[BUG] With a docker install 'posh' client does not show output, but there is output in posh-log

Question

[BUG] With a docker install 'posh' client does not show output, but there is output in posh-log

ag-michael opened this issue 4 years ago · comments

Description

With a docker install 'posh' client does not show output, but there is output in posh-log. Implant connects fine, but when running commands there is no output in the terminal console.

Execution Environment:

Data	Value
Full Posh version (all the text between the === at the top of the Implant Handler)	PoshC2 v7.0.5 (`00faa23` 2020-10-13 09:01:31)
OS & version	Kali Linux - kali-rolling
Using Docker/containerisation?	m0rv4i/poshc2:latest (fc545a8a65f2)

Implant Info

What implant does the problem occur on? C#
How was the implant created? Running a default payload

Defensive Technologies

Is the target environment running any particular defensive products? Defender is disabled, no other AV/EDR

To Reproduce

Steps to reproduce the behavior:

Install poshc2 as a docker image
run posh-service
Execute implant on target
Attempt to run commands using posh
You will not see any output,however if you quit and run posh-log you will see the output there

Expected behavior

Command output will be displayed in the console when executing commands using posh

RiskyDissonance · Answer 1 · Tue Oct 27 2020 20:12:16 GMT+0800 (China Standard Time)

Hi, I'm not able to reproduce this, are you able to provide any more details or screenshots?

E.g.

What user are both processes running as
Did you install via Install-for-Docker.sh
Do you see the implants in the ImplantHandler and do they stay active (green)
What beacon time are they set to
What commands are being run

thanks!

Michael · Answer 2 · Tue Oct 27 2020 21:06:03 GMT+0800 (China Standard Time)

@m0rv4i

both processes were started as root (directly not via sudo)
Yes, I used Install-for-Docker.sh
Yes, they show up and stay green
How can I tell what beacon time is configured? I left most things in their default setting.
Check out the screenshot below:

https://i.imgur.com/EDmaPgS.png

RiskyDissonance · Answer 3 · Wed Oct 28 2020 17:13:17 GMT+0800 (China Standard Time)

Thanks! I'll investigate some more and try to reproduce

RiskyDissonance · Answer 4 · Fri Oct 30 2020 01:13:48 GMT+0800 (China Standard Time)

Hey,

Unfortunately I can't reproduce this at all, what OS are you running on? And how are your comms set up?
Are you able to test if your current config works when not using Docker, if you haven't already?

Thanks

Michael · Answer 5 · Tue Nov 03 2020 23:23:20 GMT+0800 (China Standard Time)

@m0rv4i It's a Kali VM hosted in Azure. comms is https, target is also in Azure (same subnet, no firewalls). I do get an output in posh-log so the comms is working. I had lots of issues setting it up without Docker which is why I opted to use Docker. Can I run any diagnostic commands to help you isolate the issue?

RiskyDissonance · Answer 6 · Tue Nov 03 2020 23:40:11 GMT+0800 (China Standard Time)

You can check the NewTasks table in the database (<projects folder>/PowerShellC2.SQLite if using SQLite) and let me know if the commands are being entered in the table. Commands are written there by the implant handler and picked up by the c2 server when they are issued to an implant before being removed from that table, so what state it is in will help narrow down where the problem is.

You could also check the <projects folder>/webserver.log for any errors, issues and see how frequently the implant is beaconing (is it as expected?).

Ben Turner · Answer 7 · Tue Jan 05 2021 14:33:10 GMT+0800 (China Standard Time)

Hi, just looping in on this too - do you mean you are expecting output from the 'posh' terminal as this is the implant handler window and all implant output is expected to come out in the posh-log or posh-service. Its slightly different to other C2 frameworks like Empire in this regard, you need to have two terminal windows open at all times when using Posh. Not sure if that is the issue here or not but seems like it could be.

Michael · Answer 8 · Tue Jan 12 2021 01:36:17 GMT+0800 (China Standard Time)

@m0rv4i here is what I see in the sqlite3 database for the NewTasks table:

18|ISzM1SqpxOrcCep|loadmodule Get-IPConfig.ps1|testuser
19|ISzM1SqpxOrcCep|get-ipconfig|testuser
20|ISzM1SqpxOrcCep|#let'sdebug|testuser
21|ISzM1SqpxOrcCep|loadmodule Get-ComputerInfo.ps1|testuser
22|ISzM1SqpxOrcCep|get-computerinfo|testuser
23|rNjsd3d60WIZWbO|loadmodule Stage2-Core.ps1|autoruns

This is the complete webserver.log from the same project:

1.2.3.4 - [04/Dec/2020 06:43:05] "GET /babel-polyfill/6.3.14/polyfill.min.js=/ HTTP/1.1" 200 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
1.2.3.4 - [04/Dec/2020 06:47:20] "GET /babel-polyfill/6.3.14/polyfill.min.js=/ HTTP/1.1" 200 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
1.2.3.4 - [04/Dec/2020 06:48:06] "GET /babel-polyfill/6.3.14/polyfill.min.js=/ HTTP/1.1" 200 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
1.2.3.4 - [04/Dec/2020 06:52:21] "GET /babel-polyfill/6.3.14/polyfill.min.js=/ HTTP/1.1" 200 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
1.2.3.4 - [04/Dec/2020 06:58:06] "GET /babel-polyfill/6.3.14/polyfill.min.js=/ HTTP/1.1" 200 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36

@benpturner Now I'm thinking that might be the issue to be honest. I have posh-server/posh-service running in the background in docker. I am able to see the output of commands in posh-log. My expectation is, the command output will be shown on the same window where the command was typed (in addition to other places like posh-log). If that is not the case and this is by design then I think we can close this issue.