Deploy Hak5 Cloud C2 on AWS LightSail with SSL

Deploy Hak5 Cloud C2 on AWS LightSail with SSL

So I treated myself to some more Hak5 kit (having previously only had the Rubber Ducky), the new devices come with access to a free Command and Control platform – called Cloud C2 – that can be run on Android, Linux or Windows.  For experimental purposes, running this on a local device (such as a Raspberry PI) is fine but when you want to do demonstrations or pen tests at client locations, you really want something Internet hosted and for simplicity that means AWS for me.

A little Googling showed the Hak5 documentation for deploying Cloud C2 on AWS LightSail (an excellent choice) but some of the commands were dated, some of them didn’t work and it was broken up in to seperate tutorials – I decided to pull it together in an updated comprehensive tutorial.

Setting up AWS LightSail

Create an Instance

Firstly, you’ll need to register for an AWS account here, once logged in, under All services click the Lightsail option.

On the Home page, click Instances (if not already on that page)

Click Create Instance

On the instance page, you’ll need to select a region in which your instance will be deployed (I generally opt for Oregon based on price)

Select Linux/Unix as your platform type

Under Select a blueprint, click OS Only

Select Ubuntu 18.04 (other versions will no doubt work but this is the version I have tested)

Scroll down and select your instance plan, Hak5 advise that Cloud C2 can run on the smallest AWS instance ($3.50 per month,  providing 512MB of memory, 1vCPU and 20GB SSD of storage) – personally I prefer to pay the extra $1.50 per month for double the memory and and storage (some users have reported issues on the smaller instance in the Hak5 forums too).

Once you are happy with your selections, click Create Instance to queue the creation of the server instance – this will show up on your instances tab, marked as Pending.  Once the server is provisioned, the Pending status will change to Running – this takes about 5 minutes typically.

Add a Static IP Address

Once provisioned, if you click on your server instance, you are presented with a number of options as tabs – if you click the Networking tab you can see your instance has been assigned a public IP address (for accessing to from the Internet) and a private IP address (for accessing from within AWS).

The Public IP address provided by AWS will change whenever you restart your instance so you should assign a static IP address to it and then point your domain name at the IP address (necessaary for adding an SSL certificate later)

On the Networking tab, next to your Public IP address is an option to Create static IP, click it

In the Attach to an instance box, ensure the instance listed is the one you have just created (if you have more than one), under Identify your static IP, give it a descriptive name (for example ‘Cloud-C2-Static-IP’).

Click Create

Add Firewall Rules

Click on the Networking tab, scroll down to IPv4 Firewall and add the rules you require, the recommended ones for Cloud C2 are below, however I would recommend locking down as many of them as you can to an IP address you control rather than leaving them open to Any IPv4 address.

Restricted to: If you are on a broadband connection at home with a dynamic IP address that changes, you can still add a big range to afford yourself protection.

ApplicationProtocolPort or range / CodeRestricted to
SSHTCP22Any IPv4 address
HTTPTCP80Any IPv4 address
HTTPSTCP443Any IPv4 address
CustomTCP2022Any IPv4 address
CustomTCP8080Any IPv4 address

Scroll down to IPv6 networking and either disable it or configure the same ports as for IPv4 (depends on if you plan to setup DNS address for IPv6 for your domain name).

Setup your Domain Name

Point your domain name at the Public IP address for your instance (the Static IP provided if you created one).

Configuring the Cloud C2 AWS Server

Update the OS

Update your instance by running the following

sudo apt-get update && sudo apt-get upgrade -y

If prompted to restart services automatically, say yes (unless you’re running other sensitive stuff on this box).  If prompted about the ssh configuration, keep the current one.

Get your Cloud C2 License

In order to install the Cloud C2 software, you will need to either purchase a paid version or get the community version – even for the free community version, you need to need to go through the ecommerce site and “buy” it for a zero payment: https://hak5.org/products/c2#c2-versions.

Once you have done this, you will receive a license code email similar to this:

To activate Cloud C2 server(s) you'll will need the following license key(s):
Community Edition (1 user(s), 1 site(s), 10 devices): 6JB4-8TI5-Q194-223D

Save this somewhere, you’ll need it during setup.

Download the binary to your server

On the official tutorials, there is a wget command that is supposed to download the latest copy of the software from the Hak5 C2 dowloads section but it doesn’t appear to be working so you’ll need to download it manually.  I’ve put a copy of the zip file on my blog but can make no guarantees about it, if you are struggling to find a way to get the file on your instance, you can use the following command:

wget http://bobmckay.com/wp-content/uploads/2021/10/c2-3.1.2_amd64_linux.zip

If you are downloading the whole ZIP pack from the Hak5 C2 dowloads section, the  file you’ll need from it is the one similarly named to c2-3.1.2_amd64_linux (the version number may have changed).

