nettitude / PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.

[BUG] Docker - SharpSocks server doesn't start correctly

AlexH0661 opened this issue

Description

When attempting to start the sharpsocks server, an error occurs.
Below is the output from both the implant and PoshC2 server perspective.
Both key and channel have been replaced for brevity.

Implant

implant PS> sharpsocks
sharpsocks -c=<channel> -k=<key> --verbose -l=http://0.0.0.0:49031

PoshC2 Server

PoshC2-Server:# sharpsocks -c=<channel> -k=<key> --verbose -l=http://0.0.0.0:49031
/usr/local/bin/sharpsocks: illegal option -- c
*** PoshC2 Docker SharpSocks Handler ***
Usage:
sharpsocks -t <docker-image-tag> <args>

Default Docker tag is latest (master)

Execution Environment:

| Data | Value |
| --- | --- |
| Full Posh version (all the text between the === at the top of the Implant Handler) | PoshC2 Zip (dd39e62) |
| OS & version | Debian 10.7 |
| Using Docker/containerisation? | Docker |

Implant Info

  • What implant does the problem occur on? PowerShell
  • How was the implant created? Attempted on both running default payloads, and inject-shellcode

Defensive Technologies

  • Is the target environment running any particular defensive products? No. This test environment has limited to no defensive products activated

To Reproduce

Steps to reproduce the behavior:

  1. Select a powershell implant
  2. Run sharpsocks
  3. Copy output to PoshC2 server terminal, and execute
  4. Receive error

Expected behavior

After pasting and executing the command on the PoshC2 server, I expect the sharpsocks server to start

Screenshots

N/A

Attach files if required

N/A

Additional context

Have attempted to modify the posh-server and expose/map the sharpsocks ports, and then run the command from within the container. This executes, but I receive an error about public certs. If I then press 'y' on the implant, for it to start using the sharpsocks client, I receive "Unknown C2 traffic. This might be an old implant or sharpsocks". The server doesn't seem to start up properly.

This could be a misconfiguration on my part. The documentation doesn't detail what each argument should contain. E.g., should the server URI be the URI of a redirector, or the C2 server? Does the port need to be reachable externally, or can it just listen on the localhost? The socks port is self-explanatory though.

Had to use sharpsocks -s <args>. Server then started. Still getting unknown C2 comms incoming (Could be old implant or sharpsocks) -<publicip>-<uri>, but assuming this is expected behaviour.

Receiving the following output when sharpsocks server attempts to start. Arguments used -c=<channel> -k=<key> --verbose -l=http://0.0.0.0:49031

SharpsSOCKS .net core
v0.1
by Rob Maslen (2019)
=================

[12/09/2020 22:31:07][!] Defaulting Socket Timeout to 120s

[x] to quit

[12/09/2020 22:31:07][!] Public key for USING DEBUG SIMPLE ENCRYPTOR
Usage:  [options]

Options:
  -?|-h|--help         Show help information
  -s|--socksserveruri  IP:Port for SOCKS to listen on, default is *:43334
  -c|--cmdid           Command Channel Identifier, needs to be shared with the server
  -l|--httpserveruri   Uri to listen on, default is http://127.0.0.1:8081
  -k|--encryptionkey   The encryption key used to secure comms
  -sc|--sessioncookie  The name of the cookie to pass the session identifier
  -pc|--payloadcookie  The name of the cookie to pass smaller requests through
  -st|--socketTimeout  How long should SOCKS sockets be held open for, default is 120s
  -v|--verbose         Verbose error logging

I escaped the '=' from the end of the key. This has stopped the error [!] Public key for USING DEBUG SIMPLE ENCRYPTOR from coming up, but the server still exits.

Hi, sorry for the delay on this one. I think we've fixed this on the dev branch but you'll have to use the docker-build script to test this before it goes to master.

Once you execute sharpsocks in the implant it will now ask if you are running via docker and provide a slightly optimised version of the command to run server side.

You need to make sure your sharpsocks config in the posh-config is not 127.0.0.1 and is your interface IP as it has to push from the C2Server container to the SharpSocks docker container.

Does that make sense?

To get this running, make sure you do a git fetch, git reset --hard dev.

Then Install-docker.sh -b dev.

Once that's installed, run the resources/script/docker-build to get a docker container on dev. Might take 15-20 minutes to build depending on your memory/cpu on the host you're running on.

Closing this down as this should be all resolved on dev.