TryHackMe: Metasploit: Meterpreter room write-up

Cursemagic
4 min read · Oct 29, 2021


Hi, this is the write-up for Metasploit: Meterpreter from the Jr Penetration Tester path on TryHackMe. This room is aimed at newbies learning Metasploit. Let’s get started!

############################################

To THM: in this room the exploit often does not run smoothly over the VPN, compared with the attack box provided.

############################################

REMINDER:

I skipped Tasks 1 to 4 as they do not require you to do anything, but reading through them is HIGHLY RECOMMENDED!

Task 5 Post-Exploitation Challenge

Run the Metasploit console in a terminal.

msfconsole

Search for exploit/windows/smb/psexec (as given in the question).

Show the module options.

Set the parameters: RHOSTS (the target IP), LHOST (your attack machine’s IP), and the username and password, which are provided.

Run the exploit and we get a Meterpreter session.

Now we can enter commands. First, run sysinfo, which gives us the answers.

The computer name?

Ans: ACME-TEST

The target domain?

Ans: FLASH

Then background the Meterpreter session with “ctrl + z” and search for enumshares.

Then choose the SMB enumshares module.

Set the parameters.

Run it and the share names appear.

The name of the share likely created by the user?

Ans: speedster

Now run ps in Meterpreter and locate the PID of lsass.exe.

Then migrate to that PID and run hashdump. On my machine the PID was 760.

And we get the hash.
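The two steps above (a service-based psexec login and a migration into lsass.exe followed by hashdump) are also the noisiest steps from a blue-team point of view. The following is an added example, not part of the original write-up or of Metasploit: a small Python detection sketch run over constructed, simplified event records standing in for Windows System log event 7045 (“a service was installed”) and Sysmon event 10 (ProcessAccess). The field names, the sample values, the random-service-name pattern and the interpreter-fragment list are all assumptions chosen for illustration and would need tuning on a real estate.

```python
import re

# Constructed sample records (simplified field names, not real log exports).
# The first two stand for Windows System log event 7045 ("a service was
# installed"); the last two for Sysmon event 10 (ProcessAccess).
SAMPLE_EVENTS = [
    {"source": "System", "id": 7045, "host": "ACME-TEST",
     "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"source": "System", "id": 7045, "host": "ACME-TEST",
     "service_name": "hYkqZlbPeWqa",
     "image_path": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgA"},
    {"source": "Sysmon", "id": 10, "host": "ACME-TEST",
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000"},
    {"source": "Sysmon", "id": 10, "host": "ACME-TEST",
     "source_image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1FFFFF"},
]

# Heuristic (assumption): an auto-generated service name is a run of letters
# with no separators or digits and random-looking case. Tune to your estate.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{8,16}$")
# Fragments (assumption) suggesting the "service binary" is really a
# command-interpreter one-liner rather than a proper service executable.
LOLBIN_FRAGMENTS = ("%comspec%", "powershell", " -e ", " -enc", "-encodedcommand")
PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory


def suspicious_service_install(ev):
    """Return a reason string if a 7045 record looks like remote service execution, else None."""
    if ev.get("source") != "System" or ev.get("id") != 7045:
        return None
    name = ev.get("service_name", "")
    path = ev.get("image_path", "").lower()
    if RANDOM_SERVICE_NAME.match(name) and any(c.isupper() for c in name[1:]):
        return f"random-looking service name {name!r}"
    if any(frag in path for frag in LOLBIN_FRAGMENTS):
        return f"service image runs an interpreter one-liner: {ev['image_path']!r}"
    return None


def lsass_memory_read(ev):
    """Return a reason string if a Sysmon 10 record shows a memory-read handle to lsass.exe."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 10:
        return None
    if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(ev.get("granted_access", "0x0"), 16)
    if mask & PROCESS_VM_READ:
        return f"{ev['source_image']} opened lsass.exe with VM_READ (mask {hex(mask)})"
    return None


def detect(events):
    """Run both rules over a list of records and return the alerts in input order."""
    alerts = []
    for ev in events:
        reason = suspicious_service_install(ev)
        if reason:
            alerts.append({"kind": "remote_service_install", "host": ev["host"], "reason": reason})
        reason = lsass_memory_read(ev)
        if reason:
            alerts.append({"kind": "lsass_memory_read", "host": ev["host"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] {alert['host']}: {alert['reason']}")
```

Against the sample, the Spooler install and the svchost.exe query (limited-information access only, no VM_READ bit) stay quiet, while the random-named service and the full-access handle to lsass.exe each raise one alert. In production the lsass rule is usually paired with an allowlist of known security agents, since legitimate AV/EDR also reads lsass memory.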

Next, copy the hash and crack it.

I use hashcat to crack the hash, with rockyou.txt as the password list.

hashcat -a 0 -m 1000 <PATH TO YOUR HASH FILE> <PATH TO ROCKYOU.TXT>
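In that command, -a 0 is a straight dictionary attack and -m 1000 is the NTLM mode, which hashes candidates against the NT column only. hashdump prints one line per account in the pwdump layout user:RID:LM:NT:::, so you either pass just the NT column or give hashcat the whole line with --username. The block below is an added example, not part of the write-up or of Metasploit: it parses constructed hashdump-style lines (the hash values are made up and belong to no real account), picks out the NT column, and reports the two things an administrator should act on in such a dump, namely accounts with a blank password and accounts still storing a legacy LM hash.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM column when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in the user:RID:LM:NT::: layout that hashdump prints.
# The hash values are invented for illustration and are not real.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
not a hash line at all
"""


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def nt_column(records):
    """Map each user to the 32-hex NT hash, the only field hashcat mode 1000 consumes."""
    return {r["user"]: r["nt"] for r in records}


def audit(records):
    """Flag blank passwords and stored LM hashes, the findings a defender should fix first."""
    findings = []
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "empty password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (weak legacy format)"))
    return findings


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    for user, issue in audit(recs):
        print(f"{user}: {issue}")
```

The blank-password check works because NT hashes are unsalted: every account with an empty password has the same well-known NT value, which is also why a wordlist like rockyou.txt cracks them so quickly.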

AND WE HAVE IT!

NICE!

Next, search for the secret.txt file. Just type “search -f <filename>”. It takes some time to find it.

Then view it! (Remember to answer the directory question.) I changed into the directory found first and then read secrets.txt.

And we get the password!

After that, use the same method to search for “realsecret.txt”. This one is pretty quick.

And we can get the “Secret” inside!

And we are DONE!

Thank you for reading my write-up. I would like to improve my write-up skills in the future; you can reach me on Twitter or in the comments. Sponsors are also welcome. xD

Twitter: https://twitter.com/curse_jk

Buy me a coffee: http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com
