官方6.1版本在菜单更新了个低版本powershell-empire,<权限维持-系统后门> ,看了下bin文件,用的poetry作为python环境,但是环境里啥也没有,而且低版本的pyproject.toml依赖和系统环境的3.11冲突,so,只能自行安装了
下载及安装
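# Unpack the Empire server and the Starkiller UI from the downloaded GitHub
# archives and place them under /usr/share.
# NOTE(review): these are unversioned "-main" snapshots; pinning a tagged
# release and checking each archive against the publisher's hash makes the
# install reproducible (no hash is given on this page).
unzip Empire-main.zip
mv -- Empire-main powershell-empire
unzip Starkiller-main.zip
mv -- Starkiller-main Starkiller
# Starkiller is served by the Empire API, so it lives under
# powershell-empire/empire/server/api/v2.
mv -- Starkiller powershell-empire/empire/server/api/v2
sudo mv -- powershell-empire /usr/share/
# Unpack the .NET SDK straight into dotnet/ (-C). The original extracted in
# the parent directory after moving the archive into dotnet/, so tar could not
# find it; tar also detects compression itself, so a plain .tar needs no -z.
mkdir -p dotnet
tar -xvf dotnet-sdk-6.0.424-linux-x64.tar -C dotnet
rm -f -- dotnet-sdk-6.0.424-linux-x64.tar
# The symlink below targets the dotnet binary, so that is what needs +x.
chmod +x dotnet/dotnet
sudo mv -- dotnet /usr/share/
# Both trees are executed as root by the launcher script; make them root-owned
# so an unprivileged user cannot edit code that later runs under sudo.
sudo chown -R root:root /usr/share/powershell-empire /usr/share/dotnet
sudo ln -sf /usr/share/dotnet/dotnet /usr/bin/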
创建powershell-empire可执行文件
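# Create the launcher as a root-owned 0755 file in one step (install with
# /dev/null as the source creates an empty file with the given owner/mode),
# then edit it in place. The original touch+mv left the file owned by the
# unprivileged user and never made it executable, yet it is later run via sudo.
sudo install -o root -g root -m 0755 /dev/null /usr/bin/powershell-empire
sudo vi /usr/bin/powershell-empire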
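#!/bin/bash
# Launcher for Empire: starts MariaDB, bootstraps the "empire" database and
# user on first run, then hands every argument to empire.py through poetry.
# Must be run as root (service control and the DB bootstrap need it).
set -euo pipefail

# Refuse to run unprivileged; EUID avoids spawning id(1).
if (( EUID != 0 )); then
  printf 'Error: %s must be run as root\n' "$0" >&2
  exit 1
fi

service mariadb start

# First-run bootstrap: if the "empire" schema is missing, create it together
# with its user and grant. The credentials here must match the database
# settings in the Empire server configuration — check that before changing
# either side.
if ! mysqlshow "empire" > /dev/null 2>&1; then
  printf '%s\n' "Create mysql database empire"
  mysql -Bse "CREATE DATABASE empire;"
  mysql -Bse "CREATE USER empire_user@localhost IDENTIFIED BY 'empire_password';"
  mysql -Bse "GRANT ALL ON empire.* TO empire_user@localhost;"
  mysql -Bse "FLUSH PRIVILEGES;"
fi

# set -e already aborts on a failed cd; the explicit check documents it.
cd /usr/share/powershell-empire || exit 1
# "$@" keeps each argument intact (the original unquoted ${@} re-split on
# whitespace). exec lets the Python process take over the wrapper's PID so
# signals and the exit status reach the caller directly.
exec poetry run python3 empire.py "$@"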
安装poetry环境
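# Install the Python dependencies into a poetry-managed environment. This runs
# as root because the launcher script executes `poetry run` as root and must
# find the same environment.
cd /usr/share/powershell-empire || exit 1
# The shipped lock file pins versions that conflict with the system Python
# 3.11, so drop it and let poetry resolve afresh. This also discards the
# lock's pinned versions and hashes; keep the regenerated poetry.lock so later
# installs are reproducible. rm -f is enough for a regular file.
rm -f -- poetry.lock
# Dependency downloads are very slow here, so route them through a proxy.
sudo proxychains poetry install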
启动
# Start the Empire server through the launcher; it stays in the foreground.
sudo powershell-empire server
# Attach the CLI client (presumably from a second terminal once the server is
# up — confirm the server call does not return on its own).
sudo powershell-empire client