
PoSHMagiC0de
Dedicated Members
Content Count: 530
Days Won: 17

Everything posted by PoSHMagiC0de

  1. Bash. The command-line shell for most Linux systems, like BAT files for Windows.
  2. Not really. No need for it, since it is the Bash Bunny. You can probably do something like that with BashFu. Maybe they turned it into an environment variable on the Bash Bunny that you initialize.
  3. Hmm, just started trying it out and it doesn't work half bad. I only made a web forensics image from the Kali image but plan on doing one for Wi-Fi and testing out the privilege flag to see if it works for direct access. Also, to push the net stack I may try the Yersinia command-line version. Yersinia sometimes crashes my net stack when I run bare metal doing DHCP exhaustion. Let's see if it breaks faster in a Docker container, hehe.
  4. Hmm, I do not know for sure, but that may be a Rubber Ducky-specific thing. Maybe someone can confirm, @Foxtrot.
  5. I give up explaining this. I did on several different threads about Meta on the BB. All for people experimenting, but I always said you will be there for a minute just for Meta to spin up, maybe 2, and another 4-5 for it to get done doing what it is doing. I know this because I tried running Meta and PowerShell Empire (which is much lighter than Meta) from a Raspberry Pi 3 and Zero. It takes a bit on the Zero, which has more horsepower than the BB, and even took a while on the Pi 3 (new one), so I know it drags on the BB. I mentioned this before: it is much better to figure out what you want out of Meta and Bunnyize it into a much smaller payload designed for just that autopwn, and not the autopwn plus the whole huge library Meta brings with it. Ruby has more overhead on load too, so yeah. So, proceed at your own peril. Not a project I am pursuing, since I have lots of Pis and stuff around me I can use as a USB rat or network rat, plus other Hak5 products to do that stuff with, like the LAN Turtle with a remote C2 which can be a Pi sitting on the network somewhere. In my opinion, the BB was meant for quick in and out. Payloads should take that into consideration.
  6. I would not be afraid of the advanced students. If they were going to do something, it would have already been done or is being done and you have not noticed yet. You do not need a Pineapple to do MANA/KARMA attacks. What would worry me would be the non-advanced. The future script kiddies. The ones that are looking for hack-in-the-boxes without understanding how they work. Look out for those. Those are the ones that will cause the disruption, not understanding what they are doing, just wanting to pwn you very fast. 😑
  7. If you did an upgrade through apt and upgraded the DHCP server (dnsmasq or ISC, I do not remember which one is used), then you may have overwritten the custom config they had for stuff, thus breaking how the Bunny works. I don't upgrade the Bunny with apt. No reason to.
  8. Hmm, never used Burp for an external proxy, but I am suspecting it is a proxy issue. I have only tried Bettercap. I am on my phone, so forgive typos. Change Burp back to default: localhost 8080 for HTTP and 8443 for HTTPS. Now, hopefully you are on Linux; create these iptables rules. I am not in front of a machine, so if you are using Hak5's wp6, you will have to see if any rules will bypass yours and insert them in place accordingly.
     iptables -t nat -A PREROUTING -p tcp -i usb0 --dport 80 -j REDIRECT --to-ports 8080
     Of course, do the same for 443 to 8443. That may work. All of this you do on your computer, not the Pineapple. I will have to test it out to see, though.
  9. I know it does Python and Node. If you want to compile a binary, you can do so for the ARM architecture too. I recently found out I can compile Go binaries for the BB.
  10. Also, something to look out for is whether the drivers are installed before the script begins to run. If not, then it will not get the victim's IP until the victim does. Tests to do: in a clean switch folder, make a payload.txt that just loads the RNDIS_ETHERNET attack mode and place a 3 second delay followed by a status light letting you know it is done setting up the Ethernet, and then check to see if you have a new interface and can ping the BB at its IP. If you do not, wait and see if things are being installed in the background for it to work. Check Device Manager and see if you have a broken driver in there too, expecting more. If you find there is a delay with the Ethernet coming up, you may have to modify the payload.txt around that part to add a delay, or a loop with a counter to limit how long it goes, with a delay to keep trying to get the target IP, and to give up after so many times or carry on if it succeeds. Any payload I modify that has a target IP getter I wrap in a loop, because some machines running Win10 when they shouldn't will take longer to load drivers if they are not already loaded.
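The bounded retry loop described in item 10, as an added shell example (not code from the original post). On a real Bash Bunny the line GET TARGET_IP sets $TARGET_IP, which stays empty until the host has finished installing the RNDIS driver; here get_target_ip is a constructed stand-in that only answers after READY_AFTER calls, simulating that slow driver install, and the address 172.16.64.10 is made up for the example. The LED and ATTACKMODE lines are only echoed so the script runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the original post. A target-IP getter wrapped
# in a loop with a counter: keep asking with a delay between tries, give up
# after MAX_TRIES failures, carry on as soon as one try succeeds.

# Simulation knobs (constructed): the host only has an address from the
# READY_AFTER-th poll onward. ATTEMPTS counts how many polls were made.
READY_AFTER=3
ATTEMPTS=0

# Stand-in for the Bash Bunny command "GET TARGET_IP", which sets $TARGET_IP.
# Runs in the current shell (not in $(...)) so the variables persist.
get_target_ip() {
  ATTEMPTS=$((ATTEMPTS + 1))
  if [ "$ATTEMPTS" -ge "$READY_AFTER" ]; then
    TARGET_IP=172.16.64.10   # constructed address
  else
    TARGET_IP=""
  fi
}

# wait_for_target_ip MAX_TRIES DELAY_SECONDS
# Returns 0 with TARGET_IP set once the host has an address, or 1 after
# MAX_TRIES empty answers so the payload can decide to bail out.
wait_for_target_ip() {
  max_tries=$1
  delay=$2
  n=0
  TARGET_IP=""
  while [ "$n" -lt "$max_tries" ]; do
    n=$((n + 1))
    get_target_ip
    if [ -n "$TARGET_IP" ]; then
      return 0
    fi
    sleep "$delay"
  done
  return 1
}

# run_payload [MAX_TRIES] [DELAY_SECONDS]
# Sketch of the payload around the loop. LED/ATTACKMODE are Bash Bunny
# commands; they are echoed here so this runs on a plain shell too.
run_payload() {
  echo "LED SETUP"
  echo "ATTACKMODE RNDIS_ETHERNET"
  if wait_for_target_ip "${1:-10}" "${2:-3}"; then
    echo "LED ATTACK"
    echo "target is $TARGET_IP"
  else
    echo "LED FAIL"
    return 1
  fi
}
```

Call run_payload with no arguments for the defaults the post's timing suggests (10 tries, 3 seconds apart); run_payload 10 0 exercises the logic without waiting. On the real device replace the echoed lines with the LED and ATTACKMODE commands and the stand-in with GET TARGET_IP.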
  11. Not saying this will fix the issue, but I had an issue with recon back on 2.4.2. I had to do a firmware recovery and then, straight from there, updated to the newer version after initial setup. May have to try that. I don't know if I updated my Nano yet. Been busy. Will have to take a look this weekend.
  12. So, I am working on an Intro to Golang workshop for my local hackerspace when I remembered I wanted to try something. I looked up the specs for the BB and saw it uses an ARM processor and runs Linux, same as my Pis that I cross-compile Go code for all the time. Time to try something. So, I made a simple hello world and compiled it for ARMv5, scped it over to the BB, SSHed into it and ran it, and there was my hello world. I then made an HTTP server that, when I send a GET request, returns hello world. It worked. All is working, so if you want to mess around and start using Golang for your payloads, the command to compile to the correct architecture for the BB is below. Remember, if you want to publish your payload here, it cannot be compiled, so you will have to publish the source for others to compile themselves.
     env GOOS=linux GOARCH=arm GOARM=5 go build
  13. Hey Mubix, when you are back, you should do a show on using Metasploit to get into an AD domain machine, deliver Empire for post-exploitation, or deliver Empire as a payload for Metasploit's initial exploit. Use BloodHoundAD to find a way to elevate somewhere and then initiate the elevation. That should keep the questions rolling in for a bit.
  14. Okay, I will bite. Yes, you can. PowerSploit has a module to do it for PowerShell as well. For Python, there is a cool function called exec() that will run a string as Python code. Of course, it has to be valid Python code. Similar to Invoke-Expression for PowerShell. So, what works in Posh works in Pyth. You can encrypt your code with a key and convert it to a base64 string. That string will be what you put in a new Python function as an assignment to a variable, a hard-coded assignment. Now, your new function takes the key as an input parameter, and when run, the reverse happens: your code is un-base64'd, decrypted with the key back to a string, and then run with exec().
  15. Yeah, I found it. I've been playing with Go a lot. I love it. Python and JS are cool but have been pissing me off with their lack of types, making me confirm types manually before using them, versus in typed languages, if I throw the wrong type at it, I get an error or exception I can handle. Go bridges that gap, plus cross-compilation is a plus. Been loving it.
  16. I have seen UAC bypasses put into the privesc category, but as far as privesc from an unprivileged user like a normal user to admin, it is not. It is sort of a privesc, since until you bypass UAC you really do not have any admin functions. Update: per request from a YouTube user, I added in the ability for this to run on Windows 8.1. Does it work on 8.1? I have no idea, but he says it does. 😛
  17. Here you go, new version. @Darren Kitchen @lokiuox https://github.com/PoSHMagiC0de/Invoke-TaskCleanerBypass It uses dynamic parameters and can take in the standard PoSH base64 encoded commands or a file location of your script. As far as the bypass thing: just run it as an encoded command. Better yet, here is a good way to launch it. 😛 Just create an encoded stager to DownloadString the bypass script from a web server and execute it with Invoke-Expression (IEX for short) with the command. You probably can take this function, add after it the command to run it with your parameters, and encode the whole thing to run. No bypass of the execution policy needed. Anyway, look at the script. Some modifications were needed to the reg hack. I needed to use cmd /c in front so I could escape the appended stuff that gets added when run, like the cleaner command. That was breaking the exploit. So the new reg entry is
     cmd /c yourpayload & ::
     That runs the command and then rems out whatever else is there. SQL injection for registries. 😛 Since I won the competition this month, I am not payloading this. Someone else can run with this and create a BB payload. I know a few ways to use it, but someone else can have a turn. FYI: it checks if you have Win10, are a member of local admins and are already UAC bypassed. It will run if bypassed, and will do nothing if not on 10 or greater and/or not a local admin.
  18. Yeah, I saw enigma post something about this. Surprised it hasn't made it into Empire yet. I am refactoring this thing and making it into a reusable script. It will take an encoded command or a file path. It might be done before I go out of town this weekend. We will see.
  19. Never mind, while searching for something else I came across the C2 web talk I missed when it was released. Saw Seb mention it is written in GoLang. I love Go. Been hanging out in the BloodHound Slack shooting the sh** with them about stuff, and Go is one we talk about a lot, like how to make DLLs with it (not straightforward, and still involves C or C++ to consume and make into a DLL). I love it. Mixes the best of both worlds of the new Python/Ruby crowd who like verbose with statically typed languages, with concurrency baked in. Wonder why I see posts talking about running the C2 behind a WSGI? The idea behind Go is microservices that can handle all that on their own without Apache or NGINX. Seeing how this product has a paid version, it is understandable why the code is closed. Would be nice to be able to contribute, but it is all good. Hmm, wonder if I can compile a Go binary for the BB like I can for the Pi? 😛
  20. Blunder Bug: Lol. That was a hilarious blunder. I don't have a rooted phone for this device. 😑
  21. If you want to test smbserver.py, a good way is to test it by itself. Make a new payload.txt and in it just put these lines.
     LED SETUP
     ATTACKMODE RNDIS_ETHERNET
     sleep 5
     LED ATTACK
     When it is ready, connect to it with PuTTY from the Windows machine to SSH in and log in. At the login, change to the root of the Bash Bunny ("cd /"). Type the below.
     python /tools/impacket/examples/smbserver.py 'test' './'
     If you have to, add the -smb2support param to the above line too. Now, while smbserver has the terminal busy, launch an Explorer window and try to connect to the Bash Bunny IP and share:
     \\bashbunnyip\test
     You should be browsing the root of the Bunny. If you are, even with the -smb2support switch, then Impacket is working. The issue might be the last param, the way it is formatted, which it is very picky about. Always use the full path for smbserver to serve, like "/root/udisk/payloads/$SWITCH_POSITION/" or "/root/udisk/look/etc/etc../". When you connect to smbserver, you have to use the share name you specified as the parameter.
  22. One-liners got you down? Trying to type out all that text and include escapes getting confusing, and then modifying it later on is even more frustrating? Well, let's try having our one-liner be a multi-liner in the beginning and encode it, all from bash. Complete with all the bash variables you want to pass and PowerShell variables you want to be unharmed. The original premise is from @elkentaro's post about PowerRun, which he wrote using iconv. This can convert files to whatever encoding you want. Well, we are not converting files here; we will be converting echoed text, or an echoed variable. Let's do the example as a payload, since most of you may not run Linux, or if you do, do not run PowerShell 6 on it to test seamlessly. This is a hacky way of doing it, but it works.
     LED SETUP
     MYTEXT="Charles"
     MYSCRIPT="
     \$name = \"$MYTEXT\";
     cls;
     Start-Sleep -s 2;
     Write-Host \"Hello there, \$(\$name).\";
     "
     ENCODED=$(echo $MYSCRIPT | iconv -t utf-16le | base64 -w 0)
     ATTACKMODE HID
     Q DELAY 5000
     LED ATTACK
     Q GUI r
     Q STRING "cmd"
     Q DELAY 500
     Q ENTER
     Q DELAY 2000
     Q STRING "powershell -E \"$ENCODED\""
     Q DELAY 700
     Q ENTER
     LED FINISH
     So, you still have to escape (") when inside quotes, or use single quotes instead, but isn't that much easier to follow? You also still need to escape ($) where you want them passed to PowerShell rather than have bash replace them with its own value. Also, since bash concatenates each line, you will have to add a semicolon to each line except where a loop or if statement begins, like below.
     MYTEXT="
     while \$true {
     Start-Sleep -s 1;
     Write-Host \"Running loop\";
     }
     "
     #or
     MYTEXT="
     if(\$i -eq 4) {
     Write-Host \"Item is 4.\";
     }
     "
     Now, if you do not need to pass any values from bash, then you can have all your PowerShell in a file, all neat and formatted without all the escapes and stuff, and then use the PowerRun method to encode. This is a lost gem I decided to resurrect and show a spin on.
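The encoding step from item 22 as reusable shell functions, an added example that is not the post's own payload. It builds the PowerShell text from a bash-side value, encodes it the way powershell -E (-EncodedCommand) expects (UTF-16LE, then base64), and decodes it again so you can see exactly what the target will run. The UTF-16LE conversion uses od and printf instead of iconv; that rests on the assumption that the script is ASCII (for ASCII, UTF-16LE is each byte followed by a NUL), and it means the functions also work on images without iconv. The name Charles and the DuckyScript lines follow the post; nothing here talks to a target.

```shell
#!/bin/sh
# Added example, not code from the original post. Multi-line PowerShell with
# bash-side substitutions, encoded for "powershell -E", plus a decoder to
# verify the result. Assumes ASCII script text (see to_utf16le).

# ASCII text on stdin -> UTF-16LE on stdout: each byte, then a NUL byte.
# od prints one octal value per byte; printf turns "\144\000" into 'd' NUL.
to_utf16le() {
  od -An -v -to1 |
  tr ' ' '\n' |
  while IFS= read -r oct; do
    if [ -n "$oct" ]; then
      printf "\\${oct}\\000"
    fi
  done
}

# encode_ps SCRIPT -> base64 for -EncodedCommand, on one line.
# printf '%s' rather than echo, so no trailing newline is added to the script.
encode_ps() {
  printf '%s' "$1" | to_utf16le | base64 | tr -d '\n'
}

# decode_ps B64 -> the script text PowerShell will see (NULs stripped).
decode_ps() {
  printf '%s' "$1" | base64 -d | tr -d '\000'
}

# build_script NAME -> the PowerShell script as one logical line.
# Every statement ends in ';' because the lines are joined. \$ keeps the
# PowerShell variables away from bash, while $name_from_bash is substituted.
build_script() {
  name_from_bash=$1
  printf '%s' \
    "\$name = \"$name_from_bash\";" \
    " cls;" \
    " Start-Sleep -s 2;" \
    " Write-Host \"Hello there, \$(\$name).\";"
}

# emit_payload NAME -> the Bash Bunny payload.txt lines that type the command
# into the Run dialog. Base64 contains no spaces or quotes, so it can be
# passed to Q STRING without further escaping.
emit_payload() {
  encoded=$(encode_ps "$(build_script "$1")")
  printf '%s\n' \
    "LED SETUP" \
    "ATTACKMODE HID" \
    "Q DELAY 5000" \
    "LED ATTACK" \
    "Q GUI r" \
    "Q DELAY 500" \
    "Q STRING \"powershell -E $encoded\"" \
    "Q ENTER" \
    "LED FINISH"
}
```

A quick sanity check: encode_ps dir should print ZABpAHIA, the value Microsoft's own -EncodedCommand documentation shows for "dir", and decode_ps applied to any encode_ps output should return the original text. Because printf '%s' is used instead of echo, the encoded script has no trailing newline, unlike the post's version; harmless either way, but it changes the base64, so compare decoded text rather than base64 strings when debugging.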
  23. Hmm, on your computer, when you hit Windows key + R, what happens? If nothing, you have a keyboard like mine that can disable the Windows key, and that also stops the BB GUI command. If not, try opening Notepad and set a payload to just type a string, to see if anything is coming across at all.
  24. Grrr... So, I knew trying to go the Python route would hurt. Right now I have the Pythonists at the hackerspace I go to scratching their heads on Slack over how to exit the BaseHTTPServer.BaseHTTPRequestHandler class. I mean, seriously. I can exit in Node by just exiting. In Python I get a Python error dump and I am still stuck in serve_forever. Even built my own exception to try and raise, but it seems like it doesn't exit serve_forever. Hell, even handle_request() is not acting right. Soooo, I told my Pythonist friends that I am scrapping the Python language server and going back to what I know works great: Node. So, the new server will still be in Node.js.
  25. @Darren Kitchen I got your response on YouTube and sent it to you already a while back. Thanks. 🙂