Deploy Hak5 Cloud C2 on AWS LightSail (2022)

Deploy Hak5 Cloud C2 on AWS LightSail (2022)

Last year I wrote on article on deploying the C2 application on AWS LightSail, as a number of things have changed since then, including an updated version of the application, I thought I’d update the tutorial.

Update, if you are using HAK5 KeyCrocs with C2, be sure to check this post too as there can be issues connecting with https enabled: https://bobmckay.com/i-t-support-networking/security/hak5-keycroc-problems-connecting-to-cloud-c2-when-https-is-used/

Setting up AWS LightSail

Create a LightSail Instance

Firstly, you’ll need to register for an AWS account here, once logged in, under All services click the Lightsail option.

On the Home page, click Instances (if not already on that page)

Click Create Instance

On the instance page, you’ll need to select a region in which your instance will be deployed (I generally opt for Oregon based on price)

Select Linux/Unix as your platform type

Under Select a blueprint, click OS Only

Select Ubuntu 18.04 (other versions will no doubt work but this is the version I have tested)

Scroll down and select your instance plan, Hak5 advise that Cloud C2 can run on the smallest AWS instance ($3.50 per month,  providing 512MB of memory, 1vCPU and 20GB SSD of storage.

Personally I prefer to pay the extra $1.50 per month for double the memory and and storage (some users have reported issues on the smaller instance in the Hak5 forums too).

In case you are going to be running multiple LightSail instances, give yours a meaningful name:

Once you are happy with your selection, click Create Instance to queue the creation of the server instance – this will show up on your instances tab, marked as Pending.  Once the server is provisioned, the Pending status will change to Running – this typically takes about 5 to 10 minutes

Add a Static IP Address

The Public IP address provided by AWS for your instance will change whenever you restart it so ideally you should assign a static IP address to it and then point your domain name at the IP address (necessaary for adding an SSL certificate later) – a static IP address is a paid-for option in AWS.

To add a Static IP address:

  • Click the the Network tab on either your LightSail homepage or instance page, both have an button/link that says Create Static IP, click this.
  • Select the new LightSail instance we created in the Attach to an instance drop down (if its not selected already), then give your IP address a name (for example, C2CloudIP)
  • Click Create 

Add Firewall Rules

Click on the Networking tab on your instance page, scroll down to IPv4 Firewall and add the rules you require, the recommended ones for Cloud C2 are below, however I would recommend locking down as many of them as you can to an IP address you control rather than leaving them open to Any IPv4 address.

ApplicationProtocolPort or range / CodeRestricted to
SSHTCP22Any IPv4 address
HTTPTCP80Any IPv4 address
HTTPSTCP443Any IPv4 address
CustomTCP2022Any IPv4 address
CustomTCP8080Any IPv4 address

Note for home users: If you are on a broadband connection at home with a dynamic IP address that changes, you can still add a big range to afford yourself protection.

Scroll down to IPv6 networking and either disable it or configure the same ports as for IPv4 (depends on if you plan to setup DNS address for IPv6 for your domain name).

Setup your Domain Name

Point a DNS record your domain name at the Public IP address for your instance (the Static IP provided if you created one), for example myc2.mydomain.com

Connecting via SSH

To manage your LightSail instance, you’ll typically use “SSH” – its beyond the scope of this tutorial to go over SSH usage but essentially for LightSail you have two options on the Connect tab for your instance:

Browser based SSH

AWS have provided a handy browser based SSH connection to access your servers shell – this is a good ‘quick and dirty’ option to get you going and start the server updating but I would recommend using a proper SSH client long term.  To use the browser based SSH, make sure you have a rule for SSH added with the option setting enabled:

Using an SSH client

You can use your favourite SSH client to access the instance, the option to download the keys is on the Connect tab too under Download default key.  Note Windows Putty users will have to use the PuttyGen feature to convert their private key to a format Putty can understand (plenty of tutorials out there).

Configuring the Cloud C2 AWS Server

Update the OS

Update your instance by running the following

sudo apt-get update && sudo apt-get upgrade -y

If prompted to restart services automatically, say yes (unless you’re running other sensitive stuff on this box).  If prompted about the ssh configuration, keep the current one.

Install unzip

The automated bash script we’ll use from Hak5 to deploy C2 uses unzip so we must install that first:

sudo apt install unzip

Initial Install

The command below does everything we need to download the ZIP file, extract it and execute the binary for Linux on our system for the first time (grabbing our static IP to add it as a command parameter):

wget https://c2.hak5.org/dl -q -O c2.zip && unzip -qq c2.zip && IP=$(curl -s https://checkip.amazonaws.com) && echo "Copy the below setup token and browse to http://$IP:8080" && ./c2-*_amd64_linux -hostname $IP

You’ll be prompted with a screen like this, take note of the URL (though its basically your public IP address appended with :8080) and more importantly, the setup token (save this somewhere).

Run Cloud C2 Setup

In your browser, enter the address of your AWS instance, without https and specifying port 8080 as per the confirmation in the last step:

http://example.mydomain.com:8080/

At this stage, you should see the initial setup for like this one, enter the license key you got in your confirmation email from Hak5 and the setup token you got from the previous step:

Complete the forms, though I have no idea what the “Contact” field is supposed to contain (it’s mandatory).  Accept the EULA and click save.

