Easy C2 Over The Trello API

Easy C2 over Trello’s API (Proof-of-Idea)

By: Fabrizio Siciliano (@0rbz_)

Replace 12/30/2019

Eliminated hardcoded API key and Token, use enter() as a substitute.

1. Create a Trello account: https://trello.com/signup
2. As soon as logged in, get your API key: https://trello.com/app-key
3. Generate a Token (similar web page as app-key, observe the “Token” hyperlink)
4. Save each API key and Token, they’re utilized in each the agent and operator scripts.
5. Browse to your board https://trello.com/b/[random]/[membername].json to get the listing ID which is required within the agent script. You’ll find this within the json output underneath the “lists” merchandise and inside the “Issues To Do” merchandise “id” worth.

Utilization

1. Run agent.py on the goal system. That is the implant, and as soon as run, will provide the operator with a “CID” worth. That is the cardboard ID and is required on the operator-side.
2. Run the operator.py script on the attacker host. It’s going to immediate for the agent’s CID which is offered at agent.py runtime.
3. Do what thou wilt…
4. The operator script at the moment solely has two instructions; “show_commands” and “kill_implant”. The “show_commands” command merely prints the assistance menu whereas the “kill_implant” command deletes the cardboard related to agent which terminates the agent connection. Typing “?” on the operator immediate can even show the instructions menu.

Limitations

• The Trello API “description” discipline for playing cards, which is used for quickly storing instructions and ensuing command output, is restricted in dimension. I believe it is one thing round 16k characters. That is OK for many instructions, nevertheless, instructions that return giant output will trigger the agent to die because of the Trello API returning a 400 Dangerous Request (dimension too giant) standing. Be conscious of instructions and their anticipated outputs. I will ultimately work in some logic to find out command output dimension earlier than sending it again to trello’s servers for operator consumption.

• This isn’t OPSEC-safe. All instructions and command output will quickly cross by means of Trello’s servers and output will exist within the brokers’ “card” in cleartext quickly. Though the site visitors is TLS encrypted (in-transit) courtesy of Trello, and though the operator script makes an effort to “wipe the slate” away from the command output, there is no telling whether or not this data is saved indefinitely. Ideally, the instructions and command output ought to be saved to a “card” in an encrypted format, (i.e., AES), pulled down, and decrypted domestically. This hasn’t been constructed into the instrument but, and in its present state would require the machine the agent lives on to have sure libraries which could not be current in a default situtation. (One thing to work on)

• The operator script and implant are at the moment each designed to be run on Linux-based packing containers. Home windows implants are a piece in progress at this cut-off date.

Misc

Be aware: That is merely a proof-of-concept to show authentic companies as command and management infrastructure and is 100% in alpha dev. Use at your personal danger and on methods you’ve got been approved to entry. (i.e., wherever the agent lives)

Credit (concepts and ideas impressed by different works):