TryHackMe: Intro to C2

Abhijit Kamath
7 min read · Sep 12, 2022

Learn the essentials of Command and Control to help you become a better Red Teamer and simplify your next Red Team assessment!

The Intro to C2 room is part of the new TryHackMe Red Teaming path that launched a few days ago. In this article I won't explain everything about C2, because the TryHackMe room Intro to C2 already covers it in detail, so I strongly urge readers to use this article and the room together.

After finishing this room, you can complete the following rooms for a better grasp of the ideas it discusses.

  1. TryHackMe | Weaponization
  2. TryHackMe | Post-Exploitation Basics
  3. TryHackMe | Empire

Some Prerequisites

  1. Basic Programming Knowledge
  2. Basic Linux and Networking
  3. Metasploit Basics
  4. How an Exploit works and idea about payloads

Some THM Rooms I would recommend before going to this one

  1. Finish the TryHackMe Jr Penetration Tester Path.
  2. Finish the TryHackMe Complete Beginner Path.

Welcome to Intro to C2

Command and Control (C2) Frameworks are an essential part of both Red Teamers' and advanced adversaries' playbooks. They make it easy to manage compromised devices during an engagement and often help with lateral movement.

Room Objectives

In this room, we will learn about Command-and-Control Frameworks in-depth to gain a better understanding of the following topics:

  • How a Command-and-Control Framework operates
  • The various components that you may use.
  • How to set up a basic Command and Control Framework
  • Use Armitage or Metasploit to gain familiarity with a Command-and-Control Framework
  • How to administer a Command-and-Control Framework
  • OPSEC Considerations while administering a Command-and-Control Framework
  • And much more!

Task 2: Command and Control Framework Structure

This task sheds light on the basic C2 framework structure and its components. It's highly recommended that you understand everything mentioned in this task. If you have any doubts, search for that topic separately on Google or YouTube to get a complete explanation.

Questions

  1. What is the component’s name that lives on the victim machine that calls back to the C2 server?
    ~ agent
  2. What is the beaconing option that introduces a random delay value to the sleep timer?
    ~ jitter
  3. What is the term for the first portion of a Staged payload?
    ~ dropper
  4. What is the name of the communication method that can potentially allow access to a restricted network segment that communicates via TCP ports 139 and 445?
    ~ smb beacon
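The jitter answer above is worth seeing in motion. The following Python is an added example that is not part of the room or this post: it simulates an agent's check-in times for a sleep timer with a jitter percentage, then runs the periodicity check a blue team would apply to proxy-log timestamps to spot such a beacon. The records, IPs, thresholds and the CV heuristic are constructed assumptions, not anything the room specifies.

```python
import random
import statistics
from collections import defaultdict

def simulate_checkins(sleep_s, jitter_pct, count, seed=0):
    """Check-in times (seconds) for an agent with a sleep timer of sleep_s and +/- jitter_pct jitter."""
    rng = random.Random(seed)
    spread = sleep_s * jitter_pct / 100.0
    t, times = 0.0, []
    for _ in range(count):
        t += sleep_s + rng.uniform(-spread, spread)  # jitter widens the fixed sleep into a window
        times.append(t)
    return times

def gap_stats(times):
    """Mean and coefficient of variation (stdev / mean) of the gaps between consecutive check-ins."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean, statistics.pstdev(gaps) / mean

def looks_like_beacon(times, min_checkins=10, max_cv=0.3):
    """Enough check-ins with nearly regular gaps (low CV) suggest a sleep timer, not a person.
    The 0.3 threshold is an assumed starting point; jitter is exactly the knob that raises the CV."""
    if len(times) < min_checkins:
        return False
    return gap_stats(sorted(times))[1] <= max_cv

def find_beacons(records, **kwargs):
    """records: (t_seconds, client, destination) tuples as parsed from a proxy log.
    Returns the (client, destination) pairs whose timing looks beacon-like."""
    by_pair = defaultdict(list)
    for t, client, dest in records:
        by_pair[(client, dest)].append(t)
    return sorted(pair for pair, ts in by_pair.items() if looks_like_beacon(ts, **kwargs))

# Constructed sample traffic: one agent on a 60 s sleep with 20 % jitter, and one person
# browsing the same site at irregular times. IPs are documentation addresses, not real hosts.
BEACON = [(t, "10.0.0.5", "203.0.113.7") for t in simulate_checkins(60, 20, 40)]
HUMAN = [(t, "10.0.0.9", "203.0.113.7")
         for t in (3, 4, 9, 300, 302, 310, 900, 2400, 2401, 2470, 5000, 5001)]

if __name__ == "__main__":
    for label, recs in (("agent", BEACON), ("human", HUMAN)):
        mean, cv = gap_stats([t for t, _, _ in recs])
        print(f"{label}: mean gap {mean:.1f}s, CV {cv:.2f}")
    print("flagged:", find_beacons(BEACON + HUMAN))
```

With 20 % jitter the agent's gaps still stay within 48 to 72 seconds, so its CV cannot exceed 0.25 and it is flagged; larger jitter or a much longer sleep is what pushes a beacon under this kind of check.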

Task 3: Common C2 Frameworks

This task covers paid/premium and free C2 frameworks such as Metasploit, Cobalt Strike, Armitage, PowerShell Empire, and more.

The C2 frameworks mentioned here are:
1. Metasploit
2. Armitage
3. PowerShell Empire/Starkiller
4. Covenant
5. Sliver
6. Cobalt Strike
7. Brute Ratel
8. The C2 Matrix

Questions

  1. Learn about some common C2 Frameworks that are out in the wild!
    ~ Complete

Task 4: Setting Up a C2 Framework

In order to gain a better understanding of what is required to set up and administer a C2 server, we will be using Armitage. As a reminder, Armitage is a GUI for the Metasploit Framework, and because of this, it has almost all aspects of a standard C2 framework.

Try it out and get familiar with installing a C2 framework yourself and with how it works; since Metasploit is always pre-installed in Kali Linux, we don't usually get the opportunity to install it ourselves.

Now that Armitage is set up and working correctly, in the next task, we will learn more about securely accessing Armitage (as described above), creating listeners, various listener types, generating payloads, and much more!

Questions

  1. Read the task, set up Armitage, and explore the User Interface.
    ~ Complete

Task 5: C2 Operation Basics

Now that we have a general idea of how to set up a C2 Server, we will go over some basic operational details that you should know when accessing your C2 Server. It’s important to note that you are not required to perform any actions in this task — This is meant to gain general experience and familiarity with Command-and-Control Frameworks.

This section focuses on how to securely access your C2 server through SSH port forwarding. SSH port forwarding lets us either host resources on a remote machine by forwarding a local port to the remote server, or access resources that are local to the remote machine we are connecting to. In some circumstances, this may also be used to circumvent firewalls.

Now that we have a better understanding of why we want to SSH port forward, let’s go over the how.

In our C2 setup from Task 4, our team server is listening on localhost on TCP/55553. In order to access remote port 55553, we must set up a local port forward from our local port to the remote team server. We can do this with the -L flag on our SSH client:

SSH Port Forward

Now that the SSH port forward is set up, you can connect to your C2 server running on TCP/55553. As a reminder, Armitage does not support listening on a loopback interface (127.0.0.1–127.255.255.255), so this is general C2 server admin advice. You will find this advice more relevant to C2 servers like Covenant, Empire, and many others.
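The forward described above, scripted as an added example that is not part of the room or this post: it starts `ssh -N -L` for TCP/55553, binds the local side to 127.0.0.1 only so the forwarded admin port is not exposed on the operator machine's other interfaces, and waits until the local port actually answers before you point the client at it. The SSH target name is a placeholder; it assumes the team server is reachable from the SSH host on 127.0.0.1:55553 as in Task 4.

```python
import socket
import subprocess
import time

def forward_spec(local_port, remote_port, bind_addr="127.0.0.1", remote_host="127.0.0.1"):
    """Build the ssh -L argument. Binding to 127.0.0.1 (the default here) keeps the
    forwarded team-server admin port off the operator box's LAN-facing interfaces."""
    return f"{bind_addr}:{local_port}:{remote_host}:{remote_port}"

def port_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port succeeds, i.e. the tunnel is ready to use."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def open_tunnel(ssh_target, local_port=55553, remote_port=55553, wait_s=15):
    """Start `ssh -N -L` in the background and block until the local port answers.
    Returns the ssh Popen handle; call .terminate() on it to tear the tunnel down."""
    cmd = ["ssh", "-N", "-L", forward_spec(local_port, remote_port), ssh_target]
    proc = subprocess.Popen(cmd)
    deadline = time.monotonic() + wait_s
    while time.monotonic() < deadline:
        if proc.poll() is not None:  # ssh died (bad key, host down, port already bound)
            raise RuntimeError(f"ssh exited early with status {proc.returncode}")
        if port_open("127.0.0.1", local_port):
            return proc
        time.sleep(0.5)
    proc.terminate()
    raise TimeoutError(f"127.0.0.1:{local_port} did not come up within {wait_s}s")

if __name__ == "__main__":
    # Hypothetical SSH user and host; substitute your own team server.
    tunnel = open_tunnel("operator@teamserver.example")
    print("tunnel up on 127.0.0.1:55553, start the Armitage client against it")
    tunnel.wait()  # keep the forward alive until Ctrl-C
```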

Payload Generation

Listener Types mentioned in this task

1. Standard listener
2. HTTP/HTTPS Listeners
3. DNS Listeners
4. SMB Listeners

Questions

  1. Which listener should you choose if you have a device that cannot easily access the internet?
    ~ dns
  2. Which listener should you choose if you’re accessing a restricted network segment?
    ~ smb
  3. Which listener should you choose if you are dealing with a Firewall that does protocol inspection?
    ~ https

Task 6: Command, Control, and Conquer

This task is all about hands-on work. From the questions, what THM wants you to do is exploit the Windows machine and get NT AUTHORITY privileges. Let's get on to it.

SMB is vulnerable here, and the vulnerability is EternalBlue; knowing that makes our job easier, but here I'll show you the complete process.

  1. Nmap Scan
nmap -A -T4 -vv -p- 10.10.137.29

We settle on exploiting SMB, because it's in really bad shape.

2. Start Metasploit

msfconsole

First, we need to enumerate the SMB version, then we'll find the exploit for that version either offline (searchsploit) or online (Exploit-DB or Rapid7).

3. Enumerate SMB version

Enumerating for the SMB version

So, at this point, we have decided to try the EternalBlue exploit.

ms17_010_eternalblue

Now simply fill in the required options and run the exploit!

FAIL

You might get a “FAILED” output, but it's all part of the game; you aren't going to get anywhere if everything works the first time, so failing is fine, you learn from it.

SUCCESS

So, that's it: you have exploited the machine and landed directly as the Administrator user. This makes our lives much easier.

The second part of the hashdump output is the NTLM hash.

So, first go find the user.txt file, then root.txt, and that's it.

Questions

  1. What flag can be found after gaining administrative access to the PC?
    ~ THM {bd6ea6c871dced6dsar6321023132744}
  2. What is the Administrator’s NTLM hash?
    ~ c156darku9721c5626a6a05406thr93c
  3. What flag can be found after gaining access to Ted’s user account?
    ~ THM {217fa4ku9721c5626a6a0c0be28eas760}
  4. What is Ted’s NTLM Hash?
    ~ a05406thr936c871dced6a4ku9721c5

Don't try to copy and paste these answers; they are not the correct answers! For those, you'll have to do it on your own.

Task 7: Advanced C2 Setups

This last bit will be somewhat complex if you haven't completed the prerequisite THM paths and done some CTFs, but no worries: if it's above your pay grade at the moment, you can always come back later to finish it. That's actually good if you ask me, because then you'll have something to look forward to and work on. It's better than having nothing to do at all.

Questions

  1. What setting name allows you to modify the User Agent field in a Meterpreter payload?
    ~ HttpUserAgent
  2. What setting name allows you to modify the Host header in a Meterpreter payload?
    ~ HttphostHeaders

Conclusion

In this room, you hopefully learned a lot about Command-and-Control frameworks and will be able to take the knowledge you gained within this room and apply it in the real world. At the end of the day, almost everyone in Red Team Ops uses a Command-and-Control Framework. It’s an essential part of every Red Teamer’s toolkit, and we encourage you to go out and explore various C2 frameworks that were not covered or mentioned in this room.

And with that, I am wrapping up this article. It was real fun learning Red Teaming, and I hope this article was instructive to all readers. Good luck with your learning, keep learning... Happy Hacking ;)


Abhijit Kamath

eWPTXv2 | Preparing for eCPTX & (ISC)² CC | Penetration Tester | Bug Bounty | Top 0.5% TryHackMe | HackTheBox | OverTheWire | PenTesterLab | PortSwigger |