KeyCroc and specific chars

 Just some words regarding the Key Croc having issues with special chars, both when it comes to QUACK them as well as trigger MATCH strings.
(For those just stumbling on this text; you need to have been a part of the Hak5 Discord discussions about the matter to be able to place it into context)

Running the following logged in using ssh on the Croc, it is obvious that the Croc thinks that there are no Swedish chars available to match even if you have told the Croc to use "se" as language. Some samples...

root@croc:/usr/local/croc/bin# QUACK STRING "å"
Traceback (most recent call last):
  File "/usr/local/croc/bin/QUACK", line 281, in <module>
    run_script(input_line, language)
  File "/usr/local/croc/bin/QUACK", line 250, in run_script
    context = run_ducky_line(context, line, lang_file)
  File "/usr/local/croc/bin/QUACK", line 165, in run_ducky_line
    elements = lang_file[char].split(",");
KeyError: u'\xe5'

root@croc:/usr/local/croc/bin# QUACK STRING "ä"
Traceback (most recent call last):
  File "/usr/local/croc/bin/QUACK", line 281, in <module>
    run_script(input_line, language)
  File "/usr/local/croc/bin/QUACK", line 250, in run_script
    context = run_ducky_line(context, line, lang_file)
  File "/usr/local/croc/bin/QUACK", line 165, in run_ducky_line
    elements = lang_file[char].split(",");
KeyError: u'\xe4'

root@croc:/usr/local/croc/bin# QUACK STRING "ö"
Traceback (most recent call last):
  File "/usr/local/croc/bin/QUACK", line 281, in <module>
    run_script(input_line, language)
  File "/usr/local/croc/bin/QUACK", line 250, in run_script
    context = run_ducky_line(context, line, lang_file)
  File "/usr/local/croc/bin/QUACK", line 165, in run_ducky_line
    elements = lang_file[char].split(",");
KeyError: u'\xf6'


However, when forcing the Croc to use the Swedish language file (mine is modified since the original doesn't contain Swedish chars) instead of US, you get another result.
Change line 263 in /usr/local/croc/bin/QUACK from
    language = os.getenv("DUCKY_LANG", default="us").lower()
to
    language = os.getenv("DUCKY_LANG", default="se").lower()

and the errors above will not show anymore and the Croc starts QUACKing Swedish...

So, it seems as if the Croc for some reason doesn't really read/use the configured language file since it uses what is defined as "default" if you aren't actually forcing it to use something else. Setting "se" as default also indicates that there are no problems with the language file itself since it does its job as long as the Croc actually uses it.

Example payload and output after changing/forcing the Croc to use Swedish as default language

root@croc:~/udisk/payloads# cat payload.txt
MATCH test
QUACK DELAY 500
QUACK STRING "ö"

root@croc:~/udisk/payloads# testStarting C2 Notify Tool
Notification Sent Successfully
ö
-bash: testö: command not found

The last error can be ignored, I just pressed enter and, of course, there's no "ö" or "testö" command. The "Starting C2 Notify Tool" and "Notification Sent Successfully" is just because the payload was triggered on the Key Croc itself just to catch any errors.

There must be some locale thing on the Croc that needs to be sorted out as well. Not sure how it affects the Croc functionality itself, but vi and nano are totally being ass when handling the special Swedish chars. You have to fiddle with the payload file to get the chars displayed properly.

So, this isn't the solution, it's just workarounds and steps on the way. The croc.py file probably needs some work to get MATCH to trigger on Swedish chars. The errors that are thrown back indicates that there is some handling in the file (or more files) that uses ascii instead of encode (Unicode UTF-8) which can cause problems in Python(2) if your chars isn't in the default ascii table. It will throw back errors. Haven't been digging deeper into that other than trying to do the same as with the QUACK file, i.e. changing the line 339 from "us" to "se".
self.keymap_path = "/root/udisk/languages/us.json"
to
self.keymap_path = "/root/udisk/languages/se.json"

This hasn't made any difference and won't most likely help since the Python scripts running on the Croc still uses/defaults to ascii and can't handle chars outside of that table and no "extended ascii" (ISO 8859-1/ISO Latin-1) or Unicode is used.

