This repository has been archived by the owner on Dec 5, 2021. It is now read-only.

Username can contain a trailing asterisk that gets included in the upload path #3

Open
wants to merge 3 commits into
base: master

Conversation

compr00t

The username is extracted with the following snippet:

```
$username = binfo($bid[0], "user");
```

The problem with that is that sometimes CS adds a trailing asterisk to the username, and this gets copied into the following command:

```
$path = "C:\\Users\\ $+ $username $+ \\AppData\\Local\\Temp\\ $+ $filename $+ .ps1";
```

This results in a path `C:\Users\test *\AppData\Local\Temp\svnfjury.ps1` that definitely does not exist:

```
New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 30); $action = New-ScheduledTaskAction -Execute "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Argument "-Sta -Nop -Window Hidden -Exec Bypass -File C:\Users\test *\AppData\Local\Temp\svnfjury.ps1 " -WorkingDirectory "C:\Windows\System32";
```

Therefore, if the username contains a space it needs to be removed first.

@rasta-mouse
Contributor

Thanks @compr00t. I'm assuming that you can't legitimately have a space within a Windows username?

@compr00t
Author

@rasta-mouse good catch, I'm not completely sure whether having a space in your username is prevented or just not recommended.

Potentially it would be a better fix if, instead of splitting by spaces, the string is checked for whether it ends with a space and an asterisk, and then the string's end is trimmed by two characters if this comes back true.

@rasta-mouse
Contributor

The same question would apply to the asterisk in Windows usernames. Maybe there's a better / more reliable way to get the current username in Aggressor.

@compr00t
Author

@rasta-mouse I went over CS' documentation for Aggressor Script and I was not able to find anything more suitable that would not include the asterisk in the username.

However, the asterisk should not be a problem as it should not be used in a username according to Microsoft:

> Username is a string with a maximum length of 256 characters.
> Do not use any of the following characters: "/[]:\|<>+=;,?*%@
> Do not use the name "NONE", this is a restricted username.

So I guess, probing for an asterisk at the end and removing the last two chars would still be the best solution, do you agree?
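The check proposed above, written out as an added Aggressor Script (Sleep) example; this is not code from the PR or from the project. It assumes the only decoration Cobalt Strike adds to the value returned by `binfo($bid, "user")` is the two-character suffix ` *` (the marker for an elevated session), and it strips exactly that suffix instead of splitting on spaces, so a username that legitimately contains a space is left intact. The helper names `clean_user` and `temp_ps1_path` are hypothetical.

```sleep
# Added example, not part of the PR or the project.
# Strip the trailing " *" that Cobalt Strike appends to the username of an
# elevated session, and nothing else. Assumption: " *" is the only suffix CS adds.
sub clean_user {
   local('$name');
   $name = $1;

   # Compare the exact last two characters; do not split on spaces, so a
   # username that contains a space elsewhere survives unchanged.
   if (strlen($name) >= 2 && right($name, 2) eq " *") {
      $name = left($name, strlen($name) - 2);
   }

   return $name;
}

# Hypothetical helper: build the same path the script composes, from the
# cleaned username ($1) and the file name without extension ($2).
sub temp_ps1_path {
   local('$user $file');
   $user = $1;
   $file = $2;
   return "C:\\Users\\ $+ $user $+ \\AppData\\Local\\Temp\\ $+ $file $+ .ps1";
}

# Self-check in the Script Console with constructed inputs:
println(clean_user("test *"));     # test
println(clean_user("test"));       # test   (unchanged, no suffix)
println(clean_user("*"));          # *      (too short to carry the suffix)
println(temp_ps1_path(clean_user("test *"), "svnfjury"));
```

In the script itself the call site becomes `$username = clean_user(binfo($bid[0], "user"));` and the existing `$path` line needs no further change. Because `right()` compares only the final two characters, a username with an embedded space (if Windows were to allow one) is not damaged, which is the reason to prefer this over splitting on whitespace.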

@rasta-mouse
Contributor

Yes, that sounds reasonable.

@compr00t
Author

compr00t commented Jan 6, 2021

@rasta-mouse this should do the trick and works in my setup. Can you please verify?

@compr00t
Author

Any progress so far?

2 participants