Covenant is a .NET c2 (Command & Control) Framework that aims to highlight the attack surface of .NET and aid red teamers! Today I’m going to jump into slip space with a Halo themed blog on my first use of Covenant in the lab. Let’s hope I don’t need Cortana to get this deployed (yes I’m a massive Halo nerd!)

Installation

First thing let’s head over to GitHub and check out the install notes:

The architecture seems to look like this:

• Covenant is a server (runs in docker)
• Elite is a client for the server for c2 management (https://cobbr.io/Covenant.html)
• Grunt is the agent

Dependencies

First thing first I’m going to need docker installed. I’m going to install this on a VM I have that I’m using to test the Metasploit 5 framework (it’s quite clean):

https://gist.github.com/pawiromitchel/8a1343c618ea633e65fdabae31d5a651

export DEBIAN_FRONTEND=”noninteractive” sudo apt-get update sudo apt-get remove docker docker-engine docker.io* lxc-docker* sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add – echo “deb [arch=amd64] https://download.docker.com/linux/debian stretch stable” >> /etc/apt/sources.list sudo apt-get update sudo apt-get install docker-ce #set docker to run as non SU – meh who cares KALI everything is SU ############ I DID NOT RUN THE BELOW IN THE LAB############# sudo groupadd docker sudo usermod -aG docker $USER #set docker to run on startup (maybe no?) sudo systemctl enable docker

service docker start

Sweet! Docker installed and no errors on service start! Now let’s get building our Covenant:

Git clone https://github.com/cobbr/Covenant.git

Cd /Covenant, cd /Covenant

docker build -t covenant .

Downloading/Building all the things

(I’m including some of the output because if you are like me, you want to know all the things are working as expected)

Now we need to run Covenant (as per the docs):

docker run -it -p 7443:7443 -p 80:80 -p 443:443 –name covenant covenant –username AdminUser –computername 0.0.0.0

Ok, now we set a password (Super secret lab password: Pa55w0rd1)

(if we need to stop this container we can run: docker stop covenant)

Next stop is to deploy Elite

https://github.com/cobbr/Elite

git clone https://github.com/cobbr/Elite.git

cd /Elite/Elite

docker build -t elite .

docker run -it –rm –name elite elite –username AdminUser –computername 192.168.2.14

Type your admin password

Press ENTER for CertHASH

We now have a TTY prompt!

Type help

Start a listener:

Listeners

HTTP

(we can rename the listener as the random hex doesn’t really roll off the tongue – to do this use: Rename [LISTENER_NAME] [newname])

Now we set the connect address

Set ConnectAddress 192.168.2.14

Start

Back

Back

Launchers

Type Powershell

Set listenerName [LISTENER_NAME]

You can rename the listener to something more human in the listener module previously used

We now run this on the target:

And Yasssssssssssssssss! We have a connection

There are far more options we can use for a staged shell or c# stager etc.

Now, we need to use the GRUNTS module:

Type Interact [GRUNT_NAME]

When we connect the Show command is run automatically

Now we can list modules by typing help:

I’m going to now execute a high integrity shell from the client:

We are going to run the GetSystem command:

And now we are going to dump the hashes:

And off we go to hashcat!

And here we have our hashes cracked!

Summary

In no time at all we’ve managed to deploy Covenant, Elite and get some grunts mobilised! Nothing we did here (other than hashcat) was different to the install guide but its show’s the COBBR can not only knock together decent code but also can spin a line or two and an eternal n00b like me can follow it! There’s clearly a ton of functionality in here. I’m going to take this for a spin in the Hack the Box offshore labs and see what pwnage we can achieve!