Mythic Client Download Command Re-Writes Source File
Ne0nd0g opened this issue · 0 comments
Prerequisite
Environment Data
- Merlin Version: v0.5.0
- Merlin Build: nonRelease
- Go Version: 1.18
- GOPATH Environment Variable:
- GOROOT Environment Variable:
- Operating System: Windows
Expected Behavior
When the `download` command is issued from Mythic, the agent downloads the file and does not re-write the source file.
Actual Behavior
If the command `download C:\secrets.txt` was issued from Mythic, the file will successfully be downloaded to the Mythic server. However, the Mythic client incorrectly returns an error after sending the data. This causes the job to go back into the job queue as a recovery mechanism for C2 channel errors. The original command has the `IsDownload` field set to `true` in the job tasking structure. When the agent re-processes the job from the previous failure to send, it now interprets it as an upload command and re-writes the same file to the source directory.
Once the file has been sent to the Mythic server, it is deleted from a map here:
merlin-agent/clients/mythic/mythic.go, Line 571 in 59a846a
merlin-agent/clients/mythic/mythic.go, Line 579 in 59a846a
The confusion with `IsDownload` stems from the original implementation that was from the agent's point of view. From the agent's point of view, downloading means to download a file from the server and write it to the host where the agent is running. Mythic commands and clients work off of the operator's point of view. From the operator's perspective, download means retrieve a file from the host where the agent is running and download it to the server. The source code to upload/download files is the same for standalone Merlin and for the Mythic client, thus the confusion on the field.
Steps to Reproduce Behavior
Using a Merlin agent build with Verbose and Debug logging enabled, issue a `download` command from Mythic.
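The two conditions described in this issue, a direction flag whose meaning depends on the reader and a job re-queued after a false send error, can be modelled in a few lines. The following is an added example, not code from merlin-agent or from the issue author: `Direction`, `Job`, `Agent`, `Handle` and `Run` are hypothetical names, and the model assumes each job carries a unique ID and that a failed report is retried once.

```go
package main

import "fmt"

// Direction states the transfer from one fixed point of view: the agent's host.
type Direction int
const (
	HostToServer Direction = iota // what a Mythic operator calls "download"
	ServerToHost                  // what a Mythic operator calls "upload"
)

// Job and Agent are constructed, simplified types; they are not Merlin's.
type Job struct {
	ID  string
	Dir Direction
}
type Agent struct {
	done    map[string]bool   // job IDs whose side effect already ran
	Effects map[Direction]int // effects are counted here, not performed
}

// Handle performs a job's side effect at most once per job ID.
func (a *Agent) Handle(j Job) {
	if a.done[j.ID] {
		return
	}
	a.done[j.ID] = true
	a.Effects[j.Dir]++
}

// Run works through the queue; a job whose report fails is re-queued once (assumed recovery).
func Run(queue []Job, report func(Job) error) *Agent {
	a := &Agent{done: map[string]bool{}, Effects: map[Direction]int{}}
	retried := map[string]bool{}
	for i := 0; i < len(queue); i++ { // len grows when a job is re-queued
		a.Handle(queue[i])
		if report(queue[i]) != nil && !retried[queue[i].ID] {
			retried[queue[i].ID] = true
			queue = append(queue, queue[i])
		}
	}
	return a
}

func main() {
	falseErr := func(Job) error { return fmt.Errorf("constructed false send error") }
	a := Run([]Job{{ID: "job-1", Dir: HostToServer}}, falseErr)
	fmt.Println(a.Effects[HostToServer], a.Effects[ServerToHost])
}
```

Because the direction is named from a single fixed viewpoint and the side effect is keyed on the job ID, the re-queued job neither sends the file twice nor writes anything to the host.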