PoC Go C2 server that mimics Mattermost HTTP traffic
- Untested and unpolished code
- No help menu
- No exception handling
- No corresponding client provided
- No functionality to customize Einstein's configuration
- Filenames don't really mean anything
- Intentionally free of external packages/dependencies
Clone the repository and go run Einstein.go.
| Command | Purpose |
|---|---|
list |
List registered clients |
select |
Select client |
unselect |
Unselect client |
current |
Print currently-selected client |
up |
Upload file to client |
ex |
Execute system command on client |
persist |
Install persistence on client |
down |
Download file from client |
snap |
Take screenshot of client |
exit/quit |
Shutdown server |
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v<>/plugins/webapp |
Initial beacon to register client & commence checking for pulses/heartbeats |
| POST | /api/v<>/users/status/ids |
Poll for and retrieve jobs for client + register pulse |
| POST | /api/v<>/users/ids?since=<unix_timestamp_in_milliseconds> |
Retrieve job results from client |
| GET | /static/<>.js |
File transfer to client |
- Coded against Mattermost Server 6.6.1
- Client's unique ID and name is transmitted through a combination of the
MMAUTHTOKEN,MMUSERID, andMMCSRFHTTP Cookie values - Data transmitted is usually AES-128-GCM-encrypted and then ZBase32-encoded except in the case of file transfers where it is Base64-encoded after encryption instead
- For file transfers, the final encoded data is smuggled via a minified JavaScript file used by Mattermost
- For job retrieval for client, the final encoded data is split into chunks across multiple Mattermost
statusstructures where the data resides in theUserIdfield and theStatusfield will discreetly indicate the type of job to the client