The power of Meterpreter
Meterpreter is an extremely efficient and powerful payload for the post-exploitation phase.
If you want to discover all the commands available in Meterpreter, you just need to type the command `help` (or `?`).
This will display a well-structured list of all the commands you can execute.
We first find the basic commands to navigate or get help.
You also have the `getuid` command which gives you the name of the user under which the session is running, as well as their level of privileges.
Meterpreter also lets you run most of the basic Linux shell commands.
You will also find network commands (to inspect connections), system commands, user-interface control commands, and functions to operate the webcam (taking photos or recording video) or capture audio from the target machine.
Finally, it offers advanced commands for privilege escalation or to extract the password database.
Let's do a few tests.
If I type `pwd`, I see that I am in the folder `C:\Windows\System32`.
I can move up the directory tree and go to the folder `C:\Users`.
If I type `ls` (which works under Meterpreter even on a Windows target), I see the folder of the user `John`.
Be aware that in some cases, if you run commands that are too heavy, Meterpreter can crash and drop the connection to your attack machine.
Let's navigate to John's folder.
Running `ls` again shows his personal directories (such as `Music`), as well as hidden system files such as `NTUSER.DAT` or `PrintHood`.
If I want to create a file using commands like `touch` or `echo`, I notice that some commands do not execute directly from the Meterpreter prompt.
To bypass this, I can open a native Windows command prompt by simply typing the command `shell`.
Here I am now in a standard Microsoft Windows system shell.
If I type `dir`, I get the file list with the usual Windows commands.
I move to the Desktop with `cd Desktop`.
The folder is currently empty.
I can create a text file by typing `echo Hello World > test.txt`.
By typing `dir`, we clearly see that the `test.txt` file has been created.
This system shell allows us to execute all classic Windows commands.
To return to the Meterpreter console, I just need to type `exit` and confirm.
Back in Meterpreter, one of the most interesting commands for post-exploitation is `hashdump`.
It extracts from memory the password hashes of the machine's local accounts: the Administrator account, the Guest account and John's account.
This information is crucial.
I will copy them into a CherryTree notes file so I can try to crack them later.
We can also display the target's network routing table with the `route` command.
This is an essential step if you want to perform pivoting to attack other machines on the internal network from this compromised machine.
If we want to escalate our privileges, we can test the `getsystem` command.
It will use different escalation techniques to try to obtain the highest system privileges (SYSTEM).
In our case, if we run `getuid` again, we find that we are already running as `NT AUTHORITY\SYSTEM`.
We therefore have the highest privileges on the machine.
Meterpreter also offers the possibility to upload tools or download files from the target.
This is very useful if you want to install a persistence script to maintain your access on the machine.
Do not forget that as a professional pentester, you must take care not to disrupt the system and to clean up your traces.
Logging in and manipulating the system leaves traces in the Windows event logs.
In addition, we created a `test.txt` file on the Desktop that must be deleted before leaving the machine.
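Those same traces are what a defender looks for. As an added example that is not part of this lesson, here is a small Python detector run over constructed Sysmon-style events for two artifacts the commands above can leave: a command shell (as spawned by `shell`) whose parent process runs from an unusual location, and a handle with read access opened on `lsass.exe`, which credential-dumping commands such as `hashdump` commonly produce. The sample events, the allowlists and the field names are assumptions for this example and should be tuned per environment.

```python
import json

# Constructed Sysmon-style events in JSON-lines form (sample data, not real telemetry):
# EventID 1 = process creation, EventID 10 = process access.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "WIN10\\John"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\John\\AppData\\Local\\Temp\\svc.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 10, "SourceImage": "C:\\Users\\John\\AppData\\Local\\Temp\\svc.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400"}
'''

SHELLS = {"cmd.exe", "powershell.exe"}
# Parents that legitimately launch shells (assumed allowlist, tune per environment).
TRUSTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "winlogon.exe"}
# Processes that routinely open lsass.exe (assumed allowlist, tune per environment).
TRUSTED_LSASS_CLIENTS = {"csrss.exe", "wininit.exe", "svchost.exe", "msmpeng.exe"}
# PROCESS_VM_READ: the access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, offending image) pairs for the two patterns described above."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) in SHELLS:
            if basename(ev["ParentImage"]) not in TRUSTED_SHELL_PARENTS:
                findings.append(("shell_from_unusual_parent", ev["ParentImage"]))
        elif ev["EventID"] == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            access = int(ev["GrantedAccess"], 16)
            if basename(ev["SourceImage"]) not in TRUSTED_LSASS_CLIENTS and access & PROCESS_VM_READ:
                findings.append(("lsass_memory_read", ev["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, image in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {image}")
```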
In the next lesson, we will see how to try to crack the passwords we just retrieved as hashes thanks to tools like John the Ripper or Hashcat.