[BUG] Docker - SharpSocks server doesn't start correctly
AlexH0661 opened this issue · comments
Description
When attempting to start the sharpsocks server, an error occurs.
Below is the output from both the implant and PoshC2 server perspective.
Both key and channel have been replaced for brevity.
Implant
```
implant PS> sharpsocks
sharpsocks -c=<channel> -k=<key> --verbose -l=http://0.0.0.0:49031
```
PoshC2 Server
```
PoshC2-Server:# sharpsocks -c=<channel> -k=<key> --verbose -l=http://0.0.0.0:49031
/usr/local/bin/sharpsocks: illegal option -- c
*** PoshC2 Docker SharpSocks Handler ***
Usage:
sharpsocks -t <docker-image-tag> <args>
Default Docker tag is latest (master)
```
Execution Environment:
Data | Value |
---|---|
Full Posh version (all the text between the === at the top of the Implant Handler) | PoshC2 Zip (dd39e62) |
OS & version | Debian 10.7 |
Using Docker/containerisation? | Docker |
Implant Info
- What implant does the problem occur on? PowerShell
- How was the implant created? Attempted on both running default payloads, and inject-shellcode
Defensive Technologies
- Is the target environment running any particular defensive products? No. This test environment has limited to no defensive products activated
To Reproduce
Steps to reproduce the behavior:
- Select a PowerShell implant
- Run sharpsocks
- Copy output to PoshC2 server terminal, and execute
- Receive error
Expected behavior
After pasting and executing the command on the PoshC2 server, I expect the sharpsocks server to start
Screenshots
N/A
Attach files if required
N/A
Additional context
Have attempted to modify the posh-server and expose/map the sharpsocks ports, and then run the command from within the container. This executes, but I receive an error about public certs. If I then press 'y' on the implant, for it to start using the sharpsocks client, I receive "Unknown C2 traffic. This might be an old implant or sharpsocks". The server doesn't seem to start up properly.
This could be a misconfiguration on my part. The documentation doesn't detail what each argument should contain. E.g. should the server URI be the URI of a redirector, or the C2 server? Does the port need to be reachable externally, or can it just listen on the localhost? The socks port is self-explanatory though.
Had to use sharpsocks -s <args>. Server then started. Still getting unknown C2 comms incoming (Could be old implant or sharpsocks) -<publicip>-<uri>, but assuming this is expected behaviour
Receiving the following output when sharpsocks server attempts to start. Arguments used -c=<channel> -k=<key> --verbose -l=http://0.0.0.0:49031
```
SharpsSOCKS .net core
v0.1
by Rob Maslen (2019)
=================
[12/09/2020 22:31:07][!] Defaulting Socket Timeout to 120s
[x] to quit
[12/09/2020 22:31:07][!] Public key for USING DEBUG SIMPLE ENCRYPTOR
Usage: [options]
Options:
-?|-h|--help Show help information
-s|--socksserveruri IP:Port for SOCKS to listen on, default is *:43334
-c|--cmdid Command Channel Identifier, needs to be shared with the server
-l|--httpserveruri Uri to listen on, default is http://127.0.0.1:8081
-k|--encryptionkey The encryption key used to secure comms
-sc|--sessioncookie The name of the cookie to pass the session identifier
-pc|--payloadcookie The name of the cookie to pass smaller requests through
-st|--socketTimeout How long should SOCKS sockets be held open for, default is 120s
-v|--verbose Verbose error logging
```
I escaped the '=' from the end of the key. This has stopped the error "[!] Public key for USING DEBUG SIMPLE ENCRYPTOR" from coming up, but the server still exits
Hi, sorry for the delay on this one. I think we've fixed this on the dev branch but you'll have to use the docker-build script to test this before it goes to master.
Once you execute sharpsocks in the implant it will now ask if you are running via docker and provide a slightly optimised version of the command to run server side.
You need to make sure your sharpsocks config in the posh-config is not 127.0.0.1 and is your interface IP as it has to push from the C2Server container to the SharpSocks docker container.
Does that make sense?
To get this running, make sure you do a git fetch, git reset --hard dev.
Then Install-docker.sh -b dev.
Once that's installed, run the resources/script/docker-build to get a docker container on dev. Might take 15-20 minutes to build depending on your memory/cpu on the host you're running on.
closing this down as this should be all resolved on dev