Open try-catch-try opened 11 months ago
Hey! I just need a bit of context
1.) Is this the upload command in Athena?
2.) What error message is being returned?
3.) Is this going through an HTTP redirector? Are there any limitations on the max size of messages?
Thanks for your help!
This behavior seems to have a possible link to the socks5 proxy appearing to drop packets.
server {
    listen 443 ssl http2;
    server_name xxx;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    # Prevents an issue where uploads of large files fail.
    client_max_body_size 0;
    location / {
        resolver 1.1.1.1;
        set $rhost "xxx:443";
        proxy_pass https://$rhost;
        proxy_cache off;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
Thanks for the extra info, I'm on vacation this week but plan on doing some dev work when I get back. I'll take a look at it then!
Thanks, enjoy your vacation. I will continue to test to figure out a trigger for the file upload. It seems to work 99% of the time.
Note on the proxy: I noticed the mythic_server container is throwing the following errors in the logs.
{"level":"error","error":"write tcp 172.100.0.6:7004->172.100.0.1:35670: write: broken pipe","func":"github.com/its-a-feature/Mythic/rabbitmq.(*callbackPortUsage).handleSocksConnections.func1","line":429,"server_id":1796788476,"time":"2023-10-03T20:04:47Z","message":"Failed to write to connection"}
{"level":"error","error":"EOF","func":"github.com/its-a-feature/Mythic/rabbitmq.(*callbackPortUsage).handleSocksConnections.func2","line":449,"server_id":368956113,"time":"2023-10-03T20:04:51Z","message":"Failed to read from connection, sending exit"}
{"level":"error","error":"EOF","func":"github.com/its-a-feature/Mythic/rabbitmq.(*callbackPortUsage).handleSocksConnections.func2","line":449,"server_id":2066524734,"time":"2023-10-03T20:04:56Z","message":"Failed to read from connection, sending exit"}
{"level":"error","error":"EOF","func":"github.com/its-a-feature/Mythic/rabbitmq.(*callbackPortUsage).handleSocksConnections.func2","line":449,"server_id":88056412,"time":"2023-10-03T20:04:57Z","message":"Failed to read from connection, sending exit"}
This was the command run through the proxy.
proxychains4 wget https://dev.mysql.com/get/Downloads/MySQLGUITools/mysql-workbench-community-8.0.34-winx64.msi
wget throws this error, and RDP was throwing a similar error:
2023-10-03 20:02:48 (473 MB/s) - Read error at byte 16084/48623616 (error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac). Retrying.
Just wanted to give you a heads up, I'm currently doing a pretty big rewrite to Athena, and I plan on getting this issue checked out as part of it.
I've been doing a lot of testing, and think this has been resolved in my new rewrite branch. Feel free to give it a test if you have some cycles.
Thank you again for your help! However, retesting appears to show that the issue still continues.
Setup:
--2024-02-02 14:49:54-- (try:18) https://cdn.mysql.com//Downloads/MySQLGUITools/mysql-workbench-community-8.0.36-winx64.msi Connecting to cdn.mysql.com (cdn.mysql.com)|224.0.0.2|:443... [proxychains] Strict chain ... 127.0.0.1:7003 ... cdn.mysql.com:443 ... OK connected. HTTP request sent, awaiting response... 206 Partial Content Length: 44032000 (42M), 33308960 (32M) remaining [application/octet-stream] Saving to: ‘mysql-workbench-community-8.0.36-winx64.msi’
mysql-workbench-community-8.0.36-winx64.msi 28%[+++++++++++++++++++++++++++===> ] 11.88M 4.39MB/s in 0.4s
2024-02-02 14:49:55 (4.39 MB/s) - Read error at byte 12457808/44032000 (error:1C800066:Provider routines::cipher operation failed; error:0A000119:SSL routines::decryption failed or bad record mac). Retrying.
--2024-02-02 14:50:05-- (try:19) https://cdn.mysql.com//Downloads/MySQLGUITools/mysql-workbench-community-8.0.36-winx64.msi Connecting to cdn.mysql.com (cdn.mysql.com)|224.0.0.2|:443... [proxychains] Strict chain ... 127.0.0.1:7003 ... cdn.mysql.com:443 ... OK connected. HTTP request sent, awaiting response... 206 Partial Content Length: 44032000 (42M), 31574192 (30M) remaining [application/octet-stream] Saving to: ‘mysql-workbench-community-8.0.36-winx64.msi’
mysql-workbench-community-8.0.36-winx64.msi 30%[+++++++++++++++++++++++++++++++==> ] 12.96M 876KB/s in 1.3s
2024-02-02 14:50:07 (876 KB/s) - Read error at byte 13589728/44032000 (error:1C800066:Provider routines::cipher operation failed; error:0A000119:SSL routines::decryption failed or bad record mac). Retrying.
--2024-02-02 14:50:17-- (try:20) https://cdn.mysql.com//Downloads/MySQLGUITools/mysql-workbench-community-8.0.36-winx64.msi Connecting to cdn.mysql.com (cdn.mysql.com)|224.0.0.2|:443... [proxychains] Strict chain ... 127.0.0.1:7003 ... cdn.mysql.com:443 ... OK connected. HTTP request sent, awaiting response... 206 Partial Content Length: 44032000 (42M), 30442272 (29M) remaining [application/octet-stream] Saving to: ‘mysql-workbench-community-8.0.36-winx64.msi’
mysql-workbench-community-8.0.36-winx64.msi 30%[++++++++++++++++++++++++++++++++++ ] 12.96M --.-KB/s in 0s
2024-02-02 14:50:17 (0.00 B/s) - Read error at byte 13589728/44032000 (error:1C800066:Provider routines::cipher operation failed; error:0A000119:SSL routines::decryption failed or bad record mac). Giving up.
FFS, I'll keep messing around with it I guess lol
The Athena agent appears to be dropping network packets causing proxy and uploads to fail in some cases.
When uploading larger binary files (10-20MB), I have observed that sometimes the upload fails before completion. The file will be smaller than the original and corrupt. This happens more frequently with larger files and with non-text files. Makes me think that packets are lost or something fails when it encounters a bad character.
Noticed that the proxy server is dropping packets, causing binary data such as RDP/TLS streams to break when being proxied. This is less noticeable when text data is transferred, such as HTTP.
Note: my agents are not using the AES message encryption, so maybe that could contribute?
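One way to tell apart the failure modes suspected in this thread when a transferred file comes back wrong, as an added example (not part of the issue and not Athena or Mythic code): compare the original against the received copy and classify the result as truncated, a dropped span, or altered bytes. The function names, the 4096-byte chunk size, the 1460-byte gap and the counter-based sample data are assumptions constructed for the illustration.

```python
CHUNK = 4096  # comparison granularity (assumption, not an Athena or Mythic value)


def sample_stream(n: int) -> bytes:
    """Constructed test data: 4-byte little-endian counters, so every window is unique."""
    return b"".join(i.to_bytes(4, "little") for i in range(n // 4 + 1))[:n]


def first_divergence(original: bytes, received: bytes) -> int:
    """Offset of the first differing byte, the truncation point, or -1 if identical."""
    limit = min(len(original), len(received))
    for start in range(0, limit, CHUNK):
        end = min(start + CHUNK, limit)
        a, b = original[start:end], received[start:end]
        if a != b:
            return start + next(i for i in range(len(a)) if a[i] != b[i])
    return -1 if len(original) == len(received) else limit


def classify(original: bytes, received: bytes, probe: int = 64) -> dict:
    """Label a bad transfer as truncated, dropped (bytes missing mid-stream) or altered."""
    off = first_divergence(original, received)
    if off == -1:
        return {"verdict": "identical"}
    missing = len(original) - len(received)
    if off == len(received):
        # Received copy is a clean prefix: the stream ended early.
        return {"verdict": "truncated", "offset": off, "missing": missing}
    # If the bytes received at the divergence show up later in the original,
    # the stream skipped ahead: a span was dropped rather than rewritten.
    needle = received[off:off + probe]
    resync = original.find(needle, off + 1) if len(needle) >= 16 else -1
    if resync != -1:
        return {"verdict": "dropped", "offset": off, "dropped_bytes": resync - off}
    return {"verdict": "altered", "offset": off, "missing": missing}


if __name__ == "__main__":
    src = sample_stream(100_000)
    # Constructed failure: 1460 bytes vanish at the offset from the first wget error.
    print(classify(src, src[:16084] + src[16084 + 1460:]))
    print(classify(src, src[:50_000]))
```

For real files, pass `Path(...).read_bytes()` for both copies; a "dropped" verdict points at the transport losing data, while "altered" points at bytes being rewritten in transit.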