The official 6.1 release added an older powershell-empire build to the menu (under Persistence - System Backdoors). Looking at the bin file, it uses poetry as the Python environment, but the environment contains nothing, and the old version's pyproject.toml dependencies conflict with the system's Python 3.11, so the only option is to install it yourself.
Change the pip mirror
sudo vi /etc/pip.conf
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple
Install poetry
sudo pip install poetry --break-system-packages
Install mariadb
$ sudo apt install mariadb-server -y
# Start the service
$ sudo service mysql start
# Run the initial security script
$ sudo mysql_secure_installation
- Enter current password for root # just press Enter (root has no password by default)
- Switch to unix_socket authentication # this authentication needs no password and is not secure, enter n
- Change the root password # enter n
- Remove anonymous users # enter Y
- Disallow root login remotely # enter Y
- Remove test database and access to it # enter Y
- Reload privilege tables now # enter Y
Download and install powershell-empire
git clone https://github.com/BC-SECURITY/Empire.git
mv Empire powershell-empire
sudo mv powershell-empire /usr/share/
mkdir dotnet
mv dotnet-sdk-6.0.424-linux-x64.tar dotnet
# Extract inside the dotnet directory (the archive was just moved there); plain -xvf lets tar detect whether the archive is gzip-compressed
cd dotnet
tar -xvf dotnet-sdk-6.0.424-linux-x64.tar
rm -rf dotnet-sdk-6.0.424-linux-x64.tar
cd ..
# The executable that needs the x bit is the dotnet binary inside the directory
chmod +x dotnet/dotnet
sudo mv dotnet /usr/share/
sudo ln -sf /usr/share/dotnet/dotnet /usr/bin/
Create the powershell-empire launcher
touch powershell-empire
sudo mv powershell-empire /usr/bin/
sudo vi /usr/bin/powershell-empire
#!/bin/bash
set -e
# Check if running as root
if [ "$(id -u)" -ne 0 ]; then
  echo "Error: $0 must be run as root" 1>&2
  exit 1
fi
service mariadb start
# Check if the MySQL database empire exists.
# If the DB does not exist, it will create the DB, the DB user and the
# user password.
if ! mysqlshow "empire" > /dev/null 2>&1; then
  echo "Create mysql database empire"
  mysql -Bse "CREATE DATABASE empire;"
  mysql -Bse "CREATE USER empire_user@localhost IDENTIFIED BY 'empire_password';"
  mysql -Bse "GRANT ALL ON empire.* TO empire_user@localhost;"
  mysql -Bse "FLUSH PRIVILEGES;"
fi
cd /usr/share/powershell-empire
# Quote "$@" so arguments containing spaces reach empire.py intact
exec poetry run python3 empire.py "$@"
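The launcher above bakes the literal password 'empire_password' into a world-readable file under /usr/bin. The following is an added example (not from the original post and not part of the Empire project) showing how the same database bootstrap can instead generate a random password once, keep it in a root-only file, and validate it before interpolating it into SQL. The secret file path, the helper names and the EMPIRE_SETUP_RUN guard are this example's own assumptions; the generated password must also be copied into wherever Empire's server config expects the database password, which this page does not cover.

```shell
#!/bin/sh
# Added example: database bootstrap without a hard-coded password.
# Assumed secret location (not from the original post):
SECRET_FILE="${SECRET_FILE:-/etc/powershell-empire/db_password}"

# Generate a random password: 32 hex characters from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create the secret file once (owner-only permissions via umask 077 in a
# subshell, so the caller's umask is untouched) and print its content.
# Re-running reuses the stored password instead of silently rotating it.
ensure_secret() {
    file="$1"
    if [ ! -f "$file" ]; then
        mkdir -p "$(dirname "$file")"
        (umask 077; gen_password > "$file")
    fi
    cat "$file"
}

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Emit the SQL for the database and user. Only the password is interpolated,
# and it is required to be non-empty hex so it cannot close the quoted literal.
grant_sql() {
    db="$1"; user="$2"; pass="$3"
    case "$pass" in
        *[!0-9a-f]*|"") echo "grant_sql: password must be non-empty hex" >&2; return 1 ;;
    esac
    printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$db"
    printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT ALL ON %s.* TO '%s'@'localhost';\n" "$db" "$user"
    printf 'FLUSH PRIVILEGES;\n'
}

# Only touch MariaDB when explicitly asked (EMPIRE_SETUP_RUN=1), mirroring the
# launcher's "create only if the DB is missing" logic from the post.
if [ "${EMPIRE_SETUP_RUN:-0}" = 1 ] && ! mysqlshow empire > /dev/null 2>&1; then
    pass="$(ensure_secret "$SECRET_FILE")"
    grant_sql empire empire_user "$pass" | mysql -Bs
fi
```

Usage: run it as root with EMPIRE_SETUP_RUN=1 in place of the four mysql lines in the launcher; the password then lives only in the 0600 secret file and in Empire's server config, not in the script itself.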
Point poetry install at a domestic (China) mirror
sudo vi /usr/share/powershell-empire/pyproject.toml
# Edit pyproject.toml to switch the source; add the following
[[tool.poetry.source]]
name = "tsinghuapypi"
url = "https://pypi.tuna.tsinghua.edu.cn/simple"
priority = "primary"
Or use the command
poetry source add tsinghuapypi https://pypi.tuna.tsinghua.edu.cn/simple
Install the poetry environment
cd /usr/share/powershell-empire
sudo rm -rf poetry.lock
sudo poetry install
Start
sudo powershell-empire server
sudo powershell-empire client
When starting the server, put the terminal or the whole system behind a proxy, otherwise the GitHub pull is a pile of crap.