> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/getting-started_mod-2/exploitation/msf-tiny-walkthrough.md).

# MSF tiny Walkthrough

Use this walkthrough to move from service discovery to a working Metasploit exploit and capture the flag.

### Goal

Identify the vulnerable service.

Match it to a Metasploit module.

Exploit it and recover the flag.

{% stepper %}
{% step %}

### Run a scan and identify the attack surface

Start with a service scan.

Look for anything that gives you a clear exploit path.

<figure><img src="/files/bB0lQXehXyrX6AQ9toM8" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Check public exploit paths

Use `searchsploit` and Metasploit to review likely exploit options.

This gives you a starting point, but it is not enough on its own.

<figure><img src="/files/yoJI6tWyADrLmcD05qvI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fHlG1BWFkXPmobHEqwym" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Review the web app for version clues

Open the target site and inspect it closely.

The page reveals a WordPress backup plugin version `2.7.1`.

That version becomes the best lead.

<figure><img src="/files/7Hfi9KwmSGkNT3yaGlpC" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Search Metasploit for the matching module

With the plugin name and version identified, search for a matching Metasploit exploit.

This confirms that the plugin is the intended target.

<figure><img src="/files/KY3AnIsgaNM5KTcfa50N" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ffF8uFINKqcau6tcSFAE" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Review module options and payloads

Before running the exploit, check the required settings.

Review both the module options and the available payloads.

<figure><img src="/files/smXtIoGJdAQNf6zFwD3L" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Set the required values

Set the payload and target values required by the task.

Double-check `RHOSTS`, `LHOST`, and any module-specific options.

<figure><img src="/files/3mMYOdf3m1xmPPWm2ojx" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Run the exploit and capture the flag

Launch the module after the configuration is complete.

The exploit succeeds and the flag is recovered.
{% endstep %}
{% endstepper %}

### Key takeaway

This path works because the enumeration stays focused:

* The scan identifies the best attack surface.
* The web app exposes the vulnerable plugin version.
* Metasploit provides a direct exploit path once the version is confirmed.

### Useful references

* [Exploitation](/capcap/readme/ctf-modules/getting-started_mod-2/exploitation.md)
* [Metasploit](/capcap/readme/cheat-sheets/metasploit.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/getting-started_mod-2/exploitation/msf-tiny-walkthrough.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
