Server-side decryption failed #172

Open
z0edff0x3d opened this issue Jun 17, 2022 · 6 comments

@z0edff0x3d

cs4.2
```
[-] A Malleable C2 attempt to recover data from a '.http-get.client.metadata' transaction failed. This could be due to a bug in the profile, a change made to the profile after this Beacon was run, or a change made to the transaction by some device between your target and your Cobalt Strike controller. The following information will (hopefully) help narrow down what happened.

From 'x.x.x.x'
URI '/load'

Headers

'User-Agent' = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163'
'Cookie' = 'xxxx'
'Accept' = '/'
'Host' = 'x.x.x.x:8443'
'REMOTE_ADDRESS' = '/x.x.x.x'
'Connection' = 'keep-alive'

[-] Trapped javax.crypto.BadPaddingException during RSA decrypt [HTTP session handler]: Decryption error
javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:379)
    at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:290)
    at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:365)
    at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:391)
    at javax.crypto.Cipher.doFinal(Cipher.java:2168)
    at dns.AsymmetricCrypto.decrypt(Unknown Source)
    at beacon.BeaconC2.process_beacon_metadata(Unknown Source)
    at beacon.BeaconHTTP$GetHandler.serve(Unknown Source)
    at c2profile.MalleableHook.serve(Unknown Source)
    at cloudstrike.WebServer._serve(WebServer.java:232)
    at cloudstrike.WebServer.serve(WebServer.java:213)
    at cloudstrike.NanoHTTPD$HTTPSession.run(NanoHTTPD.java:372)
    at java.lang.Thread.run(Thread.java:748)
[-] decrypt of metadata failed
```

@gloxec
Owner

gloxec commented Jun 17, 2022

Is the teamserver configured with a c2profile?

@gloxec gloxec closed this as completed Sep 10, 2022
@nnsssa

nnsssa commented Oct 9, 2023

Has this been solved?

@nnsssa

nnsssa commented Oct 9, 2023

This issue

@gloxec
Owner

gloxec commented Oct 9, 2023

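@nnsssa Please provide:

  1. CS version information
  2. CrossC2 version information
  3. Whether a c2profile was specified when running the teamserver
  4. The command used when generating the beacon with genCrossC2
  5. Whether the .cobaltstrike.beacon_keys file is consistent with the one on the server side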

@gloxec gloxec reopened this Oct 9, 2023
@nnsssa

nnsssa commented Oct 9, 2023

1 cs4.8
2 Version 3.2
3 Not specified `genCrossC2.Win.exe 38.xx.xx.xx xxxx .cobaltstrike.beacon_keys null linux x64 ./cc stager 4.8`
4 Consistent

@gloxec
Owner

gloxec commented Oct 9, 2023

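@nnsssa I suspect this is an issue related to version 4.8; a similar issue is #194. Could you share the relevant files so they can be analyzed?

  1. The resources/default.profile file from the unpacked 4.8 client used in this case
  2. The .cobaltstrike.beacon_keys file that is generated automatically when any listener is temporarily created with a clean 4.8 server in a new environment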
