This article details a step-by-step approach to using Meterpreter in a Hack The Box challenge, demonstrating how to scan a target, exploit an arbitrary file upload vulnerability in the FortiLogger service, and perform post-exploitation actions to extract sensitive data. Affected: FortiLogger, Microsoft Windows
Keypoints :
- Meterpreter is a powerful post-exploitation tool for interacting with compromised systems.
- The target IP for the challenge was 10.129.124.49.
- Used Metasploit's db_nmap wrapper to scan for open ports and services and store the results in the workspace database.
- Identified multiple open ports: 135 (msrpc), 139 (netbios-ssn), 445 (SMB), 3389 (Microsoft Terminal Services / RDP), and 5000 (http).
- Discovered a login page on port 5000 and tried default credentials against it.
- Reviewed known exploits for the FortiLogger service.
- Exploited an arbitrary file upload vulnerability in FortiLogger to gain code execution on the host.
- Opened a Meterpreter session that was already running with SYSTEM-level privileges.
- Dumped the local password hashes with hashdump and loaded Mimikatz (the Meterpreter kiwi extension) for further credential analysis.
- The challenge highlighted the effectiveness of Meterpreter for accessing and controlling compromised systems.
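The post-exploitation step above ends with the raw output of `hashdump`, one pwdump-format line per local account (`user:RID:LM:NT:::`). The parser below is an added example, not code from the walkthrough or from Metasploit: it validates each line, separates accounts worth a pass-the-hash attempt from blank-password and Guest accounts, builds the `LM:NT` string that tools such as impacket accept, and matches the NT hashes against a known list (here the two hashes from the indicator section). The sample `hashdump` output is constructed; the usernames and RIDs in it are assumed placeholders.

```python
"""Parse Meterpreter `hashdump` output and triage the NTLM hashes it contains.

Added example (not from the walkthrough). The sample below is constructed:
the two NT hashes are the ones listed on this page, the usernames and RIDs
are assumed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Well-known sentinel values seen in pwdump-format output.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM hashes not stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (blank password)

# user:RID:LM:NT::: as printed by hashdump / pwdump-style tools
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: status line included to show that non-hash lines are skipped.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb-student:1001:aad3b435b51404eeaad3b435b51404ee:4b4ba140ac0767077aee1958e7f78070:::
[*] Dumping password hashes...
"""


@dataclass(frozen=True)
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means a short password that is trivially crackable.
        return self.lm != EMPTY_LM

    def pth_string(self) -> str:
        """LM:NT form accepted by impacket's -hashes option and similar tools."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> list[SamEntry]:
    """Return one SamEntry per well-formed hash line; other lines are ignored."""
    entries: list[SamEntry] = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:  # Meterpreter status lines, blank lines, malformed input
            continue
        entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def triage(entries: list[SamEntry]) -> tuple[list[SamEntry], list[SamEntry]]:
    """Split entries into (reusable, skipped).

    Blank-password accounts and the built-in Guest account (RID 501) are not
    worth a pass-the-hash attempt; everything else is a candidate.
    """
    reusable, skipped = [], []
    for e in entries:
        if e.blank_password or e.rid == 501:
            skipped.append(e)
        else:
            reusable.append(e)
    return reusable, skipped


def find_known_hashes(entries: list[SamEntry], known_nt: list[str]) -> list[str]:
    """Usernames whose NT hash appears in a known-hash list (e.g. an IoC feed)."""
    wanted = {h.lower() for h in known_nt}
    return [e.user for e in entries if e.nt in wanted]


if __name__ == "__main__":
    found = parse_hashdump(SAMPLE_HASHDUMP)
    reusable, skipped = triage(found)
    for e in reusable:
        print(f"candidate  {e.user:<14} rid={e.rid:<5} -hashes {e.pth_string()}")
    for e in skipped:
        print(f"skipped    {e.user:<14} rid={e.rid:<5} blank_password={e.blank_password}")
    print("matches IoC list:", find_known_hashes(found, ["bdaffbfe64f1fc646a3353be1c2c3c99"]))
```

The regex deliberately requires exactly 32 hex characters for both halves, so a truncated copy-paste of a hash is rejected rather than silently reused; `lm_stored` is there because an LM hash other than the empty-string sentinel is a finding in its own right.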
MITRE Techniques :
- Initial Access (T1190, Exploit Public-Facing Application) – Exploited the arbitrary file upload vulnerability in the FortiLogger web service on port 5000. (T1203, Exploitation for Client Execution, covers client-side software such as browsers and does not fit a server-side service exploit.)
- Command and Control – Interacted with the host through the resulting Meterpreter session. The write-up describes no persistence mechanism, so a Persistence mapping (T1546, Event Triggered Execution) is not supported by the content.
- Credential Access (T1003, OS Credential Dumping) – Collected local password hashes with the hashdump command.
- Credential Access (T1003.002, Security Account Manager) – Used the Mimikatz (kiwi) lsa_dump_sam command to dump the SAM database. (T1003.001 is LSASS Memory; lsa_dump_sam reads the SAM, not LSASS.)
- Privilege Escalation (T1068) – SYSTEM-level privileges came directly from the exploited service; no separate privilege-escalation step is described, so this mapping applies only in the sense that the initial exploit already ran as SYSTEM.
Indicators of Compromise :
- [IP Address] 10.129.124.49 (lab target)
- [IP Address] 10.10.14.75 (attacking host / Meterpreter listener)
- [Hostname] WIN-51BJ97BCIPV (target computer name, not a domain)
- [Hash: NTLM] bdaffbfe64f1fc646a3353be1c2c3c99
- [Hash: NTLM] 4b4ba140ac0767077aee1958e7f78070