Open z0edff0x3d opened 2 years ago
Is the teamserver configured with a c2profile?
Has this problem been solved?
@nnsssa Please provide: whether the .cobaltstrike.beacon_keys file is consistent with the server side

1. cs4.8
2. Version 3.2
3. Not specified. genCrossC2.Win.exe 38.xx.xx.xx xxxx .cobaltstrike.beacon_keys null linux x64 ./cc stager 4.8
4. Consistent
@nnsssa I suspect this is related to version 4.8; there is a similar issue at https://github.com/gloxec/CrossC2/issues/194. Could you share the relevant files so they can be analyzed?
The resources/default.profile file
The .cobaltstrike.beacon_keys file
cs4.2

```
[-] A Malleable C2 attempt to recover data from a '.http-get.client.metadata' transaction failed. This could be due to a bug in the profile, a change made to the profile after this Beacon was run, or a change made to the transaction by some device between your target and your Cobalt Strike controller. The following information will (hopefully) help narrow down what happened.

From 'x.x.x.x' URI '/load'

Headers
'User-Agent' = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163'
'Cookie' = 'xxxx'
'Accept' = '/'
'Host' = 'x.x.x.x:8443'
'REMOTE_ADDRESS' = '/x.x.x.x'
'Connection' = 'keep-alive'

[-] Trapped javax.crypto.BadPaddingException during RSA decrypt [HTTP session handler]: Decryption error
javax.crypto.BadPaddingException: Decryption error
	at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:379)
	at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:290)
	at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:365)
	at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:391)
	at javax.crypto.Cipher.doFinal(Cipher.java:2168)
	at dns.AsymmetricCrypto.decrypt(Unknown Source)
	at beacon.BeaconC2.process_beacon_metadata(Unknown Source)
	at beacon.BeaconHTTP$GetHandler.serve(Unknown Source)
	at c2profile.MalleableHook.serve(Unknown Source)
	at cloudstrike.WebServer._serve(WebServer.java:232)
	at cloudstrike.WebServer.serve(WebServer.java:213)
	at cloudstrike.NanoHTTPD$HTTPSession.run(NanoHTTPD.java:372)
	at java.lang.Thread.run(Thread.java:748)
[-] decrypt of metadata failed
```