Darren Kitchen

The Shark Jack features a firmware recovery option which allows the user to restore the devices firmware image. This procedure is performed via a special web interface. Download the latest firmware image for your Shark Jack from the Hak5 Download Center. It is extremely important that you follow the directions precisely as it pertains to powering the device and image selection from the web recovery interface. The video is provided as a reference however does not replace carefully reading the instructions listed below. Follow these steps to access the recovery web interface and update the firmware. With the switch in the OFF position, plug in a suitable USB power source and fully charge the Shark Jack. The LED will blink blue while charging, and solid blue when fully charged. If no LED activity is present, leave the Shark Jack connected to the power source for 10 minutes. Unplug the Shark Jack completely from the USB power source Prepare to press the Shark Jack reset button located on the bottom of the device next to the regulatory label. Using a paperclip, SIM card removal tool or similar instrument practice pressing the button. With the Shark Jack unplugged and with its switch in the off position, carefully insert the instrument and directly downward until you feel resistance. Gently press the button. You should feel a click. With the instrument at the ready, flip the switch into the arming (middle) position and immediately after press and hold the reset button for 7 seconds. Connect a USB power source to the Shark Jack Connect the Shark Jack to your host PC Ethernet interface. After a moment the Shark Jack LED will indicate solid green with intermittent activity flashes. Set a static IP address for the host PC Ethernet interface connected to the Shark Jack as follows: IP Address: 192.168.1.2 Netmask: 255.255.255.0 From the host PC, browse to http://192.168.1.1 A Shark Jack Recovery interface with a red banner will appear. Click to the Recovery tab, then click Browse Firmware, select the Shark Jack firmware downloaded from the Hak5 Download Center, then click Start Upload File. If your Shark Jack web interface shows a blue banner reading Web Failsafe Recovery, click the OS tab, then click browse, select the Shark Jack firmware downloaded previously, then click Start Upload File. If your Shark Jack features the blue bannered Web Failsafe Recovery interface, it is extremely important that you select the OS tab and not the Firmware tab or any other tab as doing so will render the device inoperable. This process will take several minutes. Do not interrupt the power supply while the firmware is updating. Once complete, the Shark Jack will restart as indicated by a green blinking LED. At this point, disable the static IP address on the host PC Ethernet interface connected to the Shark Jack and reset it to receive an IP address automatically via DHCP.

At first glance I would imagine this would be in /tmp/dhcp.leases and one may repurpose this part of the GET extension for the Bash Bunny function GET() { case $1 in "TARGET_IP") export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq) ;; Having said that and looking at NETMODE, the condition for DHCP_SERVER is "DHCP_SERVER") uci set network.lan.proto='none' /etc/init.d/odhcpd start ;; It's possible that a parameter must be set for the log file. I'm not in front of my Shark Jack but I'd check the odhcpd options as well as the output of `dmesg` and `logread` after the client connects to see if there are any clues there.

Unfortunately none of those are for the mips architecture, but if you have source it could be compiled for the Shark Jack. Target is ramips and subtarget is MT7628. More specifically, the SoC is a MediaTek MT7628, the OS is OpenWRT and the architecture is MIPS 24KEc.

My apologies for the trouble - that doesn't seem right at all. If you haven't already, go ahead and open a ticket at https://shop.hak5.org/contact and we'll get you sorted.

We're aware of the issue and will be releasing an update with ACMEv2 soon. Account creation should work again today. Let's Encrypt is doing 24 hour brownouts to call attention to the upgrade. In the meantime either wait the 24 hours for the v1 service to come back online, or provide your own keys using the appropriate command line parameters.

I use a Digital Ocean "droplet" (VPS) with 512 MB RAM and 20 GB disk. I hardly tax the thing.

Correct. STRING simply states to treat the file as standard ASCII so it can be viewed in the Cloud C2 web UI. Otherwise it's treated as a binary. The SOURCE is indeed just a tag - which is helpful when managing loot from multiple payloads. No problem on the example payload - I really enjoy writing these and hope they're useful for others looking to implement these features.

If your phone support a USB Ethernet dongle, you can exfiltrate data via the web UI from your phone. I'm sure many other methods - like SMB as you mentioned - would work similarly. The USB-C port is only for charging. Interestingly, you can use your phone to charge the Shark Jack. Select "Connected device" from USB controlled by on the USB Preferences menu.

@Topknot thanks for detailing the process you followed to upgrade - however I want to advise against this method as it will not be supported. We cannot guarantee that the firmware file will always fit in the root file system in /root/, and the sysupgrade function may not always be present in the framework. If you wish to manually upgrade the Shark Jack, as opposed to the guided method using the sharkjack.sh helper available from https://downloads.hak5.org I advise you to please follow the instructions listed at https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade

Currently the C2EXFIL command accepts only one file at a time. USAGE -- C2EXFIL (optional)STRING (required)<PATH> (optional)<SOURCE> Examples: C2EXFIL STRING <PATH> <SOURCE> - send text data from <PATH> file from <SOURCE> C2EXFIL <PATH> <SOURCE> - send <PATH> file from <SOURCE> C2EXFIL <PATH> - send <PATH> file Multiple files may be uploaded using the tool, however you would need to loop over them in order to do so. I've published an example of this here: https://github.com/hak5/sharkjack-payloads/blob/master/payloads/library/example/cloudc2-multi-file-exfiltration/payload.sh

Glad to see you got the C2CONNECT issue sorted with your specific keyfile configuration. As for the C2EXFIL, if you run the command interactively you will get usage. I prefer to use the STRING flag as it will make standard ASCII files easily readable within the Cloud C2 web interface.

Thanks for the report. We are looking into this now. This is related to Hak5 infrastructure as it pertains to adding packages not already in the mainline OpenWRT feeds end and will not impact your ability to install standard packages.

Glad to hear that the Shark Jack is working out for you. I don't know if this comes across on the videos but I'm really proud of it. As for the payloads, the convention we established with the Bash Bunny was to create a directory called "Library" in which you can carry multiple payloads. It may be fruitful to store that in /root/ using a git clone. Your idea of storing multiple payloads to swap out on the device is something we've been giving thought on how to best facilitate - so I'm sure as the product matures we'll have a great solution for. Happy hacking 🙂

I mean, anything is possible but at first glance I'd say it's much easier to invoke with a keystroke injection attack using the Bash Bunny or USB Rubber Ducky. Not sure exactly how you'd pull it off with the Shark Jack, but I'm not going to rule it out since you never know what's possible RCE wise when you have direct network access.

@Geeksystem here's the article on manual flashing as promised: https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade