NGINX (AWS EC2/AZURE)


NGINX PAYLOAD SERVER INSTALLATION & CONFIGURATION

#create the ec2/azure instance

#create a DNS A record pointing the nginx ec2 instance ip to {subdomain}.{domain}.{tld}
#this is required before proceeding (certbot below validates the name over HTTP, so the record must already resolve)

#connect to the ec2 virtual machine over ssh with the instance key
root@oco:~$ ssh -i {key}.pem {user}@{nginx-instance-ip}

#NGINX installation
root@NGVM: sudo apt update
root@NGVM: sudo apt install certbot python-certbot-nginx nginx
root@NGVM: sudo nano /etc/resolv.conf
 #this is mapped to the nginx ip
 nuclear.cyberwarfare.live 20.66.87.234
  - this is the mapping of the nginx vm ip to its fqdn
     - this is a local entry on the vm only, not a public DNS record
     - NOTE(review): a name/ip pair like this is hosts-file syntax rather than resolv.conf (which lists nameservers) — confirm which file is intended
 
#SSL Configuration (FOR OPSEC)
root@NGVM: sudo certbot --nginx --register-unsafely-without-email --agree-tos
 Enter your domain: nuclear.cyberwarfare.live
 Redirect HTTP traffic to HTTPS: 2 (Redirect)

 * email is not required
 * certificate keys will be stored in the following directories
    - /etc/letsencrypt/live/{nginx payloadServer domain}/fullchain.pem
    - /etc/letsencrypt/live/{nginx payloadServer domain}/privkey.pem
#download and activate a simple HTTP server to serve payloads
root@NGVM: go version
root@NGVM: sudo apt update && sudo apt upgrade -y
root@NGVM: sudo apt install golang -y

#set up the environment variables
root@NGVM: echo "export PATH=\$PATH:/usr/local/go/bin" >> ~/.bashrc
root@NGVM: source ~/.bashrc

root@NGVM: curl -LO https://github.com/projectdiscovery/simplehttpserver/releases/download/v0.0.6/simplehttpserver_0.0.6_linux_amd64.zip
 * https://github.com/projectdiscovery/simplehttpserver
 * GitHub release links redirect, so curl needs -L or it saves the redirect page instead of the zip; compare the archive's checksum with the one on the release page before unpacking a binary you will run as root

#this payload server is only meant to be accessible from a specific host
#NOTE(review): ':5555' below binds every interface, so that restriction presumably comes from the nginx proxy and the instance firewall/security group, which are not shown here — confirm they are in place
#nginx is set up to serve the payload from a special directory called /{cwl}
root@NGVM: simplehttpserver -listen ':5555' -http1
#example trigger
root@NGVM: BROWSER > {nuclear.cyberwarfare.live}
 * this should work and anyone visiting will see the nginx page
 
root@NGVM: BROWSER > {nuclear.cyberwarfare.live/arbitraryPage}
 * this will show a 404 NOT FOUND error as nothing is configured
 
#ensure that the payload server's hidden directory "cwl" can't be easily brute-forced by anyone, including the blue team - use a long string as the page name so it can't be found by gobuster/dirbuster easily
root@NGVM: BROWSER > {nuclear.cyberwarfare.live/cwl}
 * this hidden page will be accessible
