# [Backup] How Did I Take Over CobaltStrike Servers

Hi folks, today I would like to share how I took over some Cobalt Strike Team Servers using Quake and a password spray attack. From the perspective of a threat hunter, it is good to track C2 servers on the Internet. From the perspective of a hacker, it is good to compromise a host, but it is better to compromise a C2 team server and then take over all the compromised hosts connected to it : D

**Recon**

Before exploitation, we need to do some recon. Here I use Quake (https://quake.360.net) to find a list of Cobalt Strike Team Servers with weak credentials. Quake is similar to Shodan. The query is `response:"\x00\x00\xca\xfe" AND port:"50050"`.

What does it mean? Quake tries a few very simple passwords when it connects to a Cobalt Strike Team Server. If authentication succeeds, the Team Server returns `\x00\x00\xca\xfe` in its response. According to the search results, there are currently 417 records and 191 unique IPs. Of course, if you do not restrict the query to the default port, you get more results. To get complete and detailed information, a Quake subscription is recommended.

<figure class="wp-block-image size-large" id="bkmrk-">![](https://3.83.25.223/wp-content/uploads/2022/07/image-1-1024x427.png)</figure>

After getting these results, export the IPs of these Team Servers to a file. Then let's run a password spray attack against these Team Servers!

**Exploitation**

**Just a disclaimer: it is unethical and even illegal to actually take over those Team Servers. This article is just a proof of concept; it does not encourage anyone to pwn those servers, even if they may belong to unethical hackers.**

Because the Cobalt Strike Team Server has a rate limit, it is not wise to brute force a single Team Server with a big password list. Instead, we can spray a single simple password across a list of Team Servers. I downloaded and modified a script from https://github.com/ryanohoro/csbruter to make it launch a password spray attack.

<figure class="wp-block-image size-full" id="bkmrk--1">![](https://3.83.25.223/wp-content/uploads/2022/07/image-2.png)</figure>
<figure class="wp-block-image size-full" id="bkmrk--2">![](https://3.83.25.223/wp-content/uploads/2022/07/image-3.png)</figure>

Oh, among these 158 Team Servers, 24 of them use the same simple password! Just pick one and try to log in!

<figure class="wp-block-image size-full" id="bkmrk--3">![](https://3.83.25.223/wp-content/uploads/2022/07/image-4.png)</figure>

Oh no! The version of your client has to match the target Team Server's version! Actually, most of these Team Servers run version 4.0 lol.

Try another one. Cool, there are a lot of bots controlled by this Team Server! In this way we were able to find and take over some Cobalt Strike Team Servers.

<figure class="wp-block-image size-full" id="bkmrk--4">![](https://3.83.25.223/wp-content/uploads/2022/07/image-5.png)</figure>

**Tips**

The list I used is by no means an exhaustive list of Team Servers with a weak password. If you want to find more Team Servers with a weak password, here are some tips:

1. Remove the port restriction from the query and modify the script accordingly.
2. If a Team Server does not show up in the search results, that does not mean it has a strong password, since Quake only tries a few of the simplest passwords, like 123123, 123456, password, etc.
3. Try different fingerprinting methods to get a large list of Cobalt Strike Team Servers, and then spray a single simple password at them. If you are lucky, you will take over many Team Servers from the list : P

Thanks for reading! Happy hacking!