Mythic

C2 install

Info: The C2 was running on Ubuntu 22.04 on a DEV-1M instance (Scaleway).

Execute the following commands as root to install the C2.

apt install docker docker-compose

cd /opt
git clone https://github.com/its-a-feature/Mythic
cd Mythic/
./mythic-cli start

./mythic-cli install github https://github.com/MythicAgents/poseidon.git
./mythic-cli install github https://github.com/MythicC2Profiles/http

Tip: The GUI can be accessed on port 7443 with HTTPS.

The credentials can be found in the file /opt/Mythic/.env with the variable MYTHIC_ADMIN_PASSWORD.

Configure the bastion and the access to the C2

Modify your SSH config file $HOME/.ssh/config as follows:

# C2 host, reached through the bastion
Host c2
    Hostname <C2_IP>
    User root
    IdentityFile <ssh_key_path>
    ProxyJump bastion

Host bastion
    Hostname <BASTION_IP>
    User root
    IdentityFile <ssh_key_path>

# Forward local port 7443 to the C2 admin port via the bastion
Host fw-7443
    Hostname <BASTION_IP>
    User root
    IdentityFile <ssh_key_path>
    LocalForward 7443 <C2_IP>:7443

The admin port should only be reachable from the bastion IP. Execute the following command on the C2.

iptables -I DOCKER-USER ! --src <BASTION_IP> -p tcp --dport 7443 -j DROP

Enable local port forwarding in a terminal on your laptop (the fw-7443 host entry above) and you should be able to access the C2 admin panel at https://localhost:7443.
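
One way to verify that restriction, as an added example that is not part of the original page: the function reads `iptables -S DOCKER-USER` output and succeeds only if the DROP rule above is reached before any rule that lets port 7443 traffic through. The function names and the sample rule sets (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the DOCKER-USER chain.
# Reads rules in `iptables -S DOCKER-USER` format on stdin and returns 0 only if
# tcp/<port> is dropped for every source except the bastion before any rule
# that would let that traffic leave the chain.
admin_port_locked() {
    bastion="$1"
    port="${2:-7443}"
    while IFS= read -r rule; do
        case "$rule" in
            "-A DOCKER-USER ! -s $bastion/32 -p tcp"*"--dport $port -j DROP")
                return 0 ;;   # expected rule is evaluated first
            "-A DOCKER-USER -j RETURN" | "-A DOCKER-USER -j ACCEPT")
                return 1 ;;   # unconditional exit shadows any later DROP
            *"--dport $port -j ACCEPT" | *"--dport $port -j RETURN")
                return 1 ;;   # port opened to another source first
        esac
    done
    return 1                  # no matching DROP rule at all
}

# Hypothetical helper: run the audit over a rule set held in a variable.
check_rules() {
    printf '%s\n' "$1" | admin_port_locked "$2" "${3:-7443}"
}

# Constructed sample rule sets (203.0.113.10 stands in for <BASTION_IP>).
GOOD_RULES='-N DOCKER-USER
-A DOCKER-USER ! -s 203.0.113.10/32 -p tcp -m tcp --dport 7443 -j DROP
-A DOCKER-USER -j RETURN'
SHADOWED_RULES='-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER ! -s 203.0.113.10/32 -p tcp -m tcp --dport 7443 -j DROP'
MISSING_RULES='-N DOCKER-USER
-A DOCKER-USER -j RETURN'

# On the C2 itself: iptables -S DOCKER-USER | admin_port_locked <BASTION_IP>
```

A non-zero exit means the rule is missing, names a different source, or sits behind a rule that returns first, which can happen after a Docker restart or a manual chain edit.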

SSL / TLS Configuration

Generate the certificate.

apt install certbot python3-certbot-apache
certbot certonly --apache -d <DOMAIN> -n --register-unsafely-without-email --agree-tos --preferred-challenges http

Modify the profile configuration.

{
  "instances": [
    {
      "ServerHeaders": {
        "Server": "nginx/1.23.0",
        "Cache-Control": "max-age=0, no-cache",
        "Pragma": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "application/javascript; charset=utf-8"
      },
      "port": 443,
      "key_path": "./privkey_certbot.pem",
      "cert_path": "./fullchain_certbot.pem",
      "debug": false,
      "use_ssl": true,
      "payloads": {}
    }
  ]
}

Info: The certificate and the key are located here: /opt/Mythic/C2_Profiles/http/c2_code.

Create an instance profile, then select it when you create the Poseidon payload.

Port 80

You can either close port 80 with iptables or set up a redirect by modifying /var/www/html/index.html.

<!DOCTYPE html>
<html>
  <head>
    <title>HTML Redirect</title>
    <meta http-equiv="refresh" content="0; url=https://legitwebsite.com" />
  </head>
</html>