gloxec / CrossC2

generate CobaltStrike's cross-platform payload

Server-side decryption failed #172

Open z0edff0x3d opened 2 years ago

z0edff0x3d commented 2 years ago

cs4.2

```
[-] A Malleable C2 attempt to recover data from a '.http-get.client.metadata' transaction failed. This could be due to a bug in the profile, a change made to the profile after this Beacon was run, or a change made to the transaction by some device between your target and your Cobalt Strike controller. The following information will (hopefully) help narrow down what happened.

From 'x.x.x.x' URI '/load'

Headers

'User-Agent' = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163'
'Cookie' = 'xxxx'
'Accept' = '/'
'Host' = 'x.x.x.x:8443'
'REMOTE_ADDRESS' = '/x.x.x.x'
'Connection' = 'keep-alive'

[-] Trapped javax.crypto.BadPaddingException during RSA decrypt [HTTP session handler]: Decryption error
javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:379)
    at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:290)
    at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:365)
    at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:391)
    at javax.crypto.Cipher.doFinal(Cipher.java:2168)
    at dns.AsymmetricCrypto.decrypt(Unknown Source)
    at beacon.BeaconC2.process_beacon_metadata(Unknown Source)
    at beacon.BeaconHTTP$GetHandler.serve(Unknown Source)
    at c2profile.MalleableHook.serve(Unknown Source)
    at cloudstrike.WebServer._serve(WebServer.java:232)
    at cloudstrike.WebServer.serve(WebServer.java:213)
    at cloudstrike.NanoHTTPD$HTTPSession.run(NanoHTTPD.java:372)
    at java.lang.Thread.run(Thread.java:748)
[-] decrypt of metadata failed
```

gloxec commented 2 years ago

Is the teamserver configured with a c2profile?

nnsssa commented 9 months ago

Has this been solved?

nnsssa commented 9 months ago

This problem

gloxec commented 9 months ago

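@nnsssa Please provide:

  1. CS version information
  2. CrossC2 version information
  3. Whether a c2profile was specified when running the teamserver
  4. The command used when generating the beacon with genCrossC2
  5. Whether the .cobaltstrike.beacon_keys file is identical to the one on the server side

nnsssa commented 9 months ago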

1 cs4.8
2 version 3.2
3 not specified
genCrossC2.Win.exe 38.xx.xx.xx xxxx .cobaltstrike.beacon_keys null linux x64 ./cc stager 4.8
4 identical

gloxec commented 9 months ago

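@nnsssa I suspect this is an issue related to version 4.8; a similar issue is https://github.com/gloxec/CrossC2/issues/194. Could you share the relevant files so that they can be analyzed?

  1. The resources/default.profile file from the unpacked 4.8 client used in this case
  2. The .cobaltstrike.beacon_keys file that is generated automatically when an arbitrary listener is temporarily created with a clean 4.8 server in a new environment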