Introduction to Metasploit Framework
Disclaimer: Please note that the writeups provided are solely intended to provide additional understanding for completing certain tasks. They do not provide direct answers, as some data has been partially masked to avoid revealing the exact solutions. The purpose is to guide readers through the proper methodology and thought process required to solve the challenges independently.
Introduction to Metasploit
Metasploit Framework is one of the most popular penetration testing frameworks used by security professionals and ethical hackers. It provides a large collection of exploits, payloads, scanners, encoders, and post-exploitation modules that simplify vulnerability testing and exploitation.
Metasploit is commonly used in:
- Penetration Testing
- Red Team Operations
- Capture The Flag (CTF) Challenges
- Exploit Development
- Privilege Escalation
- Post-Exploitation Activities
The framework allows attackers and security researchers to automate exploitation and gain deeper access into vulnerable systems.
Metasploit Framework
Q: Which version of Metasploit comes equipped with a GUI interface?
Answer: Metasploit Pro
Q: What command do you use to interact with the free version of Metasploit?
Answer:
msfconsole
Q: Use the Metasploit Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.
The question mentions EternalRomance, which is associated with the MS17-010 SMB vulnerability. I searched for related exploits inside Metasploit and found an exploit module related to SMB remote code execution.
Used exploit:
exploit/windows/smb/ms17_010_psexec
Set the following:
- RHOSTS
- LHOST
After running the exploit, a reverse shell session was established successfully. Navigating to the Administrator desktop revealed the flag.txt file.
Answer: HTB{MSF-W1nD0w5–3xPL01t4t1**}
Payloads
Q: Exploit the Apache Druid service and find the flag.txt file. Submit the contents of this file as the answer.
While enumerating the target, Apache Druid was identified running on port 8888.
I searched Metasploit for Apache Druid related exploits:
search apache druid
I used a remote command execution exploit related to Apache Druid and configured:
- RHOSTS
- LHOST
After running the exploit, a Meterpreter session was obtained successfully. From there, I navigated through the directories and located the flag.txt file.
Answer: HTB{MSF_Expl01t4t1**}
Sessions
Q: The target has a specific web application running that we can find by looking into the HTML source code. What is the name of that web application?
While browsing the target website, I checked the page source code using the browser's "View Page Source" option. From the source code and directory references, I identified that an open-source file manager application was running.
Answer: **finder
Q: Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?
After identifying the application from the previous question, I searched for available exploits inside Metasploit:
search elfinder
I found two exploits and used the archive command injection exploit.
Used exploit:
exploit/linux/http/elfinder_archive_cmd_injection
Configured:
- LHOST
- RHOSTS
After exploitation, a Meterpreter session was established successfully.
To obtain a standard shell:
shell
Then executed:
whoami
Answer: ***-data
Q: The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer.
Instead of closing the current Meterpreter session, I backgrounded it using:
background
Checking active sessions:
sessions
I then searched for exploits related to vulnerable Sudo versions:
search sudo
I found a local privilege escalation exploit related to:
Sudo Heap-Based Buffer Overflow
Used exploit:
exploit/linux/local/sudo_baron_samedit
Configured:
- SESSION
- LHOST
After running the exploit, root access was obtained successfully. Navigating to the root directory revealed the flag.txt file.
Answer: HTB{5e55ion5_4r3_sw***}
Meterpreter
Q: Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?
I started with an Nmap scan against the target:
nmap -sV -p- -A <TARGET_IP>
The scan results revealed the FortiLogger service running on the target system.
I searched Metasploit for FortiLogger related exploits and selected the relevant module. After setting:
- RHOSTS
- LHOST
I executed the exploit and received a Meterpreter session.
To identify the current user:
getuid
Answer: NT AUTHORITY\******
Q: Retrieve the NTLM password hash for the "htb-student" user. Submit the hash as the answer.
Inside the existing Meterpreter session, I attempted to dump password hashes using:
lsa_dump_sam
Meterpreter requested loading the Kiwi extension first.
Loaded extension:
load kiwi
Then reran:
lsa_dump_sam
The command displayed NTLM password hashes for local users, including the htb-student account.
Answer: cf3a5525ee9414229e66279623ed5***
Conclusion
This module provided practical hands-on experience with the Metasploit Framework, including exploitation, payload management, session handling, privilege escalation, and post-exploitation techniques. Throughout the exercises, multiple real-world vulnerabilities such as EternalRomance, Apache Druid RCE, elFinder Command Injection, and Sudo Baron Samedit were exploited successfully using Metasploit modules and Meterpreter sessions.