HTTPSC2DoneRight (and Working)
By Red Siege | February 17, 2022
If you’re a Cobalt Strike user, it’s almost certain that at some point you’ve used Alex Rymdeko-Harvey‘s httpsc2doneright script. In a nutshell, it automates the process of requesting a Let’s Encrypt certificate and converts it into a format usable by Cobalt Strike for your HTTPS comms. However, it no longer works.
The script relied on calling letsencrypt-auto, which might not be supported depending on the Linux distro you are using.
Thankfully, this is easily updated by directly calling certbot after installing it from apt. Outside of asking for you to provide the domain you want a certificate for, a password for the java keystore, and the path to Cobalt Strike (where the profile and keystore will be saved), the updated script is still automated and will finish with a sample Amazon profile configured to use the java keystore for HTTPS comms. All that’s left for you to do is copy that block of code into your actual malleable profile (perhaps one that is generated by C2Concealer) and then you’re set for HTTPS with a legitimate certificate.
A few smaller things have been updated, such as if a dependency isn’t met, the script will auto-download it and continue with obtaining the SSL cert and generating the keystore.
Now, would you use a HTTPS certificate from Let’s Encrypt for your C2 comms? Maybe not on a red team, but possibly if you have something in between you and the targeted system such as a CDN, or an Azure Function, which only requires a valid certificate and will not present your Let’s Encrypt cert to the endpoint. That’s going to be scenario dependent, and a call for you to make. Regardless, this script helps to automate some steps and save you some time.
Related StoriesView More
By Red Siege | March 4, 2024
By Alex Reid, Current Red Siege Intern A long-time tactic of threat actors and offensive security professionals alike, tampering with LSASS.exe in order to recover credentials remains a highly […]Learn More
By Red Siege | February 15, 2024
By: Justin Palk, Senior Security Consultant SSH is an incredibly valuable tool for penetration testing. It provides us with a secure channel for administering machines, remotely executing tools, transferring […]Learn More
By Red Siege | January 22, 2024
By: Alex Reid, Current Red Siege Intern Introduction This blog post accompanies the release of an open source tool called GraphStrike which can be found here. Those familiar with my […]Learn More