Verifying that the Croc returns ascii as default encoding can be done with:
python -c 'import sys; print(sys.getdefaultencoding())'
 

This is also obvious if running the KEY_DEBUGGER "command" and pressing Swedish chars.
KEY_DEDUBBER also states the following when it's started so it "should" use the correct language file
DUCKY_LANG CONFIG OPTION: /root/udisk/languages/se.json

However, pressing what should be "ä" (and is present in the se.json file) returns
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe4' in position 346: ordinal not in range(128)
just because of the previously mentioned fact that åäöÅÄÖ isn't a part of "non extended" ascii

A bit about ascii and Unicode
https://towardsdatascience.com/a-guide-to-unicode-utf-8-and-strings-in-python-757a232db95c
https://www.ascii-code.com/

OK... so a bit of work seems to be needed to get it all further. I don't have time for that, at least not now. QUACKing Swedish chars should be possible to get working at least.

Popular posts from this blog

Hak5 Cloud C2 on a Raspberry Pi

Setting up the Raspberry Pi (RPi) itself isn't covered here, a default installation of Raspberry Pi OS Lite will do the job. This setup will work on a LAN only, i.e. no external access to the C2 instance from the internet. To get that working, port openings and stuff is needed but that isn't covered here. If needed, run the following to get information about which C2 version to run on the RPi: cat /proc/cpuinfo Note! You need a license key from Hak5 in order to activate/validate the installation (the community edition is free, but still needs a license key). The RPi also needs to have a working connection to the internet since the C2 license is validated at service start, and during runtime as well. Download the C2 zip file to the RPi and unzip it wget https://c2.hak5.org/download/community -O c2.zip unzip c2.zip Start the server manually to verify that it works: ./c2-3.1.2_armv7_linux -hostname <ip address> (or whatever version that was downloaded) When the C2 instance h
Read more

Hak5 Cloud C2 as a Windows service

As long as the C2 Windows binary is just a plain and simple exe (i.e. a "non-service" executable), it won't be allowed to start as a service in Windows (error 1053). To do this, either A) the C2 binary for Windows needs to be developed in a way that it is allowed to be started as a service or B) use one of the utilities out there on the interwebs that allows using an "ordinary" exe as a service. The "Plan B" is used here building on the tool "srvstart". Download the latest C2 zip file from Hak5 and extract it Download srvstart and extract the zip file https://github.com/rozanski/srvstart/blob/master/srvstart/srvstart_run.v110.zip Copy/move the two DLL and two EXE files from the srvstart zip to the C:\Windows folder of the computer (or somewhere in PATH) Make sure that there is a "msvcrt.dll" file in C:\Windows\System32 Rename the Hak5 C2 executable (64 bit variant used here) to c2_amd64_windows.exe This makes it more "transpare
Read more

Project name: WEIRDFEED

  Project name: WEIRDFEED Instruction on installing Kali Linux 2020.4 AMD64 using an ISO file downloaded from kali.org on a Windows 10 2004 host/"hypervisor" running VirtualBox 6.1.16 r140961 (w/ VirtualBox Extension Pack) and get the Hak5 Shark Jack available to the VM Make sure that virtualization is enabled in BIOS/UEFI (VT-x/AMD-V) otherwise you might get the turtle Create a new VM in VirtualBox by clicking "New" Name the VM and select Linux as Type and Debian 64-bit as Version Set the desired amount of RAM (using 2048 MB here) Create a Virtual storage device (using 24 GB here) The VM is now created, click "Settings" and make any additional config to the VM (# of CPUs/cores, video RAM, disable floppy, disable audio, shared folders, etc. anything of choice that is valid) Last but not least, attach the Kali Linux ISO file to the virtual optical drive of the VM Click "OK" Click "Start" to boot the VM Select the startup disk if asked (o
Read more