In this video we continue with post-exploitation, this time using Metasploit and Meterpreter. We have socially engineered the victim into visiting our malicious webpage, which has given us an initial connection to the victim machine and our Meterpreter shell. Now we will show a few simple commands you can use to escalate your permission level, clear logs and gather information post-exploit.
If you have not read the previous guides or watched the videos, I recommend taking a look, as all the steps are shown and explained in detail there. If you are not sure about something shown here, go back and read the previous guides.
As with this entire series, the attacker machine is on the right with the victim on the left.
Commands used in this video are:
- getuid – shows who we are currently running as on the victim server.
- sysinfo – gets the details about the victim computer such as OS and name.
- screenshot – grabs a screenshot of the desktop of the Meterpreter session.
- download – downloads a selected file.
- upload – uploads a selected file.
- getsystem – uses 15 built-in methods to gain sysadmin privileges.
- load kiwi – mimikatz (if you don’t know what this is go have a look online) has been ported into Metasploit and when you load the extension you can use it straight from the meterpreter session.
- lsa_dump_sam – dumps the SAM database (local account password hashes) to the screen (uses Kiwi).
- ps – lists running processes on the victim machine.
- shell – opens a command shell on the victim machine.
- clearev – clears the event logs on the victim’s computer.
We are on our victim machine using our Meterpreter shell, and first off we want some basic information from the machine such as the user account and OS.
Using the getuid command we can see we are running as administrator on testadmin-pc.
Using the sysinfo command shows us a bit more about the host; for example that it is a 32-bit version of Windows 7 running service pack 1.
Next we take a screenshot of the desktop just out of curiosity. You never know what you might grab by chance.
Next we use the download command to steal a file named “Passwords.txt”. (Obviously in real life you will need to list and browse the victim file system looking for files of interest, but we have skipped that part in this video as it would be boring just watching me browse through directories lol!)
Note the double back slashes.
Here we can see the file saved to our root directory after being downloaded from the victim's machine.
We can also upload files if we wish. If we want to install a more persistent backdoor (even something like TeamViewer), we can get our installer onto the target.
BACKDOOR.exe is the file we want to upload. Again note the double back slashes below.
Above we can see the file on the victim's machine. (You would obviously upload to somewhere less conspicuous.)
Currently we are running as administrator which is really great, but if we want to access all other user credentials on the victim machine we need to be running as system. Let’s try and elevate our privileges using the getsystem command.
Now let’s load kiwi and try to dump the SAM file. First we load kiwi.
Then we run lsa_dump_sam.
Success! It returns 6 account names and their password hashes. (If you don’t know what to do with password hashes check out our guide on how to crack them). https://blog.2code-monte.co.uk/2020/08/02/cracking-password-hashes-hacking-rdp-servers-part-3/
If we want to look at running processes we simply use ps.
Below we have highlighted our malicious process running on the victim which is our meterpreter shell.
If we want to open a Windows cmd prompt and interact with the victim machine using Windows commands we use shell.
Here we just open the windows calculator to demo, but there is much more you can do which we will cover in future guides.
All of this activity leaves a trace and we don’t want anyone knowing what we have been up to so before we go we want to delete the logs from the system. For this we have the clearev command.
We open up Event Viewer on the victim so you can see that the logs are full initially, then empty after the command has completed.
Now, clearing the log is evidence in itself that something has happened on the machine, but the defenders will no longer have the specific events that could point them in the right direction, and some will never check the event logs anyway, so they won’t even notice.
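The point above, that a cleared log is itself evidence, is exactly what a defender should alert on. Windows writes a marker record into the freshly cleared log (Security event ID 1102 "The audit log was cleared", and System event ID 104 for the other logs), so the wipe leaves a trace even after clearev. The script below is an added example for the detection side, not code from the original post: it runs over a constructed set of event records (made up to resemble what an EVTX export or a collector would hold after the logs on the victim were cleared) and flags both the marker events and any log whose oldest surviving record is suspiciously recent, which goes a little beyond the marker check because it also catches a wipe where the marker itself was lost.

```python
"""Spot Windows event-log clearing in exported event records.

Added defender-side example. The records in SAMPLE_HOST_EVENTS are
constructed to look like an on-host export taken after the logs were
cleared; they are not taken from the original post.
"""
from datetime import datetime, timedelta

# Windows writes these into the freshly cleared log, so they survive the wipe:
#   Security / 1102  "The audit log was cleared"
#   System   / 104   "The <name> log file was cleared" (for Application, System, ...)
# Both come from the Microsoft-Windows-Eventlog provider.
LOG_CLEARED_MARKERS = {("Security", 1102), ("System", 104)}

# Constructed on-host view after the three standard logs were cleared.
# "user" is the account recorded as the subject of the event (constructed values).
SAMPLE_HOST_EVENTS = [
    {"log": "Security", "id": 1102, "time": "2020-08-10T09:40:05", "user": "testadmin"},
    {"log": "Security", "id": 4624, "time": "2020-08-10T09:41:12", "user": "testadmin"},
    {"log": "System", "id": 104, "time": "2020-08-10T09:40:05", "user": "testadmin",
     "target_log": "System"},
    {"log": "System", "id": 104, "time": "2020-08-10T09:40:06", "user": "testadmin",
     "target_log": "Application"},
    {"log": "System", "id": 7036, "time": "2020-08-10T09:42:00", "user": "SYSTEM"},
    {"log": "Application", "id": 1000, "time": "2020-08-10T09:41:00", "user": "testadmin"},
]


def _ts(record):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(record["time"])


def find_log_clears(events):
    """Return one alert per log-cleared marker: which log, who cleared it, when.

    For System/104 the cleared log is named in the event's own data
    (target_log here); for Security/1102 it is the Security log itself.
    """
    alerts = []
    for rec in events:
        if (rec["log"], rec["id"]) in LOG_CLEARED_MARKERS:
            alerts.append({
                "cleared_log": rec.get("target_log", rec["log"]),
                "event_id": rec["id"],
                "user": rec["user"],
                "time": rec["time"],
            })
    return sorted(alerts, key=lambda a: (a["time"], a["cleared_log"]))


def young_logs(events, now_iso, min_age_days):
    """Return names of logs whose oldest surviving record is younger than
    min_age_days as of now_iso.

    A log that should hold weeks of history but starts only hours ago has
    almost certainly been cleared, whether or not a marker event is present.
    """
    now = datetime.fromisoformat(now_iso)
    min_age = timedelta(days=min_age_days)
    oldest = {}
    for rec in events:
        t = _ts(rec)
        if rec["log"] not in oldest or t < oldest[rec["log"]]:
            oldest[rec["log"]] = t
    return sorted(log for log, t in oldest.items() if now - t < min_age)


if __name__ == "__main__":
    for a in find_log_clears(SAMPLE_HOST_EVENTS):
        print(f"[!] {a['cleared_log']} log cleared by {a['user']} "
              f"at {a['time']} (EventID {a['event_id']})")
    # Review a few hours after the constructed clear: every log looks newborn.
    print("logs with no record older than 1 day:",
          young_logs(SAMPLE_HOST_EVENTS, "2020-08-10T12:00:00", 1))
```

Two design points follow from the post itself. First, the marker and the age check only work against whatever survived on the host, so forwarding events to a collector as they are written (Windows Event Forwarding or a SIEM agent) is what keeps the pre-wipe activity available; clearev removes the local copy only. Second, the 1102 record carries the account that did the clearing, which after getsystem will be a highly privileged account acting at an odd time, and that pairing is itself worth a rule.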
Hope you got something out of this, and that it has helped you be more aware of what can happen on a system. There will be one more post-exploitation video, and then we will start to look at how you detect and spot this activity on your endpoints.