HardHatC2

File Browser

GUI File Browser

  • Located on the Interact page, the second tab is the file browser. The file browser allows operators to search the file system without always having to issue ls commands themselves.

  • Each tab in the browser is per host

  • operators select the implant that will conduct the browsing from a dropdown menu

    • the dropdown shows the hostname, username, pid, address, integrity, and sleep time

  • Users can choose to filter the list to just implants on the current machine and to show or hide offline implants from the list

  • Operators can pick to include Item count and ACL info during the ls command

    • file count will get the number of items in all folders inside the listed folder for example, ls C:\ /getCount true might show C:\Users\ has 5 items inside it, while C:\Empty has 0, or that C:\noAccess is -1, meaning it cannot be accessed by our current user.

    • ⚠️ ACL info gathering is not perfect; often when conducted from a medium int (non admin) implant exceptions are thrown as often those users do not have permission to enumerate ACL info at will. This can cause issues with the returned data.

  • To browse, simply make sure an implant is selected in the dropdown, the desired gathering options are selected, then click on a folder in the browser side bar, or enter a path in the side bar, and an ls command will populate in the interact window of the implant so it may be referenced to later, and tracked by others.

  • Normal ls commands will also populate the file browser for later viewing.

  • All file browser data is replicated across clients and saved in the teamserver, so when others browse to a location, everyones browser will update, and if a tab is closed, opening another on the host will continue from where you left off.

  • On the file browser sidebar, folders with an open icon (Gold border, but dark center) are ones that you have browsed to and seen the data of. Those with a closed icon but the gold color have data from another user or an issued ls command and have data waiting for viewing.

Directory Content Table

  • The file browser uses the same display table as the ls command. This table can be searched, sorted, and filtered. It contains an icon for the file type, the file name, size, owner, item count, important dates, and ACL info.

  • It is broken into pages for easy viewing and by default, up to 10 items per page.

Last updated