So I treated myself to some more Hak5 kit (having previously only had the Rubber Ducky), the new devices come with access to a free Command and Control platform – called Cloud C2 – that can be run on Android, Linux or Windows. For experimental purposes, running this on a local device (such as a [easyazon_link keywords=”Raspberry PI” locale=”US” tag=”bobmckay-20″]Raspberry PI[/easyazon_link]) is fine but when you want to do demonstrations or pen tests at client locations, you really want something Internet hosted and for simplicity that means AWS for me.
A little Googling showed the Hak5 documentation for deploying Cloud C2 on AWS LightSail (an excellent choice) but some of the commands were dated, some of them didn’t work and it was broken up in to seperate tutorials – I decided to pull it together in an updated comprehensive tutorial.
Setting up AWS LightSail
Create an Instance
Firstly, you’ll need to register for an AWS account here, once logged in, under All services click the Lightsail option.
On the Home page, click Instances (if not already on that page)
Click Create Instance
On the instance page, you’ll need to select a region in which your instance will be deployed (I generally opt for Oregon based on price)
Select Linux/Unix as your platform type
Under Select a blueprint, click OS Only
Select Ubuntu 18.04 (other versions will no doubt work but this is the version I have tested)
Scroll down and select your instance plan, Hak5 advise that Cloud C2 can run on the smallest AWS instance ($3.50 per month, providing 512MB of memory, 1vCPU and 20GB SSD of storage) – personally I prefer to pay the extra $1.50 per month for double the memory and and storage (some users have reported issues on the smaller instance in the Hak5 forums too).
Once you are happy with your selections, click Create Instance to queue the creation of the server instance – this will show up on your instances tab, marked as Pending. Once the server is provisioned, the Pending status will change to Running – this takes about 5 minutes typically.
Add a Static IP Address
Once provisioned, if you click on your server instance, you are presented with a number of options as tabs – if you click the Networking tab you can see your instance has been assigned a public IP address (for accessing to from the Internet) and a private IP address (for accessing from within AWS).
The Public IP address provided by AWS will change whenever you restart your instance so you should assign a static IP address to it and then point your domain name at the IP address (necessaary for adding an SSL certificate later)
On the Networking tab, next to your Public IP address is an option to Create static IP, click it
In the Attach to an instance box, ensure the instance listed is the one you have just created (if you have more than one), under Identify your static IP, give it a descriptive name (for example ‘Cloud-C2-Static-IP’).
Click Create
Add Firewall Rules
Click on the Networking tab, scroll down to IPv4 Firewall and add the rules you require, the recommended ones for Cloud C2 are below, however I would recommend locking down as many of them as you can to an IP address you control rather than leaving them open to Any IPv4 address.
Restricted to: If you are on a broadband connection at home with a dynamic IP address that changes, you can still add a big range to afford yourself protection.
Application | Protocol | Port or range / Code | Restricted to |
---|---|---|---|
SSH | TCP | 22 | Any IPv4 address |
HTTP | TCP | 80 | Any IPv4 address |
HTTPS | TCP | 443 | Any IPv4 address |
Custom | TCP | 2022 | Any IPv4 address |
Custom | TCP | 8080 | Any IPv4 address |
Scroll down to IPv6 networking and either disable it or configure the same ports as for IPv4 (depends on if you plan to setup DNS address for IPv6 for your domain name).
Setup your Domain Name
Point your domain name at the Public IP address for your instance (the Static IP provided if you created one).
Configuring the Cloud C2 AWS Server
Update the OS
Update your instance by running the following
sudo apt-get update && sudo apt-get upgrade -y
If prompted to restart services automatically, say yes (unless you’re running other sensitive stuff on this box). If prompted about the ssh configuration, keep the current one.
Get your Cloud C2 License
In order to install the Cloud C2 software, you will need to either purchase a paid version or get the community version – even for the free community version, you need to need to go through the ecommerce site and “buy” it for a zero payment: https://hak5.org/products/c2#c2-versions.
Once you have done this, you will receive a license code email similar to this:
To activate Cloud C2 server(s) you'll will need the following license key(s): Community Edition (1 user(s), 1 site(s), 10 devices): 6JB4-8TI5-Q194-223D
Save this somewhere, you’ll need it during setup.
Download the binary to your server
On the official tutorials, there is a wget command that is supposed to download the latest copy of the software from the Hak5 C2 dowloads section but it doesn’t appear to be working so you’ll need to download it manually. I’ve put a copy of the zip file on my blog but can make no guarantees about it, if you are struggling to find a way to get the file on your instance, you can use the following command:
wget http://bobmckay.com/wp-content/uploads/2021/10/c2-3.1.2_amd64_linux.zip
If you are downloading the whole ZIP pack from the Hak5 C2 dowloads section, the file you’ll need from it is the one similarly named to c2-3.1.2_amd64_linux (the version number may have changed).
