Ne0nd0g / merlin

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
GNU General Public License v3.0

404 Error #152

Closed powerseb closed 9 months ago

powerseb commented 9 months ago

Prerequisite

Expected Behavior

Agent is able to register

Actual Behavior

Agent fails the registration with the error "404"

Steps to Reproduce Behavior

I used the latest release of the Merlin server and agent. As listener I used HTTP and confirmed that the PSK is set the same on both ends. As agent I used the Windows Debug agent. Besides Interface, Port and URLS, the listener options were not touched (one exception: I experimented with JWTLeeway and set it to 10 hours, but it changed nothing).

Misc Information

Debug Information from the agent:

PS C:\Users\test\Documents\test> .\merlinAgent-Windows-x64-Debug.exe -v -debug -url http://172.30.91.102:9090 -proto http
[DEBUG]Entering agent.New() function
[DEBUG]entering tokens.GetTokenIntegrityLevel()
[i]Host Information:
[i] Agent UUID: df9667de-d0fa-48c9-b2a8-9e36b24923b3
[i] Hostname: DESKTOP-386JQER
[i] Platform: windows
[i] Architecture: amd64
[i] PID: 8048
[i] Process: C:\Users\test\Documents\test\merlinAgent-Windows-x64-Debug.exe
[i] User Name: DESKTOP-386JQER\test
[i] User GUID: S-1-5-21-1920880800-2681415070-817309990-513
[i] Integrity Level: 2
[i] IPs: [fe80::8ec0:8bc8:9fbf:4724/64 172.30.84.196/20 ::1/128 127.0.0.1/8]
[DEBUG]Leaving agent.New function
[DEBUG]Entering into clients.http.New()...
[DEBUG]Config: {AgentID:df9667de-d0fa-48c9-b2a8-9e36b24923b3 Protocol:http Host: Headers: URL:[http://172.30.91.102:9090] Proxy: UserAgent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36 Parrot: PSK:merlin JA3: Padding:4096 AuthPackage:opaque Opaque:[] Transformers:jwe,gob-base InsecureTLS:true}
[DEBUG]new client PSK: merlin
[DEBUG]new client Secret: f6274d9892026fe47dd5f96f708ef8983dccc7bacf5ee4a90b2400805adaea0a
[DEBUG]Entering into clients.http.getClient()...
[DEBUG]Protocol: http, Proxy: , JA3 String: , Parrot:
[DEBUG]Entering into clients.http.getProxy()...
[DEBUG]Protocol: http, Proxy:
[i]Client information:
[i] Protocol: http
[i] Authenticator: OPAQUE
[i] Transforms: [jwe gob-base]
[i] URL: [http://172.30.91.102:9090]
[i] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36
[i] HTTP Host Header:
[i] HTTP Headers: map[]
[i] Proxy:
[i] Payload Padding Max: 4096
[i] JA3 String:
[i] Parrot String:
[-]Agent version: 2.3.0
[-]Agent build: f0624a3082928d01eaa86a0fb101b0d1d72cde02
[DEBUG]clients/http.Initial(): entering into function
[DEBUG]clients/http.Authenticate(): entering into function with message: {ID:00000000-0000-0000-0000-000000000000 Type:Undefined Payload: Padding: Token: Delegates:[]}
[DEBUG]Entering into clients.http.getJWT()...
[DEBUG]Entering into opaque.UserRegisterInit...
[DEBUG]OPAQUE UserID: df9667ded0fa48c9b2a89e36b24923b3
[DEBUG]OPAQUE Alpha: 77e9e60c5ca81ce78cb6ae8b46da112e73f580ebf8d04b1d47c3610e836d38b0
[DEBUG]OPAQUE PwdU: 4a58921f042e9f0ee77b658ec9e58f2b2217f5ccc84780cbb60b55f13d74b7d4
[-]Starting OPAQUE Registration
[DEBUG]clients/http.Send(): Entering into function with message: {ID:df9667de-d0fa-48c9-b2a8-9e36b24923b3 Type:OPAQUE Payload:{Type:RegInit Payload:[0 0 0 16 223 150 103 222 208 250 72 201 178 168 158 54 178 73 35 179 119 233 230 12 92 168 28 231 140 182 174 139 70 218 17 46 115 245 128 235 248 208 75 29 71 195 97 14 131 109 56 176]} Padding: Token: Delegates:[]}
[-]Sending OPAQUE message to http://172.30.91.102:9090
[DEBUG]clients/http.Construct(): entering into function with message: {ID:df9667de-d0fa-48c9-b2a8-9e36b24923b3 Type:OPAQUE Payload:{Type:RegInit Payload:[0 0 0 16 223 150 103 222 208 250 72 201 178 168 158 54 178 73 35 179 119 233 230 12 92 168 28 231 140 182 174 139 70 218 17 46 115 245 128 235 248 208 75 29 71 195 97 14 131 109 56 176]} Padding:oBUetDgYxIeHAtrsTdZguEeClQZdDFqQiNQSaVWojyWfJdkHiGbNKAbMJMWmsfjLyrxjMhrFxAkelxCNhCIOzZgPONXELFphQAGTCsehgeuzrakcTWjAIUmu Token: Delegates:[]}
[DEBUG]clients/http.Construct(): Transformers: [jwe gob-base]
[DEBUG]2 call with transform gob-base - Constructed data(509) []uint[…]
[…]call with transform jwe - Constructed data(890) []uint[…]
[…]ending POST request size: 890 to: http://172.30.91.102:9090
[DEBUG]HTTP Request: &{Method:POST URL:http://172.30.91.102:9090 Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..JIUiM5vQIyDnHgc1.bvkFgslUNYYq5VBlehKntRJKvsLc94rO-gJetw6I9WR3-LYz0093fKVulQZO0nWqsfPk42ahGXsBz6Pd0l6XbcOGKpO-u1XOOqxKvapM9YbzRlQQEj5VAi4zCYq6t7o8oTEm6fMMgA5lxzrdhqUtN1rRSAaBHukJJSPAOqJeAlgKWWpVbCFyxyNBzvI0vnhoHBQ7NPr3YgES1TX5yh7VYQfLUhhe3CUFdEjze1Hfb9-1a8PVBIxtOC6BQZY.y0_KTy2KkAgHx_GJh-rU_g] Content-Type:[application/octet-stream; charset=utf-8] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36]] Body:{Reader:0xc00029c270} GetBody:0x8f53c0 ContentLength:890 TransferEncoding:[] Close:false Host:172.30.91.102:9090 Form:map[] PostForm:map[] MultipartForm: Trailer:map[] RemoteAddr: RequestURI: TLS: Cancel: Response: ctx:{emptyCtx:{}}}
[DEBUG]HTTP Response: &{Status:404 Not Found StatusCode:404 Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Content-Length:[19] Content-Type:[text/plain; charset=utf-8] Date:[Fri, 05 Jan 2024 19:01:46 GMT] X-Content-Type-Options:[nosniff]] Body:0xc000092080 ContentLength:19 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0xc000236100 TLS:}
[!]there was an error communicating with the server: 404
[-]1 out of 7 total failed checkins
[-]Sleeping for 31.332s at 2024-01-05T19:01:47Z

