
Not receiving callbacks on HTTP profile with SSL enabled #443

Open
j2671724 opened this issue Feb 21, 2025 · 5 comments

Comments

@j2671724

I'm having an issue getting callbacks on the HTTP profile with SSL enabled.

I'm using the Athena agent and the automatically generated self-signed key/cert. Seems the requests are getting to the host Mythic is running on, but no active callbacks appear in the UI. Not getting any feedback from Stdout/Stderr for the HTTP profile in the UI, either. This is with no redirectors, so callbacks are going directly to the HTTP profile.

I had no issues with callbacks when running on port 80.

Output from payload config check:

[screenshot not reproduced]

Mythic Version: v3.3.1-rc35
UI Version: v0.2.75

Thanks for the help!!

@its-a-feature
Owner

I just tested and was able to get a callback with Poseidon through the self signed HTTPS profile.
Let's do some troubleshooting:

  • Can you double check that you stopped and started the c2 profile (from the UI) after making the configuration change? That'll just confirm that the inner c2 profile is running on that port.
  • Can you check the listening ports on the host where the mythic server is running and see that 443 is bound properly?
  • Can you enable debug in the http profile (through the UI), then click to stop and start the profile again, run your agent, wait a few seconds, and check to see if you have any data in the stdout?
  • The Athena payload is still running right? Can you confirm that it's making https traffic to the c2 profile?

If all of that is good to go, I'm gonna have to ask that you open this up against the https://github.com/MythicAgents/Athena repo so that the Athena dev can hop in and see what's up.

@j2671724
Author

Thanks for the quick response!

I can confirm that the c2 profile was stopped and started after making the change.

Here are the ports the host is listening on (included all of them in case there is something I might be missing):

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 4096 127.0.0.1:8090 0.0.0.0:* users:(("docker-proxy",pid=152192,fd=4))
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("docker-proxy",pid=152281,fd=4))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=517,fd=15))
tcp LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:* users:(("docker-proxy",pid=152204,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7007 0.0.0.0:* users:(("docker-proxy",pid=152453,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7006 0.0.0.0:* users:(("docker-proxy",pid=152444,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7005 0.0.0.0:* users:(("docker-proxy",pid=152413,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7004 0.0.0.0:* users:(("docker-proxy",pid=152393,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7003 0.0.0.0:* users:(("docker-proxy",pid=152373,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7002 0.0.0.0:* users:(("docker-proxy",pid=152364,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7001 0.0.0.0:* users:(("docker-proxy",pid=152345,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7000 0.0.0.0:* users:(("docker-proxy",pid=152326,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7010 0.0.0.0:* users:(("docker-proxy",pid=152533,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7009 0.0.0.0:* users:(("docker-proxy",pid=152501,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7008 0.0.0.0:* users:(("docker-proxy",pid=152482,fd=4))
tcp LISTEN 0 4096 0.0.0.0:7777 0.0.0.0:* users:(("docker-proxy",pid=152451,fd=4))
tcp LISTEN 0 4096 127.0.0.1:5672 0.0.0.0:* users:(("docker-proxy",pid=152534,fd=4))
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=517,fd=17))
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=6496,fd=8))
tcp LISTEN 0 4096 127.0.0.1:17444 0.0.0.0:* users:(("docker-proxy",pid=152563,fd=4))
tcp LISTEN 0 4096 127.0.0.1:17443 0.0.0.0:* users:(("docker-proxy",pid=152554,fd=4))
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("docker-proxy",pid=152168,fd=4))
tcp LISTEN 0 4096 127.0.0.1:8888 0.0.0.0:* users:(("docker-proxy",pid=152589,fd=4))
tcp LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=6496,fd=7))
tcp LISTEN 0 4096 *:8081 *:* users:(("mythic_websocke",pid=154296,fd=7))
tcp LISTEN 0 4096 [::]:7777 [::]:* users:(("docker-proxy",pid=152484,fd=4))
tcp LISTEN 0 4096 *:443 *:* users:(("mythic_http_ser",pid=201976,fd=3))

Just enabled debug. No output coming through in Stdout/Stderr after restarting the profile and running the agent, though.

And I can confirm I am seeing HTTPS requests on the client running the Athena payload to the C2 profile.

@its-a-feature
Owner

hmm ok, in your Mythic/.env file, change DEBUG_LEVEL="warning" to DEBUG_LEVEL="debug", then do sudo ./mythic-cli start http. That'll start the http container (and all containers started after this) with debug level output instead of just warning level. Now do sudo ./mythic-cli logs http -f; that'll start streaming the logs from the http container. Now start the Athena agent and hopefully you'll see something come through on the debug log.

@j2671724
Author

j2671724 commented Feb 24, 2025

Hmm, not seeing anything come through in the HTTP log:

[screenshot not reproduced]

Here's what traffic I am seeing from the client on the C2 server:

mythic@mythic:~/Mythic$ sudo tcpdump -i any port 443
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
15:57:32.379118 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [S], seq 2580450795, win 65535, options [mss 1410,nop,wscale 8,nop,nop,sackOK], length 0
15:57:32.379152 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [S.], seq 2445255317, ack 2580450796, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:57:32.380937 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [.], ack 1, win 255, length 0
15:57:32.383491 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [P.], seq 1:419, ack 1, win 255, length 418
15:57:32.383503 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [.], ack 419, win 501, length 0
15:57:32.385792 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [P.], seq 1:1464, ack 419, win 501, length 1463
15:57:32.387421 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [.], ack 1464, win 255, length 0
15:57:32.388653 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [P.], seq 419:483, ack 1464, win 255, length 64
15:57:32.389576 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [P.], seq 483:507, ack 1464, win 255, length 24
15:57:32.389576 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [F.], seq 507, ack 1464, win 255, length 0
15:57:32.389606 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [.], ack 508, win 501, length 0
15:57:32.389627 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [P.], seq 1464:1589, ack 508, win 501, length 125
15:57:32.389656 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [FP.], seq 1589:1613, ack 508, win 501, length 24
15:57:32.390703 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [R.], seq 508, ack 1589, win 0, length 0
15:57:43.402176 eth0  In  IP client.internal.cloudapp.net.51282 > mythic.internal.cloudapp.net.https: Flags [S], seq 3559640305, win 65535, options [mss 1410,nop,wscale 8,nop,nop,sackOK], length 0
15:57:43.402220 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51282: Flags [S.], seq 187030050, ack 3559640306, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

Here's the output if I run docker ps:

mythic@mythic:~/Mythic$ sudo docker ps
CONTAINER ID   IMAGE                                                  COMMAND                  CREATED          STATUS                    PORTS                                                                                       NAMES
cd021cf77002   ghcr.io/mythicc2profiles/http:v0.0.2.9                 "/bin/sh -c 'make ru…"   31 minutes ago   Up 31 minutes                                                                                                         http
5c48d2d5d42a   ghcr.io/mythicc2profiles/websocket:v0.0.2.5            "/bin/sh -c 'make ru…"   3 weeks ago      Up 31 minutes                                                                                                         websocket
d5775c227485   ghcr.io/mythicagents/athena:v2.2.1-rc8                 "python3 /Mythic/mai…"   4 weeks ago      Up 31 minutes                                                                                                         athena
d26f5944550d   scarecrow_wrapper                                      "python3 main.py"        4 weeks ago      Up 31 minutes                                                                                                         scarecrow_wrapper
a461fc73a659   ghcr.io/mythicagents/service_wrapper:v0.0.4            "python3 main.py"        4 weeks ago      Up 31 minutes                                                                                                         service_wrapper
fc92aa1a2f5e   ne0nd0g/merlin-mythic:v1.0.3                           "/bin/sh -c /usr/loc…"   4 weeks ago      Up 31 minutes                                                                                                         merlin
b900ab3e175a   ghcr.io/mythicagents/apollo:v0.0.0.17                  "bash -c 'cp /donut …"   4 weeks ago      Up 31 minutes                                                                                                         apollo
7e13dbe6e188   ghcr.io/mythicc2profiles/httpx:v0.0.0.16               "/bin/sh -c 'make ru…"   4 weeks ago      Up 31 minutes                                                                                                         httpx
f21984deb706   ghcr.io/its-a-feature/mythic_server:v3.3.0.59          "/bin/sh -c 'cp /myt…"   5 weeks ago      Up 31 minutes (healthy)   127.0.0.1:7000-7010->7000-7010/tcp, 127.0.0.1:17443-17444->17443-17444/tcp                  mythic_server
2683428632c6   ghcr.io/its-a-feature/mythic_nginx:v3.3.0.59           "/docker-entrypoint.…"   5 weeks ago      Up 31 minutes (healthy)   80/tcp, 0.0.0.0:7777->7777/tcp, :::7777->7777/tcp                                           mythic_nginx
269065cfe5dc   ghcr.io/its-a-feature/mythic_graphql:v3.3.0.59         "docker-entrypoint.s…"   5 weeks ago      Up 31 minutes (healthy)   127.0.0.1:8080->8080/tcp                                                                    mythic_graphql
09c52fdb69b0   ghcr.io/its-a-feature/mythic_rabbitmq:v3.3.0.59        "docker-entrypoint.s…"   5 weeks ago      Up 31 minutes (healthy)   4369/tcp, 5671/tcp, 15671-15672/tcp, 15691-15692/tcp, 25672/tcp, 127.0.0.1:5672->5672/tcp   mythic_rabbitmq
259cd507c26f   ghcr.io/its-a-feature/mythic_postgres:v3.3.0.59        "docker-entrypoint.s…"   5 weeks ago      Up 31 minutes (healthy)   127.0.0.1:5432->5432/tcp                                                                    mythic_postgres
83091f2cf0c5   ghcr.io/its-a-feature/mythic_jupyter:v3.3.0.59         "tini -g -- /bin/bas…"   5 weeks ago      Up 31 minutes (healthy)   127.0.0.1:8888->8888/tcp                                                                    mythic_jupyter
7190784e575d   ghcr.io/its-a-feature/mythic_documentation:v3.3.0.59   "/bin/sh -c 'hugo se…"   5 weeks ago      Up 31 minutes (healthy)   1313/tcp, 127.0.0.1:8090->8090/tcp                                                          mythic_documentation
b662de4cf0d8   ghcr.io/its-a-feature/mythic_react:v3.3.0.59           "/docker-entrypoint.…"   5 weeks ago      Up 31 minutes (healthy)   80/tcp, 127.0.0.1:3000->3000/tcp  
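As an added diagnostic aid (not part of this thread, and not Mythic or Athena code), the script below parses the tcpdump summary lines posted above and tallies, per client connection, how many bytes each side sent, how many data-bearing segments there were, and which side closed first. Reading the trace this way separates "nothing is listening" from "the listener answered and the client went away", which is the question the troubleshooting steps in this thread are circling. The regular expression is written for the exact line layout tcpdump printed here (LINUX_SLL2 with the `In`/`Out` column); treating it as valid for other tcpdump versions is an assumption.

```python
import re

# Copied from the capture posted in this thread: the first flow in full plus the
# start of the second one. Embedded so the script runs offline.
TRACE = """\
15:57:32.379118 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [S], seq 2580450795, win 65535, options [mss 1410,nop,wscale 8,nop,nop,sackOK], length 0
15:57:32.379152 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [S.], seq 2445255317, ack 2580450796, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:57:32.380937 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [.], ack 1, win 255, length 0
15:57:32.383491 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [P.], seq 1:419, ack 1, win 255, length 418
15:57:32.383503 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [.], ack 419, win 501, length 0
15:57:32.385792 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [P.], seq 1:1464, ack 419, win 501, length 1463
15:57:32.387421 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [.], ack 1464, win 255, length 0
15:57:32.388653 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [P.], seq 419:483, ack 1464, win 255, length 64
15:57:32.389576 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [P.], seq 483:507, ack 1464, win 255, length 24
15:57:32.389576 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [F.], seq 507, ack 1464, win 255, length 0
15:57:32.389606 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [.], ack 508, win 501, length 0
15:57:32.389627 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [P.], seq 1464:1589, ack 508, win 501, length 125
15:57:32.389656 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51276: Flags [FP.], seq 1589:1613, ack 508, win 501, length 24
15:57:32.390703 eth0  In  IP client.internal.cloudapp.net.51276 > mythic.internal.cloudapp.net.https: Flags [R.], seq 508, ack 1589, win 0, length 0
15:57:43.402176 eth0  In  IP client.internal.cloudapp.net.51282 > mythic.internal.cloudapp.net.https: Flags [S], seq 3559640305, win 65535, options [mss 1410,nop,wscale 8,nop,nop,sackOK], length 0
15:57:43.402220 eth0  Out IP mythic.internal.cloudapp.net.https > client.internal.cloudapp.net.51282: Flags [S.], seq 187030050, ack 3559640306, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
"""

# Assumed layout: tcpdump on the "any" interface (LINUX_SLL2) prints an In/Out
# column; "In" is traffic arriving from the agent, "Out" is the server's reply.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+\s+(?P<dir>In|Out)\s+IP "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\],"
    r"(?: seq \d+(?::\d+)?,)?(?: ack \d+,)? win \d+,"
    r"(?: options \[[^\]]*\],)? length (?P<len>\d+)$"
)


def parse_packet(line):
    """Parse one tcpdump summary line; returns None for banner/non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "direction": m["dir"], "src": m["src"],
            "dst": m["dst"], "flags": m["flags"], "length": int(m["len"])}


def summarize_flows(trace):
    """Group packets by client endpoint and tally what each side did."""
    flows = {}
    for raw in trace.splitlines():
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        from_client = pkt["direction"] == "In"
        client = pkt["src"] if from_client else pkt["dst"]
        f = flows.setdefault(client, {
            "client": client, "syn": False, "synack": False,
            "client_bytes": 0, "server_bytes": 0,
            "client_data_segments": 0, "server_data_segments": 0,
            "first_close": None,   # side that sent the first FIN
            "client_rst": False,
        })
        flags = pkt["flags"]
        if from_client:
            f["syn"] = f["syn"] or ("S" in flags and "." not in flags)
            f["client_bytes"] += pkt["length"]
            f["client_data_segments"] += 1 if pkt["length"] else 0
            f["client_rst"] = f["client_rst"] or "R" in flags
        else:
            f["synack"] = f["synack"] or ("S" in flags and "." in flags)
            f["server_bytes"] += pkt["length"]
            f["server_data_segments"] += 1 if pkt["length"] else 0
        if "F" in flags and f["first_close"] is None:
            f["first_close"] = "client" if from_client else "server"
    return list(flows.values())


def diagnose(f):
    """Plain-language reading of one flow, using only what TCP shows."""
    if not f["synack"]:
        return "no SYN/ACK from the server: nothing is accepting connections on that port"
    if f["client_bytes"] == 0 and f["server_bytes"] == 0:
        return "handshake only; no data in the captured window"
    if f["server_bytes"] == 0:
        return "client sent %d bytes but the server never answered" % f["client_bytes"]
    if f["first_close"] == "client":
        return ("server answered (%d bytes); client closed first after sending %d bytes in %d segments"
                % (f["server_bytes"], f["client_bytes"], f["client_data_segments"]))
    if f["first_close"] == "server":
        return "server answered (%d bytes) and closed first" % f["server_bytes"]
    return "exchange still open at end of capture"


if __name__ == "__main__":
    for flow in summarize_flows(TRACE):
        print(flow["client"], "->", diagnose(flow))
```

On the trace above this reports that the listener on 443 accepted the connection and answered with 1612 bytes, and that the client itself closed (FIN, then RST) after sending 506 bytes in three short segments. That rules out the "is 443 bound?" question from the owner's checklist and puts the focus on what the agent does with the session once it is established, which is where the thread ends up when the issue moves to the Athena repo.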

@j2671724
Author

Hello,

I just generated an Apollo payload using SSL with the HTTP profile and confirmed Mythic is receiving the callbacks. As you suggested, I've opened an issue under MythicAgents/Athena#84 to investigate further.

Thanks
