Hi! It is time to look at the third part of the Metasploit rooms on TryHackMe, this part covering Meterpreter. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/meterpreter
Task 1 (Introduction to Meterpreter)
Meterpreter is a Metasploit payload that runs on the target system and supports the penetration testing process. It can interact with the target operating system and files, and allows us to use specialized commands.
The great thing about Meterpreter is that it runs on the target system without the need to install it. This is because it runs in memory and avoids writing files to the disk, which makes it harder for antivirus software to detect. In addition, Meterpreter uses encrypted communication with the server where Metasploit runs.
Questions
Answer: No answer needed
Task 2 (Meterpreter Flavors)
Metasploit payloads can be initially divided into two categories:
- Inline (also called single): Larger, since the whole payload is sent in one step.
- Staged: Smaller, since the payload is sent in two steps. First the initial part (the stager) is installed, and then the rest of the payload is requested.
In addition to this division, meterpreter has a wide range of different versions you can choose from based on your target system. You can list all payloads by using the following command:
msfvenom --list payloads
You can then pipe the output into grep meterpreter to show only the payloads that include Meterpreter.
Your decision on which version of Meterpreter to use is dependent on different factors:
- The target OS
- Components on the target system (Python, PHP website etc.)
- Network connection types (TCP/HTTPS/IPv6)
When using a module, you can type show payloads to list the payloads available for that specific module.
Questions
Answer: No answer needed
Task 3 (Meterpreter Commands)
Next we will cover the different commands available in a Meterpreter session. These run on the target system without loading other scripts or executable files.
A very useful command is help. This lists all available commands. If you run the help command, you will see Meterpreter commands are listed under different categories.
Core commands
- background: Backgrounds the current session
- exit: Terminates the Meterpreter session
- guid: Gets the session GUID (Globally Unique Identifier)
- help: Displays the help menu
- info: Displays information about a Post module
- irb: Opens an interactive Ruby shell on the current session
- load: Loads one or more Meterpreter extensions
- migrate: Allows you to migrate Meterpreter to another process
- run: Executes a Meterpreter script or Post module
- sessions: Quickly switch to another session
File system commands
- cd: Will change directory
- ls: Will list files in the current directory (dir will also work)
- pwd: Prints the current working directory
- edit: Will allow you to edit a file
- cat: Will show the contents of a file on the screen
- rm: Will delete the specified file
- search: Will search for files
- upload: Will upload a file or directory
- download: Will download a file or directory
Networking commands
- arp: Displays the host ARP (Address Resolution Protocol) cache
- ifconfig: Displays network interfaces available on the target system
- netstat: Displays the network connections
- portfwd: Forwards a local port to a remote service
- route: Allows you to view and modify the routing table
System commands
- clearev: Clears the event logs
- execute: Executes a command
- getpid: Shows the current process identifier
- getuid: Shows the user that Meterpreter is running as
- kill: Terminates a process
- pkill: Terminates processes by name
- ps: Lists running processes
- reboot: Reboots the remote computer
- shell: Drops into a system command shell
- shutdown: Shuts down the remote computer
- sysinfo: Gets information about the remote system, such as the OS
Other commands
- idletime: Returns the number of seconds the remote user has been idle
- keyscan_dump: Dumps the keystroke buffer
- keyscan_start: Starts capturing keystrokes
- keyscan_stop: Stops capturing keystrokes
- screenshare: Allows you to watch the remote user's desktop in real time
- screenshot: Grabs a screenshot of the interactive desktop
- record_mic: Records audio from the default microphone for X seconds
- webcam_chat: Starts a video chat
- webcam_list: Lists webcams
- webcam_snap: Takes a snapshot from the specified webcam
- webcam_stream: Plays a video stream from the specified webcam
- getsystem: Attempts to elevate your privilege to that of local system
- hashdump: Dumps the contents of the SAM database
Questions
Answer: No answer needed
Task 4 (Post-Exploitation with Meterpreter)
Once you have gained access with Meterpreter, you are in what we call the post-exploitation phase. Meterpreter provides many useful commands at this point. We will cover some of the important ones here:
getuid
The getuid command will display the user Meterpreter is currently running as. This gives you an idea of your possible privilege level on the target system.
ps
The ps command will list running processes. The PID column will also give you the PID information you will need to migrate Meterpreter to another process.
