Clarification on QUACK STRING commands while SSHed in

[tommyq]

Reading the stuff on interactive development of payloads, I plugged the croc into my laptop and waited for it to call back to the C2. From there I logged onto my C2 web browser, opened the terminal.  In the terminal I typed      QUACK STRING GUI r  expencting a popup on my laptop with the Run dialog box.

What it did was to echo this string back to the terminal session and not into the target.  I also tried with that terminal closed and SSHing into it.  Have I mis-understood this feature?  It says it will type it into the target.

Also tried from a different device on the same Lan. Actually phone (sharing same AP) with ssh client. 

 

Update.  So I used QUACK GUI r    and got the dialog box but when I typed  QUACK STRING notepad, that was echoed back into the putty session?  Is there a vid or document I can refer too as the guide I'm reading doesn't have what I'm after.

 

Many thanks in advance.

[dark_pyrro]

You need to set the Croc in ATTACKMODE HID and use the QUACK commands in a payload. Never tried it outside a payload, but the Croc needs to be in the mode of emulating a keyboard and ATTACKMODE HID is mandatory for that to happen.

[tommyq]

Thank you for helping gain so soon!  I tried typing that into the SSH session and it threw an error. Something about insmod. I didn't manage to grab it.

Isn't the device in attack mode already when it's just been plugged in and not placed into arming mode?  Thats what I'd tried. Plug in, establish ssh session and type into the ssh window.

                      "Sometimes the quickest way to rapidly develop a payload is to write it interactively on the device.

This saves time entering arming mode, editing the payload file on the "KeyCroc" USB Flash Disk, safely ejecting the drive, unplugging and replugging the

KeyCroc from the host, then finally typing the matching pattern on the attached keyboard."

 

Thanks again.

[dark_pyrro]

But that quote of text just refers to writing the payload on the Croc, not executing anything manually. What it says is; write the payload directly on the Croc, eject it, insert it, attach a keyboard, type the MATCH "keyword" (or any compatible keypress that is configured) on the attached keyboard to trigger the payload.

[tommyq]

I've been following the "SSH Access- Key Croc 104" youtube video.  About 3.00 mins in, Darren plugs in the croc, waits for the lights to go out and then SSHes into it.  By default, its already in ATTACK mode. On the target, he has two windows open. One notepad and another powershell. He has focus on the notepad window. In the terminal window of the croc ssh session, he does a QUACK ALT TAB. It changes changes focus.  For me, it half works. It's like it's done the ALT TAB but only released the TAB.  I have to aadd QUACK ENTER to gain focus.  What I've also found is that if I ssh into the croc on the same computer that it is plugged into, it gets confused. It seems to echo QUACK STRING commands back to the terminal not to the target.  If ssh into the croc from another computer, things seem better. It outputs to the target in a similar fashion to what Darren sees. It is still misbehaving badly or I'm missing something. 

To try to rule out my laptop, I'd plugged the croc into a different one.

The crocinfo payload doesn't work either. It executes after the match but outputs a fair bit of junk.  It's not evaluating any likes properly like

QUACK STRING $(ifconfig wlan0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)

It will output ordinary QUACK STRINGS like abcded

I only got the device last week but the firmware seems to be higer than in the downloads section.  It's listed as 1.3_510 but my device is 1.3_513.  Could I have duff firmware or should I have upgraded it from somewhere else?  It's as delivered just now.  It is connected to the C2 system at the same time, but I thought Darren had said in a video this was fine?   I hope this rather long text explains better my problem.

[tommyq]

Another think I've noticed is that when you try to safely eject the device, the symbol showing that there is still something is connected but the name keycroc has gone.  The device still flashes blue.

[dark_pyrro]

It's no error that the Croc has a higher version out of the box than what's available on the downloads site. It has been mentioned on Discord if I remember it correctly and it's just the firmware version that was shipped to the factory and it shouldn't differ when it comes to functionality.

The blue flashing when it has been safely ejected should be normal. I usually serial into it and power it off, but that is a bit overkill for most

About the "live QUACK" it should obviously work since Darren is using it in his video. Doing it from the same machine as the Croc is connected to... well, I don't know about that. Start by doing it from another machine just like Darren does in the video. I have my hands tied at the moment since I'm on vacation and I'm thousands of kilometers away from my Croc so I can't try to emulate/recreate your issues.

The QUACK with the bash command(s) is probably not working since you aren't escaping characters or not putting quote marks around that string.

https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands

[tommyq]

Have a great holiday 🙂   My stuff will keep and maybe I'll have sorted it. 

I have tried it from a different machine and the direction of injection (into COM and not the Linux shell) is better but not the evaluation of $() commands.  I'll look into it more, but I grabbed a single line from the croc_info.txt file and it didn't play nice.  Same for cat $(/root/udisk/version.txt) etc.   Only for note later, I'm also seeing bits of what gets into the notepad screen is interlaced.  I'm thinking this is just the script stepping ahead before the previous command is done, but if so, it's gone slow.   I think I'll do the poweroff bit too.  I'd hate to end up with a corrupted partition.    I'll update the thread, but I dont expect you to respond 🙂   Chill time is indeed precious.