
KeyCroc Arming mode inaccessible


catx0rr


I was trying to add some basic payloads found on the KeyCroc documentation site to get ready for our pentest engagement, and suddenly the arming mode can't be accessed.

What I just did is add DISABLE_PAYLOAD at the start of the Croc_Getonline.txt file to disable it, and in config.txt I just added "DNS 1.1.1.1 and 4.4.2.2". I'm just getting started playing with it.

I added 2 payloads from the documentation which snag the Windows creds and the Mac/Linux creds, where it uses SAVEKEY when pressing [CTRL-ALT-DELETE] or MATCH with sudo in the terminal.

When I try to put it in arming mode, it starts with an error.

[screenshot of the error]

I already performed the factory reset, waited until it turned green and then white, and basically replugged it. The same thing happens.

Can someone enlighten me, or has anyone encountered the same issue and been able to fix it? Thanks


Not sure I get the full grip of the scenario at hand, but it for sure seems like something related to the udisk (the storage that mounts to the target). If you press the hardware button when the LED has become white after boot, does the LED start to blink blue? Have you tried to access the Croc using serial when in arming mode? Is that working?


Thanks for the reply @dark_pyrro. Yes, it appears to be blue after pressing the arming mode button on the KeyCroc. Before this happened I could still access it, and it would become a flash drive where you can put payloads and collect loot.

Even now it still has that blue blinking light after pressing the hardware button for a few seconds, but it appears as just a regular USB drive and is inaccessible, just like in the screenshot above. Before the issue happened, it was showing Key_Croc (E:) and its drive space as well in the GUI.


Again, I tried pressing the hardware button to get into arming mode, and when trying to access the generic USB drive in the GUI, it shows an error like this:

[screenshot of the error]

Is there any other way to fix this, like SSH into it (but I haven't configured anything on a network level yet)? I only played with it a little while and wasn't actually expecting this to happen, since I read the documentation first before doing anything to ensure I would not break it. Factory reset didn't solve the issue.


1 hour ago, dark_pyrro said:

> Have you tried to access the Croc using serial when in arming mode? Is that working?

I have to ask this again. Did you try connecting using serial?

https://docs.hak5.org/key-croc/advanced-usage/serial-console-access

 

Factory reset won't solve problems related to the udisk (the udisk is left untouched during a factory reset); that's why I suspect it has something to do with that part of the Croc storage. Either something is wrong with the storage itself, or you seem to have made changes payload-wise that make it stop acting as desired.


dark_pyrro said:

> Have you tried to access the Croc using serial when in arming mode? Is that working?

Sorry, I wasn't able to check it earlier.

Yes, I tried to access the serial console and successfully logged in. What I can see in /root is the udisk and version.txt, and under the udisk directory is config.txt.

I attempted to re-plug it and try its basic key-logging feature (since the LED upon plugging goes to attack mode and configures the keylogger) and typed in some characters, but after accessing the serial console I couldn't find the loot directory.

dark_pyrro said:

> Factory reset won't solve problems related to the udisk (the udisk is left untouched during a factory reset), that's why I suspect it has something to do with that part of the Croc storage. Either that it's something wrong with the storage in itself, or that you seem to have made stuff payload-wise that makes it stop acting as desired.

As mentioned earlier, I was only loading basic payloads into the payloads directory with a .txt file extension for nabbing Windows creds, and a separate .txt file for nabbing Linux/macOS creds using the MATCH syntax for the script. I also downloaded the Keycroc_GetOnline.txt script from the repo, added DISABLE_PAYLOAD on the first line of the file, saved it, ejected it in Windows and replugged.

Is there any way to rebuild/reflash or anything to fix it, since I already have access to the serial console? Thanks again @dark_pyrro for the help.


Being able to see things in /root/udisk when using serial but not getting it to mount to the target is quite odd. It also seems that you can't see as many files and directories as should be normal if only config.txt is present.

I would try to reformat the udisk when connected using serial with the command: `udisk reformat`

Note that this will remove anything you previously stored on the udisk (such as payloads, loot, etc.), but if I were in that position, getting such "bad behavior" from the Croc, I would try to get a fresh start with regard to the udisk.

Not sure about your use of DISABLE_PAYLOAD but I might not see the full scope of how you're using it.


Man, thanks @dark_pyrro, I really appreciate the help. I'm not sure how the udisk got corrupted, or if it has something to do with the "DISABLE_PAYLOAD", so here is an example of what I did before everything went haywire:

KeyCroc_GetOnline.txt:

```bash
DISABLE_PAYLOAD

# Title:           Croc_Getonline
# Description:     Attempt to connect Keycroc automatically to target wifi access point
#                  Save to tools/Croc_Pot/wifipass.txt and loot/Croc_Pot/old_wifipass.txt
# Author:          spywill
# Version:         3.5
# Category:        Key Croc
# Props:           Cribbit, Lodrix, potong, RootJunky, dark_pyrro

MATCH (getonline_W|getonline_R|getonline_L)

CROC_POT_DIR=(/root/udisk/loot/Croc_Pot /root/udisk/tools/Croc_Pot)
for dir in "${CROC_POT_DIR[@]}"; do [[ ! -d "$dir" ]] && mkdir "$dir" || LED B; done

wifi_pass=/root/udisk/tools/Croc_Pot/wifipass.txt

<snip..>
```

What I'm trying to achieve is to not execute that payload.

Thanks again for the help. It has been resolved, and I can see the disk again. Also, thanks for the knowledge; I might be needing that in the future, especially when payloads get nasty.

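As an added example (not from this thread or from Hak5), a small bash helper that inventories the payload files on the udisk before the Croc is plugged into a target: for each .txt file it reports the MATCH patterns and whether the first non-comment line is the DISABLE_PAYLOAD marker the poster used, so you know what is armed. The payload directory path and the sample files are assumptions constructed for the demo; the script only reads the files and does not check whether the Croc itself honours DISABLE_PAYLOAD.

```bash
#!/bin/bash
# Added example, not Hak5 code. Assumptions: payloads are *.txt files under
# PAYLOAD_DIR (default /root/udisk/payloads, an assumed path), '#' lines are
# comments, MATCH lines declare the trigger, and a leading DISABLE_PAYLOAD
# token is the marker the poster put on the first line to keep a file from running.

# Print "<disabled|armed> <match patterns>" for one payload file.
inspect_payload() {
    local file="$1"
    awk '
        /^[ \t]*#/ { next }                      # comment line
        NF == 0 { next }                         # blank line
        !seen { seen = 1; if ($1 == "DISABLE_PAYLOAD") disabled = 1 }
        $1 == "MATCH" {                          # collect every MATCH pattern
            sub(/^[ \t]*MATCH[ \t]*/, "")
            patterns = patterns (patterns ? "," : "") $0
        }
        END { printf "%s %s\n", (disabled ? "disabled" : "armed"), (patterns ? patterns : "-") }
    ' "$file"
}

# Walk a payload directory and print one line per .txt file: name, state, patterns.
inventory_payloads() {
    local dir="${1:-/root/udisk/payloads}"
    local f
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(inspect_payload "$f")"
    done
}

# Constructed sample payloads (modelled on the thread) so the script runs offline.
make_sample_dir() {
    local dir
    dir="$(mktemp -d)"
    printf 'DISABLE_PAYLOAD\n\n# Title: Croc_Getonline\nMATCH (getonline_W|getonline_R|getonline_L)\nLED B\n' \
        > "$dir/KeyCroc_GetOnline.txt"
    printf '# sudo trigger\nMATCH sudo\nLED B\n' > "$dir/linux_creds.txt"
    echo "$dir"
}

# Usage: inventory_payloads /root/udisk/payloads   (or the sample dir below)
sample="$(make_sample_dir)"
inventory_payloads "$sample"
rm -rf "$sample"
```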


I just overlooked the documentation, but yeah, I think so too, since it was being run via shell commands, and if it was sourced correctly then it should run (since it was a valid Ducky Script command). Thanks for the help on this one.
