Meterpreter commands in Kali Linux | TryHackMe Metasploit: Meterpreter

Captions
Welcome back again to the Pentester, or Junior Pentester, pathway. In this video I'm going over Meterpreter. Meterpreter is a room that comes after the intro and exploitation rooms for Metasploit. I know I haven't made a video for those two rooms, simply because they are simple and easy and they are very common, so I wanted to make a video about this room, about Meterpreter, because not so many know how to use Meterpreter.

Meterpreter is the payload that is installed on the target machine once you have access to it, of course via Metasploit. Basically it's considered a post-exploitation tool, where you use Meterpreter to gather information, or further information, about the target for various reasons, among which are privilege escalation, dumping the SAM database, or the hash, or dumping the hashes of the target system, and of course searching and looking for such files. It's a stable shell, so it is advisable to always use Meterpreter if you can, of course, unless you're doing the OSCP, where you can't use Metasploit.

So in this room there is one challenge, on task 5. I'm sure you can go through the readings from task 1 until task 4; in the last task, task 5, I will be answering the challenge questions. So what it takes to answer the questions: first, deploy the machine, take the IP address, and launch Metasploit on your Kali system. Then what you have to do is use this module, exploit/windows/smb/psexec. Here it's assumed that you have got access to the machine using the credentials they gave you. So we use the exploit and we show the options in order to set the parameters correctly. What do we have here? We're given RHOSTS, so set RHOSTS to the IP address of the target. We also have SMBPass and SMBUser, which you are also given, so set SMBPass to the password and set SMBUser to ballen. Now we've also got to set the IP address of my machine; this is my IP connected to the TryHackMe network, so set LHOST, and I will use LPORT 4545 as I always do. Now we run. I don't think we're gonna need this anymore. Now we will start interacting with Meterpreter.

So here we interact with Meterpreter. The first thing, if you are not familiar with Meterpreter: use the help command to display all of the available commands that you can use against the machine. As you can see, every list of commands is categorized according to its function. For example, here we have core commands; next we have file system commands, the kind of commands that we would resort to if we want to download or upload files, check the hash of certain files, cd to a certain directory, copy a certain file; here we have network commands, system commands. So you see every list contains a set of commands, and these commands are categorized according to their function. And you can see there is a description beside every command, so it is a no-brainer: you can just go over them according to your targets, according to your assignments or your objective; you can read every command and what it does and then use it accordingly.

So if we go back here, we have the list of questions. The first one is: what is the computer name? The computer name is the kind of information that you would find by checking the OS information. So if you go up and look for this category, we have core commands; in the core commands I guess we are able to find information about the machine. Let's check that out. We got here run, nope, sleep... network commands, system commands. So here: getenv, sysinfo, this is what "gets information about the remote system, such as OS". So we found the appropriate command in the system commands. All you have to do is just type sysinfo and it will reveal all the system information, including the computer name, the OS architecture, the domain name. So this command contains the answer for the first and second questions: the computer name is ACME-TEST and the domain is FLASH.

What is the name of the share likely created by the user? Here we look for the shares. If you look closely at the commands, sometimes you won't be able to find the appropriate command for the thing you're looking for. An example would be the case we're dealing with right now: as you can see, we are looking to find the shares on the target, but unfortunately we can't do that, because there is no appropriate command to directly display the shares on the target system. So let me resort back to my notes, my Metasploit notes, and see if there is some way we can handle that. Let me look for "shares". OK, so we have here this module which we can use to enumerate the shares. Now, I know we are inside the Meterpreter shell here; how can we now use another module, an exploit module or a post module, and still keep the session? You have an option, or a command, called background. This will send the current active session to the background, which means it is still running, but you still get to do other things with Metasploit while it is running. So you see here, now it has been backgrounded. Now we can get back to msfconsole and use whatever we would like to use. In our case I want to use a post-exploitation module to reveal the shares. I list the required options; the only thing required is the session that I have active here, so the session ID. I have to supply the session ID here. I can list the sessions using sessions; as you can see we have one active session running with Meterpreter, and the session ID is 1. So I can just set SESSION and type in the ID number, run the post-exploitation module, and as you can see the module has run and we are provided with the list of all of the shares. Now the question is saying: what is the name of the share likely created by the user? The share name likely created by the user is definitely speedster, not NETLOGON, not this volume.

Now, what is the NTLM hash of the jchambers user? We have to get back to Meterpreter, so we type sessions -i and the session ID; here we interact with the session, we restored it from the background. So what is the NTLM hash of that user? To display all of the hashes of the current system, the target, we type hashdump. "Operation failed: The parameter is incorrect." OK, let's look at the hint, maybe something is wrong: "Meterpreter: you will need to migrate to the lsass process first." OK, that's why we were not able to run hashdump: we needed to migrate to another process. So basically, sometimes some commands won't run as you expect them to, because you may need to migrate to another process which has more privileges, right? In order to migrate to another process, first we have to select a process, which means we have to list the running processes using ps. So ps reveals the running processes. Now, why do we select the lsass process? If you look closely at the running processes here, we notice, let's see, lsass, right. We want to migrate to this process if we want to dump the hashes of the SAM database; this is the process responsible for the SAM database. So we check the PID: it is 780. We scroll down and we type migrate 780.

Now we hide Meterpreter within another process. Let's retype hashdump now. Now we are able to dump the SAM database. If you look closely at jchambers, we have its NTLM hash. Now what we can do here is just copy this part and open a new tab. I have already done that yesterday, so I just put the hash inside a file called usermet; cat usermet, this is the hash. Now I use John the Ripper: john usermet --wordlist /usr/share... Oh, we have to define the format, so --format=NT. Now NT stands for NTLM. As you can see the hash has been cracked, and this is the password: Trust no one. So now we answer two questions at once: we answered the hash part and we answered the password part.

Next thing: where is the secrets.txt file located? Here we come to the part where we use Meterpreter to look for sensitive files. In the case here we look for a hypothetical file called secrets, but in a real-world scenario we look for configuration files; mostly configuration files, files containing plaintext passwords, of course. Here we search for the file using the search command, -f, and we specify the file name; in this case we take the file name secrets and we search for that file. Now it will take some time; I'm gonna stop this, but you will find that the path is this one.

What is the Twitter password revealed in the secrets file? Knowing we have revealed the path that contained the file, we can just cd to the path, right? cd... so I guess it is... "The system cannot find the file specified." OK, now we can drop to a shell; it's easier to use the shell when you are dealing with files and directories. So cd, now we type dir, and then we use the type command to reveal the contents of this file. So this is the Twitter password.

Next thing: where is the real_secret.txt file located? Here we go back to Meterpreter and we search for this file again. I'm not gonna run this; actually I ran this, but I'm not gonna let this continue because it will take some time. You will find that the path of this file is this one. Now what is the real secret? It means we have to reveal the contents of this file. Let's take this path, navigate to that path and then reveal the content: drop to shell, cd, dir, type real_secret, and this is the real secret: The Flash is the fastest man alive.

All right, so that concludes the challenge. I hope you found that helpful, and don't forget, if you want the notes, I have released a new set of notes for Metasploit containing my notes on Metasploit. You can access the notes from Google Drive if you are subscribed to the channel membership. Thank you very much, see you in the next video.
Info
Channel: Motasem Hamdan
Views: 20,875
Keywords: Metasploit, Meterpreter, Training
Id: sL8fT4xRiLc
Length: 16min 7sec (967 seconds)
Published: Fri Nov 05 2021