2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite #13

bluscreenofjeff opened this Issue May 1, 2017 · 2 comments


2 participants


e0x70i commented Oct 26, 2017

Thanks for this great writeup, we use this setup regularly.

Wanted to note, we've had issues with many malleable C2 profiles using this setup, with some Cobalt commands and features completely breaking. This was due to Apache by default compressing the response when gzip is in the accept-encoding header, and Apache URL encoding any URI parameters automatically.

Disabling mod_deflate, a2dismod deflate, and specifying the NE (no-encode) flag on the rewrite rule resolved these issues. Didn't see this mentioned around when we were trying to debug this issue, so hopefully this comes in handy for others having the same problem!

Thanks again for the great work, really cool way to set up a redirector!



bluscreenofjeff commented Oct 26, 2017

Very interesting and good to know. I've added an update to the post with your fix.
Thank you so much for the info!
