Introduction to Metasploit
Which version of Metasploit comes equipped with a GUI interface?
metasploit pro
What command do you use to interact with the free version of Metasploit?
msfconsole
Modules
Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator’s desktop and submit the contents as the answer.

We already know that we need to use the EternalRomance exploit, so let’s start Metasploit.

Search for the exploit

And see what we need to set

Set the parameters

And run the exploit to get a shell

Now that we are inside the server, let’s search for the file. We know that it is on the Administrator’s desktop.


HTB{MSF-W1nD0w5-3xPL01t4t10n}
Payloads
First, we need to scan the server

We saw that there is an Apache service running on port 8081.

Now that we know that the server is running Apache Druid, we need to find out whether there is an exploit for this application. First, open Metasploit.


We found an RCE exploit; let’s use it.

Set the parameters and run it.


To get a better shell, let’s execute a Python command.

python -c 'import pty; pty.spawn("/bin/bash")'
If we go back one directory, we find the flag.

HTB{MSF_Expl01t4t10n}
Sessions & Jobs
The target has a specific web application running that we can find by looking into the HTML source code. What is the name of that web application?

Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?

Open the web page on port 80. When you look at the source code, you will find the application.

Open Metasploit

Search for an exploit for this application

In this case, we are going to use a command injection exploit. Select the exploit, see the options and set the parameters

Run the exploit and get a shell. When you get the shell, execute the command whoami

www-data
The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer.
Type background to send this session to the background, then search for the vulnerability with the terms sudo heap

Show the options and set the parameters

Run the exploit and get the shell

HTB{5e55ion5_4r3_sw33t}
Meterpreter
Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?

Go to the browser and access this site

Now that we know the application that is running on this server, let’s search for a vulnerability. Open Metasploit, search for the exploit and set the parameters



nt authority\system
Retrieve the NTLM password hash for the “htb-student” user. Submit the hash as the answer.
Go back to the Meterpreter command line by pressing Ctrl + z and use the command hashdump

You have the answer
aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58