TryHackMe – Metasploit: Meterpreter Write Up

Hello friend,

this is the third room on TryHackMe regarding Metasploit. Time to learn more about Meterpreter, Metasploit’s payload, and shell.

If you don’t know what to do in Meterpreter, help will show you the available commands. First, there are some explanations of what you can do with Meterpreter and how it works. Task 5 is, where we have to do something ourselves. Let’s get to it.

First, we use the windows/smb/psexec exploit with the given credentials to get our shell. For that, we set the RHOSTS, LHOST, SMBPass, and SMBUser options and run it.

What is the computer name?

Once we are in our Meterpreter shell, we can use sysinfo to get this information.

sysinfo

ACME-TEST

What is the target domain?

This is also shown through the sysinfo command.

FLASH

What is the name of the share likely created by the user?

You can just browse to C:\Shares to find out, or use the post/windows/gather/enum_shares module, as recommended in the tip. Let’s try that.

First, background the session via CTRl+Z. Then set the SESSION and run the module.

enum_shares

Speedster is the one we are looking for. After that, you can return to the meterpreter session with sessions -i <session number>

What is the NTLM hash of the jchambers user?

To get the hashes we use hashdump again. But you might get an error:

failed hashdump

The issue is the process, your Meterpreter shell is running out of. You have to migrate first to another process. The hint suggested “lsass.exe” – I used one of the “svchost.exe” which also worked.

migrate and hashdump
What is the cleartext password of the jchambers user?

You can use john to crack the hash. Copy the whole line into a file and then use the command john <your hash file> --format=NT

using john to crack the hash

Trustno1

Where is the “secrets.txt” file located?

We can use the search command. It might take a few minutes though.

search

The answer is “c:\Program Files (x86)\Windows Multimedia Platform”.

What is the Twitter password revealed in the “secrets.txt” file?

You can browse to it, or just cat it from wherever you are. Needs a lot of escape-backslashes though.

cat secrets.txt

KDSvbsw3849!

Where is the “realsecret.txt” file located?

And another search – this one went faster.

search again
What is the real secret?
cat realsecrets.txt

And that’s it for the three Metasploit Rooms.

Share the Post:

Related Posts