Running the team server as a service allows it to start automatically when the VM starts up, which obviously saves us having to SSH in each time and start it manually. This can be done with a systemd unit file.
First, create the file in /etc/systemd/system.
attacker@ubuntu ~> sudo vim /etc/systemd/system/teamserver.service
\
Then paste the following content:
[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
[Install]
WantedBy=multi-user.target
\
Next, reload the systemd manager and check the status of the service. It will be inactive/dead.
attacker@ubuntu ~> sudo systemctl daemon-reload
attacker@ubuntu ~> sudo systemctl status teamserver.service
● teamserver.service - Cobalt Strike Team Server
Loaded: loaded (/etc/systemd/system/teamserver.service; disabled; vendor preset: enabled)
Active: inactive (dead)
\
Start the service and check its status again.
attacker@ubuntu ~> sudo systemctl start teamserver.service
attacker@ubuntu ~> sudo systemctl status teamserver.service
● teamserver.service - Cobalt Strike Team Server
Loaded: loaded (/etc/systemd/system/teamserver.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2022-09-05 08:25:26 UTC; 14s ago
Main PID: 1406 (teamserver)
Tasks: 19 (limit: 4620)
Memory: 47.5M
CGroup: /system.slice/teamserver.service
├─1406 /bin/bash /home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
└─1447 ./TeamServerImage -Dcobaltstrike.server_port=50050 -Dcobaltstrike.server_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 teamserver >
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Setting 'https.protocols' system property: SSLv3,SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
Sep 05 08:25:28 ubuntu teamserver[1447]: [+] I see you're into threat replication. c2-profiles/normal/webbug.profile loaded.
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Loading Windows error codes.
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Windows error codes loaded
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Loading beacons
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] Loaded 0 beacons
Sep 05 08:25:28 ubuntu teamserver[1447]: [+] Team server is up on 0.0.0.0:50050
Sep 05 08:25:28 ubuntu teamserver[1447]: [*] SHA256 hash of SSL cert is: 3bf25b6317a1c948cfad31faa0e14414d2d35f73b7947fa0bd3717ab5d0bc32d
Sep 05 08:25:28 ubuntu teamserver[1447]: [+] Listener: dns started!
Sep 05 08:25:29 ubuntu teamserver[1447]: [+] Listener: http started!
\
The service should be active/running and you will see the typical console output from the team server. Now that we know the service is working, we can tell it to start on boot.