#4 LAVAEL: Deploy Threat Actor VM

Vladyslav Diadenko
3 min read · Nov 10, 2024


In this virtual machine, a Command and Control (C2) server and an HTTP server will be set up. After a successful simulated phishing attempt, the fictional victim will connect to this server. The simplest C2 implementation was taken from the Atomic Red Team project.

Vagrant.configure("2") do |config|
  config.vm.define "threat_actor" do |ta_vm|
    ta_vm.vm.box = "debian/bullseye64"
    ta_vm.ssh.insert_key = false
    ta_vm.vm.hostname = "threat-actor-vm"
    ta_vm.nfs.verify_installed = false
    ta_vm.vm.synced_folder '.', '/vagrant', disabled: true
    ta_vm.vm.provider :libvirt do |libvirt|
      libvirt.management_network_name = 'lab_wan_adversary'
      libvirt.management_network_address = '203.0.113.0/24'
      libvirt.cpus = 1
      libvirt.memory = 1024
    end

    # Lab-only: enable root SSH login with a password on the adversary VM
    ta_vm.vm.provision "shell", privileged: true, inline: <<-SHELL
      echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
      sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart sshd
    SHELL
  end
end

Run the Vagrant VM

vagrant up threat_actor

Create the /setup-vm directory

sudo mkdir -p /setup-vm
sudo chown root:root /setup-vm
sudo chmod 0755 /setup-vm

Configure networking by editing /etc/network/interfaces

source-directory /etc/network/interfaces.d

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 203.0.113.50/24
gateway 203.0.113.254
dns-nameservers 203.0.113.254

Add a default route

sudo ip route add default via 203.0.113.254 dev eth0 onlink

Overwrite /etc/resolv.conf with the new DNS server address (the redirection must run as root, so use tee rather than a redirected cat)

sudo tee /etc/resolv.conf > /dev/null <<EOF
nameserver 192.0.2.14
EOF

Restart networking and reconnect using the new IP 203.0.113.50

sudo systemctl restart networking

Create directories with the specified ownership and permissions

sudo mkdir -p /root/c2 /root/http-server
sudo chown root:root /root/c2 /root/http-server
sudo chmod 0755 /root/c2 /root/http-server

Create /root/c2/openssl.cnf

[req]
default_bits = 4096
default_md = sha256
default_keyfile = key.pem
prompt = no
encrypt_key = no

distinguished_name = req_distinguished_name

[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
O = Internet Widgits Pty Ltd
OU = IT Department
CN = yourdomain.com
emailAddress = admin@yourdomain.com

Generate the self-signed certificate and key using OpenSSL

sudo openssl req -x509 -newkey rsa:4096 -keyout "/root/c2/key.pem" -out "/root/c2/cert.pem" -days 365 -nodes -config "/root/c2/openssl.cnf"

Create a systemd service for the simple HTTP server

sudo tee /etc/systemd/system/simple-http-server.service > /dev/null <<EOF
[Unit]
Description=Simple HTTP Server
After=network.target

[Service]
ExecStart=/usr/bin/env python3 -m http.server 80 --directory /root/http-server
Restart=always

[Install]
WantedBy=multi-user.target
EOF

sudo chmod 0644 /etc/systemd/system/simple-http-server.service
sudo systemctl daemon-reload
sudo systemctl enable simple-http-server.service
sudo systemctl start simple-http-server.service

Golang Installation

Install required packages

sudo apt update
sudo apt install -y curl

For simplicity, let’s use a specific Go version, for example, 1.20.3. You can change the version as needed.

GO_VERSION=1.20.3
curl -Lo /tmp/go${GO_VERSION}.linux-amd64.tar.gz "https://golang.org/dl/go${GO_VERSION}.linux-amd64.tar.gz"

Remove any previous Go installations

sudo rm -rf /usr/local/go

Extract the downloaded archive

sudo tar -C /usr/local -xzf /tmp/go${GO_VERSION}.linux-amd64.tar.gz

Clean up the downloaded tar file

rm /tmp/go${GO_VERSION}.linux-amd64.tar.gz

Set up Go environment variables in .profile

echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile
echo 'export GOPATH=$HOME/go' >> ~/.profile
echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.profile

Source the profile file manually

source ~/.profile

Create a symlink to the Go binary

sudo ln -s /usr/local/go/bin/go /usr/local/bin/go

Verify Go installation

/usr/local/go/bin/go version

Next, I will compile the “fictional malicious program”, written in Go, for use later in the lab. More generally, this VM can be used to cross-compile any code that will later be executed in the Windows VM.

First, install the additional tools:

sudo apt install -y socat expect net-tools

Compile the Go script to a Windows executable

sudo env GOOS=windows GOARCH=amd64 go build -o /root/http-server/wallet_update_f4332.exe /setup-vm/files-encryption.go

To listen for connections on port 443, run the following command:

cd /root/c2/
openssl s_server -quiet -key key.pem -cert cert.pem -port 443
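As an added example (mine, not code from the original post or from the Atomic Red Team project), here is detection logic a defender on the victim's side could run over Zeek-style ssl.log and http.log records to spot both of this VM's services: the openssl s_server C2 on port 443, whose certificate from the openssl.cnf above is self-signed (subject equals issuer), carries OpenSSL's placeholder subject fields, and is reached by bare IP with no SNI; and the Windows executable staged on the python3 http.server on port 80. The log lines are constructed to match the lab addresses, and the Zeek JSON field names are assumed from Zeek's default output.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed Zeek-style JSON log lines for the lab network; not real captures.
# CAb1: the victim reaching the openssl s_server C2 on 203.0.113.50:443.
# CAb2: an ordinary TLS session with a CA-issued certificate, for contrast.
SAMPLE_SSL_LINES = [
    '{"ts": 1731240000.1, "uid": "CAb1", "id.orig_h": "198.51.100.10", "id.orig_p": 49811, '
    '"id.resp_h": "203.0.113.50", "id.resp_p": 443, "version": "TLSv12", '
    '"subject": "CN=yourdomain.com,OU=IT Department,O=Internet Widgits Pty Ltd,L=Some-City,ST=Some-State,C=US", '
    '"issuer": "CN=yourdomain.com,OU=IT Department,O=Internet Widgits Pty Ltd,L=Some-City,ST=Some-State,C=US", '
    '"validation_status": "self signed certificate"}',
    '{"ts": 1731240005.7, "uid": "CAb2", "id.orig_h": "198.51.100.10", "id.orig_p": 49812, '
    '"id.resp_h": "198.51.100.200", "id.resp_p": 443, "version": "TLSv13", "server_name": "www.example.org", '
    '"subject": "CN=www.example.org,O=Example Inc,C=US", '
    '"issuer": "CN=Example Issuing CA,O=Example Trust Services,C=US", "validation_status": "ok"}',
]
# CAb3: the staged payload fetched from the python3 http.server on 203.0.113.50:80.
# CAb4: a plain HTML page fetch, for contrast.
SAMPLE_HTTP_LINES = [
    '{"ts": 1731239990.3, "uid": "CAb3", "id.orig_h": "198.51.100.10", "id.orig_p": 49810, '
    '"id.resp_h": "203.0.113.50", "id.resp_p": 80, "method": "GET", "host": "203.0.113.50", '
    '"uri": "/wallet_update_f4332.exe", "status_code": 200, "resp_mime_types": ["application/x-dosexec"]}',
    '{"ts": 1731239995.0, "uid": "CAb4", "id.orig_h": "198.51.100.10", "id.orig_p": 49813, '
    '"id.resp_h": "198.51.100.201", "id.resp_p": 80, "method": "GET", "host": "www.example.org", '
    '"uri": "/index.html", "status_code": 200, "resp_mime_types": ["text/html"]}',
]

# Subject fields that the openssl.cnf above leaves at OpenSSL's own placeholder values.
PLACEHOLDER_DN_VALUES = {
    "O": "Internet Widgits Pty Ltd",
    "ST": "Some-State",
    "L": "Some-City",
    "CN": "yourdomain.com",
}
EXECUTABLE_MIME_TYPES = {"application/x-dosexec", "application/x-msdownload"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a Zeek-style 'CN=a,O=b,C=US' distinguished name into a dict."""
    fields: Dict[str, str] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_ip_literal(value) -> bool:
    """True when the host/SNI value is an IP address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def tls_findings(rec: dict) -> List[str]:
    """Reasons an ssl.log record looks like the lab C2; empty list when benign."""
    reasons: List[str] = []
    subject, issuer = rec.get("subject"), rec.get("issuer")
    if subject and subject == issuer:
        reasons.append("self-signed certificate (subject == issuer)")
    elif "self signed" in str(rec.get("validation_status", "")).lower():
        reasons.append("certificate validation failed: self-signed")
    if subject:
        hits = [k for k, v in PLACEHOLDER_DN_VALUES.items() if parse_dn(subject).get(k) == v]
        if hits:
            reasons.append("OpenSSL placeholder subject fields: " + ",".join(hits))
    # Missing SNI only matters once the certificate itself is suspicious.
    if reasons and not rec.get("server_name"):
        reasons.append("no SNI: client connected to a bare IP")
    return reasons


def http_findings(rec: dict) -> List[str]:
    """Reasons an http.log record looks like the staged payload download."""
    reasons: List[str] = []
    uri = (rec.get("uri") or "").lower()
    mimes = rec.get("resp_mime_types") or []
    if uri.endswith(".exe") or any(m in EXECUTABLE_MIME_TYPES for m in mimes):
        reasons.append("Windows executable downloaded over plain HTTP")
        if is_ip_literal(rec.get("host")):
            reasons.append("Host header is a bare IP literal")
    return reasons


def find_suspicious(ssl_lines: List[str], http_lines: List[str]) -> List[dict]:
    """Run both detections over JSON log lines and collect flagged connections."""
    findings = []
    for source, lines, scorer in (("ssl", ssl_lines, tls_findings), ("http", http_lines, http_findings)):
        for line in lines:
            rec = json.loads(line)
            reasons = scorer(rec)
            if reasons:
                findings.append({"log": source, "uid": rec["uid"],
                                 "dest": f"{rec['id.resp_h']}:{rec['id.resp_p']}",
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_SSL_LINES, SAMPLE_HTTP_LINES):
        print(finding["log"], finding["uid"], finding["dest"], "; ".join(finding["reasons"]))
```

Run against the constructed lines, only CAb1 (the TLS session to 203.0.113.50:443) and CAb3 (the .exe fetched from 203.0.113.50:80) are reported; the two contrast records produce no reasons. The placeholder-subject check is the cheapest signal to tune out of a real pipeline by editing openssl.cnf, which is exactly why a detection engineer should pair it with the subject-equals-issuer and missing-SNI checks rather than rely on it alone.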
