Introduction
We covered Meterpreter as a post-exploitation tool from Metasploit. This video covered most popular commands and their use. This was part of TryHackMe Junior Penetration Tester pathway.
Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a command and control architecture. You will interact with the target operating system and files and use Meterpreter’s specialized commands.
Meterpreter has many versions which will provide different functionalities based on the target system.
Complete Practical Metasploit Course
How does Meterpreter work?
Meterpreter runs on the target system but is not installed on it. It runs in memory and does not write itself to the disk on the target. This feature aims to avoid being detected during antivirus scans. By default, most antivirus software will scan new files on the disk (e.g. when you download a file from the internet) Meterpreter runs in memory (RAM – Random Access Memory) to avoid having a file that has to be written to the disk on the target system (e.g. meterpreter.exe). This way, Meterpreter will be seen as a process and not have a file on the target system.
Meterpreter also aims to avoid being detected by network-based IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) solutions by using encrypted communication with the server where Metasploit runs (typically your attacking machine). If the target organization does not decrypt and inspect encrypted traffic (e.g. HTTPS) coming to and going out of the local network, IPS and IDS solutions will not be able to detect its activities.
While Meterpreter is recognized by major antivirus software, this feature provides some degree of stealth.
Setup and Launch
he instructor demonstrates how to exploit a target machine using the smb/psexec module in Metasploit by configuring parameters like RHOST (remote host IP), SMB username, password, and local host settings.After setting these parameters, they run the exploit and start interacting with the Meterpreter shell.
Meterpreter Commands
By using the help command, users can see the full list of Meterpreter commands categorized into sections like core commands, file system commands, network commands, and system commands.The commands allow users to perform tasks such as file uploads/downloads, navigating directories, retrieving system info, and interacting with the target network.
Practical Challenge Walkthrough
The video addresses a specific challenge that involves answering questions based on interacting with a compromised machine:
- Retrieve the computer name and domain: By running the
sysinfocommand, the instructor extracts the target system’s information. - Find the user-created share: The instructor uses a post-exploitation module to list the available shares and identifies the one created by the user.
- Extract NTLM hashes: After migrating to the LSASS process (responsible for handling authentication), the instructor dumps the password hashes.
- Crack the hash: Using John the Ripper, they crack the NTLM hash to reveal the password.
Searching for Files
The challenge involves locating files like secrets.txt and real_secret.txt. The instructor uses the search command in Meterpreter to locate these sensitive files and reveals their content using commands like cd, ls, and type.
TryHackMe Metasploit: Meterpreter | Room Answers
What is the target domain?
What is the name of the share likely created by the user?
What is the NTLM hash of the jchambers user?
What is the cleartext password of the jchambers user?
Where is the “secrets.txt” file located?
What is the Twitter password revealed in the “secrets.txt” file?
Where is the “realsecret.txt” file located?
What is the real secret?
Video Walk-through
