Lab 11.1: The Metasploit Framework - Ptsoares/SEC_335_Techjournal GitHub Wiki

Overview

The goal of this lab is to utilize Metasploit to gain a foothold on two different targets, and document Metasploit usage.

Useful Commands and Instructions

After conducting reconnaissance with nmap, you can locate candidate exploits using resources such as ExploitDB. From there, Kali Linux has Metasploit built in.

Use Metasploit:

sudo msfconsole

Use Exploit:

use [EXPLOIT_PATH] 

Once you have selected an exploit module, it's a good idea to run the options command to see how the exploit can be set up. These options look different from exploit to exploit, but the key is to provide the required information so that the exploit can work as expected. Here's how to configure the exploit options:

set [OPTION_NAME] [PARAMETER]

You can also see other compatible payloads with:

show payloads

To change payloads, you simply use:

set payload [PAYLOAD_PATH OR PAYLOAD_ID]

Once the exploit has been configured, you can run it with:

exploit

After starting an exploit, it can be moved to the background with:

background

You can list your session information with:

sessions -i

If you append the session number to the command above, you'll be brought back into that specific session.

Entering the shell command inside a Meterpreter session will open a shell on the target, so you can directly run commands on the target box.

Within this shell, you can open a Python shell by using the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

Using this shell, you can gather information about other users, collect the kernel information, and search for additional exploits.

If you store exploits on the attacking machine (host), they can be uploaded to the target through Meterpreter using:

upload [FILE_PATH] /tmp/[FILE_NAME]
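From the defender's side, the two post-foothold steps above (upgrading to a PTY with Python and staging a file in /tmp) leave recognisable traces in process-execution logs. The following is an added example, not part of the original lab journal, that scans a constructed set of log lines in a simplified "user|parent|cmdline" format and flags those patterns, rating them higher when they come from a service account that should never be spawning interactive shells.

```python
import re

# Constructed sample process-execution log lines (not from the original page).
# Format per line: user|parent_process|command_line
SAMPLE_LOG = """\
www-data|/usr/sbin/apache2|sh -c id
www-data|sh|python -c 'import pty; pty.spawn("/bin/bash")'
deploy|/usr/bin/bash|python3 -c 'import pty;pty.spawn("/bin/sh")'
root|/usr/sbin/cron|/bin/sh -c /usr/bin/logrotate /etc/logrotate.conf
www-data|bash|chmod +x /tmp/stage.sh
alice|/usr/bin/bash|python -c 'print(1)'
"""

# A TTY upgrade through Python's pty module (the journal's
# "python -c 'import pty; pty.spawn(...)'" line) is a common step right
# after a shell is obtained; legitimate automation almost never does this.
PTY_SPAWN = re.compile(r"python\d?\s+-c\s+.*import\s+pty.*pty\.spawn\(")

# A file dropped in /tmp and made executable matches the journal's
# "upload ... /tmp/[FILE_NAME]" staging step.
TMP_EXEC = re.compile(r"chmod\s+\+x\s+/tmp/\S+")

# Accounts that run services, not people; an interactive shell or a staged
# binary under one of these is more suspicious than under a normal user.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "nobody"}


def analyze(log_text):
    """Return (line_no, severity, rule, user) for every suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        user, _parent, cmdline = line.split("|", 2)
        severity = "high" if user in SERVICE_ACCOUNTS else "medium"
        if PTY_SPAWN.search(cmdline):
            findings.append((n, severity, "pty_spawn", user))
        elif TMP_EXEC.search(cmdline):
            findings.append((n, severity, "tmp_exec", user))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Real deployments would feed this from auditd execve records or an EDR process stream rather than the simplified format used here.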

Issues and Troubleshooting

It took me a while to locate the relevant exploit paths within msfconsole after locating the vulnerability in Exploit Database. One of the helpful ways I filtered out content was to use the use command followed by what I anticipated to be the beginning of the file path. For example, when I was looking for a phpMyAdmin exploit, rather than digging through all of the modules, I ran the following:

[screenshot: msfconsole output, not included in this export]

I ended up choosing the disclosure date of 2018, since as we saw in the ExploitDB entry, the CVE was listed in 2018:

[screenshot: ExploitDB entry, not included in this export]

Once I had the relevant exploit, I had to set the parameters that were requested. This is tough, since I still would've had to complete the same steps I did in the manual lab: determine the username, guess the password, and conduct more recon. In this context, it didn't feel like it would've been any easier to go about using msfconsole than it would've been to follow the path I used in the previous pen test on Nancurunir.

Questions/Reflection

Some pros:

  • A number of options to choose from in the DB, and there were customizable payloads
  • Using the interface directly from the msfconsole kept things consolidated on the screen

Some cons:

  • Locating the vulnerability within MSF console after finding it online took longer than it should've
  • Other than the set, use, and exploit commands, the interface wasn't exceptionally intuitive