Red Team Part 5 – Intro to C2 | TryHackMe

Hello world and welcome to HaXeZ where today we’re going to be getting a bit more technical and looking at C2s. To clarify, C2 is short for Command and Control and is a central location from which to control all your compromised devices. If you’re interested in Red Team engagements or cybersecurity in general then head over to TryHackMe and level up your skills.

Task 1 – Introduction

As with most first rooms on TryHackMe, the first room is an introduction room and explains what is going to be covered. Not much to talk about here other than that we will be covering how Command and Control Frameworks work. Then, we will cover the various components that Command and Controls use. After that, we will cover the basic setup of a Command and Control Framework. Furthermore, the room covers how to use Armitage and Metasploit.

Task 1 - Introduction
Task 1 – Introduction

Task 2 – Command and Control Framework Structure

This section of the room has a lot of information to digest. In short, the room explains what a Command and Control Framework is, the structure of a Command and Control, how to obfuscate agent callbacks, payload types, and a lot more. Overall, the information contained in this section is essential. For example, it explains that a C2 agent is similar to a Netcat reverse shell. Furthermore, it elaborates on beacons and explains how beacons are callbacks to the main Command and Control server and that unless confiscated can be easily recognized.

Task 2 - Command and Control Framework Structure
Task 2 – Command and Control Framework Structure
Question: What is the component's name that lives on the victim machine that calls back to the C2 server?
Answer: Agent

Question: What is the beaconing option that introduces a random delay value to the sleep timer?
Answer: Jitter

Question: What is the term for the first portion of a Staged payload?
Answer: Dropper

Question: What is the name of the communication method that can potentially allow access to a restricted network segment that communicates via TCP ports 139 and 
Answer: SMB Beacon

Task 3 – Common C2 Frameworks

Next, task 3 discusses the various different Command and Control frameworks. It breaks them down into free and premium versions. Notably, it covers Metasploit, Armitage, Powershell Empire, Covenant, and Sliver. It then covers the premium Command and Control frameworks such as Cobalt Strike and Brute Ratel.

Task 3 - Common C2 Frameworks
Task 3 – Common C2 Frameworks

Task 4 – Setting Up a C2 Framework

The next room covers how to set up a Command and Control Framework. Notably, it focuses on Armitage and how you can clone the framework from Gitlab. It then discusses how Metasploit needs to be set up correctly as Armitage heavily relies on Metasploit’s database. Furthermore, it explains how Armitage can be used by multiple people provided they have the IP address, port, username, and password. For more information on this section please refer to the video at the end.

Task 4 - Setting Up a C2 Framework
Task 4 – Setting Up a C2 Framework

Task 5 – C2 Operation Basics

The next section, section 5 covers C2 operation basics. Furthermore, it explains how best to hide your C2 server from those pesky Blue Team security analysts. It discusses how Cobalt Strike servers could be easily identified due to an additional space in the HTTP header. Moreover, it explains how things like Cloudflare and virtual hosts can be used to hide your C2 server.

Task 5 - C2 Operation Basics
Task 5 – C2 Operation Basics
Question: Which listener should you choose if you have a device that cannot easily access the internet?
Answer: DNS

Question: Which listener should you choose if you're accessing a restricted network segment?
Answer: SMB

Question: Which listener should you choose if you are dealing with a Firewall that does protocol inspection?
Answer: HTTPS


Task 6 – Command, Control, and Conquer

Section 6 of this room covers using Armitage to exploit hosts. In particular, it walks through performing a Nmap scan against the vulnerable virtual machine Blue. Consequently, the host is vulnerable to the Eternal Blue vulnerability which you can then exploit through Armitage. Once the exploit is complete you can then perform a post-exploitation investigation directly through the terminal. Again, see the video at the end for more information.

Task 6 - Command, Control, and Conquer
Task 6 – Command, Control, and Conquer
Question: What flag can be found after gaining Administrative access to the PC?
Answer: THM{bd6ea6c871dced619876321081132744}

Question: What is the Administrator's NTLM hash?
Answer: c156d5d108721c5626a6a054d6e0943c

Question: What flag can be found after gaining access to Ted's user account?
Answer: THM{217fa45e35f8353ffd04cfc0be28e760}

Question: What is Ted's NTLM Hash?
Answer: 2e2618f266da8867e5664425c1309a5c


Task 7 – Advanced C2 Setups

This section of the room covers advanced C2 setups. It goes into more detail about setting up Apache and virtual hosts. These efforts are to attempt to avoid detection by a security analyst which could result in the server getting reported and shut down. This section has some great advise on how you can configure the Apache server to only respond with the C2 if the header include a certain User Agent.

Task 7 - Advanced C2 Setups
Task 7 – Advanced C2 Setups


Task 8 – Wrapping Up / Conclusions

The last room in the series summarizes what was covered in the room and how to choose a framework. I thoroughly enjoyed this room as I was recently looking at C2s and couldn’t find one I liked. I looked at Chaos but had a lot of issues getting it to work. Nevertheless, this room has been educational and has pointed me in the right direction on how to set up and use a full-fledged C2.

Task 8 - Wrapping Up / Conclusions
Task 8 – Wrapping Up / Conclusions