A C2 (command-and-control) framework, a toolset for controlling and managing compromised systems, consists of three main components: the agent, the teamserver, and the client. Agents run on compromised systems and connect back to the teamserver to receive tasking and return results.
The teamserver acts as the central hub for managing agents and tasks, while clients, used by operators, provide the user interface for interacting with the teamserver and issuing commands to agents.
C2 frameworks, while essential for red team operations, introduce security risks of their own because of their many components and the vulnerabilities those components can carry. Agents, teamservers, and clients are often tightly coupled within a framework, so a flaw in one can be exploited by malicious actors to reach the others.
Untrusted input from agents can cause unintended behavior on the teamserver, while compromised operator accounts or authentication flaws can grant unauthorized access to it.
The Sliver C2 framework was found to have a vulnerability that allowed authenticated users to execute arbitrary commands on the teamserver. The entry point was a feature that let users specify advanced options for Metasploit stagers.
By using it to overwrite a bundled binary with a malicious payload, an attacker could gain root access to the teamserver and compromise the security of the entire C2 infrastructure.
Havoc, a C2 framework with a visually appealing interface, has been found to contain several vulnerabilities. A command injection vulnerability in the teamserver allows attackers to execute arbitrary commands, particularly when the default configuration is used.
An authentication bypass in the service API enables unauthorized access to the teamserver. While the developer has addressed some of these issues, the authenticated RCE vulnerability remains unpatched in the main branch.
The Ninja C2 framework is vulnerable to unauthenticated arbitrary file download because of a path traversal flaw in its download endpoint. An attacker can exploit this by registering a malicious agent and uploading a file to an arbitrary location on the teamserver.
SHAD0W, a modular C2 framework, suffers from an unauthenticated RCE vulnerability. Values reported by a beacon are not only displayed to the operator but are also used as parameters when shellcode is compiled on the teamserver.
The migrate module, for instance, passes the beacon-reported architecture value to a shellcode-building function. When the operator interacts with a malicious beacon using the migrate module, the attacker’s command executes on the teamserver.
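The shared root cause of the Ninja path traversal and the SHAD0W shellcode-parameter injection is that a value chosen by the agent reaches a filesystem or shell operation on the teamserver unchecked. The following is an added Python example, not code from either project or from Include Security: it shows the vulnerable string-building form beside a hardened form that allow-lists the beacon value, passes it as a discrete argument, and confines requested download paths to a loot directory. The script name `build_shellcode.sh`, its `--arch` flag and the directory `/tmp/c2loot` are assumptions made for the example.

```python
from pathlib import Path

# Values a beacon may legitimately report for its architecture (assumed allow-list).
ALLOWED_ARCHES = {"x86", "x64"}

def build_shellcode_cmd_unsafe(arch: str) -> str:
    """Vulnerable pattern (the SHAD0W migrate-module shape described above):
    a beacon-reported value is interpolated straight into a shell command string.
    Returned as a string only, never executed, to show what a shell would parse."""
    return f"./build_shellcode.sh --arch {arch}"  # script name is an assumption

def is_valid_beacon_arch(arch: str) -> bool:
    """Allow-list check: the teamserver decides which values are acceptable,
    the beacon does not."""
    return arch in ALLOWED_ARCHES

def build_shellcode_cmd_safe(arch: str) -> list[str]:
    """Hardened pattern: validate against the allow-list and pass the value as
    one discrete argv element, meant for subprocess.run(argv) without shell=True,
    so shell metacharacters in a beacon value never reach a shell."""
    if not is_valid_beacon_arch(arch):
        raise ValueError(f"rejected beacon-supplied arch value: {arch!r}")
    return ["./build_shellcode.sh", "--arch", arch]

def is_path_confined(base_dir: str, requested: str) -> bool:
    """Path-traversal guard for a download/upload endpoint (the Ninja shape
    described above): resolve the requested name under base_dir and accept it
    only if the result lies strictly inside base_dir. Absolute names and
    '..' sequences resolve outside and are refused."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    return target != base and base in target.parents

def resolve_download_path(base_dir: str, requested: str) -> Path:
    """Return the confined path for a request, or refuse it."""
    if not is_path_confined(base_dir, requested):
        raise ValueError(f"rejected path outside loot directory: {requested!r}")
    return (Path(base_dir) / requested).resolve()

if __name__ == "__main__":
    # Constructed sample values: one honest beacon, one carrying shell metacharacters.
    for value in ("x64", "x64; echo injected"):
        print("unsafe ->", build_shellcode_cmd_unsafe(value))
        print("allow-listed?", is_valid_beacon_arch(value))
    for name in ("agent1/loot.txt", "../../etc/passwd", "/etc/passwd"):
        print(name, "confined?", is_path_confined("/tmp/c2loot", name))
```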
The Covenant framework, a popular red team tool, has a critical vulnerability that allows users to escalate privileges from User to Administrator. It stems from a flaw in the user interface that permits users to self-assign the Administrator role.
Once an Administrator, a user can create custom HTTP listener profiles, and these can be abused to execute arbitrary C# code on the server. Although this requires authenticated access, it highlights the risk of exposing the Covenant management port to the public.
Mythic is a modular C2 framework that prioritizes teamserver functionality and operator collaboration over agent stealth; its modular design allows customization with a variety of agents and transports.
While its web UI is basic, it offers extensive features for user management, campaign tracking, and data searchability. Despite its complexity, the researchers found no glaring security vulnerabilities in its API authentication or logic.
According to Include Security, its modular nature and focus on the teamserver make it well suited to larger operations and to active development, and may point to a future trend in open-source C2 frameworks.