Having some fun with C recently and also playing with C2 concepts, I decided to make a PoC C2 beacon using C and libcurl.
I went with libcurl honestly because I didn't want to deal with WinHTTP/sockets, and because it is already present inside every Windows host (even though I dynamically linked my exec against another DLL that I had to ship with my executable) - a possible TODO to consider once I get back into compilation shenanigans.
Obviously, this is just proof-of-concept code which, once compiled and run on a Windows host, will pop calc and send a response to our server.
On to the code itself.
We have ccurl.h, which has all the curl things we need, and beacon.c, which has the main beacon functions.
ccurl.h
We are just making wrapper functions to make our life easier in beacon.c and to have somewhat cleaner code.

We need a place to store our response, so we are gonna dynamically allocate some memory for it and store the address of that memory chunk in the manifestResponse pointer, which we are later going to dereference and handle inside the beacon.
We will also have ccurl_do_post (for exfiltrating data), ccurl_check_manifest (to check if the beacon has assigned tasks), and a generic write_callback function that curl calls to deliver response data whenever a request is made. We can see what write_callback should look like in the man pages and libcurl's extensive docs at https://curl.se/libcurl/


This is straight-up curl boilerplate for handling response data.

ccurl_do_post is methodically the same as ccurl_check_manifest, just without handling the response (CURLOPT_WRITEFUNCTION, CURLOPT_WRITEDATA), because for this purpose we don't care about it. Also, here we are just doing a GET for the PoC, even though I left it named do_post.

beacon.c

Checking for tasks; if YES, execute them (pop calc and do whoami).


Popping calc and exfiltrating
Here we see that running the compiled executable pops a calculator and sends a GET request to our server, with the path being the name of the user that the beacon runs under, doing the same every 30 seconds.
Missing:
- Actual tasks
- Error handling
- Malleable profile
- Actual POST & chunking
- Jitter
- User Agent change
- Lowering IoC footprint
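
From the defender's side, the behaviour described above (a GET to the same server every 30 seconds, with no jitter) shows up in web proxy logs as near-constant request spacing between one client and one host. The following Python is an added example, not code from the original post, that flags such pairs; the log format, host names, addresses, the `find_beacons` helper and its thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "timestamp src_ip method host path".
# Hosts, addresses and the user name "alice" are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET c2.example.test /alice
2024-05-01T10:00:07 10.0.0.9 GET intranet.example.test /index.html
2024-05-01T10:00:30 10.0.0.5 GET c2.example.test /alice
2024-05-01T10:00:41 10.0.0.9 GET intranet.example.test /style.css
2024-05-01T10:01:00 10.0.0.5 GET c2.example.test /alice
2024-05-01T10:01:30 10.0.0.5 GET c2.example.test /alice
2024-05-01T10:02:00 10.0.0.5 GET c2.example.test /alice
2024-05-01T10:03:12 10.0.0.9 GET intranet.example.test /news
2024-05-01T10:09:55 10.0.0.9 GET intranet.example.test /index.html
2024-05-01T10:10:02 10.0.0.9 GET intranet.example.test /logo.png
"""

def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Return {(src, host): (mean_gap_seconds, cv)} for client/server pairs
    whose request spacing is near-constant (low coefficient of variation)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, _method, host, _path = parts
        try:
            seen[(src, host)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # unparseable timestamp
    hits = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests share one timestamp
        cv = pstdev(gaps) / avg  # 0.0 means perfectly regular
        if cv <= max_cv:
            hits[key] = (avg, cv)
    return hits

if __name__ == "__main__":
    for (src, host), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: every {gap:.0f}s (cv={cv:.2f})")
```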
Next in the post-exploitation area:
- Loaders / Stagers
- Compile time encryptors / xors
- PIC
- BOFs