Migrate
This command allows Meterpreter to migrate to another process, giving you the possibility to interact with it. If you see a word processor running on the target (e.g. word.exe, notepad.exe, etc.), you can migrate to it and start capturing keystrokes sent by the user to this process. Some Meterpreter versions will offer you the keyscan_start, keyscan_stop, and keyscan_dump command options to make Meterpreter act like a keylogger. Migrating to another process may also help you to have a more stable Meterpreter session. To migrate to any process, you need to type the migrate command followed by the PID of the desired target process. Be careful; you may lose your user privileges if you migrate from a higher privileged (e.g. SYSTEM) user to a process started by a lower privileged user (e.g. webserver).
Hashdump
The hashdump command will list the content of the SAM database. The SAM (Security Account Manager) database stores users' passwords on Windows systems. While it is not mathematically possible to "crack" these hashes, you may still discover the cleartext password using online NTLM databases or a rainbow table attack.
Search
The search command is useful to locate files with potentially juicy information. In a CTF context, this can be used to quickly find a flag or proof file, while in actual penetration testing engagements, you may need to search for user-generated files or configuration files that may contain password or account information.
Shell
The shell command will launch a regular command-line shell on the target system. Pressing CTRL+Z will help you go back to the Meterpreter shell.
Questions
Answer: No answer needed
Task 5 (Post-Exploitation Challenge)
I hope it is clear that Meterpreter provides several important post-exploitation tools. It is also possible to load additional tools by using the load command. This allows us, for example, to load Python itself. Once an additional tool is loaded using the load command, you will see new options in the help menu.
The questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation.
You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec)
Username: ballen
Password: Password1
Questions
What is the computer name?
Start up msfconsole, and enter use exploit/windows/smb/psexec.
Set the relevant options, in this case RHOSTS (the target IP), SMBPass (Password1) and SMBUser (ballen). Finish by entering run. You should now have a Meterpreter session.
Let’s try some of the commands that we learned. To answer the question we can use sysinfo:
Answer: ACME-TEST
What is the target domain?
This one is also given on the above screenshot.
Answer: FLASH
What is the name of the share likely created by the user?
It is time to use some post-exploitation modules. Start by backgrounding Meterpreter (Control-Z). Check the session ID by entering sessions -l. This will probably be 1.
Search for the right module by entering search enum. This came up:
This sounds interesting. Load it and set the session option to 1.
Since the username is ballen (Barry Allen, aka the Flash), and the domain was called FLASH I am going to guess the answer is speedster.
Answer: speedster
What is the NTLM hash of the jchambers user?
Well, this was a new thing for me. I tried entering the meterpreter session again by entering sessions -i 1. Then I tried to run hashdump, but this did not work. Some quick googling pointed me to the migrate command. I listed all processes by using ps. Then I migrated to a system process:
Now hashdump works.
Note: according to the hint you have to migrate to lsass.exe, but I used another system process. I assume any system process will theoretically work.
Answer: 69596c7aa1e8daee17f8e78870e25a5c
What is the cleartext password of the jchambers user?
According to the theory of task 4, we can use online NTLM databases to find the password, since mathematically it is impossible to crack an NTLM hash. I entered the hash at https://crackstation.net/ and got the answer.
Answer: Trustno1
Where is the “secrets.txt” file located?
This one is easy. Simply enter the following command in the meterpreter session:
search -f secrets.txt
The search might take a while, so grab a coffee!
Answer: c:\Program Files (x86)\Windows Multimedia Platform
What is the Twitter password revealed in the “secrets.txt” file?
Enter the following command:
cat "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"
Remember the quotation marks; they are needed because of the spaces in the path.
Answer: KDSvbsw3849!
Where is the “realsecret.txt” file located?
Same as before, use the search command:
search -f realsecret.txt
Answer: c:\inetpub\wwwroot
What is the real secret?
You know the drill:
Since it is located in the wwwroot folder we can also see it in our browser:
Answer: The Flash is the fastest man alive
We are done! Great job. I hope you liked this article.