[SOLVED] Exploit completed, but no sessions created.

edited April 12 in Machines

I have recently started HTB and learned of Metasploit. While learning Metasploit I haven't been able to successfully create a session after completing an exploit. I started with Lame and wasn't able to get the exploit to work, although I managed to get root by using a CVE-2007-2447 exploit I found on GitHub. I then went on to Legacy and attempted to use Metasploit, to no avail. I looked for other ways to attack, but most led me back to Metasploit or some form of using msfconsole.

I am currently attempting Blue, and it seems to successfully establish a connection and send the payload (ETERNALBLUE overwrite completed successfully). But instead of a WIN I get a FAIL, and it restarts the process twice more. My process for debugging has been:

  • Confirming RHOSTS and LHOST and their respective ports

  • Switching between payloads (staged and single)

  • Restarting Boxes

  • Checking my Firewalls (ufw) and confirming that I am accepting connections from my VPN to HTB on port 4444

  • Disabling Firewall in general

  • Using the old model "kali-grant-root" instead of running msfconsole as root

  • Taking down my VM and Building a new one.

I am running Kali Linux 2020.1. Any pointers are greatly appreciated.


Comments

  • OK, so I finally found the fix.

    I uninstalled Metasploit (sudo apt-get remove --auto-remove metasploit-framework) and then re-installed the new build from their GitHub repo. I installed it in my /opt folder, then installed all the dependencies (a bunch of Ruby gems that will probably need some manual dpkg installs themselves), and now it works.

    I guess the default Metasploit just didn't work, and upgrading it didn't either.

  • I have the same issue.

  • Any guidance is appreciated. I haven't been able to exploit any machine on HTB - LAME, LEGACY, or BLUE. I tried the reinstall from GitHub - the nightly installer - no dice.

    msf5 exploit(windows/smb/ms17_010_eternalblue) > run

    [*] Started reverse TCP handler on 10.0.3.15:4444
    [*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
    [*] 10.10.10.40:445 - Connecting to target for exploitation.
    [+] 10.10.10.40:445 - Connection established for exploitation.
    [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
    [*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
    [*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
    [*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
    [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
    [-] 10.10.10.40:445 - RubySMB::Error::CommunicationError: An error occured reading from the Socket Connection reset by peer
    [*] Exploit completed, but no session was created.

  • @abashi that RubySMB error seems interesting. It states that the connection was reset by peer. Have you tried my debugging process in the original post?

  • Just in case anyone is trying to solve this and comes across this post...

    I ran into this problem just now on Lame as well and was able to figure it out. My guess is the actual exploit itself has changed since the walkthroughs were written, or else maybe my metasploit somehow was different.

    Anyway, it appears the exploit did not have a payload specified, or else maybe had a generic payload specified. I did some Googling and found how to select and specify a payload using (within Metasploit) "show payloads". This will list the payloads which are compatible with your selected exploit. Then I just tried a few until I found one which worked. Note that you may need to define certain additional options once you've selected a payload, such as LHOST and LPORT. Just type "options" after choosing your payload and it should show what you need to define.

    Hope this helps.

  • @japh42

    Hey, I just want to say thank you for the help. I was having the same issue with Metasploit as the members above, in that it was not giving me a session. I had to change the payload and it worked perfectly. I was working on Blunder for 3 days and could not figure out what I was doing wrong. Thanks for the tip of changing the payload.

    Thanks for the help once again!!

  • Wow, this is a lifesaver... I was getting super frustrated.

  • edited July 6

    @Osiris21

    Oh, no worries! I'm learning here as well, so when I noticed the problem and was able to get it working, I wanted to pass along what I'd learned. :smiley:

    @Osiris21 said:

    @japh42

    Hey, I just want to say thank you for the help. I was having the same issue with Metasploit as the members above, in that it was not giving me a session. I had to change the payload and it worked perfectly. I was working on Blunder for 3 days and could not figure out what I was doing wrong. Thanks for the tip of changing the payload.

    Thanks for the help once again!!

  • show options

    LHOST 192.xxx.x.xxx yes The local listener hostname

    set LHOST (the OpenVPN IP, tun0)

    The problem is that it automatically loads the eth0 IP, when it should load the tun0 one.

  • Hello guys,

    I have an issue with Metasploit. While doing Lame, I first get

    "No payload configured, defaulting to cmd/unix/reverse_netcat"

    Then I configure RHOSTS, RPORT and, for the reverse shell, LHOST and LPORT.
    Then I fire up nc and hit run in Metasploit, but

    "Exploit completed, but no session was created."

    Has anyone experienced that?
    Thanks!

  • edited July 15

    @blackhoodee said:

    Hello guys,

    I have an issue with Metasploit. While doing Lame, I first get

    "No payload configured, defaulting to cmd/unix/reverse_netcat"

    Then I configure RHOSTS, RPORT and, for the reverse shell, LHOST and LPORT.
    Then I fire up nc and hit run in Metasploit, but

    "Exploit completed, but no session was created."

    Has anyone experienced that?
    Thanks!

    I am having a similar issue with Lame. Everyone keeps saying make sure to set the payload within the exploit, which I keep trying to do. There are quite a few meterpreter payloads and I've tried most of the Linux meterpreter payloads, but it is not letting me set it, as there is some sort of error I get when I try to set it.

    My next move is to try to run the payload first and attempt to somehow get a session on the machine and then background the session and try to run the exploit after.

    But I am still lost as to why this is happening as I double checked on walk throughs and they have no issues with the automatic payload that is built into the exploit itself.

    About to uninstall Metasploit and reinstall it, but it worked okay on my eJPT labs yesterday, so I'm lost.

    I fail to see why the automatic payload cmd/unix/reverse_netcat wouldn't work, as it seems like an unstaged payload that netcat should be able to pick up on. NC wouldn't be as handy as meterpreter I suppose, but I would guess it should still work.

  • @juanhk said:

    show options

    LHOST 192.xxx.x.xxx yes The local listener hostname

    set LHOST (the OpenVPN IP, tun0)

    The problem is that it automatically loads the eth0 IP, when it should load the tun0 one.

    This helped me. The error was that I was configuring LHOST with my wlan0 IP instead of the IP that the VPN assigned me (in my case it was tun1). Once I changed the parameter I was able to use the reverse_tcp without problem.

  • @japh42 said:

    Just in case anyone is trying to solve this and comes across this post...

    I ran into this problem just now on Lame as well and was able to figure it out. My guess is the actual exploit itself has changed since the walkthroughs were written, or else maybe my metasploit somehow was different.

    Anyway, it appears the exploit did not have a payload specified, or else maybe had a generic payload specified. I did some Googling and found how to select and specify a payload using (within Metasploit) "show payloads". This will list the payloads which are compatible with your selected exploit. Then I just tried a few until I found one which worked. Note that you may need to define certain additional options once you've selected a payload, such as LHOST and LPORT. Just type "options" after choosing your payload and it should show what you need to define.

    Hope this helps.

    I am currently trying this. Hope it works. I am literally going down the list 1 through 56. I'm wondering if using msf6 is an issue? Will update later for anyone curious out there.

  • @abashi said:

    Any guidance is appreciated. I haven't been able to exploit any machine on HTB - LAME, LEGACY, or BLUE. I tried the reinstall from GitHub - the nightly installer - no dice.

    msf5 exploit(windows/smb/ms17_010_eternalblue) > run

    [*] Started reverse TCP handler on 10.0.3.15:4444
    [*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
    [*] 10.10.10.40:445 - Connecting to target for exploitation.
    [+] 10.10.10.40:445 - Connection established for exploitation.
    [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
    [*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
    [*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
    [*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
    [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
    [-] 10.10.10.40:445 - RubySMB::Error::CommunicationError: An error occured reading from the Socket Connection reset by peer
    [*] Exploit completed, but no session was created.

    You are using an outdated version of msf. Current build is v6

    LMAY75
    Always happy to help, DM me if you need anything!

  • Cool, I didn't know "show payloads" yet.


  • edited September 23

    not sure if this was a spoiler so i've retracted the comment

  • edited September 25

    I know this is already solved but I was stuck on this for some time and I think a little more detailed steps could help someone.

    I was able to fix the same problem by downgrading to msf5, so if you're on msf6, then try following what I did. The thing is that msf5 is more stable than msf6, and that's why I recommend downgrading. I can give out some steps:

    Uninstall Metasploit 6. I did: sudo apt-get remove --auto-remove metasploit-framework (just type meta and press the tab key to autocomplete)

    I downloaded the msf5.tar.gz which can be found here: https://github.com/rapid7/metasploit-framework/releases/tag/5.0.101
    and extracted it with tar command: tar xvzf filename.tar.gz

    Go to the home directory with cd ~
    Then do: gem install bundle
    The command above is required to install the different gems (dependencies) which are required by Metasploit.

    Then go back into the extracted folder and use this command to get all the gems for metasploit: bundle install
    **Keep in mind you might have to do bundle install a few times later on so make sure you go into the metasploit extracted folder before you do bundle install

    These gems are the dependencies that OP was talking about and how he fixed his issue. Now here's the kicker: when you try to do bundle install, it will give some error. Try reading through that error line by line, and it will give a command saying make sure something is installed before bundling.
    Use the command inside the quotation marks that it shows, and then it will give you another error which will say something like "check log file" and give the path to that file.

    'cat' the log file that the error points to and you'll see the error there. It will say something like "this directory/file does not exist". Now just google that error and some Stack Overflow-like websites should show up with the answer. The basic issue here is that those dependencies that you are installing for Metasploit have their own dependencies, and it's a simple matter of using apt to install them (sudo apt-get install packagename). I had to install these dependencies and then do bundle install in the extracted folder. Then it would give another error, and it carried on like that a few more times. After a while, when you do bundle install, it should say something like "bundle is complete" and not give any more errors.

    You're technically done (to run Metasploit, just go into the extracted folder and do ./msfconsole), but here's what you could do to make it a little bit easier to start Metasploit.
    I used an alias so you can access Metasploit from anywhere instead of having to type in the directory each time you want to use Metasploit.

    To create an alias, I kept the command similar to the original, which is msfconsole.

    Just keep in mind that if you keep msf6 installed or install it later, then this alias command might interfere, so either don't use msfconsole as the alias command or just replace the msfconsole before the = with something else like msfconsole5 or msf5console.

    I used: alias msfconsole='cd "path to metasploit extracted folder"/ && ./msfconsole -q'
    the -q runs metasploit faster.

    I was stuck on this for a while and I hope this helps someone.

  • edited September 24

    @Phantom95 said:

    I know this is already solved but I was stuck on this for some time and I think a little more detailed steps could help someone.

    I was able to fix the same problem by downgrading to msf5, so if you're on msf6, then try following what I did. The thing is that msf5 is more stable than msf6, and that's why I recommend downgrading. I can give out some steps:

    Uninstall Metasploit 6. I did: sudo apt-get remove --auto-remove metasploit-framework (just type meta and press the tab key to autocomplete)

    I downloaded the msf5.tar.gz which can be found here: https://github.com/rapid7/metasploit-framework/releases/tag/5.0.101
    and extracted it with tar command: tar xvzf filename.tar.gz

    Go to the home directory with cd ~
    Then do: gem install bundle
    The command above is required to install the different gems (dependencies) which are required by Metasploit.

    Then go back into the extracted folder and use this command to get all the gems for metasploit: bundle install
    **Keep in mind you might have to do bundle install a few times later on so make sure you go into the metasploit extracted folder before you do bundle install

    These gems are the dependencies that OP was talking about and how he fixed his issue. Now here's the kicker: when you try to do bundle install, it will give some error. Try reading through that error line by line, and it will give a command saying make sure something is installed before bundling.
    Use the command inside the quotation marks that it shows, and then it will give you another error which will say something like "check log file" and give the path to that file.

    'cat' the log file that the error points to and you'll see the error there. It will say something like "this directory/file does not exist". Now just google that error and some Stack Overflow-like websites should show up with the answer. The basic issue here is that those dependencies that you are installing for Metasploit have their own dependencies, and it's a simple matter of using apt to install them (sudo apt-get install packagename). I had to install these dependencies and then do bundle install in the extracted folder. Then it would give another error, and it carried on like that a few more times. After a while, when you do bundle install, it should say something like "bundle is complete" and give no errors.

    You're technically done (to run Metasploit, just go into the extracted folder and do ./msfconsole), but here's what you could do to make it a little bit easier to start Metasploit.
    I used an alias so you can access Metasploit from anywhere instead of having to type in the directory each time you want to use Metasploit.

    To create an alias, I kept the command similar to the original, which is msfconsole.

    Just keep in mind that if you keep msf6 installed or install it later, then this alias command might interfere, so either don't use msfconsole as the alias command or just replace the msfconsole before the = with something else like msfconsole5 or msf5console.

    I used: alias msfconsole='cd "path to metasploit extracted folder"/ && ./msfconsole -q'
    the -q runs metasploit faster.

    I was stuck on this for a while and I hope this helps someone.

    Nice. I thought about doing this and may still downgrade. I found another way around my problem using a different problem but still a bit worried about the transition between python2/msf5 and python3/msf6 as someone new trying to follow tutorials

  • @fazersheen said:

    Nice. I thought about doing this and may still downgrade. I found another way around my problem using a different problem but still a bit worried about the transition between python2/msf5 and python3/msf6 as someone new trying to follow tutorials

    I'm kinda new too and it took me a while too but I'm happy I did it and I guess you learn only by doing it.

  • I'm a noob and using metasploit 5 and still get the error on Legacy. Any ideas?

    Started reverse TCP handler on 192.168.0.40:4444
    10.10.10.4:445 - Attempting to trigger the vulnerability...
    Exploit completed, but no session was created.

  • @juanhk said:

    show options

    LHOST 192.xxx.x.xxx yes The local listener hostname

    set LHOST (the OpenVPN IP, tun0)

    The problem is that it automatically loads the eth0 IP, when it should load the tun0 one.

    This worked for me. Thanks.

  • edited November 1

    Has anyone managed to get a resolution on this issue?
    I have tried all solutions on this forum including reinstalling Metasploit, rolling back Metasploit to v5, disabling firewalls, trying each payload, running msfconsole as sudo.

    All config under 'show options' is set correctly, RHOSTS as the Lame box and LHOST as the IP of my tun0 adapter.

    If anybody could offer any advice or resolution I would be very grateful as I am very stuck and not sure what to try next!

  • edited November 1

    This was driving me crazy for the past 2 hours. This is an easy box so my fragile ego is in shambles (boo hoo). Is there something wrong with this box or am I just doing it wrong?

    I have tried the Metasploit solution, and I have tried a script I found on the internet. I have tried using the Pwnbox OS that HTB offers as well to do the Metasploit solution. Metasploit on both gives me the same "no session created" issue, and the script either isn't working or can't make it back. Can anyone make me sane again? At this point I feel like someone patched it on me to pull a sick prank.

    This is the name of the script, I assume this isn't spoilers since there's a writeup but it has the same name as metasploit exploit. You can find it on gitlab if you google search it.

    usermap_script.py by amriunix

  • When running nmap -p 445 -A 10.10.10.3 I'm getting that the SMB version is 3.0.28a instead of the 3.0.20 which is the one in the walkthroughs. Does this make any difference for the exploit?

  • edited November 2

    @T0fu said:

    When running nmap -p 445 -A 10.10.10.3 I'm getting that the SMB version is 3.0.28a instead of the 3.0.20 which is the one in the walkthroughs. Does this make any difference for the exploit?

    I noticed the same thing. The documented exploit only works for version 3.0.20 < 3.0.25rc3 and the current version is 3.0.28a.

    I'm still digging, but haven't found a fix yet. I might try the fix fluffikinz recommends, but it would be nice to know if there was some kind of change in the box/challenge. Seems inconsistent to make such a drastic change after the box is retired and so many have already owned it - to require a completely different tactic.

  • In case someone else encounters a problem here... Basically, I'd say that Metasploit, if LHOST is not specified, will use the default network card's IP. The thing is, because we're connected to the lab through a VPN, this makes Metasploit listen on the "wrong" interface in this context.

    To fix this, you'll have to change LHOST with the IP address you have on the HTB network (tun0)

    set LHOST 10.10.1X.X

    Hope it helps

  • Yes, Samba might be upgraded, but there are still other vulnerable services exposed.

    Also, I found it's quite handy to set LHOST to tun0 and not to a specific IP, as the IP changes between connections.

  • There are 2 things you need to do:

    • Update msf-framework. You will need to go into its /usr/share/metasploit-frame and "bundle install". From there, your msf will have all updates and upgrades. There is a problem upgrading it from the command line.
    • For LHOST, please try to figure out your IP address and set LHOST to that. Try to choose the right one with the help of Google. You should be fine.
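
    Several replies in this thread (juanhk's, the tun0 post, and the two-things list just above) come down to one check: the reverse handler must listen on the VPN address, not the LAN one. The script below is an added example, not code from this thread or from Metasploit. It parses the `ip -4 -o addr show` output of iproute2 on Linux and the "Started reverse TCP handler on ..." line msfconsole prints, and reports whether LHOST points at tun0 or at another interface. It assumes the VPN interface is named tun0 (as in the thread); the sample interface dump and handler line are constructed.

```python
"""Sanity check for the reverse-handler LHOST problem discussed in this thread.

Added example; not code from the forum thread or from Metasploit. It parses
`ip -4 -o addr show` output and the handler line msfconsole prints, and tells
you whether LHOST points at the VPN interface (tun0) or at the LAN interface.
The SAMPLE_* strings below are constructed to look like real output.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample of `ip -4 -o addr show` on a lab VM: LAN on eth0, VPN on tun0.
SAMPLE_IP_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global dynamic eth0\\       valid_lft 85000sec preferred_lft 85000sec\n"
    "3: tun0    inet 10.10.14.7/23 scope global tun0\\       valid_lft forever preferred_lft forever\n"
)

# Constructed sample of the first line msfconsole prints when `run` starts the handler.
SAMPLE_HANDLER_LINE = "[*] Started reverse TCP handler on 192.168.1.50:4444"

_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/\d+", re.MULTILINE)
_HANDLER_RE = re.compile(r"Started reverse TCP handler on (\d+(?:\.\d+){3}):(\d+)")


def parse_ip_addr(text: str) -> Dict[str, str]:
    """Map interface name -> first IPv4 address from `ip -4 -o addr show` output."""
    addrs: Dict[str, str] = {}
    for iface, ip in _ADDR_RE.findall(text):
        addrs.setdefault(iface, ip)
    return addrs


def handler_endpoint(log_text: str) -> Optional[Tuple[str, int]]:
    """(ip, port) the reverse TCP handler bound to, or None if the line is absent."""
    m = _HANDLER_RE.search(log_text)
    return (m.group(1), int(m.group(2))) if m else None


def check_lhost(lhost: str, addrs: Dict[str, str], vpn_iface: str = "tun0") -> str:
    """Classify an LHOST value against the interfaces on this box.

    Returns one of:
      "ok"                   LHOST is the VPN interface name or its address
      "no-vpn"               the VPN interface has no IPv4 address (VPN down?)
      "wrong-interface:<if>" LHOST is a local address, but on another interface
      "not-local"            LHOST is not an address on this machine at all
    """
    vpn_ip = addrs.get(vpn_iface)
    if vpn_ip is None:
        return "no-vpn"
    if lhost in (vpn_iface, vpn_ip):       # `set LHOST tun0` is accepted by msf too
        return "ok"
    owner = next((i for i, a in addrs.items() if a == lhost), None)
    return f"wrong-interface:{owner}" if owner else "not-local"


def live_addrs() -> Dict[str, str]:
    """Same as parse_ip_addr, but on this machine's real `ip` output (Linux only)."""
    out = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip_addr(out)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in live_addrs() and your own
    # msfconsole output to check a real lab VM.
    addrs = parse_ip_addr(SAMPLE_IP_ADDR)
    bound = handler_endpoint(SAMPLE_HANDLER_LINE)
    print("interfaces:", addrs)
    print("handler bound to:", bound)
    if bound:
        print("verdict:", check_lhost(bound[0], addrs))   # wrong-interface:eth0 for the sample
```

For the constructed sample the verdict is `wrong-interface:eth0`: the handler bound to the LAN address, so a callback from the lab network can never reach it, which is exactly the "Exploit completed, but no session was created" symptom. Setting LHOST to the interface name (`set LHOST tun0`) survives VPN reconnects that change the address, as the post above notes.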

  • edited November 12

    Not sure what I did different, but I just skipped this one for about a week and came back to it. Magically msf worked this time.

    However, I did type in the wrong IP the first time running it, so I'm going to chalk it up to either user error or something wonky with the servers that got fixed. Numbers are hard; make sure the connection handler in msf binds, and if it doesn't, check that your options are correct.

    I was going through what I did step by step and realized:

    I used the OTHER Samba port! I don't know if maybe I refused to try that port for some odd reason, but that was the issue. That seems like an issue I'd catch, but... seems that isn't the case. Look at your scan and try the other ports (if you don't know which one, just try all of them, but nmap should give enough info to know which one). Feel dumb lol
