Closed m3rcer closed 3 years ago
Hi,
Thanks for submitting these issues. I was away for some time but will get back to reviewing and addressing reported errors hopefully early next week.
As for the invalid auth protocol (old client?) - this is really unusual, never seen that kind of a response coming from a Teamserver. Will need to review 4.3 release more thoroughly to see what's going on. What's even stranger is that I was successfully working with that version through RedWarden without any issues.
In the meantime, could you please provide anonymised versions of your malleable profile and RedWarden's configuration used?
Thanks!
Hey,
Yeah, the response is quite unusual and this is just not an issue w RWarden but most rewrite tutorials or scripts like cs2modrewrite only with CS 4.3. Their changelog doesn't hint much on what's changed under the hood. Dumb pipe redirection w Socat and iptables just misses out on so much that mod_rewrite apache proxy rules can achieve. Basically I'm stuck trying to get this to work.
So this is what I've used:
redirect-->https://google.com, the profile to jquery (the one above) and the teamserver url from the default example-config RWarden's shipped with. A tool like RWarden definitely does simplify setting these cumbersome mod_rewrite redirects on the fly, looking forward to more work on it 👍.
@me4cer98 - well, I can assure you that RedWarden worked for me during my last red team engagement I had in May on Cobalt Strike's 4.3 version but the original, purchased one. Also, all my time with CS was spent on an original version and I never had such an error before.
Therefore I cannot offer any support for the cracked versions of the framework as they come with their non-standard quirks and modifications. Addressing peculiarities of customized, cracked CS versions would make me spend a lot of time troubleshooting issues likely introduced through unofficial patches.
Regards, M.
I understand. Will def try implementing this with the original/other C2s like SilentTrinity, Covenant and get it to work. Thanks for the assistance!
@mgeeky
Update: RWarden works flawlessly even with the cracked version of CS 4.3, proxy redirects unrecognized hosts and supports staging too as expected. Awesome! Some things were off that I successfully fixed in my malleable c2 profile.
Great work with the project, it really simplifies all mod_rewrite rules.
The "[Errno 17] File exists" Traceback error as described in the previous complaint still persists even after setting up a virtualenv for python3.6. This didn't ruin the overall functionality though.
I tried default and the new random malleable c2 profiles, they did work and successfully redirected the traffic to my teamserver (Cobalt Strike 4.3), however it errors out saying "Invalid auth protocol(old client?)" on my CS teamserver.
This might work successfully with previous versions of CS prior to 4.3. Checked the changelog of CS, not sure what might be updated in version 4.3.
I tried setting this up manually with nginx and apache2 using scripts like cs2modrewrite for assistance but the same issue persists.