frankace Posted March 14, 2017 Share Posted March 14, 2017 When using the following command ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\a.cmd')" It errors out . : The term 'E:\payloads\\a.cmd' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:2 + .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\a.cmd' ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (E:\payloads\\a.cmd:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException It is not grabbing the variable for $SWITCH_POSITION What am I missing? Thanks Quote Link to comment Share on other sites More sharing options...
GermanNoob Posted March 14, 2017 Share Posted March 14, 2017 Did you do a source bunny_helpers.sh in your payload? Quote Link to comment Share on other sites More sharing options...
frankace Posted March 14, 2017 Author Share Posted March 14, 2017 Yes it is in the payload. Quote Link to comment Share on other sites More sharing options...
RazerBlade Posted March 14, 2017 Share Posted March 14, 2017 If you go into the bunny via serial and mount udisk and then run souce bunny_helpers.sh does it output errors? Check if bunny_helpers is encoded as DOS and if, then change the line coding to unix. Quote Link to comment Share on other sites More sharing options...
frankace Posted March 14, 2017 Author Share Posted March 14, 2017 fairly new to all this and not really sure how to mount or check for errors. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted March 15, 2017 Share Posted March 15, 2017 Are you calling this line with a QUACK command? If so, try doing this: ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\" "$SWITCH_POSITION" "\a.cmd')" Use 3 separate commands, one after the other, to write them instead of all in one line. Sometimes it misinterprets something and gets confused. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted March 15, 2017 Share Posted March 15, 2017 Remember to add your QUACK STRING <line> to actually use the HID injection. Just using that line/those lines without a command in front of them won't do anything. It will just come up with similar errors. Quote Link to comment Share on other sites More sharing options...
frankace Posted March 15, 2017 Author Share Posted March 15, 2017 I started out on multiple lines, but just for grins I tired multiple lines again. Still no joy. Same issue thanks Quote Link to comment Share on other sites More sharing options...
frankace Posted March 15, 2017 Author Share Posted March 15, 2017 I did notice the bunny_helpers is missing this bit of code: check_switch() { switch1=`cat /sys/class/gpio_sw/PA8/data` switch2=`cat /sys/class/gpio_sw/PL4/data` switch3=`cat /sys/class/gpio_sw/PL3/data` echo "--- switch1 = $switch1, switch2 = $switch2, switch3 = $switch3" if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then SWITCH_POSITION="switch1" elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then SWITCH_POSITION="switch2" elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then SWITCH_POSITION="switch3" else SWITCH_POSITION="invalid" fi } check_switch export SWITCH_POSITION Is it as simple as editing the file and adding the missing code? Quote Link to comment Share on other sites More sharing options...
frankace Posted March 15, 2017 Author Share Posted March 15, 2017 To clarify this is the bunny_helpers.sh that is located in the library folder Quote Link to comment Share on other sites More sharing options...
GermanNoob Posted March 16, 2017 Share Posted March 16, 2017 8 hours ago, frankace said: I did notice the bunny_helpers is missing this bit of code: @frankace please use only the actual versions from GitHub! There are a lot of improvements already done... Quote Link to comment Share on other sites More sharing options...
frankace Posted March 16, 2017 Author Share Posted March 16, 2017 I copied the bunny_helpers.sh from github to the library folder on the Bash Bunny, but i still can't get it to pass the $SWITCH_POSITION value. Quote Link to comment Share on other sites More sharing options...
Draxiom Posted March 16, 2017 Share Posted March 16, 2017 21 hours ago, frankace said: To clarify this is the bunny_helpers.sh that is located in the library folder The back-up/original version of bunny_helpers.sh does not include the switch_position variable. You'll have to pull the latest version from the repo (or add it yourself manually) to be able to use that variable. To make updating the payloads easier, I have created a payload (with @audibleblink) that will clone the repo directly to the bunny. Check it out: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/GitBunnyGit Quote Link to comment Share on other sites More sharing options...
frankace Posted March 17, 2017 Author Share Posted March 17, 2017 @Draxiom I was not able to get your payload to work properly. I am sure it is something i missed. Your suggestion did lead me to the post from Just_a_User. I downloaded to the zip from his post, extracted the bunny_helpers.sh and copied to my bash bunny. Thanks for the help Quote Link to comment Share on other sites More sharing options...