You will be redirected to a login page and should be able to login:

Making the service AutoStart

So we have manually run the configuration but now we want it to run as a service and autostart when the server is rebooted.

Firstly, check the folder where the script deployed C2:

pwd

In my test this was /home/ubuntu/ but its probably not the idea place so I may change it later

Run the following command via SSH to create a service config file in which to put our settings for CloudC2, this makes the binary run as a service on start-up:

sudo nano /etc/systemd/system/cloudc2.service

In here, paste the following configuration, replacing hostname with your own IP address or domain name:

[Unit]
Description=Example Cloud C2
After=cloudc2.service
[Service]
Type=idle
ExecStart=/home/ubuntu/c2-3.2.0_amd64_linux -hostname examplec2.bobmckay.com -db /home/ubuntu/c2.db
[Install]
WantedBy=multi-user.target

Hit CTRL + O and then enter to write the file (save)

Hit CTRL + X to exit the editor

Flush the service daemon cache:

sudo systemctl daemon-reload

Enable the Cloud C2 service:

sudo systemctl enable cloudc2.service

Start the Cloud C2 service:

sudo systemctl start cloudc2.service

Now try browsing to your domain name using the following format: http://examplec2.bobmckay.com:8080 (not https) and you should be able to see the web interface, if you cannot, revisit the steps above:

Installing SSL

The tutorial recommends simply appending the -https switch to the launch command to configure LetsEncrypt based SSL in the background but I wasn’t sure how this could work (given you have to verify domain ownership for LetsEncrypt).

As I’d rather have more control of the process anyway, I handled the renewal  manually via the following steps:

Install LetsEncrypt:

sudo apt install letsencrypt -y

Next, ensure that the certbot timer utility (that handles automatic renewal) is set to autostart so we don’t forget and let the certificate expire:

sudo systemctl status certbot.timer

Now we need to launch certbot, confirming our domain name as we do (replace examplec2.bobmckay.com with your own domain name).  Here I have chosen dns as my preferred ‘challenge type’ (the method of confirming you own the domain name) so get ready to add a txt DNS record for your domain:

sudo certbot -d examplec2.bobmckay.com --manual --preferred-challenges dns certonly

You will be asked a couple of questions about you and logging, answer as per your preferences, finally you’ll be prompted with a message similar to the below, giving you the details of a TXT DNS record you need to create, leave this prompt open while you create the DNS record and then wait 5 minutes or so (depending on who hosts your DNS and the TTL), then press enter:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.examplec2.bobmckay.com with the following value:

O2SqWDC4tztBv5v5kH1rdA1qsEUYdnLd1PKWW_2g8Rk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

After a message stating ‘Waiting for verificiation” you should be presented with a success message saying:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/examplec2.bobmckay.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/examplec2.bobmckay.com/privkey.pem

Take note of the two file locations above as we will need to add them to our Cloud C2 launch command as switches, by adding the -https switch we tell Cloud C2 to listen on port 443 and to use SSL but the -certFile and -keyFile switches stop it from attempting any LetsEncrypt shenanigans of its own.

Let’s update our service with the new executable:

sudo nano /etc/systemd/system/cloudc2.service

In here, paste the following configuration:

[Unit]
Description=Example Cloud C2
After=cloudc2.service
[Service]
Type=idle
ExecStart=/home/ubuntu/c2-3.2.0_amd64_linux -hostname examplec2.bobmckay.com -certFile /etc/letsencrypt/live/examplec2.bobmckay.com/fullchain.pem -keyFile /etc/letsencrypt/live/examplec2.bobmckay.com/privkey.pem -https -db /home/ubuntu/c2.db
[Install]
WantedBy=multi-user.target

Hit CTRL + O and then enter to write the file (save)

Hit CTRL + X to exit the editor

Flush the service daemon cache:

sudo systemctl daemon-reload

Restart the Cloud C2 service:

sudo systemctl restart cloudc2.service

That’s it, you should now have a fully configured Cloud C2 instance in AWS with a static IP address, SSL via LetsEncrypt (which will autorenew), to access the platform via https you simply ommit any port numbers from the end of the URL an put https:// at the beginning.

If you can any errors, be sure to try an incognito window too because caching can confuse browsers easily here.

Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.

Disclosure Policy

7 comments on «Deploy Hak5 Cloud C2 on AWS LightSail (2022)»

  1. George says:

    Thank you this helped a lot! I’m still having some issues with getting my url to work with google domains though. Any ideas on what I could check?

    1. Bob McKay says:

      Hi George,
      What sort of issues/errors are you seeing?

  2. paul says:

    Awesome Tutorial 🙂

  3. Emiliano Martinez says:

    I followed the guide and I was able to get everything up and running with the exception of the MK VII Pineapple. I can ping google from within the Pineapple, but it wont connect. Is there any tips to get this to connect. Thank you again.

    1. Bob McKay says:

      Hi Emiliano, can you ping the C2 server from the PineApple and can you telnet in to the C2 server from the PineApple?

  4. John says:

    Another very helpful tutorial, thanks Bob!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.