Reading "Lock" keystates?


So managed to win a Bash Bunny as a prize in a CTF competition at a local conference over here and its day 1 of ownership. Have upgraded the firmware to version 1.3 and having a blast playing about with it over the serial console.

I was thinking of porting a payload I use based on work I did with an old friend of mine called "Blinking Hell" (http://blog.scriptmonkey.eu/bsides-london-2013-blinking-hell-extracting-data-using-keyboard-lock-states/) which allows for export of data via the "lock" keystates. I'd say we got there first in 2011 using a teensy, but we didn't go public until 2013 :'( and it kinda just got left in the weeds other than our own private developments as we were using it in a very niche manner to suit our work. Any way bitter tears aside :) I'd like to port it over to the bunny.

I've had a good root about using google and searching the forums and cannot see for the life of me how I can create ducky script to read the state of the various "lock" keys. I see people talking about it happening and asking "if it can" but no idea "how" to do it. I am assuming from reading the ducky script git pages its going to be some obscure command that isn't covered in the usual manual/howto.


3 hours ago, Scriptmonkey_ said:

Oof! So more of a look into it, Looks like duckyscript doesn't actually have any control flow features? I can't do tests or loops? Eesh. The HID mode on the BB doesn't require ducky script only does it?

It does, but you execute it from a bash script so you have the power of bash behind you. 

2 hours ago, Sebkinne said:

It does, but you execute it from a bash script so you have the power of bash behind you. 

Ya. So when you say "Ducky Script" it's actually Bash with QUACK commands. This means you can do all kinds of combos with timers, loops, integrate other commands for calculations etc. Way more powerful.

