[Bug] GruntHTTP.exe failing to execute.

[DonnieMarco]

Feature Request or Bug Bug

Describe the feature request or bug When executing a vanilla GruntHTTP.exe on a windows build with real-time protection switched off, the execution fails

To Reproduce Steps to reproduce the behavior:

1. Create a HTTP Listener, modifying the name, port and connect address
2. Select Launchers -> Binary
3. Select the Listener created in step 1 and the GruntHTTP implant template
4. Select Generate and then download
5. Copy the exe to the host operating system
6. Switch off Windows Defender real-time protection on the target box
7. Copy the executable onto the target box
8. Launch a command prompt
9. Navigate to the directory with the GruntHTTP.exe and attempt to execute.
10. Error message generated with no connection back: Illegal characters in path. at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str) at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList) at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String[] pathList, Boolean checkForDuplicates, Boolean needFullPath) at System.IO.Path.GetFullPath(String path) at System.Net.WebClient.GetUri(String path) at System.Net.WebClient.UploadString(String address, String data) at GruntStager.GruntStager.ExecuteStager()

Expected behavior I expected the execution of the implant to result in a 'grunt'

Screenshots

Covenant Server Information:

• OS: Kali
• Native

Browser Information:

• Browser Chrome
• Version [e.g. 22]

Target Information (System that implant is running on):

• OS: Windows 10
• Version 21H1 Build 19043.928

[vil3nce]

Tracing the error, it comes from line 98 of the default template: wc.DownloadString(uri + profileHttpUrls[random.Next(ProfileHttpUrls.Count)].Replace("{GUID}", "")); I stepped through it, and system.uri is throwing a ParsingError.BadAuthority because the first two characters of the full URL (http://:80/en-us/docs.html?type=&v=1) are not / or \ edit: the MustHaveAuthority URI flag is set, whatever that means, which is why it's doing that check.

[HackBalak]

Hi @DonnieMarco , I was having the same problem just like you then I used the dev branch and it's worked for me :

• here is the steps

rm packages-microsoft-prod.deb
dpkg --remove packages-microsoft-prod
apt update -y
wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb
dpkg -i packages-microsoft-prod.deb
apt purge dotnet-sdk-3.1 aspnetcore-runtime-3.1 dotnet-runtime-3.1 dotnet-sdk-5.0 aspnetcore-runtime-5.0 dotnet-runtime-5.0 -y
apt update -y
apt update -y && apt install apt-transport-https -y && apt update -y && apt install dotnet-sdk-5.0 aspnetcore-runtime-5.0 dotnet-runtime-5.0 -y
git clone --branch dev --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
dotnet clean
dotnet build
dotnet run

Thanks to @shorepwn

[mlcsec]

@HackBalak Same issue still persists after dev branch install, what env are you using for covenant?

[HackBalak]

@mlcsec make sure you run dotnet commands using root . because covenant need some permissions only root can run them ( even if using sudo ), hope this can solve your Issues ;) .

[mlcsec]

@HackBalak I was using root, will try with a fresh kali build!

[mlcsec]

@HackBalak fresh install as root using dev branch and still getting error:

[HackBalak]

@mlcsec I guess this is not a problem in covenant, it's a routing problem from the victim machine to your kali.

[HackBalak]

@mlcsec you can come private to figure out what is the problem!!!

[mlcsec]

@HackBalak got it working cheers :D

[DeathsPirate]

I'm getting this error too, @mlcsec can you enlighten me on how you got it working in the end please?

[mlcsec]

@DeathsPirate I honestly can't remember, maybe routing issue like mentioned?