2022-07-10

Covenant C2 for OSCP AD lab - Part 2

Hello all,

In this blog post, I am going to demonstrate how to pivot inside a private network and connect to an intranet-based machine using the Covenant C2 framework.

For the basic setup, please have a look at part 1 of this blog post series.

AD environment setup and pivoting scenario:

I have 2 machines in my current AD environment:

1. Workstation-PC (Machine A): 172.20.10.9, 192.168.56.111

2. WIN-A08PEI13CFI (Machine B): 192.168.56.110

Attacker Machine: 172.20.10.10 (Covenant machine)

We have access to Workstation-PC (Machine A) and want to gain access to WIN-A08PEI13CFI (Machine B), but direct access to WIN-A08PEI13CFI is not possible.

I am assuming that we have impersonated a user, or obtained credentials for a user, who has access to WIN-A08PEI13CFI.

By impersonating the user session or using the creds, we will launch an SMB-based Grunt on Machine B and then connect to that Grunt from the HTTP-based Grunt running on Machine A.

The flow diagram is something like this:


Pivoting using different Covenant 'Tasks':

In Covenant, we have a number of 'Tasks' with which we can pivot to an intranet-based machine. For these Tasks, we are either going to impersonate a user or use creds to access Machine B.

We will try following methods:

1. Using plain text creds

a) WMIGrunt
b) WMICommand
c) PowerShellRemotingCommand
d) PowerShellRemotingGrunt 

2. Using Impersonated user session

a) WMIGrunt
b) PowerShellRemotingGrunt

Creating HTTP listener

We have a Grunt connection from Machine A, which has the external IP 172.20.10.9:


This machine has 2 interfaces, and the second one is connected to the intranet.

There is a machine in the intranet which has a private IP and is accessible through Machine A only:

How to reach machine B using machine A?

Well, we have SMBGrunt in Covenant, which can help us. Using Machine A, we will launch an SMB-based Grunt on Machine B and then connect to that SMB Grunt.
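An SMB Grunt is reachable only through the named pipe it creates, so on the target the pivot is visible as a new pipe with a name that belongs to no Windows service. The following is an added example from the editor, not code from the post or from Covenant: it runs a simple allowlist check over constructed Sysmon Event ID 17 (Pipe Created) records. The smbconnect_* pipe names are the ones this post configures; the image paths, timestamps and the baseline set of service pipes are assumptions for the example.

```python
import re

# Constructed Sysmon Event ID 17 (Pipe Created) records, flattened to
# "key=value" text for this example. The smbconnect_* names are the
# SMBPipeName values the post configures on its launchers; everything else
# is invented baseline activity.
SAMPLE_PIPE_EVENTS = [
    r"EventID=17 UtcTime=2022-07-10 10:01:02 PipeName=\srvsvc Image=C:\Windows\System32\svchost.exe",
    r"EventID=17 UtcTime=2022-07-10 10:01:05 PipeName=\lsass Image=C:\Windows\System32\lsass.exe",
    r"EventID=17 UtcTime=2022-07-10 10:03:41 PipeName=\smbconnect_1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=18 UtcTime=2022-07-10 10:03:42 PipeName=\smbconnect_1 Image=System",
    r"EventID=17 UtcTime=2022-07-10 10:04:00 PipeName=\spoolss Image=C:\Windows\System32\spoolsv.exe",
    r"EventID=17 UtcTime=2022-07-10 10:09:17 PipeName=\smbconnect_power2 Image=C:\Windows\System32\wsmprovhost.exe",
]

# Illustrative baseline of well-known Windows service pipes (not exhaustive).
# In production, build this from your own fleet over a quiet period.
KNOWN_PIPES = {
    "srvsvc", "wkssvc", "lsass", "lsarpc", "samr", "netlogon", "spoolss",
    "atsvc", "eventlog", "epmapper", "ntsvcs", "winreg", "browser",
}

# key=value pairs; a value may contain spaces (UtcTime), so a value ends only
# before the next " key=" or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(_KV.findall(line))


def normalize_pipe(name):
    """Drop the leading backslash Sysmon records and lower-case the name."""
    return name.lstrip("\\").lower()


def find_unknown_pipes(lines, known=KNOWN_PIPES):
    """Return (pipe, creating_image) for each Pipe Created event outside the baseline."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "17":   # only pipe creation, not connections (18)
            continue
        pipe = normalize_pipe(ev["PipeName"])
        if pipe not in known:
            findings.append((pipe, ev["Image"]))
    return findings


if __name__ == "__main__":
    for pipe, image in find_unknown_pipes(SAMPLE_PIPE_EVENTS):
        print(f"unknown named pipe {pipe!r} created by {image}")
```

The creating image is reported alongside the pipe name because that is what separates a new service from a pivot: a pipe served by powershell.exe or wsmprovhost.exe, as in the two flagged records, has no legitimate reason to exist on a workstation.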

1. Dumping plain text creds

Using the Mimikatz module, dump the credentials of the logged-in users:

1. (a) WMIGrunt (using dumped creds)

Configure launcher

Let's configure the PowerShell-based Launcher in the Launchers section. Note that I have selected ImplantTemplate as GruntSMB and SMBPipeName is smbconnect_1:


Make Token using extracted creds:

Now, we will make a token for the user with which we want to launch the SMB-based Grunt on the target machine. To do so, we need to use the MakeToken module. Specify the details such as username, password and domain (it will be . in case the user is a local user rather than a domain user):

After clicking the Task button, we will have a message like this:

Now, in the Tasks section, select WMIGrunt and specify the information such as computername, Launcher, username, password and domain name:

After executing the task, we need to wait for the task to finish:

Let's connect to the SMB Grunt launched on the target machine. To do so, we need to execute the command mentioned below:

In my case it was


We got a connection from Machine B as well.

To access the Grunt, go to the Grunts section:

And here we go:
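The MakeToken step used throughout this section logs on with the supplied creds as a NEW_CREDENTIALS logon (the same kind "runas /netonly" produces), which the Security log records as event 4624 with LogonType 9; the process requesting it tells you whether it was an administrator's runas or something else. The example below is added by the editor and is not code from the post or from Covenant: it picks out type-9 logons requested by unexpected processes from constructed 4624 records and then checks where the borrowed identity turned up in a network (type 3) logon. The hostnames are the post's; the LAB domain, the users alice and svc_backup, and the process paths are assumptions.

```python
import ntpath

# Constructed Security log 4624 (successful logon) records for this example.
# LogonType 9 = NEW_CREDENTIALS, the type MakeToken and "runas /netonly"
# produce. WORKSTATION-PC and WIN-A08PEI13CFI are the post's hosts; LAB,
# alice and svc_backup are invented.
SAMPLE_LOGON_EVENTS = [
    {"Computer": "WORKSTATION-PC", "EventID": 4624, "LogonType": "2",
     "SubjectUserName": "-", "TargetDomainName": "LAB", "TargetUserName": "alice",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"Computer": "WORKSTATION-PC", "EventID": 4624, "LogonType": "9",
     "SubjectUserName": "alice", "TargetDomainName": "LAB", "TargetUserName": "svc_backup",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
    {"Computer": "WORKSTATION-PC", "EventID": 4624, "LogonType": "9",
     "SubjectUserName": "alice", "TargetDomainName": "LAB", "TargetUserName": "Administrator",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WIN-A08PEI13CFI", "EventID": 4624, "LogonType": "3",
     "SubjectUserName": "-", "TargetDomainName": "LAB", "TargetUserName": "Administrator",
     "ProcessName": "-"},
]

# Processes you expect to request NEW_CREDENTIALS logons on a workstation.
EXPECTED_NEWCREDS_PROCESSES = {"runas.exe"}


def newcredentials_logons(events, expected=EXPECTED_NEWCREDS_PROCESSES):
    """Return LogonType 9 logons requested by a process outside the expected set."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != "9":
            continue
        proc = ntpath.basename(ev["ProcessName"]).lower()
        if proc in expected:
            continue
        findings.append({
            "host": ev["Computer"],
            "actor": ev["SubjectUserName"],            # who was already logged on
            "borrowed_identity": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
            "process": proc,
        })
    return findings


def network_logons_for(events, finding):
    """Hosts on which the borrowed identity appears in a network (type 3) logon."""
    domain, user = finding["borrowed_identity"].split("\\", 1)
    return sorted({
        ev["Computer"] for ev in events
        if ev.get("EventID") == 4624 and ev.get("LogonType") == "3"
        and ev.get("TargetDomainName") == domain and ev.get("TargetUserName") == user
    })


if __name__ == "__main__":
    for f in newcredentials_logons(SAMPLE_LOGON_EVENTS):
        print(f"{f['host']}: {f['actor']} borrowed {f['borrowed_identity']} via {f['process']}; "
              f"seen on {network_logons_for(SAMPLE_LOGON_EVENTS, f)}")
```

Note the limit of this check: it only covers the creds-based methods. The ImpersonateUser path in section 2 duplicates a token that already exists on the machine and creates no new logon session, so it leaves no 4624 behind; for that path the pipe and process telemetry covered elsewhere on this page is what remains.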

1. (b) WMICommand (using dumped creds)

Configure launcher

Let's configure the PowerShell-based Launcher in the Launchers section. Note that I have selected ImplantTemplate as GruntSMB and SMBPipeName is smbconnect_2:

After clicking the Generate button, copy the generated PowerShell payload.

Don't forget to perform the MakeToken step (demonstrated in method 1(a)).

Now, switch to the Grunt and select the WMICommand task. In the task, paste the PowerShell payload copied in the previous step into the Command input box. Specify the other parameters and click the 'Task' button to launch the SMB Grunt on the target machine:


Upon successful execution, we will have output like this:


It's time to connect to the launched Grunt by using the connect task. Specify the target host machine and SMBPipeName and click the Task button:

And we got a connection.

1. (c) PowerShellRemotingCommand (using dumped creds)

Configure launcher

For this module, we need to configure a PowerShell-based Launcher. I have selected the listener as http, selected ImplantTemplate as GruntSMB, specified a name, i.e. smbconnect_power2, in SMBPipeName, clicked the 'Generate' button and copied the generated PowerShell-based payload.

Don't forget to perform the MakeToken step (demonstrated in method 1(a)).

Switch to the Grunt and, in the Task section, select the PowerShellRemotingCommand task, paste the copied PowerShell-based payload (from the step above) into the command input box, and specify the other details such as username, password and domain (keep it . if the user is local and not a domain user):


After clicking the 'Task' button, you will not get any output.

Now, in the 'Task' tab, select 'connect', specify the target machine hostname and the SMBPipeName specified for the PowerShell-based launcher (in my case it was smbconnect_power2), and click the 'Task' button:

Wait for a while and you will have a connection from the remote machine:

1. (d) PowerShellRemotingGrunt (using dumped creds)

Configure launcher

For this module, we need to configure a PowerShell-based Launcher. I have selected the listener as http, selected ImplantTemplate as GruntSMB, specified a name, i.e. smbconnect_power2, in SMBPipeName, clicked the 'Generate' button and copied the generated PowerShell-based payload.

Don't forget to perform the MakeToken step (demonstrated in method 1(a)).

Switch to the Grunt and, in the Task section, select the PowerShellRemotingGrunt task and specify the details such as Computername, Launcher, username, password and domain (keep it . if the user is local and not a domain user):

After clicking the 'Task' button, you will not get any output.


Now, in the 'Task' tab, select 'connect', specify the target machine hostname and the SMBPipeName specified for the PowerShell-based launcher (in my case it was smbconnect_power1337), and click the 'Task' button:

Wait for a while and you will have a connection from the remote machine:
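All four methods in this section run the launcher on Machine B through either WMI or PowerShell Remoting, so on the target the payload shows up as a PowerShell process whose parent is WmiPrvSE.exe (WMI) or wsmprovhost.exe (WinRM), with a command line that carries the generated payload. The following example is added by the editor and is not code from the post or from Covenant: it triages constructed Sysmon Event ID 1 (Process Create) records for exactly that lineage, combined with an encoded command line. That the generated PowerShell payload uses the -EncodedCommand switch is my assumption about the launcher; the LAB domain, the user alice and the truncated base64 placeholders are invented.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (Process Create) records for this example.
# The first two model what methods 1(a)/(b) (WMI) and 1(c)/(d) (PowerShell
# Remoting) leave on the target: the payload runs as a child of WmiPrvSE.exe
# or wsmprovhost.exe. LAB and alice are invented; the encoded blobs are
# placeholders, not a real payload.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -Sta -Nop -Window Hidden -EncodedCommand <base64-placeholder>",
     "User": r"LAB\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell -Sta -Nop -Window Hidden -Enc <base64-placeholder>",
     "User": r"LAB\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe",
     "User": r"LAB\alice"},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "User": r"NT AUTHORITY\NETWORK SERVICE"},
]

# Service hosts that execute remotely requested commands on behalf of a caller.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Common spellings of PowerShell's encoded-command switch: -e, -ec, -enc, -encodedcommand.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?|c)?(?=\s)")


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the reasons one process-create event looks like remote code execution."""
    reasons = []
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if child in SHELLS and parent in REMOTE_EXEC_PARENTS:
        reasons.append(f"{child} spawned by {parent} (WMI/WinRM remote execution)")
    if child in SHELLS and ENCODED_RE.search(ev.get("CommandLine", "")):
        reasons.append("encoded PowerShell command line")
    return reasons


def triage(events):
    """Return (score, user, reasons) for every event with at least one indicator, worst first."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((len(reasons), ev["User"], reasons))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for score, user, reasons in triage(SAMPLE_PROCESS_EVENTS):
        print(f"score {score} user {user}: " + "; ".join(reasons))
```

The lineage rule alone already separates the two pivot launches from the interactive shell started from explorer.exe; the encoded-command rule is kept as a second, independent indicator so that an administrator's legitimate remote script (lineage only) scores lower than a hidden encoded launcher (both).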

2. Using Impersonated User session

Let's assume we have a user 'Administrator' logged in to the compromised machine and this user has access to Machine B. To gain access as the 'Administrator' user on Machine B, we need to take the following approach:

Enumerate logged-in users -> Impersonate user -> Launch SMB Grunt on Machine A with the privileges of the impersonated user -> Use the new Grunt session to launch an SMB Grunt on Machine B

Enumerate logged-in users

To enumerate logged-in users, Covenant has the Task GetNetLoggedOnUser. Specify the machine hostname and click the Task button:

We have the user Administrator logged in to the compromised machine:

Impersonate logged-in user

To impersonate a logged-in user, use the Task ImpersonateUser. Specify the username of the user we want to impersonate (specify the domain name if the user is a domain user):

After successful impersonation, we will have the following message:

Now, we just need to configure a Launcher and select ImplantTemplate as GruntSMB. In my case, I specified SMBPipeName as smb_pshell:

Launch SMB Grunt on Machine A with the privileges of the impersonated user - WMIGrunt

Now, launch the Grunt using WMI. This time, I am not going to specify the creds, because we have access to a user who is logged in and can launch the Grunt on the local machine.

The command will be:

In my case it was


After launching the Grunt successfully, we need to connect to it using the connect command, because this is an SMB-based Grunt.

In my case it was:

Use the new Grunt session to launch an SMB Grunt on Machine B

Once we have the Grunt session as the impersonated user, we can use this session to launch a Grunt on another machine directly.


After switching to the newly created Grunt session, use the WMIGrunt task, specify the target machine hostname and powershell as the launcher name, and wait for the response:


Connect to the SMB Grunt using the connect command:

Launch SMB Grunt on Machine A with the privileges of the impersonated user - PowerShellRemotingGrunt

In a similar way, we can use PowerShellRemotingGrunt.

Don't forget to create a PowerShell launcher with a different SMBPipeName:


Execute the command to launch a Grunt on the target machine using PowerShellRemotingGrunt and connect to it using the connect command:

Thanks for reading.


Special thanks to: Burcu YARAR, Sean Metcalf, OJ, hacker fantastic, A K Reddy, Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, vivek chauhan, Manoj and Karan


                            
 --==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, 
#ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, 
#Golden boy INDIA, Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji,Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)






© 2009 Start With Linux | Mannu Linux