Checking loot from BashBunny for new files

[GermanNoob]

Hi,

I'm working on a payload that seizes some info from the target with a secondary payload. The secondary payload is executed on the target with QUACK commands. 

Now I want to wait BashBunny until the file was created in the loot folder. I tried this:

LED G R 500

while [ ! -f "/root/udisk/loot/scan.txt" ]; do
	sleep 1
done

LED R B 200

Unfortunately I realized that files that are created by the target machine will not show up in the mounted udisk. I tried it manually by doing "sync" as well on the target machine as in the BashBunny, but without any change.

Does anybody have an idea how to solve this? Thanks in advance!

[GermanNoob]

By now I found out that if you eject the Bunny from the target the file will appear also in the mounted udisk but not before that...

I found that I could eject the Bunny with

(New-Object -comObject Shell.Application).Namespace(17).ParseName((gwmi win32_volume -f 'label=''BashBunny''').Name).InvokeVerb("Eject")

within powershell, but I can't use this command within a .cmd payload

QUAK the above command doesn't work because I don't know if the payload is already finished. Of course I could use Q DELAY but as the time will be different on different machines, I don't like that solution. 

Anybody with a nice idea?

[yeahits_ZP83]

Thank you for sharing. 

[jag]

Like GermanNoob I'm trying to "watch" the loot directory for completion from BB/payload.txt (to change LED status, etc.) and am not coming up with anything that works...
Got curious about this again after Darren mentioned better LED status' in ep. 2305 and I looked at his RDP Checker payload. Then I ended up here after noticing that /root/udisk/loot/ wasn't being checked as expected and, obviously in hindsight, ejecting the BB (using roughly same PowerShell that GermanNoob mentioned) makes cmd.exe angry and throws an error dialog box which makes it not so silent any more!

Hoping someone else has some thoughts or insight?

[LowValueTarget]

I've updated one of my payloads recently that might be able to help out.

Check out https://github.com/hak5/bashbunny-payloads/pull/268 (it hasn't been merged yet) for an updated psh_DownloadExecSMB.

psh_DownloadExecSMB essentially runs a powershell payload from the BB using SMB. Because it's using SMB, it makes it trivial to exfil data. Also, since the powershell payload is abstracted from the BB payload, your possibilites are endless.

The payload waits for the powershell to complete, and then changes the LED green.

If you want to exfil data, put that corresponding powershell in p.txt and upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot.

[StampeRnator]

Is there still an solution? Why cant the USB Storage not be synced to catch new files with a while loop in the payload.txt? Also auto eject doesn't work.

[RazerBlade]

I would also like to know if someone had a solution

[PoSHMagiC0de]

I don't use USB storage for exfiltration for this reason.  I suspect the issue lies with this.  The udisk is mounted to the BB local os but also mounted to the usb storage gadget.  Data written by the usb machine will always be seen by that machine but not finalized until the device is ejected.  This maybe the cause of the missing file and why you should eject because the data is not finalized or is still open.  Because of this, if you use usb you will have to check for write confirmation on the victim side and the eject so the file shows up to the BB and that loop will then see it.

 

I prefer smb and signaling from the victim when done.  If I am looking for a file and that file is my exfiltrated data then stopping when I see it might cause an issue if I am just now writing it.