AWS EC2

Last updated 3 months ago

#Create a Virtual Machine & Install an OS onto the VM #VM creation and configuration root@oco:~$ BROWSER > https://aws.amazon.com/ > My Account > AWS Management Console > All Services > Compute > EC2 > Instances > Instances > Launch Instances Name & Tags: Name: {MythicC2Server} Application & OS Images: Browse More AMIs: Ubuntu Server LTS (HVM), SSD Volume Type Instance Type: t2.medium/t2.large Key Pair (login): Create New Key Pair Network Settings: {default} Network: vpc-0d50648fce11e930b Subnet: no preference (Default subnet in any availability zone) Auto-assign public IP: enabled FW (security groups): Create security group Allow SSH traffic from: My IP - {xxx.xxx.xxx.xxx/32} * Anywhere 0.0.0.0/0 shouldn't be used as the C2 should only be accessible by the Red Team operators * the "Allow HTTPS traffic from the internet" option can be enabled based on requirements - e.g., beacon call backs that need to use it * the "My IP - {xxx.xxx.xxx.xxx/32 is tied to the individual's remote public IP} - this specific aws instance can be accessed ONLY by a specific IP through local port forwarding Configure Storage: 1x 30GiB gp2 Root volume (Not Encrypted) * free tier's max is 30GiB Number of Instances: 1 Launch Instance root@oco:~$ BROWSER > https://aws.amazon.com/ > View All Instances > {instanceID} * verify that the instance is running - Instance state: running

#configure root@oco:~$ BROWSER > https://aws.amazon.com/ > View All Instances > {instanceID} > Connect * acquire the ssh client connection settings root@oco:~$ ssh -i "{awsKey}.pem" ubuntu@ec2...computer.amazonaws.com * requires {key}.pem * ensure this aws vm is only accessible to the operator and that the IP is whitelisted * if you receive an SSH permission error, refer to... 2.System Administration > Windows > Open SSH > Private Key permissions #Upgrade the system repository & Upgrade the system to the newest version root@aws:~$ sudo apt update root@aws:~$ sudo apt upgrade #install dependencies root@aws:~$ sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin #Clone the Mythic C2 repository & install Mythic C2 via script root@aws:~$ mkdir -p C2 root@aws:~$ cd C2 root@aws:~$ git clone https://github.com/its-a-feature/Mythic --depth 1 root@aws:~$ cd Mythic root@aws:~$ sudo ./install_docker_ubuntu.sh * this cmd will install docker and docker compose plugin if not already installed on Ubuntu * use the specific shell script if on Kali or Debian distribution - ./install_docker_kali.sh or ./install_docker_debian.sh #build the Mythic CLI root@oco:~$ cd Mythic/Mythic_CLI root@oco:~$ sudo apt install build-essential * this is required if you get an error msg stating "make cmd not found" root@oco:~$ sudo make root@oco:~$ cp mythic-cli ../ #install Mythic Agents Payload #https://github.com/MythicAgents root@aws:~$ sudo -E ./mythic-cli install github https://github.com/MythicAgents/Apollo.git * Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings #Install the Mythic C2 Apollo agent and the http C2 Profile #install Mythic C2 Profiles #https://github.com/MythicC2Profiles root@aws:~$ sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http #Start the C2 server root@aws:~$ sudo ./mythic-cli start #access the AWS C2 server via local port forwarding root@oco:~$ ssh -i {keyFile}.pem user@AWS_EC_IP -L 7443:127.0.0.1:7443 * the Mythic C2 Server is only accessible through https://127.0.0.1:7443 and by a specific attacker IP address - this Mythic C2 server can only be accessed via local port forwarding and with the appropriate ssh key file root@aws:~$ cd C2/Mythic root@aws:~/Mythic$ cat .env * MYTHIC_ADMIN_PASSWORD="..." - this is the random password created for Mythic C2 Server * MYTHIC_ADMIN_USER="..." - this is the user credential #Access Mythic C2 via the browser root@oco:~$ BROWSER > https://127.0.0.1:7443 * the OCO VM accesses the AWS C2 server through Local Port Forwarding