
apollo's People

Contributors

bluecmd, breakid, djhohnstein, dragoqcc, icemoonhsv, its-a-feature, matterpreter, nahid5, puzzlepeaches, retrospected, reznok, subat0mik, thespicybyte, thiagomayllart, who1smrrobot


apollo's Issues

User Agent Key Not Populating

When I create an Apollo payload the User Agent shows up as the literal string "USER_AGENT" instead of the value of the User-Agent key in the headers section of the C2 profile.

An example of a redirector log:

1.1.1.1 - - [06/Jul/2021:17:47:14 +0000] "POST /bah/bah/bah HTTP/1.1" 200 753 "-" "USER_AGENT"

Please let me know if you need more information - thanks very much!

DCSync module is broken

Hi,

The dcsync module is not correctly parsing the output of Mimikatz; it sometimes captures the Security ID instead of the Realm, and the Relative ID instead of the password's hash.

[screenshot]

I think the Mimikatz output changed when targeting a single account. Here is an extract of the new output; some fields are also omitted when the "/all" arg is used:

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )     # not present using /all
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :                              # not present using /all
Password last change : 6/4/2022 7:45:12 PM          # not present using /all
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42

passwd = lines[i+2].split(" : ")[1].strip()

I have reproduced the problem on a Microsoft Windows Server 2019 Standard / 10.0.17763 N/A Build 17763

Execute assembly no output

Hi the Team,

Sorry, another issue (maybe it's just my fault, as with the previous one).

I want to load an assembly and I start with Sharpshares.exe (but it is the same with other binaries; I used these: https://github.com/Flangvik/SharpCollection):

[screenshot]

As you can see, there is no output for the command "Sharpshares.exe shares". It's ok if I execute the binary on my "infected" machine.

Any idea?

Thanks.

Nicknam3

Error creating tasks : AttributeError: 'RPCResponse' object has no attribute 'message'

Hi the Team,

I originally opened a case on its-a-feature/Mythic#197, but was told that it would be better here. Here is my problem.

I've some issue when using register_assembly or powershell_import:

[-] apollo ran into an error processing powershell_import: 
'RPCResponse' object has no attribute 'message'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/mythic_payloadtype_container/mythic_service.py", line 277, in callback
    final_task = await Command.create_tasking(task)
  File "/Mythic/mythic/agent_functions/powershell_import.py", line 54, in create_tasking
    raise Exception("Failed to create subtask: {}".format(response.message))
AttributeError: 'RPCResponse' object has no attribute 'message'

'RPCResponse' object has no attribute 'message'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/mythic_payloadtype_container/mythic_service.py", line 277, in callback
    final_task = await Command.create_tasking(task)
  File "/Mythic/mythic/agent_functions/register_assembly.py", line 54, in create_tasking
    raise Exception("Failed to create subtask: {}".format(response.message))
AttributeError: 'RPCResponse' object has no attribute 'message'

It's ok when I use some other commands: run, mkdir, ls, etc.

Any idea?

Thanks,

Nicknam3

Operation Timed Out (Fork and Run Commands)

I've been trying to run commands that spawn a sacrificial process (e.g. execute-assembly, keylog, powerpick, etc.). I had no success with any of them. I can see the process spawning, but the only output I get is this:

Error in execute-assembly (PID: 2644). Reason: The operation has timed out.

or

Something went wrong: The operation has timed out. (For the keylog command).

I've tried with a fresh mythic installation and in 3 different windows systems without success...

I'm also not sure if this is just happening in my systems..

Support for dynamichttp

Hey,

Are there any plans to support dynamichttp as c2 profile? Being able to craft the communication would be really good.

reg_write_value Discrepancies

From Slack:

[FoobarLegend](https://app.slack.com/team/U024Y0R5M25)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661499912287659)
[@djhohnstein](https://bloodhoundhq.slack.com/team/U784E8R9A)
Hi Dwight. We are testing Apollo in our lab environment but encountering some troubles with executing the reg_write_value command. We get an unauthorized exception (we're sure that we've got admin rights on our target machine). Following is the command we're trying to execute: reg_write_value -Hive HKLM -Key SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ -Name 'UseLogonCredential' -Value '1'. The command parsed by Mythic looks totally different btw, so I think our arguments are wrong or in the wrong format that Apollo expects. Can you provide the given command in the correct format?

[djhohnstein](https://app.slack.com/team/U784E8R9A)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661525323567149?thread_ts=1661499912.287659&cid=CHG769BL2)
What is the command parsed by Mythic?


[djhohnstein](https://app.slack.com/team/U784E8R9A)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661525464000189?thread_ts=1661499912.287659&cid=CHG769BL2)
It's not a command I tested fully I think once the rewrite happened so it's possible something got screwed up


[U Schmidt](https://app.slack.com/team/U03B8PV7AJ2)
  [6 days ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1661567716187749?thread_ts=1661499912.287659&cid=CHG769BL2)
The Readme shows ` at the beginning and end of the whole command compared to other commands, do those perhaps need to be included to parse correctly?


[FoobarLegend](https://app.slack.com/team/U024Y0R5M25)
  [6 hours ago](https://bloodhoundhq.slack.com/archives/CHG769BL2/p1662027816176069?thread_ts=1661499912.287659&cid=CHG769BL2)
Problem solved. reg_write_value documented that a leading slash was needed, but when provided it leads to a NRE. Looks like a bug or discrepancy between docs and code. Solution could be adding leading and trailing slashes in code where applicable so the user doesn't need to add them (for simplicity) in the command, minimising discrepancies. Also the call to OpenSubKey in code needed a true value for the second argument if you need write access to the key.

MimikatzWrappers Included in Binary when MIMIKATZ is undefined

When building a payload through the mythic payload creator, mimikatz agent source files (specifically MimikatzWrappers.cs) will be included in the generated payload if mimikatz is not selected but pth (and maybe dcsync) is still selected. This is a bit unintuitive and can lead to payloads that will be easily caught by AV if not aware of this behavior.

Cause:
MimikatzWrappers.cs only checks for the following two build parameters: PTH and DCSYNC. No check is done to see if MIMIKATZ is in the build params.

Fixes:
1: Add an #IF MIMIKATZ block around the entire MimikatzWrappers.cs code. This would be a quick and logical fix, as everything in this file does depend on mimikatz as well.

2: Add support for agent module dependencies. For example, if a user tried to build a payload with pth but no mimikatz, mythic would return an error saying a dependency is missing. This would be a more in-depth change, but this behavior may also be desirable by future agent functions.

I'm happy to PR either (or both!) fixes, but would appreciate the opinion of the maintainer beforehand :)

Plain Text mode

Is plain text mode supported when Mythic configures the Payload with "Crypto Type" as "None" and "Perform Key Exchange" as "F"? The agent appears to encounter an error when it tries to encrypt messages with invalid keys.

printspoofer fails?

Hello,

I have been trying to execute from a Domain Admin context on a domain connected host printspoofer to execute notepad as seen in the screenshot with SYSTEM privs or my bat which will execute the apollo payload to get a reverse shell but it seems to fail with error 5 (aka access denied). Not sure why...
It does say named pipe listening...Maybe because the smb beacons are not released yet?


FUD of agent

Hi guys. There seems to be not much flexibility in obfuscating the agent. I'm wanting to figure out how to call the dll method, and have decompiled the assembly, but not having much luck. Here's code so far from some guess work:

$FilePath = "C:\Downloads\apollo.dll"
$ByteArray = [System.IO.File]::ReadAllBytes($FilePath);
$Base64String = [System.Convert]::ToBase64String($ByteArray);
$assemblyBytes = [System.Convert]::FromBase64String($Base64String);
$assembly = [System.Reflection.Assembly]::Load($assemblyBytes);
$entryPointMethod = $assembly.GetType('Apollo.Agent', [Reflection.BindingFlags] 'Public, NonPublic').GetMethod('InitializeAgent', [Reflection.BindingFlags] 'Static, Public, NonPublic')
$entryPointMethod.Invoke($null)

The plan is to eventually host the dll on the web server with just a powershell one liner for exec. The idea is to turn off as much as we can of AMSI / ETW before invoking the script inline.

Also, I noticed on the framework that one can not specify their own payload for UAC / privesc, for example. I get it if it's by design for OPSEC, etc.. but without FUD capability on those agents, we are going to have a hard time putting things to practice... Cheers.

Link command buggy

When trying to laterally move via the link command, something seems to be broken (unless there is a layer 8 problem on my side):

What I've tried so far:

  1. Create apollo payload with SMB profile
  2. modal link, click on add and enter host and select payload:

[screenshot]

  3. python error:

[screenshot]

Questions:

  • What is the intended approach for a lateral movement via psexec/link
  • How/Where to complete the fields host, payload, c2profile in the modal from step 2?

Link Local IP in UI

Continuing from #48 -- Mythic sometimes displays the link local IP address even when other networks are available on the target host. This is because the GetIP() function selects the first of the list from all available IPv4 addresses:

Dns.GetHostName()).AddressList.FirstOrDefault(
ip => ip.AddressFamily == AddressFamily.InterNetwork

Apollo can't know the best address to choose, but it should pick something other than a link local address. If the link local address is the only one available, GetIP() should return a placeholder of some sort.
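An added illustration of the address selection discussed above (written for this page, not Apollo's own GetIP()): enumerate interfaces that are up, skip loopback and the 169.254.0.0/16 link-local range, and return a placeholder when nothing else is available. The placeholder value `0.0.0.0` is an assumption.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Net.Sockets;

public static class AddressPicker
{
    // Placeholder returned when no non-link-local IPv4 address exists (assumed value).
    public const string Placeholder = "0.0.0.0";

    // 169.254.0.0/16 is the IPv4 link-local (APIPA) range.
    public static bool IsLinkLocal(IPAddress ip)
    {
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        byte[] b = ip.GetAddressBytes();
        return b[0] == 169 && b[1] == 254;
    }

    // Returns the first IPv4 address on an interface that is up, not loopback
    // and not link-local; otherwise the placeholder.
    public static string GetIP()
    {
        var candidates = NetworkInterface.GetAllNetworkInterfaces()
            .Where(nic => nic.OperationalStatus == OperationalStatus.Up
                       && nic.NetworkInterfaceType != NetworkInterfaceType.Loopback)
            .SelectMany(nic => nic.GetIPProperties().UnicastAddresses)
            .Select(ua => ua.Address)
            .Where(a => a.AddressFamily == AddressFamily.InterNetwork
                     && !IPAddress.IsLoopback(a));

        IPAddress chosen = candidates.FirstOrDefault(a => !IsLinkLocal(a));
        return chosen != null ? chosen.ToString() : Placeholder;
    }

    public static void Main()
    {
        Console.WriteLine(GetIP());
    }
}
```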

TCP Profile bug

Running the unlink command to unlink a P2P agent that is using the TCP profile maintains an established connection. This causes the agent to stay alive after exit, or the link not to be properly removed, after unlink has been executed.

Creating a pull request that has a fix, but I wanted to create the issue for tracking purposes.

Mimikatz arguments parsing issue

When e.g. trying a DCSync by mimikatz via the following command:

[screenshot]

The command arguments aren't correctly parsed to mimikatz:

[screenshot]

I tried it with "" as well as without them, doesn't solve the issue.

Error installing in aarch64

While trying to install the Apollo Agent the installer runs into an issue, although I think the issue is not with Apollo agent itself and rather with donut.

./mythic-cli install github https://github.com/MythicAgents/Apollo
2024/05/08 11:07:13 [*] Creating temporary directory
2024/05/08 11:07:13 [*] Cloning https://github.com/MythicAgents/Apollo
Cloning into '/opt/Mythic/tmp'...
2024/05/08 11:07:16 [*] Parsing config.json
[*] Processing Payload Type apollo
[*] apollo already exists. Replace current version?  [y/n]: y
2024/05/08 11:07:17 [*] Stopping current container
2024/05/08 11:07:17 [*] Removing current version
2024/05/08 11:07:17 [+] Successfully removed the current version
2024/05/08 11:07:17 [*] Copying new version of payload into place
2024/05/08 11:07:17 [*] Adding service into docker-compose
WARN[0000] /opt/Mythic/docker-compose.yml: `version` is obsolete
No stopped containers
WARN[0000] /opt/Mythic/docker-compose.yml: `version` is obsolete
[+] Building 16.5s (5/6)                                         docker:default
 => [apollo internal] load build definition from Dockerfile                0.0s
 => => transferring dockerfile: 179B                                       0.0s
 => [apollo internal] load metadata for docker.io/itsafeaturemythic/mythi  0.8s
 => [apollo internal] load .dockerignore                                   0.0s
 => => transferring context: 2B                                            0.0s
 => CACHED [apollo 1/3] FROM docker.io/itsafeaturemythic/mythic_python_do  0.0s
 => ERROR [apollo 2/3] RUN python3 -m pip install donut-shellcode         15.6s
------
 > [apollo 2/3] RUN python3 -m pip install donut-shellcode:
2.141 Collecting donut-shellcode
2.208   Downloading donut-shellcode-1.0.2.tar.gz (293 kB)
2.264      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 293.0/293.0 kB 6.6 MB/s eta 0:00:00
2.432   Installing build dependencies: started
8.662   Installing build dependencies: finished with status 'done'
8.665   Getting requirements to build wheel: started
9.305   Getting requirements to build wheel: finished with status 'done'
9.313   Preparing metadata (pyproject.toml): started
10.00   Preparing metadata (pyproject.toml): finished with status 'done'
10.01 Building wheels for collected packages: donut-shellcode
10.02   Building wheel for donut-shellcode (pyproject.toml): started
13.12   Building wheel for donut-shellcode (pyproject.toml): finished with status 'error'
13.15   error: subprocess-exited-with-error
13.15
13.15   × Building wheel for donut-shellcode (pyproject.toml) did not run successfully.
13.15   │ exit code: 1
13.15   ╰─> [65 lines of output]
13.15       running bdist_wheel
13.15       running build
13.15       running build_ext
13.15       building 'donut' extension
13.15       creating build
13.15       creating build/temp.linux-aarch64-cpython-311
13.15       creating build/temp.linux-aarch64-cpython-311/loader
13.15       gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c donut.c -o build/temp.linux-aarch64-cpython-311/donut.o
13.15       donut.c: In function ‘read_file_info’:
13.15       donut.c:574:19: warning: comparison of integer expressions of different signedness: ‘ULONG64’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
13.15                  if (ofs != -1) {
13.15                          ^~
13.15       donut.c:579:22: warning: comparison of integer expressions of different signedness: ‘ULONG64’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
13.15                      if(ofs != -1) {
13.15                             ^~
13.15       donut.c: In function ‘gen_random_string’:
13.15       donut.c:667:15: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint64_t’ {aka ‘long unsigned int’} [-Wsign-compare]
13.15            for(i=0; i<len; i++) {
13.15                      ^
13.15       donut.c: In function ‘is_dll_export’:
13.15       donut.c:1481:16: warning: comparison of integer expressions of different signedness: ‘ULONG64’ {aka ‘long unsigned int’} and ‘int’ [-Wsign-compare]
13.15                if(ofs != -1) {
13.15                       ^~
13.15       In function ‘build_module’,
13.15           inlined from ‘DonutCreate’ at donut.c:1590:17:
13.15       donut.c:768:7: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15              strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
13.15              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15       donut.c:746:9: warning: ‘strncpy’ output may be truncated copying 8 bytes from a string of length 255 [-Wstringop-truncation]
13.15                strncpy(mod->domain, c->domain, DONUT_DOMAIN_LEN);
13.15                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15       donut.c:753:9: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15                strncpy(mod->cls, c->cls, DONUT_MAX_NAME-1);
13.15                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15       donut.c:756:9: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15                strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
13.15                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15       donut.c:763:7: warning: ‘strncpy’ output may be truncated copying 255 bytes from a string of length 255 [-Wstringop-truncation]
13.15              strncpy(mod->runtime, c->runtime, DONUT_MAX_NAME-1);
13.15              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15       donut.c:792:7: warning: ‘strncat’ output may be truncated copying 250 bytes from a string of length 255 [-Wstringop-truncation]
13.15              strncat(mod->args, c->args, DONUT_MAX_NAME-6);
13.15              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13.15       gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c donutmodule.c -o build/temp.linux-aarch64-cpython-311/donutmodule.o
13.15       donutmodule.c:199:9: warning: initialization of ‘PyObject * (*)(PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *)’} from incompatible pointer type ‘PyObject * (*)(PyObject *, PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *, struct _object *)’} [-Wincompatible-pointer-types]
13.15                Donut_Create, // C wrapper function
13.15                ^~~~~~~~~~~~
13.15       donutmodule.c:199:9: note: (near initialization for ‘Donut_FunctionsTable[0].ml_meth’)
13.15       gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c encrypt.c -o build/temp.linux-aarch64-cpython-311/encrypt.o
13.15       gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c format.c -o build/temp.linux-aarch64-cpython-311/format.o
13.15       format.c: In function ‘base64_template’:
13.15       format.c:94:10: warning: ‘i’ may be used uninitialized in this function [-Wmaybe-uninitialized]
13.15            while(i!=0) { *out++ = '='; i--; }
13.15                 ^
13.15       format.c:58:14: note: ‘i’ was declared here
13.15            uint32_t i, len, x;
13.15                     ^
13.15       gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c hash.c -o build/temp.linux-aarch64-cpython-311/hash.o
13.15       gcc -pthread -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -Iinclude -I/usr/local/include/python3.11 -c loader/clib.c -o build/temp.linux-aarch64-cpython-311/loader/clib.o
13.15       creating build/lib.linux-aarch64-cpython-311
13.15       gcc -pthread -shared build/temp.linux-aarch64-cpython-311/donut.o build/temp.linux-aarch64-cpython-311/donutmodule.o build/temp.linux-aarch64-cpython-311/encrypt.o build/temp.linux-aarch64-cpython-311/format.o build/temp.linux-aarch64-cpython-311/hash.o build/temp.linux-aarch64-cpython-311/loader/clib.o lib/aplib64.a -Llib -L/usr/local/lib -o build/lib.linux-aarch64-cpython-311/donut.cpython-311-aarch64-linux-gnu.so
13.15       /usr/bin/ld: lib/aplib64.a(elfstubs.o): Relocations in generic ELF (EM: 62)
13.15       /usr/bin/ld: lib/aplib64.a: error adding symbols: file in wrong format
13.15       collect2: error: ld returned 1 exit status
13.15       error: command '/usr/bin/gcc' failed with exit code 1
13.15       [end of output]
13.15
13.15   note: This error originates from a subprocess, and is likely not a problem with pip.
13.15   ERROR: Failed building wheel for donut-shellcode
13.16 ERROR: Could not build wheels for donut-shellcode, which is required to install pyproject.toml-based projects
13.16 Failed to build donut-shellcode
13.26
13.26 [notice] A new release of pip is available: 23.1.2 -> 24.0
13.26 [notice] To update, run: pip install --upgrade pip
------
failed to solve: process "/bin/sh -c python3 -m pip install donut-shellcode" did not complete successfully: exit code: 1
2024/05/08 11:07:36 [+] Successfully installed service
2024/05/08 11:07:36 [+] Successfully installed c2
2024/05/08 11:07:36 [*] Processing Documentation for apollo

PTH Tasking Issue and Solution

The Issue:

  • In the pth command, https://github.com/MythicAgents/Apollo/blob/master/Payload_Type/apollo/mythic/agent_functions/pth.py#L143, a new parameter is getting added in called command.
  • That new parameter doesn’t have any group_name associated with it, so it gets the Default group
  • The other parameters supplied, credential and run match to the SavedCredentials group
  • Now we have 2 parameters that say we should be in the SavedCredentials group and one that says we should be in the Default group. So, Mythic errors out since it doesn't know which set of parameters should be included.

The solution:

Keylogs

Hello!
Why are keylogs shown in a strange format like backspace backspace etc.?

[screenshot]

run command parses arguments in incorrect order

The RunArguments class does not specify ui-position for either of its arguments, which causes them to be parsed with arguments first and executable second.

Example:
run whoami /priv will be translated to run -Executable /priv -Arguments whoami

Domain Fronting Support

Hi,

I'd like to know if this agent supports domain fronting. When configuring the C2 http profile during Apollo payload generation, I've set the following configuration values:
Callback host - https://somethingrandom.microsoft.com
HTTP Header - "Host": "somethingrandom.azureedge.net"

I get a callback when I execute the payload but when I check in Wireshark (Client Hello packet) the agent connects to "somethingrandom.azureedge.net" instead of "somethingrandom.microsoft.com".

Please let me know if I'm missing something. I've tested that the Domain Fronting works fine but I can't seem to get it working with Apollo.

Mythic v2.3.9
UI v0.0.52
Apollo: 2.2.0

Socks Proxy Won't Tunnel Response Packets

Good Afternoon,

First of all: I'm not 100% certain that this is an issue of the Apollo Implant, or Mythic itself.

When opening a Socks Proxy, everything seems to work fine at first, the port opens and when connecting to the Proxy via Proxychains, I can see the tunneled (Input) traffic in Wireshark on the client machine that is originating from the proxy.

However, no response packets are received on the proxychains side (I can see them in Wireshark. but they don't seem to get rerouted through the Proxy).

Not sure where to start debugging from this point, any ideas where the issue could originate from?

Thanks in advance!

IP display problem

hi,

The Apollo agent goes online to obtain the IP display 169.254.190.230, but it does not affect the execution of the command.

Use test environment:
server system: kali-linux-2020.2-amd64 (192.168.23.130)
agent system :windows (win10 x64) (192.168.23.140)

Use Apollo's payload build settings :
payload:Apollo
c2profiles:http
Callback Host:http://192.168.23.130
Callback Port:80
Choose a target .NET Framework:4.0
Target architecture:x64
Output as shellcode, executable, or dynamically loaded library.:WinExe
Build a payload with or without debugging symbols.:Release
Selected OS:Windows
Selected commands: powershell, upload, download, ...

Execute coff issues --2024Q1-Dev branch

Hey, I am having issues using execute_coff.
I compiled and registered runof.dll as mentioned in the documentation for the 2024Q1-Dev branch.
Then I have registered the individual BOF files before I attempt to execute them using register_coff and/or register_file.
I have tried multiple Situational Awareness BOFs like the one below:

execute_coff -Coff whoami.x64.o -Function go -Timeout 30 -Arguments []

Receiving this error for every attempt:

Exception: Object reference not set to an instance of an object.
Location: at Tasks.execute_coff.Start()

Including more info in case it is relevant:

[STDOUT]:
The following args aren't being used because they don't belong to the Default parameter group:
{}

[STDERR]:

Conducting against a Windows 10 VM.


After runoff was added to the branch code I re-downloaded the branch and tried register_coff then execute_coff again getting different results:

Exception: System.Exception: Unable to process function relocation type IMAGE_REL_AMD64_REL32_2 - please file a bug report.
at RUNOF.Internals.BofRunner..ctor(ParsedArgs parsed_args)
at RUNOF.Program.Main(String[] args)
Location: at RunOf.Internals.BofRunner..ctor(ParsedArgs parsed_args)
at RUNOF.Program.Main(String[] args)

I know this has not been added to the main branch yet and maybe there is something I am missing or not understanding.
Any assistance would be helpful, thanks.

No connection behind apache2 rev proxy

Hi, I've got a setup of apache2 terminating a domain and routing 443 for various services. For apollo the config is doing:

        ProxyPass /6666index http://127.0.0.1:6666
        ProxyPassReverse /6666index http://127.0.0.1:6666

I then have a Mythic http C2 profile / listener on port 6666
The opsec check passes, like so:

Configuration Check message from http:
Failed to find port, 443, in C2 Profile configuration
This could indicate the use of a redirector, or a mismatch in expected connectivity.

This means there should be the following connectivity for success:
Agent via HTTPS on port 443 to https://www.example.com/6666index (should be a redirector).
Redirector then forwards request to C2 Profile container on one of the following ports: [{"port": 9999, "use_ssl": false}, {"port": 6666, "use_ssl": false}]

Server address (in the payload config) is set to https://www.example.com/6666index
I've also tried, as an alternative, to change the URI in the payload config (i.e. Server Name set to https://www.example.com and URI set to 6666index/Index).

In both options I get no connect. Why not? Thanks!

Apollo over socat

Not sure if an issue for Mythic (C2 listener) or Apollo.. I have the following setup:

Apollo http payload configured to connect to c2server.domain. c2server.domain terminates on a reverse nginx proxy with SSL in turn routing to C2 profile listening on a non SSL http port. Everything works.

If I however terminate c2server.domain on a second proxy which uses socat as a forwarding mechanism (in front of / before Nginx) I won't get a callback. Why not? I would have thought maybe websockets are being used, but that shouldn't be the case with the http profile? All other http services (there are about 20) routing through the same setup work fine.

Please shed some light, thanks very much!
