Other Inspirations

Here are some additional resources that inspired this project:

• Havoc C2 Framework - https://github.com/HavocFramework/Havoc
• Building a C2 Implant with Nim - https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/
• Building a C2 Framework in C++ - https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer

Prerequisites

To make the most of this guide, familiarity with the following areas is advantageous:

• Basic full-stack development experience
• Introductory penetration testing knowledge, such as using Metasploit
• Programming skills

However, even if you're new to these topics, you should be able to grasp the concepts we discuss without too much difficulty.

Basic Concepts

For clarity, let’s define some key terms used throughout this article:

• Agent: This refers to the code executed on a victim machine, often termed an implant. Examples include meterpreter shells and covenant beacons.
• Server/Backend/API: This denotes the code or infrastructure that listens for incoming requests, handling both agent requests and user interactions.
• Frontend: This is the web component through which users interact with agents and the backend.

Requirements

Now, let's outline the requirements for our project:

• A simple agent running on a Windows host that can evade detection by EDR.
• A robust backend capable of managing multiple agents and sessions.
• An aesthetically pleasing frontend for ease of use and presentation.
• A method for hosting and accessing files necessary for the engagement.

In addition to these functional requirements, the following elements are essential for production software:

• Comprehensive error handling
• Logging of access attempts
• Recording of commands and outputs with timestamps
• Authentication for sensitive data and endpoints

Having established our requirements, we can proceed to the design phase before diving into development.

Architecture

With a clearer understanding of our goal and the tools at our disposal, we can outline a potential solution. It’s important to note that while various programming languages can be used, the choice ultimately depends on your comfort level.

Once you've decided on your language of choice, think about how all components will integrate.

#### Agents

The simplest part of our setup is the agent. Essentially, it's a loop that performs GET and POST requests: GET to fetch the command to execute and POST to relay results. State management occurs through headers, specifically an "ID" for the command and a second ID for the agent, which serves as an authentication token. This setup can be as complex or straightforward as desired, from a PowerShell script to a fully developed application in C.

#### Frontend

The frontend is the interface you will interact with most frequently. Its functionality is straightforward: provide an overview of deployed agents, send commands, and display results. While it can be as simple or complex as you wish, I focused on user-friendly features like self-updating overviews and an intuitive agent generation interface. This is also the aspect where you can get creative, adding various features to enhance usability.

#### API / Backend

This component ensures synchronization and manages everything from agent generation to authentication. It logs events, tracks commands, and handles agent sessions.

The backend's functionality can be broken down into the following components:

• Data Transmission to Frontend: This includes agent sessions and new shells, segmented into different endpoints.
• Authentication: Both agents and the frontend require authentication, with the frontend using React routes to verify sessions against Flask sessions.
• Event Logging: Events and alerts are logged for auditing and displayed in the frontend.
• Command Management: The backend provides endpoints for sending and receiving commands, verifying agent sessions, and maintaining command records.

Integration of Components

With a better grasp of the individual components, we can examine how they interact. The frontend communicates exclusively with the Flask API, sending requests for agent commands and shell generation. The agents perform all GET and POST requests to the Flask API, which coordinates logins, agent generation, and file serving.

For visual clarity, a typical workflow diagram can be helpful, but suffice it to say, the interactions are relatively straightforward.

Choice of Programming Languages

For this project, I opted for languages I was comfortable with. I chose ReactJS for the frontend due to its extensive documentation and ease of iteration, while Python Flask served as the backend for its simplicity and speed of development.

Why No Code Snippets?

You may be wondering why this article lacks code snippets. The reason is simple: the project isn't overly complex if you have programming experience. Essentially, it involves setting up a web server with a backend API, much of which can be adapted from readily available resources.

Defense Evasion

For defense evasion, the approach is relatively straightforward. We are drawing inspiration from hoaxshell [001] and implementing some obfuscation techniques based on the "PowerShell Obfuscation Bible" [006]. Additional evasion techniques, such as AMSI bypasses, can be incorporated as necessary, though they won’t be covered here [007]. The goal is to ensure the reverse shell remains unique, thus evading detection by string-matching defense mechanisms.

Proof of Concept

After planning, the next step is implementation, which can be time-consuming. During this phase, I was simultaneously learning frontend and API development, but the well-documented nature of these technologies helped streamline the process. Below are some initial screenshots of the web frontend before finalizing the design with CSS.

The Magic of CSS

You might be thinking that the initial designs look unpolished. Fortunately, CSS can transform the aesthetics significantly, enhancing user experience. While it’s easy to get lost in the minutiae of design, investing time in CSS is worthwhile, as it can elevate the frontend from basic to visually appealing.

After applying CSS updates, the frontend looks significantly more polished and user-friendly.

Deployment

Now that we have a functional application, how do we utilize it in real engagements? If you're like most, you'll set up a new virtual machine for each engagement. I created a simple bash script to facilitate this process, which includes commands for updating the system, cloning the repository, and setting up Flask and ReactJS.

Penetration Testing

Given that this application may handle sensitive information, it's crucial to ensure it is securely configured. Testing for common vulnerabilities is advisable, including:

• Unauthorized access and IDOR
• Weak cryptography and credentials
• Information disclosure
• Access control for both agents and users

Consulting the OWASP Top Ten is a good starting point to address potential issues.

Demo

After all the preparation, here is the demo showcasing the shell generation and multi-session handling capabilities of the application.

Points of Improvement

Post-project reflection reveals several areas for enhancement:

• CSS and Web Interface: Continuous improvement in this area is essential, including real-time updates in the console and enhanced user interactions.
• ReactJS: There’s room for improving modularity and overall code quality in the frontend.
• Flask: Simplifying the backend code and enhancing logging and error handling would be beneficial.
• Maintainability: The current state is more of a proof of concept and requires refinement for better maintainability.

In summary, while there will always be opportunities for improvement, I now have a functional proof of concept to experiment with. It’s important to balance polishing the project with the flexibility to make significant changes as needed.

Lessons Learned

This project provided a wealth of learning opportunities, particularly in web development and command serving over HTTP/HTTPS. Transitioning from PHP to modern frameworks was a refreshing experience, and exploring agent obfuscation techniques proved rewarding. Overall, it was a time-consuming yet highly educational endeavor.

Conclusion

As this project comes to a close, I've acquired numerous skills and developed a custom C2 framework. While there's room for improvement and potential for a complete overhaul, it’s gratifying to witness the evolution from a basic hoaxshell clone to a functional tool. The project has also sparked new ideas, such as the development of a more robust client utilizing the Windows API.

Thank you for joining me on this journey; I hope you found it informative and enjoyable.

References

• [001] — https://github.com/t3l3machus/hoaxshell
• [002] — Havoc C2 Framework - https://github.com/HavocFramework/Havoc
• [003] — Building a C2 Implant with Nim - https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/
• [004] — Building a C2 Framework in C++ - https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer
• [005] — How To Create a React + Flask Project - https://blog.miguelgrinberg.com/post/how-to-create-a-react--flask-project
• [006] — PowerShell Obfuscation Bible - https://github.com/t3l3machus/PowerShell-Obfuscation-Bible
• [007] — https://github.com/Sh3lldon/FullBypass?tab=readme-ov-file
• [008] — https://kettan007.medium.com/how-to-clone-a-git-repository-using-personal-access-token-a-step-by-step-guide-ab7b54d4ef83