its-a-feature
get_tasking items not bundled for same p2p agent destination when using get_delegate_tasks
Description:
When get_delegate_tasks is set to True (this is also the default behavior), tasks intended for delegation that have the same agent as the destination are being issued as separate get_tasking requests. This results in multiple delegate items instead of bundling them into a single request.
Current Behavior:
Tasks to delegate are issued as separate requests:
-
Task 1:
{ "action": "get_tasking", "tasks": [ { "timestamp": 1759492528, "command": "whoami", "parameters": "", "id": "16c235f8-5770-4e10-a99f-77b4bec758ce", "token": 0 } ] } -
Task 2:
{ "action": "get_tasking", "tasks": [ { "timestamp": 1759492530, "command": "ls", "parameters": "{\"1\": \".\", \"2\": \"\"}", "id": "ba25aa22-9ae5-42b9-9c89-f2f742d1356d", "token": 0 } ] }
These are converted to separate delegate items with the same destination UUID:
{
"action": "get_tasking",
"delegates": [
{
"message": "NTY3OTc4OWQtNjY2NS00OGYxLTkyMTMtNzYxMjBmNzQ5NmQ38deki1/pGm9UcdC1lNz5dn7BLUO9hTxfiVALqhsbGZRihWcscrG+3J4SGNrU20hUW/0V43PtUFhIoSKkX/j33ufC8ATs/O4uzSUlmkzrLSUV/jfi0AyowqkIKaeYFz/I",
"uuid": "5679789d-6665-48f1-9213-76120f7496d7",
"c2_profile": "tcp"
},
{
"message": "NTY3OTc4OWQtNjY2NS00OGYxLTkyMTMtNzYxMjBmNzQ5NmQ3pNt7md20BZDj+FANUocoVkBiraRxn8ZF5WuoFkgF7RLAkppYiVfwVrSwvp8lTfJ16q0fsJO49A4q4oYHbiotDRzlFTznqBfXbBrIG9P1vJ4eFgBuGW99sfWyjpU13+dJ",
"uuid": "5679789d-6665-48f1-9213-76120f7496d7",
"c2_profile": "tcp"
}
],
"tasks": []
}
Expected Behavior:
Items with the same destination UUID should be bundled into a single get_tasking request to optimize the delegation process.
Steps to Reproduce:
- Set
get_delegate_taskstoTrue(or not set it at all asTrueis the default). - Create multiple tasks for a p2p agent before the parent issues a
get_tasking. - Observe the separate
get_taskingrequests and delegate items.
Environment:
- Mythic C2 version: v3.3.1-rc94
That's a good point. I think I can relatively easily get those bundled together into a single message
this is updated as of the release today, if you could give that a try and let me know?
Thanks!
I managed to test it, now the tasks are properly bundled together.
Though, I noticed that if there are get_tasking items to delegate outside of the tasks array they are still sent as a separate get_tasking message.
I used socks connection for testing and I got one get_tasking response with the socks list and a separate one with the tasks.
Example:
If I issue whoami while a socks connection is open (both things on the same p2p agent of course), I get:
-
{"action": "get_tasking", "tasks": [{... -
{"action": "get_tasking", "socks": [{...
That are sent to the parent agent as:
{
"action": "get_tasking",
"delegates": [
{
"message": "OGQxZTM1YzUtMTViZS00NWQwLTk2NzctNDdmOTQzN2I2ZjJj/xIz+kXzfDUJELAzRmKbXhZiWflAwbtDm0bi64X+8hJKIv3WZ8WcfXUzhVr8wL+hkpuCq333VPkd63y8KXmd1T9DnHQNuSanGAjOSd/x3hDozt9zPY7CYtkKn2BU8+1Z",
"uuid": "8d1e35c5-15be-45d0-9677-47f9437b6f2c",
"c2_profile": "tcp"
},
{
"message": "OGQxZTM1YzUtMTViZS00NWQwLTk2NzctNDdmOTQzN2I2ZjJj1HkBD2OFb21UZMDz+1zEYlBrbt1a/0AE+Gb0kDmV9zM3kS7Cqy0Qf6LZTweGVk2sGaFyPkODyLhylMLDYeAL0oi7crZOd0fniUxtV4FX5PKIBKOeeAX+1CtbdP290I6J",
"uuid": "8d1e35c5-15be-45d0-9677-47f9437b6f2c",
"c2_profile": "tcp"
}
],
"tasks": []
}
Ah yeah that's a good point. Those are currently checked at two different points in the processing. You'll notice the same thing will happen with rpfwds and interactive tasks as well.
That'll be a little bit more work, but I'll work on it to get all of these things aggregated in as few delegate messages as possible