Covenant is a .NET c2 (Command & Control) Framework that aims to highlight the attack surface of .NET and aid red teamers! Today I’m going to jump into slip space with a Halo themed blog on my first use of Covenant in the lab. Let’s hope I don’t need Cortana to get this deployed (yes I’m a massive Halo nerd!)
First thing let’s head over to GitHub and check out the install notes:
The architecture seems to look like this:
- Covenant is a server (runs in docker)
- Elite is a client for the server for c2 management (https://cobbr.io/Covenant.html)
- Grunt is the agent
First thing first I’m going to need docker installed. I’m going to install this on a VM I have that I’m using to test the Metasploit 5 framework (it’s quite clean):
sudo apt-get update
sudo apt-get remove docker docker-engine docker.io* lxc-docker*
sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add –
echo “deb [arch=amd64] https://download.docker.com/linux/debian stretch stable” >> /etc/apt/sources.list
sudo apt-get update
sudo apt-get install docker-ce
#set docker to run as non SU – meh who cares KALI everything is SU
############ I DID NOT RUN THE BELOW IN THE LAB#############
sudo groupadd docker
sudo usermod -aG docker $USER
#set docker to run on startup (maybe no?)
sudo systemctl enable docker
service docker start
Sweet! Docker installed and no errors on service start! Now let’s get building our Covenant:
Git clone https://github.com/cobbr/Covenant.git
Cd /Covenant, cd /Covenant
docker build -t covenant .
Downloading/Building all the things
(I’m including some of the output because if you are like me, you want to know all the things are working as expected)
Now we need to run Covenant (as per the docs):
docker run -it -p 7443:7443 -p 80:80 -p 443:443 –name covenant covenant –username AdminUser –computername 0.0.0.0
Ok, now we set a password (Super secret lab password: Pa55w0rd1)
(if we need to stop this container we can run: docker stop covenant)
Next stop is to deploy Elite
git clone https://github.com/cobbr/Elite.git
docker build -t elite .
docker run -it –rm –name elite elite –username AdminUser –computername 192.168.2.14
Type your admin password
Press ENTER for CertHASH
We now have a TTY prompt!
Start a listener:
(we can rename the listener as the random hex doesn’t really roll off the tongue – to do this use: Rename [LISTENER_NAME] [newname])
Now we set the connect address
Set ConnectAddress 192.168.2.14
Set listenerName [LISTENER_NAME]
You can rename the listener to something more human in the listener module previously used
We now run this on the target:
And Yasssssssssssssssss! We have a connection
There are far more options we can use for a staged shell or c# stager etc.
Now, we need to use the GRUNTS module:
Type Interact [GRUNT_NAME]
When we connect the Show command is run automatically
Now we can list modules by typing help:
I’m going to now execute a high integrity shell from the client:
We are going to run the GetSystem command:
And now we are going to dump the hashes:
And off we go to hashcat!
And here we have our hashes cracked!
In no time at all we’ve managed to deploy Covenant, Elite and get some grunts mobilised! Nothing we did here (other than hashcat) was different to the install guide but its show’s the COBBR can not only knock together decent code but also can spin a line or two and an eternal n00b like me can follow it! There’s clearly a ton of functionality in here. I’m going to take this for a spin in the Hack the Box offshore labs and see what pwnage we can achieve!