CS 4.4 + Artifact + MImikatz + Extras
by abapi - October 14, 2021 at 08:35 PM
Thank you for sharing this. You're great!
Thanks very much! Will test it soon.
hook.jar looks suspicious ...
(October 20, 2021 at 08:51 PM)GetRaid3d Wrote: hook.jar looks suspicious ...

The hook.jar is legit and working. If you are suspicious, just upload it to https://www.decompiler.com/ and then see in the code where the authorization class is overridden by that string. That string is a class file (compiled Java), so just copy-paste that string into a base64 decoder like https://www.base64decode.org/ and you will see the raw class file; click to download it as a file, then take that authorization.class payload back to decompile.com and you'll see it's just a working crack authorization file replacement; just read the Java source code.

TLDR: there is nothing suspicious about it, and I even pasted the source earlier. It's legit; you can easily check it yourself.
Thank you for posting this
Thank you for sharing!!
(October 21, 2021 at 03:55 AM)zeneq Wrote:
(October 20, 2021 at 08:51 PM)GetRaid3d Wrote: hook.jar looks suspicious ...

Even base64 decoding is hard for people like this xD

(October 18, 2021 at 07:17 PM)panscan Wrote: Got this working, but there is no cobalstrike.auth included; as such, it fails to start the client.

It seems you didn't use it properly... you must use the launcher start.bat or start.sh in this case, or at least read it, and you would just see it uses hook.jar to bypass it.
Thanks for sharing.
Interesting about hook.jar, sounds like we can bypass the "EICAR String"
(October 24, 2021 at 01:05 PM)ducnp Wrote: Interesting about hook.jar, sounds like we can bypass the "EICAR String"

Yes, Cobalt Strike has a routine that checks whether the user is using a trial copy and, if so, it sticks the EICAR string everywhere. If detected as a full, pro, authorized copy, it sticks some random data instead. Honestly I haven't looked into it enough to know why the fck they do that (meaning, why append random data at all if it's the full product; padding or something, dunno, doesn't seem necessary).

Anyway, here is the source code so you can see for yourself:

ListenerConfig.java
      while(var3.length() < var2) {
        if (this.watermark == 0) {
            var3.append("5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\u0000");
        } else {
            var3.append((char)CommonUtils.rand(255));
        }
      }

BaseArtifactUtils.java
        var10.addString(var7, var7.length);
        if (License.isTrial()) {
            var10.addString("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
            CommonUtils.print_trial("Added EICAR string to " + var2);
        }
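An added defender-side example, not code from the thread or from Cobalt Strike: a small Python scanner that flags the two forms of the marker quoted above (the full string that BaseArtifactUtils appends, and the ListenerConfig padding variant, which as quoted lacks the leading X and ends in a NUL) and records the caveat that a clean result proves nothing, since a full build pads with random bytes instead. The sample blobs are constructed inline and are not real artifacts.

```python
"""Defender-side scan for the EICAR marker that trial builds stamp into artifacts.
Added example (not from the thread or from Cobalt Strike); covers the two forms quoted above.
"""
import re

# Full EICAR test string (68 bytes); "\\" in the literal is a single backslash in the data.
EICAR_FULL = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Everything after the leading 'X': the common core of both variants quoted on the page.
EICAR_CORE = EICAR_FULL[1:]

def find_eicar_markers(data: bytes) -> list:
    """Return (offset, variant) for each hit; variant is 'full', 'core+nul' or 'core'."""
    hits = []
    for m in re.finditer(re.escape(EICAR_CORE), data):
        start, end = m.start(), m.end()
        if start > 0 and data[start - 1:start] == b"X":
            hits.append((start - 1, "full"))          # BaseArtifactUtils form
        elif data[end:end + 1] == b"\x00":
            hits.append((start, "core+nul"))          # ListenerConfig padding form
        else:
            hits.append((start, "core"))              # truncated or partially overwritten
    return hits

def summarize(data: bytes) -> dict:
    """Count hits and state the caveat: no marker is NOT evidence of a non-trial build,
    because a full (or patched) build pads with random bytes instead."""
    hits = find_eicar_markers(data)
    return {
        "eicar_hits": len(hits),
        "variants": sorted({v for _, v in hits}),
        "verdict": "trial-marked artifact" if hits
                   else "no EICAR marker (not evidence of absence: full builds pad randomly)",
    }

def build_samples() -> dict:
    """Constructed sample blobs (not real artifacts) mirroring the two code paths quoted above."""
    core_nul = EICAR_CORE + b"\x00"
    padded = b"HEADER" + core_nul * 3 + b"TAIL"                  # ListenerConfig loop output
    stamped = b"MZ" + b"\x90" * 16 + EICAR_FULL + b"\x00" * 8     # BaseArtifactUtils append
    clean = b"MZ" + bytes(range(64))                             # no marker at all
    return {"padded": padded, "stamped": stamped, "clean": clean}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, summarize(blob))
```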
Always sharing great information!

(October 24, 2021 at 06:27 PM)zeneq Wrote:
(October 24, 2021 at 01:05 PM)ducnp Wrote: Interesting about hook.jar, sound like we can bypass "EICAR String"
Thanks!
The temp.sh link seems to be down, but GoFile is working.