Convert sliver's http-c2.json file to apache modrewrite
This is a script that helps automate the process of converting sliver's http-c2 file to apache modrewrite format to allow use with a C2 redirector. The script takes into account sliver's procedural HTTP/S generation.
- Takes an argument of
- http-c2
- team server URL
- redirection URL
- optional - .htaccess file name
- Checks if the URL is formatted correctly
- Parses the supplied values in the config
- Places the values into a apache modrewrite template
- Outputs the .htaccess to the screen (or to the a file)
usage: sliver2modrewrite.py [-h] -i INPUTFILE -c C2SERVER -r REDIRECT [-o OUT_FILE]
Python 3.0+ Converts sliver http-c2 json file to Apache mod_rewrite. This outputs .htaccess file format which contains the rewrite rules.
options:
-h, --help show this help message and exit
-i INPUTFILE Sliver http-c2.json file
-c C2SERVER Sliver Server (http://teamserver)
-r REDIRECT Redirect to this URL (http://google.com)
-o OUT_FILE Write .htaccess contents to target file
The following options in the http-config file are currently supported:
stager_files,stager_file_ext,stager_pathspoll_files,poll_file_ext,poll_pathsstart_session_file_ext,session_files,session_file_ext,session_pathsclose_files,close_file_ext,close_pathsmin/max values for paths
sudo apt install apache2- edit the /etc/apache2/apache2.config file - change allow overide to all
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
sudo a2enmod rewrite proxy proxy_httpsudo service apache2 restart- Run the script to generate the .htaccess
python3 sliver2modrewrite.py -i http-c2.json -c http://10.10.10.10 -r https://google.co.uk
- Save the output into
/var/www/html/.htaccessor copy the saved .htacces file to the directory sudo systemctl restart apache2
########################################
## .htaccess START
RewriteEngine On
## C2 Traffic (HTTP-GET, HTTP-POST, HTTP-STAGER URIs)
## Logic: If a requested URI matches and the User-Agent String matches, proxy the connection to the Teamserver
## Refer to http://httpd.apache.org/docs/current/mod/mod_rewrite.html
## Only allow GET and POST methods to pass to the C2 server
RewriteCond %{REQUEST_METHOD} ^(GET|POST) [NC]
## Profile URIs
RewriteCond %{REQUEST_URI} ^(/php/?|/api/?|/upload/?|/actions/?|/rest/?|/v1/?|/auth/?|/authenticate/?|/oauth/?|/oauth2/?|/oauth2callback/?|/database/?|/db/?|/namespaces/?|/js/?|/umd/?|/assets/?|/bundle/?|/bundles/?|/scripts/?|/script/?|/javascripts/?|/javascript/?|/jscript/?|/static/?|/www/?|/assets/?|/images/?|/icons/?|/image/?|/icon/?|/png/?|/static/?|/assets/?|/fonts/?|/locales/?|/?){2,4}(login|signin|api|samples|rpc|index|admin|register|sign-up|bootstrap|bootstrap.min|jquery.min|jquery|route|app|app.min|array|backbone|script|email|favicon|sample|example|attribute_text_w01_regular|ZillaSlab-Regular.subset.bbc33fb47cf6|ZillaSlab-Bold.subset.e96c15f68c68|Inter-Regular|Inter-Medium)(.php|.html|.js|.png|.woff)$
## Query String
RewriteCond %{{QUERY_STRING}} ^(\w{{1,3}}=.*)$
## Profile UserAgent
RewriteCond %{HTTP_USER_AGENT} ^.*$
RewriteRule ^.*$ "http://192.168.239.136%{REQUEST_URI}" [P,L]
## Redirect all other traffic here
RewriteRule ^.*$ https://google.co.uk/? [L,R=302]
## .htaccess END
########################################
If you need to debug the rules to check if they are working or where they are failing you can add the following to the etc/apache/apache2.conf
LogLevel alert rewrite:trace5
Then you can read /var/log/apache2/error.log and /var/log/apache2/error.log
Shoutout to threatexpress for their fantastic scripts, from which this script is based.