Turning a VM into a Container
Last updated
Last updated
There are scenarios in which you need a Mythic container for an agent, but you can't (or don't want) to use the normal docker containers that Mythic uses. This could be for reasons like:
You have a custom build environment that you don't want to recreate
You have specific kernel versions or operating systems you're wanting to develop with
So, to leverage your own custom VM or physical computer into a Mythic recognized container, there are just a few steps.
External agents need to connect to mythic_rabbitmq
in order to send/receive messages. They also need to connect to the mythic_server
to transfer files and potentially use gRPC. By default, these container is bound on localhost only. In order to have an external agent connect up, you will need to adjust this in the Mythic/.env
file to have RABBITMQ_BIND_LOCALHOST_ONLY=false
and MYTHIC_SERVER_BIND_LOCALHOST_ONLY=false
and restart Mythic (sudo ./mythic-cli restart
).
Install python 3.10+ (or Golang 1.21) in the VM or on the computer
pip3 install mythic-container
(this has all of the definitions and functions for the container to sync with Mythic and issue RPC commands). Make sure you get the right version of this PyPi package for the version of Mythic you're using (). Alternatively, go get -u github.com/MythicMeta/MythicContainer
for golang.
Create a folder on the computer or VM (let's call it path /pathA
). Essentially, your /pathA
path will be the new InstalledServices/[agent name]
folder. Create a sub folder for your actual agent's code to live, like /pathA/agent_code
. You can create a Visual Studio project here and simply configure it however you need.
Your command function definitions and payload definition are also helpful to have in a folder, like /pathA/agent_functions
.
Edit the /pathA/rabbitmq_config.json
with the parameters you need
the mythic_server_host
value should be the IP address of the main Mythic install
the rabbitmq_host
value should be the IP address of the main Mythic install unless you're running rabbitmq on another host.
You'll need the password of rabbitmq from your Mythic instance. You can either get this from the Mythic/.env
file, by running sudo ./mythic-cli config get rabbitmq_password
, or if you run sudo ./mythic-cli config payload
you'll see it there too.
External agents need to connect to mythic_rabbitmq
in order to send/receive messages. By default, this container is bound on localhost only. In order to have an external agent connect up, you will need to adjust this in the Mythic/.env
file to have RABBITMQ_BIND_LOCALHOST_ONLY=false
and restart Mythic (sudo ./mythic-cli restart
). You'll also need to set MYTHIC_SERVER_BIND_LOCALHOST_ONLY=false
.
In the file where you define your payload type is where you define what it means to "build" your agent.
Run python3.10 main.py
and now you should see this container pop up in the UI
If you already had the corresponding payload type registered in the Mythic interface, you should now see the red text turn green.
You should see output similar to the following:
If you mythic instance has a randomized password for rabbitmq_password
, then you need to make sure that the password from Mythic/.env
after you start Mythic for the first time is copied over to your vm. You can either add this to your rabbitmq_config.json
file or set it as an environment variable (MYTHIC_RABBITMQ_PASSWORD
).
There are a few caveats to this process over using the normal process. You're now responsible for making sure that the right python version and dependencies are installed, and you're now responsible for making sure that the user context everything is running from has the proper permissions.
One big caveat people tend to forget about is paths. Normal containers run on *nix, but you might be doing this dev on Windows. So if you develop everything for windows paths hard-coded and then want to convert it to a normal Docker container later, that might come back to haunt you.
Whether you're using a Docker container or not, you can load up the code in your agent_code
folder in any IDE you want. When an agent is installed via mythic-cli
, the entire agent folder (agent_code
and mythic
) is mapped into the Docker container. This means that any edits you make to the code is automatically reflected inside of the container without having to restart it (pretty handy). The only caveat here is if you make modifications to the python or golang definition files will require you to restart your container to load up the changes sudo ./mythic-cli start [payload name]
. If you're making changes to those from a non-Docker instance, simply stop your python3.8 main.py
and start it again. This effectively forces those files to be loaded up again and re-synced over to Mythic.
If you're doing anything more than a typo fix, you're going to want to test the fixes/updates you've made to your code before you bother uploading it to a GitHub project, re-installing it, creating new agents, etc. Luckily, this can be super easy.
Say you have a Visual Studio project set up in your agent_code
directory and you want to just "run" the project, complete with breakpoints and configurations so you can test. The only problem is that your local build needs to be known by Mythic in some way so that the Mythic UI can look up information about your agent, your "installed" commands, your encryption keys, etc.
To do this, you first need to generate a payload in the Mythic UI (or via Mythic's Scripting). You'll select any C2 configuration information you need, any commands you want baked in, etc. When you click to build, all of that configuration will get sent to your payload type's "build" function in mythic/agent_functions/builder.py
. Even if you don't have your container running or it fails to build, no worries, Mythic will first save everything off into the database before trying to actually build the agent. In the Mythic UI, now go to your payloads page and look for the payload you just tried to build. Click to view the information about the payload and you'll see a summary of all the components you selected during the build process, along with some additional pieces of information (payload UUID and generated encryption keys).
Take that payload UUID and the rest of the configuration and stamp it into your agent_code
build. For some agents this is as easy as modifying the values in a Makefile, for some agents this can all be set in a config
file of some sort, but however you want to specify this information is up to you. Once all of that is set, you're free to run your agent from within your IDE of choice and you should see a callback in Mythic. At this point, you can do whatever code mods you need, re-run your code, etc.
Following from the previous section, if you just use the payload UUID and run your agent, you should end up with a new callback each time. That can be ideal in some scenarios, but sometimes you're doing quick fixes and want to just keep tasking the same callback over and over again. To do this, simply pull the callback UUID and encryption keys from the callback information on the active callbacks page and plug that into your agent. Again, based on your agent's configuration, that could be as easy as modifying a Makefile, updating a config file, or you might have to manually comment/uncomment some lines of code. Once you're reporting back with the callback UUID instead of the payload UUID and using the right encryption keys, you can keep re-running your build without creating new callbacks each time.