Posts posted by bg-wa

  1. @anao00 Yes, you are correct, DNS is a fragile system (in more ways than this example).  Regardless of where you intercept, it can be difficult to detect. 

    One thing not mentioned is SSL... you can use this method to host https://amazon.com at https://my-custom domain.com or http://amazon.com, but you won't have the right cert on your middleware machine to host https://amazon.com. It's subtle, but browsers are doing a better job of pointing out non-secure sites lately.

  2. I made this a few weeks ago.

    https://github.com/bg-wa/rails_in_the_middle

    Set up the app and point your DNS to it, point the app to the site you want to modify, and inject whatever code you want before it's sent to the user (also works the other direction, sending data to the original server).

    *Also not sure how practical this is, but it's possible.

  3. I started this quick POC, which uses Rails as a web-content proxy to allow intercepting and modifying html pages.

    [End User Request  > My Bad URL > Actual server > My Bad URL > Nokogiri (modify response) > End User Response]

    It's pretty bare bones and allows you to browse any website at your own URL, modifying the response in the middle.


    https://github.com/bg-wa/rails_in_the_middle


    Seems like an interesting loophole.  Even with CORS set up properly, assets could be stored and re-served to the end user.

  4. Hey Luca,

    You can cut down this code by putting your file types into an array, then loop through that array, executing at each object your

    if Exist %USERPROFILE%\Searches (xcopy /C /Q /G /Y /S %USERPROFILE%\Searches\*.[YOUR FILE EXTENSION FROM ARRAY] %dst% >>nul)

    https://stackoverflow.com/questions/8880603/loop-through-an-array-of-strings-in-bash

    This will trim up your code for each location.  To make it even smaller, you should throw that line into a new function, then call it, passing your location and file-type.  As a positive side effect, it will also make the script much easier to test and maintain.

    https://stackoverflow.com/questions/6212219/passing-parameters-to-a-bash-function 
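The refactor suggested in that post, written out as an added example (not bg-wa's or Luca's code, and in POSIX shell rather than the Windows batch line above): one function takes a location, a destination and a list of extensions, keeps the original "if Exist" guard by doing nothing when the location is absent, and a second function is the loop over locations. Every path and the extension list are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the "array of types + one function
# per location" structure described above, in POSIX sh.

# copy_by_ext SRC DST EXT [EXT...]
# Copies SRC/*.EXT for every EXT into DST and prints how many files it copied.
copy_by_ext() {
    src="$1"; dst="$2"; shift 2
    [ -d "$src" ] || return 0          # location not present on this machine: skip quietly
    mkdir -p "$dst" || return 1
    copied=0
    for ext in "$@"; do
        for f in "$src"/*."$ext"; do
            [ -f "$f" ] || continue    # an unmatched glob stays literal; skip it
            cp -p "$f" "$dst/" && copied=$((copied + 1))
        done
    done
    echo "$copied"
}

# collect_all DST LOC [LOC...]
# The loop over locations: each location is handed to copy_by_ext together
# with the shared extension list, and the grand total is printed.
collect_all() {
    dst="$1"; shift
    total=0
    for loc in "$@"; do
        n=$(copy_by_ext "$loc" "$dst" $EXTENSIONS)   # unquoted on purpose: word-split the list
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# Placeholder extension list (the batch original would keep this in an array).
EXTENSIONS="${EXTENSIONS:-txt pdf docx}"

# Typical call, with placeholder locations:
#   collect_all /path/to/destination "$HOME/Documents" "$HOME/Desktop"
```

Because each location is one function call, a single location can be tested in isolation with a temporary directory, which is the maintainability gain the post refers to.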

  5. 1 hour ago, Dave-ee Jones said:

    I'm confused. Is it fixed or no?

    Yes.  When I took the time to write a test, it makes more sense...

    Basically I had locked myself out of the BashBunny partition where the loot and payload folders live.  I couldn't sudo chmod them from the machines I tried, so I had to reset them on the Bunny itself...  Somewhere along the lines of the hundreds of times I plugged and unplugged this device, into everything in my house that has a USB port, permissions got changed. 

    Here is a script I wrote after the fact in case it happens again:

    # At this point I could not write to /root/udisk/loot
    # or /root/udisk/debug as I could before
    
    LED G
    
    mkdir /root/udisk/debug
    
    touch /test # File 'test' written
    touch /root/test # File 'test' written
    touch /root/udisk/test # File NOT written
    touch /root/udisk/loot/test # File NOT written
    touch /root/udisk/debug/test # File NOT written
    touch /root/udisk/payloads/test # File NOT written
    touch /root/udisk/payloads/switch1/test # File NOT written
    
    # Then I ran:
    # mount -o sync /dev/nandf /root/udisk
    # chown root:root /root/udisk -R
    # chmod 777 /root/udisk -R
    
    
    
    touch /test # File 'test' written
    touch /root/test # File 'test' written
    touch /root/udisk/test # File 'test' written
    touch /root/udisk/loot/test # File 'test' written
    touch /root/udisk/debug/test # File 'test' written
    touch /root/udisk/payloads/test # File 'test' written
    touch /root/udisk/payloads/switch1/test # File 'test' written
    
    
    # Here I could write to my Bunny again
    
    LED R G B

    https://github.com/bg-wa/bashbunny-payloads/blob/bunny_permissions_checker/payloads/library/bunny_permissions_checker/payload.txt

    Hope that helps someone else along the line.


  6. Wondering if anyone has figured out how to dictate the keypress duration...  I've got my Windows mouse control payload working but it would be more useful if I could hold a key down instead of pressing it 100 times in a loop.  I think the end goal will be to emulate something you can't do with a keyboard, like a signature in an HTML5 canvas.

    Thanks!

  7. You should just copy everything you need for your payload to switch1 or switch2 folders.  Meaning if you are using a helper, you should also copy that helper to the switch folder next to your payload.txt.  `source bunny.sh` is a relative path (just looking in the switch folder).  /root/udisk/payloads/library/bunny_helpers.sh is just a hard coded, long hand, version of the same pointer.

    hope that helps explain what you're seeing

  8. So after a week of clean testing I managed to break my bash bunny, somehow messing up the mount point /root/udisk/ (It would not auto-mount and was read-only when manually mounted)...

    Thanks to @Foxtrot I was able to regain access by re-mounting and changing the permissions:

    mount -o sync /dev/nandf /root/udisk
    chown root:root /root/udisk -R
    chmod 777 /root/udisk -R

    I still can't write to my individual payload switch folders like I previously could, so I've updated my debug helper to reflect a more accessible directory (/root/udisk/debug):

    https://github.com/bg-wa/bashbunny-payloads/blob/bunny_debug_helpers/payloads/library/bunny_debug_helpers.sh

    Again, to use this script:

    1.) Include the helper at the top of your script:

    source bunny_debug_helpers.sh

    2.) Pepper your script with log entries to see where events succeed.

    debug_log "Attack Mode Set" #ln. 41
    debug_log "IP Address : ${TARGET_IP}" #ln 92

    3.) Plug in Bunny... bash bash bash...

    4.) When finished, set the Bunny to arming mode and view your debug logs in the newly created "Debug" folder (/root/udisk/debug).
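An added example that covers both the permissions problem from the earlier post (touch succeeding in some folders and not others) and the debug helper usage above. It is not bg-wa's bunny_debug_helpers.sh or bunny_permissions_checker; it probes whether a directory really accepts a new file (a plain test -w says nothing useful on a read-only mount), picks the first usable log directory from a candidate list, and exposes a debug_log that appends timestamped lines there. The /root/udisk paths come from the thread; the function names, the fallback under /tmp and the log file name are assumptions.

```shell
#!/bin/sh
# Added example, not the helper linked in the thread.

# dir_writable DIR
# Returns 0 only if DIR exists and a file can actually be created in it.
dir_writable() {
    [ -d "$1" ] || return 1
    probe="$1/.probe.$$"
    : > "$probe" 2>/dev/null || return 1
    rm -f "$probe"
    return 0
}

# check_writable DIR [DIR...]
# Prints every directory that is NOT writable, one per line (empty output = all good).
# This is the same question the touch ... "File NOT written" lines above were asking.
check_writable() {
    for d in "$@"; do
        dir_writable "$d" || printf '%s\n' "$d"
    done
}

# first_writable_dir DIR [DIR...]
# Prints the first candidate that can be created (if missing) and written to;
# returns 1 and prints nothing when none qualifies.
first_writable_dir() {
    for d in "$@"; do
        mkdir -p "$d" 2>/dev/null
        if dir_writable "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# init_debug_log DIR [DIR...]
# Chooses DEBUG_DIR from the candidates, mirroring the fallback in the thread from
# a switch folder to /root/udisk/debug when the switch folder stopped accepting writes.
init_debug_log() {
    DEBUG_DIR="$(first_writable_dir "$@")" || return 1
    DEBUG_LOG="$DEBUG_DIR/debug.log"     # assumed file name
}

# debug_log MESSAGE...
# Appends a timestamped line; a logging failure must never abort the payload.
debug_log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$DEBUG_LOG" 2>/dev/null || true
}

# On the Bunny this would be:
#   init_debug_log /root/udisk/payloads/switch1 /root/udisk/debug "${TMPDIR:-/tmp}/bunny_debug"
#   debug_log "Attack Mode Set"
#   check_writable /root/udisk/loot /root/udisk/debug /root/udisk/payloads/switch1
```

Running check_writable against the loot, debug and switch folders at the start of a payload (and writing the result to the LEDs or the log) tells you up front whether the permissions drift described above has happened again, before anything else in the payload silently fails.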

  9. Try something like QUACK DELAY 500 after setting your attack mode, and make sure your cursor is in a text area (Notepad, Word, etc.) when you plug in the Bash Bunny.

    I wrote this simple, working, script for a friend, but it should give you an idea of how to get your test working as well.

    https://github.com/bg-wa/bashbunny-payloads/blob/feature/issue_79/payloads/library/payloads/example/multi_hid_storage_example.txt
