Load

Load new commands into a callback

Example (user tasking):

> load shell

Walkthrough:

If the payload type associated with the callback is registered as an external payload type, Apfell does no processing of its own: it simply creates a task of the form {"command": "load", "parameters": "shell", "id": "task uuid here", "timestamp": timestampvalue } and leaves it to the external agent to handle the load.

If the payload type associated with the callback is not external, then a few more steps are taken:

  • If the associated container is not running, Apfell will return an error.

  • Otherwise, Apfell will create a task in the preprocessing status and submit the associated code to the container for processing:

    • Apfell copies all of the C2 profile code and agent code to a temporary directory

    • Apfell replaces the appropriate values (the C2 profile's configured parameters) in the C2 profile code for that payload type

    • Apfell places the C2 profile name and the payload UUID in the base agent code

    • Apfell zips all of this code up

    • Apfell base64-encodes the associated command files, if they exist, and stores them in an array

    • Apfell looks up all of the associated load transforms for this payload type

  • Apfell sends this all off to the container:

send_pt_rabbitmq_message(cb.registered_payload.payload_type.ptype,
                        "load_transform_with_code.{}".format(task.id),
                        base64.b64encode(
                            js.dumps(
                                {"zip": base64.b64encode(file_data).decode('utf-8'),
                                 "transforms": load_transforms['transforms'],
                                 "extension": cb.registered_payload.payload_type.file_extension,
                                 "loads": transform_output}
                            ).encode()
                        ).decode('utf-8'))
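The steps above, end to end, as an added example (it is not Apfell's own code): the Apfell side stages the C2 profile and base agent code with the placeholders filled in, zips it in memory, base64-encodes the requested command files, and wraps everything in the same base64(JSON) envelope the call above sends; the container side unwraps it. The file contents, placeholder names, transform list and the helper names are all constructed for the example, so a real payload type's templates and transforms will differ.

```python
import base64
import io
import json
import zipfile

# Constructed sample "agent" and "C2 profile" sources with placeholder values.
# These are not real Apfell payload files.
C2_PROFILE_CODE = {
    "c2/profile.js": 'var callback_host = "callback_host_here";\n'
                     'var callback_port = "callback_port_here";\n',
}
BASE_AGENT_CODE = {
    "agent/base.js": 'var c2_profile = "C2PROFILE_NAME_HERE";\n'
                     'var payload_uuid = "UUID_HERE";\n',
}
# Per-command source files; the "load" command only ships the ones requested.
COMMAND_FILES = {
    "shell": "function shell(cmd) { return run(cmd); }\n",
    "ls": "function ls(path) { return listdir(path); }\n",
}
# Stand-in for the load transforms looked up for the payload type.
LOAD_TRANSFORMS = {"transforms": [{"name": "combine", "order": 1}]}


def routing_key(task_id):
    """Routing key used for the RabbitMQ message, as in the call above."""
    return "load_transform_with_code.{}".format(task_id)


def build_load_message(commands, c2_params, payload_uuid, c2_name, extension):
    """Produce the base64(JSON) body Apfell sends to the container.

    commands   - list of command names from the 'load' parameters
    c2_params  - placeholder -> value substitutions for the C2 profile code
    """
    staged = {}  # path -> content, standing in for the temporary directory
    for path, content in C2_PROFILE_CODE.items():
        for placeholder, value in c2_params.items():
            content = content.replace(placeholder, value)
        staged[path] = content
    for path, content in BASE_AGENT_CODE.items():
        staged[path] = (content.replace("C2PROFILE_NAME_HERE", c2_name)
                               .replace("UUID_HERE", payload_uuid))

    # Zip the staged tree in memory rather than on disk.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in staged.items():
            zf.writestr(path, content)
    zip_bytes = buf.getvalue()

    # base64-encode each requested command file that exists; unknown
    # commands contribute nothing rather than failing the whole load.
    loads = [base64.b64encode(COMMAND_FILES[c].encode()).decode("utf-8")
             for c in commands if c in COMMAND_FILES]

    inner = {
        "zip": base64.b64encode(zip_bytes).decode("utf-8"),
        "transforms": LOAD_TRANSFORMS["transforms"],
        "extension": extension,
        "loads": loads,
    }
    return base64.b64encode(json.dumps(inner).encode()).decode("utf-8")


def container_unpack(body):
    """Container side: reverse the envelope and unzip the staged code."""
    inner = json.loads(base64.b64decode(body))
    with zipfile.ZipFile(io.BytesIO(base64.b64decode(inner["zip"]))) as zf:
        files = {name: zf.read(name).decode("utf-8") for name in zf.namelist()}
    loads = [base64.b64decode(l).decode("utf-8") for l in inner["loads"]]
    return {"files": files, "loads": loads,
            "transforms": inner["transforms"], "extension": inner["extension"]}


if __name__ == "__main__":
    body = build_load_message(["shell"],
                              {"callback_host_here": "https://c2.example.test",
                               "callback_port_here": "443"},
                              "11111111-2222-3333-4444-555555555555",
                              "default", ".js")
    print(routing_key("task-1"))
    print(json.dumps(container_unpack(body), indent=2))
```

Run as a script it prints the routing key and what the container would see after unpacking; the `extension` field is what lets the container pick the right output format for the payload type.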

The container unzips the data and uses the load transforms to do whatever is needed to process the load command. What that means varies by payload type: for example, the viper payload needs to create a loadable zip file, while the apfell-jxa payload just combines the loaded code together.

After the container is done with the code, it sends back a message containing the final loaded file. This file is registered in the Apfell database and stored temporarily on disk under the file name load-UUID. The tasking command is then rewritten with this new data:

{
    "command": "load", 
    "parameters": "{\"cmds\": \"upload\", \"file_id\": \"a90ad810-4a99-469d-8a24-3ee6f177978f\"}", 
    "id": "task uuid here", 
    "timestamp": timestampvalue
}

where this file_id points to the new load file. Note that the parameters field is itself a JSON string embedded in the task, so the agent has to parse it a second time to get cmds and file_id. The file can only be served once: it is automatically deleted after the first request for it, so a second request for the same file_id will not find the file. This keeps load files from piling up on the server every time a command is loaded, but it also means the agent must retrieve the file successfully on its first attempt.

For information on how to get the file based on this file_id, look at Upload.
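The agent-facing half of the flow, as an added example that is not Apfell's code: a minimal one-shot file store that mirrors the serve-once behaviour described above, plus the construction and parsing of the rewritten load task with its JSON-in-a-string parameters. The store, the task helpers and the sample file bytes are constructed for the example; Apfell itself keeps the file on disk as load-UUID and tracks it in its database rather than in a dictionary.

```python
import json
import uuid


class LoadFileStore:
    """Stand-in for Apfell's temporary load files: each file_id can be
    fetched exactly once, after which the file is gone."""

    def __init__(self):
        self._files = {}

    def register(self, data):
        """Register the file returned by the container and hand back its id."""
        file_id = str(uuid.uuid4())
        self._files[file_id] = data
        return file_id

    def serve(self, file_id):
        """Return the file bytes on the first request, None afterwards.
        pop() both returns and deletes, so the second call misses."""
        return self._files.pop(file_id, None)


def build_load_task(task_id, cmds, file_id, timestamp):
    """Rewrite the 'load' task the way the text above shows: the inner
    parameters are serialized to a JSON string inside the outer JSON."""
    return {
        "command": "load",
        "parameters": json.dumps({"cmds": cmds, "file_id": file_id}),
        "id": task_id,
        "timestamp": timestamp,
    }


def parse_load_task(task):
    """Agent side: decode the nested parameters string to (cmds, file_id)."""
    if task.get("command") != "load":
        raise ValueError("not a load task")
    params = json.loads(task["parameters"])
    return params["cmds"], params["file_id"]


def agent_fetch(store, task):
    """Agent side: parse the task and fetch the load file once.
    Returns the file bytes, or None if it was already served."""
    _cmds, file_id = parse_load_task(task)
    return store.serve(file_id)


if __name__ == "__main__":
    store = LoadFileStore()
    # Constructed stand-in for the file the container sends back.
    fid = store.register(b"function shell(cmd) { return run(cmd); }\n")
    task = build_load_task("task uuid here", "shell", fid, 1700000000)
    print(json.dumps(task, indent=2))
    print("first fetch :", agent_fetch(store, task))
    print("second fetch:", agent_fetch(store, task))
```

The second fetch returning None is the behaviour to design an agent around: if the first download is interrupted, the load has to be re-tasked rather than retried against the same file_id.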