Merlin Server - Listener

+---------------+----------------------------------------------+
| NAME          | VALUE                                        |
+---------------+----------------------------------------------+
| Name          | My HTTP Listener                             |
+---------------+----------------------------------------------+
| PSK           | merlin                                       |
+---------------+----------------------------------------------+
| URLS          | http://172.30.91.102:9090                    |
+---------------+----------------------------------------------+
| ID            | 5d6f927d-3619-4291-a092-72a34be0c169         |
+---------------+----------------------------------------------+
| Description   | Default HTTP Listener                        |
+---------------+----------------------------------------------+
| Protocol      | HTTP                                         |
+---------------+----------------------------------------------+
| Interface     | 172.30.91.102                                |
+---------------+----------------------------------------------+
| Port          | 9090                                         |
+---------------+----------------------------------------------+
| JWTKey        | Qk1pZWZiRmd6YldydkVsWnNLRmVkcnFBdHRXamdHdng= |
+---------------+----------------------------------------------+
| Authenticator | OPAQUE                                       |
+---------------+----------------------------------------------+
| JWTLeeway     | 10h0m0s                                      |
+---------------+----------------------------------------------+
| Transforms    | jwe,gob-base,                                |
+---------------+----------------------------------------------+
| Status        | Running                                      |
+---------------+----------------------------------------------+

+---------------+----------------------------------------------+
| NAME          | VALUE                                        |
+---------------+----------------------------------------------+
| ID            | e854ef3b-3170-4c42-8acd-2537bc0e665d         |
+---------------+----------------------------------------------+
| Transforms    | jwe,gob-base,                                |
+---------------+----------------------------------------------+
| JWTKey        | Q2dORGlYWVp2dlVNSU5IekV2WVp0d1pUb2tyTHZVSW0= |
+---------------+----------------------------------------------+
| Name          | My HTTP Listener                             |
+---------------+----------------------------------------------+
| Description   | Default HTTP Listener                        |
+---------------+----------------------------------------------+
| Authenticator | OPAQUE                                       |
+---------------+----------------------------------------------+
| JWTLeeway     | 1m0s                                         |
+---------------+----------------------------------------------+
| Protocol      | HTTP                                         |
+---------------+----------------------------------------------+
| URLS          | http://172.30.91.102:9090                    |
+---------------+----------------------------------------------+
| PSK           | merlin                                       |
+---------------+----------------------------------------------+
| Interface     | 172.30.91.102                                |
+---------------+----------------------------------------------+
| Port          | 9090                                         |
+---------------+----------------------------------------------+
| Status        | Closed                                       |

I hope you can help me with that

powerseb commented 9 months ago

OMG - I should have read the documentation more carefully. The issue is resolved. For anybody else: be careful with the URLS option.