TryHackMe: Metasploit Introduction  –  Walkthrough

Hi! Welcome to this walkthrough on the TryHackMe room Metasploit: Introduction, the first part of the Metasploit rooms on TryHackMe. Metasploit is the most widely used exploitation framework. Metasploit is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.

Metasploit Introduction Banner
Metasploit Introduction Banner

Room URL: https://tryhackme.com/room/metasploitintro

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Part 1: Metasploit Introduction

Metasploit is the most popular exploitation framework, and it has two main versions:

  • Metasploit Pro: The commercial version that facilitates the automation and management of tasks. This version has a graphical user interface (GUI).
  • Metasploit Framework: The open-source version that works from the command line. This room will focus on this version, installed on the AttackBox and most commonly used penetration testing Linux distributions.

The Metasploit Framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more. The main components of the Metasploit Framework can be summarized as follows;

  • msfconsole: The main command-line interface.
  • Modules: supporting modules such as exploits, scanners, payloads, etc.
  • Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing. Some of these tools are msfvenom, pattern_create and pattern_offset.

Questions

Read the introduction to Metasploit

Answer: No answer needed

Part 2: Main Components of Metasploit

Metasploit can be open from the terminal using the msfconsole command. This will b e your main interface to interact with the different modules which Metasploit consists of. These modules are small components which each are built for a specific task.

Before moving on it is important to understand the following three concepts:

  • Exploit: A piece of code that uses a vulnerability present on the target system.
  • Vulnerability: A design, coding, or logic flaw affecting the target system. The exploitation of a vulnerability can result in disclosing confidential information or allowing the attacker to execute code on the target system.
  • Payload: An exploit will take advantage of a vulnerability. However, if we want the exploit to have the result we want (gaining access to the target system, read confidential information, etc.), we need to use a payload. Payloads are the code that will run on the target system.

Let’s briefly convert the different modules of Metasploit:

Auxiliary: Any supporting module, such as scanners, crawlers and fuzzers, can be found here.

Encoders: Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.

Evasion: While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software. On the other hand, “evasion” modules will try that, with more or less success.

Exploits: Exploits, neatly organized by target system.

NOPs: NOPs (No OPeration) do nothing, literally. They are represented in the Intel x86 CPU family they are represented with 0x90, following which the CPU will do nothing for one cycle. They are often used as a buffer to achieve consistent payload sizes.

Payloads: Payloads are codes that will run on the target system. Example payloads could be: getting a shell, load malware, or opening a backdoor.

You will see three different directories under payloads: singles, stagers and stages.

  • Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
  • Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. “Staged payloads” will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small.
  • Stages: Downloaded by the stager. This will allow you to use larger sized payloads.

Post: Post modules will be useful on the final stage of the penetration testing process listed above, post-exploitation.

Questions

What is the name of the code taking advantage of a flaw on the target system?

A piece of code that uses a vulnerability present on the target system is called an exploit.

Answer: Exploit

What is the name of the code that runs on the target system to achieve the attacker’s goal?

We call code that runs on the target system to archieve the attacker’s goal payload. We exploit vulnerabilities on a target system to get our payload across to the target.

Answer: Payload

What are self-contained payloads called?

Self-contained payloads in Metasploit are called singles. This is the opposite of stagers, as these first run and then download more code to decrease the initial file size.

Answer: Singles

Is “windows/x64/pingback_reverse_tcp” among singles or staged payload?

Some quick googling let me to this page:

Metasploit Module Library

Here it mentions that the source code is found here: modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb

The answer is thus singles.

Answer: singles

Part 3: Msfconsole

As mentioned earlier, you can launch Metasploit with the msfconsole command. Many of the regular command line commands that you know will work in the metasploit console. Examples of this are ls, ping, clear, history and much more. It is important to realize however that some features won’t work, such as output redirection. It does however feature tab completion!

Msfconsole is managed by context. If you a parameter setting, and afterwards change module, you will lose your settings! This is unless you specific the variable as a global type.

You select a module by giving the use command, followed by the name of the module. You can afterwards see the available options in the context by writing show options. It also shows the variables we can or are required to set.

