Running as a Service

Running the team server as a service allows it to start automatically when the VM starts up, which obviously saves us having to SSH in each time and start it manually. This can be done with a systemd unit file.

First, create the file in /etc/systemd/system.

attacker@ubuntu ~> sudo vim /etc/systemd/system/teamserver.service

\

Then paste the following content:

[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target

\

Next, reload the systemd manager and check the status of the service. It will be inactive/dead.

attacker@ubuntu ~> sudo systemctl daemon-reload
attacker@ubuntu ~> sudo systemctl status teamserver.service
● teamserver.service - Cobalt Strike Team Server
     Loaded: loaded (/etc/systemd/system/teamserver.service; disabled; vendor preset: enabled)
     Active: inactive (dead)

\

Start the service and check its status again.

attacker@ubuntu ~> sudo systemctl start teamserver.service
attacker@ubuntu ~> sudo systemctl status teamserver.service
● teamserver.service - Cobalt Strike Team Server
     Loaded: loaded (/etc/systemd/system/teamserver.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-09-05 08:25:26 UTC; 14s ago
   Main PID: 1406 (teamserver)
      Tasks: 19 (limit: 4620)
     Memory: 47.5M
     CGroup: /system.slice/teamserver.service
             ├─1406 /bin/bash /home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
             └─1447 ./TeamServerImage -Dcobaltstrike.server_port=50050 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 teamserver >
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Setting 'https.protocols' system property: SSLv3,SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
Sep 05 08:25:28 ubuntu teamserver[1447]: [+] I see you're into threat replication. c2-profiles/normal/webbug.profile loaded.
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Loading Windows error codes.
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Windows error codes loaded
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Loading beacons
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Loaded 0 beacons
Sep 05 08:25:28 ubuntu teamserver[1447]: [+] Team server is up on 0.0.0.0:50050
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] SHA256 hash of SSL cert is: 3bf25b6317a1c948cfad31faa0e14414d2d35f73b7947fa0bd3717ab5d0bc32d
Sep 05 08:25:28 ubuntu teamserver[1447]: [+] Listener: dns started!
Sep 05 08:25:29 ubuntu teamserver[1447]: [+] Listener: http started!

\

The service should be active/running and you will see the typical console output from the team server. Now that we know the service is working, we can tell it to start on boot.

attacker@ubuntu ~> sudo systemctl enable teamserver.service
Created symlink /etc/systemd/system/multi-user.target.wants/teamserver.service → /etc/systemd/system/teamserver.service.

\

We will now be able to connect from the Cobalt Strike client as soon as the VMs boot up.