TryHackMe: Metasploit: Meterpreter— Walkthrough

November 28, 2024
November 28, 2024 Jasper

Hi! It is time to look at the third part of the Metasploit rooms on TryHackMe, this part covering Meterpreter. I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Room URL: https://tryhackme.com/room/meterpreter


Task 1 (Introduction to Meterpreter)

Meterpreter is a Metasploit payload that runs on the target system and supports the penetration testing process. It can interact with the target operating system and files, and allows us to use specialized commands.

The great things about Meterpreter is that it runs on the target system without the need to install it. This is because it runs on memory and avoids writing files files to the disk. because of this it is harder to detect by antivirus software. In addition, Meterpreter uses encrypted communication with the server where Metasploits runs.

Questions

No answer needed

Answer: No answer needed


Task 2 (Meterpreter Flavors)

Metasploit payloads can be initially divided into two categories:

  • Inline (also called single):Larger. Payload is sent in one step.
  • Staged: Smaller, since payload is sent in two steps. First the initial part (stager) is installed, and then the rest of the payload is requested.

In addition to this division, meterpreter has a wide range of different versions you can choose from based on your target system. You can list all payloads by using the following command:

msfvenom --list payloads

You can then add pipe and the grep meterpreter command to only show payloads that include a meterpreter payload.

Your decision on which version of Meterpreter to use is dependant on different factors:

  1. The target OS
  2. Components on the target system (Python, PHP website etc.)
  3. Network connection types (TCP/HTTPS/IP6)

When using a module, you can write show payloads to list available payloads for that specific module.

Questions

Answer: No answer needed


Task 3 (Meterpreter Commands)

Next we will cover the different available commands when in a meterpreter session. These run on the target system without loading other scripts or executable files.

A very useful command is help. This lists all available commands. If you run the help command, you will see Meterpreter commands are listed under different categories.

Core commands

  • background: Backgrounds the current session
  • exit: Terminate the Meterpreter session
  • guid: Get the session GUID (Globally Unique Identifier)
  • help: Displays the help menu
  • info: Displays information about a Post module
  • irb: Opens an interactive Ruby shell on the current session
  • load: Loads one or more Meterpreter extensions
  • migrate: Allows you to migrate Meterpreter to another process
  • run: Executes a Meterpreter script or Post module
  • sessions: Quickly switch to another session

File system commands

  • cd: Will change directory
  • ls: Will list files in the current directory (dir will also work)
  • pwd: Prints the current working directory
  • edit: will allow you to edit a file
  • cat: Will show the contents of a file to the screen
  • rm: Will delete the specified file
  • search: Will search for files
  • upload: Will upload a file or directory
  • download: Will download a file or directory

Networking commands

  • arp: Displays the host ARP (Address Resolution Protocol) cache
  • ifconfig: Displays network interfaces available on the target system
  • netstat: Displays the network connections
  • portfwd: Forwards a local port to a remote service
  • route: Allows you to view and modify the routing table

System commands

  • clearev: Clears the event logs
  • execute: Executes a command
  • getpid: Shows the current process identifier
  • getuid: Shows the user that Meterpreter is running as
  • kill: Terminates a process
  • pkill: Terminates processes by name
  • ps: Lists running processes
  • reboot: Reboots the remote computer
  • shell: Drops into a system command shell
  • shutdown: Shuts down the remote computer
  • sysinfo: Gets information about the remote system, such as OS

Others Commands

  • idletime: Returns the number of seconds the remote user has been idle
  • keyscan_dump: Dumps the keystroke buffer
  • keyscan_start: Starts capturing keystrokes
  • keyscan_stop: Stops capturing keystrokes
  • screenshare: Allows you to watch the remote user’s desktop in real time
  • screenshot: Grabs a screenshot of the interactive desktop
  • record_mic: Records audio from the default microphone for X seconds
  • webcam_chat: Starts a video chat
  • webcam_list: Lists webcams
  • webcam_snap: Takes a snapshot from the specified webcam
  • webcam_stream: Plays a video stream from the specified webcam
  • getsystem: Attempts to elevate your privilege to that of local system
  • hashdump: Dumps the contents of the SAM database

Questions

Answer: No answer needed


Task 4 (Post-Exploitation with Meterpreter)

Once you have gained access with meterpreter, we are in what we call a post-exploitation phase. Meterpreter provides us with many useful commands at this point. We will cover some of the important ones here:

getuid

The getuid command will display the user with which Meterpreter is currently running. This will give you an idea of your possible privilege level on the target system.

ps

The ps command will list running processes. The PID column will also give you the PID information you will need to migrate Meterpreter to another process.

