Man-in-the-Browser via Chrome Extension
1. The CursedChrome extension is added to Chrome on a compromised computer;
2. The compromised computer's Chrome connects back to an attacker-controlled CursedChrome C2 server. The compromised computer's Chrome now acts as a proxy into the compromised network;
3. The attacker can now proxy web requests through the compromised computer's Chrome and reach any internal web application that the compromised user/computer can access.
The beauty of this technique is that the attacker's web requests leverage the cookies stored in the compromised Chrome browser. If the compromised user is logged on to a web application the attacker is interested in, the attacker no longer needs to authenticate to that application in order to access it: their HTTP requests re-use the existing cookies from the compromised Chrome and are let in without being asked for credentials.
Below is a list of systems involved in this lab:
- 188.8.131.52 - CursedChrome C2 server;
- 10.0.0.7 - attacker computer
- x.x.x.x - compromised computer in some other network outside the
On the CursedChrome C2 server, pull the CursedChrome git repo, enter it and spin up the CursedChrome server using `docker-compose` with the following commands:

```bash
git clone https://github.com/mandatoryprogrammer/CursedChrome.git /opt/
docker-compose up -d redis db
docker-compose up cursedchrome
```

After running the above `docker-compose` commands, you should see the below screen:
CursedChrome C2 server installed and configured
Save the username and password for later as these will be required when connecting to the CursedChrome C2 web console:
Additionally, note that the CursedChrome web console is listening on `127.0.0.1:8118` and the HTTP proxy on `127.0.0.1:8080` - we will need these later, when setting up local SSH tunnels, so that we can access these services from the attacking machine.
On a compromised computer, we need to install the CursedChrome implant.
It's up to you how you will do it, but for the demo purposes, I simply enabled `Developer mode`, clicked `Load unpacked` and pointed it to the `.\extension` folder from the CursedChrome repo. The extension is now installed:
CursedChrome installed in to Chrome
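From the defender's side, the step above leaves a trace: an extension loaded via `Load unpacked` is recorded in the Chrome profile's `Preferences` / `Secure Preferences` JSON with an `extensions.settings` entry whose `location` is 4 (unpacked) and `from_webstore` is false, alongside its manifest permissions. The following audit script is an added example, not part of the original post or of CursedChrome; it assumes those key names (taken from Chromium's preference format) and runs against a constructed sample profile fragment rather than a real one.

```python
import json

# Chrome Preferences "location" value for an extension loaded via "Load unpacked"
# (Manifest::Location::kUnpacked); value assumed from Chromium source.
UNPACKED = 4
# Permissions that let an extension read or rewrite all traffic and cookies.
BROAD_PERMS = {"<all_urls>", "webRequest", "webRequestBlocking", "proxy", "cookies"}

# Constructed sample of the "extensions.settings" subtree of a Chrome
# Preferences / Secure Preferences file; not taken from a real profile.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "location": 4, "from_webstore": False, "state": 1,
            "path": "C:\\Users\\user\\CursedChrome\\extension",
            "manifest": {"name": "Chrome Helper", "version": "1.0",
                         "permissions": ["webRequest", "webRequestBlocking",
                                         "<all_urls>", "cookies"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "location": 1, "from_webstore": True, "state": 1,
            "manifest": {"name": "Vendor Dictionary", "version": "2.3",
                         "permissions": ["storage"]}},
    }}
})


def audit_extensions(prefs_json: str) -> list[dict]:
    """Return one finding per extension that is side-loaded (unpacked or not from
    the Web Store) and requests traffic-interception permissions."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # Manifest V3 lists host patterns under a separate key; treat them the same.
        perms |= set(manifest.get("host_permissions", []))
        sideloaded = ext.get("location") == UNPACKED or not ext.get("from_webstore", False)
        risky = perms & BROAD_PERMS
        if sideloaded and risky:
            findings.append({"id": ext_id, "name": manifest.get("name"),
                             "path": ext.get("path"), "permissions": sorted(risky)})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        print(f"[!] side-loaded extension {f['id']} ({f['name']}) at {f['path']} "
              f"requests {', '.join(f['permissions'])}")
```

Pointing the function at a real profile's `Secure Preferences` (Windows/macOS) or `Preferences` (Linux) file is a quick host-level check; the same criteria can be enforced centrally with Chrome's enterprise extension policies.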
On the attacker machine, let's set up a couple of local SSH tunnels.
In order to access the CursedChrome C2 web console via `http://localhost:1111`, we need the following SSH tunnel to the CursedChrome C2 server:
In order to proxy our HTTP traffic through the CursedChrome's C2 web proxy, using FoxyProxy, we need the following tunnel:
Once we have the tunnels set up, we can try accessing the web console by navigating to `http://localhost:1111`; if everything works, you should see a login panel:
CursedChrome web console.
Enter the admin credentials you got after setting up the CursedChrome server using `docker-compose` and you should now be logged on to the panel, where you will see a bot / compromised computer's CursedChrome extension calling back to the CursedChrome C2:
CursedChrome web panel, logged in.
Note the username and password of the bot as you will need it when configuring FoxyProxy.
**Important:** do not forget to export the Proxy CA certificate (see the big download button below the connected bots panel) and install it in Firefox, as this is required for the technique to work.
Installing CursedChrome CA Certificate to FireFox
Now we're ready to set up FoxyProxy (a Firefox extension).
The proxy IP and port should be `127.0.0.1:2222` (remember, we set up a local SSH tunnel for this earlier) and the username/password should be those seen in the "Connected bots" panel in the CursedChrome C2 web console:
FoxyProxy configured to proxy traffic through the infected Chrome on a compromised computer
Configure Firefox to use the FoxyProxy profile you just set up and you are ready to access internal web applications on the compromised computer's network that would otherwise not be accessible to you.
With all the setup completed, the below image shows how I'm able to access Bitbucket on behalf of a compromised user `Mantvydas`, without knowing their credentials, on a network that is outside of the attacking VM:
Accessing Bitbucket via a compromised computer with CursedChrome extension installed on it