TryHackMe: Complete Beginner

author: Nathan Acks
date: 2021-10-20

Metasploit

Move That Shell!

Use db_nmap $FLAGS $IP to run nmap directly from Metasploit and dump the results into the Metasploit DB. All nmap $FLAGS are supported. If you choose a scan type where root access is required, Metasploit will automatically prompt you to elevate privileges. Dumping nmap output directly into the database removes (?) the need to save output files using -oA.

Some useful Metasploit console commands:

The output of these three commands is updated as Metasploit gains more information through scans, etc.

Note that you can also call regular shell commands (ip, ls, etc.) from msfconsole.

REMEMBER: Open up the port Metasploit’s going to use in your firewall before running the exploit. By default this is port 4444 (set with LPORT).
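The flip side of that default is that a defender can cheaply watch for it. The script below is an added example, not part of the original notes: it parses constructed firewall-style key=value log lines (the format is invented for the example, not any vendor's) and flags TCP flows to the Metasploit default handler port. The only page fact it relies on is that LPORT defaults to 4444; since the port is configurable, treat this as a first-pass filter, and note that denied attempts are reported too because a host trying to call out is itself worth a look.

```python
"""Flag connections to the Metasploit default handler port in firewall logs.

Added example (not from the original notes). Log format is a constructed
key=value style; the only page fact used is that Metasploit's default
LPORT is 4444. Port-based matching is a low-cost first filter, not proof.
"""
import re
from dataclasses import dataclass

DEFAULT_SUSPECT_PORTS = {4444}  # Metasploit default LPORT (see notes above)

# Constructed sample lines in a simple key=value format (not real logs).
SAMPLE_LOG = """\
ts=2021-10-20T10:00:01Z action=allow proto=tcp src=10.0.5.23 spt=51234 dst=203.0.113.9 dpt=443
ts=2021-10-20T10:00:04Z action=allow proto=tcp src=10.0.5.23 spt=51240 dst=198.51.100.7 dpt=4444
ts=2021-10-20T10:00:09Z action=deny proto=tcp src=10.0.5.40 spt=40021 dst=198.51.100.7 dpt=4444
ts=2021-10-20T10:00:15Z action=allow proto=udp src=10.0.5.23 spt=5353 dst=224.0.0.251 dpt=5353
garbage line that should be ignored
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Return a dict of key=value fields, or None for lines missing the
    fields we need (src, dst, dpt)."""
    fields = dict(KV_RE.findall(line))
    if not {"src", "dst", "dpt"} <= fields.keys():
        return None
    return fields


def find_handler_connections(log_text, suspect_ports=DEFAULT_SUSPECT_PORTS):
    """Return an Alert for every TCP flow whose destination port is a
    suspected handler port. Allowed and denied flows are both reported:
    a denied attempt still shows a host trying to call back."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or fields.get("proto") != "tcp":
            continue
        try:
            dport = int(fields["dpt"])
        except ValueError:
            continue  # malformed port field
        if dport in suspect_ports:
            alerts.append(Alert(fields.get("ts", "?"), fields["src"],
                                fields["dst"], dport, fields.get("action", "?")))
    return alerts


def summarize(alerts):
    """Count alerts per (src, dst) pair so repeated callbacks stand out."""
    counts = {}
    for a in alerts:
        key = (a.src, a.dst)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_handler_connections(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.action:5} {a.src} -> {a.dst}:{a.dport}")
    print(summarize(found))
```

Pass a different set to suspect_ports if your environment has seen handlers on other ports; the parser and summary are unchanged.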

We’re In, Now What?

Meterpreter (Metasploit remote shell) commands:

I think that Meterpreter is being run directly from memory, and what migrate is doing is basically creating a new process using the memory of a different application, hopping to that process, and then shutting down the old process.

The main reason to migrate the Meterpreter process is to hide it in a service or application that is likely to be long-lived. (Also, the initial Meterpreter process often isn’t all that stable, and migration generally ensures that it won’t just die on us.)
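From the endpoint side, the sequence the notes describe (code lands in a second process, the session hops, the first process exits) leaves a correlatable trace. The script below is an added example, not from the original notes. It uses two real Sysmon event types, Event ID 8 (CreateRemoteThread) and Event ID 5 (process terminated), but the records are constructed, and treating "remote thread into another process, then the source exits within a short window" as a migration signature is a heuristic assumption of this example rather than a documented rule.

```python
"""Correlate remote-thread creation with the source process exiting soon after.

Added example (not from the original notes). Sysmon Event ID 8
(CreateRemoteThread) and Event ID 5 (process terminated) are real event
types; the records below are constructed, and the "remote thread then
source exits" pairing is a heuristic assumption for illustration.
"""
from datetime import datetime, timedelta

# Constructed Sysmon-like records (field names follow Sysmon's schema).
EVENTS = [
    {"EventID": 8, "UtcTime": "2021-10-20 10:05:00.100",
     "SourceProcessId": 4120, "SourceImage": "C:\\Users\\bob\\Downloads\\update.exe",
     "TargetProcessId": 2876, "TargetImage": "C:\\Windows\\System32\\spoolsv.exe",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 5, "UtcTime": "2021-10-20 10:05:01.400",
     "ProcessId": 4120, "Image": "C:\\Users\\bob\\Downloads\\update.exe"},
    # A remote thread whose source keeps running for a long time afterwards.
    {"EventID": 8, "UtcTime": "2021-10-20 10:06:00.000",
     "SourceProcessId": 900, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetProcessId": 1500, "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"EventID": 5, "UtcTime": "2021-10-20 10:20:00.000",
     "ProcessId": 900, "Image": "C:\\Windows\\System32\\csrss.exe"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_time(s):
    """Parse Sysmon's UtcTime string into a datetime."""
    return datetime.strptime(s, TIME_FMT)


def find_migrations(events, window=timedelta(seconds=10)):
    """Return one finding per CreateRemoteThread whose source process
    terminates within `window` afterwards. Each finding records source,
    target, the gap in seconds, and whether the thread start had no
    backing module (StartModule empty), which is itself unusual."""
    exits = {}  # pid -> list of exit times (pids get reused, so keep all)
    for ev in events:
        if ev["EventID"] == 5:
            exits.setdefault(ev["ProcessId"], []).append(parse_time(ev["UtcTime"]))

    findings = []
    for ev in events:
        if ev["EventID"] != 8:
            continue
        t0 = parse_time(ev["UtcTime"])
        for t_exit in exits.get(ev["SourceProcessId"], []):
            if t0 <= t_exit <= t0 + window:
                findings.append({
                    "source": ev["SourceImage"],
                    "target": ev["TargetImage"],
                    "target_pid": ev["TargetProcessId"],
                    "gap_seconds": (t_exit - t0).total_seconds(),
                    "unbacked_start": ev.get("StartModule", "") == "",
                })
                break  # one finding per remote-thread event is enough
    return findings


if __name__ == "__main__":
    for f in find_migrations(EVENTS):
        print(f)
```

The window is the tunable part: too short and a slow hop is missed, too long and ordinary remote threads followed by unrelated exits start matching, which is why the second record pair above is not reported at the default setting.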

Potentially useful Metasploit modules to run from Meterpreter:

Makin’ Cisco Proud

There seem to be a lot of options for the post/multi/manage/autoroute and auxiliary/server/socks_proxy modules, but I don’t see a way to access them from Meterpreter (it looks like to get help you need to background Meterpreter and use the console).

The advantage of setting up a SOCKS proxy on the target is that you can then use proxychains to route through the target; this can allow you to pivot more deeply into the network that you’re attacking. (You probably want to create a custom proxychains.conf file to do this. Fortunately, /etc/proxychains.conf is well documented.)