Darren Kitchen

Everything posted by Darren Kitchen

  1. The Shark Jack features a firmware recovery option which allows the user to restore the device's firmware image. This procedure is performed via a special web interface. Download the latest firmware image for your Shark Jack from the Hak5 Download Center.

     It is extremely important that you follow the directions precisely as it pertains to powering the device and image selection from the web recovery interface. The video is provided as a reference; however, it does not replace carefully reading the instructions listed below.

     Follow these steps to access the recovery web interface and update the firmware.

       • With the switch in the OFF position, plug in a suitable USB power source and fully charge the Shark Jack. The LED will blink blue while charging, and solid blue when fully charged. If no LED activity is present, leave the Shark Jack connected to the power source for 10 minutes.
       • Unplug the Shark Jack completely from the USB power source.
       • Prepare to press the Shark Jack reset button located on the bottom of the device next to the regulatory label. Using a paperclip, SIM card removal tool or similar instrument, practice pressing the button. With the Shark Jack unplugged and with its switch in the off position, carefully insert the instrument directly downward until you feel resistance. Gently press the button. You should feel a click.
       • With the instrument at the ready, flip the switch into the arming (middle) position and immediately after press and hold the reset button for 7 seconds.
       • Connect a USB power source to the Shark Jack.
       • Connect the Shark Jack to your host PC Ethernet interface. After a moment the Shark Jack LED will indicate solid green with intermittent activity flashes.
       • Set a static IP address for the host PC Ethernet interface connected to the Shark Jack as follows: IP Address: 192.168.1.2, Netmask: 255.255.255.0
       • From the host PC, browse to http://192.168.1.1
       • A Shark Jack Recovery interface with a red banner will appear. Click to the Recovery tab, then click Browse Firmware, select the Shark Jack firmware downloaded from the Hak5 Download Center, then click Start Upload File.
       • If your Shark Jack web interface shows a blue banner reading Web Failsafe Recovery, click the OS tab, then click browse, select the Shark Jack firmware downloaded previously, then click Start Upload File. If your Shark Jack features the blue bannered Web Failsafe Recovery interface, it is extremely important that you select the OS tab and not the Firmware tab or any other tab, as doing so will render the device inoperable.
       • This process will take several minutes. Do not interrupt the power supply while the firmware is updating.
       • Once complete, the Shark Jack will restart as indicated by a green blinking LED. At this point, disable the static IP address on the host PC Ethernet interface connected to the Shark Jack and reset it to receive an IP address automatically via DHCP.
  2. At first glance I would imagine this would be in /tmp/dhcp.leases and one may repurpose this part of the GET extension for the Bash Bunny:

     ```bash
     function GET() {
         case $1 in
             "TARGET_IP")
                 # Collect the unique client addresses recorded in the DHCP lease file
                 export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
                 ;;
             # (other cases of the extension omitted)
         esac
     }
     ```

     Having said that and looking at NETMODE, the condition for DHCP_SERVER is:

     ```bash
     "DHCP_SERVER")
         uci set network.lan.proto='none'
         /etc/init.d/odhcpd start
         ;;
     ```

     It's possible that a parameter must be set for the log file. I'm not in front of my Shark Jack but I'd check the odhcpd options as well as the output of `dmesg` and `logread` after the client connects to see if there are any clues there.
  3. Unfortunately none of those are for the mips architecture, but if you have source it could be compiled for the Shark Jack. Target is ramips and subtarget is MT7628. More specifically, the SoC is a MediaTek MT7628, the OS is OpenWRT and the architecture is MIPS 24KEc.
  4. My apologies for the trouble - that doesn't seem right at all. If you haven't already, go ahead and open a ticket at https://shop.hak5.org/contact and we'll get you sorted.
  5. We're aware of the issue and will be releasing an update with ACMEv2 soon. Account creation should work again today. Let's Encrypt is doing 24 hour brownouts to call attention to the upgrade. In the meantime either wait the 24 hours for the v1 service to come back online, or provide your own keys using the appropriate command line parameters.
  6. I use a Digital Ocean "droplet" (VPS) with 512 MB RAM and 20 GB disk. I hardly tax the thing.
  7. Correct. STRING simply states to treat the file as standard ASCII so it can be viewed in the Cloud C2 web UI. Otherwise it's treated as a binary. The SOURCE is indeed just a tag - which is helpful when managing loot from multiple payloads. No problem on the example payload - I really enjoy writing these and hope they're useful for others looking to implement these features.
  8. If your phone supports a USB Ethernet dongle, you can exfiltrate data via the web UI from your phone. I'm sure many other methods - like SMB as you mentioned - would work similarly. The USB-C port is only for charging. Interestingly, you can use your phone to charge the Shark Jack. Select "Connected device" from "USB controlled by" on the USB Preferences menu.
  9. @Topknot thanks for detailing the process you followed to upgrade - however I want to advise against this method as it will not be supported. We cannot guarantee that the firmware file will always fit in the root file system in /root/, and the sysupgrade function may not always be present in the framework. If you wish to manually upgrade the Shark Jack, as opposed to the guided method using the sharkjack.sh helper available from https://downloads.hak5.org, I advise you to please follow the instructions listed at https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade
  10. Currently the C2EXFIL command accepts only one file at a time.

      ```
      USAGE -- C2EXFIL (optional)STRING (required)<PATH> (optional)<SOURCE>
      Examples:
      C2EXFIL STRING <PATH> <SOURCE> - send text data from <PATH> file from <SOURCE>
      C2EXFIL <PATH> <SOURCE> - send <PATH> file from <SOURCE>
      C2EXFIL <PATH> - send <PATH> file
      ```

      Multiple files may be uploaded using the tool, however you would need to loop over them in order to do so. I've published an example of this here: https://github.com/hak5/sharkjack-payloads/blob/master/payloads/library/example/cloudc2-multi-file-exfiltration/payload.sh
  11. Glad to see you got the C2CONNECT issue sorted with your specific keyfile configuration. As for the C2EXFIL, if you run the command interactively you will get usage. I prefer to use the STRING flag as it will make standard ASCII files easily readable within the Cloud C2 web interface.
  12. Thanks for the report. We are looking into this now. This is related to Hak5 infrastructure as it pertains to adding packages not already in the mainline OpenWRT feeds and will not impact your ability to install standard packages.
  13. Glad to hear that the Shark Jack is working out for you. I don't know if this comes across on the videos but I'm really proud of it. As for the payloads, the convention we established with the Bash Bunny was to create a directory called "Library" in which you can carry multiple payloads. It may be fruitful to store that in /root/ using a git clone. Your idea of storing multiple payloads to swap out on the device is something we've been giving thought on how to best facilitate - so I'm sure as the product matures we'll have a great solution for it. Happy hacking 🙂
  14. I mean, anything is possible but at first glance I'd say it's much easier to invoke with a keystroke injection attack using the Bash Bunny or USB Rubber Ducky. Not sure exactly how you'd pull it off with the Shark Jack, but I'm not going to rule it out since you never know what's possible RCE wise when you have direct network access.
  15. @Geeksystem here's the article on manual flashing as promised: https://docs.hak5.org/hc/en-us/articles/360038189894-Manual-Upgrade
  16. Netcat is included on the Shark Jack with the command `nc`. As for starting netcat on a target, it really depends. There are a few reverse shell payloads for the Bash Bunny, for instance...
  17. @MoLeViP you are correct - the Shark Jack ARMING mode enables a DHCP server - however this is just for management of the device. If you would like to make a payload for the Shark Jack @Jenny_B that enables a DHCP server rather than a client, use `NETMODE DHCP_SERVER` rather than `NETMODE DHCP_CLIENT`. This is documented at https://docs.hak5.org/hc/en-us/categories/360002117973-Shark-Jack
  18. Awesome payload! I would suggest changing the LED to use the standardized states like LED SETUP, LED ATTACK and such. They're documented at https://docs.hak5.org/hc/en-us/articles/360034667893-LED. Currently your LED commands will fail, as they would need an additional parameter - like SOLID.
  19. I'm using the USB Ethernet adapter from https://shop.hak5.org/collections/accessories/products/combo-ethernet-adapter-and-retractable-cable (which is included in the Shark Jack Combo Kit) - but any regular USB Ethernet adapter will work. I'll post a manual upgrade guide to https://docs.hak5.org but essentially the process is similar to that of the Packet Squirrel or WiFi Pineapple where you download the latest firmware from downloads.hak5.org, copy the file to /tmp/ on your device via SCP, then SSH into the device, verify its SHA256 sum, then issue `sysupgrade -n /tmp/upgrade.bin`. The IMPORTANT bit to keep in mind with the Shark Jack is that it should be plugged into USB power during the flashing process, as an interruption in power will result in a bricked device.
  20. Everything from unboxing your Shark Jack to connecting in arming mode, exfiltrating loot, changing out payloads, upgrading the firmware, checking out the new web interface and even connecting it to Cloud C2.

      VIDEO CHAPTERS:

        • 0:58 - Unboxing
        • 4:22 - Attacking with the default payload
        • 7:08 - Connecting in arming mode
        • 10:40 - Navigating the file system
        • 12:34 - Exfiltrating loot to our local host
        • 14:13 - The sharkjack.sh helper script
        • 17:16 - Upgrading the firmware
        • 19:26 - The new arming mode web interface
        • 20:30 - Loading new payloads
        • 25:19 - Setting up Cloud C2
  21. Normal runtime is between 10 and 15 minutes - not 2 and 5. Is the battery fully charged? Charging time is between 5 and 10 minutes, and the LED will light solid blue when it is fully charged. Something seems off here. If the run time is really that low when fully charged, please reach out to me directly at https://shop.hak5.org/contact and we'll get you sorted.
  22. So here's a pretty image of the Shark Jack Combo Kit: And here's how I rock it every day: *not pictured: Plunder Bug
  23. This will happen if the file system is filled. I recommend following the factory reset guide from https://docs.hak5.org/hc/en-us/articles/360010471134-Factory-Reset
  24. Thanks! PR accepted 🙂 I will note that this payload overwrites the nameserver in the /etc/resolv.conf file to 1.1.1.1. If I were to recommend any change - it would be to make that configurable in the variables at the top of the payload. Otherwise, fantastic work - and I'll see if we can't get some of those dependencies baked into the next official release so it's even easier to use out of the box.
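
The "verify its SHA256 sum, then issue sysupgrade" step from post 19 above, written out as an added example; this is not Hak5's code and not part of the original posts. The function names `verify_firmware` and `flash_if_verified` are hypothetical, and the script assumes `sha256sum` is available on the device.

```sh
#!/bin/sh
# Added example (not Hak5 code): gate `sysupgrade` on a SHA256 match.
# The expected digest is supplied by the operator from the download page;
# it must never be derived from the file that is being checked.
# Usage on the device: flash_if_verified /tmp/upgrade.bin <published-sha256>

# verify_firmware FILE EXPECTED_SHA256
# returns 0 = match, 1 = mismatch, 2 = bad input (missing file, malformed digest)
verify_firmware() {
    file=$1
    # Lowercase the published digest so a case difference is not a mismatch.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] && [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }

    # A SHA256 digest is exactly 64 hex characters; reject truncated pastes.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }

    # sha256sum prints "<digest>  <name>"; keep only the digest field.
    actual=$(sha256sum "$file" | awk '{ print $1 }')

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA256 mismatch: got $actual" >&2
    return 1
}

# flash_if_verified FILE EXPECTED_SHA256
# Runs `sysupgrade -n` only after the digest check passes; otherwise returns
# the verification error code (or 3 when sysupgrade is not present).
flash_if_verified() {
    verify_firmware "$1" "$2" || return $?
    command -v sysupgrade >/dev/null 2>&1 || { echo "sysupgrade not found" >&2; return 3; }
    sysupgrade -n "$1"
}
```

A mismatch or malformed digest stops before `sysupgrade` is reached, so a truncated SCP transfer or a wrong image never gets flashed.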