Draxiom Posted March 17, 2017 Share Posted March 17, 2017 1 hour ago, frankace said: @Draxiom I was not able to get your payload to work properly. I am sure it is something i missed. Your suggestion did lead me to the post from Just_a_User. I downloaded to the zip from his post, extracted the bunny_helpers.sh and copied to my bash bunny. Thanks for the help np. Out of curiosity, how did the payload fail? Quote Link to comment Share on other sites More sharing options...
frankace Posted March 17, 2017 Author Share Posted March 17, 2017 It would get to white LED and then go red. I was able to get to it via Putty, but it was not able to get out to the internet. I don't think it was your payload. It was something on my end Quote Link to comment Share on other sites More sharing options...
Draxiom Posted March 17, 2017 Share Posted March 17, 2017 You have to enable internet sharing first. I wrote the instructions on the readme for linux, but the process should be the same. Check the wiki to set up internet sharing, and then give my payload another try. It sounds like the payload was running, but couldn't get out to the internet. http://wiki.bashbunny.com/#!index.md Quote Link to comment Share on other sites More sharing options...
NightStalker Posted March 18, 2017 Share Posted March 18, 2017 (edited) So I was having the same issue and I found that the placement of the "source bunny_helpers.sh" matters. It must be placed after the ATTACKMODE command: LED R 50 ATTACKMODE HID STORAGE source bunny_helpers.sh Q DELAY 6000 This fixed the issue with not being able to read the "$SWITCH_POSITION" variable. Hope this helps, NightStalker Edited March 18, 2017 by NightStalker Quote Link to comment Share on other sites More sharing options...
trumpet7347 Posted March 21, 2017 Share Posted March 21, 2017 I am having this issue as well, and the SWITCH_POSITION variable is just not working in any of the payloads I try. Here is an example payload.txt I have setup ATTACKMODE HID source bunny_helpers.sh QUACK GUI r QUACK DELAY 100 QUACK STRING Testing Switch Position, Switch Position is ${SWITCH_POSITION} And this is the output I get And this is the contents of the bunny_helper.sh that is present under payloads/library on the bunny itself #!/bin/bash ################################################################################ # Get target ip address and hostname from dhcp lease. # This is for the attack mode of ETHERNET specified. # Without ETHERNET specified, below environment variables will be empty. # # How this works? # 1) ATTACKMODE waits until: # a) target ip address is negotiated by dhcp # b) time out # 2) After ATTACKMODE, we can get target ip address and hostname. ################################################################################ leasefile="/var/lib/dhcp/dhcpd.leases" export TARGET_IP=$(cat $leasefile | grep ^lease | awk '{ print $2 }' | sort | uniq) export TARGET_HOSTNAME=$(cat $leasefile | grep hostname | awk '{print $2 }' \ | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//') export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'}) ################################################################################ # Get switch position # Taken from bash_bunny.sh ################################################################################ check_switch() { switch1=`cat /sys/class/gpio_sw/PA8/data` switch2=`cat /sys/class/gpio_sw/PL4/data` switch3=`cat /sys/class/gpio_sw/PL3/data` echo "--- switch1 = $switch1, switch2 = $switch2, switch3 = $switch3" if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then SWITCH_POSITION="switch1" elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then SWITCH_POSITION="switch2" elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then SWITCH_POSITION="switch3" else SWITCH_POSITION="invalid" fi } check_switch export SWITCH_POSITION Not really sure what I am doing wrong, and any help would be greatly appreciated. Quote Link to comment Share on other sites More sharing options...
