Michael Weinstein

So we've had Eminem, Slim Shady... and this would be Marshall Mathers? https://getyarn.io/yarn-clip/ba393c1f-4166-443c-9f8c-5cb380b26ecf#SyInJJbNa-.copy

Kid, don't run any ducky scripts anybody gives you here. At this point, they're all going to be rm -rf / and fork bombs. Also, there's very little interesting stuff you can run on a chromebook that's not rooted and running... uh... not chromeOS.

Sample code! https://pastebin.com/aZyyS16w

I'm thinking of putting in an additional feature where it will take over /bin/sudo (or wherever it's supposed to be for that specific machine) with my wrapper so that you could get anybody who sudos after.

https://github.com/michael-weinstein/bashbunny-payloads/tree/bushingsBlueTurtle/payloads/library/credentials/bushingsBlueTurtle

Taking the idea (again, mad props to sudoBackdoor) a bit further with some python scripting, I scared myself (and unintentionally pwned myself a few times as well) with this thing. How it works: The user's .bash_profile or .bashrc gets tweaked to point to ~/.config/sudo A python script called sudo is installed there. [Patience is required here, as you need to wait for the user to sudo some command now] This will take their password, validate it by running its own sudo command (literally just echoing something) and seeing if it works Once it confirms a good password, it stores the password for later retrieval and executes the intended sudo command in a subshell that the user shouldn't even notice a difference in After executing their command, it will use the password to sudo open up a reverse https meterpreter session on the machine. It will do this every time sudo is run. I unintentionally self pwned a few times, because the meterpreter session is being run as root, and one must sudo kill to get rid of it. Sudo killing it will get rid of the existing session as expected, but then will open up a shiny new session as its last step (unless the python script is gone). Because antivirus tends to recognize the base64-encoded meterpreter payload as malicious, I also wrote a script called "shellSmuggler.py" to go with it. If you use the msfvenom command I supply here, you should be able to pipe the output to the shellSmuggler and scramble the payload enough that antivirus doesn't alert on/block it anymore. You will need to know your listening machine's IP and listening port (obviously).

oXis, I was debating about that one. Truth be told, it's generally not installing packages. The packages it tries to install usually come standard (except for sometimes paramiko) and if it can find them, it won't try to install them. The main package it depends on is getpass to give a proper password prompt, but I think that's a standard python package now. It's worked pretty well in testing, although I put it aside for a bit because I got another interesting idea. JediMasterX... check it out at the link.

I decided to put together a payload to get myself familiar with the bunny. This was inspired by SudoBackdoor and borrows heavily from it, but uses python because I'm more fluent in that than bash. I'm hoping to have this thing completed by the end of this week or possibly the weekend. The code under development is on my github at https://github.com/michael-weinstein/bashbunny-payloads/tree/darkCharlie/payloads/library/credentials/darkCharlie