[SOLVED] Exploit completed, but no sessions created.

edited April 12 in Machines

I have recently started HTB and learned of Metasploit. In the process of learning Metasploit I haven't been successfully able to create a session after completing an exploit. I started with Lame and haven't been able to successfully use the exploit, although I managed to get Root by using CVE-2007-2447 exploit I found on GitHub. I then went on to Legacy and attempted to use Metasploit to no avail. I looked for more ways to attack but most have led me to Metasploit or some form of using the msfconsole.

I am currently attempting Blue and it seems to successfully establish connection and send the payload (ETERNALBLUE overwrite completed successfully). But instead of a WIN I get a FAIL, and it restarts the process twice more. My process for debugging has been:

  • Confirming RHOSTS and LHOST and their respective ports

  • Switching between payloads (staged and single)

  • Restarting Boxes

  • Checking my Firewalls (ufw) and confirming that I am accepting connections from my VPN to HTB on port 4444

  • Disabling Firewall in general

  • Using the old model "kali-grant-root" instead of running msfconsole as root

  • Taking down my VM and Building a new one.

I am running Kali Linux 2020.1. Any pointers are greatly appreciated.

Comments

  • OK, so I finally found the fix.

    I uninstalled metasploit ( sudo apt-get remove --auto-remove metasploit-framework ) and then re-installed the new build from their github repo. Installed it in my /opt folder and then installed all the dependencies (a bunch of ruby gems that will probably need some manual dpkg installs themselves) and now it works.

    I guess the default Metasploit just didn't work and upgrading it also didn't.

  • I have the same issue.

  • Any guidance is appreciated. I haven't been able to exploit any machine on HTB - LAME, LEGACY, or BLUE. I tried the reinstall from GitHub - the nightly installer, no dice.

    msf5 exploit(windows/smb/ms17_010_eternalblue) > run

    [*] Started reverse TCP handler on 10.0.3.15:4444
    [*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
    [*] 10.10.10.40:445 - Connecting to target for exploitation.
    [+] 10.10.10.40:445 - Connection established for exploitation.
    [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
    [*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
    [*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
    [*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
    [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
    [-] 10.10.10.40:445 - RubySMB::Error::CommunicationError: An error occured reading from the Socket Connection reset by peer
    [*] Exploit completed, but no session was created.
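Added note, not from any poster in this thread: a small Python helper that reads a pasted msfconsole run like the one above and pulls out the handler, the check result, any `[-]` error lines and whether a session opened, so the reason for "no session was created" is visible at a glance. The sample run is a constructed, trimmed copy of the output above; the hints are only the two situations this thread discusses.

```python
import re

# Constructed sample: trimmed from the run pasted earlier in this thread.
SAMPLE_RUN = """\
[*] Started reverse TCP handler on 10.0.3.15:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[-] 10.10.10.40:445 - RubySMB::Error::CommunicationError: An error occured reading from the Socket Connection reset by peer
[*] Exploit completed, but no session was created.
"""

# "[tag] host:port - message" with the host:port part optional (handler lines lack it)
LINE_RE = re.compile(r"^\[([*+\-!])\]\s*(?:(\S+:\d+) - )?(.*)$")
HANDLER_RE = re.compile(r"Started reverse TCP handler on (\S+):(\d+)")


def diagnose(output: str) -> dict:
    """Summarise one msfconsole run into handler / check / error / outcome fields."""
    result = {"handler": None, "target": None, "check_vulnerable": False,
              "errors": [], "session_created": False, "hint": None}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt lines, blank lines, anything not a status line
        tag, target, msg = m.groups()
        if target:
            result["target"] = target
        h = HANDLER_RE.search(msg)
        if h:
            result["handler"] = (h.group(1), int(h.group(2)))
        if tag == "+" and "VULNERABLE" in msg:
            result["check_vulnerable"] = True
        if tag == "-":
            result["errors"].append(msg)
        if "session" in msg.lower() and "opened" in msg:
            result["session_created"] = True
    if not result["session_created"]:
        if any("reset by peer" in e for e in result["errors"]):
            result["hint"] = "target reset the SMB connection mid-exploit (the RubySMB error above)"
        elif result["handler"] and not result["errors"]:
            result["hint"] = "no error logged: check the selected payload and that LHOST/LPORT match the handler"
    return result


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_RUN).items():
        print(f"{k}: {v}")
```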

  • @abashi that RubySMB error seems interesting. It states that the connection was reset by peer. Have you tried my debugging process in the original post?

  • Just in case anyone is trying to solve this and comes across this post...

    I ran into this problem just now on Lame as well and was able to figure it out. My guess is the actual exploit itself has changed since the walkthroughs were written, or else maybe my metasploit somehow was different.

    Anyway, it appears the exploit did not have a payload specified, or else maybe had a generic payload specified. I did some Googling and found how to select and specify a payload using (within metasploit) "show payloads". This will list the payloads which are compatible with your selected exploit. Then I just tried a few until I found one which worked. Note that you may need to define certain additional options once you've selected a payload, such as LHOST and LPORT. Just type "options" after choosing your payload and it should show what you need to define.

    Hope this helps.

  • @japh42

    Hey I just want to say thank you for the help. I was having the same issue with Metasploit as the members above, in that it was not giving me a session. I had to change the payload and it worked perfectly. I was working on Blunder for 3 days and could not figure out what I was doing wrong. Thanks for the tip of changing the Payload.

    Thanks for the help once again!!

  • wow this is a lifesaver.... was getting super frustrated

  • edited July 6

    @Osiris21

    Oh, no worries! I'm learning here as well, so when I noticed the problem and was able to get it working, I wanted to pass along what I'd learned. :smiley:

    @Osiris21 said:

    @japh42

    Hey I just want to say thank you for the help. I was having the same issue with Metasploit as the members above, in that it was not giving me a session. I had to change the payload and it worked perfectly. I was working on Blunder for 3 days and could not figure out what I was doing wrong. Thanks for the tip of changing the Payload.

    Thanks for the help once again!!
