Metasploit tries to open meterpreter session to wrong IP

Hey y’all,
I am a total noob at HTB and pentesting, so I hope someone can help me with my question. Idk why, but my Metasploit tries to open meterpreter sessions to an IP which is not specified in rhosts.

Example: (I deleted the specific exploit name and stuff, to make sure no one is spoilered)

msf6 exploit(…) > options

RHOSTS 10.10.10.75 yes The target host(s), range CIDR identifier

Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description


LHOST 10.10.14.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

msf6 exploit(…) > run

[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending stage (39282 bytes) to 10.10.10.8
[*] Meterpreter session 4 opened (10.10.14.2:4444 -> 10.10.10.8:49206) at 2020-12-09 09:05:07 -0500
[*] Sending stage (39282 bytes) to 10.10.10.75
[*] Meterpreter session 5 opened (10.10.14.2:4444 -> 10.10.10.75:48466) at 2020-12-09 09:05:08 -0500
[+] Deleted image.php
[*] Sending stage (39282 bytes) to 10.10.10.8
[*] Meterpreter session 6 opened (10.10.14.2:4444 -> 10.10.10.8:49205) at 2020-12-09 09:05:10 -0500

meterpreter > sysinfo
[-] Unknown command: sysinfo.

In that example I tried a Metasploit exploit on the retired machine “Nibbles” (10.10.10.75) today, which I set RHOSTS to. When running that exploit, Metasploit opened a meterpreter session at 10.10.10.75, but it opened two more sessions on 10.10.10.8, which relates to the retired machine “Optimum”. I’ve completed Optimum today, before I went on to Nibbles.
I don’t know why this happens and how to get rid of this behaviour. I restarted my Metasploit and Kali VM several times and even ended up installing a completely new VM. Unfortunately the weird behaviour remains. The sessions at 10.10.10.8 tend to die after a short while, but I have to switch to the correct session before I can move on.

I looked up some write-ups of Nibbles and this does not seem to be the normal behaviour in any of those. Actually I even completed Nibbles already another time and had no trouble with this, I just forgot to enter the root flag on my HTB page :smiley: , so I decided to do it again today.

I’m sorry if this is a dumb question, but I was not able to solve this problem by myself. I hope someone has a hint on what to do :slight_smile:

Thanks a lot!

I didn’t do any of those machines, but my guess would be that the “Optimum” machine’s service still tries to call back home to you, after you terminated your session.
Have you tried resetting the Optimum machine on HTB?
You can also try setting another LPORT value, and then see if you still get incoming connections from other machines (which shouldn’t be the case).

Maybe you have some jobs running, or autoscripts? Type jobs in the prompt (msf>) and see if you have any background jobs running; if you do, run jobs -k id to kill it. However, jobs should end when you exit msf.

@HomeSen said:

I didn’t do any of those machines, but my guess would be that the “Optimum” machine’s service still tries to call back home to you, after you terminated your session.
Have you tried resetting the Optimum machine on HTB?
You can also try setting another LPORT value, and then see if you still get incoming connections from other machines (which shouldn’t be the case).

Thanks a lot for your comments. I reset the machine, but it didn’t work - maybe someone blocked it. Anyways, yesterday evening I used that workaround with the different port and today everything seems to be back to normal again :slight_smile:
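To tell sessions from the intended target apart from stale callbacks like the ones discussed in this thread, the handler output can be checked against RHOSTS. The following is an added example, not part of the original posts: the function names are hypothetical, and the sample lines are the console output from the first post.

```python
import re

# Matches the "session opened" line printed by the reverse TCP handler.
# Accepts both "->" and the typographic arrow some forum software substitutes.
SESSION_RE = re.compile(
    r"Meterpreter session (?P<id>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+)\s*(?:->|\u2192)\s*"
    r"(?P<peer>[\d.]+):(?P<pport>\d+)\)"
)

# Console lines from the first post in this thread.
SAMPLE_OUTPUT = """\
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending stage (39282 bytes) to 10.10.10.8
[*] Meterpreter session 4 opened (10.10.14.2:4444 -> 10.10.10.8:49206) at 2020-12-09 09:05:07 -0500
[*] Sending stage (39282 bytes) to 10.10.10.75
[*] Meterpreter session 5 opened (10.10.14.2:4444 -> 10.10.10.75:48466) at 2020-12-09 09:05:08 -0500
[+] Deleted image.php
[*] Sending stage (39282 bytes) to 10.10.10.8
[*] Meterpreter session 6 opened (10.10.14.2:4444 -> 10.10.10.8:49205) at 2020-12-09 09:05:10 -0500
"""


def classify_sessions(console_text, rhosts):
    """Split opened sessions into (expected, unexpected) by peer address.

    A session is expected when its peer IP is one of the configured RHOSTS;
    anything else connected to the listener without being targeted by this
    run, e.g. a payload left over from an earlier machine on the same LPORT.
    """
    expected, unexpected = [], []
    for m in SESSION_RE.finditer(console_text):
        entry = (int(m["id"]), m["peer"])
        (expected if m["peer"] in rhosts else unexpected).append(entry)
    return expected, unexpected


def report(console_text, rhosts):
    """Return one human-readable line per session."""
    expected, unexpected = classify_sessions(console_text, rhosts)
    lines = [f"session {sid}: {ip} (matches RHOSTS)" for sid, ip in expected]
    lines += [f"session {sid}: {ip} (NOT in RHOSTS, stale callback?)"
              for sid, ip in unexpected]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT, {"10.10.10.75"})))
```
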