
John Hammond Explores Loki C2 Tool for Penetration Testing on Electron Applications
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In this video, John Hammond explores a penetration testing and command and control (C2) tool called Loki C2, developed by Bobby Cook. The tool targets Electron applications, which are built on Node.js and Chromium and power software such as VS Code, Discord, Slack, and many others. Loki C2 backdoors these applications by replacing their JavaScript files with malicious ones, so that arbitrary code runs on the target system under the application's own process. Hammond begins by explaining what Electron applications are and why they are exposed to this kind of tampering.
Electron applications read and execute JavaScript files at runtime, so anyone who can write to those files can inject Node.js code that the application will run. Loki C2 abuses this behaviour by replacing an Electron application's JavaScript files with its own, creating a backdoor. The video walks through setting up and demonstrating Loki C2. Hammond uses three virtual machines: a victim running Windows 11, an attack machine running Kali Linux, and a second attack machine running Windows. He installs the Cursor application, an Electron app, on the victim machine and confirms that it is exposed by using Process Monitor to observe which files the application attempts to load at runtime.
To configure Loki C2, Hammond creates an Azure blob storage account and generates a SAS (Shared Access Signature) token, which serves as the communication channel between the Loki agent and the C2 server. He then clones the Loki repository, installs the required dependencies, and runs an obfuscation script to generate the malicious JavaScript files. Hammond replaces the Cursor application's JavaScript files with the files generated by Loki. When he launches Cursor, the application connects to the C2 server, giving the attacker control of the victim machine.
He demonstrates several commands available in Loki C2, such as navigating the file system, spawning child processes, and uploading and downloading files. Hammond notes, however, that the Cursor application no longer opens normally after Loki's injection. He explains that Loki "hollows out" the application, using only the signed Node.js interpreter to execute the C2 code. To work around this, Hammond and Cook discuss a way to run both Loki and the original application: duplicating the application and modifying the package.json file so that launches alternate between Loki and the original application.
Hammond shows a proof of concept in which he successfully runs both Loki and Cursor, although this method doubles the size of the application. Cook proposes a more elegant solution that uses an init.js file to switch dynamically between Loki and the original application, making the backdoor persistent. In conclusion, Loki C2 is a powerful penetration testing tool for backdooring Electron applications. Although the initial method hollows out the application, the more advanced approaches let the application function normally while maintaining command and control.
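A defender-side check for the file replacement described above (and for the extra init.js loader mentioned at the end), added here as an example and not part of Loki or of the video: it hashes the .js/.json/.asar files under an Electron app's resources directory after a clean install and later diffs them, so a swapped entry point shows up as modified and a new loader as added. The directory layout and file contents in the demo are constructed.

```python
"""Baseline and re-verify the JavaScript an Electron app executes at runtime.
Hypothetical helper, not part of Loki or any Electron project; the sample
app directory in demo() is constructed for illustration."""
import hashlib
import os
import tempfile

WATCHED_EXT = {".js", ".json", ".asar"}  # what Electron loads and executes

def baseline(resources_dir):
    """Map each watched file (path relative to resources_dir) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(resources_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED_EXT:
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, resources_dir).replace(os.sep, "/")
            with open(full, "rb") as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result

def compare(expected, current):
    """Diff two baselines: a swapped-in file is 'modified', a new loader 'added'."""
    return {
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
        "modified": sorted(p for p in expected
                           if p in current and expected[p] != current[p]),
    }

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed sample: clean install, then main.js replaced and init.js added."""
    with tempfile.TemporaryDirectory() as res:
        app = os.path.join(res, "app")
        os.makedirs(app)
        _write(os.path.join(app, "package.json"), '{"main": "main.js"}')
        _write(os.path.join(app, "main.js"), "require('electron');\n")
        clean = baseline(res)  # taken right after the (simulated) clean install
        _write(os.path.join(app, "main.js"), "// replaced entry point (sample)\n")
        _write(os.path.join(app, "init.js"), "// extra loader (sample)\n")
        return compare(clean, baseline(res))

if __name__ == "__main__":
    print(demo())
```

Take the baseline from a trusted install (or the vendor package) and store it outside the application directory, since an attacker who can rewrite main.js can rewrite a hash file that sits beside it.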