Exploit Development Assistance

You are executing the greyhatcc exploit assistance skill.

Usage

/greyhatcc:exploit <CVE-ID or vulnerability description>

Smart Input

{{ARGUMENTS}} is parsed automatically:

• CVE ID (CVE-2024-xxxx) → used for CVE lookup and exploit search
• Finding ID (FIND-001) → looked up in findings_log.md
• Description (free text) → used as search/filter query
• File path → read and analyzed directly
• Empty → error: "Usage: /greyhatcc:<skill> <identifier>"

No format specification needed — detect and proceed.

Context Loading (MANDATORY)

Before executing this skill:

1. Load scope: .greyhatcc/scope.json — verify target is in scope, note exclusions
2. Load hunt state: .greyhatcc/hunt-state.json — check active phase, resume context
3. Load program files: findings_log.md, tested.json, gadgets.json — avoid duplicating work
4. Load memory: Check MEMORY.md for target-specific notes from previous sessions

Workflow

1. Research Phase

   • Query CVE details: Use MCP tool greyhatcc_sec__cve_detail for full CVE info
   • Search for existing exploits: Use MCP tool greyhatcc_sec__exploit_db_search
   • Search Shodan exploits: Use MCP tool greyhatcc_s__shodan_exploits_search
   • WebSearch for additional PoCs on GitHub, PacketStorm, etc.

2. Analysis Phase

   • Delegate to vuln-analyst agent to assess exploitability
   • Understand vulnerability mechanism, prerequisites, affected versions
   • Identify target-specific adjustments needed

3. Development Phase

   • Delegate to exploit-developer agent (opus) for novel PoC development
   • Or delegate to exploit-developer-low (sonnet) for adapting existing PoCs
   • PoC should include: target validation, exploitation, verification, cleanup

4. Development Lifecycle

   • Prototype: Quick PoC to confirm exploitability — minimal, no error handling
   • Validate: Re-run PoC 3 times to confirm deterministic reproduction
   • Harden: Add error handling, input validation, target verification (don't exploit wrong host)
   • Document: Add comments explaining each step, expected output, cleanup procedure
   • Cleanup: Include cleanup steps to remove any artifacts left on target
     • Delete uploaded files
     • Remove test accounts created
     • Revert configuration changes
     • Document ALL modifications in the report for remediation tracking

5. PoC Quality Requirements

   • MUST be copy-pasteable (no "modify the script for your target")
   • MUST include all required headers (program research headers)
   • MUST show expected output after each step
   • MUST include target validation (check it's the right host before exploiting)
   • MUST include cleanup steps
   • MUST NOT cause permanent damage (no data deletion, no DoS)
   • SHOULD be a single script file where possible (Python preferred)
   • SHOULD handle errors gracefully (timeouts, auth failures, WAF blocks)

6. Output

   • Save PoC to exploits/ directory with naming: exploit_<cve_or_vuln>_<target>.py
   • Include usage instructions, requirements, and cleanup steps
   • Document in findings log via /greyhatcc:findings
   • Update gadgets.json with exploit capability (what it provides: code_execution, file_read, etc.)
   • Update tested.json with exploitation attempt and result
   • Run dedup-checker before writing h1-report
   • Cleanup documentation: List all files placed, accounts created, configurations changed in the report

State Updates

After completing this skill:

1. Update tested.json — record what was tested (asset + vuln class)
2. Update gadgets.json — add any informational findings with provides/requires tags for chaining
3. Update findings_log.md — log any confirmed findings with severity
4. Update hunt-state.json if in active hunt — set lastActivity timestamp