# TryHackMe Wreath Official Walkthrough Task 27: Command and Control - Empire: Agents

## Metadata

- **Channel:** DarkSec
- **YouTube:** https://www.youtube.com/watch?v=T9Pr9pPjdMM

## Contents

### [0:00](https://www.youtube.com/watch?v=T9Pr9pPjdMM) Segment 1 (00:00 - 05:00)

Hey everyone, welcome back to another video over the Wreath network on TryHackMe. Today we're going to be going over task 27, Empire agents, within the command and control section.

Now that we've started a listener and created a stager, it's time to put them together to get an agent. We've been building up to, uh, up towards getting an agent on the compromised web server, so let's do that now. The process for this is identical whether we are using Starkiller or CLI, or the Empire CLI rather. We need to get the file onto the target and executed there. There are a variety of ways we could do this. The simplest would be simply to use your preferred CLI text editor to create a file on the target and then copy and paste the script in. Then you just need to execute it at the end. Very simple. If using this method, please do it in the /tmp directory and follow the filename username.sh naming convention.

We could also use something here called a here document, or here-document, to execute the entire script without ever writing it to the disk. That said, this is overkill. If we read through the script, we can see that it is in three main parts. So we have /bin/bash, and then we are, uh, the actual body of the script here, and then rm -f, uh, $0 and exiting. In the green square we have the shebang. This tells the shell which interpreter to run the script under. Uh, in this case the script would be run using the /bin/bash interpreter, so just bash. The red square contains the payload itself; this is the section we're interested in. The blue square contains post-processing commands. Specifically, these two lines tell the script to delete itself, then exit. Knowing this, we can just copy everything in the red square and then execute it in a terminal on the target. So we can just copy this bit here, nice and easy. Um, in this case I'll probably end up doing that, where I just copy this to my clipboard, open up a visual text editor like Mousepad, and then we'll just take the middle bit out, because that's what we ultimately need.

This results in an agent being received by a waiting listener. In the Empire CLI, receiving a listener looks something like this, so very similar to receiving a Metasploit connection right there. We can then type agents and hit enter to see a full list of available agents, and we can see that down here. This name is random. I believe you can, yeah, you can change that pretty easily. To interact with an agent we use interact and then the agent name. This puts us into the context of the agent. We can view a full list of Empire available commands, rather, with help. So we can do interact, the name of the agent there, and then help gives us all the commands, and there's lots and lots of stuff we can do. Note that this menu will change depending on the stager used.

When we have finished with our agent, we use the back command to switch back, or context back, to the agent menu. This doesn't destroy the agent. However, if we did want to kill our agent, we would do it with the kill and then agent name command, and we can see that demo right down here below. We can also rename agents using the command rename, and then the agent name as it stands, and then our new name at the end.

To interact with agents in Starkiller we go to the Agents tab, which is going to be right down here, so the third one on the left-hand side of the screen. Here we can see that our agent has checked in, and there we go. Note that once again, if you have an agent back to an Empire listener, this will, uh, also show up here. To interact with an agent in Starkiller we can either click on it directly or click on the pop-out icon in the rubbish bin action, or icon in the Actions column, or next to the rubbish bin icon rather. This results in a pop-up menu giving us the option to execute shell commands or modules.

Let's go ahead. I am going to copy this to a clipboard and I'm going to actually sudo su. I'm going to go ahead and run my stager so that we just get this back and we can see what it looks like. So cd web, uh, cd loot web server, and then we're going to do ssh -i and we'll run that full command there. And now we can go ahead and nano stager-dark-initial.sh. I'm gonna go and pop, or paste, this in, and there we go. chmod +x stager-dark-initial.sh, and then we can go ahead and run that, and we should be able to see it now in our menu. And there we go, cool. Uh, so we can see that we can interact with it here, this would be to kill it, and then we can interact with it. They're a little dangerous, having those close together, but we can easily just click on this as well. So

### [5:00](https://www.youtube.com/watch?v=T9Pr9pPjdMM&t=300s) Segment 2 (05:00 - 07:00)

this results in a pop-up menu giving us the option to execute shells or commands. Uh, we'll go ahead and click on that here, and there's our pop-up menu. That, uh, that's a little big. It gives us a nice, um, way that we can interact with that agent specifically. Really convenient. Um, in this case we can actually even just close the SSH session that we have open to that, because, well, we have an agent running on there, which is even better.

As noted previously, Starkiller's collaborative features are superb. Any command executed here will show up attached to the username of the Starkiller account who executed it. So in this case I'm running as empire admin, so I'll be the one executing it. Typically you want to have one of those per team member, with a code name for that team member.

To delete agents in Starkiller we can use either the trashcan icon in the pop-out agent window or the trashcan in the Agents menu itself. So there's a trashcan there if we want to kill it. I don't want to. I like having shells on things. I don't know about you, um, guys, rather. We can kill right there.

Let's see. Using the command for guidance, in the CL, Empire CLI, how would we run, uh, the whoami command inside of an agent? Um, in this case I'm gonna take a look through the commands that we have. Um, it looks like it's just going to be shell and then whoami, judging from this. And there we go.

We now have, uh, we have now covered the basics of Empire, with the exception of modules, which we will look at after getting back, or getting an agent back, from the git server. Kill your agents on the web server, then let's look at proxying Empire agents. So I'm gonna mark that as completed. I'm going to go ahead and, as much as it pains me, I am going to kill this agent. I can always rerun that if I want to. Oh, that was painful. Oh, I did not like doing that. I don't know about you guys. Not, uh, not ideal. Um, that being said, I'll see you guys next time when we cover task 28, hop listeners with Empire. But until then, happy hacking.

---
*Source: https://ekstraktznaniy.ru/video/38727*