mythicagents / apollo
A .NET Framework 4.0 Windows Agent
License: BSD 3-Clause "New" or "Revised" License
Hello,
I have been trying, from a Domain Admin context on a domain-joined host, to execute PrintSpoofer to run notepad with SYSTEM privs (as seen in the screenshot), or my .bat which executes the Apollo payload to get a reverse shell, but it seems to fail with error 5 (aka access denied). Not sure why...
It does say the named pipe is listening... Maybe because the SMB beacons are not released yet?
When building a payload through the Mythic payload creator, mimikatz agent source files (specifically MimikatzWrappers.cs) will be included in the generated payload if mimikatz is not selected but pth (and maybe dcsync) is still selected. This is a bit unintuitive and can lead to payloads that will be easily caught by AV if one is not aware of this behavior.
Cause:
MimikatzWrappers.cs only checks for the following two build parameters: PTH and DCSYNC. No check is done to see if MIMIKATZ is in the build params.
Fixes:
1: Add an #if MIMIKATZ block around the entire MimikatzWrappers.cs code. This would be a quick and logical fix, as everything in this file depends on mimikatz as well.
2: Add support for agent module dependencies. For example, if a user tried to build a payload with pth but no mimikatz, Mythic would return an error saying a dependency is missing. This would be a more in-depth change, but this behavior may also be desirable for future agent functions.
I'm happy to PR either (or both!) fixes, but would appreciate the opinion of the maintainer beforehand :)
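The two fixes proposed in the report above, sketched as an added example. This is not Apollo's or Mythic's own code: the dependency map (pth and dcsync depending on mimikatz) is an assumption taken from the issue text, and the guard sets stand in for the #if conditions the report describes.

```python
"""Added example (not Apollo's or Mythic's own code): a build-time dependency check
of the kind fix 2 above proposes, next to the compile-symbol logic fix 1 relies on.
The dependency map is an assumption taken from the issue text: pth and dcsync both
pull in MimikatzWrappers.cs, so they are modelled as depending on mimikatz."""
from typing import Dict, Iterable, List, Set, Tuple

# Assumed dependency map (hypothetical; not read from Apollo's command definitions).
COMMAND_DEPENDENCIES: Dict[str, Set[str]] = {
    "pth": {"mimikatz"},
    "dcsync": {"mimikatz"},
}


def missing_dependencies(selected: Iterable[str],
                         deps: Dict[str, Set[str]] = COMMAND_DEPENDENCIES) -> List[Tuple[str, str]]:
    """Return (command, missing_dependency) pairs for every selected command whose
    dependency was not also selected. Sorted so the error text is deterministic."""
    chosen = set(selected)
    missing: List[Tuple[str, str]] = []
    for cmd in sorted(chosen):
        for dep in sorted(deps.get(cmd, set())):
            if dep not in chosen:
                missing.append((cmd, dep))
    return missing


def validate_build(selected: Iterable[str],
                   deps: Dict[str, Set[str]] = COMMAND_DEPENDENCIES) -> Tuple[bool, str]:
    """Fix 2: refuse the build and name each missing dependency instead of silently
    compiling the dependency's source into the payload."""
    missing = missing_dependencies(selected, deps)
    if missing:
        return False, "; ".join(f"{cmd} requires {dep}" for cmd, dep in missing)
    return True, ""


def build_defines(selected: Iterable[str]) -> Set[str]:
    """The compile-time symbols a build would pass, one per selected command
    (PTH, DCSYNC, MIMIKATZ, ...)."""
    return {cmd.upper() for cmd in selected}


def file_included(defines: Set[str], guards: Set[str]) -> bool:
    """Whether a source file guarded by '#if A || B ...' would be compiled.
    With the current guards {PTH, DCSYNC} a pth-only build includes
    MimikatzWrappers.cs; with the proposed guard {MIMIKATZ} (fix 1) it does not."""
    return bool(defines & guards)
```

Run `validate_build(["pth"])` to see the error fix 2 would surface, and compare `file_included(build_defines(["pth"]), {"PTH", "DCSYNC"})` with the same call against `{"MIMIKATZ"}` to see why fix 1 alone keeps the file out of a pth-only payload.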
Headers in requests should adhere to proper ordering
Running the unlink command to unlink a P2P agent that is using the TCP profile maintains an established connection. This causes the agent to stay alive after exit or after the link has been properly removed with unlink.
Creating a pull request that has a fix, but I wanted to create the issue for tracking purposes.
Hi,
After the Apollo agent comes online, the IP it displays is 169.254.190.230, but this does not affect command execution.
Test environment:
server system: kali-linux-2020.2-amd64 (192.168.23.130)
agent system: windows (win10 x64) (192.168.23.140)
Apollo payload build settings:
payload: Apollo
c2profiles: http
Callback Host: http://192.168.23.130
Callback Port: 80
Choose a target .NET Framework: 4.0
Target architecture: x64
Output as shellcode, executable, or dynamically loaded library.: WinExe
Build a payload with or without debugging symbols.: Release
Selected OS: Windows
Selected commands: powershell, upload, download, ...
Hi,
The dcsync module is not parsing the output of Mimikatz correctly: it sometimes captures the Security ID instead of the Realm, and the Relative ID instead of the password hash.
I think the Mimikatz output changed when targeting a single account. Here is an extract of the new output; some fields are also omitted when the "/all" arg is used:
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT ) # not present using /all
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration : # not present using /all
Password last change : 6/4/2022 7:45:12 PM # not present using /all
Object Security ID : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID : 500
Credentials:
Hash NTLM: e19ccf75ee54e06b06a5907af13cef42
I have reproduced the problem on a Microsoft Windows Server 2019 Standard / 10.0.17763 N/A Build 17763
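A label-keyed parser for the dcsync output quoted above, added here as an example; it is not Apollo's dcsync module or mimikatz code. Because each field is looked up by its label rather than by line position, dropping fields (as /all does) cannot shift the Security ID into the realm slot or the Relative ID into the hash slot. The two samples are constructed from the issue's excerpt; the krbtgt object and its hash are invented filler, and the realm is supplied by the caller because mimikatz prints a SID, not a realm, per object.

```python
"""Added example (not Apollo's or mimikatz's code): key-based parsing of dcsync
output so that omitted fields cannot shift values into the wrong slot."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample based on the single-account output quoted in the issue.
SINGLE_ACCOUNT_OUTPUT = """\
Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 6/4/2022 7:45:12 PM
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42
"""

# Constructed /all-style sample: the fields the issue marks "not present using /all"
# are omitted, and a second (invented) object follows the first.
ALL_OUTPUT = """\
Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 0123456789abcdef0123456789abcdef
"""

# "Label : value" lines; the label is letters and spaces only, so timestamps with
# colons in the value ("6/4/2022 7:45:12 PM") are split at the first label colon.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
NTLM_HASH = re.compile(r"^[0-9a-fA-F]{32}$")

Record = Dict[str, Optional[str]]


def parse_dcsync(output: str, realm: str) -> List[Record]:
    """One record per 'Object RDN' block; fields are matched by label, never by position."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in output.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # banners such as "** SAM ACCOUNT **" and blank lines
        key, value = m.group(1), m.group(2) or None
        if key == "Object RDN":
            current = {"realm": realm, "account": None, "sid": None, "rid": None, "ntlm": None}
            records.append(current)
        elif current is None:
            continue  # data before the first object header; nothing to attach it to
        elif key == "SAM Username":
            current["account"] = value
        elif key == "Object Security ID":
            current["sid"] = value
        elif key == "Object Relative ID":
            current["rid"] = value
        elif key == "Hash NTLM":
            # Only accept a well-formed 32-hex-digit hash; anything else stays None.
            current["ntlm"] = value if value and NTLM_HASH.match(value) else None
    return records


def to_credentials(records: List[Record]) -> List[Tuple[str, str, str]]:
    """(realm, account, ntlm) triples for a credential store. Objects without a
    username or a valid NTLM hash are skipped rather than stored with a RID."""
    return [(r["realm"], r["account"], r["ntlm"])  # type: ignore[misc]
            for r in records if r["account"] and r["ntlm"]]
```

`parse_dcsync(ALL_OUTPUT, "corp.local")` yields two records with the SID and RID in their own fields, and `to_credentials` returns only the (realm, account, hash) triples, which is the shape the issue says the module currently gets wrong.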
When I create an Apollo payload the User Agent shows up as the literal string "USER_AGENT" instead of the value of the User-Agent key in the headers section of the C2 profile.
An example of a redirector log:
1.1.1.1 - - [06/Jul/2021:17:47:14 +0000] "POST /bah/bah/bah HTTP/1.1" 200 753 "-" "USER_AGENT"
Please let me know if you need more information - thanks very much!
Hey,
Are there any plans to support dynamichttp as c2 profile? Being able to craft the communication would be really good.
Hi,
I'd like to know if this agent supports domain fronting. When configuring the C2 http profile during Apollo payload generation, I've set the following configuration values:
Callback host - https://somethingrandom.microsoft.com
HTTP Header - "Host": "somethingrandom.azureedge.net"
I get a callback when I execute the payload but when I check in Wireshark (Client Hello packet) the agent connects to "somethingrandom.azureedge.net" instead of "somethingrandom.microsoft.com".
Please let me know if I'm missing something. I've tested that the Domain Fronting works fine but I can't seem to get it working with Apollo.
Mythic v2.3.9
UI v0.0.52
Apollo: 2.2.0
Hi the Team,
I originally opened a case on its-a-feature/Mythic#197, but was told that it would be better here. Here is my problem.
I've some issue when using register_assembly or powershell_import:
[-] apollo ran into an error processing powershell_import:
'RPCResponse' object has no attribute 'message'
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/mythic_payloadtype_container/mythic_service.py", line 277, in callback
final_task = await Command.create_tasking(task)
File "/Mythic/mythic/agent_functions/powershell_import.py", line 54, in create_tasking
raise Exception("Failed to create subtask: {}".format(response.message))
AttributeError: 'RPCResponse' object has no attribute 'message'
'RPCResponse' object has no attribute 'message'
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/mythic_payloadtype_container/mythic_service.py", line 277, in callback
final_task = await Command.create_tasking(task)
File "/Mythic/mythic/agent_functions/register_assembly.py", line 54, in create_tasking
raise Exception("Failed to create subtask: {}".format(response.message))
AttributeError: 'RPCResponse' object has no attribute 'message'
It's ok when i use some other commands : run, mkdir, ls, etc.
Any idea ?
Thanks,
Nicknam3
Is plain text mode supported when Mythic configures the Payload with "Crypto Type" as "None" and "Perform Key Exchange" as "F"? The agent appears to encounter an error when it tries to encrypt messages with invalid keys.
Hey, I am having issues using execute_coff.
I compiled and registered runof.dll as mentioned in the documentation for the 2024Q1-Dev branch.
Then I have registered the individual BOF files before I attempt to execute them using register_coff and/or register_file.
I have tried multiple Situational Awareness BOFs like the one below:
execute_coff -Coff whoami.x64.o -Function go -Timeout 30 -Arguments []
Receiving this error for every attempt:
Exception: Object reference not set to an instance of an object.
Location: at Tasks.execute_coff.Start()
Including more info in case it is relevant:
[STDOUT]:
The following args aren't being used because they don't belong to the Default parameter group:
{}
[STDERR]:
Conducting against a Windows 10 VM.
After RunOF was added to the branch code, I re-downloaded the branch and tried register_coff then execute_coff again, getting different results:
Exception: System.Exception: Unable to process function relocation type IMAGE_REL_AMD64_REL32_2 - please file a bug report.
at RUNOF.Internals.BofRunner..ctor(ParsedArgs parsed_args)
at RUNOF.Program.Main(String[] args)
Location: at RunOf.Internals.BofRunner..ctor(ParsedArgs parsed_args)
at RUNOF.Program.Main(String[] args)
I know this has not been added to the main branch yet and maybe there is something I am missing or not understanding.
Any assistance would be helpful, thanks.
While trying to install the Apollo Agent the installer runs into an issue, although I think the issue is not with Apollo agent itself and rather with donut.
./mythic-cli install github https://github.com/MythicAgents/Apollo
2024/05/08 11:07:13 [*] Creating temporary directory
2024/05/08 11:07:13 [*] Cloning https://github.com/MythicAgents/Apollo
Cloning into '/opt/Mythic/tmp'...
2024/05/08 11:07:16 [*] Parsing config.json
[*] Processing Payload Type apollo
[*] apollo already exists. Replace current version? [y/n]: y
2024/05/08 11:07:17 [*] Stopping current container
2024/05/08 11:07:17 [*] Removing current version
2024/05/08 11:07:17 [+] Successfully removed the current version
2024/05/08 11:07:17 [*] Copying new version of payload into place
2024/05/08 11:07:17 [*] Adding service into docker-compose
WARN[0000] /opt/Mythic/docker-compose.yml: `version` is obsolete
No stopped containers
WARN[0000] /opt/Mythic/docker-compose.yml: `version` is obsolete
[+] Building 16.5s (5/6) docker:default
=> [apollo internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 179B 0.0s
=> [apollo internal] load metadata for docker.io/itsafeaturemythic/mythi 0.8s
=> [apollo internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [apollo 1/3] FROM docker.io/itsafeaturemythic/mythic_python_do 0.0s
=> ERROR [apollo 2/3] RUN python3 -m pip install donut-shellcode 15.6s
------
> [apollo 2/3] RUN python3 -m pip install donut-shellcode:
2.141 Collecting donut-shellcode
2.208 Downloading donut-shellcode-1.0.2.tar.gz (293 kB)
2.264 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 293.0/293.0 kB 6.6 MB/s eta 0:00:00
2.432 Installing build dependencies: started
8.662 Installing build dependencies: finished with status 'done'
8.665 Getting requirements to build wheel: started
9.305 Getting requirements to build wheel: finished with status 'done'
9.313 Preparing metadata (pyproject.toml): started
10.00 Preparing metadata (pyproject.toml): finished with status 'done'
10.01 Building wheels for collected packages: donut-shellcode
10.02 Building wheel for donut-shellcode (pyproject.toml): started
13.12 Building wheel for donut-shellcode (pyproject.toml): finished with status 'error'
13.15 error: subprocess-exited-with-error
13.15
13.15 × Building wheel for donut-shellcode (pyproject.toml) did not run successfully.
13.15 │ exit code: 1
13.15 ╰─> [65 lines of output]
13.15 running bdist_wheel
13.15 running build
13.15 running build_ext
13.15 building 'donut' extension
13.15 creating build
13.15 creating build/temp.linux-aarch64-cpython-311
13.15 creating build/temp.linux-aarch64-cpython-311/loader
13.15 gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c donut.c -o build/temp.linux-aarch64-cpython-311/donut.o
13.15 donut.c: In function ‘read_file_info’:
13.15 donut.c:574:19: warning: comparison of integer expressions of different signedness: ‘ULONG64’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
13.15 if (ofs != -1) {
13.15 ^~
13.15 donut.c:579:22: warning: comparison of integer expressions of different signedness: ‘ULONG64’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
13.15 if(ofs != -1) {
13.15 ^~
13.15 donut.c: In function ‘gen_random_string’:
13.15 donut.c:667:15: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint64_t’ {aka ‘long unsigned int’} [-Wsign-compare]
13.15 for(i=0; i<len; i++) {
13.15 ^
13.15 donut.c: In function ‘is_dll_export’:
13.15 donut.c:1481:16: warning: comparison of integer expressions of different signedness: ‘ULONG64’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
13.15 if(ofs != -1) {
13.15 ^~
13.15 In function ‘build_module’,
13.15 inlined from ‘DonutCreate’ at donut.c:1590:17:
13.15 donut.c:768:7: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15 strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
13.15 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15 donut.c:746:9: warning: ‘strncpy’ output may be truncated copying 8 bytes from a string of length 255 [-Wstringop-truncation]
13.15 strncpy(mod->domain, c->domain, DONUT_DOMAIN_LEN);
13.15 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15 donut.c:753:9: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15 strncpy(mod->cls, c->cls, DONUT_MAX_NAME-1);
13.15 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15 donut.c:756:9: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15 strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
13.15 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15 donut.c:763:7: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15 strncpy(mod->runtime, c->runtime, DONUT_MAX_NAME-1);
13.15 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15 donut.c:792:7: warning: ‘strncat’ output may be truncated copying 250 bytes from a string of length 255 [-Wstringop-truncation]
13.15 strncat(mod->args, c->args, DONUT_MAX_NAME-6);
13.15 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15 gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c donutmodule.c -o build/temp.linux-aarch64-cpython-311/donutmodule.o
13.15 donutmodule.c:199:9: warning: initialization of ‘PyObject * (*)(PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *)’} from incompatible pointer type ‘PyObject * (*)(PyObject *, PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *, struct _object *)’} [-Wincompatible-pointer-types]
13.15 Donut_Create, // C wrapper function
13.15 ^~~~~~~~~~~~
13.15 donutmodule.c:199:9: note: (near initialization for ‘Donut_FunctionsTable[0].ml_meth’)
13.15 gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c encrypt.c -o build/temp.linux-aarch64-cpython-311/encrypt.o
13.15 gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c format.c -o build/temp.linux-aarch64-cpython-311/format.o
13.15 format.c: In function ‘base64_template’:
13.15 format.c:94:10: warning: ‘i’ may be used uninitialized in this function [-Wmaybe-uninitialized]
13.15 while(i!=0) { *out++ = '='; i--; }
13.15 ^
13.15 format.c:58:14: note: ‘i’ was declared here
13.15 uint32_t i, len, x;
13.15 ^
13.15 gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c hash.c -o build/temp.linux-aarch64-cpython-311/hash.o
13.15 gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c loader/clib.c -o build/temp.linux-aarch64-cpython-311/loader/clib.o
13.15 creating build/lib.linux-aarch64-cpython-311
13.15 gcc -pthread -shared build/temp.linux-aarch64-cpython-311/donut.o build/temp.linux-aarch64-cpython-311/donutmodule.o build/temp.linux-aarch64-cpython-311/encrypt.o build/temp.linux-aarch64-cpython-311/format.o build/temp.linux-aarch64-cpython-311/hash.o build/temp.linux-aarch64-cpython-311/loader/clib.o lib/aplib64.a -Llib -L/usr/local/lib -o build/lib.linux-aarch64-cpython-311/donut.cpython-311-aarch64-linux-gnu.so
13.15 /usr/bin/ld: lib/aplib64.a(elfstubs.o): Relocations in generic ELF (EM: 62)
13.15 /usr/bin/ld: lib/aplib64.a: error adding symbols: file in wrong format
13.15 collect2: error: ld returned 1 exit status
13.15 error: command '/usr/bin/gcc' failed with exit code 1
13.15 [end of output]
13.15
13.15 note: This error originates from a subprocess, and is likely not a problem with pip.
13.15 ERROR: Failed building wheel for donut-shellcode
13.16 ERROR: Could not build wheels for donut-shellcode, which is required to install pyproject.toml-based projects
13.16 Failed to build donut-shellcode
13.26
13.26 [notice] A new release of pip is available: 23.1.2 -> 24.0
13.26 [notice] To update, run: pip install --upgrade pip
------
failed to solve: process "/bin/sh -c python3 -m pip install donut-shellcode" did not complete successfully: exit code: 1
2024/05/08 11:07:36 [+] Successfully installed service
2024/05/08 11:07:36 [+] Successfully installed c2
2024/05/08 11:07:36 [*] Processing Documentation for apollo
Are there any plans to add support for the DNS profile?
Hi the Team,
Sorry, another issue (maybe it's just my fault, as with the previous one).
I want to load an assembly and I started with SharpShares.exe (but it is the same with other binaries; I used these: https://github.com/Flangvik/SharpCollection):
As you can see, there is no output from the command "Sharpshares.exe shares". It's ok if I execute the binary on my "infected" machine.
Any idea?
Thanks.
Nicknam3
Mythic has the ability to display process name of mythic agents, but Apollo does not currently leverage this feature. It'd be great if this was implemented to improve the operator's workflow.
Details on where to implement this can be found here: https://docs.mythic-c2.net/customizing/c2-related-development/c2-profile-code/agent-side-coding/initial-checkin
Apollo wasn't playing nice when being loaded in via assembly load; I managed to figure out the issue was that Main was being set to private.
I was able to get it to work by simply editing Main to be public, as shown here:
https://github.com/getshellz/Apollo/blob/master/Payload_Type/apollo/agent_code/Apollo/Program.cs#L40
Not sure if you count it as an issue.
The RunArguments class does not specify ui-position for either of its arguments, which causes them to be parsed with arguments first and executable second.
Example:
run whoami /priv
will be translated to run -Executable /priv -Arguments whoami
The Issue:
The solution:
self.add_arg("command", "mimikatz.exe {}".format(cmd), parameter_group_info=[ParameterGroupInfo(group_name=self.get_parameter_group_name())])
Gives the deb.debian.org resolve issue
The c# agents are a hassle to fix
Hi guys. There seems to be not much flexibility in obfuscating the agent. I'm wanting to figure out how to call the DLL method, and have decompiled the assembly, but I'm not having much luck. Here's the code so far, from some guesswork:
$FilePath = "C:\Downloads\apollo.dll"
$ByteArray = [System.IO.File]::ReadAllBytes($FilePath)
# Round trip through base64 (the plan is to serve the assembly as base64 later)
$Base64String = [System.Convert]::ToBase64String($ByteArray)
$assemblyBytes = [System.Convert]::FromBase64String($Base64String)
$assembly = [System.Reflection.Assembly]::Load($assemblyBytes)
# Assembly.GetType takes a type name and an optional throwOnError flag, not BindingFlags;
# the type and method names below are guesses from the decompiled assembly
$agentType = $assembly.GetType('Apollo.Agent', $true)
$entryPointMethod = $agentType.GetMethod('InitializeAgent', [System.Reflection.BindingFlags] 'Static, Public, NonPublic')
# MethodInfo.Invoke takes (instance, argument array); both are $null for a static, parameterless method
$entryPointMethod.Invoke($null, $null)
The plan is to eventually host the DLL on the web server with just a PowerShell one-liner for exec. The idea is to turn off as much as we can of AMSI / ETW before invoking the script inline.
Also, I noticed on the framework that one cannot specify their own payload for UAC / privesc, for example. I get it if it's by design for OPSEC, etc., but without FUD capability on those agents, we are going to have a hard time putting things into practice... Cheers.
Hi, I've got a setup of apache2 terminating a domain and routing 443 for various services. For apollo the config is doing:
ProxyPass /6666index http://127.0.0.1:6666
ProxyPassReverse /6666index http://127.0.0.1:6666
I then have a Mythic http C2 profile / listener on port 6666
The OPSEC check passes, like so:
Configuration Check message from http:
Failed to find port, 443, in C2 Profile configuration
This could indicate the use of a redirector, or a mismatch in expected connectivity.
This means there should be the following connectivity for success:
Agent via HTTPS on port 443 to https://www.example.com/6666index (should be a redirector).
Redirector then forwards request to C2 Profile container on one of the following ports: [{"port": 9999, "use_ssl": false}, {"port": 6666, "use_ssl": false}]
Server address (in the payload config) is set to https://www.example.com/6666index
I've also tried, as an alternative, changing the URI in the payload config (i.e. Server Name set to https://www.example.com and URI set to 6666index/Index).
In both options I get no connect? Why not? Thanks!
Not sure if an issue for Mythic (C2 listener) or Apollo.. I have the following setup:
Apollo http payload configured to connect to c2server.domain. c2server.domain terminates on a reverse nginx proxy with SSL in turn routing to C2 profile listening on a non SSL http port. Everything works.
If I however terminate c2server.domain on a second proxy which uses socat as a forwarding mechanism (in front of / before Nginx), I won't get a callback. Why not? I would have thought maybe websockets are being used, but that shouldn't be the case with the http profile? All other http services (there are about 20) routing through the same setup work fine.
Please shed some light, thanks very much!
After installing and running mythic-cli start, I get an error when trying to build donut-shellcode. Since this is dockerized I'm guessing the error isn't only on my side!
Here are the related logs:
logs.txt
Please let me know if you need extra information or if you have any hints on how to troubleshoot.
Continuing from #48 -- Mythic sometimes displays the link local IP address even when other networks are available on the target host. This is because the GetIP() function selects the first of the list from all available IPv4 addresses:
Apollo/Payload_Type/apollo/agent_code/Apollo/Agent/Apollo.cs
Lines 91 to 92 in f729f2f
Apollo can't know the best address to choose, but it should pick something other than a link local address. If the link local address is the only one available, GetIP() should return a placeholder of some sort.
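The selection rule described above (never report a link-local address when anything better exists; fall back to a placeholder otherwise), written out as an added example. This is not Apollo's GetIP() code, and the placeholder value is an assumption, since the issue leaves it open. The input is the list of address strings in the order the host enumerates them, so the function runs offline against the constructed lists in the usage note.

```python
"""Added example (not Apollo's GetIP() code): pick a reportable IPv4 address,
skipping link-local 169.254.0.0/16 and falling back to a placeholder."""
import ipaddress
from typing import Iterable, Optional, Tuple

PLACEHOLDER = "0.0.0.0"  # assumed placeholder; the issue leaves the exact value open


def choose_reportable_ip(candidates: Iterable[str]) -> str:
    """Pick the IPv4 address to show at check-in.

    Rules: skip anything that is not IPv4, or is loopback, unspecified or
    link-local; prefer a globally routable address over an RFC 1918 one; between
    equals keep the host's enumeration order so the result is stable across
    check-ins. If nothing survives the filter, return PLACEHOLDER."""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for position, text in enumerate(candidates):
        try:
            addr = ipaddress.ip_address(text.strip())
        except ValueError:
            continue  # not an address at all (empty string, hostname, garbage)
        if (addr.version != 4 or addr.is_loopback or addr.is_unspecified
                or addr.is_link_local):
            continue
        # Lower key wins: global before private, then enumeration order.
        key = (0 if addr.is_global else 1, position)
        if best is None or key < best[0]:
            best = (key, str(addr))
    return best[1] if best else PLACEHOLDER
```

With the constructed list `["169.254.190.230", "192.168.23.140"]` (the APIPA address from the report next to the lab address from the earlier issue) the function returns `192.168.23.140`; with only `["169.254.190.230"]` it returns the placeholder instead of the link-local address.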
The ps command uses IsWow64Process when it should be using IsWow64Process2 instead. Change it to ensure the proper arch is retrieved.
From Slack:
[FoobarLegend](https://app.slack.com/team/U024Y0R5M25)
[6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661499912287659)
[@djhohnstein](https://bloodhoundhq.slack.com/team/U784E8R9A)
Hi Dwight. We are testing Apollo in our lab environment but encountering some trouble with executing the reg_write_value command. We get an unauthorized exception (we're sure that we've got admin rights on our target machine). Following is the command we're trying to execute: reg_write_value -Hive HKLM -Key SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ -Name 'UseLogonCredential' -Value '1'. The command parsed by Mythic looks totally different, btw, so I think our arguments are wrong or in the wrong format from what Apollo expects. Can you provide the given command in the correct format?
[djhohnstein](https://app.slack.com/team/U784E8R9A)
[6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661525323567149?thread_ts=1661499912.287659&cid=CHG769BL2)
What is the command parsed by Mythic?
[djhohnstein](https://app.slack.com/team/U784E8R9A)
[6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661525464000189?thread_ts=1661499912.287659&cid=CHG769BL2)
It's not a command I tested fully I think once the rewrite happened so it's possible something got screwed up
[U Schmidt](https://app.slack.com/team/U03B8PV7AJ2)
[6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661567716187749?thread_ts=1661499912.287659&cid=CHG769BL2)
The Readme shows ` at the beginning and end of the whole command compared to other commands, do those perhaps need to be included to parse correctly?
[FoobarLegend](https://app.slack.com/team/U024Y0R5M25)
[6 hours ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1662027816176069?thread_ts=1661499912.287659&cid=CHG769BL2)
Problem solved. reg_write_value is documented as needing a leading slash, but when provided it leads to an NRE. Looks like a bug or a discrepancy between docs and code. A solution could be adding leading and trailing slashes in code where applicable so the user doesn't need to add them (for simplicity) in the command, minimising discrepancies. Also, the call to OpenSubKey in code needed a true value for the second argument if you need write access to the key.
Can you add the ability to create a stageless payload please.
Good Afternoon,
First of all: I'm not 100% certain that this is an issue of the Apollo Implant, or Mythic itself.
When opening a SOCKS proxy, everything seems to work fine at first: the port opens, and when connecting to the proxy via proxychains I can see the tunneled (input) traffic in Wireshark on the client machine, originating from the proxy.
However, no response packets are received on the proxychains side (I can see them in Wireshark, but they don't seem to get rerouted through the proxy).
Not sure where to start debugging from this point, any ideas where the issue could originate from?
Thanks in advance!
When trying to move laterally via the link command, something seems to be broken (unless there is a layer 8 problem on my side):
What I've tried so far:
Questions:
I've been trying to run commands that spawn a sacrificial process (e.g. execute-assembly, keylog, powerpick, etc). I had no success with any of them. I can see the process spawning but the only output i get is this:
Error in execute-assembly (PID: 2644). Reason: The operation has timed out.
or
Something went wrong: The operation has timed out. (For the keylog command).
I've tried with a fresh Mythic installation and on 3 different Windows systems without success...
I'm also not sure if this is just happening in my systems..