TryHackMe CyberLens: Mastering Metasploit Framework

Introduction
Metasploit is a very popular framework that can cover almost the entire “lifecycle” of an attack. It combines enumeration, vulnerability scanning, exploitation, and other features, allowing users to perform all necessary penetration testing exercises from one interface. This is perfectly demonstrated in the TryHackMe room called CyberLens.
Link to the TryHackMe CyberLens: https://tryhackme.com/r/room/cyberlensp6
Walkthrough
Enumeration
As usual, the first step is to identify the points of connection with our target system: open ports. Normally we would do this with Nmap or Nikto, but Metasploit provides the same ability out of the box.
First, we need to define the Remote Hosts (RHOSTS). This tells the scanner module which target IP to use:
set RHOSTS 10.10.39.10
… where 10.10.39.10 is the IP of my target machine.
Now we can activate the module:
use auxiliary/scanner/portscan/tcp
For further adjustments, such as the port range, we can use the command:
show options
… however, the defaults are fine for us.

Fun fact: with db_nmap you still have to supply the target IP as an argument. Nevertheless, you can also use the rest of the Nmap flags, including:
- -A — Identification of services
- -sV — Identification of services versions
db_nmap -sV -A 10.10.39.10

We can see that there is a web server on port 80. One of its functions is image metadata extraction.

Naturally, the first thing I tried was CVE-2021-22204 in ExifTool, which allows remote code execution, but it was in vain. Then I investigated the source code of the page and found an interesting snippet in the JavaScript code:
fetch("http://cyberlens.thm:61777/meta", {
    method: "PUT",
    body: fileData,
    headers: {
        "Accept": "application/json",
        "Content-Type": "application/octet-stream"
    }
})
… which shows that we overlooked one important port: 61777. We missed it because of its high port number, which lies outside the range our first scans covered. Let's scan it as well using the -p flag.
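As an added example (not part of the original write-up), here is a small Python helper that extracts the endpoints referenced in a page's client-side JavaScript and flags the ports that the earlier port scan never covered, which is exactly how port 61777 was found above. The sample JavaScript and the assumed scan range of 1-10000 are constructed for the illustration.

```python
"""Spot services referenced by client-side JavaScript that a port scan missed.

Added example (not part of the original write-up). It extracts every absolute
URL quoted in a JS source, collects the ports those URLs imply, and reports
the ones that fall outside the range the port scan covered.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Matches absolute http(s) URLs inside single- or double-quoted JS strings.
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")

# Port implied by a URL that carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def urls_in_js(source: str) -> list[str]:
    """Return the absolute http(s) URLs quoted in a JavaScript source, in order."""
    return URL_RE.findall(source)


def endpoint_ports(source: str) -> dict[int, set[str]]:
    """Map each port referenced by the JS to the set of hosts using it."""
    ports: dict[int, set[str]] = {}
    for url in urls_in_js(source):
        parsed = urlparse(url)
        port = parsed.port or DEFAULT_PORTS[parsed.scheme]
        ports.setdefault(port, set()).add(parsed.hostname)
    return ports


def unscanned_ports(source: str, scanned: range) -> list[int]:
    """Ports the JS talks to that the scan range never covered, sorted."""
    return sorted(p for p in endpoint_ports(source) if p not in scanned)


# Constructed sample resembling the snippet found in the CyberLens page source.
SAMPLE_JS = """
const api = "http://cyberlens.thm:61777/meta";
fetch(api, { method: "PUT", body: fileData });
fetch("http://cyberlens.thm/upload", { method: "POST" });
fetch('https://cdn.example.org/lib.js');
"""

if __name__ == "__main__":
    # Assumption: the earlier TCP scan covered ports 1-10000 only.
    print(unscanned_ports(SAMPLE_JS, range(1, 10001)))  # [61777]
```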

We found an Apache Tika 1.17 server, vulnerable to CVE-2018-1335 (remote code execution).
Le Classique: Vulnerable Apache
Using Metasploit's search capabilities, we can find an exploit for it as well:

Fortunately, the exploit targets Windows, which is also the OS our target runs. Let's select the exploit:
use exploit/windows/http/apache_tika_jp2_jscript
However, if we look at the options of the exploit, we have to tune several parameters:
- RPORT: we are using the custom port 61777
- LHOST: the IP of the listener, normally our own IP
I configured the corresponding settings using the set command.

Let's launch the exploit with the run command and get our first shell.

As it usually happens in CTFs, the flag is in the Desktop directory:

Privilege Escalation
Of course, this is not enough for us, and we need the root (administrator) flag. Let's keep our access to the machine by putting the session in the background using the background command:

… and look for something like Windows Privilege Escalation Awesome Scripts (WinPEAS). But again, there is no need to download anything, since this kind of check is available by default in Metasploit as the Local Exploit Suggester.

Let's activate it with the use command and look at the options.
use post/multi/recon/local_exploit_suggester

We only need to set the SESSION option with the set command, and then we can run it.
As we can see, it runs checks for multiple exploits and detects 5 possible candidates for our victim:

As we are lazy, let's select the first one suggested:
use exploit/windows/local/always_install_elevated
This is the misconfiguration that lets a regular user install MSI files with high privileges. Again, we need to set SESSION and LHOST.

Let’s run it.

And we get the most powerful account on this system. Powerful enough to enter the Administrator's Desktop folder and grab the flag:

Hacked.
Conclusion
Metasploit is a powerful tool
It is not just a tool — it is a framework that has everything you need for your legal red team exercises.
Never ever
… use outdated components. That is exactly what hands attackers a reverse shell on your real systems. Also, do not forget to manage user permissions and installer policies to avoid any kind of privilege escalation.