{
	"id": "d18ad464-73d4-4f99-8867-737841b70f50",
	"created_at": "2026-04-06T03:35:53.098839Z",
	"updated_at": "2026-04-10T03:21:05.918572Z",
	"deleted_at": null,
	"sha1_hash": "7e630f8cca24982d252fab0a9312c0141ff6c1e0",
	"title": "GitHub - r00t-3xp10it/meterpeter: C2 Powershell Command \u0026 Control Framework with BuiltIn Commands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 602113,
	"plain_text": "GitHub - r00t-3xp10it/meterpeter: C2 Powershell Command \u0026\r\nControl Framework with BuiltIn Commands\r\nBy r00t-3xp10it\r\nArchived: 2026-04-06 03:18:59 UTC\r\nmmeetteerrppeetteerr vv22..1100..1144\r\n RReelleeaassee SSttaabbllee OS WWiinnddoowwss,,LLiinnuuxx lliicceennssee GPLv3 llaasstt ccoommmmiitt mmaarrcchh 22002244\r\niissssuueess 88 ooppeenn\r\n rreeppoo ssiizzee 6600..99 MMiiBB\r\n Quick Jump List\r\nProject Description\r\nList Of Available Modules\r\nMeterpeter C2 Latest Release\r\nHow To - Under Linux Distributions\r\nHow To - Under Windows Distributions\r\nSpecial Thanks|Contributions|Videos\r\nPlease Read my 'WIKI' page for detailed information about each Module\r\n Project Description\r\nThis PS1 starts a listener Server on a Windows|Linux attacker machine and generates oneliner PS reverse shell\r\npayloads obfuscated in BXOR with a random secret key and another layer of Characters/Variables Obfuscation to\r\nbe executed on the victim machine (The payload will also execute AMSI reflection bypass in current session to\r\nevade AMSI detection while working). You can also recive the generated oneliner reverse shell connection via\r\nnetcat. (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger,\r\nAdvInfo, PostExploit, etc)\r\nmeterpeter payloads/droppers can be executed using User or Administrator Privileges depending of the cenario\r\n(executing the Client as Administrator will unlock ALL Server Modules, amsi bypasses, etc.). Droppers mimic a\r\nfake KB Security Update while in background download\\exec Client in '$Env:TMP' trusted location, with the\r\nintent of evading Windows Defender Exploit Guard. meterpeter payloads|droppers are FUD (please dont test\r\nsamples on VirusTotal).\r\nUnder Linux users required to install powershell and apache2 webserver, Under Windows its optional the install\r\nof python3 http.server to deliver payloads under LAN networks. If this requirements are NOT met, then the\r\nhttps://github.com/r00t-3xp10it/meterpeter\r\nPage 1 of 5\n\nClient ( Update-KB4524147.ps1 ) will be written in meterpeter working directory for manual deliver.\r\nQuick Jump List\r\nATTACKER MACHINE: [Linux Kali]\r\n Warning: powershell under linux distributions its only available for x64 bits archs ..\r\nInstall Powershell (Linux x64 bits)\r\napt-get update \u0026\u0026 apt-get install -y powershell\r\nInstall Apache2\r\nhttps://github.com/r00t-3xp10it/meterpeter\r\nPage 2 of 5\n\napt-get install Apache2\r\nStart Apache2 WebServer\r\nservice apache2 start\r\nStart C2 Server (Local)\r\ncd meterpeter\r\npwsh -File meterpeter.ps1\r\nDeliver Dropper/Payload To Target Machine (apache2)\r\nUSE THE 'Attack Vector URL' TO DELIVER 'Update-KB4524147.zip' (dropper) TO TARGET ..\r\nUNZIP (IN DESKTOP) AND EXECUTE 'Update-KB4524147.bat' (Run As Administrator)..\r\nRemark:\r\n IF dropper.bat its executed: Then the Client will use $env:tmp has its working directory ('recomended')..\r\n IF Attacker decided to manualy execute Client: Then Client remote location (pwd) will be used has working dir .\r\nQuick Jump List\r\nATTACKER MACHINER: [Windows PC]\r\nInstall Python3 (optional)\r\nInstall Python3 (http.Server) to deliver payloads under LAN networks ..\r\nhttps://www.python.org/downloads/release/python-381/\r\nhttps://github.com/r00t-3xp10it/meterpeter\r\nPage 3 of 5\n\nCheck if python http.server its installed\r\n$Local_Host = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\r\npython -m http.server 8080 --bind $Local_Host\r\nCTRL+C # Exit webserver console\r\nStart C2 Server (Local)\r\ncd meterpeter\r\npowershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser\r\npowershell -File meterpeter.ps1\r\nRemark\r\nmeterpeter.ps1 delivers Dropper/Payload using python3 http.server. IF attacker has python3 installed.\r\n'If NOT then the payload (Client) its written in Server Local Working Directory to be Manualy\r\nDeliver' ..\r\nRemmnenber to close the http.server terminal after the target have recived the two files (Dropper \u0026 Client)\r\n'And we have recived the connection in our meterpeter Server { to prevent Server|Client connection\r\nerrors }'\r\nDeliver Dropper/Payload To Target Machine (manual OR python3)\r\nDELIVER 'Update-KB4524147' (.ps1=manual) OR (.zip=automated|silentExec) TO TARGET ..\r\nRemark:\r\n IF dropper.bat its executed: Then the Client will use $env:tmp has its working directory ('recomended')..\r\n IF Attacker decided to manualy execute Client: Then Client remote location (pwd) will be used has working dir .\r\nQuick Jump List\r\nVideo Tutorials:\r\nSpecial Thanks:\r\n@ZHacker13 (Original Rev Shell) | @tedburke (CommandCam.exe binary)\r\n@codings9 (debugging modules) | @ShantyDamayanti (debugging Modules)\r\n@AHLASaad (debugging Modules) | @gtworek (EnableAllParentPrivileges)\r\nmeterpeter WIKI pages (Oficial Documentation)\r\nhttps://github.com/r00t-3xp10it/meterpeter\r\nPage 4 of 5\n\nJump To Top of this readme File\r\nSource: https://github.com/r00t-3xp10it/meterpeter\r\nhttps://github.com/r00t-3xp10it/meterpeter\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/r00t-3xp10it/meterpeter"
	],
	"report_names": [
		"meterpeter"
	],
	"threat_actors": [],
	"ts_created_at": 1775446553,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e630f8cca24982d252fab0a9312c0141ff6c1e0.pdf",
		"text": "https://archive.orkl.eu/7e630f8cca24982d252fab0a9312c0141ff6c1e0.txt",
		"img": "https://archive.orkl.eu/7e630f8cca24982d252fab0a9312c0141ff6c1e0.jpg"
	}
}