Chapter 12: Exercises — Exploitation Fundamentals and Metasploit

⚖️ Legal Note: All exercises must be performed in your own lab environment or on systems you have explicit written authorization to test. Never practice exploitation techniques against systems you do not own or have permission to test.

Exercise 12.1: Metasploit Setup and Database Configuration

Objective: Configure the Metasploit Framework with database support and verify functionality.

Instructions: 1. Start the PostgreSQL service and initialize the Metasploit database. 2. Launch msfconsole and verify database connectivity with db_status. 3. Create a new workspace named lab_exercise_12. 4. Import an Nmap XML scan of your lab network into the workspace. 5. Use hosts and services to verify the imported data.

Expected Deliverable: Screenshot showing database status, workspace creation, and imported scan data.

Exercise 12.2: Exploit Search and Analysis

Objective: Practice finding and analyzing exploits in Metasploit.

Instructions: 1. Use the search command to find all exploits targeting Apache Struts. 2. Find all exploits with CVE-2017 that target Windows SMB. 3. Select the EternalBlue exploit (ms17_010_eternalblue) and display its full info output. 4. List all available targets for this exploit. 5. Compare the EternalBlue exploit's ranking with the ms17_010_psexec variant. Which would you choose for a production healthcare environment, and why?

Expected Deliverable: Written analysis comparing the two MS17-010 exploits with a recommendation for the MedSecure scenario.

Exercise 12.3: Payload Selection and Configuration

Objective: Understand payload types and configure appropriate payloads for different scenarios.

Instructions: For each scenario below, identify the most appropriate payload and explain your reasoning:

  1. Target is a Windows Server 2019 (x64) behind a firewall that allows only outbound HTTPS traffic.
  2. Target is a Linux server with no outbound connectivity—only inbound connections are possible.
  3. Target is a Windows workstation, and you need to minimize payload size due to a small exploit buffer (200 bytes).
  4. Target is behind a restrictive proxy, and you need reliable C2 communication.

For scenario 1, configure the payload in msfconsole with all required options.

Expected Deliverable: Written justification for each payload choice and configured msfconsole output for scenario 1.

Exercise 12.4: Setting Up a Multi/Handler

Objective: Configure and manage payload handlers for receiving connections.

Instructions: 1. Set up a multi/handler listener for a windows/x64/meterpreter/reverse_https payload on port 443. 2. Configure the handler to continue listening after the first session connects. 3. Run the handler as a background job. 4. List all active jobs. 5. Set up a second handler for linux/x64/meterpreter/reverse_tcp on port 4444. 6. Generate a standalone payload using msfvenom for each handler.

Expected Deliverable: Screenshots of both handlers running as background jobs and the msfvenom commands used.

Exercise 12.5: Exploiting a Vulnerable Target

Objective: Perform a complete exploitation workflow against a vulnerable virtual machine.

Prerequisites: Set up Metasploitable2 or Metasploitable3 in your lab.

Instructions: 1. Scan the target with Nmap and import the results into Metasploit's database. 2. Identify at least three exploitable services. 3. Use the check command where available to confirm vulnerability. 4. Successfully exploit one service and obtain a Meterpreter session. 5. Run sysinfo, getuid, and ifconfig to document the compromised system.

Expected Deliverable: Complete penetration test log with timestamps, commands, and screenshots.

Exercise 12.6: Meterpreter Fundamentals

Objective: Practice essential Meterpreter commands.

Instructions (requires an active Meterpreter session): 1. Gather system information: sysinfo, getuid, getpid. 2. List running processes and identify potential migration targets. 3. Migrate to a stable process (e.g., explorer.exe or svchost.exe). 4. Navigate the file system: list the contents of the Desktop and Documents folders. 5. Upload a benign text file to the target's Desktop. 6. Download a non-sensitive file from the target. 7. Take a screenshot. 8. Set up port forwarding from your local port 8080 to the target's port 80.

Expected Deliverable: Log of all commands and their output, with explanations of why you chose specific migration targets.

Exercise 12.7: Post-Exploitation Enumeration

Objective: Use Metasploit post-exploitation modules for information gathering.

Instructions: 1. From an active Meterpreter session, background the session. 2. Run the following post modules and document the output: - post/windows/gather/enum_logged_on_users - post/windows/gather/enum_applications - post/windows/gather/enum_shares - post/windows/gather/checkvm 3. If running as SYSTEM, use hashdump to extract local account hashes. 4. Identify which gathered information would be most useful for lateral movement.

Expected Deliverable: Summary report of all enumeration findings with a lateral movement plan.

Exercise 12.8: Pivoting Through Compromised Hosts

Objective: Set up routing through a compromised host to reach additional network segments.

Instructions: 1. Set up a lab with two network segments: 10.10.10.0/24 and 192.168.1.0/24. The compromised host should have interfaces on both networks. 2. Exploit the dual-homed host and obtain a Meterpreter session. 3. Use autoroute to add a route to the 192.168.1.0/24 network. 4. Run a TCP port scan through the pivot against a host on 192.168.1.0/24. 5. Attempt to exploit a service on the pivoted network.

Expected Deliverable: Network diagram, routing configuration, and evidence of successful pivot.

Exercise 12.9: Resource Script Automation

Objective: Create Metasploit resource scripts for automated exploitation workflows.

Instructions: Write a resource script (.rc) that performs the following automated workflow: 1. Sets up the workspace. 2. Imports an Nmap scan. 3. Configures an EternalBlue exploit with appropriate payload and options. 4. Runs the exploit. 5. Automatically executes hashdump and enum_logged_on_users upon session creation.

