68 lines
1.8 KiB
YAML
68 lines
1.8 KiB
YAML
id: empirec2-default-login
|
|
|
|
info:
|
|
name: Empire C2 / Starkiller Interface - Default Login
|
|
author: clem9669,parzival
|
|
severity: high
|
|
description: |
|
|
Empire C2 / Starkiller Default Administrator Credentials Discovered.
|
|
reference:
|
|
- https://github.com/BC-SECURITY/Empire
|
|
- https://github.com/BC-SECURITY/empire-docs/blob/main/restful-api/README.md
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
tags: default-login,empire,c2,intrusive
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /token HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZwyedGcQU4FrcFV
|
|
Accept: application/json, text/plain, */*
|
|
|
|
------WebKitFormBoundaryoZwyedGcQU4FrcFV
|
|
Content-Disposition: form-data; name="username"
|
|
|
|
{{username}}
|
|
------WebKitFormBoundaryoZwyedGcQU4FrcFV
|
|
Content-Disposition: form-data; name="password"
|
|
|
|
{{password}}
|
|
------WebKitFormBoundaryoZwyedGcQU4FrcFV--
|
|
- |
|
|
POST /api/admin/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{"username":"{{user}}","password":"{{pass}}"}
|
|
|
|
attack: pitchfork
|
|
payloads:
|
|
username:
|
|
- empireadmin
|
|
password:
|
|
- password123
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'access_token'
|
|
- '{"token":".*"}'
|
|
condition: or
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- application/json
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
# digest: 4a0a00473045022100f2eea687bd9664f2dabf8fa4f106042eb2da5ec770076c6c8b80462672a14149022038c06e445915ebbb34804bc070359ac549620393fec0fb93c21ec6a002e72c66:922c64590222798bb761d5b6d8e72950
|