GoLang Binary Issue

[def3n]

When running a the Sandcat GoLang agent for linux, it fails. Looks like the Go binary breaks when it is decoding the http response (probably over ssl cert). Is there a fix available for this issue?

Starting sandcat in verbose mode.
[*] Attempting to set channel HTTP
Beacon API=/beacon
[*] Set communication channel to HTTP
initial delay=0
server=https://xxxxxxxxxx/file/download
group=red
privilege=User
allow local p2p receivers=false
beacon channel=HTTP
[-] Failed to decode HTTP response: illegal base64 data at input byte 3
[-] beacon: DEAD
[-] Failed to decode HTTP response: illegal base64 data at input byte 3
[-] beacon: DEAD
[-] Failed to decode HTTP response: illegal base64 data at input byte 3
[-] beacon: DEAD

[github-actions[bot]]

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

[garunagiri]

Hi def3n,

I have a couple questions that could help us figure out this issue.

What release of CALDERA are you running? Do you have GoLang installed on your server? If so, was the instance of the agent dynamically compiled, or was it the version that is shipped with the CALDERA code?

[def3n]

Thanks for the response.

• Caldera version is 3.0.0
• GoLang is installed on the server. Version 1.13.9 (linux/amd64)
• Used the agent that was shipped with the Caldera code

[garunagiri]

There have been instances in the past where the agent executable that was shipped with the code didn't work on certain environments. Best results are achieved when the CALDERA server has access to the GoLang installation and is able to dynamically compile a new Sandcat agent on each request. Can you configure the server so that it is able to do so please?

When done correctly, if you start the server with the flag -l DEBUG you should be able to see debugging output informing that a new agent is being dynamically compiled when you run the deployment command on the target.

[def3n]

Is there any documentation which I can refer to for this?

[garunagiri]

At the moment there is no documentation regarding the usage of the -l DEBUG flag or for using GoLang to dynamically compile payloads.

However, to ensure that it works, all you should need to do is ensure that Go is in your path (which go) for the same user that the CALDERA server is running under.

Once you've done that, to check to make sure dynamic compilation is working:

1. Restart your server, adding the -l DEBUG flag.
2. When you deploy an agent using a deployment command, there should be output from the server onto the console it was started from, indicating that an agent executable is being dynamically compiled, as shown below.

[nopfor]

We have some troubleshooting documentation coming in the next release, in case that helps: https://github.com/mitre/fieldmanual/blob/master/sphinx-docs/Troubleshooting.md

[fDotGoodman]

Hi - Adding for visibility for future viewers of this issue, should anyone else encounter it. Tl;Dr - I encountered this issue when trying to install the server, having deleted the files Stockpile, even though I disabled it in the server config

I encountered this issue when trying to install Caldera on Ubuntu 22.04. During install, there were a number of plugins that I didn't want to be included. My incorrect assumption here was that after removing the lines in the server config file that loaded them, I could safely remove those plugins' directories themselves. There is nothing in the documentation that says this is, in reality the doco states clearly during the install that you should clone the repo recursively, and disable the plugins you don't want to run, it does not state that it's safe to delete the plugin directories that aren't loaded.

In case anyone else encounters this issue and has also removed the Stockpile plugin directory, do note that there appear to be dependencies between at least this and the main server, even if it isn't enabled.