I’m pretty new to all this stuff - so far I’ve only got root on 2 of the machines here (Bastion and Resolute).
I haven’t used Metasploit at all yet, but in a lot of people’s write-ups or hints I see that’s what they used. Now unless I’m misunderstanding (which is entirely possible), it seems like it kind of does most of the work for you? Like you just identify which service it is you want to exploit, then all you do is pick the relevant Metasploit module and next thing you know you’ve got a reverse shell as local system.
Maybe it isn’t that straightforward or easy in reality, but if it is… doesn’t that kind of defeat the point of a hacking “challenge”? If all you do is run a port scan, run some pre-made script (Enum4Linux etc.), then run a Metasploit module, isn’t that the definition of a “script kiddie”? Or am I missing something?
On the one hand I get it - why reinvent the wheel or waste time manually looking through files etc. when you can automate it? Plus in the real world, all that matters is the end result of you actually owning the system. But on the other hand, I dunno, it just seems at odds with the idea of doing these challenges to learn things or to test your skill.
So yeah, is it as simple as it seems or is there still a lot of skill/knowledge required to use it?
It can be simple to use an MSF module to attack a system, but that isn’t always the case and, for most HTB boxes, you get a foothold rather than exploit the box.
It’s a bit like saying is it cheating to upload netcat and use that to create a shell rather than direct TCP manipulation via bash commands.
Is using nmap for a port scan cheating when you can manually use bash/nc to check the port and analyse the response to determine if it is open, closed or if there might be a firewall in the way?
Realistically, the tool is there to be used if people want to use it. If you don’t want to use it, don’t use it. If the box is easily compromisable by MSF, chances are any other exploit would be trivially easy or downloadable from GitHub.
“Like you just identify which service it is you want to exploit, then all you do is pick the relevant metasploit module and next thing you know you’ve got a reverse shell as local system.”
The thing that you’ve missed in your argument is that enumerating properly and knowing what to attack is a huge part of the entire process. It’s not something you “just” do. Metasploit makes some things easier but doesn’t make the most difficult parts of hacking easier. It’s convenient, but you need to know what to do in situations when the off-the-shelf tools don’t work.
Ah ok, maybe it’s not quite as simple as I thought then? Because from things I’ve read on here, it looked like in some cases people were literally just scanning a box and going “oh, X port is open so I just select X Metasploit module and I’ve got a reverse shell”. Obviously not for everything, but it seemed like some parts of some boxes were pretty much that simple.
If in reality it still requires you to do a fair bit of work to figure out exactly what needs to be run, then fair enough.
I dunno, I try to avoid MSF, to get a better understanding of how the exploits work by reading papers, watching talks, reading PoC code, and trying to do it manually.
@popcorn same here, and it definitely helps. A good example of this: I got root on another box yesterday and didn’t use anything other than native Windows tools, but now I’m seeing plenty of comments on the thread (and in my PMs) basically saying “I’ve run X tool that normally does everything for me but it doesn’t work. Now I’m stuck”.
Also lots of people just asking which tool they need to run to get creds, before even looking at the easily accessible information themselves.
Oh, and a message from someone asking how I got root on the previous machine if I didn’t just use some Metasploit psexec module.
Like @TazWake said though, you have to draw a line somewhere and say I’ll use a pre-made tool rather than writing my own or directly manipulating TCP streams etc. I guess everyone just has different points at which they cross that line.
Personally I don’t like how common it is on older boxes (i.e. just plug in a port and host and watch it go) but I don’t mind it when you have to dig deep to reveal the vulnerability, or need additional information to get it to run.
That said, learning the exploits and writing your own is more fun.