[SOLVED] Exploit completed, but no sessions created.

I have recently started HTB and learned of Metasploit. In the process of learning Metasploit I haven’t been successfully able to create a session after completing an exploit. I started with Lame and haven’t been able to successfully use the exploit, although I managed to get Root by using CVE-2007-2447 exploit I found on GitHub. I then went on to Legacy and attempted to use Metasploit to no avail. I looked for more ways to attack but most have led me to Metasploit or some form of using the msfconsole.

I am currently attempting Blue and it seems to successfully establish connection and send the payload (ETERNALBLUE overwrite completed successfully). But instead of a WIN I get a FAIL, and it restarts the process twice more. My process for debugging has been:

  • Confirming RHOSTS and LHOST and their respective ports

  • Switching between payloads (staged and single)

  • Restarting Boxes

  • Checking my Firewalls (ufw) and confirming that I am accepting connections from my VPN to HTB on port 4444

  • Disabling Firewall in general

  • Using the old model “kali-grant-root” instead of running msfconsole as root

  • Taking down my VM and Building a new one.

I am running Kali Linux 2020.1. Any pointers are greatly appreciated.

1 Like

OK, so I finally found the fix.

I uninstalled metasploit ( sudo apt-get remove --auto-remove metasploit-framework ) and then re-installed the new build from their github repo. Installed it in my /opt folder and then installed all the dependencies (a bunch of ruby gems that will probably need some manual dpkg installs themselves) and now it works.

I guess the default Metasploit just didn’t work and upgrading it also didn’t.

I have the same issue.

Any guidance is appreciated. I haven’t been able to exploit any machine on HTB, - LAME, LEGACY, or BLUE. I tried the reinstall from GitHub - the nightly installer, no dice.

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.0.3.15:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[-] 10.10.10.40:445 - RubySMB::Error::CommunicationError: An error occured reading from the Socket Connection reset by peer
[*] Exploit completed, but no session was created.

@abashi that RubySMB error seems interesting. It states that the connection was reset by peer. Have you tried my debugging process in the original post?

Just in case anyone is trying to solve this and comes across this post…

I ran into this problem just now on Lame as well and was able to figure it out. My guess is the actual exploit itself has changed since the walkthroughs were written, or else maybe my metasploit somehow was different.

Anyway, it appears the exploit did not have a payload specified, or else maybe had a generic payload specified. I did some Googling and found how to select and specify a payload using (within metasploit) “show payloads”. This will list the payloads which are compatible with your selected exploit. Then I just tried a few until I found one which worked. Note that you may need to define certain additional options once you’ve selected a payload, such as LHOST and LPORT. Just type “options” after choosing your payload and it should show what you need to define.

Hope this helps.

3 Likes

@japh42

Hey I just want to say thank you for the help. I was having the same issue with Metasploit as the members above, in that it was not giving me a session. I had to change the payload and it worked perfectly. I was working on Blunder for 3 days and could not figure out what I was doing wrong. Thanks for the tip of changing the Payload.

Thanks for the help once again!!

wow this is a lifesaver… was getting super frustrated

@Osiris21

Oh, no worries! I’m learning here as well, so when I noticed the problem and was able to get it working, I wanted to pass along what I’d learned. :smiley:

@Osiris21 said:

@japh42

Hey I just want to say thank you for the help. I was having the same issue with Metasploit as the members above, in that it was not giving me a session. I had to change the payload and it worked perfectly. I was working on Blunder for 3 days and could not figure out what I was doing wrong. Thanks for the tip of changing the Payload.

Thanks for the help once again!!

show options

LHOST 192.xxx.x.xxx yes The local listener hostname

set LHOST (OpenVPN IP, tun0)

The problem is that it automatically loads the eth0 IP, and it should load the tun0 one.

1 Like
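
The eth0-versus-tun0 point above can be checked mechanically. The following is an added example, not part of the original posts: it reads the handler and target addresses from msfconsole output and compares the handler address with the local address the kernel would route from toward the target. The function names and the 10.10.14.2 address in the usage note are assumptions made for illustration; the sample log lines are copied from the output posted in this thread.

```python
import re
import socket

# Status line printed when a reverse handler binds (format as shown in this thread).
HANDLER_RE = re.compile(r"Started reverse \w+ handler on (\d+\.\d+\.\d+\.\d+):(\d+)")
# Per-target status lines such as "[+] 10.10.10.40:445 - ...".
TARGET_RE = re.compile(r"^\[.?\]\s+(\d+\.\d+\.\d+\.\d+):\d+ - ", re.M)

# Sample input: three lines taken from the msfconsole output posted above.
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 10.0.3.15:4444
[+] 10.10.10.40:445 - Connection established for exploitation.
[*] Exploit completed, but no session was created.
"""


def parse_run(log_text):
    """Return (handler_ip, handler_port, target_ip); None where a value is absent."""
    h = HANDLER_RE.search(log_text)
    t = TARGET_RE.search(log_text)
    return (h.group(1) if h else None,
            int(h.group(2)) if h else None,
            t.group(1) if t else None)


def route_source_ip(target_ip):
    """Local address the kernel would use to reach target_ip.

    connect() on a UDP socket only selects a route; no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect((target_ip, 9))
            return s.getsockname()[0]
        except OSError:
            return None  # no route at all, e.g. the VPN is down


def diagnose(log_text, source_ip=None):
    """Compare the handler address with the routed source address (looked up if not given)."""
    handler_ip, port, target_ip = parse_run(log_text)
    if handler_ip is None or target_ip is None:
        return "could not find handler/target lines in the log"
    if source_ip is None:
        source_ip = route_source_ip(target_ip)
    if source_ip is None:
        return f"no route to {target_ip}: is the VPN interface up?"
    if handler_ip == source_ip:
        return f"ok: handler {handler_ip}:{port} is on the route to {target_ip}"
    return (f"mismatch: handler on {handler_ip}:{port}, but traffic to "
            f"{target_ip} leaves from {source_ip}; set LHOST to {source_ip}")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Calling `diagnose(SAMPLE_LOG, "10.10.14.2")` with a constructed VPN address reports a mismatch; with no second argument the source address is looked up on the machine running the script.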

hello guys,

I have an issue with Metasploit… while doing Lame, I first get

“No payload configured, defaulting to cmd/unix/reverse_netcat”

then I configure RSHOSTS, RPORT and, for the rev shell, LHOST and LPORT,
hence I fire up nc and hit run on Metasploit … but

“Exploit completed, but no session was created.”

has anyone experienced that?
Thanks!

1 Like

I am having a similar issue with Lame. Everyone keeps saying make sure to set the payload within the exploit, which I keep trying to do. There are quite a few meterpreter payloads and I’ve tried most of the Linux meterpreter payloads, but it is not letting me set it as there is some sort of error I get when I try to set it.

My next move is to try to run the payload first and attempt to somehow get a session on the machine and then background the session and try to run the exploit after.

But I am still lost as to why this is happening as I double checked on walk throughs and they have no issues with the automatic payload that is built into the exploit itself.

About to uninstall metasploit and reinstall it, but it worked okay on my eJPT labs yesterday so I’m lost.

I fail to see why the automatic payload cmd/unix/reverse_netcat wouldn’t work as it seems like an unstaged payload that netcat should be able to pick up on. NC wouldn’t be as handy as meterpreter I suppose but I would guess it should still work.

@juanhk said:

show options

LHOST 192.xxx.x.xxx yes The local listener hostname

set LHOST (OpenVPN IP, tun0)

The problem is that it automatically loads the eth0 IP, and it should load the tun0 one.

Thank you, it helped me; the error was that I was configuring LHOST with my wlan0 IP instead of the IP that the VPN assigned me (in my case it was tun1). Once I changed the parameter I was able to use reverse_tcp without a problem.

@japh42 said:

Just in case anyone is trying to solve this and comes across this post…

I ran into this problem just now on Lame as well and was able to figure it out. My guess is the actual exploit itself has changed since the walkthroughs were written, or else maybe my metasploit somehow was different.

Anyway, it appears the exploit did not have a payload specified, or else maybe had a generic payload specified. I did some Googling and found how to select and specify a payload using (within metasploit) “show payloads”. This will list the payloads which are compatible with your selected exploit. Then I just tried a few until I found one which worked. Note that you may need to define certain additional options once you’ve selected a payload, such as LHOST and LPORT. Just type “options” after choosing your payload and it should show what you need to define.

Hope this helps.

I am currently trying this. Hope it works. I am literally going down the list 1 through 56. I’m wondering if using msf6 is an issue? will update later for anyone curious out there.

@abashi said:

Any guidance is appreciated. I haven’t been able to exploit any machine on HTB, - LAME, LEGACY, or BLUE. I tried the reinstall from GitHub - the nightly installer, no dice.

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.0.3.15:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[-] 10.10.10.40:445 - RubySMB::Error::CommunicationError: An error occured reading from the Socket Connection reset by peer
[*] Exploit completed, but no session was created.

You are using an outdated version of msf. Current build is v6

not sure if this was a spoiler so i’ve retracted the comment

I know this is already solved but I was stuck on this for some time and I think a little more detailed steps could help someone.

I was able to fix the same problem by downgrading to msf5 so if you’re on msf6, then try following what I did. The thing is that msf5 is more stable than msf6 and that’s why I recommend downgrading. I can give out some steps:

Uninstall metasploit 6. I did: sudo apt-get remove --auto-remove metasploit-framework (just type meta and press tab key to autocomplete)

I downloaded the msf5.tar.gz which can be found here: Release 5.0.101 · rapid7/metasploit-framework · GitHub
and extracted it with tar command: tar xvzf filename.tar.gz

go to home directory with cd ~
Then do: gem install bundle
The command above is required to install the different gems (dependencies) which are required in metasploit

Then go back into the extracted folder and use this command to get all the gems for metasploit: bundle install
**Keep in mind you might have to do bundle install a few times later on so make sure you go into the metasploit extracted folder before you do bundle install

These gems are the dependencies that OP was talking about and how he fixed his issue. Now here’s the kicker, when you try to do bundle install, it will say some error. Try reading through that error line by line and it will give a command saying make sure something is installed before bundling.
Use that command inside the quotations that it says and then it will give you another error which will say something like check log file and it will give the path to that file.

‘cat’ the output of that log file that the error shares and you’ll see the error there. It will say something like this directory/file does not exist. Now just google that error and some stack overflow like websites should show up with the answer. The basic issue here is that those dependencies that you are installing for metasploit have their own dependencies and it’s a simple matter of using apt to install them (sudo apt-get install packagename). I had to install these dependencies and then do bundle install in the extracted folder. Then it would give another error and it carried on for a few more times. After a while when you do bundle install, it should say something like bundle is complete and it should not give any more errors.

You’re technically done (to run metasploit, just go in the extracted folder and do ./msfconsole) but here’s what you could do to make it a little bit easier to start metasploit.
I used an alias so you can access metasploit from anywhere instead of having to type in the directory each time you want to use metasploit.

to create an alias, I kept the command similar to the original which is msfconsole.

Just keep in mind if you keep msf6 installed or install it later, then this alias command might intervene so either don’t use msfconsole as the alias command or just replace the msfconsole before the = to something else like msfconsole5 or msf5console.

I used: alias msfconsole='cd "path to metasploit extracted folder"/ && ./msfconsole -q'
the -q runs metasploit faster.

I was stuck on this for a while and I hope this helps someone.

Nice. I thought about doing this and may still downgrade. I found another way around my problem using a different problem but still a bit worried about the transition between python2/msf5 and python3/msf6 as someone new trying to follow tutorials

@fazersheen said:

Nice. I thought about doing this and may still downgrade. I found another way around my problem using a different problem but still a bit worried about the transition between python2/msf5 and python3/msf6 as someone new trying to follow tutorials

I’m kinda new too and it took me a while too but I’m happy I did it and I guess you learn only by doing it.

I’m a noob and using metasploit 5 and still get the error on Legacy. Any ideas?

Started reverse TCP handler on 192.168.0.40:4444
10.10.10.4:445 - Attempting to trigger the vulnerability…
Exploit completed, but no session was created.