Metasploit: Meterpreter TryHackMe

Overview

This room introduces Meterpreter, Metasploit’s advanced payload and post-exploitation environment. It explains how Meterpreter runs on the target, why it is useful, how payload flavors differ, and which commands matter most once you land a session.

Core idea: a Meterpreter session gives you a more capable post-exploitation interface than a simple shell, but you still need to understand the target, pick the right payload, and use the right built-in commands.

1) What Meterpreter Is

Meterpreter is a Metasploit payload that runs as an agent on the compromised target and provides specialized post-exploitation functionality.

It is designed to run in memory rather than being dropped to disk as a normal executable.
It communicates back to the attacker through an encrypted channel.
It gives access to commands for file operations, networking, processes, and system interaction.

2) Why Meterpreter Is Considered Stealthier

The room emphasizes that Meterpreter is meant to reduce obvious artifacts on the target.

It runs in memory, which avoids creating a simple payload file on disk.
Its traffic is encrypted, which can make detection harder for network monitoring that does not inspect encrypted streams.
It often appears inside another legitimate process rather than as a process named after the payload.

Important limit: this does not mean Meterpreter is invisible. Modern antivirus and security products still detect it frequently.

3) Process Context and PIDs

The room shows how getpid reveals the process ID Meterpreter is using, and how ps can list running processes on the target.

getpid tells you which process Meterpreter is currently running inside.
ps helps identify process names, parent-child relationships, and user context.
This is useful when deciding whether to migrate to a different process or verify your execution context.

4) Meterpreter Flavors

Meterpreter is available in multiple variants depending on the target environment.

Supported platforms include Windows, Linux, Android, Java, PHP, Python, macOS, and more.
Some payloads are staged; others are stageless.
You can inspect available Meterpreter payloads with msfvenom --list payloads | grep meterpreter.

Your choice depends on:

the target operating system,
available runtimes or components on the target,
the kind of network connection that is realistic, such as raw TCP or HTTPS.

5) Payload Selection Inside Exploits

Many Metasploit exploit modules already suggest or default to a Meterpreter payload.

For example, an exploit may default to something like windows/x64/meterpreter/reverse_tcp.
You can view compatible alternatives with show payloads.
Your final payload choice may be constrained by the exploit module and the target architecture.

Practical rule: do not blindly accept the default payload. Check architecture, network constraints, and whether a staged or stageless option makes more sense.

6) Core Meterpreter Commands

Once you land a session, help should be one of the first commands you run.

Session control: background, sessions, exit
General info: help, guid, info
Migration and extensions: migrate, load, run

Available commands vary by Meterpreter flavor, so the help menu is always the authoritative reference for the current session.

7) Useful Command Categories

The room groups Meterpreter functionality into practical categories.

File system: cd, ls, pwd, cat, upload, download, search
Networking: ifconfig, netstat, arp, portfwd, route
System: getuid, sysinfo, ps, kill, shell, execute, reboot, shutdown

These built-in commands run through Meterpreter itself, which is often cleaner than dropping additional tools to disk.

8) Practical Post-Exploitation Mindset

This room is mainly about using the session effectively after exploitation succeeds.

Confirm who you are with getuid.
Confirm what system you are on with sysinfo.
Inspect running processes with ps.
Use built-in file and network commands before adding more tooling.
Background the session when you need to return to msfconsole.

Exam Notes (PT1)

Meterpreter is an in-memory Metasploit payload with an encrypted C2 channel and rich post-exploitation commands.
It is stealthier than a plain dropped binary, but it is still widely detectable.
Payload selection depends on OS, architecture, target components, and network constraints.
show payloads reveals compatible payloads for an exploit module; help reveals commands available in the current session.
Know the common Meterpreter commands for session control, file access, process inspection, networking, and system enumeration.