TryHackMe: Metasploit: Introduction Writeup
This room is an introduction to the main components of the Metasploit Framework. It can be accessed using the link: https://tryhackme.com/room/metasploitintro
Task 2: Main Components of Metasploit
Auxiliary: Any supporting module, such as scanners, crawlers and fuzzers, can be found here.
Encoders: Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.
Evasion: While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software.
Exploit: A piece of code that uses a vulnerability present in the target system.
NOPs: NOPs (No OPeration) do nothing, literally.
Payloads: Payloads are codes that will run on the target system. We will see three different directories under payloads: singles, stagers and stages.
- Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
- Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. “Staged payloads” will first upload a stager on the target system and then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
- Stages: Downloaded by the stager. This will allow you to use larger sized payloads.
Post: Post modules will be useful in the final stage of the penetration testing process listed above, post-exploitation.
Q&A
- What is the name of the code taking advantage of a flaw in the target system? Answer: Exploit
- What is the name of the code that runs on the target system to achieve the attacker’s goal? Answer: Payload
- What are self-contained payloads called? Answer: Singles
- Is “windows/x64/pingback_reverse_tcp” among singles or staged payload? Answer: Singles
Task 3: Msfconsole
- How would you search for a module related to Apache? Answer: search apache
- Who provided the auxiliary/scanner/ssh/ssh_login module? Answer: todb
Task 4: Working with modules
When dealing with Metasploit, you may see five different prompts:
- The regular command prompt: You can not use Metasploit commands here.
- The msfconsole prompt: msf5 (or msf6 depending on your installed version) is the msfconsole prompt. As you can see, no context is set here, so context-specific commands to set parameters and run modules can not be used here.
- A context prompt: Once you have decided to use a module and used the set command to choose it, the msfconsole will show the context. You can use context-specific commands (e.g. set RHOSTS 10.10.x.x) here.
- The Meterpreter prompt: Meterpreter is an important payload we will see in detail later in this module. This means a Meterpreter agent was loaded to the target system and connected back to you. You can use Meterpreter specific commands here.
- A shell on the target system: Once the exploit is completed, you may have access to a command shell on the target system. This is a regular command line, and all commands typed here run on the target system.
Parameters you will often use are:
- RPORT: “Remote port”, the port on the target system the vulnerable application is running on.
- RHOSTS: “Remote host”, the IP address of the target system. A single IP address or a network range can be set. This will support the CIDR (Classless Inter-Domain Routing) notation (/24, /16, etc.) or a network range (10.10.10.x — 10.10.10.y). You can also use a file where targets are listed, one target per line using file:/path/of/the/target_file.txt.
- PAYLOAD: The payload you will use with the exploit.
- LHOST: “Localhost”, the attacking machine (your AttackBox or Kali Linux) IP address.
- LPORT: “Local port”, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine, and you can set it to any port not used by any other application.
- SESSION: Each connection established to the target system using Metasploit will have a session ID. You will use this with post-exploitation modules that will connect to the target system using an existing connection.
The set command to set a value using a module and you switch to another module, you will need to set the value again. The setg command allows you to set the value so it can be used by default across different modules. You can clear any value set with setg using unsetg.
The exploit -z command will run the exploit and background the session as soon as it opens.
Q&A
- How would you set the LPORT value to 6666? Answer: set LPORT 6666
- How would you set the global value for RHOSTS to 10.10.19.23? Answer: setg RHOSTS 10.10.19.23
- What command would you use to clear a set payload? Answer: unset PAYLOAD
- What command do you use to proceed with the exploitation phase? Answer: exploit
Hope this blog helped you.