#Terraform #RedTeam C2

Covenant, Digital Ocean, Docker and Cloudflare Proxy

ismail kaleem
4 min read · Sep 14, 2020

A lazy security engineer automating his C2 cloud environment setup, with HTTPS for both the C2 host and the listeners, without redirecting.

When a lazy blue team engineer focuses on writing red teaming articles…
  • Terraform — used to auto-deploy the infrastructure.
  • Digital Ocean — hosting (it’s cheap and stable).
  • Cloudflare — hiding the origin IP and shaping traffic.

First things first: install Terraform and collect all of your API tokens and keys. Then generate the SSH key pair that Terraform will use to reach the droplet.

Now prepare your *.tfvars file and add do_token, cloudflare_email, cloudflare_zone (the zone ID), cloudflare_account_id and cloudflare_api_key.

The configuration for provision.tf:

  # Configure the DigitalOcean provider
  provider "digitalocean" {
    token = var.do_token
  }

  # Variables we will be using; values come from the *.tfvars file
  variable "do_token" {}
  variable "cloudflare_email" {}
  variable "cloudflare_api_key" {}
  variable "cloudflare_zone" {}          # the Cloudflare zone ID
  variable "cloudflare_account_id" {}    # declared so the tfvars value is accepted; not used below

  provider "cloudflare" {
    version = "~> 2.0"
    email   = var.cloudflare_email
    api_key = var.cloudflare_api_key
  }

  # Public half of the SSH key pair generated earlier; the private half is used in the connection block
  resource "digitalocean_ssh_key" "attack" {
    name       = "SSH Key"
    public_key = file("/root/.ssh/id_rsa2.pub")
  }

  terraform {
    required_providers {
      digitalocean = {
        source  = "digitalocean/digitalocean"
        version = "1.22.2"
      }
      cloudflare = {
        source  = "cloudflare/cloudflare"
        version = ">= 0.13"
      }
    }
  }

  resource "digitalocean_droplet" "covenant" {
    image              = "ubuntu-18-04-x64"
    name               = "covenant"
    region             = "lon1"
    size               = "s-1vcpu-1gb"
    private_networking = true
    ssh_keys           = [digitalocean_ssh_key.attack.fingerprint]

    connection {
      user        = "root"
      type        = "ssh"
      private_key = file("/root/.ssh/id_rsa2")
      timeout     = "2m"
      # a resource may not reference itself by name inside its own block, so use self
      host        = self.ipv4_address
    }

    provisioner "remote-exec" {
      inline = [
        "export PATH=$PATH:/usr/bin",
        # install docker
        "sudo curl -sSL https://get.docker.com/ | sh",
        # the clone lands in /root, which the volume mount below relies on
        "git clone --recurse-submodules https://github.com/cobbr/Covenant",
        # host 8443 -> Covenant admin UI (7443 in the container); 80/443 are for the listeners
        "docker run --rm -d -p 8443:7443 -p 80:80 -p 443:443 --name covenant --hostname covenant -v /root/Covenant/Covenant/Data:/app/Data rocketscientist/covenant:terraform"
      ]
    }
  }

  # Proxied A record: Cloudflare answers with its own edge addresses, so the droplet IP is not published in DNS
  resource "cloudflare_record" "ads2" {
    zone_id = var.cloudflare_zone
    name    = "ads2"
    value   = digitalocean_droplet.covenant.ipv4_address
    type    = "A"
    ttl     = 1     # 1 = automatic; required for proxied records
    proxied = true
  }

You may also want to change the droplet size; the one selected here (s-1vcpu-1gb: 1 vCPU and 1 GB RAM at $5 per month) is fairly small and was chosen for the article.

Now we just fire this up!

It stops with a success message! We are now ready to go…

Kudos, this created the record ads2.{attackerdomain.com} on Cloudflare, proxied and pointed at the DigitalOcean droplet running the Covenant container. It takes roughly 2–3 minutes for the infrastructure to set up.

Covenant is now reachable over HTTPS on that domain.

Wait,… we are not done yet.

It’s time to set up a Cloudflare Worker…

Save the following as script.js; it answers any request whose source ASN is not 7641 with a plain “Hello World” and passes everything else through to the origin.

  async function handleRequest(request) {
    // request.cf is filled in by Cloudflare with connection metadata, including the client's ASN
    if (request.cf && request.cf.asn != 7641) {
      // visitors from any other AS get a static page instead of the origin
      return new Response("Hello World")
    }
    // requests from AS 7641 are proxied through to the origin unchanged
    return fetch(request)
  }

  addEventListener("fetch", event => {
    event.respondWith(handleRequest(event.request))
  })

Usually a red team will restrict access to the C2 outright, but I thought it was kind of fun to use serverless scripting (Cloudflare Workers) to modify the response so that an end user sees a different, harmless-looking page. This only applies to your listener host, which can be different from your C2 host, although you can run both through this strategy. Refer to the Terraform provider documentation for deploying Workers.

This is what a visitor from a different AS sees (the condition can just as well be based on source IP).

I have not used firewall policies to restrict traffic because the DNS record is in proxy mode, which masks the origin IP address; you can still configure them if you need to.
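As an added example (not part of the original post), here is a Python check an analyst can run over the A records of a host such as ads2.{attackerdomain.com}: it reports whether every address belongs to Cloudflare's published proxy ranges, i.e. whether the record hides the origin the way the proxied setting above intends, so that blocking or reputation-scoring those IPs would hit Cloudflare's edge rather than the droplet. The range list is a copy of https://www.cloudflare.com/ips-v4, and the sample records are constructed.

```python
import ipaddress
import socket

# Cloudflare's published IPv4 proxy ranges (https://www.cloudflare.com/ips-v4), copied here
# so the check runs offline. Assumption: a production check refreshes this list from that URL.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]


def is_cloudflare_edge(ip):
    """True if ip is a Cloudflare edge address rather than a customer's origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify_records(hostname, a_records):
    """'proxied'    every A record is a Cloudflare edge: the origin IP is hidden
       'direct'     no record is Cloudflare's: the addresses really are the origin
       'mixed'      some of each, which usually means a misconfigured or changing record
       'unresolved' no records at all"""
    flags = [is_cloudflare_edge(ip) for ip in a_records]
    if not flags:
        kind = "unresolved"
    elif all(flags):
        kind = "proxied"
    elif not any(flags):
        kind = "direct"
    else:
        kind = "mixed"
    return {"host": hostname, "a_records": list(a_records), "classification": kind}


def resolve_and_classify(hostname):
    """Live variant: resolve the name first (needs network access)."""
    ips = sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    return classify_records(hostname, ips)


if __name__ == "__main__":
    # Constructed sample records for hypothetical hosts, not real lookups
    sample = {
        "ads2.example.com": ["104.21.5.10", "172.67.130.20"],   # what a proxied record returns
        "origin.example.com": ["167.99.0.12"],                  # a droplet answering directly
    }
    for host, ips in sample.items():
        print(classify_records(host, ips))
```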

Last but not least, we destroy the infrastructure…