Migrate

This command allows Meterpreter to migrate to another process, giving the possibility to interact with it. Ff you see a word processor running on the target (e.g. word.exe, notepad.exe, etc.), you can migrate to it and start capturing keystrokes sent by the user to this process. Some Meterpreter versions will offer you the keyscan_start, keyscan_stop, and keyscan_dump command options to make Meterpreter act like a keylogger. Migrating to another process may also help you to have a more stable Meterpreter session. To migrate to any process, you need to type the migrate command followed by the PID of the desired target process. Be careful; you may lose your user privileges if you migrate from a higher privileged (e.g. SYSTEM) user to a process started by a lower privileged user (e.g. webserver).

Hashdump

The hashdump command will list the content of the SAM database. The SAM (Security Account Manager) database stores user’s passwords on Windows systems. While it is not mathematically possible to “crack” these hashes, you may still discover the cleartext password using online NTLM databases or a rainbow table attack.

Search

The search command is useful to locate files with potentially juicy information. In a CTF context, this can be used to quickly find a flag or proof file, while in actual penetration testing engagements, you may need to search for user-generated files or configuration files that may contain password or account information.

Shell

The shell command will launch a regular command-line shell on the target system. Pressing CTRL+Z will help you go back to the Meterpreter shell.

Questions

Answer: No answer needed


Task 5 (Post-Exploitation Challenge)

I hope it is clear that Meterpreter provides several important post-exploitation tools. It is also possible to load additional tools by using the load command. This allows us for example to load the whole Python language. Once any additional tool is loaded using the load command, you will see new options on the help menu.

The questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation.

You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec)

Username: ballen

Password: Password1

Questions

What is the computer name?

Startup msfconsole, and enter use exploit/windows/smb/pasexec

Loading the pasexec module

Set the relevant options, in this case RHOSTS (target ip), SMBPass (Password1) and SMBUser (ballen). Finish by entering run! You should have a meterpreter session now.

Let’s try some of the commands that we learned. To answer the question we can use sysinfo:

Checking out sysinfo

Answer: ACME-TEST

What is the target domain?

This one is also given on the above screenshot.

Answer: FLASH

What is the name of the share likely created by the user?

It is time to use some port-exploitation commands. Start by backgrounding meterpreter (Control-Z). Take a look at the session ID by entering sessions -l. This will probably be 1.

Listing the running sessions

Search for the right module by entering search enum. This came up:

Finding the enum_shares module

This sounds interesting. Load it and set the session option to 1).

Loading and running the enum_shares module

Since the username is ballen (Barry Allen, aka the Flash), and the domain was called FLASH I am going to guess the answer is speedster.

Answer: speedster

What is the NTLM hash of the jchambers user?

Well, this was a new thing for me. I tried entering the meterpreter session again by entering sessions -i 1. Then I tried to run hashdump, but this did not work. Some quick googling lead pinpointed me to the migrate command. I listed all processes by using ps. Then I migrated to a system process:

Accessing user hashes

Now hashdump works.

Note: according to the hint you have to migrate to lsass.exe, but I used another system process. I assume any system process will theoretically work.

Answer: 69596c7aa1e8daee17f8e78870e25a5c

What is the cleartext password of the jchambers user?

According to the theory of task 4, we can use online NTLM databases to find the password, since mathematically it is impossible to crack a NTLM hash. I entered the hash at https://crackstation.net/ and got the answer.

Answer: Trustno1

Where is the “secrets.txt” file located?

This one is easy. Simply enter the following command in the meterpreter session:

search -f secrets.txt

The search might take a while, so grab a coffee!

Answer: c:\Program Files (x86)\Windows Multimedia Platform

What is the Twitter password revealed in the “secrets.txt” file?

Enter the following command:

cat “c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt”

Remember the citation marks. This is because of all the spaces in the path.

Answer: KDSvbsw3849!

Where is the “realsecret.txt” file located?

Same as before, use the search command:

search -f realsecret.txt

Answer: c:\inetpub\wwwroot

What is the real secret?

You know the drill:

Reading the real secret!

Since it is located in the wwwroot folder we can also see it in our browser:

Same file on the web server

Answer: The Flash is the fastest man alive

We are done! Great job. I hope you liked this article.


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

Leave a Reply

Your email address will not be published. Required fields are marked *