Test the script by loading it with resource /path/to/script.rc.

Expected Deliverable: The complete .rc file with comments explaining each section.

Exercise 12.10: Custom Vulnerability Checker

Objective: Write a Python script that checks for common vulnerabilities using version detection.

Instructions: 1. Review the example-01-exploit-checker.py code from this chapter's code directory. 2. Extend the script to check for at least three additional CVEs relevant to the MedSecure environment (e.g., Apache Struts, Apache Log4j, Microsoft Exchange ProxyLogon). 3. The script should take a target IP and port range as input. 4. Output should clearly indicate whether each service appears vulnerable, safe, or unknown. 5. Include proper error handling and timeout management.

Expected Deliverable: Working Python script with documentation and sample output.

Exercise 12.11: Payload Generation and Evasion

Objective: Generate payloads with msfvenom and understand encoding/evasion techniques.

Instructions: 1. Generate a basic Windows Meterpreter reverse TCP payload as an EXE. 2. Generate the same payload with shikata_ga_nai encoding (3 iterations). 3. Generate a payload as a Python script. 4. Generate a payload as a PowerShell one-liner. 5. For each generated payload, calculate and record the MD5 hash. 6. Generate two instances of the shikata_ga_nai-encoded payload and compare their hashes (they should differ due to polymorphism).

Expected Deliverable: All generated payloads, their hashes, and an analysis of how encoding affects detection.

Exercise 12.12: Exploit Documentation Practice

Objective: Practice professional documentation of exploitation activities.

Instructions: Perform any successful exploitation in your lab and document it in the following format:

  1. Executive Summary — One paragraph describing the vulnerability and its business impact.
  2. Technical Details — CVE number, affected versions, CVSS score, exploit mechanism.
  3. Steps to Reproduce — Exact commands and configurations used.
  4. Evidence — Screenshots, command output, hashes of exfiltrated data.
  5. Risk Rating — Critical/High/Medium/Low with justification.
  6. Remediation — Specific, actionable steps to fix the vulnerability.

Expected Deliverable: Professional-quality vulnerability report (1-2 pages).

Exercise 12.13: Comparing Exploit Frameworks

Objective: Understand the strengths and limitations of different exploitation tools.

Instructions: Research and compare the following exploitation frameworks: 1. Metasploit Framework 2. Cobalt Strike 3. Sliver 4. Empire / Starkiller 5. Covenant

For each, document: licensing model, primary use case, payload types supported, evasion capabilities, post-exploitation features, and community/commercial support.

Expected Deliverable: Comparison matrix with a recommendation for which tools to use in different engagement types.

Exercise 12.14: Meterpreter Scripting

Objective: Write a Meterpreter script to automate post-exploitation tasks.

Instructions: Write a Ruby script for Meterpreter that: 1. Checks the current privilege level. 2. If not SYSTEM, attempts getsystem. 3. Runs hashdump and saves results. 4. Enumerates network interfaces and routing tables. 5. Lists recently modified files in common locations. 6. Saves all output to a structured report file on the attacker machine.

Expected Deliverable: Working Meterpreter script with comments.

🧪 Exercise 12.15: MedSecure Full Exploitation Lab

Objective: Complete an end-to-end exploitation exercise against a simulated MedSecure environment.

Lab Setup Requirements: - Windows Server 2016 (FILE01) — vulnerable to MS17-010 - Windows Server 2019 (DC01) — domain controller - Ubuntu 20.04 (WEB01) — running a vulnerable web application - Kali Linux — attacker machine

Instructions: 1. Scan the environment and identify all vulnerabilities. 2. Exploit FILE01 using EternalBlue. 3. Extract credentials from FILE01. 4. Use extracted credentials to move laterally to DC01. 5. Demonstrate domain-wide access by listing all domain users and groups. 6. Document the complete attack chain, including timestamps and screenshots. 7. Write remediation recommendations for each vulnerability exploited.

Expected Deliverable: Full penetration test report following a standard methodology (executive summary, methodology, findings, recommendations).

Exercise 12.16: Exploit Development Introduction

Objective: Understand the basic concepts of exploit development.

Instructions: 1. Install a deliberately vulnerable application (e.g., VulnServer, SLMail) in your Windows lab. 2. Using a debugger (Immunity Debugger or x64dbg), send an oversized input to crash the application. 3. Identify the offset at which you overwrite the EIP (Extended Instruction Pointer). 4. Replace the EIP overwrite value with the address of a JMP ESP instruction. 5. Add a NOP sled followed by a basic payload (e.g., a MessageBox shellcode). 6. Document the complete exploit development process.

Expected Deliverable: Working exploit script and development documentation showing each step.

Exercise 12.17: Ethical Considerations Scenario

Objective: Practice ethical decision-making in exploitation scenarios.

Instructions: Consider the following scenario and write a 500-word analysis:

During the MedSecure penetration test, you successfully exploit a Windows Server 2016 file server and discover it hosts medical images from the radiology department. While documenting your findings, you notice a folder labeled "Oncology Reports" containing what appear to be cancer diagnosis documents with patient names.

Address the following: 1. What should you do immediately? 2. How do you handle this data in your report? 3. What are the HIPAA implications? 4. How does this change the risk rating of the finding? 5. What would you recommend to MedSecure's CISO?

Expected Deliverable: Written ethical analysis with specific action items.