[-] Trapped javax.crypto.BadPaddingException during RSA decrypt [HTTP session handler]: Decryption error
javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:380)
at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:291)
at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:389)
at javax.crypto.Cipher.doFinal(Cipher.java:2165)
at dns.AsymmetricCrypto.decrypt(AsymmetricCrypto.java:35)
at beacon.BeaconC2.process_beacon_metadata(BeaconC2.java:269)
at beacon.BeaconHTTP$GetHandler.serve(BeaconHTTP.java:64)
at c2profile.MalleableHook.serve(MalleableHook.java:47)
at cloudstrike.WebServer._serve(WebServer.java:228)
at cloudstrike.WebServer.serve(WebServer.java:209)
at cloudstrike.NanoHTTPD$HTTPSession.run(NanoHTTPD.java:359)
at java.lang.Thread.run(Thread.java:745)
[-] decrypt of metadata failed
[-] A Malleable C2 attempt to recover data from a '.http-get.client.metadata' transaction failed. This could be due to a bug in the profile, a change made to the profile after this Beacon was run, or a change made to the transaction by some device between your target and your Cobalt Strike controller. The following information will (hopefully) help narrow down what happened.
From '10.24.*.*'
URI '/load'
Headers
-------
'User-Agent' = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/537.36'
'Cookie' = 'jTqIympJrRgVpoOvsfWDXJvKUo6k4mTYYxFK4Il8i6cdkTrv8YZ1SnTPdzKQaDNtgjuWL+cIPccOaE9/BWJC3UO1YU9puJ46e/sYOzFougZPiyupHgAh+TQjq6Eo0yGGIaqWWFj+i0OipAahB8iIKTehvlRXopubRl0bfiZjb6Q='
'Accept' = '*/*'
'Host' = '10.48.*.*:9999'
'REMOTE_ADDRESS' = '/10.24.*.*'
'Connection' = 'keep-alive'
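CobaltStrike 3.12 TeamServer environment: CentOS, Java 8
After the Beacon is executed, the TeamServer reports the following error (it seems the TeamServer is unable to decrypt the traffic sent by the Beacon):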