Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not receiving callbacks on HTTP profile with SSL enabled #443

Open
j2671724 opened this issue Feb 21, 2025 · 3 comments
Open

Not receiving callbacks on HTTP profile with SSL enabled #443

j2671724 opened this issue Feb 21, 2025 · 3 comments

Comments

@j2671724
Copy link

I'm having an issue getting callbacks on the HTTP profile with SSL enabled.

I'm using the Athena agent and the automatically generated self-signed key/cert. Seems the requests are getting to the host Mythic is running on, but no active callbacks appear in the UI. Not getting any feedback from Stdout/Stderr for the HTTP profile in the UI, either. This is with no redirectors, so callbacks are going directly to the HTTP profile.

I had no issues with callbacks when running port 80.

Output from payload config check:

Image

Mythic Version: v3.3.1-rc35
UI Version: v0.2.75

Thanks for the help!!
@its-a-feature
Copy link
Owner

I just tested and was able to get a callback with Poseidon through the self signed HTTPS profile.
Let's do some troubleshooting:

  • Can you double check that you stopped and started the c2 profile (from the UI) after making the configuration change? That'll just confirm that the inner c2 profile is running on that port.
  • Can you check the listening ports on the host where the mythic server is running and see that 443 is bound properly?
  • Can you enable debug in the http profile (through the UI), then click to stop and start the profile again, run your agent, wait a few seconds, and check to see if you have any data in the stdout?
  • The Athena payload is still running right? Can you confirm that it's making https traffic to the c2 profile?
    If all of that is good to go, I'm gonna have to ask that you open this up against the https://github.com/MythicAgents/Athena repo so that the Athena dev can hop in and see what's up

@j2671724
Copy link
Author

Thanks for the quick response!

I can confirm that the c2 profile was stopped and started after making the change.

Here are the ports the host is listening on (included all of them in case there is something I might be missing):

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 4096 127.0.0.1:8090 0.0.0.0:* users:(("docker-proxy",pid=152192,fd=4))
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("docker-proxy",pid=152281,fd=4))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=517,fd=15))
tcp LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:* users:(("docker-proxy",pid=152204,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7007 0.0.0.0:* users:(("docker-proxy",pid=152453,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7006 0.0.0.0:* users:(("docker-proxy",pid=152444,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7005 0.0.0.0:* users:(("docker-proxy",pid=152413,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7004 0.0.0.0:* users:(("docker-proxy",pid=152393,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7003 0.0.0.0:* users:(("docker-proxy",pid=152373,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7002 0.0.0.0:* users:(("docker-proxy",pid=152364,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7001 0.0.0.0:* users:(("docker-proxy",pid=152345,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7000 0.0.0.0:* users:(("docker-proxy",pid=152326,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7010 0.0.0.0:* users:(("docker-proxy",pid=152533,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7009 0.0.0.0:* users:(("docker-proxy",pid=152501,fd=4))
tcp LISTEN 0 4096 127.0.0.1:7008 0.0.0.0:* users:(("docker-proxy",pid=152482,fd=4))
tcp LISTEN 0 4096 0.0.0.0:7777 0.0.0.0:* users:(("docker-proxy",pid=152451,fd=4))
tcp LISTEN 0 4096 127.0.0.1:5672 0.0.0.0:* users:(("docker-proxy",pid=152534,fd=4))
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=517,fd=17))
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=6496,fd=8))
tcp LISTEN 0 4096 127.0.0.1:17444 0.0.0.0:* users:(("docker-proxy",pid=152563,fd=4))
tcp LISTEN 0 4096 127.0.0.1:17443 0.0.0.0:* users:(("docker-proxy",pid=152554,fd=4))
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("docker-proxy",pid=152168,fd=4))
tcp LISTEN 0 4096 127.0.0.1:8888 0.0.0.0:* users:(("docker-proxy",pid=152589,fd=4))
tcp LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=6496,fd=7))
tcp LISTEN 0 4096 :8081 : users:(("mythic_websocke",pid=154296,fd=7))
tcp LISTEN 0 4096 [::]:7777 [::]: users:(("docker-proxy",pid=152484,fd=4))
*tcp LISTEN 0 4096 :443 : users:(("mythic_http_ser",pid=201976,fd=3))

Just enabled debug. No output coming through in Stdout/Stderr after restarting the profile and running the agent, though.

And I can confirm I am seeing HTTPS requests on the client running the Athena payload to the C2 profile.

@its-a-feature
Copy link
Owner

hmm ok, in your Mythic/.env file, set DEBUG_LEVEL="warning" to DEBUG_LEVEL="debug" then do sudo ./mythic-cli start http. That'll start the http container (any all containers started after this) with debug level output instead of just warning level. Now do sudo ./mythic-cli logs http -f, that'll start streaming the logs from the http container. Now start the Athena agent and hopefully you'll see something come through on the debug log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@its-a-feature @j2671724