What Is an Exploit?
Vulnerabilities are one thing. These are weaknesses in software or systems. Taking advantage of those weaknesses to compromise a system or gain unauthorized access, including escalating your privileges above the ones provided to you, is an exploitation.
Exploits are being developed constantly to take advantage of vulnerabilities that have been identified. Sometimes, the exploit is developed at roughly the same time the vulnerability has been identified. Other times, the vulnerability is found first and is essentially theoretical; the program crashes or the source code has been analyzed, suggesting that there is a problem in the software. The exploit may come later. Finding vulnerabilities can require a different set of skills from writing exploits.
It’s important to note here that even when there is clearly a vulnerability, you may not be able to exploit that vulnerability. There may not be an exploit available, or you may not be able to exploit the vulnerability yourself. Additionally, exploiting a vulnerability does not always guarantee a system compromise or even privilege escalation. It is not a straight line between vulnerability identification and the prize: system compromise, privilege escalation, or data exfiltration. Getting what you want can be a lot of work, even if you know the vulnerability and have the exploit.
You may have the exploit and know a vulnerability exists. Not all exploits work reliably. This is sometimes a matter of timing. It can also be a matter of specific system configuration. A slight change in configuration, even if the software has the right code in place that is vulnerable, can render an exploit ineffective or unusable. At times you may run an exploit several times in a row without success, only to get success on, say, the sixth or tenth attempt. Some vulnerabilities simply work that way. This is where diligence and persistence come in. The job of someone doing security testing isn’t simple or straightforward.
Ethics
Performing any exploit can compromise the integrity of the system and potentially the data on that system. This is where you need to be straightforward in your communication with your target, assuming you are working hand in hand with them. If the situation is truly red team versus blue team, and neither really knows the existence of the other, it may be a question of all’s fair in love and system compromises. Make sure you know the expectations of your engagement and that you are not doing anything that is deliberately harmful or illegal.