
theonewhoknocks
Active Members, 13 posts

Posts posted by theonewhoknocks

  1. I got annoyed pretty quickly by the number of times I had to re-plug the Bash Bunny in order to test a complicated payload of some sort, so I threw together this rather rudimentary payload that spins up a Flask server. Given that you can see the bunny via IP, you can test your payloads with ease by POSTing some text to it.

    The post data type should be JSON and look like:

    {"text": "cat \"hello.txt\"; commands here;"}

    I recommend putting a sleep in there so you have time to tab out of Postman or whatever you use to test APIs with.

    I just wanted to get the idea out there, but I think I'll clean it up soon enough.

    I can imagine some more advanced things with this, related to data exfil or even remote administration....

    And yeah.. I know.. this is susceptible to RCE, but whatever, it's testing!

    ----------------------

    I ran these commands from https://blog.miguelgrinberg.com/post/designing-a-restful-api-with-python-and-flask

    NOTE: Requires that you have ICS on the bunny in order to "apt-get install python-pip" so that you can get flask from the pip repo

    $ mkdir app-name-whatever
    $ cd app-name-whatever
    $ virtualenv flask
    $ flask/bin/pip install flask

    ------------------------------

    Python app.py code below:

    #!/root/apiserver/flask/bin/python
    # the shebang must be the first line; change the path to wherever the
    # virtualenv lives relative to /root/ (ex: /root/app-name-whatever/flask/bin/python)
    from flask import Flask, jsonify, abort, request
    import subprocess
    
    app = Flask(__name__)
    
    
    @app.route('/api/test', methods=['POST'])
    def getapi():
        try:
            # write the POSTed "text" field to a file and hand it to bash as a script
            with open('data.txt', 'w') as outfile:
                cmd = request.get_json(force=True).get("text", "")
                outfile.write(cmd)
            subprocess.call(['/bin/bash', "data.txt"])
            # switch back to RNDIS so the host can reach the server again, then blink red
            subprocess.call(['/root/ATTACKMODE', "RNDIS_ETHERNET"])
            subprocess.call(['LED', "R", "100"])
            return jsonify("OK")
        except Exception:
            abort(500)
    
    if __name__ == '__main__':
        # bind to all interfaces so the host can POST to the Bunny's IP
        # (debug=True also makes the Werkzeug debugger reachable on that interface)
        app.run(host='0.0.0.0', debug=True)


    The LED will flash red once the server is accessible again (because you probably changed attackmodes when testing)
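    A hardened variant of the same test endpoint, added here as an example and not the post author's code: it binds to loopback unless BUNNY_API_BIND is set to the Bunny's USB-side address, requires a shared secret in an assumed X-Api-Token header (BUNNY_API_TOKEN), rejects malformed bodies before anything runs, and keeps an audit log of every payload executed (payload_runs.log is an assumed filename; the ATTACKMODE/LED re-attach calls are left out). The Flask import is guarded so the request-handling helpers can be imported and tested without Flask installed.

```python
import hmac
import json
import os
import subprocess
# Assumed, not from the original post: bind address and shared secret come from
# the environment, and the default bind is loopback until BUNNY_API_BIND is set.
BIND_ADDR = os.environ.get("BUNNY_API_BIND", "127.0.0.1")
API_TOKEN = os.environ.get("BUNNY_API_TOKEN", "change-me")


def parse_payload(body):
    """Strictly decode a {"text": "..."} body; raise ValueError on anything else."""
    try:
        obj = json.loads(body.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("body is not UTF-8 JSON") from exc
    text = obj.get("text") if isinstance(obj, dict) else None
    if not isinstance(text, str) or not text.strip() or "\x00" in text:
        raise ValueError('"text" must be a non-empty string without NUL bytes')
    return text


def token_ok(presented):
    """Constant-time check of the X-Api-Token header against the shared secret."""
    return presented is not None and hmac.compare_digest(
        presented.encode("utf-8"), API_TOKEN.encode("utf-8"))


def run_payload(text):
    """Log the payload, then run it with bash just as the original server does."""
    with open("data.txt", "w") as fh:
        fh.write(text)
    with open("payload_runs.log", "a") as log:  # audit trail of executed payloads
        log.write(json.dumps(text) + "\n")
    return subprocess.call(["/bin/bash", "data.txt"])


try:
    from flask import Flask, abort, jsonify, request
    app = Flask(__name__)

    @app.route("/api/test", methods=["POST"])
    def getapi():
        if not token_ok(request.headers.get("X-Api-Token")):
            abort(401)
        try:
            text = parse_payload(request.get_data())
        except ValueError as exc:
            abort(400, description=str(exc))
        return jsonify({"status": "OK", "rc": run_payload(text)})

    if __name__ == "__main__":
        app.run(host=BIND_ADDR, port=5000)
except ImportError:  # Flask absent: the helpers above still import for testing
    pass
```

    A client must JSON-encode the text field, so the post's cat "hello.txt" example is sent as {"text": "cat \"hello.txt\"; sleep 5"} with the token header set.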

  2. On 3/14/2017 at 5:44 PM, Sebkinne said:

    I actually started working on a program you can execute on a target machine (that does not require root/admin) that will be able to automatically share internet connection to the Bash Bunny.

    It's not a priority, yet, but it shouldn't take too many evenings to implement.

    I was struggling with that same project. I found an ICS vbs script online, a netsh command for static IP, and threw together a ducky script to bring up powershell for it all, but the frickin driver install messes it all up as it takes too long. No amount of pre-sleeping can help. I wanted it to work on virgin computers so I had to uninstall BB ether every time I tried to run it.

    I can give you my script so far if you'd like to help.

  3. You would have to exploit any unpatched vulns that are through the network connections. Since you are the router, I suggest using QuickCreds to get the authentication information. Maybe use a cracker of some sort to decrypt the hashes, unlock the computer, run your commands for april fools, and then lock it again. In theory, this should work.

  4. Whenever I switch from ATTACKMODE HID STORAGE to ATTACKMODE RNDIS_ETHERNET, Windows 10 (1607) gives me a USB Device Not Recognized. It seems like the OS is rejecting it because the device that it was before is no longer there, and it's like, hey, this wasn't there a second ago...

    I do get the USB device disconnects, and RNDIS_ETHERNET does work on this machine all by itself, but it seems that switching is the issue. Can anyone shed light on this?

    Device manager shows up as Unknown USB Device (Configuration Descriptor Request Failed).

  5. Yeah, this isn't the device for that. It's not possible to boot a machine and use the Bunny's CPU, or use the Bunny's OS and the comp's CPU. It also cannot mount the host disk directly.


    Edit: You could, however, set up a Windows share on the C: drive and cifs mount that! I bet duckyscript can whip up a good series of CMD/Powershell commands to help you.

  6. When was the March 10th batch declared? I ordered The BB on the 1st at 2pm, so it couldn't have been backordered then or my order status would have reflected it. I know this probably isn't the forum, but I need some feedback on what happened. The last update on my order said: "Being Processed" at 2pm on the 1st.


    Thanks!

  7. I don't know if this is practical at all, but I think it'd be pretty cool to be able to flip the switch a series of times to access different payloads or render the bunny inactive/active. Depending on the types of signals you guys use. Does the bunny necessarily restart after you flip the switch or is there an internal kill bash that happens and it switches to execing the other payload? Haven't got mine yet so I don't know. If so, I could probably put conditional logic to hide or disable the scripts.
