How to Upgrade a Normal Command Shell to a Metasploit Meterpreter

Nov 6, 2015 12:55 PM
635823291394232411.jpg

When attempting to compromise a target, we want as much control as possible over the victim. Metasploit's meterpreter allows us to have immense control over the victim, the only issue is that sometimes we can't land a meterpreter. We may only be able to land a standard shell, but fear not, there is a way to upgrade our shell into the all powerful meterpreter!

Anyone who has delved into the wonderful framework that is metasploit should know that it contains post-exploitation modules. These are modules that can be used after a victim has been compromised. Among these modules is the shell to meterpreter upgrade, and today we'll be learning how to use it, so let's fire up metasploit and get started!

The Setup

We'll be practicing this on metasploitable. This is a virtual machine that was built to be hacked, so it's a perfect example! Since metasploitable runs a flavor of linux, we'll be using UNIX payloads, but don't fret, this tactic will work equally well for windows payloads.

Compromise the Target

This might seem a bit broad to be put under one step, but this is just the prerequisite for this tutorial.

We'll be using a samba exploit against our victim in order to land a UNIX shell, written in perl. Let's start by finding our exploit...

635823312047199832.jpg

Alright, we get a lot of results when we run this, so let's do some sifting and find what we're looking for...

635823312457043804.jpg

This is the exploit we'll be using against metasploitable, let's select it with the use command...

635823312669543066.jpg

Alright, now that we've selected our exploit, let's see what requirements are needed to properly execute it...

635823313100793038.jpg
635823313403763181.jpg
635823313100793038.jpg
635823313403763181.jpg

Here we see that we need to set the RHOST (target address), and the RPORT (target port) has already been set for us, now let's set that RHOST!

635823313733762410.jpg

Now that we've set our RHOST, let's try and set our payload. Just to get a better picture of the situation, let's try and set the meterpreter as our payload first...

635823314658763107.jpg

We see here that the meterpreter is not a compatible payload with this exploit, so instead of using it, let's try using something else...

635823314882669430.jpg

Now that we've selected a compatible payload, let's set the options for it, we can see the options by using the show options command...

635823315182982017.jpg

We see here that our options have been set up for us, so let's move on.

Now that we've selected our exploit and payload, and set their options, let's enter the exploit command and launch our attack!

635823315471420313.jpg

Alright! We've landed a shell on the target, but there's only so much we can do with it. Now let's move on to step 2 and begin the upgrade!

Locate and Select the Upgrade Module

Now that we have our shell, it's time for an upgrade. First we have to background the current shell session by giving a control + z...

635823315593605985.jpg

Alright, now let's find our upgrade module by searching for shell_to_meterpreter...

635823316128918204.jpg

Now let's select the upgrade module with the use command...

635823316273449618.jpg

Now that we've found and selected our module, let's use it to upgrade our shell!

Set Values for and Use the Upgrade Module

Now that we have it selected, let's see what options it needs. We'll enter the info command to display the needed values...

635823316714074717.jpg

We can see here that the only options that hasn't been set and is required is the session number, we can enter the sessions -l command to see our current sessions...

635823316988137399.jpg

As we can see, the session number for our normal shell is session 1, let's feed that number to the session value of our module. We'll also be setting the LPORT to 8080...

635823317301887085.jpg

Alright, now when we execute this module, it will use the session we already have to spawn a new meterpreter session, this will give us the control we want! So let's execute this module and get our meterpreter!

635823317702044820.jpg

Now that we have our meterpreter session, we just have to use it.

Interact with the New Session

We finally upgraded to our powerful meterpreter, now we just have to interact with the session in order to use it. This is a very simple, but very necessary step.

First, we'll list our sessions again to see it...

635823319131578470.jpg

Ok, our meterpreter session number is session 3, now we just have to interact with it! We'll enter the sessions -i command followed by our session number (3) in order to start the interaction...

635823319697355721.jpg

There we have it! We were able to compromise the target without landing a fully-fledged meterpreter, and then upgrade the standard command shell that we managed to land instead. This gave us the meterpreter and in turn, the control we wanted!

Feedback!

Sorry if this tutorial seemed a bit mundane, but the information contained is still valuable! It's been a while since I did something other than how to train your python, so I figured I'd break the monotony with something simple and useful. Don't forget to voice your comments, questions, or concerns, I'm positive that they'll all be addressed in some form.

Thank you for reading!

-Defalt

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!