Ehrm Posted August 3, 2022

Hello all,

While working on setting up my Sharkjack, I've come across an interesting issue with how the data is transmitted back to my C2. I have the following gathering happening on my device's payload:

    # Internal IPv4 address of eth0 (busybox ifconfig prints "inet addr:<ip>")
    INTERNALIP=$(ifconfig eth0 | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2}')
    # Default gateway; -n keeps the address numeric instead of resolving a hostname
    GATEWAY=$(route -n | grep UG | awk '{print $2}')
    # Public IP as reported by the service at $PUBLIC_IP_URL
    PUBLICIP=$(curl -w "\n" "$PUBLIC_IP_URL") || FAIL
    echo -e "Date: $(date)\n\
    Internal IP Address: $INTERNALIP\n\
    Public IP Address: $PUBLICIP\n\
    Gateway: $GATEWAY\n" >> "$LOG"

Now, the device itself is printing to the serial connection the appropriate Public IP and Gateway, however, when checking the output on my C2 instance, I'm seeing the Hostname of the gateway router and the Public IP address is showing the Gateway's IP ON the C2 instance.

    WAN IP:           192.168.1.40
    WAN Gateway:      RT-AC68P-[||]
    WAN Subnet Mask:  255.255.255.0
    External IP:      192.168.1.1

Am I missing how the C2 gathers this information from the variables?

dark_pyrro Posted August 3, 2022

Describe more in detail on how you involve C2 in the mix. If it's the Shark that provides the info (C2 itself shouldn't gather anything really) and then transmits it as loot to the C2 server, then what you see on the C2 side is what the Shark has gathered using some payload or such. I'm not sure what you expect to happen, hence the need for more details. What is producing the "incorrect" information? I can't see the link between your posted payload and the output that follows that in the post (the section with 192.168.1.x network info).

Ehrm (Author) Posted August 3, 2022

24 minutes ago, dark_pyrro said:

> Describe more in detail on how you involve C2 in the mix. If it's the Shark that provides the info (C2 itself shouldn't gather anything really) and then transmits it as loot to the C2 server, then what you see on the C2 side is what the Shark has gathered using some payload or such. I'm not sure what you expect to happen, hence the need for more details. What is producing the "incorrect" information? I can't see the link between your posted payload and the output that follows that in the post (the section with 192.168.1.x network info).

1) It does appear the script itself is gathering the data. The base version is this: https://hak5.org/blogs/payloads/nmap-ip-info-payload-for-shark-jack-w-c2. The only modifications I've done are to include curl instead of wget on line 55 and change route to strip resolution from the gateway name on 56.

2) The loot text files are being transmitted to the C2, along with a compiled ip_info.txt. This is output as:

    Date: Wed Aug 3 19:53:47 UTC 2022
    Internal IP Address: 192.168.1.40
    Public IP Address: [CENSORED]
    Gateway: 192.168.1.1

This is expected behavior and fine for my engagement if it has to be, however, the CloudC2 software is showing the IPs from my first post on the Device Overview page, to give you a better direction on where the first post's IP location. I can from here provide a screenshot if needed.

dark_pyrro Posted August 3, 2022

I can't see that it would be strange in any way. It's just info that the device provides when being connected to the C2 server. Without dissecting it to pieces, my guess is that it's provided by cc-client on the device side.

Archived
This topic is now archived and is closed to further replies.