achieve it (the method)
Sub-techniques → Specific variations of a technique
Procedures → How specific threat actors implement it
Relevant tactics for exploitation:
TA0001 → Initial Access (getting in)
TA0002 → Execution (running code)
TA0003 → Persistence (staying in)
TA0004 → Privilege Escalation (going higher)
TA0005 → Defense Evasion (staying hidden)
TA0006 → Credential Access (getting passwords)
TA0007 → Discovery (looking around)
TA0008 → Lateral Movement (moving through the network)
1. Identify what your exploit does
→ Remote code execution via a web application
2. Find the ATT&CK technique
→ T1190: Exploit Public-Facing Application
3. Read the technique page
→ What actors use it?
→ What does it look like in logs?
→ What detections exist?
4. Note what comes next
→ T1059: Command and Scripting Interpreter (running commands)
→ T1078: Valid Accounts (using found credentials)
## How to Read a CVE Like You Know What You Are Doing
Most people look at a CVE and only read the score. Professionals read the whole thing. Here is what to extract from every CVE you research.
Step 1 — Read the description carefully. The description tells you the mechanism. Look for key phrases:
"allows remote attackers to execute arbitrary code"
→ Remote Code Execution. High value. Look for a public exploit.
"allows remote attackers to read arbitrary files"
→ Path traversal or LFI. Useful for credential disclosure.
"allows remote attackers to cause a denial of service"
→ DoS. Usually not useful for getting a shell.
"via a crafted HTTP request"
→ Web-based. No authentication required if not stated.
"authenticated attackers"
→ You need credentials first. Still useful if you have them.
"local attackers"
→ You need existing access. Useful for privilege escalation.
Step 2 — Check the affected versions precisely.
Affected: Apache HTTP Server 2.4.49
Fixed in: Apache HTTP Server 2.4.50
If the target is running 2.4.48 — this specific CVE does not apply. If it is 2.4.49 — you have a match.
Version precision matters. An exploit written for 2.4.49 will not work on 2.4.48 or 2.4.50. Always verify exact version match.
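Version precision is easy to get wrong in a script because version strings do not sort numerically: as plain strings, "2.4.5" sorts after "2.4.49". The added example below (my code, not from the guide) parses the version out of an nmap -sV banner and checks it against an NVD-style affected range; the `AFFECTED` table is a constructed lookup holding only the Apache 2.4.49 / 2.4.50 case from this step.

```python
"""Exact-version matching for nmap -sV banners (added example; not from the guide)."""
import re

# Constructed lookup shaped like NVD's configuration ranges:
# cve -> (product substring, versionStartIncluding, versionEndExcluding).
# The one entry encodes "affected 2.4.49, fixed in 2.4.50" from the step above.
AFFECTED = {
    "CVE-2021-41773": ("Apache httpd", "2.4.49", "2.4.50"),
}

def parse_version(text: str) -> tuple:
    """First dotted version in a banner: 'Apache httpd 2.4.49' -> (2, 4, 49).

    Components are compared as integers, so (2, 4, 5) < (2, 4, 49),
    the opposite of what a plain string comparison gives.
    """
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def in_range(version: str, start_incl=None, end_excl=None) -> bool:
    """True if version lies in [start_incl, end_excl); None means unbounded."""
    v = parse_version(version)
    if start_incl is not None and v < parse_version(start_incl):
        return False
    if end_excl is not None and v >= parse_version(end_excl):
        return False
    return True

def cve_applies(banner: str, cve: str) -> bool:
    """Does this CVE apply to the product and version an nmap banner reports?"""
    product, start_incl, end_excl = AFFECTED[cve]
    if product.lower() not in banner.lower():
        return False  # right version number, wrong product
    return in_range(banner, start_incl, end_excl)

if __name__ == "__main__":
    # Constructed banners in nmap -sV style.
    for banner in ("Apache httpd 2.4.48", "Apache httpd 2.4.49 ((Unix))",
                   "Apache httpd 2.4.50", "nginx 2.4.49"):
        print(f"{banner:32} CVE-2021-41773 applies: {cve_applies(banner, 'CVE-2021-41773')}")
```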
Step 3 — Check the references section.
The references section links to:
- Vendor security advisories (official patch info)
- GitHub commits that fixed the bug (shows what changed = shows the bug)
- Proof of concept code (sometimes directly links to working exploits)
- Blog posts explaining the vulnerability in depth
The GitHub commit that fixed the bug is particularly valuable — reading the diff shows you exactly what the vulnerability was at the code level.
Step 4 — Search for public PoC.
After reading the CVE, search:
"CVE-2021-41773" poc
"CVE-2021-41773" exploit github
"CVE-2021-41773" proof of concept
GitHub is where most PoC code lives. Be careful — not all PoC code is safe to run. Read it before executing it.
## Picking Your Approach
You have found the CVE. You know it is exploitable. Now you choose how to exploit it. There are three paths:
### Path 1 — Metasploit
Use when:
- A Metasploit module exists for the CVE
- You are in a CTF or authorized lab environment
- Speed matters more than stealth
- You want reliable, tested exploitation
How to check:
```text
msfconsole
search CVE-2021-44228
search vsftpd
search eternalblue
```
If a module exists — it is usually the fastest path. Metasploit modules are tested, maintained, and handle edge cases you would otherwise debug for hours manually.
When NOT to use Metasploit:
- OSCP exam — Metasploit is heavily restricted
- Real engagements where stealth matters — Metasploit leaves signatures
- When you want to actually learn what is happening
### Path 2 — Public Exploit Script
Use when:
- No Metasploit module exists
- A standalone Python/C/Ruby script is available on Exploit-DB
- You want more control than Metasploit but do not want to write from scratch
The workflow:
```bash
# Find it
searchsploit apache 2.4.49
# Copy it
searchsploit -m linux/webapps/50383.py
# READ IT before running it
cat 50383.py
# Run it
python3 50383.py
```
Always read the exploit before running it. Public exploits sometimes need modification — wrong IP format, missing dependency, hardcoded path that does not match your target. Reading it first saves time and prevents running something broken or malicious.
### Path 3 — Manual Exploitation
Use when:
- No public exploit exists
- You are on OSCP or a restricted exam
- The public exploit does not work and you need to understand why
- You want to actually understand the vulnerability
This is the path that separates people. Manual exploitation is covered in full depth in the Manual Exploitation section.
**Decision tree:**
```text
Does a Metasploit module exist?
├── Yes + CTF/lab environment → use Metasploit
├── Yes + OSCP/exam → skip, use manual
└── No → does a public exploit script exist?
    ├── Yes → read it, modify if needed, run it
    └── No → manual exploitation
        → research the vulnerability class
        → build or adapt your own
```
## The CVE Security Intelligence Monitor
Manually searching NVD, Exploit-DB, and SearchSploit for every service you find gets tedious fast. The CVE Security Intelligence Monitor by SudoChef automates this entire workflow — pulling from NVD, tracking CVSS scores, mapping to MITRE ATT&CK, and alerting on critical new vulnerabilities automatically.
It is the tool that does the research phase of this workflow for you — continuously, in the background, while you focus on the actual work.
github.com/commit-issues/cve-security-monitor
Built in Python. SQLCipher encrypted local database. Cross-platform. The kind of tool that belongs in every security professional's stack. 👀
## CTF vs Real World
| | CTF | Real Engagement |
|---|---|---|
| CVE research | Find the box's intended CVE fast | Thorough — document everything |
| CVSS score | Just want exploitability | Full scoring analysis in report |
| Exploit choice | Whatever works fastest | Justified, documented, stealthy |
| Public exploits | Run freely | Test in lab first, review code |
| Metasploit | Yes, freely | Restricted — check rules of engagement |
| Documentation | Optional | Mandatory — every step |
| Resource | What It Covers |
|---|---|
| Automated Exploitation | Metasploit full workflow |
| Manual Exploitation | When tools fail, you do not |
| Exploit Categories | Deep dives by vulnerability type |
| nmap-reference | Where the version number came from |
| enumeration-reference | What you did before this |
by SudoChef · Part of the SudoCode Pentesting Methodology Guide