Covenant is a C2 built on .NET Core. It can run on Linux or Windows, so I thought I would do a quick install demo in the lab.
Resources
https://github.com/cobbr/Covenant/wiki/Installation-And-Startup
Prerequisites
- The Windows Git client
- .NET Core 3.1
- The Covenant files or Git client
Installation
mkdir c:\c2
cd c:\c2
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant\Covenant
REM set the dotnet path
set PATH=%PATH%;c:\Program Files\dotnet
And finally, it has built and is running:
Open a web browser and navigate to: https://127.0.0.1:7443/
Now we can create a user account:
We create a new user and now we are running:
Notes
You need to set Defender Exclusions:
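An exclusion that covers more than the lab directory leaves the rest of the host unscanned. The following is an added example, not part of the original post or the Covenant project: a PowerShell audit that classifies Defender path exclusions against the lab directory. The function name Test-LabExclusion and the sample paths are hypothetical, and c:\c2 is assumed as the lab directory because the install steps use it.

```powershell
# Added example: audit Microsoft Defender path exclusions on a lab host.
# Assumption: the lab directory is c:\c2 (the path used in the install steps).
function Test-LabExclusion {
    param(
        [string[]]$ExclusionPath,      # exclusion paths to audit
        [string]$LabRoot = 'c:\c2'     # assumed lab directory
    )
    $cmp = [StringComparison]::OrdinalIgnoreCase
    $lab = $LabRoot.TrimEnd('\')
    foreach ($p in $ExclusionPath) {
        # Normalise: expand %VAR% references and drop any trailing backslash.
        $path = [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\')
        $verdict =
            if ($path -match '^[A-Za-z]:$') {
                'TOO BROAD: whole drive'
            } elseif ($path -match '[*?]') {
                'REVIEW: wildcard'
            } elseif ($path -ieq $lab -or $path.StartsWith("$lab\", $cmp)) {
                'OK: inside lab directory'
            } elseif ($lab.StartsWith("$path\", $cmp)) {
                'TOO BROAD: parent of lab directory'
            } else {
                'REVIEW: outside lab directory'
            }
        [pscustomobject]@{ Path = $p; Verdict = $verdict }
    }
}

# Constructed sample input (not taken from a real host).
$sample = 'C:\', 'c:\c2', 'c:\c2\Covenant', 'C:\Users\lab\Downloads'
Test-LabExclusion -ExclusionPath $sample | Format-Table -AutoSize

# On the lab host itself, from an elevated prompt, audit the live configuration:
# Test-LabExclusion -ExclusionPath (Get-MpPreference).ExclusionPath
```

Anything reported as TOO BROAD or REVIEW is a candidate for narrowing to the lab directory.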
Creating a listener
Launching a grunt
We need to create a Launcher. By default this is set to DotNet3.5; we will change this to DotNet4. We then build and download the grunt, and simply execute it. This will cause it to connect back:
Now we can click on the POWERSHELL symbol: >_ to interact with the grunt:
Useful Commands
| Command | Notes |
| --- | --- |
| WhoAmI | Show the running context |
| seatbelt -group=all | Audit for Privesc |
| Seatbelt AMSIProviders | Check for AMSI Providers (e.g. Security products such as Defender) |
| SharpUp audit | Audit for Privesc |
| BypassAmsi | Patch AMSI |
| ScreenShot | Take a screenshot |
| Keylogger 60 | Keylogs for X seconds (60 in this example) |
| Upload/Download | Transfer Files |
| GetDomainUser | Gets a list of domain users |
| GetDomainGroup | Get a list of domain groups |
| GetDomainComputer | List all domain computer objects |
Summary
In this post we’ve deployed Covenant with a basic setup, had a quick look around and run a few commands. This isn’t the end of the setup or the usage of the C2, but it’s a quick intro to getting it up and running on a Windows machine.