Jump to content

C2 connection


Recommended Posts

*sigh* I didn't think of myself a newb, but the Shark Jack has got me by the short and curly ones. I cannot get it connected to the C2 server. I have a C2 server running on a VPS. I solved the SSL issue I was having earlier by using certbot and issuing my own valid certificate for the public domain name. I can get to the C2 webui no problem. The Shark Jack is on the latest firmware, 1.1.0

I'm using the IP Blinker payload in attack mode, so I can SSH to the Shark Jack and confirm I have internet access. I can ssh into the SJ from a machine on the same LAN. I go to add the Shark Jack to C2 by adding a new device and then downloading the setup file "device.config". I scp that file to the Shark Jack and put it in the /etc/ folder. 

I manually run the C2CONNECT command .... and nothing happens. I took at a look at the C2CONNECT script, which, amongst other things, runs 

cc-client /etc/device.config

When I run that manually, it executes and just sits there, not giving me the prompt back. And the SJ never checks into the C2 webui. I took a look at the device.config file and it has the public host name of the C2 server, port 443, and an ssh key. I even explicitly set the SSH port on the C2 server to port 2022 to make sure it matches the default settings.

Help me, Darren Wan Kenobi, you're my only hope. Where am I going wrong here?

EDIT: And then it magically started to work! The force is strong with this one. Just kidding. I fiddled with the C2 server options, after curl gave me some lip about the SSL certificate not being trusted. I looked into the issue and found that since I created the SSL certs and key manually, I had to specify the key, the cert AND the ca-bundle file at the command line when starting the C2 server. After changing the cert.pem file for the fullchain.pem file in the command line, curl stopped complaining and the SJ connected! Here is the full command line (with some obfuscation):

/root/c2_community-linux-64 -db ./c2.db -hostname xxx.xxxxxxxx.xxx -https -keyFile /etc/letsencrypt/live/xxx.xxxxxxxx.xxx/privkey.pem -certFile /etc/letsencrypt/live/xxx.xxxxxxxx.xxx/fullchain.pem

I even put some test loot files in the loot folder to further test the functionality, but the C2 server did not see them, claiming that the loot directory was empty. Is it looking specifically for .txt files only? I had the nmap output files in there (i like the -oA switch) which outputs the .xml, .nmap and .gnmap files:

192.168.0.1-24.gnmap
192.168.0.1-24.nmap
192.168.0.1-24.xml

I'm just hoping to get answers to the little issues, and I'm hoping my adventures will help others.

Edited by Flatlinebb
Link to post
Share on other sites

Glad to see you got the C2CONNECT issue sorted with your specific keyfile configuration. 

As for the C2EXFIL, if you run the command interactively you will get usage. I prefer to use the STRING flag as it will make standard ASCII files easily readable within the Cloud C2 web interface. 

Link to post
Share on other sites

Thanks for the words of encouragement, Darren.

Are there any other flags to be used with C2EXFIL, besides STRING? And can it only exfil one file at a time? No wildcards?

One of my ideas for the nmap scan was to use the $SUBNET variable in the file name of the captured loot, so I know at a glance what the network subnet was that was just scanned. But that will make the file name unpredictable and not easily automated with the C2EXFIL line in the payload. So if I could grab it with a C2EXFIL STRING nmap_*.txt command, it would make things easier.

Link to post
Share on other sites

Currently the C2EXFIL command accepts only one file at a time. 

USAGE -- C2EXFIL (optional)STRING (required)<PATH> (optional)<SOURCE>

Examples:
C2EXFIL STRING <PATH> <SOURCE> - send text data from <PATH> file from <SOURCE>
C2EXFIL <PATH> <SOURCE> - send <PATH> file from <SOURCE>
C2EXFIL <PATH> - send <PATH> file

Multiple files may be uploaded using the tool, however you would need to loop over them in order to do so. 

I've published an example of this here: https://github.com/hak5/sharkjack-payloads/blob/master/payloads/library/example/cloudc2-multi-file-exfiltration/payload.sh

  • Like 1
Link to post
Share on other sites

Thank you for the example script. I didn't expect you to take the time. It seems so simple once someone else does it first.

C2EXFIL STRING <PATH> <SOURCE>

Just to clarify the options for the C2EXFIL command above, STRING simply means the loot file is text that can be read in the C2 Web console, as opposed to a binary file; PATH is the directory and file we want to exfil, and the optional switch SOURCE is ... ?  just a label or a tag?

Link to post
Share on other sites

Correct. STRING simply states to treat the file as standard ASCII so it can be viewed in the Cloud C2 web UI. Otherwise it's treated as a binary.

The SOURCE is indeed just a tag - which is helpful when managing loot from multiple payloads. 

No problem on the example payload - I really enjoy writing these and hope they're useful for others looking to implement these features. 

  • Like 1
Link to post
Share on other sites
  • 3 weeks later...
2 hours ago, Treebug842 said:

Hello, im a big noob and im having the same problem, I am running C2 locally and can't connect the shark jack (or any other Hak5 device). Im still unclear on how to fix this, any help would be greatly apreciated. 😄

Need to make sure you are using the right connection address setup during C2 setup.  If that info is wrong at setup then the device configs will be wrong as well.

Make sure your traffic is not being blocked by and sort of firewall (if there is one) on your network as well.

Link to post
Share on other sites
  • 2 weeks later...

Hi, and good evening.

I have added and setup the C2 and Sharkjack with the config file as per the videos, however, even adding the device.config file to the /etc/ it says that it is connecting but does not appear in the web browser.

Additionally, when using the -https option in starting the C2, when trying to log into the C2 through the browser, it fails to find the login page.

 

Any tips, suggestions would be really appreciated. Thankyou.

Link to post
Share on other sites

Hi, and good evening.

I have added and setup the C2 and Sharkjack with the config file as per the videos, however, even adding the device.config file to the /etc/ it says that it is connecting but does not appear in the web browser.

Additionally, when using the -https option in starting the C2, when trying to log into the C2 through the browser, it fails to find the login page.

 

Any tips, suggestions would be really appreciated. Thankyou.

 

 

sorry in addition --every time i plug in the wire shark it adds a new network interface, such as network 10 for example, thats under the named description.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...