Hello all,
first of all, thank you very much for your hard work on this. Frankly, this is currently my favourite Mythic agent, rich in features and great evasion, kudos to devs.
When I was playing with the implant, I discovered that one feature I kinda like to use did not work for me. I decided to create this issue so that others facing the same issues could possibly copy&paste the solution and save some time debugging.
I encountered the first problem when running dotnet-pwpick, which is supposed to run 'powershell without powershell'. The error I faced was the following:
[+] Hardware Breakpoint bypass disabled
[+] Patch exit Disabled
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/dist-packages/mythic_container/agent_utils.py", line 455, in createTasking
    createTaskingResponse = await cmd.create_go_tasking(taskData)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Mythic/Mythic/Kharon/AgentFunctions/dotnet.py", line 117, in create_go_tasking
    pwpick_content: bytes = await get_content_by_name("kh_pwsh.x64.exe", task.Task.ID)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Mythic/Mythic/Kharon/AgentFunctions/Utils/u.py", line 661, in get_content_by_name
    AgentFileId=file_resp.Files[0].AgentFileId
                ~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
After a short investigation I figured out that the problem was this line:
https://github.com/MythicAgents/Kharon-Mtc/blob/main/Payload_Type/kharon/Mythic/Kharon/AgentFunctions/dotnet.py#L113
Kharon is trying to load an executable called 'kh_pwsh.x64.exe', which does not exist in the given folder; the one which is there is called 'kw_pwsh.x64.exe'. After renaming it, the module no longer returned any error, yet it still did not work as expected. It always returned the following:
[+] Hardware Breakpoint bypass disabled
[+] Patch exit Disabled
[+] Received Output:
Error downloading script: The path is not of a legal form.
Although I was running it using the command dotnet-pwpick -command "whoami", which should work OK. I tracked the problem down to this line https://github.com/MythicAgents/Kharon-Mtc/blob/main/Payload_Type/kharon/Mythic/Kharon/AgentFunctions/dotnet.py#L118:
args:str = f"\"{command}\" \"{script}\""
When no script is given, this produces:
"whoami" ""
That empty quoted string "" is being passed as the script argument to kw_pwsh.x64.exe, which likely tries to interpret it as a file path — hence "The path is not of a legal form."