The show command can be used followed by the module type (auxiliary, payload, exploit) to list available modules. If used from the msfconsole prompt, the show command will list all modules.

Further information on any module can be obtained by typing the info command within its context.

The search command is one of the most useful commands available. It will search the Metasploit Framework database for modules relevant to the search query. You can search on both exploit name, CVE numbers and/or target system. An important thing to note is that the search results show a number at the beginning of each result line. This number can be used to to activate a module. You can therefore use use 0, instead of use auxiliary/admin/smb/ms17_010_command (if this is the first result of your search).

Questions

I would start searching on apache by running search apache.

Answer: search apache

Who provided the auxiliary/scanner/ssh/ssh_login module?

We can use the info command followed by the module path:

info auxiliary/scanner/ssh/ssh_login module

See the results under Provided by:

Running info on the ssh_info module
Running info on the ssh_info module

Answer: todb

Part 4: Working with modules

After using the use command to select a module name, you need to set its parameters. Although many parameters are shared by different modules, additional or different parameters may need to be set. You can list the parameters by entering show options.

You set a parameter by entering set PARAMETER_NAME VALUE. It is important to note that some parameters have default values (make sure these fit your case), and others might be required for the tools to run. You can see this in the show options menu under the “required” column. Once you have set a parameter, you can use the show options command to check the value was set correctly.

Parameters you will often use are:

  • RHOSTS: “Remote host”, the IP address of the target system. A single IP address or a network range can be set. You can also use a file where targets are listed, one target per line using file:/path/of/the/target_file.txt.
  • RPORT: “Remote port”, the port on the target system the vulnerable application is running on.
  • PAYLOAD: The payload you will use with the exploit.
  • LHOST: “Localhost”, the attacking machine (your AttackBox or Kali Linux) IP address.
  • LPORT: “Local port”, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine.
  • SESSION: Each connection established to the target system using Metasploit will have a session ID. You will use this with post-exploitation modules that will connect to the target system using an existing connection.

You can override any set parameter using the set command again with a different value. You can also clear any parameter value using the unset command or clear all set parameters with the unset all command.

The setg command is used to set global values which are used for all modules. When you switch module you will still have the value set. You can clear any value set with setg using unsetg.

Once all module parameters are set, you can launch the module using the exploit command. Metasploit also supports the run command, which is an alias created for the exploit command.

Some modules support the check option. This will check if the target system is vulnerable without exploiting it.

Once a vulnerability has been successfully exploited, a session will be created. This is the communication channel established between the target system and Metasploit.

You can use the background command to background the session prompt and go back to the msfconsole prompt. Alternatively, CTRL+Z can be used to background sessions.

Questions

How would you set the LPORT value to 6666?

We need to use the following syntax: SET <PARAMETER> <VALUE>. In this case SET LPORT 6666.

Answer: SET LPORT 6666

How would you set the global value for RHOSTS to 10.10.19.23 ?

Similar syntax as last question, but now using SETG to set a global value.

Answer: SETG RHOSTS 10.10.19.23

What command would you use to clear a set payload?

To clear a value we use unset. Payload is the value name. So we can just write unset payload.

Answer: unset payload

What command do you use to proceed with the exploitation phase?

Run or exploit. In this case THM expects a 6 letter word so the answer here is exploit!

Answer: Exploit

Part 5: Summary

As we have seen so far, Metasploit is a powerful tool that facilitates the exploitation process. The exploitation process comprises three main steps; finding the exploit, customizing the exploit, and exploiting the vulnerable service. Metasploit provides many modules that you can use for each step of the exploitation process. Through this room, we have seen the basic components of Metasploit and their respective use. I hope you enjoyed this walkthrough on the TryHackMe room Metasploit Introduction.

Read more of my walkthroughs here.

Questions

No answer needed.

Answer: No answer needed

Like my articles?

You are welcome to comment on my article, and share this post with friends 🙂
I would be so grateful if you support me by buying me a cup of coffee:

Buy me a coffee
Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

Tags

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *


Trending now

Background
Data Fundamentals Part 1: Understanding Roles & Concepts