Reading Time: < 1 minute

Following the really interesting article of Tek : https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

Where he described how to get a valid URL for CobaltStrike, I tried to check if it was the same for Metasploit as he mentionned.

Didier Stevens also has this in his tools : https://blog.didierstevens.com/2020/01/27/update-hash-py-version-0-0-8/

hash.py -a checksum8 #aaa9 => 15c => 5C == 92 which is a valid MetaSploit Checksum.

But testing it myself, showed it didn’t work on my Metasploit C2C server.

Looking again at the Metasploit source code : https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/payloads/meterpreter/uri_checksum.rb

a few other checks popup and there is a minimum length calculation.

So I changed the minimum length from Tek’s code to 27

Output of the tool is :

wget –no-check-certificate -O metasploit.bin –user-agent=”Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko” https://192.168.1.5/aaaaaaaaaaaaaaaaaaaaaaaaaiz

Bingo, the meterpreter is being downloaded.

0