by SudoChef · Part of the SudoCode Pentesting Methodology Guide series
This is the exploitation reference for the SudoCode Pentesting Methodology Guide — a no-fluff, plain English guide to penetration testing techniques built for people who want to actually understand what they are doing, not just run tools and hope something works.
Every section starts from plain English. Every term gets defined before it is used. Every technique builds on the one before it. Whether you are picking up a terminal for the first time or you have been doing this for years and want a solid reference — this guide was written with both of you in mind.
This repository is one part of a larger series:
| Repository | What It Covers |
|---|---|
| nmap-reference | Scanning and service detection |
| enumeration-reference | Enumeration methodology |
| google-dorking | OSINT and Google dorking |
| exploitation-reference | You are here — exploitation techniques |
If you are new: Start at Section 1 and work through in order. Each section builds on the previous one. Skipping ahead works for reference but not for learning.
If you are experienced: Use the section index below to jump directly to what you need. Every file stands alone as a reference.
If you are on a box right now: The cheatsheets and quick reference sections in each file are designed for exactly this. The shell cheatsheet in particular is built to be open in a second tab while you work.
The workflow from finding a service version to selecting an exploit. How to read a CVE, what CVSS scores actually mean for decision making, and how to pick the right approach.
| File | What It Covers |
|---|---|
| vuln-research/finding-exploits.md | CVE research, SearchSploit, Exploit-DB, NVD, MITRE ATT&CK |
When automated tools are the right choice, how to use them properly, and when to put them down.
| File | What It Covers |
|---|---|
| automated-exploitation/metasploit.md | Full Metasploit workflow — all OS installs, payloads, Meterpreter |
| automated-exploitation/other-tools.md | sqlmap, Nuclei, BeEF, Empire, msfvenom |
The theory behind why vulnerabilities work. Read this before manual exploitation — understanding the why makes the how make sense.
| File | What It Covers |
|---|---|
| exploit-categories/buffer-overflow.md | Memory, the stack, EIP control, shellcode, ASLR/DEP/ROP |
| exploit-categories/sqli.md | SQL injection — every type with plain English explanation |
| exploit-categories/rce.md | Remote Code Execution — all paths to execution |
| exploit-categories/lfi-rfi.md | File inclusion, path traversal, chaining to RCE |
| exploit-categories/ssrf.md | Server-Side Request Forgery, cloud metadata, blind SSRF |
| exploit-categories/deserialization.md | PHP, Java, Python, Node.js deserialization attacks |
| exploit-categories/advanced-chaining.md | Multi-vulnerability chains, APT techniques, LOLBins |
Running, modifying, and writing exploits without relying on automated frameworks.
| File | What It Covers |
|---|---|
| manual-exploitation/overview.md | Running raw exploits, reading code, real worked examples |
| manual-exploitation/modifying-exploits.md | Fixing offsets, replacing shellcode, Python 2→3 conversion |
| manual-exploitation/writing-exploits.md | Fuzzing, crash analysis, BoF from scratch, ROP, format strings |
Everything about getting, keeping, and working in shells. The most important section for day-to-day work.
| File | What It Covers |
|---|---|
| shells/shell-types.md | Bind vs reverse, web shells, encrypted shells, first steps |
| shells/reverse-shells.md | Every reverse shell one-liner across every language |
| shells/upgrading-shells.md | Python PTY, socat, pwncat — dumb shell to full TTY |
| shells/shell-tools.md | Netcat, ncat, socat, pwncat, Evil-WinRM, Chisel |
| shells/shell-cheatsheet.md | One page — everything you need mid-box |
Staying under the radar. AV, EDR, WAF, and AMSI — how they work and how to operate around them.
| File | What It Covers |
|---|---|
| evasion/av-waf-evasion.md | AV/EDR/WAF/AMSI evasion, LOLBins, payload encoding |
What to do when nothing works. Systematic debugging, knowing when to pivot, and the mental discipline that gets you through hard boxes.
| File | What It Covers |
|---|---|
| when-it-fails/debugging.md | Debugging exploits, shells, AV blocks, WAF blocks, the stuck workflow |
Where to build the skills and how to approach every box with the right methodology.
| File | What It Covers |
|---|---|
| practice/platforms.md | HTB, TryHackMe, VulnHub, PortSwigger, machine curation by exploit type |
Shell listener — fastest:

```bash
# rlwrap gives the raw netcat listener line editing and history
rlwrap nc -lvnp 4444
```

Shell upgrade — fastest:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z to background the shell, and on your own terminal run:
#   stty raw -echo; fg
# Back in the shell: export TERM=xterm
```

Find your HTB IP:

```bash
ip -4 addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
```

First commands after shell lands (CTF):

```bash
whoami && id
cat /home/*/user.txt 2>/dev/null
hostname && uname -a
```

Find exploits:

```bash
searchsploit SERVICE VERSION
```

Full cheatsheet: shells/shell-cheatsheet.md
```
exploitation-reference/
│
├── vuln-research/
│   └── finding-exploits.md
│
├── automated-exploitation/
│   ├── metasploit.md
│   └── other-tools.md
│
├── exploit-categories/
│   ├── buffer-overflow.md
│   ├── sqli.md
│   ├── rce.md
│   ├── lfi-rfi.md
│   ├── ssrf.md
│   ├── deserialization.md
│   └── advanced-chaining.md
│
├── manual-exploitation/
│   ├── overview.md
│   ├── modifying-exploits.md
│   └── writing-exploits.md
│
├── shells/
│   ├── shell-types.md
│   ├── reverse-shells.md
│   ├── upgrading-shells.md
│   ├── shell-tools.md
│   └── shell-cheatsheet.md
│
├── evasion/
│   └── av-waf-evasion.md
│
├── when-it-fails/
│   └── debugging.md
│
└── practice/
    └── platforms.md
```
This guide is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).
You are free to share and adapt this material for any purpose, including commercial use, as long as you give appropriate credit.
Attribution: SudoChef · SudoCode Pentesting Methodology Guide · github.com/commit-issues
This guide is written for authorized penetration testing, security research, and educational purposes only.
Everything documented here is for use against systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal in every jurisdiction. The techniques in this guide exist to help defenders understand what attackers do — and to help authorized testers find vulnerabilities before malicious actors do.
If you are using this guide:
- On HackTheBox, TryHackMe, VulnHub, or similar platforms → you are authorized by the platform terms of service
- On your own lab environment → you are authorized
- On a client engagement with a signed scope of work → you are authorized
- On any other system without explicit written permission → stop
The community builds these skills to make systems safer. Keep it that way.
This is a read-only reference — pull requests are not accepted. If you find errors or have suggestions, use the CVE Security Intelligence Monitor feedback channel or reach out directly.