17 February 2022

tldr; If you want an update and working copy of httpsc2doneright, grab it here - https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/httpsc2doneright.sh

If you're a Cobalt Strike user, it's almost certain that at some point you've used Alex Rymdeko-Harvey's httpsc2doneright script. In a nutshell, it automates the process of requesting a Let's Encrypt certificate and converts it into a format usable by Cobalt Strike for your HTTPS comms. However, if you have indeed used this script, you will know that it no longer works.

The script relied on calling letsencrypt-auto, which, depending on the Linux distro you are using, might not be supported.

Thankfully, this is easily updated by directly calling certbot after installing it from apt. Outside of asking for you to provide the domain you want a certificate for, password for the java keystore, and path to Cobalt Strike (where the profile and keystore will be saved), the updated script is still automated and will finish with a sample Amazon profile configured to use the java keystore for HTTPS comms. All that's left for you to do is copy that block of code into your actual malleable profile (perhaps one that is generated by C2Concealer) and then you're set for HTTPS with a legitimate certificate.

A few smaller things have been updated, such as if a dependency isn't met, the script will auto-download it and continue with obtaining the SSL cert and generating the keystore.

Now, would you use a HTTPS certificate from Let's Encrypt for your C2 comms? Maybe not on a red team, but possibly if you have something in between you and the targeted system such as a CDN, or an Azure Function, which only requires a valid certificate and will not present your Let's Encrypt cert to the endpoint. That's going to be scenario dependent, and a call for you to make. Regardless, hope this script helps to automate some steps and save you some time.

We hope you found this quick update useful. If you have any feedback, we'd love to hear it! As always, you can reach us via Twitter, LinkedIn, and through our website.