LGee Posted July 15, 2017

I have recently started playing around with my new bashbunny, and payloads. Can't figure out what I see when running my first basic payloads on Win7. Take this for example...:

Here is a payload I wrote, where I am trying to use ducky script commands and at the same time use the storage on the bunny, e.g. to store stuff on it later while running ducky commands. Here is my payload for switch1:

```
#!/bin/bash
# Set LED Red while setting up attack
LED R
ATTACKMODE HID STORAGE
Q DELAY 10000
LED R G
Q GUI r
Q DELAY 2000
Q STRING cmd
Q DELAY 4000
Q ENTER
Q DELAY 5000
Q STRING e:
Q ENTER
Q DELAY 5000
Q STRING dir
Q ENTER
Q DELAY 2000
# Light turns green - trap is clean.
LED R G B
```

And this results in a single command given in GUI+r:

```
powershell .))gwmi win32?volume +f ælabel\ææBashBunnyæææ=.Name`æpayloads'switch2'd.cmdæ=
```

I have flashed the bunny to latest (1.3) firmware. What am I doing wrong? I can't seem to get my new bunny hopping. :(

PoSHMagiC0de Posted July 15, 2017

First question is what is the error you are getting? Second one I have is can you submit that powershell line again but use the code formatting in the toolbar. On my screen it looks jumbled up so can't really read some of it.

LGee Posted July 16, 2017

Sorry for the bad formatting. Here it goes:

```
powershell .))gwmi win32?volume +f ælabel\ææBashBunnyæææ=.Name`æpayloads'switch2'd.cmdæ=
```

So, the error is, I am not getting any of the expected behavior per my ducky script above. Instead, when I insert the bunny with switch in pos. 1, I only get this powershell-like line in the Run window and an ENTER after. Nothing else happens. Really cannot see where this line is coming from, not to mention why my actual commands are not executing...

BTW, I also struggle with the ATTACKMODE setting. No matter what payload I use, and what ATTACKMODE I configure in payload.txt, I am always getting the bunny mounted as storage, no matter which setting the hardware switch is in. I could not find any forum entry related to that, but please point me to one if this has been observed before.

PoSHMagiC0de Posted July 16, 2017

Do not know if you are using a different language keyboard but that is some weird formatted text so will attempt to see if that is the issue.

One thing you are doing in your ducky script is you are assuming the ducky will be on drive e: when it may not be on every machine. Your script will know but not the BashBunny. This is the reason why the BB Ducky commands you see in most of the payloads are just enough to run a script that does the rest. Now if you know on your test machine that drive is e: then you are all good for that test machine.

Next, your script still looks strangely formatted so I will redo the duck command for it as it should probably look.

```
Q STRING "powershell -C \".((gwmi -class win32_volume -f {label='BashBunny'}).Name + 'payloads\\$SWITCH_POSITION\\d.cmd'\")"
```

Of course I do not have enough info to see what you are really accomplishing except running the file called d.cmd on the BB and then getting a dir of e: drive.

Dave-ee Jones Posted July 17, 2017

Looks like a language issue. What language does your PC use? If it's US then you need to set your Bunny's language to US.

LGee Posted July 17, 2017

I am using Norwegian keyboard conf. So, that explains the æææ's. But it does not explain why the powershell command shows up when I don't have any powershell commands in my script.

Also, I've tried the bunny under linux, and ATTACKMODE seemed to work correctly, whereas when I tried to plug it in under Win7 (tried two different win machines) it always turns up as storage, accessible. No matter what switch position or payload I use.

Dave-ee Jones Posted July 17, 2017

Well you clearly do have Powershell lines in your script lol. Looks like your firmware has broken so much it only wants to run one payload.

You can try some "udisk" commands in the serial console, see if that helps (1 or 2 of those commands will probably wipe everything, but maybe it'll help you get back on your feet). E.g. "udisk reformat".

Sebkinne Posted July 18, 2017

If you have access to your Bash Bunny, the correct way to perform a factory reset is the following:

1. Boot the device in ARMING mode
2. Serial into the device and execute "udisk reformat". The storage partition will now be formatted and the device will reboot
3. Serial into the device and execute "factory_reset_bunny". The Bash Bunny will reboot and be restored to firmware v1.0
4. Download and upgrade your Bash Bunny to the latest firmware version

You should be ready to go after this.

AGD Posted July 18, 2017

You probably have tried out this payload: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/credentials/PasswordGrabber

It is on switch 2 and it might still be there. Is it possible that you were using switch position 2 instead of 1 to test your own payload?

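Added example (not part of any post in this thread): a Python sketch of the layout mismatch discussed above, assuming the Bash Bunny sent US-layout keystrokes to a host configured for the Norwegian layout. It maps the line LGee saw in the Run dialog back to the keys that were sent, which makes the `payloads\switch2` path visible; the mapping table and function names are this example's own, and dead-key behaviour is ignored.

```python
# Added example: US-layout keystrokes interpreted by a Norwegian-layout host.
# Only keys whose output differs between the two layouts are listed;
# letters, digits, space, "." and "," are the same on both.
US_TO_NO = {
    "-": "+", "_": "?", "=": "\\", "+": "`",
    "[": "å", "{": "Å", "]": "¨", "}": "^",
    ";": "ø", ":": "Ø", "'": "æ", '"': "Æ",
    "\\": "'", "|": "*", "`": "|", "~": "§",
    "<": ";", ">": ":", "/": "-", "?": "_",
    "@": '"', "$": "¤", "^": "&", "&": "/",
    "*": "(", "(": ")", ")": "=",
}

# Inverse table: what the host displayed -> which US key was sent.
NO_TO_US = {seen: sent for sent, seen in US_TO_NO.items()}
# The table must be one-to-one, otherwise decoding would be ambiguous.
assert len(NO_TO_US) == len(US_TO_NO)


def as_seen_on_host(sent: str) -> str:
    """Text a Norwegian-layout host shows for US-layout keystrokes."""
    return "".join(US_TO_NO.get(ch, ch) for ch in sent)


def recover_sent(seen: str) -> str:
    """Undo the mismatch: recover the US-layout text that was typed."""
    return "".join(NO_TO_US.get(ch, ch) for ch in seen)


# The line from the Run dialog, copied from the thread.
OBSERVED = (
    "powershell .))gwmi win32?volume +f ælabel\\ææBashBunnyæææ=.Name"
    "`æpayloads'switch2'd.cmdæ="
)

if __name__ == "__main__":
    sent = recover_sent(OBSERVED)
    print("sent by device :", sent)
    print("round trip ok  :", as_seen_on_host(sent) == OBSERVED)
```

The same decoding helps when reading Run-dialog history on a host whose layout differs from the one an injecting device assumed.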
TurdFurguson Posted July 20, 2017

On 7/17/2017 at 9:56 PM, Sebkinne said:

> If you have access to your Bash Bunny, the correct way to perform a factory reset is the following:
>
> 1. Boot the device in ARMING mode
> 2. Serial into the device and execute "udisk reformat". The storage partition will now be formatted and the device will reboot
> 3. Serial into the device and execute "factory_reset_bunny". The Bash Bunny will reboot and be restored to firmware v1.0
> 4. Download and upgrade your Bash Bunny to the latest firmware version
>
> You should be ready to go after this.

Sebkinne, I appreciate the vast wealth of knowledge that you guys possess and I appreciate the help that all of you guys give to guys like me. I tried to factory reset my Bunny following your instructions above. I immediately got the "Police" LED pattern and then it stopped blinking. I removed the Bunny and tried to reboot it. I get a green light for about 2 seconds then nothing. I think my bunny just died.

TurdFurguson Posted July 20, 2017

Scratch that, I waited 18 minutes and it booted. So far so good.

redm0squit0 Posted October 14, 2017

Did you leave it plugged in for the 18 minutes? I am having the same exact issue and have reformatted a bunch of times only to see it go dead. I haven't waited any specific amount of time though, so I guess that will be my next move. I tried plugging it in with the pineapple cord thinking maybe it needed extra power but that just failed too. What a damn shame.