Alternatively, there are various methods of tranferring files to your AWS instance with some examples here: https://docs.aws.amazon.com/transfer/latest/userguide/transfer-file.html

If your method of getting the binary on to your server is with it zipped, you’ll need to install the unzip utility to unpack it, you can do so with the following:

sudo apt install unzip

Then you can unzip the file simply using:

unzip c2-3.1.2_amd64_linux.zip

Install the Cloud C2 binary

Once you have the binary on your machine, navigate to its folder (if you’re not in it already) and use the move command to place it somewhere more appropriate:

sudo mv c2-3.1.2_amd64_linux /usr/local/bin

Make the file executable

sudo chmod +x /usr/local/bin/c2-3.1.2_amd64_linux

Make a folder for the software database to sit in:

sudo mkdir /var/cloudc2

Run Cloud C2 Setup

While we will be running Cloud C2 as a service, in order to complete the initial setup we need to execute the binary manually to retrieve a setup token, in the example below I’ve used the public IP address of my EC2 instance but you can also use your domain name:

/usr/local/bin/c2-3.1.2_amd64_linux -hostname 192.123.123.123 -db /var/cloudc2/c2.db

You will see a message similar to the one below:

[*] Initializing Hak5 Cloud C2 v3.1.2
[*] Hostname: 192.123.123.123
[*] DB Path: c2.db
[*] First Start. Initializing...
[*] Initial Setup Required - Setup token: DN3A-RTDJ-O6RB-WH3I
[*] Running Hak5 Cloud C2

Save the setup token somewhere safe, it will be needed for the setup step.

In your browser, enter the address of your AWS instance, without https and specifying port 8080:

http://example.mydomain.com:8080/

At this stage, you should see the initial setup for like this one:

Complete the forms, though I have no idea what the “Contact” field is supposed to contain (it’s mandatory).  Accept the EULA and click save.

Create a service config file in which to put our settings for CloudC2, this makes the executable run as a service on start-up:

sudo nano /etc/systemd/system/cloudc2.service

In here, paste the following configuration:

[Unit]
Description=Example Cloud C2
After=cloudc2.service
[Service]
Type=idle
ExecStart=/usr/local/bin/c2-3.1.2_amd64_linux -hostname examplec2.bobmckay.com -db /var/cloudc2/c2.db
[Install]
WantedBy=multi-user.target

Flush the service daemon cache:

sudo systemctl daemon-reload

Enable the Cloud C2 service:

sudo systemctl enable cloudc2.service

Start the Cloud C2 service:

sudo systemctl start cloudc2.service

Now try browsing to your domain name using the following format: http://examplec2.bobmckay.com:8080 (not https) and you should be able to see the web interface, if you cannot, revisit the steps above:

Installing SSL

The tutorial recommends simply appending the -https switch to the launch command to configure LetsEncrypt based SSL in the background but I wasn’t sure how this could work (given you have to verify domain ownership for LetsEncrypt).

As I’d rather have more control of the process anyway, I handled the renewal  manually via the following steps:

Install LetsEncrypt:

sudo apt install letsencrypt -y

Next, ensure that the certbot timer utility (that handles automatic renewal) is set to autostart so we don’t forget and let the certificate expire:

sudo systemctl status certbot.timer

Now we need to launch certbot, confirming our domain name as we do (replace examplec2.bobmckay.com with your own domain name).  Here I have chosen dns as my preferred ‘challenge type’ (the method of confirming you own the domain name) so get ready to add a txt DNS record for your domain:

certbot -d examplec2.bobmckay.com --manual --preferred-challenges dns certonly

You will be asked a couple of questions about you and logging, answer as per your preferences, finally you’ll be prompted with a message similar to the below, giving you the details of a TXT DNS record you need to create, leave this prompt open while you create the DNS record and then wait 5 minutes or so (depends on who hosts your DNS), then press enter:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.examplec2.bobmckay.com with the following value:

O2SqWDC4tztBv5v5kH1rdA1qsEUYdnLd1PKWW_2g8Rk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

After a message stating ‘Waiting for verificiation” you should be presented with a success message saying:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/examplec2.bobmckay.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/examplec2.bobmckay.com/privkey.pem

Take note of the two file locations above as we will need to add them to our Cloud C2 launch command as switches, by adding the -https switch we tell Cloud C2 to listen on port 443 and to use SSL but the -certFile and -keyFile switches stop it from attempting any LetsEncrypt shenanigans of its own.

Let’s update our service with the new executable:

sudo nano /etc/systemd/system/cloudc2.service

In here, paste the following configuration:

[Unit]
Description=Example Cloud C2
After=cloudc2.service
[Service]
Type=idle
ExecStart=/usr/local/bin/c2-3.1.2_amd64_linux -hostname examplec2.bobmckay.com -db /var/cloudc2/c2.db -certFile /etc/letsencrypt/live/examplec2.bobmckay.com/fullchain.pem -keyFile /etc/letsencrypt/live/examplec2.bobmckay.com/privkey.pem -https
[Install]
WantedBy=multi-user.target

Flush the service daemon cache:

sudo systemctl daemon-reload

Enable the Cloud C2 service:

sudo systemctl enable cloudc2.service

Start the Cloud C2 service:

sudo systemctl start cloudc2.service

That’s it, you should now have a fully configured Cloud C2 instance in AWS with a static IP address, SSL via LetsEncrypt (which will autorenew)!

Bob McKay

About Bob McKay

Bob is Director of Operations at Perfect Image, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Loves love, tolerance and co-existance. Hates hate. Is aware of the irony of hating hate.

Disclosure Policy

One comment on “Deploy Hak5 Cloud C2 on AWS LightSail with SSL

  1. Bruece says:

    Thanks for sharing

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.