# Azure API 管理服务转发器 类似于 Azure Function 应用,Azure API 管理服务也可用于搭建安全的 C2 基础设施。在 Azure 面板中,导航到 **API Management services**,创建新的 API 管理服务。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/J5W4NY0VBuikHJpE-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/J5W4NY0VBuikHJpE-image.png) 点击 **Add API**,添加 2 个HTTP API,分别用于处理 **GET** 与 **POST** 请求。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/0Yme6QgdF4VY7ej6-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/0Yme6QgdF4VY7ej6-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/VXCVpuSazTr9cqsa-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/VXCVpuSazTr9cqsa-image.png) **Web service URL** 填写 C2 服务器 Nginx 的 URL,因为我们在 **API URL suffix** 添加了名为 **get** 的后缀,因此 Nginx URL 这里也对应地补上。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/QCZh1TeGabW6TDRM-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/QCZh1TeGabW6TDRM-image.png) 取消对 **Subscription required** 的勾选,其他保持默认即可。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/3D8lXTSW8KQ2qGZM-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/3D8lXTSW8KQ2qGZM-image.png) 在该 API 里通过点击 **Add operation** 来添加一个操作,指定请求类型为 **GET**,以及**终端名称**。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/EdLMapFeVBjfOBng-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/EdLMapFeVBjfOBng-image.png) 这样,就完成了处理 GET 请求的 API 管理服务。我们重复类似的步骤来完成处理 POST 请求的 API 管理服务。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/TzFsXmf5hXqoRUp6-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/TzFsXmf5hXqoRUp6-image.png) 这样,这 2 个终端的完整 URI 如下所示: ``` GET: https://dlersec-api.azure-api.net/get/api POST: https://dlersec-api.azure-api.net/post/api ``` 修改 Nginx 配置文件添加对这 2 个终端的转发,使得从 Azure 转发至 Nginx 的请求最终被转发到 C2 团队服务器。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/yR4tZe92OpnlXNDz-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/yR4tZe92OpnlXNDz-image.png) 以及修改侧写文件中的 URI [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/HIEwVbOITMWbyYFF-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/HIEwVbOITMWbyYFF-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/HcHJsnUBLaYJINRS-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/HcHJsnUBLaYJINRS-image.png) 使用 curl 测试以下,成功得到了 C2 的响应。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/zjTHJzDDxOHq93bF-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/zjTHJzDDxOHq93bF-image.png) 生成 exe 载荷并执行,成功获得会话,并且命令执行与输出一切正常。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/jrne59ZVCoaijUd3-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/jrne59ZVCoaijUd3-image.png) 查看 Beacon 的通信地址,IP 是 20.241.189.223,也就是我们 Azure API 管理服务的地址,成功隐藏了 C2 服务器。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/uNQq5wpnobsLH6Vl-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/uNQq5wpnobsLH6Vl-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2023-10/scaled-1680-/5d9qXayUht7K7raV-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-10/5d9qXayUht7K7raV-image.png)