Alternatively, there are various methods of tranferring files to your AWS instance with some examples here: https://docs.aws.amazon.com/transfer/latest/userguide/transfer-file.html
If your method of getting the binary on to your server is with it zipped, you’ll need to install the unzip utility to unpack it, you can do so with the following:
sudo apt install unzip
Then you can unzip the file simply using:
unzip c2-3.1.2_amd64_linux.zip
Install the Cloud C2 binary
Once you have the binary on your machine, navigate to its folder (if you’re not in it already) and use the move command to place it somewhere more appropriate:
sudo mv c2-3.1.2_amd64_linux /usr/local/bin
Make the file executable
sudo chmod +x /usr/local/bin/c2-3.1.2_amd64_linux
Make a folder for the software database to sit in:
sudo mkdir /var/cloudc2
Run Cloud C2 Setup
While we will be running Cloud C2 as a service, in order to complete the initial setup we need to execute the binary manually to retrieve a setup token, in the example below I’ve used the public IP address of my EC2 instance but you can also use your domain name:
/usr/local/bin/c2-3.1.2_amd64_linux -hostname 192.123.123.123 -db /var/cloudc2/c2.db
You will see a message similar to the one below:
[*] Initializing Hak5 Cloud C2 v3.1.2 [*] Hostname: 192.123.123.123 [*] DB Path: c2.db [*] First Start. Initializing... [*] Initial Setup Required - Setup token: DN3A-RTDJ-O6RB-WH3I [*] Running Hak5 Cloud C2
Save the setup token somewhere safe, it will be needed for the setup step.
In your browser, enter the address of your AWS instance, without https and specifying port 8080:
http://example.mydomain.com:8080/
At this stage, you should see the initial setup for like this one:
Complete the forms, though I have no idea what the “Contact” field is supposed to contain (it’s mandatory). Accept the EULA and click save.
Create a service config file in which to put our settings for CloudC2, this makes the executable run as a service on start-up:
sudo nano /etc/systemd/system/cloudc2.service
In here, paste the following configuration:
[Unit] Description=Example Cloud C2 After=cloudc2.service [Service] Type=idle ExecStart=/usr/local/bin/c2-3.1.2_amd64_linux -hostname examplec2.bobmckay.com -db /var/cloudc2/c2.db [Install] WantedBy=multi-user.target
Flush the service daemon cache:
sudo systemctl daemon-reload
Enable the Cloud C2 service:
sudo systemctl enable cloudc2.service
Start the Cloud C2 service:
sudo systemctl start cloudc2.service
Now try browsing to your domain name using the following format: http://examplec2.bobmckay.com:8080 (not https) and you should be able to see the web interface, if you cannot, revisit the steps above:
Installing SSL
The tutorial recommends simply appending the -https switch to the launch command to configure LetsEncrypt based SSL in the background but I wasn’t sure how this could work (given you have to verify domain ownership for LetsEncrypt).
As I’d rather have more control of the process anyway, I handled the renewal manually via the following steps:
Install LetsEncrypt:
sudo apt install letsencrypt -y
Next, ensure that the certbot timer utility (that handles automatic renewal) is set to autostart so we don’t forget and let the certificate expire:
sudo systemctl status certbot.timer
Now we need to launch certbot, confirming our domain name as we do (replace examplec2.bobmckay.com with your own domain name). Here I have chosen dns as my preferred ‘challenge type’ (the method of confirming you own the domain name) so get ready to add a txt DNS record for your domain:
certbot -d examplec2.bobmckay.com --manual --preferred-challenges dns certonly
You will be asked a couple of questions about you and logging, answer as per your preferences, finally you’ll be prompted with a message similar to the below, giving you the details of a TXT DNS record you need to create, leave this prompt open while you create the DNS record and then wait 5 minutes or so (depends on who hosts your DNS), then press enter:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.examplec2.bobmckay.com with the following value: O2SqWDC4tztBv5v5kH1rdA1qsEUYdnLd1PKWW_2g8Rk Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
After a message stating ‘Waiting for verificiation” you should be presented with a success message saying:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/examplec2.bobmckay.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/examplec2.bobmckay.com/privkey.pem
Take note of the two file locations above as we will need to add them to our Cloud C2 launch command as switches, by adding the -https switch we tell Cloud C2 to listen on port 443 and to use SSL but the -certFile and -keyFile switches stop it from attempting any LetsEncrypt shenanigans of its own.
Let’s update our service with the new executable:
sudo nano /etc/systemd/system/cloudc2.service
In here, paste the following configuration:
[Unit] Description=Example Cloud C2 After=cloudc2.service [Service] Type=idle ExecStart=/usr/local/bin/c2-3.1.2_amd64_linux -hostname examplec2.bobmckay.com -db /var/cloudc2/c2.db -certFile /etc/letsencrypt/live/examplec2.bobmckay.com/fullchain.pem -keyFile /etc/letsencrypt/live/examplec2.bobmckay.com/privkey.pem -https [Install] WantedBy=multi-user.target
Flush the service daemon cache:
sudo systemctl daemon-reload
Enable the Cloud C2 service:
sudo systemctl enable cloudc2.service
Start the Cloud C2 service:
sudo systemctl start cloudc2.service
That’s it, you should now have a fully configured Cloud C2 instance in AWS with a static IP address, SSL via LetsEncrypt (which will autorenew)!
Thanks for sharing
No worries Bruece, glad it helped and thanks for commenting!
Great Job sir, Worked Like a charm. Thanks,
No worries DJ and thanks for commenting – nice to know people find it useful!
I couldn’t tell you how helpful this has been, but I wouldn’t complain if you gave the steps to add the SSL certificate to the device so it’ll populate on Cloud C2.
Either way, thank you for simplifying it; it helped tremendously!
Hey Taylor,
Thanks for commenting! It’s always good to know when my posts help people! I’ll review this when I get a moment and add the SSL instructions too! 🙂
This is great and thank you. I have an error code though. Overseer cannot move binary exit status 1.
/usr/local/bin/c2-3.1.2_amd64_linux -hostname 192.123.123.123 -db /var/cloudc2/c2.db < This step.
I substituted my own static IP instead but still getting the error
Hi Leon,
There is an updated version of the tutorial available here: https://bobmckay.com/i-t-support-networking/ethical-hacking/deploy-hak5-cloud-c2-on-aws-lightsail-2022/