Day 20 : Setting up Mythic Server

Now that the attack diagram for the offensive side of this project is done, the next step is to set up the offensive infrastructure for it. In today's article, I will be setting up a Kali Linux Virtual Machine and a Mythic Server, and working through how Mythic is operated.

Creating Mythic Server

Firstly, I headed to Vultr.com and used the Deploy > Deploy New Server button:

Configuring Server Settings

Since this server doesn't require a lot of processing power, I chose the lightweight Cloud Compute - Shared CPU option and set the location to Delhi NCR.

For the Operating System image, I chose Ubuntu 22.04 LTS x64.

For the plan, I went with the recommended specs of 2 CPUs and 4GB RAM.

I opted to deselect all additional features, and left the server settings as default. I set the Server Hostname to MYDFIR-MYTHIC and clicked on Deploy Now.


Installing Mythic Prerequisites

Once the deployment finishes, I SSH'ed into this server as root using Windows PowerShell and, as usual, started by refreshing the package index and upgrading the installed packages:

apt-get update && apt-get upgrade -y

Next, I installed Docker Compose with the following command (the install_docker_ubuntu.sh script run below installs Docker together with its Compose plugin from Docker's own repository, so Ubuntu's older docker-compose package is not strictly needed once that script has run):

apt install docker-compose

Once that finished installing, I cloned the Mythic repository:

git clone https://github.com/its-a-feature/Mythic

I then changed into the Mythic directory (cd Mythic; the directory name is capitalised, and Linux paths are case-sensitive) and listed its contents with ls.

install_docker_ubuntu.sh is the script we're interested in, so I invoked it with:

./install_docker_ubuntu.sh

Once installed, I checked the Docker service status using:

systemctl status docker

If it was not running, I started the Docker service using:

systemctl restart docker

Enabling the unit so that it starts on boot is worth doing too, since a cloud VM can be rebooted by the provider and Mythic's containers will not come back without Docker.

Next, I ran make from the Mythic directory, which builds the mythic-cli binary used to control the server (make sure you're in the Mythic directory before running it).

Then I started Mythic with:

./mythic-cli start

The first start pulls and builds the containers, so it takes a few minutes; the first run of mythic-cli also generates the .env file that holds the admin credentials and the other service secrets.

Mythic is now all set!

Configuring Firewall Rules for Mythic Server

Since I only want my own Kali VM and the target machines (Windows and Ubuntu) to be able to communicate with Mythic, and not the rest of the internet, I headed to my Vultr dashboard > Compute > MYDFIR-MYTHIC > Settings > Firewall and added a new firewall group named MyDFIR-Mythic-Firewall. Doing this at Vultr's edge rather than with ufw on the host is the right call here: Docker rewrites the host's iptables rules for published container ports, so host-level ufw rules do not reliably block them, while the cloud firewall sees the packets before they reach the VM.

Next, I added 3 rules to allow traffic from my IP, the Windows server and the Ubuntu server. A Vultr firewall group drops every inbound packet that no rule allows, so the rule for my IP has to cover SSH (22) as well as the web GUI (7443), otherwise attaching the group locks me out of the server; the two target hosts only need the port the C2 profile listens on, not the management ports.
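Once the firewall group is attached, the check worth doing is from a host that is not on the allowlist (a phone hotspot or another cloud VM, not the Kali VM): every port should come back filtered, meaning the packet was dropped at Vultr's edge, rather than closed, which would mean it reached the server and was refused. The script below is an added example by the editor, not code from this article, the MYDFIR guide or the Mythic project; it uses only bash's /dev/tcp and coreutils timeout, and the port list (22, 7443, 80, 443) is an assumption about what a Mythic host typically exposes.

```shell
#!/usr/bin/env bash
# Added example (editor's), not from the article or the MYDFIR guide.
# Probe a Mythic server's ports from a host OUTSIDE the firewall allowlist to
# confirm the Vultr rules really drop the traffic. Needs only bash and timeout.

# Classify one TCP port from this vantage point:
#   open     - connect succeeded (service reachable: allowlist is wrong for this host)
#   closed   - connect refused or unreachable (packet got through, nothing answered)
#   filtered - no answer within the timeout (dropped by a firewall, what we want)
probe_port() {
    local host="$1" port="$2" wait="${3:-3}" rc=0
    # bash opens /dev/tcp/<host>/<port> as a socket; timeout exits 124 on expiry
    timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
    case "$rc" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# Probe every listed port and print a verdict on the last line:
# 'ok' only if all ports are filtered, otherwise 'exposed'.
audit_exposure() {
    local host="$1"; shift
    local verdict=ok port state
    for port in "$@"; do
        state="$(probe_port "$host" "$port")"
        printf '%s:%s %s\n' "$host" "$port" "$state"
        [ "$state" = filtered ] || verdict=exposed
    done
    echo "$verdict"
}

# usage: ./probe-mythic.sh <mythic-server-ip>   (port list is an assumption)
if [ -n "${1:-}" ]; then audit_exposure "$1" 22 7443 80 443; fi
```

Run the same script from the Kali VM as a positive control: there 22 and 7443 should come back open, which proves the allowlist rule works and that the filtered results elsewhere are the firewall and not a dead service.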


Logging into the Mythic Web GUI

I accessed the Mythic Web GUI at https://Mythic_server_IP:7443 (Mythic ships with a self-signed certificate, so the browser warns about it on the first visit).

The username by default is mythic_admin and the password is the MYTHIC_ADMIN_PASSWORD value in /root/Mythic/.env on the server, generated randomly on first start. The same file holds the database and message-queue secrets, so read just that line rather than pasting the whole file anywhere; ./mythic-cli config get MYTHIC_ADMIN_PASSWORD prints the same value. Changing this password after the first login is worth doing, since the server is reachable from the internet on the allowlisted addresses.

Once logged in, Mythic is up and ready to go.
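To confirm that the install steps above actually produced a working server, and to pull the admin password out of .env without dumping the whole file (it also holds the other service secrets), here is a small bash script. It is an added example by the editor, not part of the original article, the MYDFIR guide or the Mythic project; it assumes the repository lives at /root/Mythic as in this article and that Mythic's generated .env uses the keys MYTHIC_ADMIN_USER and MYTHIC_ADMIN_PASSWORD.

```shell
#!/usr/bin/env bash
# Added example (editor's), not code from the article, the MYDFIR guide or the Mythic project.
# Post-install sanity checks for a Mythic server, run as root on the Ubuntu host.
# Assumptions: the repo was cloned to /root/Mythic (as in this article) and Mythic's
# generated .env uses the keys MYTHIC_ADMIN_USER and MYTHIC_ADMIN_PASSWORD.
set -u

MYTHIC_DIR="${MYTHIC_DIR:-/root/Mythic}"

# Print one key's value from a dotenv-style file (default: Mythic's .env).
# The last definition wins, a trailing CR is dropped, and matching quotes are stripped.
# Usage: env_get KEY [FILE]
env_get() {
    local key="$1" file="${2:-$MYTHIC_DIR/.env}"
    sed -n "s/^${key}=//p" "$file" | tail -n 1 | tr -d '\r' \
        | sed -e "s/^\"\(.*\)\"$/\1/" -e "s/^'\(.*\)'$/\1/"
}

# True if something is bound to the given TCP port on this host (iproute2's ss).
port_listening() {
    ss -Hltn "sport = :$1" | grep -q .
}

# Run the checks in the order the install steps were done; non-zero if any fail.
# The password itself is never printed: only the user name and a masked placeholder.
check_mythic() {
    local rc=0
    if systemctl is-active --quiet docker; then
        echo "[ok] docker service is active"
    else
        echo "[!!] docker is not running: systemctl enable --now docker"; rc=1
    fi
    if [ -x "$MYTHIC_DIR/mythic-cli" ]; then
        echo "[ok] mythic-cli binary present"
    else
        echo "[!!] mythic-cli missing: run make inside $MYTHIC_DIR"; rc=1
    fi
    if port_listening 7443; then
        echo "[ok] web GUI listening on tcp/7443"
    else
        echo "[!!] nothing listening on 7443: ./mythic-cli start"; rc=1
    fi
    printf '[..] log in as %s with the password from .env (%s)\n' \
        "$(env_get MYTHIC_ADMIN_USER)" "$(env_get MYTHIC_ADMIN_PASSWORD | sed 's/./*/g')"
    return "$rc"
}

# Offline demo of env_get on a constructed .env (fake values, not a real Mythic file).
demo_env_get() {
    local tmp; tmp="$(mktemp)"
    printf '%s\n' 'MYTHIC_ADMIN_USER=mythic_admin' \
                  'MYTHIC_ADMIN_PASSWORD="n0t-a-real-pass"' \
                  'MYTHIC_SERVER_PORT=17443' > "$tmp"
    env_get MYTHIC_ADMIN_PASSWORD "$tmp"
    rm -f "$tmp"
}

# usage: ./check-mythic.sh --check   (on the server, as root)
if [ "${1:-}" = "--check" ]; then check_mythic; fi
```

If the 7443 check fails right after ./mythic-cli start, give the containers a minute to finish building before assuming something is wrong; if docker is inactive, the Mythic containers cannot be up no matter what mythic-cli reports.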

Overview of Icons and Buttons in the Mythic Dashboard:

Tasking Section:

  • Command Input Box: This field allows operators to issue commands to compromised agents. It's where users input instructions for the remote host.
  • Submit Button: After typing the command, this button sends the task to the selected agent.
  • Task List: Displays all previously issued commands and their current statuses (e.g., queued, executing, completed).

Agent Management:

  • Agents/Callbacks List: A list of all active agents (or callbacks) that are currently communicating with the Mythic server. Each agent typically has a unique ID and information such as the operating system, username, and connection time.
  • Task Icon: Clicking this icon allows you to task a specific agent with commands.
  • Kill Icon: Terminates the agent or callback session, removing its ability to communicate further.
  • Download Icon: Used to retrieve files or data from the compromised host.
  • Pause/Resume Icon: Temporarily pauses or resumes an agent’s communication with the server.

Operations Management:

  • Create Operation Button: Allows users to start a new operation, which is a container for managing separate C2 activities or engagements.
  • Operations List: Displays all ongoing and past operations, including the status of each.

Notifications and Alerts:

  • Alert Icon: Shows notifications for new agent connections, completed tasks, or any errors that occur during the operation.
  • Task Status Icons: These icons display the status of tasks—whether they are pending, executing, or have failed.

File Management:

  • Upload File Button: Enables users to upload files to the compromised system, such as additional payloads or tools.
  • File Download Button: Allows retrieval of files from the compromised machine back to the Mythic server for further analysis.
  • File Browser Icon: Opens a file explorer for browsing the remote system's file directories.

Credentials Management:

  • Credentials Icon: Displays a list of credentials (usernames and passwords) that have been captured during the engagement. Useful for monitoring compromised accounts.
  • Add Credentials Button: Manually add credentials discovered outside the Mythic platform for future use in operations.

Payloads Management:

  • Create Payload Button: Used to generate new payloads for infecting target systems. This opens a configuration panel where you can customize the payload's parameters.
  • Payloads List: A view of all available payloads, including their current status (e.g., created, deployed, failed).

Reporting and Export:

  • Generate Report Button: Creates detailed reports of the operation, including tasks, agents, and interactions for documentation or post-engagement review.
  • Export Data Icon: Exports collected data or logs from the operation, often for use in other tools or for later analysis.

Search Functionality:

  • Search Bar: Allows users to search across agents, tasks, or operations, making it easier to locate specific interactions or data.

Settings and Configuration:

  • Settings Icon: Opens a menu for configuring Mythic's settings, such as network configurations, agent communication intervals, or operator preferences.
  • Themes Button: Changes the visual appearance of the dashboard (e.g., light mode, dark mode).
  • Users and Roles: Manages operator accounts and roles, allowing team members to collaborate on engagements while maintaining appropriate access controls.

Additional Icons and Features:

  • Logs Viewer: Displays real-time logs of all communications between the Mythic server and agents, helping operators debug or monitor ongoing tasks.
  • Command Documentation: Provides built-in documentation for all supported commands, guiding operators on how to use various commands within the dashboard.


Setting up Kali Linux VM

The second requirement of the offensive infrastructure is a Kali Linux VM. To set one up, I headed to the official Kali Linux website at kali.org and, from the pre-built VM download page, selected the VM for VirtualBox (I am using VirtualBox for virtualization).

Once downloaded and extracted, I opened the kali.vbox file, which registers the Kali Linux VM in VirtualBox:

Once registered, the VM can be started using the Start button at the top. The pre-built image logs in with the well-known default credentials kali/kali, so the first thing to do on the running VM is change that password.


Conclusion

With invaluable guidance from Mr. Stevens at MYDFIR and his YouTube video outlining Day 20 of the 30-Day SOC Challenge, I successfully set up and configured a Mythic Server and installed a Kali Linux Virtual Machine on my local host using VirtualBox.


More articles by Danial Ali Naqvi
