Blog · 1 min read

MSF-X: Remote Shell to Local Privilege Escalation; Analysing Linux Metasploit Modules

Shailendra Singh Sachan

Security Researcher


Virtual Environment setup

Ubuntu 64 (Victim Machine) & Kali Linux (Attacker Machine)


Figure 1: VM Setup

Remote shell: Access to the victim system

We have divided this evaluation into two phases:

  • Obtaining remote access to the victim system, specifically as a non-root user, which allows us to utilize Linux local privilege escalation exploit modules in phase two, thereby escalating the non-root remote session to a root remote session.
  • Escalating from a non-root remote shell to a root remote shell, either upgrading the existing non-root remote shell to a root shell or opening a new root remote shell.

Remote Access Modules for Linux in Metasploit

There are multiple modules/payloads available in the Metasploit tool that can be configured for remote shell/access on the target Linux system. For this evaluation, we have used 10 modules of different categories to diversify our research and detonation. The selected modules include both Meterpreter and plain shell payloads, cover both traffic-flow directions ("reverse" and "bind"), and use both application-layer (http, https) and non-application-layer (tcp) protocols:

  • payload/linux/x64/meterpreter/reverse_tcp
  • payload/linux/x64/shell/reverse_tcp
  • payload/linux/x64/exec
  • payload/linux/x64/meterpreter_reverse_https
  • payload/linux/x64/meterpreter_reverse_tcp
  • payload/linux/x64/shell_reverse_tcp
  • payload/linux/x64/meterpreter/bind_tcp
  • payload/linux/x64/shell/bind_tcp
  • payload/linux/x64/meterpreter_reverse_http
  • payload/linux/x64/shell_bind_tcp
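The list above mixes several properties (Meterpreter vs. shell, reverse vs. bind, http/https vs. raw tcp) that a defender wants to pull apart before deciding what to look for on the victim host. The following script is an added example, not code from the post or from Metasploit: it parses each payload path from the list into those properties and states the network behaviour a defender should expect on the victim (an outbound connection for reverse payloads, a new listening port for bind payloads, none for `exec`). The staged/stageless split it also reports is not discussed in the post; it follows Metasploit's naming convention, where a `/` between stage and stager (e.g. `meterpreter/reverse_tcp`) marks a staged payload and a `_` (e.g. `meterpreter_reverse_tcp`) marks a stageless one.

```python
"""Classify Metasploit Linux payload paths by stage type, staging,
connection direction and transport, and describe the traffic a defender
should expect. Added example; not the post's own code."""

import re
from collections import Counter

# The ten payloads evaluated in the post, copied verbatim.
PAYLOADS = [
    "payload/linux/x64/meterpreter/reverse_tcp",
    "payload/linux/x64/shell/reverse_tcp",
    "payload/linux/x64/exec",
    "payload/linux/x64/meterpreter_reverse_https",
    "payload/linux/x64/meterpreter_reverse_tcp",
    "payload/linux/x64/shell_reverse_tcp",
    "payload/linux/x64/meterpreter/bind_tcp",
    "payload/linux/x64/shell/bind_tcp",
    "payload/linux/x64/meterpreter_reverse_http",
    "payload/linux/x64/shell_bind_tcp",
]

APPLICATION_LAYER = {"http", "https"}
CONNECTOR_RE = re.compile(r"(reverse|bind)_(tcp|http|https)")


def parse_payload(name):
    """Return the properties encoded in one Metasploit Linux payload path."""
    parts = name.split("/")
    if parts and parts[0] == "payload":
        parts = parts[1:]
    if len(parts) < 3 or parts[0] != "linux":
        raise ValueError(f"not a Linux payload path: {name}")
    arch, rest = parts[1], parts[2:]
    info = {"name": name, "arch": arch, "stage": None, "staged": None,
            "direction": None, "transport": None}

    if rest == ["exec"]:
        # Single payload: runs a command on the target, no C2 channel of its own.
        info["stage"] = "exec"
        return info

    if len(rest) == 2:
        # Staged: stage and stager are separate path components.
        stage, connector = rest
        info["staged"] = True
    elif len(rest) == 1 and "_" in rest[0]:
        # Stageless: one component such as meterpreter_reverse_https.
        stage, connector = rest[0].split("_", 1)
        info["staged"] = False
    else:
        raise ValueError(f"unrecognised payload layout: {name}")

    if stage not in ("meterpreter", "shell"):
        raise ValueError(f"unknown stage {stage!r} in {name}")
    m = CONNECTOR_RE.fullmatch(connector)
    if not m:
        raise ValueError(f"unknown connector {connector!r} in {name}")
    info["stage"] = stage
    info["direction"], info["transport"] = m.group(1), m.group(2)
    return info


def expected_traffic(info):
    """Describe what a defender should expect to observe on the victim host."""
    if info["direction"] == "reverse":
        proto = "HTTP(S)" if info["transport"] in APPLICATION_LAYER else "raw TCP"
        return f"outbound {proto} connection from the victim to the attacker"
    if info["direction"] == "bind":
        return "new listening TCP port opened on the victim"
    return "no network channel of its own (command execution only)"


def summarize(payloads):
    """Count payloads by stage type, staging, direction and transport."""
    infos = [parse_payload(p) for p in payloads]
    return {
        "stage": Counter(i["stage"] for i in infos),
        "staged": Counter(i["staged"] for i in infos),
        "direction": Counter(i["direction"] for i in infos),
        "transport": Counter(i["transport"] for i in infos),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:48} {expected_traffic(parse_payload(p))}")
    print(summarize(PAYLOADS))
```

Running it over the post's ten payloads gives six reverse, three bind and one `exec`, with seven on raw tcp and one each on http and https; the direction column is the part worth keeping next to host telemetry, since reverse and bind payloads leave opposite footprints (an outbound connection vs. a new listener) on the victim.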
