Part 3 – Delivering the Payload and Gaining Admin Access
Goals
- Use social engineering tactics to deliver the malicious .exe file we created
- Gain a Meterpreter shell with administrator-level access on the target system
Process
Now that we’ve created a malicious payload and opened a listener in our Kali VM, we need to devise a way of getting that file onto the target system and executing it. Often, this is where a few ‘social engineering’ tactics come in handy. There are ways to remotely deliver a file to a target, but they almost always still require severely compromised security at the target and involve much more trial and error than this series can cover.
So, here’s a potential scenario that an attacker might use:
- The attacker has used passive reconnaissance techniques to create a list of email addresses at a target company; we’ll call it Timmy’s Open Ports & More.
- The attacker crafts an official-looking email (with the official logo and a few real company links) with a spoofed email address from Timmy’s.
- This email contains a message from the fake IT Department instructing users to double-click the attached “Microsoft Defender Update” to manually install a critical security update.
- In many cases, the victims’ computers will reject the file as unsafe (although there are ways to get around that too), but you only need one user to successfully install the file. The more email addresses you have, the better.
Will a user actually fall for this old phishing trick? Yes, probably. I’ve gradually developed the opinion that most people don’t really know how to use computers and, especially if the target is a non-technical group, the likelihood of someone installing your file in an attempt to follow official-looking instructions is pretty good.
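A mail-gateway check for the scenario above, added here as an example and not part of the original tutorial: it flags a message that claims an internal sender but failed SPF/DKIM/DMARC, and any attachment that is executable by name or by its MZ header. The domain timmys.example, the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click (illustrative, not exhaustive).
RISKY_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi")

def triage(raw: bytes, our_domain: str) -> list:
    """Return reasons to quarantine a message; an empty list means none found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Spoofing: mail claiming our own domain that failed sender authentication.
    # Only trust an Authentication-Results header written by your own gateway.
    addrs = msg["From"].addresses if msg["From"] else ()
    auth = str(msg.get("Authentication-Results", "")).lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if any(a.domain.lower() == our_domain for a in addrs) and failed:
        reasons.append("internal sender failed " + "/".join(failed))
    # Executable attachments: check the name and the first bytes, since a
    # renamed file keeps its "MZ" DOS/PE header.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment name: {name}")
        if data[:2] == b"MZ":
            reasons.append(f"attachment has PE header: {name}")
    return reasons

def build_sample(auth: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; timmys.example is a placeholder domain."""
    m = EmailMessage()
    m["From"] = "IT Department <it@timmys.example>"
    m["To"] = "user@timmys.example"
    m["Subject"] = "Critical security update"
    m["Authentication-Results"] = auth
    m.set_content("Please install the attached update.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

PHISH = build_sample("mx.timmys.example; spf=fail; dmarc=fail",
                     "Microsoft Defender Update.exe", b"MZ" + bytes(62))
BENIGN = build_sample("mx.timmys.example; spf=pass; dkim=pass; dmarc=pass",
                      "handbook.pdf", b"%PDF-1.7\n")

if __name__ == "__main__":
    print(triage(PHISH, "timmys.example"))
    print(triage(BENIGN, "timmys.example"))
```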
Because this tutorial exists for educational purposes only, go ahead and use a USB drive to copy the .exe file you created over to your target system or email it to yourself. If you’ve downgraded the built-in security tools as described in Part 1, Windows won’t even bat an eyelash at downloading or copying over the file. Here is what an unsuspecting user will see in their downloads after clicking your link:

Looks pretty official, right? Because of the shady social engineering tactics an attacker might use as described above, many users would have no problem double-clicking this file as instructed. After double-clicking from the target’s point of view, nothing happens – no windows or messages pop up and they can go on about their day as normal. However, from the listener on our Kali VM, we can see that we are in business:

From your Meterpreter shell, type a few commands to check the privilege level you have on the system, as well as your current directory.
getuid
pwd
The first command will show that you are logged in as whoever the current user is. In my case, since I’m using a Windows 11 VM on VMware, I am simply logged in as “User.” The second command shows that my working directory is currently C:\Users\User\Downloads.
This is ok – I have a local administrator account on the target machine already, but Meterpreter makes it incredibly easy to do better. Still at the Meterpreter prompt, type:
getsystem
BAM! You now have system-level access to the target machine and can literally accomplish any task on the system as if you were the OS itself; there is no higher level of access to Windows than SYSTEM.
Finally, you can drop into a Windows shell by simply typing shell, and now you have a Windows command prompt. You can search the file system, call programs (such as PowerShell), and otherwise create quite a bit of havoc, all of it with no warning to the real human user of the system (that is, until you break something). Here is what this looks like from Kali:

Well, that’s it for now. I really hope you’ve enjoyed learning this process as much as I have getting it all organized into an organized format. Please leave your comments/questions below and stay tuned for future tutorials!