GermanNoob Posted March 21, 2017 Share Posted March 21, 2017 26 minutes ago, trumpet7347 said: I am having this issue as well, and the SWITCH_POSITION variable is just not working in any of the payloads I try. Here is an example payload.txt I have setup ATTACKMODE HID source bunny_helpers.sh QUACK GUI r QUACK DELAY 100 QUACK STRING Testing Switch Position, Switch Position is ${SWITCH_POSITION} And this is the output I get You need to escape the special characters... look at the examples here: Quote Link to comment Share on other sites More sharing options...
trumpet7347 Posted March 22, 2017 Share Posted March 22, 2017 On 3/21/2017 at 2:27 PM, GermanNoob said: You need to escape the special characters... look at the examples here: That would actually print out "$SWITCH_POSITION" to the run command though wouldn't it, what I am wanting it for it to print out either "switch1" or "switch2" from the bunny_helpers.sh variable Quote Link to comment Share on other sites More sharing options...
GermanNoob Posted March 22, 2017 Share Posted March 22, 2017 6 minutes ago, trumpet7347 said: That would actually print out "$SWITCH_POSITION" to the run command though wouldn't it, what I am wanting it for it to print out either "switch1" or "switch2" from the bunny_helpers.sh variable Sorry, @trumpet7347! Obviously I didn't read your post correctly... Having a look again to your code the problem is the brackets: ${SWITCH_POSITION} just try this: QUACK STRING Testing Switch Position, Switch Position is $SWITCH_POSITION Quote Link to comment Share on other sites More sharing options...
trumpet7347 Posted March 22, 2017 Share Posted March 22, 2017 23 minutes ago, GermanNoob said: Sorry, @trumpet7347! Obviously I didn't read your post correctly... Having a look again to your code the problem is the brackets: ${SWITCH_POSITION} just try this: QUACK STRING Testing Switch Position, Switch Position is $SWITCH_POSITION Its ok @GermanNoob, thanks for the help, but unfortunatly I still get the same result. I have been doing some more testing and it defenetly seems to be something with my bunny_helpers.sh file. Here is the new payload I was trying out ATTACKMODE HID RNDIS_ETHERNET source bunny_helpers.sh QUACK DELAY 1000 QUACK STRING Testing Switch Position, Switch Position is $SWITCH_POSITION QUACK ENTER QUACK STRING Testing Target IP, IP is $TARGET_IP QUACK ENTER ATTACKMODE RNDIS_ETHERNET source bunny_helpers.sh echo "Target Ip is " >> /root/udisk/test.txt echo $TARGET_IP >> /root/udisk/test.txt sync Here I am trying to see if I can access the $TARGET_IP variable that is also located in the bunny helper file. Unfortunatly I can not, below is the output of the HID section. Testing Switch Position, Switch Position is Testing Target IP, IP is You can also see that I also just tried to see if it was some issue with using HID and Ethernet attacks together, so I made a seperate ATTACKMODE section just using ethernet, and just tried to echo the IP out to a file, which unfortunatly also failed. Here is the contents of the test.txt file Target Ip is So it looks like those variables just are not getting populate for some reason, and I am really not sure why. Quote Link to comment Share on other sites More sharing options...
GreenRubi Posted March 22, 2017 Share Posted March 22, 2017 I'm having the same issues bunny_helpers.sh. The $SWITCH_POSITION variable is always empty. :( Quote Link to comment Share on other sites More sharing options...
GermanNoob Posted March 22, 2017 Share Posted March 22, 2017 That's really weird as I tested your first payload on my BashBunny & Computer and it works just fine... Have you tested the bunny_helpers.sh "offline" meaning without using in a payload? Just connect your Bunny and connect to it with screen or ssh Mount the payload drive to /root/udisk with mount -o sync /dev/nandf /root/udisk 3. goto /root/udisk/payloads/library 4. type "source bunny_helpers.sh" 5. type "echo $SWITCH_POSITION" That should work and tests your bunny_helpers.sh Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.