Ramblings from a beginner:
I’ve had similar thoughts too. My ultimate goal is to get OSCP. Yes, it’s a bit rubbish when the solution is “Use MSF”; it’s a very good tool but doesn’t teach you a whole amount if you use it out of the box. It seems to me that its real power lies in using it like an expert: writing your own exploits, payloads, tools etc. While this may be no good for OSCP, a complete understanding of how the MSF framework works means you can take your script-kiddie solution which you have proven works, then use your knowledge to recreate the exploit using your own tools (like Python. Wow, what a great language; where was that when I grew up with C and Pascal?).
The normal (lazy) Metasploit workflow seems to be:
- Identify exploitable application
- Search in Metasploit
- Try each exploit one by one until it works
The manual workflow (I guess) would be:
- Identify exploitable application and as much detail about its version etc.
- Google for all the CVEs
- weed out the CVEs that are not relevant (wrong version, not useful, not a relevant exploit type etc) and rank the remaining in order of ease of exploit/usefulness
- Google for example code for each exploit (including metasploit scripts)
- Adapt code as necessary, just enough that you can identify if the CVE is exploitable
- Once you have identified a working exploit, work on a reverse shell or appropriate, keeping it simple.
- Document your homemade exploit, so you have it for the future (for example during the OSCP - am I right in thinking you can preload your machine with your own scripts?)
The problem is, 3, 4 and 5 might take a very long time and be very disheartening, especially if you mess up an exploit and end up disregarding an attack. However, using the Metasploit method first you can bypass these steps and still learn a fair bit. I say this; I’m yet to go back to old boxes and do this, but I plan to.
Metasploit, after all, is only a very simple framework around a ton of separate tools, many of which are available as scripts you can adapt into your own code.
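The "weed out the CVEs that are not relevant (wrong version ...) and rank the remaining" step of the manual workflow above is the same version-range filtering a vulnerability scanner or patch-management tool does internally. As an added example (not code from the post or from Metasploit), here is a small Python triage helper: it takes a fingerprinted service version and a list of candidate CVE records, drops the ones whose affected range does not include the running version, and ranks the survivors by severity. All CVE identifiers, version ranges and scores in it are constructed placeholders, not real advisories.

```python
"""Version-aware CVE triage helper (added example, not from the post).

Given a fingerprinted service version and a list of candidate CVE records,
keep only the records whose affected-version range actually includes the
running version, then rank the survivors by severity score. The CVE ids,
ranges and scores below are constructed placeholders, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str   # placeholder identifier, not a real CVE
    intro: str    # first affected version (inclusive)
    fixed: str    # first fixed version (exclusive), or "" if no fix yet
    score: float  # CVSS-style base score used only for ranking


def parse_version(v):
    """Turn '2.4.49' (or '2.4.49-ubuntu') into (2, 4, 49); non-digits are dropped."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cmp_versions(a, b):
    """Return -1, 0 or 1 comparing two dotted version strings numerically.

    Shorter tuples are right-padded with zeros so '2.3' == '2.3.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(cve, running):
    """True if `running` lies in [cve.intro, cve.fixed)."""
    if cmp_versions(running, cve.intro) < 0:
        return False  # older than the first affected release
    if cve.fixed and cmp_versions(running, cve.fixed) >= 0:
        return False  # already at or past the fixed release
    return True


def triage(cves, running):
    """Return the applicable CVE records, highest score first."""
    hits = [c for c in cves if is_affected(c, running)]
    return sorted(hits, key=lambda c: c.score, reverse=True)


# Constructed sample records (placeholder ids, ranges and scores).
SAMPLE_CVES = [
    Cve("CVE-0000-0001", "2.4.0", "2.4.50", 9.8),
    Cve("CVE-0000-0002", "2.4.49", "2.4.50", 7.5),
    Cve("CVE-0000-0003", "2.4.51", "", 5.3),
    Cve("CVE-0000-0004", "2.2.0", "2.4.0", 9.0),
]

if __name__ == "__main__":
    # A service fingerprinted as 2.4.49 matches the first two records only;
    # 0003 starts at a later version and 0004 was fixed in 2.4.0.
    for c in triage(SAMPLE_CVES, "2.4.49"):
        print(c.cve_id, c.score)
```

The point of carrying the "fixed" bound as well as the "introduced" bound is that most false positives in this step come from advisories whose affected range ended before the version you are looking at; checking both ends before you spend time adapting any example code is what keeps step 3 from eating the afternoon.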