mitre / sandcat


A CALDERA plugin

Home Page: https://caldera.mitre.org/

License: Apache License 2.0

Python 9.75% Go 88.84% Shell 0.67% Roff 0.22% HTML 0.22% Perl 0.11% Vue 0.18%
caldera-plugin caldera

sandcat's Introduction

MITRE Caldera Plugin: Sandcat Agent

A plugin supplying a default agent to be used in a Caldera operation.

Read the full docs

sandcat's People

Contributors

ajunlee, anaterth, artificialermine, blackwidow0616, brianedmonds90, christophert, clenk, cmagone, cyber-arsenull, elegantmoose, garunagiri, jstroud-mitre, khyberspache, kiwings, michael-the-jones, mrengstrom, neptunia, nopfor, pascal-0x90, privateducky, protoli, pviossat, raviserota, scottctaylor12, sloane4, thewover, tvpatterson, unkempthenry, uruwhy, wbooth

sandcat's Issues

shellcode_amd64 executor crashes agent

Describe the bug
The sandcat agent crashes and the connection between it and Caldera is lost (no heartbeat) when executing shellcode using the shellcode_amd64 executor on a Windows 10 system.

To Reproduce
Steps to reproduce the behavior:
Target system: Windows 10 22H2
Caldera: latest (4.2.0)
Sandcat: latest

  1. Open Powershell on the Windows machine and exec sandcat.exe to get a callback to Caldera
  2. Make an ability using the shellcode_amd64 executor and put in a simple nop
  3. Execute the operation. The agent will crash, the heartbeats will cease and an error will be displayed in Powershell

Here is the text

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0xa688b9]

goroutine 28 [running]:
syscall.(*Proc).Call(0x2?, {0xc0000cfa40?, 0x64d6a514?, 0x36699b4c?})
        /usr/local/go/src/syscall/dll_windows.go:190 +0x19
github.com/mitre/gocat/execute/shellcode.Runner({0xc0000a3e30, 0x1, 0x28034c30598?})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode_windows.go:28 +0x65
github.com/mitre/gocat/execute/shellcode.(*Shellcode).Run(0x0?, {0xc0000a3e28?, 0x0?}, 0x100000000000000?, {0xc00014ea50, 0xc00014e9f0, {0x0, 0x0, 0x0}, 0xc00014ea20})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode.go:34 +0xe5
github.com/mitre/gocat/execute.RunCommand({0xc00014ea50, 0xc00014e9f0, {0x0, 0x0, 0x0}, 0xc00014ea20})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/execute.go:80 +0x436
github.com/mitre/gocat/agent.(*Agent).runInstructionCommand(0x0?, 0xc00014e9f0)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:282 +0x157
github.com/mitre/gocat/agent.(*Agent).RunInstruction(0xc0000cab60, 0x0?, 0x1)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:263 +0x3f
created by github.com/mitre/gocat/core.runAgent
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/core/core.go:100 +0xcea

Expected behavior
The given shellcode is executed.

Desktop (please complete the following information):

  • OS: Caldera on Ubuntu 20 using Python3.8, target system running Windows 10 (see screenshot above)
  • Browser: Firefox
  • Version: Caldera and Sandcat are latest versions

Additional context
I tested the shellcode functionality on Linux (Kali) and it seemed to work fine.
The same error code is also shown in a cmd prompt

Support for Darwin on arm64

The current build for Darwin runs only on Intel-based systems. ARM-based machines like the MacBook M1 fail.

...
$ ./splunkd -server $server -v
zsh: bad CPU type in executable: ./splunkd

Executable is Intel only:

file splunkd
splunkd: Mach-O 64-bit executable x86_64

Desired state:

$ file splunkd 
splunkd: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64
- Mach-O 64-bit executable x86_64] [arm64]
splunkd (for architecture x86_64):	Mach-O 64-bit executable x86_64
splunkd (for architecture arm64):	Mach-O 64-bit executable arm64
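The `file` output above is the only check in the report; the following Go program is an added example (not part of sandcat or this issue) that does the same check offline by parsing the Mach-O headers with the standard library's debug/macho package, and distinguishes a thin x86_64 image from a universal one that carries an arm64 slice. The sample images it builds in thinHeader and fatImage are constructed test data (a bare 64-bit header with no load commands), not real executables; the CPU-name mapping mirrors what `file` prints.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// archName maps a Mach-O CPU type to the name `file` prints for it.
func archName(c macho.Cpu) string {
	switch c {
	case macho.Cpu386:
		return "i386"
	case macho.CpuAmd64:
		return "x86_64"
	case macho.CpuArm:
		return "arm"
	case macho.CpuArm64:
		return "arm64"
	case macho.CpuPpc:
		return "ppc"
	case macho.CpuPpc64:
		return "ppc64"
	}
	return c.String()
}

// Arches lists the architectures in a Mach-O image: one entry for a thin
// binary, one per slice for a universal (fat) binary. Non-Mach-O input is an error.
func Arches(data []byte) ([]string, error) {
	r := bytes.NewReader(data)
	fat, err := macho.NewFatFile(r)
	if err == nil {
		var out []string
		for _, a := range fat.Arches {
			out = append(out, archName(a.FatArchHeader.Cpu))
		}
		return out, nil
	}
	if !errors.Is(err, macho.ErrNotFat) {
		return nil, err // not Mach-O at all (script, ELF, PE, ...)
	}
	thin, err := macho.NewFile(r)
	if err != nil {
		return nil, err
	}
	return []string{archName(thin.Cpu)}, nil
}

// RunsOn reports whether the image contains a slice for the given CPU type;
// an Intel-only build answers false for macho.CpuArm64.
func RunsOn(data []byte, cpu macho.Cpu) (bool, error) {
	arches, err := Arches(data)
	if err != nil {
		return false, err
	}
	for _, a := range arches {
		if a == archName(cpu) {
			return true, nil
		}
	}
	return false, nil
}

// thinHeader builds a minimal little-endian 64-bit Mach-O header with no load
// commands, padded to 64 bytes. Constructed test data, not a real executable.
func thinHeader(cpu macho.Cpu) []byte {
	buf := make([]byte, 64)
	le := binary.LittleEndian
	le.PutUint32(buf[0:], macho.Magic64)
	le.PutUint32(buf[4:], uint32(cpu))
	le.PutUint32(buf[12:], uint32(macho.TypeExec)) // subtype, ncmds, sizeofcmds, flags stay 0
	return buf
}

// fatImage glues thin images into a universal binary: a big-endian fat header,
// one fat_arch record per slice, then the slices themselves.
func fatImage(cpus ...macho.Cpu) []byte {
	const fatHeaderSize, fatArchSize = 8, 20
	be := binary.BigEndian
	hdr := make([]byte, fatHeaderSize+fatArchSize*len(cpus))
	be.PutUint32(hdr[0:], macho.MagicFat)
	be.PutUint32(hdr[4:], uint32(len(cpus)))
	var slices []byte
	for i, cpu := range cpus {
		img := thinHeader(cpu)
		rec := hdr[fatHeaderSize+i*fatArchSize:]
		be.PutUint32(rec[0:], uint32(cpu))
		be.PutUint32(rec[8:], uint32(len(hdr)+len(slices))) // offset of this slice
		be.PutUint32(rec[12:], uint32(len(img)))            // size of this slice
		slices = append(slices, img...)
	}
	return append(hdr, slices...)
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: machoarch <file>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	arches, err := Arches(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: %v\n", os.Args[1], arches)
	if ok, _ := RunsOn(data, macho.CpuArm64); !ok {
		fmt.Println("no arm64 slice: expect 'bad CPU type in executable' on Apple silicon")
		os.Exit(1)
	}
}
```

Usage: `go run machoarch.go ./splunkd`. To produce the desired universal build, compile once per architecture (GOOS=darwin GOARCH=amd64 and GOOS=darwin GOARCH=arm64) and merge the two outputs with Apple's `lipo -create -output splunkd splunkd_amd64 splunkd_arm64`; the checker then reports both slices.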

Outdated gocat revision linked

Describe the bug
Build errors occur when including proxy_receiver_http.go.

To be a little bit more precise, here is a list of all errors I encountered when compiling gocat:

# github.com/mitre/gocat/proxy
proxy/proxy_receiver_http.go:52:37: cannot use &HttpReceiver{} (type *HttpReceiver) as type P2pReceiver in assignment:
        *HttpReceiver does not implement P2pReceiver (wrong type for InitializeReceiver method)
                have InitializeReceiver(*string, *contact.Contact, *sync.WaitGroup) error
                want InitializeReceiver(string, contact.Contact, *sync.WaitGroup) error
proxy/proxy_receiver_http.go:308:18: undefined: GetLocalIPv4Addresses
# github.com/mitre/gocat/proxy
proxy/proxy_receiver_http.go:52:37: cannot use &HttpReceiver{} (type *HttpReceiver) as type P2pReceiver in assignment:
        *HttpReceiver does not implement P2pReceiver (wrong type for InitializeReceiver method)
                have InitializeReceiver(*string, *contact.Contact, *sync.WaitGroup) error
                want InitializeReceiver(string, contact.Contact, *sync.WaitGroup) error
# github.com/mitre/gocat/proxy
proxy/proxy_receiver_http.go:52:37: cannot use &HttpReceiver{} (type *HttpReceiver) as type P2pReceiver in assignment:
        *HttpReceiver does not implement P2pReceiver (missing UpdateUpstreamComs method)
# github.com/mitre/gocat/proxy
proxy/proxy_receiver_http.go:52:37: cannot use &HttpReceiver{} (type *HttpReceiver) as type P2pReceiver in assignment:
        *HttpReceiver does not implement P2pReceiver (missing UpdateUpstreamServer method)

And when looking into these lines, I found that the changes the buildsystem complains about were pretty recent in the following commit e736a5d

But the linked version of gocat is on commit mitre/gocat@1b4b19c which is older. So I just checked out master for the gocat repository and it works like a charm.

As I installed caldera with the plugins as suggested in the documentation, via a recursive git clone, the master branch of sandcat is checked out, but as it stands the gocat extensions are not aligned with the state of the code in the gocat repository at the revision referenced.

To Reproduce
Steps to reproduce the behavior:

  1. clone sandcat repository (I did so as part of recursively cloning caldera 3.1.0) on branch master
  2. copy gocat-extensions/proxy/proxy_receiver_http.go to gocat/proxy
  3. build gocat using go build

Expected behavior
Successful compilation

Suggested Solution
Reference a newer commit of the gocat repository.
OR: Reference an older commit of the sandcat repository in the caldera repository

System:

  • OS: Manjaro Linux [Kernel version 5.11.10]
  • Go: version go1.16.2 linux/amd64

GoLang Binary Issue

When running the Sandcat GoLang agent for Linux, it fails. It looks like the Go binary breaks when it is decoding the HTTP response (probably over the SSL cert). Is there a fix available for this issue?

Starting sandcat in verbose mode.
[*] Attempting to set channel HTTP
Beacon API=/beacon
[*] Set communication channel to HTTP
initial delay=0
server=https://xxxxxxxxxx/file/download
group=red
privilege=User
allow local p2p receivers=false
beacon channel=HTTP
[-] Failed to decode HTTP response: illegal base64 data at input byte 3
[-] beacon: DEAD
[-] Failed to decode HTTP response: illegal base64 data at input byte 3
[-] beacon: DEAD
[-] Failed to decode HTTP response: illegal base64 data at input byte 3
[-] beacon: DEAD

check_go_dependencies() fails with non-empty dependencies list

Describe the bug

def check_go_dependencies(self):
    """
    Returns True if the golang dependencies are met for this module, False if not.
    """
    for d in self.dependencies:
        # runs in the server's working directory, not in the gocat module
        dep_result = subprocess.run('go list "{}"'.format(d), shell=True,
                                    stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
        if (dep_result.stdout.decode()).strip() != d:
            return False
    return True

check_go_dependencies() seems to return False whenever self.dependencies is a non-empty list. It runs the command "go list [dep_name]", but the working directory is the root of the Caldera server, which is not a Go module.

To Reproduce
Steps to reproduce the behavior:

  1. Ensure Go dependencies are installed by running go mod download in gocat directory.
  2. Start Caldera server.
  3. Try to compile Sandcat with any gocat-extension that has a Go dependency.
    server="http://caldera01.red:8888"; curl -s -X POST -H "file:sandcat.go" -H "platform:linux" -H "gocat-extensions:dns_tunneling" $server/file/download > splunkd

Expected behavior
Sandcat successfully compiles with the expected gocat-extension instead of omitting it over allegedly missing dependencies.

Desktop (please complete the following information):

  • OS: CentOS Stream 8
  • Browser: Google Chrome v89
  • Version: Caldera Server 3.1.0

Possible fix?
Adding cwd='./plugins/sandcat/gocat' to the options of the call to subprocess.run() call referenced above fixes the issue for me.

Invalid argument in _compile_new_agent

sandcat/app/sand_svc.py

Lines 62 to 74 in 4d849d4

if 'CC' in compile_options[platform].keys() and which(compile_options[platform]['CC']) is not None:
    compile_options[platform]['cflags'] += ' CC=%s' % compile_options[platform]['CC']
    # key is deleted from compile_options to use dict as kwargs for called function.
    del compile_options[platform]['CC']
await self._compile_new_agent(platform=platform,
                              headers=headers,
                              compile_target_name='shared.go',
                              output_name=name,
                              buildmode='--buildmode=c-shared',
                              **compile_options[platform],
                              flag_params=default_flag_params,
                              extension_names=extension_names,
                              compile_target_dir='gocat/shared')

The entry CC is not removed from the dict if which(compile_options[platform]['CC']) returns None, which causes an invalid argument exception when calling the _compile_new_agent method if MinGW is not installed.

It is stated in the ability using this functionality (Inject sandcat into a process, for instance) that it requires MinGW to run, but it would be better to throw a more explicit exception here.

Executing issues with Sandcat agent

I'm testing some adversary emulation on Caldera and I'm using Sandcat as the agent to deploy operations. I have this ability with just an executable called Backstab and it runs fine both locally and with Sandcat. Its behavior: it drops a Procexp driver, creates the service and kills a protected program leveraging Procexp.

To test further techniques I use SharpSploit to embed Backstab, and this SharpSploit+Backstab runs as expected when executed locally on the victim system. But if I execute the same binary from Caldera with Sandcat it executes fine (the Procmon logs match the previous local execution) but no actions take place (the protected process is not killed). In addition, the dropped driver is supposed to be deleted before the execution ends, but this deletion does not happen, and if I try to delete it manually the system complains that the file is in use. So it's as if the execution never ended and the service is still running, although Caldera marks the operation as successful.

My impression is that somehow the execution is stopped by the agent or Caldera. It is weird that Procmon logs are the same, that's why I'm suspicious of Sandcat. I have all defenses disabled. I am testing on a Windows 10. I have tried with Manx agent but I'm having other issues running Manx agents so I cannot test this.

Return stderr and stdout if any stderr results from command execution

If any stderr results from a command execution, only stderr is returned as the command output to the caldera api server.

This can affect troubleshooting of the command execution as useful information may be present in stdout.

Both stderr and stdout are returned if the command execution times out.

I propose that the same occurs if any stderr results from command execution.

I have raised a PR #419 as a proposed solution.
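As an added example of the behaviour proposed above (this is illustrative code, not gocat's execute package or the contents of PR #419), the runner below captures stdout and stderr into separate buffers, records the exit status, and still returns whatever was written when the command is killed on timeout. Output() combines the two streams only when stderr is non-empty, which is one way to realise the proposal; the shell and command arguments are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// Result carries everything needed to troubleshoot a command on the server
// side: both streams, the exit status, and whether the deadline fired.
type Result struct {
	Stdout   string
	Stderr   string
	ExitCode int // -1 when the process was killed or could not start
	TimedOut bool
}

// Output returns stdout alone for a clean run, and stdout followed by stderr
// whenever the command wrote anything to stderr, so stdout is never dropped.
func (r Result) Output() string {
	if r.Stderr == "" {
		return r.Stdout
	}
	return r.Stdout + r.Stderr
}

// RunCommand runs `shell -c command` under a deadline. Stdout and stderr are
// captured separately; on timeout the process is killed and the partial
// output collected so far is returned together with TimedOut=true.
func RunCommand(parent context.Context, timeout time.Duration, shell, command string) Result {
	ctx, cancel := context.WithTimeout(parent, timeout)
	defer cancel()

	cmd := exec.CommandContext(ctx, shell, "-c", command)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	err := cmd.Run()

	res := Result{Stdout: stdout.String(), Stderr: stderr.String()}
	var exitErr *exec.ExitError
	switch {
	case errors.Is(ctx.Err(), context.DeadlineExceeded):
		res.TimedOut = true
		res.ExitCode = -1
	case errors.As(err, &exitErr):
		res.ExitCode = exitErr.ExitCode()
	case err != nil:
		// e.g. shell binary not found: surface it where the operator looks
		res.ExitCode = -1
		res.Stderr += err.Error()
	}
	return res
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: runcmd '<shell command>'")
		os.Exit(2)
	}
	r := RunCommand(context.Background(), 30*time.Second, "sh", os.Args[1])
	fmt.Printf("exit=%d timedout=%v\n--- stdout ---\n%s--- stderr ---\n%s", r.ExitCode, r.TimedOut, r.Stdout, r.Stderr)
}
```

Note the timeout case: a killed `sh` whose grandchildren still hold the output pipe can keep cmd.Run waiting; the test below uses `exec` so the kill reaches the long-running process itself.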

An error "interface {} is nil, not string" appears when sandcat is started

Hello,
I tried to execute a sandcat on my Windows 2016 VM in AWS cloud and I get following error:
panic: interface conversion: interface {} is nil, not string

I tried to execute the sandcat under Administrator as well. Same issue

Here you can see the complete output when the sandcat is executed:

PS C:\users\public> .\sandcat.exe -server "http://10.X.X.X:8888" -group WinEng
[+] Connectivity not established
[+] beacon: ALIVE
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
_/Users/davidhunt/Desktop/toolbox/caldera/plugins/sandcat/gocat/api.Instructions(0xc000068f00, 0x1)
        /Users/davidhunt/Desktop/toolbox/caldera/plugins/sandcat/gocat/api/api.go:44 +0x4d7
main.askForInstructions(0xc000068f00)
        /Users/davidhunt/Desktop/toolbox/caldera/plugins/sandcat/gocat/sandcat.go:20 +0x47
main.main()
        /Users/davidhunt/Desktop/toolbox/caldera/plugins/sandcat/gocat/sandcat.go:69 +0x2d2
PS C:\users\public>


Connectivity between the Windows host and Caldera instance was checked - it's reachable and port 8888 is accessible.

Thanks for any hints.

Sandcat AV removal

How can I deploy the sandcat agent on a remote Windows machine while AV (ESET or Windows Defender) doesn't allow it? I have Go installed on caldera:
root@caldera:~# go version
go version go1.18.1 linux/amd64

Any ideas?

Sandcat Beacon Does Not Actually Beacon

Describe the bug
Okay yes, the Sandcat agent does beacon; however, due to the way the Golang HTTP client works, it will not close a session until something like resp.Body.Close() is run.

If you look at this function GetPayloadBytes

func (a *API) GetPayloadBytes(profile map[string]interface{}, payload string) ([]byte, string) {

It uses defer resp.Body.Close() to close out the response from the request made by the HTTP client. This will close out that session. If you look at
response := a.beaconContact.GetBeaconBytes(profile)
the response is never closed. Checking the implementation of GetBeaconBytes shows that it does not close the response either.

TL;DR - A Sandcat payload that only beacons will show up as large sessions in a PCAP file due to the lack of closing out the session on each callback. A Sandcat payload that needs to read bytes from a command executed will have broken up sessions due to the GetPayloadBytes implementation having proper closing of sessions.

Funnily enough, this actually causes beacon detection tools such as RITA to completely miss the beaconing however, if one was to identify anomalous connections based on session length or connection time, this beacon would be easy to notice.

To Reproduce
Steps to reproduce the behavior:

  1. Use Sandcat beacon in caldera
  2. Infect Linux host
  3. Monitor traffic with Wireshark

Expected behavior
I expect the PCAP to be multiple sessions per callback.

Desktop (please complete the following information):

  • Target OS: Linux
  • Attacker OS: Linux
  • Version: Latest

Additional context
I am attempting to do beacon analysis and making use of caldera to help with doing some preliminary analysis. The Sandcat beacon was the only one I noticed this issue with.

How do I generate a DLL I can use in Windows?

I'm trying to generate a DLL for use in Windows but I can't seem to figure out how to do that. I did see the documentation on the shared extension

shared extension provides the C sharing functionality for Sandcat. This can be used to compile Sandcat as a DLL rather than a .exe for Windows targets.

but I'm not exactly sure how to implement it. I tried the following:

$server="http://1.1.1.1:8888";
$url="$server/file/download";
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("platform","windows");
$wc.Headers.add("file","sandcat.go");
$wc.Headers.add("gocat-extensions","donut,shellcode,shared");
$wc.Headers.add("server","http://1.1.1.1:8888");
$wc.Headers.add("group","windows");
$data=$wc.DownloadData($url);
[io.file]::WriteAllBytes("C:\Users\Public\sandcat.dll",$data) | Out-Null;

but my DLL isn't usable. What's the correct way to generate a DLL? Thanks!

sandcat.go error

I'm new to this; it seems to me that the caldera tool is a very practical solution.

I just did the latest update, modified /conf/local.yml to server 0.0.0.0:8888, modified /gocat/sandcat.go to server:https://0.0.0.0:8888, modified servers.txt to 0.0.0.0:8888, and following the instructions ran

GOOS=windows go build -ldflags="-s -w" sandcat.go
GOOS=linux go build -ldflags="-s -w" sandcat.go
GOOS=darwin go build -ldflags="-s -w" sandcat.go

and copied the new files to stockpile/payloads; when executing the Quick start commands I get the errors:

[54ndc47] beaconing
panic: interface conversion: interface {} is nil, not [] interface {}

goroutine 1 [running]:
main.stayInTouch(0x6a3f35, 0x14, 0xc42001a490, 0x10, 0xc42001c300, 0x17, 0x6a03cc, 0x6)
        /home/ubuntu/caldera/plugins/sandcat/gocat/sandcat.go:17 +0x2da
main.main()
        /home/ubuntu/caldera/plugins/sandcat/gocat/sandcat.go:42 +0x1eb

I think (I'm not a programmer) that the error is in: server := "https://localhost:8888", since in Go a line is commented with //

Thanks for the help

Sandcat panics and crashes if launched on a docker container in Azure on a non-public network

Describe the bug
I am deploying Caldera in Azure Containers using a Private network (no public IP address assigned). The ENTRYPOINT in the docker image points to a bash file that launches the server, then builds and runs the sandcat agent on the same container.

What I notice is that the execution of sandcat crashes with the following error

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x6d6fb9]

goroutine 1 [running]:
github.com/grandcat/zeroconf.(*Resolver).Browse(0x0, 0x819040, 0xc000070800, 0x7a47d6, 0xf, 0x7a1ca8, 0x6, 0xc000072120,0xa424a0, 0x7f748e746d98)
/root/go/pkg/mod/github.com/grandcat/[email protected]/client.go:92 +0xc9
github.com/mitre/gocat/agent.(*Agent).DiscoverPeers(0xc0000be500)
/usr/src/app/plugins/sandcat/gocat/agent/agent.go:530 +0x19d
github.com/mitre/gocat/agent.(*Agent).Initialize(0xc0000be500, 0x7fff25cc37ca, 0x18, 0x7fff25cc37ea, 0x3, 0xc000077200, 0x787f00, 0x0, 0x0, 0x0, ...)
/usr/src/app/plugins/sandcat/gocat/agent/agent.go:123 +0x42d
github.com/mitre/gocat/agent.AgentFactory(0x7fff25cc37ca, 0x18, 0x7fff25cc37ea, 0x3, 0xc000077200, 0xc00007ce00, 0x0, 0x0, 0x0, 0x0, ...)
/usr/src/app/plugins/sandcat/gocat/agent/agent_factory.go:7 +0xc5
github.com/mitre/gocat/core.initializeCore(0x7fff25cc37ca, 0x18, 0x7fff25cc37ea, 0x3, 0xc000077200, 0x7f748e746d00, 0x0,0x4caf00, 0x0, 0x0, ...)
/usr/src/app/plugins/sandcat/gocat/core/core.go:22 +0xbd
github.com/mitre/gocat/core.Core(0x7fff25cc37ca, 0x18, 0x7fff25cc37ea, 0x3, 0x0, 0xc000077200, 0xc000090000, 0x0, 0x0, 0x0)
/usr/src/app/plugins/sandcat/gocat/core/core.go:27 +0xc0
main.main()
/usr/src/app/plugins/sandcat/gocat/sandcat.go:45 +0x60e

This error does not occur when I launch the same container with a Publicly assigned IP address.

To Reproduce
Steps to reproduce the behavior:

  1. Prepare a Docker image from the latest caldera release
  2. Add the following launch script on the image
    launch copy.txt
    (rename it as launch.sh)
  3. Modify the Dockerfile ENTRYPOINT to look like : ENTRYPOINT ["/bin/bash", "launch.sh"]
  4. build the image on your local docker
  5. push the image to Azure on your Azure registry of choice
  6. Deploy an instance of your image and Select "Private" on the networking step in the deployment wizard
  7. Watch the logs of the instance

Expected behavior
The sandcat client should launch without panicking. This does not happen when a publicly assigned IP is configured in the container.

Desktop (please complete the following information):
Not dependent on the desktop setup. Deployment is on Azure.

Additional context
I am preparing an automated lab where caldera auto deploys in Docker and the same instance also has a sandcat client that I can immediately use to run operations.

How to run Sandcat with DNS tunneling contact

I'd like to experiment with Sandcat's DNS tunneling functionality. I've got it compiling with the DNS tunneling extension, but I can't figure out how to pass the DNS contact address to Sandcat. Any tips? Thank you!

54ndc47 agent doesn't start on Linux (Ubuntu 18.04.2 LTS)

If I try to start the 54ndc47 agent on Ubuntu 18.04.2 LTS, I get this error:

emilio@emilio-VivoBook:~$ eval "$(curl -sk -X POST -H "file:54ndc47.sh" https://localhost:8888/file/render)"
base64: invalid input
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.6/json/__init__.py", line 299, in load
    parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "/usr/lib/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.6/json/decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)
[54ndc47] registration failed

While in the terminal where the server is running:

ERROR:aiohttp.server:Error handling request
Traceback (most recent call last):
  File "/home/emilio/.local/lib/python3.6/site-packages/aiohttp/web_protocol.py", line 390, in start
    resp = await self._request_handler(request)
  File "/home/emilio/.local/lib/python3.6/site-packages/aiohttp/web_app.py", line 366, in _handle
    resp = await handler(request)
  File "/home/emilio/.local/lib/python3.6/site-packages/aiohttp/web_middlewares.py", line 106, in impl
    return await handler(request)
  File "/home/emilio/.local/lib/python3.6/site-packages/aiohttp_session/__init__.py", line 152, in factory
    response = await handler(request)
  File "/home/emilio/.local/lib/python3.6/site-packages/aiohttp/web_middlewares.py", line 96, in impl
    return await handler(request)
  File "/home/emilio/Scrivania/caldera/plugins/sandcat/app/sand_api.py", line 22, in registration
    data = json.loads(self.utility_svc.decode_bytes(await request.read()))
  File "/usr/lib/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.6/json/decoder.py", line 355, in raw_decode
    obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Unterminated string starting at: line 1 column 57 (char 56)

While if I start the 54ndc47 agent in PowerShell (still on Ubuntu 18.04.2 LTS) everything is fine. What am I missing?

Sandcat Fails to Launch on 32bit Windows

Describe the bug
Based on reading a few of the issues in mitre/caldera sounds like a known issue/feature request. This specifically relates to the agent deployment as part of Caldera.

Discussion here mitre/caldera/pull/1091 & here mitre/caldera/issues/537 & here caldera/issues/2178, & here mitre/caldera/issues/61

However when attempting to deploy the agent on 32bit Windows 10 using the default Caldera commands, the deployment fails with the following message:

Start-Process : This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
At line:1 char:561
+ ...  | Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -Argume ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

To Reproduce
Steps to reproduce the behavior:

  1. Copy New Agent creation code from caldera into a 32bit Windows 10 host and run

Expected behavior
Agent is deployed and sandcat is dynamically compiled or pulls from preset of payloads to support 32bit architecture

Desktop (please complete the following information):

  • Caldera: Kali Current Version running in Docker
  • Host: Windows 10 32bit VM

Sandcat network resiliency

Describe the bug
When the sandcat agent is running on a device with Zscaler active, we can get occasional network errors, which stop later command processing, but do not result in any data returned to the console indicating a problem / apparent retries.

To Reproduce
Run the sandcat agent (I'm using a slightly updated version of 5.0.0) in verbose mode.
Have Zscaler ZIA enabled. I believe other tools that interfere with network traffic would have a similar impact.
Execute an operation.

Some actions (I have not yet found a commonality) result in errors like the following:
Failed to decode HTTP response: illegal base64 data at input byte 0
or similarly
Failed to perform HTTP request: Post "https://xxxxx/beacon": read tcp 10.XX.XXX.XXX:58794->XXX.XXX.XX.X:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

After this occurs, we return to a status of receiving [+] Beacon (HTTP): ALIVE messages, and the agent shows as live within the Caldera UI. However the step associated with this never errors out / retries in the Caldera UI, resulting in the test 'freezing' waiting for a status that will never come until the operation times out.

The screenshot below was taken well after 10 minutes after the last successful action listed in the operation UI.

Expected behavior
The agent should either retry the failed operation, or at a minimum have some kind of status data returned denoting a failure.

Desktop (please complete the following information):
Latest version of Chrome / Edge in use, but not really relevant since it's impacting the sandcat agent.
Sandcat agent tested on current updates for Win 10 / Win 11.

api.go error

I downloaded the sandcat.go file on the target computer, but I get this error when trying to execute it:
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
_/Users/amanners/MITRE_Projects/caldera/plugins/sandcat/gocat/contact.API.GetInstructions(0xc00005cc30, 0xc000080008)
        /Users/amanners/MITRE_Projects/caldera/plugins/sandcat/gocat/contact/api.go:48 +0x52b
main.runAgent(0x750be0, 0x943650, 0xc00005cc30)
        /Users/amanners/MITRE_Projects/caldera/plugins/sandcat/gocat/sandcat.go:34 +0x448
main.main()
        /Users/amanners/MITRE_Projects/caldera/plugins/sandcat/gocat/sandcat.go:111 +0x658
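The three panics quoted on this page ("interface {} is nil, not string" in api.Instructions and GetInstructions, "interface {} is nil, not []interface {}" in stayInTouch) are all the same Go failure: a one-value type assertion on a map[string]interface{} entry that is absent or null because the server did not answer as expected. The parser below is an added example, not gocat's api.go; the field names and the two accepted encodings of "instructions" (a JSON list, or a string holding one) are assumptions for the demonstration. It turns every malformed reply into an error the agent can log and retry on, and LegacyInstructions shows the comma-ok form of the assertion that stops the panic in map-based code.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Instruction is an assumed shape for one entry of the instructions list.
type Instruction struct {
	ID       string `json:"id"`
	Command  string `json:"command"`
	Executor string `json:"executor"`
}

// beaconReply keeps "instructions" raw so its actual JSON type can be checked
// before anything is converted.
type beaconReply struct {
	Instructions json.RawMessage `json:"instructions"`
}

// ParseInstructions decodes a beacon reply without unchecked type assertions,
// returning an error for missing, null or mistyped fields instead of panicking.
func ParseInstructions(body []byte) ([]Instruction, error) {
	var reply beaconReply
	if err := json.Unmarshal(body, &reply); err != nil {
		return nil, fmt.Errorf("beacon reply is not JSON: %w", err)
	}
	// json.RawMessage holds the literal "null" for a null value and is empty
	// when the key is absent; both are the cases that crash a bare assertion.
	if len(reply.Instructions) == 0 || string(reply.Instructions) == "null" {
		return nil, errors.New(`beacon reply has no "instructions" value (beacon rejected, or not a Caldera server)`)
	}
	var list []Instruction
	var asString string
	if err := json.Unmarshal(reply.Instructions, &asString); err == nil {
		// encoding 1: a string containing a JSON list
		if err := json.Unmarshal([]byte(asString), &list); err != nil {
			return nil, fmt.Errorf(`"instructions" string is not a JSON list: %w`, err)
		}
		return list, nil
	}
	// encoding 2: a JSON list directly
	if err := json.Unmarshal(reply.Instructions, &list); err != nil {
		return nil, fmt.Errorf(`"instructions" is neither a list nor a string: %w`, err)
	}
	return list, nil
}

// LegacyInstructions reads the same field through a generic map, the style in
// the stack traces above, using the two-value assertion so a nil or mistyped
// value is reported rather than panicking.
func LegacyInstructions(body []byte) (string, error) {
	var out map[string]interface{}
	if err := json.Unmarshal(body, &out); err != nil {
		return "", err
	}
	// out["instructions"].(string) would panic here when the key is absent or null.
	s, ok := out["instructions"].(string)
	if !ok {
		return "", fmt.Errorf("instructions is %T, not string", out["instructions"])
	}
	return s, nil
}

func main() {
	// constructed sample reply, not captured from a server
	sample := []byte(`{"instructions":"[{\"id\":\"1\",\"command\":\"whoami\",\"executor\":\"sh\"}]"}`)
	list, err := ParseInstructions(sample)
	fmt.Println(list, err)
	_, err = ParseInstructions([]byte(`{"status":"rejected"}`))
	fmt.Println("missing field ->", err)
}
```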

Sandcat fails to start when whoami is not found

Describe the bug
Sandcat agent fails on startup when whoami command is not found on the platform.

if usernameBytes, err := exec.Command("whoami").CombinedOutput(); err == nil {

To Reproduce
Steps to reproduce the behavior:

  1. Temp remove whoami e.g. rename, alter path etc
  2. Launch sandcat agent -v
./sandcat-arm64 -v
Starting sandcat in verbose mode.
[-] Error when initializing agent: exec: "whoami": executable file not found in $PATH
[-] Exiting.

Expected behavior
Not all platforms have whoami -- soft-fail instead of a terminal error?

Desktop (please complete the following information):

  • arm64 / IoT / debian
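An added example of the soft-fail suggested above (illustrative code, not sandcat's agent initialisation): the username is resolved from a list of sources in order, starting with os/user, then the whoami binary the agent currently depends on, then the environment, and a platform with none of them gets a placeholder plus a loggable error rather than a fatal exit. The source order and the "unknown" placeholder are choices made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strings"
)

// resolveUsername tries each source in order and returns the first non-empty
// answer. When every source fails it still returns a usable placeholder and
// an error that lists why each one failed, so start-up can continue.
func resolveUsername(sources ...func() (string, error)) (string, error) {
	var reasons []string
	for _, src := range sources {
		out, err := src()
		if err == nil {
			if s := strings.TrimSpace(out); s != "" {
				return s, nil
			}
			err = errors.New("empty result")
		}
		reasons = append(reasons, err.Error())
	}
	return "unknown", fmt.Errorf("could not determine username: %s", strings.Join(reasons, "; "))
}

// fromOSUser asks the runtime; this needs no external binary.
func fromOSUser() (string, error) {
	u, err := user.Current()
	if err != nil {
		return "", err
	}
	return u.Username, nil
}

// fromWhoami is the existing approach, kept as a fallback; a missing binary
// yields exec's "executable file not found in $PATH" error instead of an exit.
func fromWhoami() (string, error) {
	out, err := exec.Command("whoami").CombinedOutput()
	return string(out), err
}

// fromEnv is the last resort on stripped-down IoT images.
func fromEnv() (string, error) {
	for _, k := range []string{"USER", "USERNAME", "LOGNAME"} {
		if v := os.Getenv(k); v != "" {
			return v, nil
		}
	}
	return "", errors.New("no USER/USERNAME/LOGNAME in environment")
}

// Username is the soft-failing replacement for a hard exit on whoami: the
// error is returned for verbose logging, never treated as terminal.
func Username() (string, error) {
	return resolveUsername(fromOSUser, fromWhoami, fromEnv)
}

func main() {
	name, err := Username()
	if err != nil {
		fmt.Fprintf(os.Stderr, "[-] %v (continuing as %q)\n", err, name)
	}
	fmt.Printf("username=%s\n", name)
}
```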
