Support for Cobalt Strike HTTP Host Profiles

[pwnf]

**Is your feature request related to a problem? Please describe. **
I am trying to run BounceBack using a Cobalt Strike profile that includes a 'http-host-profiles' block, and it appears unsupported.

Describe the solution you'd like
Host profiles allow for differing URI's and variability in HTTP/S C2 within Cobalt Strike i.e. a profile variation is used based on the hostname being used at the time and allows for additional headers or parameters to be added as well as supporting a dynamic syntax for variation within the host profile itself. Ideally, BounceBack would support Host profiles. This would involve parsing the http-host-profiles block and factoring in any of the dynamic syntax into its malleable rule generation.

Describe alternatives you've considered
The alternatives would be to not use BounceBack and continue using something like Apache or Nginx as the benefit of host profiles is desired.

Additional context

Here's a screenshot of the error message:

Here is a link to the documentation describing host profiles and the dynamic syntax that can be used within a host profile:

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2_http-host-profiles.htm

[D00Movenok]

Thanks for your report!

Yeah, looks like I fully missed that section in the parser.

I'll try to fix that bug in the near future.

Aa a temporary solution, you may try not to use http-host-profiles section.

Please, let me know, if you find other bugs.

[pwnf]

I am really excited to use BounceBack on ops but I think I prefer having the dynamic http-host-profile logic to reduce how static my c2 traffic is.. Therefore, I think instead I will use the NOT wrapper rule and make some regex to filter for c2 traffic for now.

Happy to report back on anything else I observe whilst using BounceBack.

[pwnf]

I have made my own Regex so I am going to test how this goes for now. Another thing I think would be good to have would be the ability to dynamically redirect / proxy based on the . In my case I have three different host profiles that use a different CDN domain each.

If the blue team is investigating domain1.cdn.com I would like to be able to proxy them to somedomain.com or if they are investigating domin2.cdn.com, I'd like to be able to proxy them to someotherdomain.com such that the domain they are proxied or redirected to is relevant to the domain they are investigating..

I know Azure send an X-Host header, I am not sure about other CDN's.. This is probably more in the enhancement category than the bug so I could raise it elsewhere?

[D00Movenok]

If the blue team is investigating domain1.cdn.com I would like to be able to proxy them to somedomain.com or if they are investigating domin2.cdn.com, I'd like to be able to proxy them to someotherdomain.com such that the domain they are proxied or redirected to is relevant to the domain they are investigating..

Yeah, you probably could do it using independent proxy instances in config (one proxy - one cdn), e.g.

proxies:
  - name: cdn 1
    type: http
    listen: 0.0.0.0:8081 <--- one listen port
    target: http://127.0.0.1:8080
    filter_settings:
      reject_action: proxy
      reject_url: https://site1.org <--- one proxy site
    **snip**
      
  - name: cdn 2
    type: http
    listen: 0.0.0.0:8082 <--- another one listen port
    target: http://127.0.0.1:8080
    filter_settings:
      reject_action: proxy
      reject_url: https://site2.org <--- another one proxy site
    **snip**

[pwnf]

Hmm, but I don't think for example azureedge lets you specify a port.. so I'd need to put something infront of bounceback I think?

[D00Movenok]

Hmm, it is also possible to have multiple bounceback instances on different servers, so you may use the same port on different servers.

[pwnf]

Good point, if the situation requires enough opsec I guess this is an option.